```text
├── LICENSE
├── README.md
├── install-docker.sh
├── setup-config.sh
└── vmware-fusion_howto-add-interfaces.md
```

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 DiabloHorn

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# VySOlator
VySOlator provides isolation of (virtual) networks based on VyOS. The goal of this project is to provide an initial setup for anyone who wants to properly isolate (virtual) networks and protect their host machine. Use cases for this project:
* Pentesting
* Malware research

Currently only one network (internet only) is provided; more will be added as the project progresses.

# Process (steps)
* Building the VyOS iso
* Configure additional VMware networks
* Create and configure the VyOS virtual machine
* Troubleshooting
* Optional: test your setup
  1. Use your favourite network attacks and ensure it works as intended
  1. Create a pull request or issue if you found a way to access something other than the internet

## Building the VyOS iso
A pre-built iso is available from VyOS (https://downloads.vyos.io/). However, building it from scratch allows for more granular control. Here are the steps for building the iso using docker:

1. Install docker; you can use the script in this repository
   * `sudo ./install-docker.sh`
1. Clone the VyOS repo and switch to the crux branch
   * `git clone https://github.com/vyos/vyos-build`
   * `cd vyos-build`
   * `git checkout crux`
1. From within the vyos-build folder
   * `sudo docker build -t vyos-builder docker`
   * `sudo docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos-builder bash`
   * `./configure --custom-package vim --build-by DiabloHorn`
   * `sudo make iso`

The result of the above commands is the iso created in the `build` directory within the `vyos-build` directory. This is the iso we use to install VyOS.

## Configure additional VMware networks
We will add two new networks to VMware (vmnet2, vmnet3) that have zero interaction with the host. Below are the configuration steps per VMware product:

* [VMware Fusion and Fusion Pro](vmware-fusion_howto-add-interfaces.md)
* VMware Workstation (todo)
* VirtualBox (todo)

## Create and configure the VyOS virtual machine

### Creating the virtual machine
Add a new virtual machine and select "install from disc or image" as the installation method. In the next screen select the VyOS image we built in the previous step.
As the operating system choose Linux/Debian 7.x 64-bit (newer Debian versions might also work). Recommended disk space is 5 GB and memory 512 MB. Give it two network adapters, one connected to vmnet2 and the other to vmnet3. After the VM has booted, log in with:

* Username: `vyos`
* Password: `vyos`

On the command line interface just run `install image` and make some common sense choices. After you are done, reboot the system. You will be able to log in to your virtual gateway using your chosen password. The username will remain `vyos`. You can now shut down (`poweroff`) your virtual machine to be able to configure some additional network interfaces.

### Configure the virtual machine
#### Enable ssh for remote management
The following commands enable SSH and DHCP on the 'mgmt' interface (eth1):

```
configure
set interfaces ethernet eth1 description 'mgmt interface'
set interfaces ethernet eth1 address '10.7.7.1/24'
set service dhcp-server shared-network-name mgmt subnet 10.7.7.0/24
set service dhcp-server shared-network-name mgmt subnet 10.7.7.0/24 range 0 start '10.7.7.2'
set service dhcp-server shared-network-name mgmt subnet 10.7.7.0/24 range 0 stop '10.7.7.10'
set service ssh listen-address '10.7.7.1'
set service ssh port '22'
commit
save
exit
```

To be able to connect to VyOS via SSH, another VM has to be placed in the same network segment (vmnet2).

#### Running setup script
We perform the following from our mgmt VM:

```
scp setup-config.sh vyos@10.7.7.1:~/
ssh vyos@10.7.7.1 "chmod +x setup-config.sh ; sg vyattacfg -c ./setup-config.sh"
```

That's it. If we now place a VM in the same segment as vmnet3/eth2 it will only be able to connect to the internet.
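The isolation claim above rests on the zone-policy section of `setup-config.sh` (further down in this repository): every zone has `default-action drop`, and only the zone pairs that get an explicit `firewall name` ruleset pass anything. The following Python audit is an added example, not part of the project; it parses the zone and ruleset commands copied from the script, lists the zone pairs that have no ruleset assigned (and so rely solely on the destination zone's default action), flags pairs whose destination zone default is not `drop`, rulesets referenced but never defined, and rulesets whose default action is `accept`.

```python
import re
from itertools import permutations

# Zone and ruleset commands copied from setup-config.sh (only the lines this
# audit needs; the per-rule "rule N" lines are left out).
CONFIG = """\
set firewall name uplinkTOinetonly default-action drop
set firewall name uplinkTOmgmt default-action drop
set firewall name mgmtTOuplink default-action drop
set firewall name mgmtTOinetonly default-action drop
set firewall name mgmtTOlocal default-action drop
set firewall name localTOuplink default-action drop
set firewall name inetonlyTOmgmt default-action drop
set firewall name inetonlyTOuplink default-action accept
set zone-policy zone local default-action drop
set zone-policy zone uplink default-action drop
set zone-policy zone mgmt default-action drop
set zone-policy zone inetonly default-action drop
set zone-policy zone local from mgmt firewall name mgmtTOlocal
set zone-policy zone uplink from inetonly firewall name inetonlyTOuplink
set zone-policy zone uplink from mgmt firewall name mgmtTOuplink
set zone-policy zone uplink from local firewall name localTOuplink
set zone-policy zone mgmt from inetonly firewall name inetonlyTOmgmt
set zone-policy zone mgmt from uplink firewall name uplinkTOmgmt
set zone-policy zone inetonly from uplink firewall name uplinkTOinetonly
set zone-policy zone inetonly from mgmt firewall name mgmtTOinetonly
"""

PAIR_RE = re.compile(r"^set zone-policy zone (\S+) from (\S+) firewall name (\S+)$")
ZONE_RE = re.compile(r"^set zone-policy zone (\S+) default-action (\S+)$")
RULESET_RE = re.compile(r"^set firewall name (\S+) default-action (\S+)$")

def audit(config):
    """Report zone pairs without an explicit ruleset and other policy gaps."""
    zone_default, pairs, rulesets = {}, {}, {}
    for line in config.splitlines():
        if m := PAIR_RE.match(line):  # stored as (from, to) -> ruleset name
            pairs[(m.group(2), m.group(1))] = m.group(3)
        elif m := ZONE_RE.match(line):
            zone_default[m.group(1)] = m.group(2)
        elif m := RULESET_RE.match(line):
            rulesets[m.group(1)] = m.group(2)
    # every ordered (from, to) pair of zones that has no "from ... firewall name"
    unassigned = sorted(p for p in permutations(sorted(zone_default), 2) if p not in pairs)
    return {
        "unassigned": unassigned,
        "open": [p for p in unassigned if zone_default[p[1]] != "drop"],  # not covered by zone default
        "dangling": sorted(n for n in pairs.values() if n not in rulesets),
        "permissive": sorted(p for p, n in pairs.items() if rulesets.get(n) == "accept"),
    }
```

For the shipped script, `audit(CONFIG)` reports four unassigned pairs (inetonly→local, local→inetonly, local→mgmt, uplink→local), none of them open because every zone drops by default, and `inetonly→uplink` as the single permissive pair, which is exactly the internet-only path the README describes.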

## Troubleshooting
* *Running "sudo docker build -t vyos-builder docker" does not work (container is unable to install packages)*

  When running docker on Ubuntu 16 you might have no internet inside your containers; comment out dnsmasq in /etc/NetworkManager/NetworkManager.conf and restart the NetworkManager service.
* *I messed up the configuration*

  ```
  configure
  load /opt/vyatta/etc/config.boot.default
  commit
  # If you are doing this remotely, the connection will drop after this
  save
  exit
  reboot
  ```
* *Can I use different IP ranges than in your example?*

  Yes, of course. Be mindful of typos.

# References
* https://docs.docker.com/install/linux/docker-ce/ubuntu/
* https://github.com/vyos/vyos-build
* https://vyos.readthedocs.io/en/latest/install.html
* https://spin.atomicobject.com/2017/04/03/vmware-fusion-custom-virtual-networks/
* https://github.com/bertvv/cheat-sheets/blob/master/docs/VyOS.md
* https://superuser.com/questions/1130898/no-internet-connection-inside-docker-containers
--------------------------------------------------------------------------------

/install-docker.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
# Installs Docker CE on Ubuntu following
# https://docs.docker.com/install/linux/docker-ce/ubuntu/ (run as root).
set -e

apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
# add Docker's package signing key and the stable repository for this Ubuntu release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io
```
--------------------------------------------------------------------------------

/setup-config.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

# ensure the script runs with the vyattacfg group, otherwise re-exec it via sg
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

########################-overview interfaces-######################################################
# eth0 - uplink
# eth1 - management interface 10.7.7.0/24
# eth2 - internet only interface 10.8.8.0/24
###################################################################################################

########################-configuration starts here-################################################
configure

######## Interfaces
echo "[*] configuring interfaces"
set interfaces ethernet eth0 description 'uplink'
set interfaces ethernet eth0 address dhcp
commit
echo "[V] eth0 configured"
set interfaces ethernet eth2 description 'inetonly'
set interfaces ethernet eth2 address '10.8.8.1/24'
commit
echo "[V] eth2 configured"

######## DHCP
echo "[*] configuring DHCP"
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 default-router '10.8.8.1'
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 dns-server '8.8.4.4'
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 domain-name 'inetonly'
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 lease '86400'
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 range 0 start '10.8.8.2'
set service dhcp-server shared-network-name inetonly subnet 10.8.8.0/24 range 0 stop '10.8.8.254'
commit
echo "[V] DHCP configured"

######## NAT
echo "[*] configuring NAT"
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.8.8.0/24'
set nat source rule 100 translation address masquerade
commit
echo "[V] NAT configured"

save

######## NTP
echo "[*] configuring NTP"
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
commit
echo "[V] NTP configured"

######## DNS
echo "[*] configuring DNS"
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'
commit
echo "[V] DNS configured"

######## Firewall
echo "[*] configuring firewall"

######## global states
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop
set firewall source-validation strict

######## define groups
set firewall group network-group internalranges
set firewall group network-group internalranges network '10.0.0.0/8'
set firewall group network-group internalranges network '172.16.0.0/12'
set firewall group network-group internalranges network '192.168.0.0/16'

set firewall group address-group vyos-updates address '185.144.208.249'
set firewall group address-group vyos-updates description 'downloads.vyos.io'

set firewall group address-group dns-servers address '8.8.8.8'
set firewall group address-group dns-servers address '8.8.4.4'
set firewall group address-group dns-servers description 'Google DNS'

######## define zone policies
set zone-policy zone local local-zone
set zone-policy zone local default-action drop
set zone-policy zone local description 'local zone'

set zone-policy zone uplink
set zone-policy zone uplink interface eth0
set zone-policy zone uplink default-action drop
set zone-policy zone uplink description 'uplink zone'

set zone-policy zone mgmt
set zone-policy zone mgmt interface eth1
set zone-policy zone mgmt default-action drop
set zone-policy zone mgmt description 'mgmt zone'

set zone-policy zone inetonly
set zone-policy zone inetonly interface eth2
set zone-policy zone inetonly default-action drop
set zone-policy zone inetonly description 'internet only'

######## configure firewall rules per zone
set firewall name uplinkTOinetonly default-action drop
set firewall name uplinkTOmgmt default-action drop

set firewall name mgmtTOuplink default-action drop
set firewall name mgmtTOinetonly default-action drop
set firewall name mgmtTOlocal default-action drop
set firewall name mgmtTOlocal rule 10 action accept
set firewall name mgmtTOlocal rule 10 protocol tcp
set firewall name mgmtTOlocal rule 10 destination port 22

set firewall name localTOuplink default-action drop
set firewall name localTOuplink rule 10 action accept
set firewall name localTOuplink rule 10 protocol udp
set firewall name localTOuplink rule 10 destination port 123

set firewall name localTOuplink rule 20 action accept
set firewall name localTOuplink rule 20 protocol tcp
set firewall name localTOuplink rule 20 destination port 443
set firewall name localTOuplink rule 20 destination group address-group vyos-updates

set firewall name localTOuplink rule 30 action accept
set firewall name localTOuplink rule 30 protocol tcp_udp
set firewall name localTOuplink rule 30 destination port 53
set firewall name localTOuplink rule 30 destination group address-group dns-servers

set firewall name inetonlyTOmgmt default-action drop

set firewall name inetonlyTOuplink default-action accept
set firewall name inetonlyTOuplink rule 10 action drop
set firewall name inetonlyTOuplink rule 10 protocol tcp_udp
set firewall name inetonlyTOuplink rule 10 destination group network-group internalranges

######## apply rules to zones
set zone-policy zone local from mgmt firewall name mgmtTOlocal

set zone-policy zone uplink from inetonly firewall name inetonlyTOuplink
set zone-policy zone uplink from mgmt firewall name mgmtTOuplink
set zone-policy zone uplink from local firewall name localTOuplink

set zone-policy zone mgmt from inetonly firewall name inetonlyTOmgmt
set zone-policy zone mgmt from uplink firewall name uplinkTOmgmt

set zone-policy zone inetonly from uplink firewall name uplinkTOinetonly
set zone-policy zone inetonly from mgmt firewall name mgmtTOinetonly

commit

echo "[V] firewall configured"

save

# leave configure mode, then end the script
exit

exit
```
--------------------------------------------------------------------------------

/vmware-fusion_howto-add-interfaces.md:
--------------------------------------------------------------------------------
# Adding networks/segments to VMware Fusion
This guide covers adding network interfaces without DHCP to VMware Fusion.
1. Add the network interfaces to your VM the regular way
   * Virtual Machine --> Settings --> Add Device
1. Shut down VMware Fusion completely
1. Edit the following file as superuser: `/Library/Preferences/VMware Fusion/networking`
1. Add the following entries at the bottom of the file

   ```
   answer VNET_2_DHCP no
   answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
   answer VNET_2_HOSTONLY_SUBNET 10.7.7.0
   answer VNET_2_VIRTUAL_ADAPTER no
   answer VNET_3_DHCP no
   answer VNET_3_HOSTONLY_NETMASK 255.255.255.0
   answer VNET_3_HOSTONLY_SUBNET 10.8.8.0
   answer VNET_3_VIRTUAL_ADAPTER no
   ```
1. Start VMware Fusion
--------------------------------------------------------------------------------
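The `answer` entries above are what keep the host off vmnet2 and vmnet3: `DHCP no` stops Fusion from handing out addresses on the segment and `VIRTUAL_ADAPTER no` means the host gets no interface on it. The following Python check is an added example, not part of the project; it parses a constructed excerpt of the `networking` file containing exactly the entries from the howto, and reports any vnet whose subnet does not match what `setup-config.sh` expects on eth1/eth2 or which still lets the host onto the segment.

```python
import re

# The two entries from the howto above, embedded as a constructed excerpt of
# /Library/Preferences/VMware Fusion/networking (no other vnets included).
NETWORKING = """\
answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET 10.7.7.0
answer VNET_2_VIRTUAL_ADAPTER no
answer VNET_3_DHCP no
answer VNET_3_HOSTONLY_NETMASK 255.255.255.0
answer VNET_3_HOSTONLY_SUBNET 10.8.8.0
answer VNET_3_VIRTUAL_ADAPTER no
"""

# Subnets that eth1 (mgmt, vmnet2) and eth2 (inetonly, vmnet3) use in
# setup-config.sh and the README.
EXPECTED_SUBNETS = {2: "10.7.7.0", 3: "10.8.8.0"}

ANSWER_RE = re.compile(r"^answer VNET_(\d+)_([A-Z_]+) (\S+)$")

def parse_networking(text):
    """Group 'answer VNET_n_KEY value' lines into {n: {KEY: value}}."""
    vnets = {}
    for line in text.splitlines():
        if m := ANSWER_RE.match(line):
            vnets.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return vnets

def host_isolated(cfg):
    """True when Fusion neither serves DHCP on the vnet nor gives the host an adapter on it."""
    return cfg.get("DHCP") == "no" and cfg.get("VIRTUAL_ADAPTER") == "no"

def check_networking(text, expected=EXPECTED_SUBNETS):
    """Return a list of problems; an empty list means the file matches the VyOS setup."""
    vnets = parse_networking(text)
    problems = []
    for n, subnet in sorted(expected.items()):
        cfg = vnets.get(n)
        if cfg is None:
            problems.append(f"vmnet{n}: no entries in networking file")
            continue
        if cfg.get("HOSTONLY_SUBNET") != subnet:
            problems.append(f"vmnet{n}: subnet {cfg.get('HOSTONLY_SUBNET')} does not match {subnet}")
        if not host_isolated(cfg):
            problems.append(f"vmnet{n}: host still has DHCP or an adapter on this network")
    return problems
```

Run `check_networking(open("/Library/Preferences/VMware Fusion/networking").read())` on the real file after editing it; an empty list means both segments are present, host-isolated and on the subnets VyOS expects.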