Add HTB VPN to Kali 2020.1 and Fix VPN Routing Issue (No Internet)

Issue

After adding an the HTB OpenVPN profile to Kali Linux 2020.1, upon connecting to the VPN, an additional default route is added to Kali's routing table forcing all internet traffic to the HTB environment where there isn't actually an internet connection.

This blog post walks through setting up the VPN and removing the extra default route, plus scripting the connection to the VPN since it add the broken route every time the VPN connects.

Download OpenVPN creds from HTB

Get your OpenVPN file from here: https://www.hackthebox.eu/home/htb/access
It comes downloaded as .ovpn. I renamed my file to HackTheBox.ovpn. This will become the name of the VPN connection we see in the GUI.

Adding VPN connection to Kali

Verify network connections first:    
sudo nmcli connection
Now to add the the OpenVPN connection to your list of linux networks:   
 sudo nmcli connection import type openvpn file Downloads/HackTheBox.ovpn
Verify the new network connection was added:   
sudo nmcli connection
In the top right of the screen you can also verify the VPN was added. Toggling the checkbox will connect and disconnect from the VPN respectively.

Fixing Internet Routing issue:

This guide is assuming 1 wired connection and 1 VPN connection. After connecting to the HTB VPN, some users may find their Kali Linux machine no longer can reach the Internet, but is still able to reach the lab environment VMs. This issue is due to the VPN connection adding a more preferred default route out the VPN tunnel interface. 
The route marked 1 in the picture above is an unneeded default route to the HTB environment. The route marked 2 is the default route where internet bound traffic should be sent. This is because the gateway (router.asus.com) is my router, while 10.10.14.1 is the HTB environment on the other end of the VPN tunnel.

If we remove the first default route, our internet bound traffic will use route 2. HTB traffic will remain unaffected and be handled by these two routes which are already installed in the routing table:
Removing the extra default route:   
sudo route del -net default gw 10.10.14.1 netmask 0.0.0.0 dev tun0
After running that the routing table is fixed:

Bash script fix

Every time you disconnect and reconnect to HTB, you'll have to remove the default route. Here is a quick bash script to simply the connection process. Make a file called ConnectToHTB. To make it executable: chmod 755 ConnectToHTB
Added this to the file:
   # Turn on HTB VPN Connection
   nmcli connection up d7aa1e3e-f13f-47b1-8c4a-a99d73bf4dd3
   # Remove default route to HTB to allow Internet access in Linux
   sudo route del -net default gw 10.10.14.1 netmask 0.0.0.0 dev tun0
Replace d7aa1e3e-f13f-47b1-8c4a-a99d73bf4dd3 in the first command with the UUID of your VPN connection, which can be found using nmcli connection

Now to connect to HTB, ./ConnectToHTB from the terminal.

Thanks for reading 

-DJ

Comments

  1. Hopefully this doesn't end up as a double comment, but my last comment just didn't show up.

    In any case, for anyone stumbling across this from the internet, there is far simpler solution. You can just tell network manager not to add the default route.

    ```sh
    $ nmcli connection import type openvpn file [username].ovpn
    $ nmcli connection edit [username]
    # Change connection name to something useful
    > set connection.id htb
    # Disable default routes
    > set ipv4.never-default true
    > set ipv6.never-default true
    # Save the connection changes
    > save
    $ nmcli connection up htb
    ```

    ReplyDelete

Post a Comment