Description
Describe the bug
- Ligolo-ng Client (Proxy) runs on the Windows host machine.
- Ligolo-ng Agent (Server) runs inside WSL.
- Inside WSL, the OpenVPN Client is also running, which creates the tun0 interface for accessing the remote 10.10.x.x and 10.129.x.x networks.
My current network environment is like this: Kali in WSL is connected to the VM Net8 network card via bridging, and there is a virtual network card Tun0 created after connecting to OpenVPN. The network card in Windows also has the VM Net8 network card, so Kali and Windows can communicate with each other. The current requirement is for Windows to also connect to the virtual network card Tun0 in Kali. Therefore, I set Windows as the Proxy end and Kali as the Agent end to try to establish a tunnel. However, unfortunately, Windows cannot properly access the IP address in the Tun0 network card.
- Kali

```
❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 5e:bb:f6:9e:ee:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.60.100/24 brd 192.168.60.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5cbb:f6ff:fe9e:eefa/64 scope link dadfailed tentative proto kernel_ll
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.10.14.47/23 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:2::102d/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5da9:511e:f811:7499/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
```

- Windows
It should be noted that the vEthernet (LAN) network adapter is the bridged VM Net8 network adapter, meaning the two network adapters have the same configuration, and vEthernet (LAN) can be regarded as VM Net8.

```
maple@maple ~ ipconfig.exe
Windows IP 配置
未知适配器 Clash 1:
连接特定的 DNS 后缀 . . . . . . . :
IPv4 地址 . . . . . . . . . . . . : 198.18.0.1
子网掩码 . . . . . . . . . . . . : 255.255.0.0
默认网关. . . . . . . . . . . . . :
以太网适配器 vEthernet (Default Switch):
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::2278:9d6b:16af:86b3%31
IPv4 地址 . . . . . . . . . . . . : 172.23.32.1
子网掩码 . . . . . . . . . . . . : 255.255.240.0
默认网关. . . . . . . . . . . . . :
以太网适配器 vEthernet (LAN):
连接特定的 DNS 后缀 . . . . . . . :
IPv6 地址 . . . . . . . . . . . . : fd15:4ba5:5a2b:1008:e391:f58d:a18c:68dd
临时 IPv6 地址. . . . . . . . . . : fd15:4ba5:5a2b:1008:4488:3bfb:7d75:5ebc
本地链接 IPv6 地址. . . . . . . . : fe80::9202:e25:d798:bdac%6
IPv4 地址 . . . . . . . . . . . . : 192.168.60.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : fe80::250:56ff:fec0:2222%6
```
To Reproduce
Steps to reproduce the behavior:
- Go to Windows Proxy

```
maple@maple D:\ligolo-ng .\proxy.exe -selfcert
time="2025-08-27T23:53:56+08:00" level=info msg="Loading configuration file ligolo-ng.yaml"
time="2025-08-27T23:53:56+08:00" level=warning msg="Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!"
time="2025-08-27T23:53:56+08:00" level=info msg="Listening on 0.0.0.0:11601"
time="2025-08-27T23:53:56+08:00" level=info msg="Starting Ligolo-ng Web, API URL is set to: http://127.0.0.1:8080"
time="2025-08-27T23:53:56+08:00" level=warning msg="Ligolo-ng API is experimental, and should be running behind a reverse-proxy if publicly exposed."
    __    _             __
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /
        /____/                          /____/

Made in France ♥ by @Nicocha30!
Version: 0.8.2

ligolo-ng » time="2025-08-27T23:54:05+08:00" level=info msg="Agent joined." id=aca28313-973c-47bc-ae2b-8d57e4bbdf39 name=Pepster@maple remote="192.168.60.100:46890"
ligolo-ng » session
? Specify a session : 1 - Pepster@maple - 192.168.60.100:46890 - aca28313-973c-47bc-ae2b-8d57e4bbdf39
[Agent : Pepster@maple] » tunnel_start --tun ligolo
time="2025-08-27T23:54:25+08:00" level=info msg="Starting tunnel to Pepster@maple (aca28313-973c-47bc-ae2b-8d57e4bbdf39)"
2025/08/27 23:54:25 Using existing driver 0.14
2025/08/27 23:54:26 Creating adapter
2025/08/27 23:54:26 Removed orphaned adapter "Clash"
[Agent : Pepster@maple] »
```

- Go to Kali Agent

```
❯ ./agent --connect 192.168.60.1:11601 --ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.1:11601"
```

- Go to 'ncpa.cpl'

Only the APIPA IP (169.254.189.30) is obtained. The APIPA address is "link-local only", which means the operating system considers that 169.254.189.30 can only be used for direct connection to devices on this interface and cannot be used to route traffic to other networks.

- If setting the IP manually

For example, I set it to 192.168.60.200, which does not conflict with other IPs in VM Net8.

- See error
```
# Kali
❯ ./agent --connect 192.168.60.1:11601 --ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.1:11601"
ERRO[0539] Connection error: read tcp 192.168.60.100:46890->192.168.60.1:11601: read: connection reset by peer
FATA[0539] read tcp 192.168.60.100:46890->192.168.60.1:11601: read: connection reset by peer
```

```
# Windows
[Agent : Pepster@maple] » 2025/08/28 00:02:56 [ERR] yamux: Failed to read header: read tcp 192.168.60.1:11601->192.168.60.100:46890: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
time="2025-08-28T00:02:56+08:00" level=warning msg="Lost tunnel connection with agent Pepster@maple (aca28313-973c-47bc-ae2b-8d57e4bbdf39)!"
time="2025-08-28T00:02:56+08:00" level=warning msg="Agent dropped." id=aca28313-973c-47bc-ae2b-8d57e4bbdf39 name=Pepster@maple remote="192.168.60.100:46890"
```

Proxy information:
- OS: Windows 11 24H2 26100.5067
- Architecture amd64
- Version Ligolo-ng v0.8.2
Agent information:
- OS: Kali
- Architecture amd64
- Version Ligolo-ng v0.7.5
Additional context
- Enable IPv4 forwarding

```
# Execute inside WSL
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

- Set up NAT/MASQUERADE (SNAT):

```
# This should refer to the return traffic from eth0 to the Ligolo Client (host machine).
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow traffic from eth0 (Ligolo tunnel entry) to tun0 (OpenVPN tunnel exit)
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
# Allow traffic from tun0 (OpenVPN tunnel entry) to eth0 (Ligolo tunnel return)
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

- ligolo-ng.yaml

```yaml
agent:
  deadbeefcafe:
    autobind: true
    interface: ligolo
interface:
  ligolo:
    routes:
      - 10.10.10.0/23
      - 10.10.14.0/23
      - 10.129.0.0/16
web:
  behindreverseproxy: false
  corsallowedorigin:
    - https://webui.ligolo.ng
  debug: false
  enabled: true
  enableui: true
  listen: 127.0.0.1:8080
  logfile: ui.log
  secret: 7e268b3f08aef8214b6de448fcbfc029e13ab74401600f3541e02b7ba3bdaa9d
  tls:
    alloweddomains: []
    autocert: false
    certfile: ""
    enabled: false
    keyfile: ""
    selfcert: false
    selfcertdomain: ligolo
  trustedproxies:
    - 127.0.0.1
  users:
    ligolo: $argon2id$v=19$m=32768,t=3,p=4$uEFXONbdPh1BRikWVjU/+Q$iepemmXsPhkAB1FuO72EHHX1bZa+5Kc2GPgDAlo8UdM
```
I observed in Wireshark whether the traffic packets go through the Ligolo network card, and found that they do not.
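A first check worth making when a tunnelled address is unreachable is whether the destination actually falls under one of the routes configured on the proxy, and whether the agent host has an interface directly connected to that subnet. The Python below is an added example written against the routes and the `ip a` output quoted in this report; it is not the reporter's code and not part of Ligolo-ng, and the `ip a` excerpt it embeds is a constructed, trimmed copy of the one above.

```python
import ipaddress
import re

# Routes the proxy pushes into the "ligolo" interface (taken from the ligolo-ng.yaml in the report).
LIGOLO_ROUTES = ["10.10.10.0/23", "10.10.14.0/23", "10.129.0.0/16"]

# Constructed excerpt of the agent host's `ip a` output, reduced to the IPv4 lines that matter.
IP_A_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.60.100/24 brd 192.168.60.255 scope global eth0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.10.14.47/23 scope global tun0
"""

def parse_ip_a(text):
    """Return (ifname, IPv4Interface) pairs from `ip a` output; IPv6 lines are ignored."""
    ifaces, current = [], None
    for line in text.splitlines():
        head = re.match(r"^\d+: (\S+):", line)
        if head:
            current = head.group(1)
            continue
        inet = re.match(r"^\s*inet (\d+\.\d+\.\d+\.\d+/\d+)", line)
        if inet and current:
            ifaces.append((current, ipaddress.ip_interface(inet.group(1))))
    return ifaces

def proxy_route_for(dst, routes=LIGOLO_ROUTES):
    """Most specific configured route covering dst, or None if the proxy leaves dst to normal routing."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(r) for r in routes if addr in ipaddress.ip_network(r)]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

def agent_onlink_interface(dst, ip_a_text=IP_A_OUTPUT):
    """Agent-side interface whose directly connected subnet contains dst, or None."""
    addr = ipaddress.ip_address(dst)
    for name, iface in parse_ip_a(ip_a_text):
        if addr in iface.network:
            return name
    return None

def trace(dst):
    """Summarise the expected path: which proxy route captures dst and which agent interface is on-link for it."""
    return {"dst": dst, "proxy_route": proxy_route_for(dst), "agent_iface": agent_onlink_interface(dst)}

if __name__ == "__main__":
    for d in ("10.10.14.47", "10.10.11.5", "10.129.1.1", "192.168.60.1"):
        print(trace(d))
```

A destination that gets a proxy route but no on-link agent interface (such as 10.10.11.5 here) must be handled by the agent host's own routing table, which is where `ip route get <dst>` on the Kali side is the next thing to look at.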