Tunneling Windows VM to Target Environment (WireGuard)

There have been many cases where I needed to use a Windows machine on an internal test but only had a Linux VM inside the client network. I need a Windows VM most often when doing Active Directory testing and running into tooling issues on Linux. One option is to turn the Linux machine into a WireGuard VPN server and connect to it from a Windows VM. Once the tunnel is up, you can use the Windows runas command to launch a PowerShell session as an authenticated domain user in the client environment.

Example Windows VM with Active AD Session in Foreign Environment

Setup WireGuard VPN on Internal Network (Kali Linux)

Install WireGuard

sudo apt install wireguard resolvconf

Generate Keys

umask 077   # private key files must not be readable by other users on the host
wg genkey | tee server-privatekey | wg pubkey > server-publickey
wg genkey | tee client-privatekey | wg pubkey > client-publickey

Create Server Config

sudo tee /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $(cat server-privatekey)

[Peer]
PublicKey = $(cat client-publickey)
AllowedIPs = 10.10.10.2/32
EOF

sudo chmod 600 /etc/wireguard/wg0.conf   # config contains the server private key

Create Client Config

tee client.conf << EOF
[Interface]
PrivateKey = $(cat client-privatekey)
Address = 10.10.10.2/32
DNS = $(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)

[Peer]
PublicKey = $(cat server-publickey)
AllowedIPs = 0.0.0.0/0
Endpoint = $(ip addr show tun0 | grep inet | awk '{ print $2 }' | cut -d/ -f1 | head -1):51820
PersistentKeepalive = 21
EOF

Configure Network Adaptor

sudo wg-quick up wg0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

The above assumes eth0 is the adaptor facing the client network (the interface that tunnelled traffic is masqueraded out of) and that the Windows VM can reach the Kali host on the tun0 address used as the Endpoint in client.conf. Adjust both interface names if your setup differs; a wrong Endpoint address shows up as a handshake that never completes, while a wrong NAT interface gives a working handshake but no traffic beyond the Kali host.
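The server-side steps above, as an added example that is not part of the original post: a re-runnable script that validates key files before writing them into a config, keeps every key and config file at mode 600, and checks whether each iptables rule already exists before adding it, so running it again after a reconnect does not stack duplicate rules. The variable names, function names and the ENDPOINT_IF/LAN_IF defaults are this example's own assumptions; keys are generated with wg on the Kali host, and ALLOWED_IPS can be narrowed to just the target subnets if only those should go through the tunnel.

```shell
#!/bin/sh
# Added example (not the post's own commands): parameterised, re-runnable
# server-side WireGuard setup. Names below are this example's assumptions.
set -eu

WG_PORT="${WG_PORT:-51820}"
ENDPOINT_IF="${ENDPOINT_IF:-tun0}"      # interface the Windows VM reaches this host on
LAN_IF="${LAN_IF:-eth0}"                # interface facing the client network (NAT out)
ALLOWED_IPS="${ALLOWED_IPS:-0.0.0.0/0}" # narrow to the target subnets to tunnel only them

# A WireGuard key is 32 random bytes in base64; reject anything else before it
# lands in a config, so an empty or truncated key file is caught early.
wg_key_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# First IPv4 address on an interface (the Endpoint the client will dial).
iface_ip4() {
    ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1 | head -1
}

# Render wg0.conf and client.conf from explicit values into directory $7.
render_wg_configs() {
    server_priv=$1 server_pub=$2 client_priv=$3 client_pub=$4
    endpoint_ip=$5 dns_ip=$6 outdir=$7
    for k in "$server_priv" "$server_pub" "$client_priv" "$client_pub"; do
        wg_key_ok "$k" || { echo "malformed WireGuard key" >&2; return 1; }
    done
    cat > "$outdir/wg0.conf" <<EOF
[Interface]
Address = 10.10.10.1/24
ListenPort = $WG_PORT
PrivateKey = $server_priv

[Peer]
PublicKey = $client_pub
AllowedIPs = 10.10.10.2/32
EOF
    cat > "$outdir/client.conf" <<EOF
[Interface]
PrivateKey = $client_priv
Address = 10.10.10.2/32
DNS = $dns_ip

[Peer]
PublicKey = $server_pub
AllowedIPs = $ALLOWED_IPS
Endpoint = $endpoint_ip:$WG_PORT
PersistentKeepalive = 21
EOF
    chmod 600 "$outdir/wg0.conf" "$outdir/client.conf"
}

# Append an iptables rule only if -C says it is not already present.
ipt_ensure() {  # usage: ipt_ensure TABLE CHAIN rule...
    t=$1; c=$2; shift 2
    sudo iptables -t "$t" -C "$c" "$@" 2>/dev/null || sudo iptables -t "$t" -A "$c" "$@"
}

setup_wg() {
    umask 077   # key files created below must not be world-readable
    command -v wg >/dev/null || { echo "install wireguard-tools first" >&2; return 1; }
    [ -s server-privatekey ] || wg genkey | tee server-privatekey | wg pubkey > server-publickey
    [ -s client-privatekey ] || wg genkey | tee client-privatekey | wg pubkey > client-publickey
    render_wg_configs "$(cat server-privatekey)" "$(cat server-publickey)" \
        "$(cat client-privatekey)" "$(cat client-publickey)" \
        "$(iface_ip4 "$ENDPOINT_IF")" \
        "$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)" .
    sudo install -m 600 wg0.conf /etc/wireguard/wg0.conf
    sudo wg show wg0 >/dev/null 2>&1 || sudo wg-quick up wg0
    sudo sysctl -q -w net.ipv4.ip_forward=1
    ipt_ensure nat POSTROUTING -o "$LAN_IF" -j MASQUERADE
    ipt_ensure filter FORWARD -i wg0 -o "$LAN_IF" -j ACCEPT
    ipt_ensure filter FORWARD -i "$LAN_IF" -o wg0 -j ACCEPT
    echo "client.conf is ready to paste into the Windows WireGuard client"
}

# Run as: sh wg-server.sh apply   (without the argument only the functions are defined)
if [ "${1:-}" = "apply" ]; then setup_wg; fi
```

Rendering the configs from explicit arguments, rather than from $(cat ...) inside the heredoc, means the files can be inspected before wg-quick reads them, and a missing key file fails loudly instead of producing a config with an empty PrivateKey line.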

Configure Client (Windows VM)

Install WireGuard Client (PowerShell)

Invoke-WebRequest -Uri https://download.wireguard.com/windows-client/wireguard-installer.exe -OutFile wireguard-installer.exe
.\wireguard-installer.exe

Configure VPN Profile

Create VPN Profile in WireGuard VPN (Windows)

Paste in the contents of client.conf that was created during the server setup.

Example Config (Templated)

Test VPN Access

After activating the WireGuard VPN profile, test the connection with the following command; it should return the domain's DNS records via the nameserver set in client.conf.

nslookup <CLIENT_DOMAIN>

Launch Shell as Domain User

runas /netonly /user:<ADDOMAIN>\<ADUSER> powershell.exe

# Confirm domain access from the new shell
net view \\<ADDOMAIN>

This technique of launching a shell as an AD user from a system that is not domain-joined was originally found in the SharpHound documentation.
