Over the past couple of weeks, we've seen various users talking about TryHackMe's VPN functionality, among several misconceptions. This blog post will clarify these misconceptions by explaining how our network works, what users can expect from this functionality, and general advice on how users can practice good security hygiene.
TryHackMe uses OpenVPN to allow users to communicate with machines used for their practical cyber security training. The users connecting via OpenVPN will be assigned an IP address to identify their VPN connection. This VPN connection is similar to joining a public WiFi Network.
Since machines started in labs are intentionally made to be vulnerable (to practice hacking and defending) and we want users to practice hacking within a safe environment, they're only accessible on the TryHackMe network, through either the VPN connection or AttackBox (and are not publically accessible). A brief diagram of this is shown below:
This communication channel is bi-directional as these vulnerable servers need to respond to any communication packets that are being sent by a user. Many scenarios on TryHackMe rely on this bi-directional communication channel e.g. for users to retrieve files from their host machines for privilege escalation checks, reverse shells, and so on.
As users accessing vulnerable machines needs the ability to access their local machine through an IP address allocated by the VPN server, means other users on the same network can each their own (and other) VPN allocated IP addresses.
TryHackMe's OpenVPN is configurated to only send traffic through the VPN when accessing vulnerable machines, and nothing else. This means when you browse the internet, the traffic does not get sent through the VPN; only traffic on 10.10.*.* is forwarded through the VPN.
Can I Be Hacked?
Since it is possible to reach users' VPN IP addresses, it may be possible for other users to scan these IP addresses. This does not mean that users can be hacked. It merely means that if you are running a service (e.g. a python web server, an FTP server) intended to be accessed by vulnerable machines, other users may also access these other services if they know your IP address and scan for the particular service that's running.
Using the VPN is the same as connecting to a public network, such as a school, cafe, business, or any network where other users are also connected.
What can I do to be more secure?
Now that you're aware that other users may be able to access services and connections you have running, here are some suggestions to reduce your attack surface:
TryHackMe's Attack Box
TryHackMe's in-browser machine (called the AttackBox) is the easiest and most secure way to get started with hacking!
TryHackMe provides all users with an AttackBox machine, that has all the needed security tools pre-installed to start hacking in a legal and safe environment, accessed entirely through the browser. Each user is able to start their own instance of an AttackBox with a click of a button within all TryHackMe labs.
The AttackBox (once started) can only be accessed by either using randomized credentials or a magic link (which is specific to each user). Unless any credential configuration changes are made to the AttackBox, no other users are able to access other instances of an isolated, web-based AttackBox.
Utilizing Virtual Machines
For users planning on connecting to TryHackMe's network via the VPN, we recommend that they set up this connection inside a virtual machine. Virtual machines, when set up correctly, can provide an isolated environment that can be specifically used to install and run tools against vulnerable machines on TryHackMe. In addition to using virtual machines, make sure you:
- Use strong passwords for any services that you're utilizing on the machine.
- Disable services not being used - For example, if you started a python server for TryHackMe exercise, make sure it's disabled after the exercise is complete.