Extending OpenVAS Scans to Multiple Subnets Using SSH Layer 2 VPN

Hi everyone,

I’m looking to solve a problem and would appreciate your help.

I have installed OpenVAS on a server, which is a virtual machine. On the target network, I have also installed a virtual machine (a sort of virtual appliance) that I connect to via an SSH Layer 2 VPN, using TAP interfaces. Scanning from my server (let’s call it network A) to the target network (let’s call it network B) works correctly.

OpenVAS  ---->  VPN Layer 2 SSH  ---->  Target Network
 Network A                       Network B

My goal now is to extend the scans to all subnets within network B. What I tried to do is add a new ENS interface within network B, assign it a free IP address, configure NAT, and set up the firewall to allow access to all TCP/UDP rules, etc.

OpenVAS  ---->  VPN Layer 2 SSH  ---->  Target Network
 Network A                       Network B
                                     |
                                     ----> Subnet B.1

The ping from network A to subnet B.1 works; I can see the traffic correctly using tcpdump and traceroute. However, the issue is that the scans are “falsified.”

I tested by directly placing my VM inside the subnet and performing a scan (where the results show multiple high vulnerabilities). Then, I tried passing through the “management network” applying my idea, and the scans are completely different! I don’t see any vulnerabilities as if the traffic is not reaching the targets (even though ping and traceroute work).

So:

If I install a VM for each subnet, it works.
If I install a single VM for the management network and redirect traffic to the subnets, it doesn't work.

Why do you think this happens?
Am I missing something in the firewall configuration?
Is there a better way to achieve what I have in mind, i.e., scanning the subnets by installing a single virtual machine that acts as a gateway?

I look forward to your suggestions and thank you in advance!

That is not a supported setup, and without looking at a tcpdump I can't tell you. It might be an MTU related issue, esp. if ICMP works but not TCP. In general, scanning through a firewall or via VPN is not recommended at all. It is always better to just speak the Management Protocol via the VPN and deploy a local scanner into each sub-network.

I know that some GVM installations use OpenVPN successfully as Layer-2 VPN to scan through …
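One way to read the tcpdump the reply asks for, added here as an example that is neither the poster's nor Greenbone's code: it parses `tcpdump -n` output (constructed sample lines; the scanner address 10.0.0.5 and the target addresses are assumptions) and flags targets that answer ping but never complete a TCP handshake, or for which a router returned a need-to-fragment error, which is the ICMP-works-but-TCP-does-not symptom the reply associates with tunnel MTU.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -n` lines (not from this thread): 10.1.1.10 answers ping and
# completes a handshake, 10.1.1.20 answers ping but never returns a SYN-ACK, and
# gateway 10.1.1.1 reports "need to frag" for a large probe towards 10.1.1.30.
SAMPLE = """\
12:00:01.000 IP 10.0.0.5 > 10.1.1.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.001 IP 10.1.1.10 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.010 IP 10.0.0.5.40001 > 10.1.1.10.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:01.011 IP 10.1.1.10.443 > 10.0.0.5.40001: Flags [S.], seq 1, ack 2, win 65160, options [mss 1380], length 0
12:00:02.000 IP 10.0.0.5 > 10.1.1.20: ICMP echo request, id 1, seq 1, length 64
12:00:02.001 IP 10.1.1.20 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:02.010 IP 10.0.0.5.40002 > 10.1.1.20.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:04.000 IP 10.0.0.5 > 10.1.1.30: ICMP echo request, id 1, seq 1, length 1472
12:00:04.001 IP 10.1.1.1 > 10.0.0.5: ICMP 10.1.1.30 unreachable - need to frag (mtu 1400), length 36
"""

IP4 = r"(\d+\.\d+\.\d+\.\d+)\.\d+"  # dotted address followed by a port
ECHO_REP = re.compile(r"IP (\S+) > (\S+): ICMP echo reply")
TCP = re.compile(rf"IP {IP4} > {IP4}: Flags \[(S|S\.)\]")
NEED_FRAG = re.compile(r"ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")

def analyze(dump, scanner):
    """Per target: ping answered? SYN answered? Router reported need-to-frag?"""
    st = defaultdict(lambda: {"echo_reply": False, "syn": False,
                              "synack": False, "pmtu": None})
    for line in dump.splitlines():
        if (m := ECHO_REP.search(line)) and m.group(2) == scanner:
            st[m.group(1)]["echo_reply"] = True
        elif m := TCP.search(line):
            src, dst, flags = m.groups()
            if flags == "S" and src == scanner:
                st[dst]["syn"] = True
            elif flags == "S." and dst == scanner:
                st[src]["synack"] = True
        elif m := NEED_FRAG.search(line):
            st[m.group(1)]["pmtu"] = int(m.group(2))
    return dict(st)

def suspects(state):
    """Hosts that answer ping but never complete a handshake, or sit behind a
    router that sent need-to-frag: the first places to check tunnel MTU."""
    out = {}
    for host, s in state.items():
        if s["pmtu"] is not None:
            out[host] = f"need-to-frag reported, path MTU {s['pmtu']}"
        elif s["echo_reply"] and s["syn"] and not s["synack"]:
            out[host] = "ICMP ok, TCP SYN unanswered"
    return out
```

Run it against a real capture taken on the scanner's TAP interface with `tcpdump -n -i <tap> > dump.txt` and pass the file contents to `analyze(text, "<scanner ip>")`.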
