⚠️ When VPN is required by a program, make sure you meet all the prerequisites below before beginning to test a scope.
When is the VPN required?
The use of the YesWeHack VPN is mandatory when indicated in a “Program's Rules”, in the Hunting Requirements section.
ℹ️ Programs require the use of the YesWeHack VPN to manage more effectively the traffic from hunters, and to avoid raising unnecessary alerts.
It also allows them to apply exceptions for connections originating from the VPN IPs to provide optimal testing conditions.
How does the VPN work?
The YesWeHack VPN is used to funnel specific Hunters' traffic from their machine to the Program's scopes (servers).
The VPN configuration does not declare the default route (i.e., 0.0.0.0). Only traffic targeting the scopes in which the user is involved is routed by the VPN.
In other words, when you try to reach a scope, your requests are routed through the YesWeHack VPN server, and then forwarded to the scope's server. On the target's side (i.e., organization’s server), your requests will thus appear as coming from the YesWeHack VPN outbound IP address.
The YesWeHack VPN will route traffic when:
The target scope is part of a program where the VPN is enabled.
The IP address on which the (sub)domain resolves has been correctly listed in the program's VPN IP list.
The program is enabled.
Set up & Configuration
Go to “My YesWeHack tools” by clicking on your name in the top-right corner
Click on “VPN”
Click on “Download VPN configuration”. This will download the client configuration file for OpenVPN.
ℹ️ If needed, get OpenVPN (https://community.openvpn.net/openvpn#GettingOpenVPN) and then import the profile in your OpenVPN client (https://openvpn.net/connect-docs/import-profile.html) or use it directly with the OpenVPN CLI tool.
You will need credentials to log into your OpenVPN client. Your default credentials are the ones of your YesWeHack account.
You can change the VPN password (without changing the YesWeHack platform password), by clicking on the Configure VPN password button:
💡You only need to download the configuration file once. Your routes will be automatically updated based on the programs you participate in.
I have VPN login issues
Make sure to use the right set of credentials. Your YesWeHack account or the ones you configured for the VPN.
Try to set a new set of credentials on the platform if you can’t remember them.
Contact our support team at [email protected] for any other question.
I have VPN logout issues
Connection will timeout if no request to the Program scopes is made.
Connection will drop if a hunter's VPN config is updated (e.g., program with VPN disabled, modification in program VPN IP list, etc.)
Connection might also drop if several VPN instances were launched, or are opened, on several devices. In this case, you may kill other instances or change your YesWeHack VPN password in order to close previous sessions that might have stayed opened.
If disconnections persist despite being properly connected, with no additional instances open, and while attempting to access a VPN program, we recommend re-downloading and re-importing the VPN configuration file.
User-agent
Programs might require Hunters to append their HTTP requests User-Agent header with a specific string. As for the VPN, it is indicated in the Hunting requirements section of the program.
This configuration signals to the target that you’re an authorized security tester and it makes much easier for organisations being tested in the context of incident response to quickly identify bug bounty operations in their logs.
ℹ️ This configuration signals to the target that you’re an authorized security tester.
It also makes it much easier for organisations to quickly identify Bug Bounty operations in their logs during incident responses.
💡 We strongly recommend that you use your favourite proxy's “Match & Replace” feature (Burp Suite, CAIDO, Zap) to set up your User-agent.
Once the correct User-Agent is in place, organisations are more likely to let you go further with your tests, as they recognize them as legitimate.