support VPN tunnels from control-server to exit-nodes

[sprocketsecurity]

As a user I would like to use multiple cloud providers. This would require a VPN tunnel so traffic could be routed out various exit-nodes.

Engineering notes:
there is a blocking issue: the intrarouting with OpenVPN is prevented TCP traffic from traversing the tunnel when destin to the Internet (0.0.0.0/0).

We're tried adding an iroute statement in the ccd for exit-nodes with iroute 0.0.0.0 128.0.0.0
but this isn't helping. UDP and ICMP traffic work ok, but TCP doesn't. Odd. Problem appears to be with traffic being accepted on the tun interface of the exit-node.

TODO:

• Troubleshoot openvpn configs, perhaps we had something wrong with our configs.
• Possibly ditch layer 3 tunneling for layer 2. Not optimal, but would probably work. This would require some tweaking to multi-path routing.

[W9HAX]

Discussion came up about using SSH Layer 3 tunnels for Node -> Server connections. This might remove the OpenVPN traffic exceptions we're seeing, worth a shot.

Refer to GraphX SSH Tunnel's example:

#Pivotbox changes:
openvpn --mktun --dev tun0
ifconfig tun0 1.1.1.2 netmask 255.255.255.252 up
#IP Forwarding and PermitTunnel yes only need to be done once
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "PermitTunnel yes" >> /etc/ssh/sshd_config 
service sshd reload
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


#local kali vm
openvpn --mktun --dev tun0
ifconfig tun0 1.1.1.1 netmask 255.255.255.252 up
ssh -w 0:0 -fN user@linuxbox
#hostFile is one IP per line you can get almost that by exporting the hosts from the msf database using hosts -c address -o /tmp/hostFile
tr -d '"' /tmp/hostFile > hosts
cat hosts | while read LINE; do
route add -host $LINE dev tun0
done