H 241: Tailscale VPN (15 pts extra)

What You Need for This Project

A Debian Linux 11 machine
A Windows computer to serve as the client

Purpose

To make a Linux VPN server to protect internet traffic from the Window client.

WARNING ABOUT AZURE
If you are using an Azure or other cloud Windows server, this project may cause you to lose access to it. I don't recommend doing it. You may be able to do it by first configuring Google Remote Desktop on the cloud Windows server, but that might not work.

Installing Tailscale on Windows

On Windows, in a Web browser, go to

https://tailscale.com/ On the left side, click the "Get started for free" button.

Click "Sign up with Google" and log in to your Google account.

You see the Welcome page shown below.

Click the "Download Tailscale for Windows" button.

On the next page, click the blue "Download Tailscale for Windows" button.

Run the installer you downloaded. When you see the "Installation Succesfully Completed" message, click Close.

In the lower right corner of your desktop, click the up-arrow. Click the Tailscale icon, which is nine dots in a square, outlined in red in the image below.

A Web page opens. Log in with your Google account. Click Connect.

Installing Tailscale on Debian 11

The instructions below assume you are using Debian 11 (Bullseye). For other Linux versions, see: Setting up Tailscale on Linux

On your Debian Linux server, in a Terminal session, execute these commands:

curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg \ | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list \ | sudo tee /etc/apt/sources.list.d/tailscale.list sudo apt update sudo apt install tailscale -y sudo tailscale up

You see a URL, as shown below.

Open that URL in a browser on any machine. Log in to the same Google account you used on Windows.

Click Connect.

The "tailscale up" command finishes, returning a "$" prompt, as shown below.

Now we need to enable IP forwarding and make the Linux machine an exit node.

On your Debian Linux server, in a Terminal session, execute these commands:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf sudo sysctl -p /etc/sysctl.d/99-tailscale.conf sudo tailscale up --advertise-exit-node

The commands succeed without errors, as shown below.

Using the Admin Console

In a web browser, go to

https://login.tailscale.com/admin/machines

You see two machines, as shown below.

On the "debian11" line, on the right side, click the three-dot icon. Click "Edit route settings...".

Click the "Use as exit node" slider, as shown below.

Using the Exit Node on Windows

In the lower right corner of your desktop, click the up-arrow. Right-click the Tailscale icon. Click "Exit node", debian11, as shown below.

Testing the VPN with Tracert

On your Windows machine, click Start and type CMD. Open a Command Prompt and execute this command:

tracert 8.8.8.8

The first hop is the Debian machine, with the same IP address you saw in the Machines web page above.

Traffic is being routed through the VPN!

Testing for Leaks

Let's see how good this VPN is.

Installing Wireshark

On your Windows client machine, If you don't already have it, download and install Wireshark from

https://wireshark.org

Monitoring "puppy" Packets

Launch Wireshark.

In the main Wireshark window, double-click Ethernet0, or whatever adapter connects to the Internet on your system, as shown below.

In the the "Capturing from Ethernet0" window, at the top left, in the "Apply a display filter" bar, type this:

frame contains "puppy"

and press Enter.

The filter bar turns green, as shown below.

Wireshark is now listening for any packets containing the word "puppy".

Using Unencrypted DNS

Open Edge. At the top right, click the three-dot icon. Click Settings.

In Settings, search for

secure dns

Click the toggle button to turn secure DNS off, as shown below.

Visiting Puppywar

In Edge, go to:

https://puppywar.com

as shown below.

You will likely see some DNS traffic leaking outside the VPN, as shown below.

Fixing the Leak

This seems to be a known issue with Tailscale on Wndows. There doesn't seem to be a preferred solution. The fix below is at best a sleazy workaround, but it seems to work.

Click Start. Type NETWORK. Click "View network commections".

Right-click Ethernet0 and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IPv4)".

Change the DNS server address to 127.127.127.127, as shown below.

Click OK. Click OK.

Restarting the Wireshark Capture

In Wireshark, from the menu bar, click Capture, Restart.

Click "Continue without Saving".

Wireshark is listening for new "puppy" packets, as shown below.

Visiting Weatherpuppy

In Edge, go to:

https://weatherpuppy.com

as shown below.

The page loads, and Wireshark doesn't detect any traffic containing "puppy". The leak is fixed!

Flag H 241.1: Adapter Name (15 pts)
On your Windows machine, click Start and type CMD. Open a Command Prompt and execute this command:
ipconfig
The flag is covered by a green rectangle in the image below.

Posted 6-7-23