As I have been completing various capture the flag challenges, I have wanted to review the network traffic by running it through tools such as Suricata and Zeek. I have captured this traffic with tcpdump manually, but I wanted to automate the collection. Looking at the man page for OpenVPN, I found the relevant option: --up.

--up cmd

Run command cmd after successful TUN/TAP device open (pre --user UID change).

This option lets you run a script automatically once the tunnel device is up, but for that script to actually execute a second option must be set as well: --script-security must be set to 2.

--script-security level
This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

0 Strictly no calling of external programs
1 (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
2 Allow calling of built-in executables and user-defined scripts.
3 Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

So our command at this point looks something like this:

sudo openvpn --config profile.ovpn --script-security 2 --up upscript.sh

Now what does upscript.sh need to look like? A simple script might look like the one below.

#!/bin/bash
# Capture everything crossing the tunnel; -Z hands the file to the invoking user.
# %H (zero-padded hour) replaces %k, whose space padding before 10:00 would
# split the unquoted file name into two arguments.
tcpdump -i tun0 -s 65535 -w "./tun0-$(date +%Y%m%d%H%M%S).pcap" -Z "$(logname)" &

This script will create a pcap in the directory from which OpenVPN was launched, named tun0-<timestamp>.pcap. The -Z option specifies the owner of the pcap. If -Z is not specified, the pcap file will be owned by the user tcpdump and standard users will not be able to access the file. The trailing ampersand is essential: OpenVPN waits for the --up script to exit before it starts passing traffic, so if the ampersand is left off, tcpdump blocks the script and OpenVPN will not pass traffic.
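A hook in the same spirit, added here as an example rather than the script from the post: one file that serves both --up and --down, so tcpdump is stopped cleanly (its buffer flushed) when the tunnel closes. It uses the device name OpenVPN passes as $1 instead of hard-coding tun0; CAPTURE_DIR, CAPTURE_OWNER and PIDFILE_DIR are names chosen for this example, and it assumes OpenVPN is launched through sudo so that SUDO_USER names the capture owner.

```shell
#!/bin/sh
# Added example, not the post's script: one hook for both --up and --down that
# starts tcpdump on the device OpenVPN passes as $1 and stops it on --down.
# OpenVPN exports script_type ("up"/"down"); the CAPTURE_* names are ours.
CAPTURE_DIR="${CAPTURE_DIR:-$PWD}"
CAPTURE_OWNER="${CAPTURE_OWNER:-${SUDO_USER:-root}}"   # assumes launch via sudo
PIDFILE_DIR="${PIDFILE_DIR:-/run}"

# Capture file name: <device>-<timestamp>.pcap. %H is zero-padded, so the
# name never contains the space that %k produces before 10:00.
capture_path() {
    dev="$1"
    stamp="${2:-$(date +%Y%m%d%H%M%S)}"
    printf '%s/%s-%s.pcap' "$CAPTURE_DIR" "$dev" "$stamp"
}

pidfile_path() {
    printf '%s/openvpn-capture-%s.pid' "$PIDFILE_DIR" "$1"
}

start_capture() {
    dev="$1"
    # Backgrounded: OpenVPN waits for the --up script to exit before it
    # starts passing traffic, so a foreground tcpdump would stall the VPN.
    tcpdump -i "$dev" -s 65535 -w "$(capture_path "$dev")" -Z "$CAPTURE_OWNER" &
    echo "$!" > "$(pidfile_path "$dev")"
}

stop_capture() {
    pf="$(pidfile_path "$1")"
    [ -f "$pf" ] || return 0
    # SIGTERM makes tcpdump flush its buffer and close the file cleanly.
    kill "$(cat "$pf")" 2>/dev/null
    rm -f "$pf"
}

# Dispatch on the hook type; returns 1 for anything else.
handle_event() {
    case "$1" in
        up)   start_capture "$2" ;;
        down) stop_capture "$2" ;;
        *)    return 1 ;;
    esac
}

# Only act when invoked by OpenVPN (script_type is set), not when sourced.
if [ -n "${script_type:-}" ]; then
    handle_event "$script_type" "${1:-${dev:-tun0}}"
fi
```

Point both --up and --down at this one file; with the post's alias that means the same path for openvpn-up.sh and openvpn-down.sh.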

I have taken this a step further and added an alias in my .zshrc file so that I can just run sudo openvpn profile.ovpn and the capture will happen automatically. I did encounter an issue running an alias through sudo, but found the solution at https://linuxhandbook.com/run-alias-as-sudo/. The simple fix is to alias sudo to 'sudo ' with a trailing space, which makes the shell also alias-expand the word that follows sudo. The two alias commands in my .zshrc file are shown below.

# Trailing space: zsh then alias-expands the next word, so "openvpn" is expanded too.
alias sudo='sudo '
# The profile typed after "openvpn" lands after --config, so --config must stay last.
alias openvpn='openvpn --script-security 2 --up /opt/lubak0x0a-scripts/openvpn-up.sh --down /opt/lubak0x0a-scripts/openvpn-down.sh --config'

With these alias commands defined, I can run the following command to launch OpenVPN and log all network traffic across the tunnel.

sudo openvpn profile.ovpn

The commands in this article will need to be adapted to meet your needs, but I hope it provides a starting point. If you find any errors or run into any issues please let me know and I will update this guide with your input.

OpenVPN Traffic Capture