
EVE-NG on Google Cloud

Contents

Introduction
  Why to cloud EVE-NG on Google Cloud
  Why Google Cloud
  What about Amazon AWS, …

Cloud EVE-NG on Google Cloud
  1- Create a Google Cloud account
  2- Create and configure a VM instance
  3- Connect to the VM instance
  4- Set up the EVE-NG on the VM instance
  5- Install Transmission
  6- Prepare images to work in EVE-NG
    6.1 QEMU devices
    6.2 IOU devices
  7- Connect nodes inside EVE-NG with the Internet
Introduction
Why to cloud EVE-NG on Google Cloud?

Building an EVE lab can require more resources than your workstation has.
You can use the free tier of Google Cloud to avoid:
- the hardware limitations of your workstation, or the cost of upgrading it.
- rack rental and its high costs.
When you cloud EVE, all your EVE labs and topology images are hosted on a VM in the cloud.

Why Google Cloud?

It offers $300 credit once you create a Google Cloud account, with which you can get a server with computing
resources up to 52GB RAM and 8 vCPUs for free.
There is no auto-charge after the free trial ends.
It also supports nested virtualization, which is a must if you want to run QEMU VMs (.qcow2 images) inside the
EVE VM hosted on the cloud.

What about Amazon AWS, …?

The free tier of the other cloud service providers is very limited.
Amazon cloud does not natively support nested virtualization, and their solution comes with high costs.
However, Oracle Cloud and Microsoft Azure do support nested virtualization natively.
Step 1: Create a Google Cloud account

You can create a Google Cloud account through https://cloud.google.com/free

Note: it will ask you for credit card credentials, however you will not pay anything at any stage.
After creating your Google Cloud account, you will get the $300 credit and you will land on the Google
Cloud Platform dashboard.

At any time later, you can access Google Cloud Platform through https://console.cloud.google.com/
Step 2: Create and configure a VM instance

Think of the VM instance as your workstation: it requires an operating system and hardware.
2.1 Name

You can create several VM instances, so you need to give each one a name to distinguish between them.

2.2 Region

The Google datacenters hosting its cloud services are located in several locations around the world.
You can choose in which location you want to host your VM instance.
However, pricing differs from one region to another.
Regarding cost, Region = us-east1 (South Carolina) and Zone = us-east1-b are good choices.

2.3 Machine type

You can specify up to 52GB of memory and 8vCPU.


Regarding the CPU platform, Intel Skylake or Haswell are good choices for nested virtualization to function.
Keep in mind that the charge for storage is much higher than that for processing.

2.4 Boot disk

Options for the disk which the machine will boot from:
1- an existing disk (must be unattached to be able to attach it to another VM).
2- a snapshot of a previously created disk (to avoid unattaching it).
3- a public image (such as Linux Ubuntu, Windows, ...).
4- a custom image.

As we have not created a VM instance before, we cannot rely on the snapshot or existing disk choices now.
Public images are the ones offered to you by the Google Cloud Platform service.
Public images are good, but nested virtualization (needed to run QEMU on the EVE server) is not enabled on them.
So we will customize a public image to enable nested virtualization, using Google Cloud Shell:

Note: to get your project ID:


To create a customized image with nested virtualization enabled, using Cloud Shell:

gcloud compute images create qemu-enabled-image --source-image-project=ubuntu-os-cloud --source-image-family=ubuntu-1604-lts --licenses="https://compute.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx"

where qemu-enabled-image is the output image that we will configure our VM instance to boot from.
The source image we have licensed is Ubuntu 16.04 LTS, which is a cheap and perfect OS for the EVE server.
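Whether the enable-vmx license actually took effect can only be seen from inside the VM. The following script is an added example and not part of the original guide: once you are logged in to the instance (step 3), it checks for the vmx/svm CPU flag and for the /dev/kvm device that QEMU nodes need. The cpuinfo and device paths are parameters, so the same functions can be run against a saved copy of /proc/cpuinfo; the CHECK_LIVE variable and the file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the customized
# image really exposes hardware virtualization to the guest.

# Return 0 if the cpuinfo file at $1 lists the vmx (Intel) or svm (AMD) flag.
has_virt_flag() {
    grep -E -q '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$1"
}

# Return 0 if the KVM device node at $1 exists and is a character device.
has_kvm_device() {
    [ -c "$1" ]
}

# check_nested_virt [CPUINFO] [KVMDEV]
# Print a verdict for both checks; return 0 only if both pass.
check_nested_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    kvmdev="${2:-/dev/kvm}"
    rc=0
    if has_virt_flag "$cpuinfo"; then
        echo "ok: CPU exposes vmx/svm, nested virtualization is available"
    else
        echo "missing: no vmx/svm flag in $cpuinfo; recreate the image with the enable-vmx license"
        rc=1
    fi
    if has_kvm_device "$kvmdev"; then
        echo "ok: $kvmdev present, QEMU nodes can use KVM acceleration"
    else
        echo "missing: $kvmdev not found; load kvm_intel/kvm_amd or fix the flag above"
        rc=1
    fi
    return $rc
}

# Run against the live system only when asked to, so the functions can also
# be sourced and tested with a saved cpuinfo file.
if [ -n "${CHECK_LIVE:-}" ]; then
    check_nested_virt "$@"
fi
```

Run it on the VM as `CHECK_LIVE=1 sh nested_virt_check.sh`; a non-zero exit status means the QEMU nodes in step 6a will fall back to slow software emulation or refuse to start.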

Now you can configure your machine to boot from the customized image you have just created:

The boot disk can be standard or SSD.

Although SSD performance is better than standard, it is much more expensive than the standard disk.
Use a standard disk to avoid running out of credit quickly.
2.6 Firewall

By default, all incoming traffic from outside a network to the VM instance is blocked.
We will access EVE and "transmission" via HTTP so we will allow HTTP traffic.

After creating the VM, you will be redirected to the "VM instances" work area:

The server is up and running.


From the "VM instances" work area you can start, stop, edit, delete, and connect to your VM.
Step 3: Connect to the VM instance

To connect to the VM, you need to know its public IP address (External IP):

There are two main methods to connect to the VM:

3.1 Through the terminal emulator of the VM instance

As shown in the below figure (Connect --> SSH).

In this method, SSH keys exchange is handled automatically for you.

3.2 Through third-party tools (such as PuTTY)

There are two authentication methods: password or public key.
We will use the password authentication method for the root user as it is simpler (but less secure) and sufficient for
this demonstration.

Password Authentication (configuration)


To configure password authentication on the VM instance:
1- assume the "root" role, as it is required for many commands to be authorized:
sudo -s
2- set the root user's password, which will be used for authentication:
passwd
3- enter and confirm a password of your choice:
networksecured
networksecured
4- enable root login and password authentication:
vim /etc/ssh/sshd_config
This command opens the settings of the SSH service on the VM instance; modify the following settings:
PermitRootLogin yes
PasswordAuthentication yes
Note: to activate file editing, press "i".
Note: to save the file with changes, press "ESC" followed by ":wq".
5- for the changes to take effect, restart the SSH service:
service sshd restart
Connect to a VM instance via PuTTY
Now, you can connect to the VM via PuTTY using the root user credentials:
1- obtain the public IP address of the VM instance.

2- paste the IP address into the Host Name field within PuTTY:
Note: we will need to use WinSCP in a later stage. We will use the same method (password authentication) and
credentials (username: root and password: networksecured).
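The guide chooses password login for root because it is the simplest option for a demonstration. As an added example, not part of the original guide, the script below reports whether an sshd_config still allows that and prints the hardened pair of directives (root only with an SSH key, no password logins) to switch to once the VM stays reachable from the Internet. The AUDIT_LIVE variable and the file name are assumptions of this example; the path argument lets it run against a copy of the file.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the two sshd_config
# settings the guide turns on, and show the hardened equivalent.

# sshd_setting FILE DIRECTIVE
# Print the value of DIRECTIVE in FILE. The first match wins, as in sshd;
# commented lines are ignored; nothing is printed when it is unset.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when FILE ($1) permits root to log in with a password.
root_password_login_enabled() {
    prl=$(sshd_setting "$1" PermitRootLogin)
    pa=$(sshd_setting "$1" PasswordAuthentication)
    # sshd defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes
    [ "$prl" = "yes" ] && [ "${pa:-yes}" = "yes" ]
}

# The directives to use instead of the guide's "yes"/"yes" pair: root stays
# reachable, but only with the key pair the Cloud Console already set up.
hardened_directives() {
    cat <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# audit_sshd_config [FILE]
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    if root_password_login_enabled "$cfg"; then
        echo "WARN: $cfg allows root login with a password; recommended settings:"
        hardened_directives
        return 1
    fi
    echo "ok: $cfg does not allow password logins for root"
}

if [ -n "${AUDIT_LIVE:-}" ]; then
    audit_sshd_config "$@"
fi
```

Run `AUDIT_LIVE=1 sh sshd_audit.sh` on the VM. The parser only reads top-level directives, so a `Match` block that re-enables passwords for a specific user would not be reported; after editing sshd_config, `service sshd restart` as in step 4 above applies the change, and `sshd -T` prints the effective configuration for a final check.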
Step 4: Set up the EVE-NG on the VM instance

4.1 Rename the Ethernet interface

For EVE to function, the first Ethernet interface of the VM instance should be named eth0.
To verify the name of the NIC, issue the command:
ifconfig

To rename the interface:

vim /etc/udev/rules.d/70-persistent-net.rules

This command will return:

To edit this file:

press "i", replace "ens4" with "eth0", then press "ESC", type ":wq" and press "ENTER" to save your
modification and return.
To verify:
The NIC name is still unchanged. Restart the machine so that the change takes effect:
shutdown -r now

The interface name is changed now.

4.2 Install EVE:

1- Follow the next commands:


wget http://www.eve-ng.net/repo/eczema@ecze.com.gpg.key

apt-key add eczema@ecze.com.gpg.key


apt update

add-apt-repository "deb [arch=amd64] http://www.eve-ng.net/repo xenial main"

apt update

apt-get install eve-ng

Note: Don't edit the default password


Note: Keep issuing the " apt-get install eve-ng" command until you find all updates are installed.
Now, you have EVE installed.
2- Logout and login again.
3- Follow the wizard, defaults are ok.

4.3 Verify EVE installation

1- Copy the IP address of the EVE server.


Note: this IP is dynamic, so you will need to check it every time you start your VM.

2- Paste the IP address into your web browser:


this is the community edition of EVE so open it via http://34.75.51.216
It works!
Step 5: Install Transmission (BitTorrent client)

Note: every time you log in to the VM instance hosting EVE you will be presented with the EVE-NG Setup
utility; press Control-C to dismiss it:

If you need to get appliances for your EVE labs through torrent, you can download and install "transmission"
as it wouldn't conflict with any HTTP service running on the VM instance.

5.1 Install Transmission:

Follow the next commands:

sudo -i
apt update
add-apt-repository ppa:transmissionbt/ppa
apt-get update
apt-get install transmission-cli transmission-common transmission-daemon
apt-get install transmission-gtk transmission-cli transmission-common transmission-daemon

5.2 Create "transmission" directories

After installing "transmission", you will need to create the locations (and set their permissions) for
"transmission" downloads:
mkdir /home/kareem/Downloads
mkdir /home/kareem/Downloads/transmission
mkdir /home/kareem/Downloads/transmission/incompletetorrents
chgrp -R debian-transmission /home/kareem/Downloads/transmission
chmod -R 775 /home/kareem/Downloads/transmission
service transmission-daemon start
service transmission-daemon stop
5.3 Configure "transmission" settings

To edit the transmission service settings, use the following command:
vim /etc/transmission-daemon/settings.json

Press "i" to enter INSERT mode and make your changes.

Then press "ESC" then ":wq" to save, and start the service again:
service transmission-daemon start

you can access the "transmission" via the URL: http://External_IP:9091


Note: For the transmission service to start automatically:
systemctl enable transmission-daemon.service
5.4 Allow "transmission" traffic

By default, all incoming traffic from outside your network is blocked unless you allow it.
So you need a firewall rule to allow inbound connections on port 9091, the port we configured transmission to
listen on:

You can create a single rule that controls whatever ports you need:
5.5 Verify "transmission"

So, the transmission URL is http://34.75.51.216:9091


You can torrent either through a URL or uploading a torrent file to the VM.

I will use a magnet link to download an IOU (to demonstrate later how to generate its license) and a QEMU
appliance to test KVM (nested virtualization).
Step 6: Prepare images to work in EVE-NG

Step 6a: Prepare QEMU images to work in EVE

After downloading the images you want, you need to import them into the EVE directory so that EVE can access them.
QEMU images should be in the /opt/unetlab/addons/qemu/ directory:

If the file is compressed, you can decompress it directly into the destination directory:
tar xzvf /home/kareem/Downloads/transmission/winserver-S2016-R2-x64.tar.gz --directory /opt/unetlab/addons/qemu/

Check the destination directory:

After refreshing:
The last step is to fix the permissions:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

To ensure that the image is accessible by EVE:

Configure the computing resources for the appliance:


Note: on EVE website, there are QEMU options for the common appliances, review it for appliances you want to run.
Start the node.
When you move your mouse over the node, the port assigned to the node will appear in the bottom left corner of the
EVE web GUI:

Use this port number when connecting to the node from your workstation:

Your connection will be refused until you finish step 6c.


Step 6b: Prepare IOU images to work in EVE

After downloading the images you want, you need to import them into the EVE directory so that EVE can access them.
IOU images should be in the /opt/unetlab/addons/iol/bin/ directory.
To copy the image from the "transmission" directory to the EVE directory, first obtain the location of the source:

cp /home/kareem/Downloads/transmission/i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin /opt/unetlab/addons/iol/bin/

After refreshing the destination directory, check it:

The last step is to fix the permissions:


/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
To ensure that the image is accessible by EVE:

Configure the computing resources for the node:


If you tried to start the node, it will not start as it requires a license.
Generate IOU Licence

6b.1 Create an iou keygen file in the EVE directory for iou images:
vim /opt/unetlab/addons/iol/bin/ioukeygen.py

This command will also open the file to be edited (by pressing "i").
6b.2 Copy the following script and paste it to the file (using the right click):
#! /usr/bin/python
# Python 2 script (print statements, str-based byte strings): run it with the
# system python2 that /usr/bin/python points to on Ubuntu 16.04.
print "\n*********************************************************************"
print "Cisco IOU License Generator - Kal 2011, python port of 2006 C version"
import os
import socket
import hashlib
import struct
# get the host id and host name to calculate the hostkey
hostid=os.popen("hostid").read().strip()
hostname = socket.gethostname()
ioukey=int(hostid,16)
# the key is the numeric hostid plus the sum of the hostname's character codes
for x in hostname:
    ioukey = ioukey + ord(x)
print "hostid=" + hostid +", hostname="+ hostname + ", ioukey=" + hex(ioukey)[2:]
# create the license using md5sum
iouPad1='\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A'
iouPad2='\x80' + 39*'\0'
md5input=iouPad1 + iouPad2 + struct.pack('!L', ioukey) + iouPad1
iouLicense=hashlib.md5(md5input).hexdigest()[:16]
# add license info to $HOME/.iourc
print "\n*********************************************************************"
print "Create the license file $HOME/.iourc with this command:"
print " echo -e '[license]\\n" + hostname + " = " + iouLicense + ";'" + " | tee $HOME/.iourc "
print "\nThe command adds the following text to $HOME/.iourc:"
print "[license]\n" + hostname + " = " + iouLicense + ";"
# disable phone home feature
print "\n*********************************************************************"
print "Disable the phone home feature with this command:"
print " grep -q -F '127.0.0.1 xml.cisco.com' /etc/hosts || echo '127.0.0.1 xml.cisco.com' | sudo tee -a /etc/hosts"
print "\nThe command adds the following text to /etc/hosts:"
print "127.0.0.1 xml.cisco.com"
print "\n*********************************************************************"
6b.3 Save the file and exit the editor (by pressing "ESC" then ":wq").
6b.4 Fix permissions for the newly created script file:
chmod +x /opt/unetlab/addons/iol/bin/ioukeygen.py

6b.5 Run the license generator script that you have just written:
/opt/unetlab/addons/iol/bin/ioukeygen.py
6b.6 Copy the generated license:
[license]
eve-ng = 97264f2e52a3fbe6;
6b.7 Create the iourc licence file for EVE:
vim /opt/unetlab/addons/iol/bin/iourc

6b.8 Paste the license into that file:

6b.9 Save the file and exit the editor (by pressing "ESC" then ":wq").
6b.10 Fix permissions with:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

6b.11 Verify that the iourc file is created:

Go back to the EVE GUI and start the IOU node; it should start now.
When you move your mouse over the node, the port assigned to it will appear in the bottom left corner of the EVE
interface:

Note: your connection will be refused until you finish step 6c.
Step 6c: allow connections from the Internet to EVE devices:

By default, all incoming traffic from outside your network is blocked so you need to open every port forwarded to
every device in your EVE lab.
In our example we need to allow inbound connections to ports 32769 and 32770:

You can use the rule we have created in step 5 to allow the ports 32769 and 32770:

Now you can connect to appliances in step 6a and step 6b.
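Steps 5.4 and 6c open the transmission port and the node console ports to the whole Internet. As an added example, not part of the original guide, the script below builds the equivalent gcloud firewall rule restricted to one administrator address and applied only to instances carrying a network tag, so the lab is reachable from your workstation but not from everyone else. The rule name, the `eve-ng` tag and the APPLY/ADMIN_IP variables are assumptions of this example; the command is printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original guide): a firewall rule for the lab
# ports that is scoped to a single source address and a network tag.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# lab_firewall_rule RULE_NAME ADMIN_IP PORTS
# Print the gcloud command that allows PORTS (gcloud --allow syntax, e.g.
# tcp:9091,tcp:32769-32770) from ADMIN_IP/32 only, to instances tagged eve-ng.
lab_firewall_rule() {
    name="$1"; admin="$2"; ports="$3"
    if ! valid_ipv4 "$admin"; then
        echo "lab_firewall_rule: not an IPv4 address: $admin" >&2
        return 1
    fi
    printf 'gcloud compute firewall-rules create %s --direction=INGRESS --network=default --target-tags=eve-ng --source-ranges=%s/32 --allow=%s\n' \
        "$name" "$admin" "$ports"
}

if [ -n "${APPLY:-}" ]; then
    # ADMIN_IP is your own public address; the ports are those of steps 5.4 and 6c.
    cmd=$(lab_firewall_rule eve-lab-admin "${ADMIN_IP:?set ADMIN_IP to your public address}" tcp:9091,tcp:32769-32770) && eval "$cmd"
else
    lab_firewall_rule eve-lab-admin 203.0.113.7 tcp:9091,tcp:32769-32770
fi
```

The rule only matches instances that carry the tag, so attach it to the VM once with `gcloud compute instances add-tags VM_NAME --tags eve-ng`; when your own address changes, `gcloud compute firewall-rules update eve-lab-admin --source-ranges=NEW_IP/32` adjusts the rule without reopening it to 0.0.0.0/0. The 203.0.113.7 address in the dry run is a documentation address, not a real one.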


Step 7: Connect nodes inside EVE with the Internet

Background

1- When you create a node in EVE, you assign its interfaces private IP addresses.
Any interface of this node to have access to the Internet needs:
- A gateway to access the Internet and
- Its IP to be translated to a public IP because its IP is not real ==> (PAT or Port Forwarding)
The real IP that we have is the external IP assigned to the VM instance hosting EVE.
2- EVE, during installation, creates 10 bridge interfaces on the host machine:

The role of a bridge interface is to connect a guest (a node inside EVE) interface to the host network interface (eth0).

Steps

Let's assume you have assigned the IP 192.168.13.17/24 to the Windows server node in our topology, so you will
need a gateway with an IP in this subnet to access the Internet (let's say 192.168.13.1):

1- Create a virtual gateway with an IP address from this subnet:


ip address add 192.168.13.1/24 dev pnet1

You can configure any pnet interface (leave pnet0 for management access only, as in step 6).
To make this configuration persistent so that it survives reboots:
vim /etc/network/interfaces

and edit the pnet1 settings so that the bridge gets the gateway address of the lab subnet chosen above:

iface eth1 inet manual
auto pnet1
iface pnet1 inet static
    # gateway address for the lab subnet (192.168.13.0/24 in this example)
    address 192.168.13.1
    netmask 255.255.255.0
    bridge_ports eth1
    bridge_stp off

2- As the communication between the guest and host interfaces is established at the kernel level, you need to enable IP
forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward

To make IP forwarding persistent:


vim /etc/sysctl.conf

and uncomment net.ipv4.ip_forward=1

3- Translate the IP addresses in this subnet to the dynamic interface IP address of the VM instance:
iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.13.0/24 -j MASQUERADE

To save this configuration:


apt-get install iptables-persistent

Follow the wizard, the defaults are what we need. Then:


netfilter-persistent save
netfilter-persistent reload
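The three steps above (gateway address on the bridge, IP forwarding, masquerading) as one script, added here as an example and not the guide's own code. It goes slightly beyond the guide by also adding FORWARD rules, so that only the lab subnet is forwarded out through pnet0 and nothing unsolicited is forwarded back into the lab. Subnet, gateway, bridge and uplink are parameters; the DRY_RUN and SETUP_LIVE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): step 7 as one script.
# Needs root unless DRY_RUN=1 is set, in which case commands are printed.

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_lab_gateway LAB_SUBNET GATEWAY_CIDR BRIDGE UPLINK
#   e.g. setup_lab_gateway 192.168.13.0/24 192.168.13.1/24 pnet1 pnet0
setup_lab_gateway() {
    subnet="$1"; gw="$2"; br="$3"; out="$4"
    # 1- virtual gateway on the bridge (same as "ip address add ... dev pnet1")
    run ip address add "$gw" dev "$br"
    run ip link set dev "$br" up
    # 2- IP forwarding in the kernel (equivalent to writing 1 to /proc)
    run sysctl -w net.ipv4.ip_forward=1
    # 3- NAT the lab subnet behind the VM's dynamic address on the uplink
    run iptables -t nat -A POSTROUTING -o "$out" -s "$subnet" -j MASQUERADE
    # Extra: only the lab subnet may be forwarded out, replies come back via
    # conntrack, anything else arriving on the uplink for the lab is dropped.
    run iptables -A FORWARD -i "$br" -o "$out" -s "$subnet" -j ACCEPT
    run iptables -A FORWARD -i "$out" -o "$br" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$out" -o "$br" -j DROP
}

# Persist the rules as in the guide (requires iptables-persistent).
persist_rules() {
    run netfilter-persistent save
}

# Apply the guide's example values when executed on the VM.
if [ -n "${SETUP_LIVE:-}" ]; then
    setup_lab_gateway 192.168.13.0/24 192.168.13.1/24 pnet1 pnet0
    persist_rules
fi
```

Run `DRY_RUN=1 SETUP_LIVE=1 sh lab_gateway.sh` first to review the commands, then without DRY_RUN as root. The iptables rules are appended with -A, so running the script twice duplicates them; `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` show what is currently loaded.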
Verification

1- Add Cloud1 network (equivalent to pnet1):

2- Connect it to windows server node:

3- RDP to the Windows server node, open any web browser and test any web server on the Internet:

It works!
Note:
Cloudx is equivalent to pnetx, i.e., if you have configured pnet2 for another subnet, connect the nodes in that subnet to
Cloud2 if they need direct access to the Internet.

Eng. Kareem El-Sayed, NETWORK SECURED

Email: eng.kareem.el.sayed@gmail.com   LinkedIn: linkedin.com/in/kareem-el-sayed
