VPN Tunnelling¶
VPN tunnelling lets Revelion test internal networks and hosts that are not publicly reachable. When a VPN config is attached to a mission, the sandbox container establishes the tunnel before any scanning begins — all tool traffic routes through it automatically.
Available on all plans
VPN tunnelling is available on all plans, including Free.
Supported Protocols¶
| Protocol | File Format | Notes |
|---|---|---|
| OpenVPN | .ovpn |
Inline certs supported |
| WireGuard | .conf |
Standard WireGuard config format |
Setup¶
1. Upload a VPN Config¶
Navigate to Settings → VPN Configs and click Add Config.
- Give it a name (e.g., "Lab Network — OpenVPN")
- Upload your
.ovpnor.conffile - Save
The config is stored encrypted and is only accessible to your account.
2. Attach to a Mission¶
During mission setup, expand the Advanced Options section and select a VPN config from the dropdown. Only configs belonging to your account are shown.
The VPN is attached per-mission — you can use different configs for different targets.
How It Works¶
When the mission starts, Revelion spins up an isolated sandbox container for the scan. Before any tools run:
- The VPN config is injected into the container at runtime
- The tunnel is established (OpenVPN or WireGuard)
- The container's default route is updated to send traffic through the tunnel
- Tools (Nmap, Caido, custom scripts) run inside the container and reach internal hosts via the tunnel
The VPN teardown happens automatically when the mission ends or the container is destroyed.
Traffic Requirements
Ensure your VPN config permits the traffic generated by pentesting tools — port scanning, HTTP probing, exploit payloads. Some corporate VPNs block this traffic or route only specific subnets. Test your config with a lightweight Quick scan before running a Deep scan over the tunnel.
Testing a Config¶
Before running a full mission, you can verify a VPN config works correctly. From Settings → VPN Configs, click Test on any saved config. Revelion will:
- Spin up a temporary container
- Establish the tunnel
- Check the external IP to confirm traffic is routing through the VPN
- Return the result and destroy the container
A successful test confirms the tunnel connects. It does not guarantee all tool traffic will route correctly — verify subnet routing in your VPN server config if you encounter issues during scanning.
Troubleshooting¶
Container starts but target is unreachable
Check that your VPN server routes the target subnet to connected clients. WireGuard configs require explicit AllowedIPs entries.
OpenVPN auth failure
Embed credentials directly in the .ovpn file using auth-user-pass with inline <auth> block, or use certificate-only authentication.
Tunnel drops mid-scan
Enable keepalive settings in your VPN server config. For OpenVPN: keepalive 10 60.