10.11 Exploit SecureNAT for Remote Access into Firewall without Any Permission

Version from 18:23, 22 Jan 2024

...

As explained in section 3.7 Virtual NAT & Virtual DHCP Servers, SecureNAT consists of the TCP/IP stack operated in user mode and Virtual NAT/Virtual DHCP Server. In particular, when IP access via Virtual NAT is performed the data is automatically relayed to the host using Socket API at the user level. This is a very advanced and intriguing technology.

...

Assuming that you can only log on to 192.168.1.1 as a general user, you will have to run VPN Bridge in user mode. As shown below, run vpnbridge with the start option. Please refer to section 5.2 Operating Modes for more detailed configuration information.

...

• [Setting Name]
  Designate some arbitrary name such as "Bridge".

• [Host Name]
  Input the IP address of the computer that you installed VPN Server on beforehand. (In this example, 130.158.6.51.)

• [Port Number]
  Input one of the listener ports of the computer that you installed VPN Server on beforehand. We recommend using port number 443 if you have to go through any firewalls or proxy servers.

• [Virtual Hub Name]
  Input the name of the Virtual Hub you created on the VPN Server beforehand.

• Proxy Server Related Items
  If you must go through a HTTP proxy server or SOCKS proxy server to access the Internet on the 192.168.1.0/24 network, you would enter all the information about that proxy server here. (See section 4.4 Making Connection to VPN Server.)

• [Auth Type]
  Input the authentication method used for the user registered to the Virtual Hub (in this example, the user "test") on the computer that you installed VPN Server to beforehand. "Standard Password Authentication" should be sufficient under any normal circumstances.

• [User Name]
  Input the user name of the user registered to the Virtual Hub (in this example, the user "test") on the computer that you installed VPN server to beforehand.

• [Password]
  Input the password of the user registered to the Virtual Hub (the one you registered beforehand).

...

• SecureNAT utilizes many complicated techniques such as user mode TCP/IP stacks, but all processes required by SecureNAT can be executed in user mode. Therefore, in a network such as the example network given here where VPN Bridge is running under general user privileges, only processes that can be executed under that user's privileges can be performed, even if a buffer overflow or other such error occurs in VPN Bridge's or SecureNAT's program code. This means that, compared to a setup which requires VPN Bridge to be run under system privileges, one that runs under general user privileges has increased overall system integrity.
• Of course, even when setting up a remote access VPN such as the one in this example that uses a combination of VPN Bridge with SecureNAT and VPN Server, all data under the SoftEther VPN protocol is encrypted via SSL by default. Even if you are sending data over the Internet, you will not have to worry about any third parties stealing or modifying the data you are transferring. You can also use server certificate authentication when making a cascade connection to the VPN Server (see section 3.4 Virtual Hub Functions for more details) to increase the security of your VPN even further.
• This example shows how to set up a remote access VPN without having to change any of the firewall or NAT settings on the remote network. Generally, making modifications to a firewall or NAT to allow traffic to pass through certain ports can not only be a costly procedure, but can introduce new security risks to your network as well. Therefore, this method is not recommended unless you have absolutely no other choice. If you have a similar situation where you have received permission from the network or system administrator to set up a remote access VPN, but there is concern over the cost, security risks, or firewall/NAT configuration, the method given in this example of using SecureNAT and VPN Bridge together offers a simple, cost effective solution for your remote access needs.
• All traffic that passes through SecureNAT is accurately logged in the security log file of the Virtual Hub on the VPN Bridge (or VPN Server) running SecureNAT.

...

Current version

...

As explained in section 3.7.1 What is SecureNAT?, SecureNAT consists of the TCP/IP stack operated in user mode and Virtual NAT/Virtual DHCP Server. In particular, when IP access via Virtual NAT is performed the data is automatically relayed to the host using Socket API at the user level. This is a very advanced and intriguing technology.

...

VPN Bridge is free to use if you just want to use it to connect to VPN Server. After unpacking the VPN Bridge Linux install package's tar.gz file and installing VPN Bridge on the computer at 192.168.1.1, the executable file vpnbridge will be created. (See section 9.3.3 Checking the Required Software and Libraries, 9.3.4 Extracting the Package and 9.3.5 Creating an Executable File.)

Assuming that you can only log on to 192.168.1.1 as a general user, you will have to run VPN Bridge in user mode. As shown below, run vpnbridge with the start option. Please refer to section 5.2.2 User ModeEdit section for more detailed configuration information.

...

• [Setting Name]
  Designate some arbitrary name such as "Bridge".

• [Host Name]
  Input the IP address of the computer that you installed VPN Server on beforehand. (In this example, 130.158.6.51.)

• [Port Number]
  Input one of the listener ports of the computer that you installed VPN Server on beforehand. We recommend using port number 443 if you have to go through any firewalls or proxy servers.

• [Virtual Hub Name]
  Input the name of the Virtual Hub you created on the VPN Server beforehand.

• Proxy Server Related Items
  If you must go through a HTTP proxy server or SOCKS proxy server to access the Internet on the 192.168.1.0/24 network, you would enter all the information about that proxy server here. (See section 4.4.1 Selecting the Proper Connection Method.)

• [Auth Type]
  Input the authentication method used for the user registered to the Virtual Hub (in this example, the user "test") on the computer that you installed VPN Server to beforehand. "Standard Password Authentication" should be sufficient under any normal circumstances.

• [User Name]
  Input the user name of the user registered to the Virtual Hub (in this example, the user "test") on the computer that you installed VPN server to beforehand.

• [Password]
  Input the password of the user registered to the Virtual Hub (the one you registered beforehand).

...

• SecureNAT utilizes many complicated techniques such as user mode TCP/IP stacks, but all processes required by SecureNAT can be executed in user mode. Therefore, in a network such as the example network given here where VPN Bridge is running under general user privileges, only processes that can be executed under that user's privileges can be performed, even if a buffer overflow or other such error occurs in VPN Bridge's or SecureNAT's program code. This means that, compared to a setup which requires VPN Bridge to be run under system privileges, one that runs under general user privileges has increased overall system integrity.
• Of course, even when setting up a remote access VPN such as the one in this example that uses a combination of VPN Bridge with SecureNAT and VPN Server, all data under the SoftEther VPN protocol is encrypted via SSL by default. Even if you are sending data over the Internet, you will not have to worry about any third parties stealing or modifying the data you are transferring. You can also use server certificate authentication when making a cascade connection to the VPN Server (see section 3.4.12 Server Authentication in Cascade Connections for more details) to increase the security of your VPN even further.
• This example shows how to set up a remote access VPN without having to change any of the firewall or NAT settings on the remote network. Generally, making modifications to a firewall or NAT to allow traffic to pass through certain ports can not only be a costly procedure, but can introduce new security risks to your network as well. Therefore, this method is not recommended unless you have absolutely no other choice. If you have a similar situation where you have received permission from the network or system administrator to set up a remote access VPN, but there is concern over the cost, security risks, or firewall/NAT configuration, the method given in this example of using SecureNAT and VPN Bridge together offers a simple, cost effective solution for your remote access needs.
• All traffic that passes through SecureNAT is accurately logged in the security log file of the Virtual Hub on the VPN Bridge (or VPN Server) running SecureNAT.

...