Vulnerable servers on GCP

In an older post, I described painfully and tediously configuring a single OpenVPN server which would connect a user to a private network of vulnerable servers. The idea was to shield the vulnerable servers from public-internet auto-barragement, but make them available for banging on for pop-the-box challenges for my students in my information security management class.

This year, I moved everything to Google Compute Platform – mostly because they offer $300 for new accounts. I also converted from having students run virtual machines on their own laptops to spinning up a GCP version of Kali that I had specially prepared, which included nested virtualization with QEMU for a self-contained pentesting instance.

Furthermore, I also met a new goal – creating a separate VPN network for each team. Surprise, surprise, some of the students in one of my colleague’s classes got cheeky and defaced other teams’ vulnerable servers. Separate VPN networks mitigated that attack vector.

I used Vagrant, Chef (chef-zero), Terraform, and Ansible – in that order – to provision, deploy, and hot-fix manage the separate workspaces for each team. I also switched to provisioning the VPN server with an all-in-one script. Hallelujah.

Check out the repo on GitHub

David Eargle is an Assistant Professor at the University of Colorado Boulder in the Leeds School of Business. He earned his Ph.D. degree in Information Systems from the University of Pittsburgh. His research interests include human-computer interaction and information security. He has coauthored several articles in these areas using neurophysiological and other methodologies in outlets such as the Journal of the Association for Information Systems, the European Journal of Information Systems, the International Conference on Information Systems, and the Hawaii International Conference on System Sciences, along with the Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).
