VPN Setup
For CTFs, Hack The Box, Red vs Blue exercises, and private labs, you often need to connect your VM to a VPN to access remote networks safely.
The simplest, most portable way across Windows, Linux, and macOS is to run the VPN inside the VM itself.
Hack the Box Guide
HTB has a page on this; you can read that one or continue reading.
Step by Step
- Install a VPN client inside your VM

  For example, install OpenVPN:

  ```bash
  sudo apt update
  sudo apt install openvpn
  ```

- Transfer your `.ovpn` file into the VM

  Download or copy the VPN configuration file from your CTF provider.

- Connect to the VPN inside the VM

  ```bash
  sudo openvpn --config your-config-file.ovpn
  ```

- Verify the VPN Connection

  Inside the VM, check for the VPN interface (`tun0`) and confirm you can reach the CTF network:

  ```bash
  ip addr
  # Try and ping a HTB machine
  ping X.X.X.X
  ```
Virtual Machine Network Settings
- Set the VM to use NAT mode in your hypervisor (VirtualBox, VMware, etc.)
- NAT allows the VM to reach the internet (and thus connect to the VPN) without exposing the VM directly to the host network.
Pros and Cons
| Pros | Cons |
|---|---|
| Easiest, fastest setup | VPN config and keys live inside the VM |
| Works identically across Windows/Linux/Mac hosts | If VM is compromised, VPN session could be exposed |
| Full control from inside the VM | Might use a bit more VM resources |
(Optional) Advanced Setup: VPN on Host, VM Routed Through Tunnel
For more advanced setups, you can connect to the VPN on the host and route only VM traffic through the tunnel.
Why Use This Method?
- The VM does not need to manage VPN credentials or config files.
- The VM's traffic is transparently routed through the host’s VPN.
- Adds an extra layer of separation: the VM is unaware it’s using a VPN.
- Reduces risk if the VM is compromised.
High-Level Steps
- Connect to the VPN on your host machine
  - Use OpenVPN client normally.
  - Verify you have a VPN interface like `tun0` (Linux), `utunX` (macOS), or a TAP adapter (Windows).
- Configure the VM to use the VPN interface
  - In VirtualBox, set the VM’s Network Adapter to:
    - Bridged Adapter
    - Attach to the VPN network interface (`tun0`, TAP, etc.)
  - If the VPN interface is not selectable, a manual virtual bridge may be needed (advanced).
- Ensure Only the VM Uses the VPN
  - Configure routing rules or firewall rules on the host:
    - Ensure that only VM traffic is sent through the VPN.
    - Prevent host system traffic from leaking through the VPN unintentionally.
  - Example (Linux):
    - Use `iptables` or `firewalld` to isolate traffic by interface.
    - Policy-based routing using `ip rule` and `ip route` if needed.
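One way to implement the Linux isolation step above with `ip rule`, `ip route` and `iptables`, as an added example that is not part of the original guide. It assumes the VM sits on a host-only network (`vboxnet0`, `192.168.56.0/24`) rather than a bridge and that routing table `100` is unused; those names, the `APPLY` switch and the function names are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumed values; override via environment.
VM_IF="${VM_IF:-vboxnet0}"           # host-side interface the VM attaches to (assumed)
VM_NET="${VM_NET:-192.168.56.0/24}"  # subnet used by the VM (assumed)
VPN_IF="${VPN_IF:-tun0}"             # VPN interface on the host
TABLE="${TABLE:-100}"                # routing table reserved for VM traffic (assumed)

# Emit the host commands in order so they can be reviewed before being applied.
vm_vpn_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace default dev $VPN_IF table $TABLE
ip rule add from $VM_NET lookup $TABLE priority 1000
iptables -A FORWARD -i $VM_IF -o $VPN_IF -s $VM_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $VM_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VM_IF -j DROP
iptables -t nat -A POSTROUTING -s $VM_NET -o $VPN_IF -j MASQUERADE
EOF
}
# Rule order matters: VM traffic is forwarded only into the tunnel, replies are
# allowed back, and the DROP rule acts as a kill switch if the tunnel goes down
# (the table-$TABLE route vanishes and packets would otherwise follow the main table).

# Read `ip route get` output on stdin and print the egress device.
egress_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the route shown on stdin leaves through the VPN interface.
uses_vpn() {
  [ "$(egress_dev)" = "$VPN_IF" ]
}

if [ "${APPLY:-0}" = 1 ]; then
  vm_vpn_rules | sh -e   # needs root; changes host routing and firewall state
else
  vm_vpn_rules           # dry run: print only
fi
```

Starting OpenVPN on the host with `--route-nopull` keeps server-pushed routes out of the host's main table, so only the VM subnet is steered into the tunnel. After applying, pipe `ip route get <target> from <vm-ip> iif vboxnet0` into `uses_vpn` to confirm that VM traffic egresses through `tun0`.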
Pros and Cons
| Pros | Cons |
|---|---|
| VM is unaware of VPN, safer in some cases | More complex to set up |
| No VPN credentials inside the VM | Requires careful network and firewall setup |
| Host retains more control over traffic | Platform differences (Linux best, Windows/Mac harder) |
Which Method Should You Use?
| Situation | Recommended Setup |
|---|---|
| Fastest and simplest across all OS | VPN inside the VM |
| Maximum control and separation | VPN on the host, VM bridged to tunnel |
Final Advice
- Start with VPN inside the VM: it's faster, safer, and easier to troubleshoot.
- Move to a VPN-on-the-host setup only if you need strict traffic isolation, host-controlled routing, or extra security protections.