-
Notifications
You must be signed in to change notification settings - Fork 69
Configuration
The configuration of the framework is very easy. There are different sections of the configuration that needs to be handled in a different manner:
- Global settings
- Authentication settings
- Encryption settings
- Transport module settings
All these sections serve a different purpose in the framework's life, but it is almost self-explanatory.
The Global settings section consists several settings that are needed for the framework itself. This is used to set up the client and server mode, and the address of the server.
Most of the default settings do not really need to be modified. If you know what you are doing, please adjust the settings, otherwise just state your server's IP and hostname below.
Example configuration for the Global section:
remoteserverip = 54.76.113.73
remoteserverhost = PUT_YOUR_SERVER_HOSTNAME_HERE
# SERVER configs, does not really need to be modified
serverif = xfl0
serverip = 10.9.0.1
servernetmask = 24
serverbind = 0.0.0.0
# CLIENT configs, does not really need to be modified
clientif = xfl0
clientip = 10.9.0.101
clientnetmask = 24
mtu = 1350
scope = scope.txt
Here comes your server's IP, the client will connect to this IP over the different protocols.
Your server's hostname/domain name should be stated here. Some modules use this instead of the IP address (like SOCKS v5).
default: xfl0
Name of the interface on the server side. By leaving it to the default, it is almost sure that it will not collide with any other tools.
Please note that this setting is Linux specific
default: 10.9.0.1
Change it to whatever IP that you like, this will be the IP of the server. Please make sure that the client IPs are in the same range as this IP/netmask.
default: 24
Netmask that specifies the VPN's IP range.
default: 0.0.0.0
By default the tool binds on all interfaces. If you want to bind to a specific interface, please specify the IP address of that one.
default: xfl0
Same thing as the serverif, but on the client side. It does not have to match with the server, this is just an alias for the interface.
Please note that this setting is Linux specific
default: 10.9.0.101
Make sure you change this on every client, otherwise there will be an IP collision on the VPN and the framework will malfunction.
default: 24
Make sure you keep this netmask value as the same as the servernetmask otherwise it will not work properly.
default: 1350
Most network interface's MTU is 1500 by default. We are tunnelling data over those interfaces, so there will be an overhead. 150 bytes for this overhead are more than enough. If you would like to pimp it up, it is up to you. Please note that some of the modules are doing fragmentation, so it will have no or very little effect on those modules.
default: scope.txt
In split tunnelling mode the framework read the file specified in this option. This file should contain a list of IP addresses or ranges of IP addresses that is needed to be accessed over the tunnel. This is very useful, when only a handful of IPs needs to be routed. The following formats can be used in the file:
- Specifying a single IP: 192.168.0.1
- Specifying a small range of IP addresses: 192.168.0.1-200
- Specifying a full range of IP addresses: 192.168.0.1/24
default: N/A
In some cases it is possible that we need to override the default router setting. With this optional value it is possible to change the routing table from the configuration in advance without issuing commands.
See this use case: Unix jumpbox with SSH access
There is a basic Authentication module support in the framework that supports 2-step authentication only (not to confuse with two-factor authentication). This will be improved later. The two authentication module that is done at the moment:
- noauth
- saltedsha512
Example configuration for the Authentication section:
[Authentication]
module = saltedsha512
key = Y0u_mu5t,b3.stup1d-T0_Us3.Th1s_4s_4,K3y
This one is dangerous to enable. Provides no authentication at all. Anybody can connect to the server without knowing any secrets.
By default this is the one enabled. A key must be specified (longer the better) which will be used for the authentication. When the client connects to the server, it generates a salt and concatenates to the key. The salted key will be hashed by SHA-512 and the hash (+salt) will be sent to the server. If the server's key matches, the authentication was successful.
Encryption is on the roadmap will be introduced early 2018 hopefully. Therefore no encryption settings are present in the framework at the moment.
Example configuration for the Encryption section:
TBD
Every transport module is a bit different. The settings needs to be configured depend on the specific module, so each transport module has its own section in the configuration.
To find out how to configure that specific Transport module that you are looking for please find the list of module here: Transport modules
Example configuration for the TCP Generic section:
[TCP_generic]
enabled = yes
serverport = 1337
XFLTReaT 2017-2020 Balazs Bucsay @xoreipeip
- Home - Introduction to XFLTReaT
- The framework - The framework explained
- Installation - How to install the tool
- Configuration - How to configure the framework
- Operating System support - See the supported Operating Systems
- Transport modules - Explanation of the transport modules
- Authentication modules - Explanation of the authentication modules
- Encryption modules - Explanation of the encryption modules
- Use Cases - Examples use cases
- Development - How to develop for the framework