December 4, 2020

Snap Labs BastionBox

Today we released a new open-source tool, the Snap Labs BastionBox! BastionBox is a simple, secure way to manage access to your cloud and on-premises lab environments. Head on over to our GitHub page for technical details and to try it out!


Simple is Secure

At Snap Labs, we provision a lot of lab environments. This means we have tons of system credentials, SSH keys, and VPN configurations to keep track of. We’re also extremely conscious of the security implications of misconfiguring a security group for one of our lab instances. Windows boxes with RDP open to the internet (especially vulnerable lab images!) don’t tend to last very long without getting compromised…

To address both of these problems, we implemented a bastion host approach for access to our labs. Every lab we deploy is only accessible through a single instance, integrated with our platform, that manages the VPN configurations and console connections for a seamless and secure lab access experience for our users.

We really like this approach and think others could benefit from adopting the same principles. So, we open sourced a good portion of our internal solution! What does the open source version do?

BastionBox Features

The Snap Labs BastionBox is easy to deploy into AWS through a pre-configured AMI, or into any other lab environment through a simple install script on Ubuntu 20.04 (and likely others systems. It provides two ways to access systems in your lab environment:

  • Console Connections - access lab systems through your browser via SSH, VNC, or RDP
  • VPN Access - connect your host workstation to the lab with an OpenVPN configuration file

Console Connections

Console connections use the awesome Apache Guacamole ( project to provide a clientless remote access gateway to your lab systems directly through your browser. To create a new console connection, simply provide credentials/connection details for a system in your lab and save the connection. Then, connect to your lab system through the browser in one click. BastionBox makes sure you’re authenticated and passes along the previously saved connection details to authenticate to your lab system.


Creating a new console connection
                                                                                                                                          Creating a new console connection                                


VPN Configurations

BastionBox implements an OpenVPN server and custom scripts to dynamically create and revoke VPN configurations. This is an easy way to share access to your lab when you want to, and to revoke it when you’re done sharing. To create a configuration, simply provide a name and the operating system that you’ll be connecting from, then hit create. BastionBox will automatically create a new OpenVPN configuration file and save it for download at any time.


Creating a new VPN configuration file
                                                                         Creating a new VPN configuration file                                


The BastionBox Interface

Our goal was to create a single, simple interface to allow lab access management. At the same time, we hope  to bolster your lab’s security posture by reducing the number of systems exposed to external networks.


Manage multiple console connections and VPN configs in a simple, intuitive interface.
                                                                                                                                                      Manage multiple console connections and VPN configs in a simple, intuitive interface.                                


We hope you like BastionBox and enjoy the lab access experience it provides as much as we have!


How Accenture Keeps Cyber Security Teams Trained on the Latest Threats

read NOW