Dev mode — no Cloudflare Access header present. Authenticated as dev@local.
EPL
dev@local

Before You Start

Complete this checklist before the workshop. Arrive with your devcontainer running, your Cloudflare account created, and your hardware in hand. Anything you miss means less lab time on day one.

Engagement Platform Labs — Student Onboarding Guide

Read this before class. Complete the software setup and the pre-class warmup check. If anything is not working when you arrive, raise it with the instructor in the first 5 minutes so it does not block you later.

What You Will Build

Over two days you will assemble a complete red-team engagement platform from commodity hardware, OpenWrt, and the Cloudflare developer stack:

  • Custom OpenWrt firmware on a Mango router (the “drop device”)
  • A VS Code devcontainer running an OpenWrt rootfs as your “engagement platform”
  • A two-node Tailscale mesh (devcontainer + Mango) with MagicDNS
  • A Cloudflare Tunnel from your devcontainer to the public internet
  • A Cloudflare Worker as your engagement front door (REST API + ChatOps)
  • D1 device registry, KV job queue, and R2 artifact storage with signed URLs
  • EmojiChef ChatOps over Discord: emoji in, pcap download link out

The capstone (Lab 14) round-trips a Discord emoji through the Worker, through the Tailnet, to the Mango, captures a packet trace, uploads it to R2, and delivers a signed download URL back to Discord.

Hardware Kit

You will receive the following at the workshop:

ItemPurpose
GL.iNet Mango (GL-MT300N-V2)Drop device — gets custom firmware in Lab 02
USB flash drive (16GB+)ExtRoot overlay for the Mango (Lab 03)
Ethernet cableConnect your laptop to the Mango WAN port

Bring your own laptop. No minimum spec; Docker just needs to run.

Required Accounts

Create these before class. Free tiers are sufficient for all of them.

  1. Cloudflaredash.cloudflare.com

    • Create an account and confirm your email.
    • You will receive a workshop subdomain on eplabs.cloud; you do not need to bring your own domain. If you prefer to use a domain you own, follow the DNS setup in handouts/workshop_domain_prerequisites.md.

  2. Tailscalelogin.tailscale.com

    • Create an account. The instructor will add your devices to the workshop tailnet via an auth key on your assignment card.

  3. Discorddiscord.com

    • Create an account. The workshop Discord guild invite is on your assignment card.

Required Software

Install everything below before class. Verify each item with the command shown.

Docker

docker run --rm hello-world
# Expected: "Hello from Docker!" and exit 0

Docker Desktop (Mac/Windows) or Docker Engine (Linux) both work. Podman is also supported if you know how to configure it.

VS Code + Dev Containers Extension

  1. Install VS Code.
  2. Inside VS Code, install the extension: ms-vscode-remote.remote-containers (Extensions panel → search “Dev Containers”)
  3. Verify: View > Command Palette > Dev Containers: Show Log exists.

Git

git --version
# Expected: git version 2.x.x

Node 20.x LTS (for EmojiChef verification, Lab 11)

node --version
# Expected: v20.x.x

Exact version matters less than being in the v20 LTS line.

  • jq — JSON pretty-printing for curl outputs
  • ssh — should already be present on most systems

Pre-Class Warmup

Do this the evening before the workshop, not the morning of.

# 1. Clone the workshop repository
git clone https://github.com/errantpacket/OpenWRT_Course.git
cd OpenWRT_Course/courses/engagement-platform-labs

# 2. Pull the ImageBuilder image (this is ~800MB; do it on good network)
docker pull openwrt/imagebuilder:ramips-mt76x8-23.05.3

# 3. Run the engagement platform build
cd labs
make engagement-platform
# Expected: exits 0; output/engagement-platform-rootfs.tar.gz exists

If make engagement-platform exits 0 and produces the output file, Docker is working correctly and you are ready for Lab 02.

If it fails, the most common causes are:

  • Docker daemon not running (docker ps will fail too)
  • Insufficient disk space (the build needs ~3GB free)
  • Proxy or corporate firewall blocking the image pull

Bring the error output to class; the instructor can usually diagnose it in under 2 minutes.

Day 1 Topics

  • Lab 01: Hardware familiarization — Mango physical inspection, SSH, failsafe mode, TFTP recovery, serial console (3.3V UART pinout)
  • Lab 02: Build two OpenWrt artifacts — the devcontainer rootfs and the Mango drop firmware — from the same ImageBuilder baseline
  • Lab 03: ExtRoot — expand the Mango’s 16MB flash via USB, install Tailscale
  • Lab 04: Cloudflare account verification — DNS, wrangler, D1/KV/R2/Access entitlements
  • Lab 05: Two-node Tailscale mesh — devcontainer + Mango, MagicDNS, ACL tags
  • Lab 06: Cloudflare Tunnel — expose a service from the devcontainer without port forwarding
  • Lab 07: First Worker deployment — the engagement platform front door

Day 2 Topics

  • Lab 08: CF Access — operator SSO; device service tokens
  • Lab 09: D1 device registry and audit log
  • Lab 10: KV job queue + R2 artifact storage with signed URLs
  • Lab 11: EmojiChef ChatOps — Discord webhook to Worker decode to job queue
  • Lab 12: Drop device deployment — bake secrets into the Mango image so it self-enrolls on first boot
  • Lab 13: Edge relay / redirector (Oblique-Relay patterns on the Worker)
  • Lab 14: Capstone end-to-end round-trip

What to Bring

  • Laptop with Docker, VS Code, and Dev Containers extension installed.
  • Power adapter for the laptop.
  • Your assignment card (distributed by the instructor on day one).
  • Cloudflare, Tailscale, and Discord accounts created and confirmed.
  • Optional: USB-to-UART adapter (3.3V) if you want to use the serial console in Lab 01. The instructor will have one for demonstration; bring your own if you want hands-on serial access.

Questions

Contact the instructor at drip@errantpacket.com for pre-class questions. Day-of questions go to the workshop Discord.

Your progress

Status across all 14 labs — updates as you complete each one.