| Setting | Value |
|---|---|
| VLAN Name | CLIENT-DELIVERY-ZONE |
| VLAN ID | 50 |
| Subnet | 192.168.50.0/24 |
| Gateway | 192.168.50.1 |
| Bridge | vmbr50 (PVE2) |
| DNS | 8.8.8.8 |
- PVE2 provides NAT for the 192.168.50.0/24 subnet via iptables MASQUERADE
- Proxy VM 101 has a static route: 192.168.50.0/24 via 192.168.1.9 (persistent via netplan)
- CDW VMs have a route to the VPN subnet: 10.50.10.0/24 via 192.168.50.11
| Direction | Ports | Protocol | Action |
|---|---|---|---|
| CDW → Internet | 80, 443, 22, 53 | TCP | Allow |
| CDW → Internet | 51820 | UDP | Allow (WireGuard) |
| CDW → Training VLAN | All | All | Block |
| CDW → Management Network | All | All | Block |
| CDW → Internet | All other | All | Block |
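The following is an added example, not part of the original page, that models the egress table above as an ordered first-match rule list so the policy can be checked against sample flows before it is entered into the firewall. The Training VLAN and Management Network subnets are not given on the page, so the values used for them are placeholders, and "Internet" is modelled as any globally routable destination address (an assumption about how that alias resolves); the CDW and VPN subnets are the ones stated above.

```python
"""Added example: first-match evaluation of the CDW egress policy table.

Not from the original page. TRAINING_VLAN and MANAGEMENT_NET are placeholders
(the page does not state them); 'Internet' is assumed to mean any globally
routable address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet

# Subnets stated on the page
CDW_SUBNET = ipaddress.ip_network("192.168.50.0/24")
VPN_SUBNET = ipaddress.ip_network("10.50.10.0/24")

# Placeholder / assumed subnets (not given on the page)
TRAINING_VLAN = ipaddress.ip_network("192.168.60.0/24")   # placeholder
MANAGEMENT_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption: PVE hosts sit here


def is_internet(ip: ipaddress.IPv4Address) -> bool:
    """Assumption: the 'Internet' alias means public, globally routable addresses."""
    return ip.is_global


@dataclass(frozen=True)
class Rule:
    name: str
    dst_match: Callable[[ipaddress.IPv4Address], bool]
    proto: str                              # "tcp", "udp" or "any"
    ports: FrozenSet[int] = frozenset()     # empty = all ports
    action: str = "block"

    def matches(self, ip, proto, port) -> bool:
        if not self.dst_match(ip):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


# The table's rows in order: evaluated top to bottom, first match wins.
CDW_POLICY = [
    Rule("cdw->internet tcp 80/443/22/53", is_internet, "tcp", frozenset({80, 443, 22, 53}), "allow"),
    Rule("cdw->internet wireguard", is_internet, "udp", frozenset({51820}), "allow"),
    Rule("cdw->training vlan", lambda ip: ip in TRAINING_VLAN, "any"),
    Rule("cdw->management", lambda ip: ip in MANAGEMENT_NET, "any"),
    Rule("cdw->internet all other", is_internet, "any"),
]


def evaluate(policy, dst: str, proto: str, port: int, default: str = "block"):
    """Return (action, rule_name) for the first matching rule, or (default, 'default-policy')."""
    ip = ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(ip, proto, port):
            return rule.action, rule.name
    return default, "default-policy"


def uncovered_flows(policy, flows):
    """Flows no explicit rule decides, i.e. that depend on the firewall's default policy."""
    return [f for f in flows if evaluate(policy, *f)[1] == "default-policy"]


if __name__ == "__main__":
    # Constructed sample flows (not from the page)
    samples = [
        ("1.1.1.1", "tcp", 443),        # web: allowed
        ("8.8.8.8", "udp", 53),         # DNS over UDP: the table only lists 53/TCP
        ("192.168.1.9", "tcp", 22),     # SSH into the management network: blocked
        ("10.50.10.5", "udp", 51820),   # VPN subnet: no row in the table covers it
    ]
    for flow in samples:
        print(flow, "->", evaluate(CDW_POLICY, *flow))
    print("decided only by the default policy:", uncovered_flows(CDW_POLICY, samples))
```

Two things the model surfaces from the table as written: port 53 is allowed only over TCP, so a UDP DNS query to 8.8.8.8 falls through to the "All other" block; and traffic to the VPN subnet 10.50.10.0/24 matches no row at all, so its fate depends on the firewall's default policy, which is worth confirming when the OPNsense rules are configured.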
Note: Dreamwall/OPNsense firewall rules are pending configuration.
The CDW Guacamole instance is proxied through the existing Nginx reverse proxy on PVE1 VM 101 (crc-proxy-gateway-01, 192.168.1.55).
- Site config: /etc/nginx/sites-available/crc.guac.02.tcecure.com
- TLS: Certbot-managed Let's Encrypt certificate (expires 2026-07-28, auto-renewal)
- Proxy target: http://192.168.50.10:8080/guacamole/
- Features: WebSocket support, HTTP→HTTPS redirect
Local Machine
→ ssh devin-adm@108.31.169.90 -p 2225 (PVE1)
→ ssh devin-adm@192.168.1.9 (PVE2)
→ ssh crc-adm@192.168.50.X (CDW VM)
| User | Auth | Sudo | Purpose |
|---|---|---|---|
| crc-adm | SSH key (ed25519) | NOPASSWD | Admin operations |
| devin-adm | SSH key (ed25519) | NOPASSWD | Automation |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDjh69D3QRj3wXt34v62ufdXOjGf0q2KkMK/trdFxsz crc-adm@tcecure
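As an added example (not code from the page), the snippet below parses an OpenSSH public-key line such as the crc-adm key above, checks that the type declared on the line matches the type encoded inside the blob and that the Ed25519 key material is the expected 32 bytes, and computes the SHA256 fingerprint in the form `ssh-keygen -lf` prints. That fingerprint is what to compare before the key is copied into authorized_keys on each CDW VM. The only input used is the key line as listed on the page; the malformed line in the usage note is constructed.

```python
"""Added example (not from the page): validate an OpenSSH public-key line and
compute its SHA256 fingerprint for comparison before distribution."""
import base64
import hashlib
import struct

EXPECTED_KEY_LEN = {"ssh-ed25519": 32}   # a raw Ed25519 public key is always 32 bytes


def _ssh_strings(blob: bytes):
    """Split an SSH wire blob into its length-prefixed strings (RFC 4251 'string')."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("string runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_openssh_pubkey(line: str) -> dict:
    """Return type, key length, comment and SHA256 fingerprint of a '<type> <base64> [comment]' line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    fields = _ssh_strings(blob)
    if not fields or fields[0].decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match the type inside the blob")
    if len(fields) < 2:
        raise ValueError("blob has no key material")
    # Second wire string: the raw public key for ssh-ed25519 (for ssh-rsa it is the exponent).
    key_len = len(fields[1])
    expected = EXPECTED_KEY_LEN.get(key_type)
    if expected is not None and key_len != expected:
        raise ValueError(f"{key_type} key should be {expected} bytes, got {key_len}")
    # ssh-keygen -lf reports SHA256 over the decoded blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "key_len": key_len, "comment": comment, "fingerprint": fingerprint}


# The crc-adm key exactly as listed on the page
CRC_ADM_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDjh69D3QRj3wXt34v62ufdXOjGf0q2KkMK/trdFxsz "
               "crc-adm@tcecure")

if __name__ == "__main__":
    print(parse_openssh_pubkey(CRC_ADM_KEY))
```

A line whose prefix has been edited to `ssh-rsa` but still carries the Ed25519 blob (a constructed bad input) is rejected with a ValueError, because the type inside the blob, not the prefix, is what the server will actually use.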
All CDW connections are organized under: CDW - Client Delivery Workbench
| Connection | Type | Target | Username |
|---|---|---|---|
| CDW Guacamole SSH | SSH | 192.168.50.10 | crc-adm |
| CDW VPN Gateway SSH | SSH | 192.168.50.11 | crc-adm |
| CDW Kali Ops RDP | RDP | 192.168.50.12 | crc-adm |
| CDW Scanner SSH | SSH | 192.168.50.13 | crc-adm |
| CDW Monitor SSH | SSH | 192.168.50.14 | crc-adm |
| CDW Windows RDP | RDP | 192.168.50.15 | crc-adm |
| CDW Capture SSH | SSH | 192.168.50.16 | crc-adm |
| Group | Access Level |
|---|---|
| cdw-admins | Full access to all connections + system admin |
| cdw-operators | Access to all CDW connections |
| cdw-temporary-users | Time-limited access (per engagement) |