enowars/bambictf

Move the player VPN away from the vulnbox onto the router

ldruschk opened this issue · 6 comments

This allows testing the setup up-front before the vulnboxes are running and allows the players to access the network even when their vulnbox is down.

Should we open the test submission endpoint for the players, or should they not be able to submit flags from that network?

Connecting to one VPN appeared to be a mental overload for some players, I fear it will get worse if two different VPNs are involved 😇

I am not sure that I am 100% sure what you mean regarding the test submission endpoint.

My plan is to rework the network layout and give every team a /24 network with the vulnbox being 10.0.1.1/25 and the player VPN being 10.0.1.128/25. If teams want to self-host the vulnbox and use a separate router VM they can assign that machine the 10.0.1.126/25 or whatever else they like.

We could then simply configure the /24 subnet in the ctf.json and flag submissions would work from both the player VPN and the vulnbox VPN (or the "local" network if teams wish to self-host).

The teams which do not want to self-host would never have to touch the vulnbox VPN and instead would only see the player VPN, with the added benefit that they are able to test that upfront. Although I would suggest adding more clarification on the download page to avoid teams downloading the wireguard config for the vulnbox and thus disconnecting themselves, something like "DANGER ZONE" in huge red letters should(TM) be sufficient.
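The per-team /24 layout sketched in the comment above, as an added example that is not part of the issue or the bambictf repo: it derives the two /25 halves for a team and classifies a flag-submission source address by team and segment. It assumes team n is given 10.0.n.0/24 (the thread only shows team 1) and that the self-hosted router sits at .126 as suggested.

```python
import ipaddress

# Assumption: all team networks live under one /16, team n -> 10.0.n.0/24.
TEAM_SUPERNET = ipaddress.ip_network("10.0.0.0/16")


def team_layout(team_id: int) -> dict:
    """Return the /24 (for ctf.json) and its two /25 halves for one team."""
    if not 1 <= team_id <= 255:
        raise ValueError("team id must fit into the third octet of 10.0.n.0/24")
    team_net = ipaddress.ip_network(f"10.0.{team_id}.0/24")
    vulnbox_net, player_vpn_net = team_net.subnets(new_prefix=25)
    return {
        "team_net": team_net,                      # 10.0.n.0/24, used in ctf.json
        "vulnbox_net": vulnbox_net,                # 10.0.n.0/25
        "vulnbox_ip": vulnbox_net.network_address + 1,            # 10.0.n.1
        "self_host_router_ip": vulnbox_net.network_address + 126, # 10.0.n.126
        "player_vpn_net": player_vpn_net,          # 10.0.n.128/25
    }


def classify_submitter(src: str) -> tuple:
    """Map a flag-submission source address to (team_id, segment).

    segment is "vulnbox" for the lower /25 (vulnbox or self-hosted router),
    "player_vpn" for the upper /25, and (None, "outside") for anything that
    is not inside a team /24, which the submission endpoint should reject.
    """
    addr = ipaddress.ip_address(src)
    if addr.version != 4 or addr not in TEAM_SUPERNET:
        return None, "outside"
    team_id = (int(addr) >> 8) & 0xFF  # third octet selects the team
    if team_id == 0:
        return None, "outside"          # 10.0.0.0/24 is not assigned to a team
    layout = team_layout(team_id)
    segment = "vulnbox" if addr in layout["vulnbox_net"] else "player_vpn"
    return team_id, segment
```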

I thought with router you meant our wireguard router, I didn't know you planned to give out more than a /32 to the teams.

Would you put the teamgw and vulnbox into a Hetzner private network? That would reintroduce all our interface name problems, right? We could also stick with /32 and just portforward the service ports to the vulnbox's public IP 😛

What? We can simply run one OpenVPN server per team in addition to the wireguard interfaces. Basically the same thing Faust did https://2020.faustctf.net/information/setup/ and C4T BuT S4D did this as well for their second Catty Blitz, I believe.

There is no need to use the internal networks at all, we can simply forward the traffic between the player VPN and the vulnbox VPN over our router (there shouldn't really be a lot of traffic anyways, since most traffic is usually between vulnbox <-> game network or players <-> game network for exploits).

First I thought you wanted a big OpenVPN for everyone, then I thought you'd want to reintroduce teamgw VMs like traditional A/D CTFs do, but now I get it.

I am not sure if the benefit "teams can still exploit when their vulnbox is down" is big enough, though. If a team manages to bar themselves out of the vulnbox they have confused "capture the flag" with "configure the firewall" and I don't mind them losing points, and if an attacker manages to do that then our vulnbox is bad and we should feel bad.

The main advantage when we consider this a beginner CTF is that people are able to set up their OpenVPN configuration in advance, since that apparently caused more problems than expected. Also, if the public IPs of the teams got lost again they could still simply log in through the VPN since they know their private IP.