- Reset environment to baseline (if not already clean):
ssh devin-adm@192.168.1.9 # PVE2
for vmid in 300 301 302 303 304 306; do
sudo qm rollback $vmid cdw-baseline-v1
sudo qm start $vmid
done
- Generate client VPN config (see VPN Configuration)
- Create Guacamole user in the cdw-temporary-users group
- Deploy WireGuard to client endpoint via NinjaOne or manual config
- Export results from Kali, OpenVAS, and Wazuh
- Disable client access:
  - Remove/disable Guacamole temporary user
  - Remove client WireGuard peer from wg0.conf on VM 301
  - Restart WireGuard:
    sudo wg-quick down wg0 && sudo wg-quick up wg0
- Reset environment to baseline snapshot
ssh devin-adm@192.168.1.9
for vmid in 300 301 302 303 304 305 306; do
echo "=== VM $vmid ==="
sudo qm listsnapshot $vmid
done
SNAP_NAME="cdw-baseline-v2"
for vmid in 300 301 302 303 304 306; do
sudo qm snapshot $vmid $SNAP_NAME --description "CDW baseline $(date +%Y-%m-%d)"
echo "Snapshot $SNAP_NAME created on VM $vmid"
done
sudo qm rollback 302 cdw-baseline-v1
sudo qm start 302
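An added example, not part of this runbook, that wraps the rollback loop above in a script which refuses to roll back a VM whose baseline snapshot is missing and confirms each VM is running afterwards; the QM and RUN_RESET variables are assumptions made here so the functions can be exercised with a stub instead of the real qm.

```shell
#!/usr/bin/env bash
# Added example: engagement reset helper for the CDW lab, not part of the runbook.
# Assumptions: runs on the Proxmox host (PVE2) with sudo rights to qm; QM and
# RUN_RESET are names chosen here so the functions can be exercised with a stub.
set -u
QM="${QM:-sudo qm}"

# Return 0 when snapshot "$2" is listed for VM "$1" (exact match on a
# whitespace-separated field of `qm listsnapshot` output, so "v1" never
# matches "v10" and the "`->" tree prefix is ignored).
has_snapshot() {
  $QM listsnapshot "$1" 2>/dev/null |
    awk -v n="$2" '{ for (i = 1; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit !found }'
}

# Roll one VM back to the named baseline and start it again. A VM without
# that snapshot is skipped rather than left in its post-engagement state,
# so a mistyped snapshot name cannot silently pass as "clean".
reset_vm() {
  local vmid="$1" snap="$2"
  if ! has_snapshot "$vmid" "$snap"; then
    echo "VM $vmid: snapshot '$snap' not found, not rolled back" >&2
    return 1
  fi
  $QM rollback "$vmid" "$snap" || return 1
  $QM start "$vmid" || return 1
  # `qm status` prints "status: running" once the guest is up.
  $QM status "$vmid" | grep -q 'status: running'
}

# Reset every VMID given after the snapshot name; returns the number of
# VMs that could not be brought back to baseline (0 means all clean).
reset_all() {
  local snap="$1" failed=0 vmid
  shift
  for vmid in "$@"; do
    if reset_vm "$vmid" "$snap"; then
      echo "VM $vmid reset to $snap and running"
    else
      failed=$((failed + 1))
    fi
  done
  echo "$failed VM(s) failed to reset"
  return "$failed"
}

# Real run on PVE2:  RUN_RESET=1 ./reset.sh
if [ "${RUN_RESET:-0}" = 1 ]; then
  reset_all cdw-baseline-v1 300 301 302 303 304 306
fi
```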
- Log in as guacadmin
- Settings → Users → Add User
- Set username, password, expiration date
- Assign to group: cdw-temporary-users
- The user will only see CDW connections
- CDW - Client Delivery Workbench — contains all 7 connections
- cdw-admins — full admin access
- cdw-operators — operational access to all connections
- cdw-temporary-users — limited, time-bound access
ssh crc-adm@192.168.50.11
# Generate client keys (on any machine)
wg genkey | tee client_private.key | wg pubkey > client_public.key
# Add peer on VPN server
sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.50.10.X/32
# Make persistent
sudo wg-quick save wg0
# Remove a client peer and persist the change
sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> remove
sudo wg-quick save wg0
# Verify the peer is gone
sudo wg show
- Check if VM 300 is running (on PVE2):
sudo qm status 300
- Check Guacamole service:
ssh crc-adm@192.168.50.10 'sudo docker ps'
- Check proxy route:
ssh devin-adm@192.168.1.55 'ip route | grep 192.168.50'
- Check nginx:
ssh devin-adm@192.168.1.55 'sudo nginx -t && sudo systemctl status nginx'
- Verify WireGuard is running:
ssh crc-adm@192.168.50.11 'sudo wg show'
- Check that port 51820/UDP is open on Dreamwall
- Verify DNS:
nslookup vpn.cdw.tcecure.com
- Check client config matches server public key
- Check VM status (on PVE2):
sudo qm status <VMID>
- Try restart:
sudo qm reboot <VMID>
- If stuck, force stop and start:
sudo qm stop <VMID> && sudo qm start <VMID>
- Last resort — roll back to baseline:
sudo qm rollback <VMID> cdw-baseline-v1
- Username: crc-adm
- Password: CDW_Ops2026
- If XRDP shows the old username, log out of Guacamole and reconnect
- Restart XRDP if needed:
ssh crc-adm@192.168.50.12 'sudo systemctl restart xrdp'