Outputs Reference

After terraform apply completes, two outputs are available. They contain everything you need to operate the lab: IP addresses, credentials, the C2 header token, URI routing table, and a full network diagram with actual IPs populated.

Save both outputs immediately after deployment. You will reference IPs, credentials, and the C2 header token throughout the lab.

terraform output deployment_info > redstack-info.txt
terraform output network_architecture >> redstack-info.txt

`deployment_info`

Full deployment details for every lab instance, including access URLs, IPs, credentials, and operational notes.

terraform output deployment_info

The output is structured as numbered sections, one per lab component.

1. Guacamole access portal

The browser-based access portal for all internal lab instances. This is the primary entry point for operators.

Field	Description
URL	`https://<public-ip>/guacamole` — open in browser
Public IP	Elastic IP assigned to the Guacamole instance
Private IP	Internal VPC IP
Username	`guacadmin`
Password	Auto-generated at deploy time (shown in output)
SSH (ext)	`ssh -i <key>.pem admin@<public-ip>` — from your local machine
SSH (int)	`ssh admin@<private-ip>` — from within the VPC

All internal instances (Mythic, Sliver, Havoc, Windows) are accessible through Guacamole using the connections pre-configured at deploy time. No manual Guacamole configuration is required.

2. Mythic C2 team server

The Mythic framework team server. Internal-only — no public IP is assigned.

Field	Description
Web UI	`https://<private-ip>:7443` — accessible from Windows workstation or via SSH tunnel
Private IP	Internal VPC IP
Username	`admin`
Password	Auto-generated (shared across all lab instances)
SSH (int)	`ssh admin@<private-ip>` — from within the VPC
Operator access	Port 7443 via the Windows workstation browser or Guacamole
Guacamole connection	`Mythic Team Server (SSH)`

The Mythic web UI runs on port 7443 with a self-signed TLS certificate. Accept the certificate warning in your browser on first access.

3. Sliver C2 server

The Sliver framework team server. Internal-only.

Field	Description
Private IP	Internal VPC IP
Username	`admin`
Password	Auto-generated (shared across all lab instances)
SSH (int)	`ssh admin@<private-ip>`
Operator port	`31337` (gRPC multiplexer)
Guacamole connection	`Sliver C2 Server (SSH)`

Connect the Sliver client to port 31337 on the private IP from within the lab network.

4. Havoc C2 server

The Havoc framework team server. Internal-only. Provides both SSH and VNC (graphical desktop) access.

Field	Description
Private IP	Internal VPC IP
Username	`admin`
Password	Auto-generated (shared across all lab instances)
SSH (int)	`ssh admin@<private-ip>`
Operator username	`operator`
Operator password	Auto-generated (same shared password)
Guacamole connections	`Havoc C2 Desktop (VNC)` \| `Havoc C2 Server (SSH)`

The Havoc teamserver exposes a graphical Qt-based UI. Access it via VNC through Guacamole for the full desktop experience.

5. Apache redirector

The public-facing Apache redirector. Routes C2 callbacks to the correct team server based on URI prefix and the C2 header token. Requests without the token are served a decoy page.

Field	Description
Public IP	Elastic IP — this is the IP your payloads call back to
Private IP	Internal VPC IP (Redirector VPC)
Domain	Custom domain if configured; otherwise `c2.example.com` placeholder
Username	`admin`
Password	Auto-generated (shared across all lab instances)
SSH (ext)	`ssh -i <key>.pem admin@<public-ip>` — from your local machine
SSH (int)	`ssh admin@<private-ip>` — from within the Redirector VPC
C2 Header	`X-Request-ID: <token>` — required on all C2 callbacks
Decoy page	Requests without the header receive a CloudEdge CDN maintenance page

URI routing table (as configured by your *_uri_prefix variables):

URI prefix	Routed to
`/cdn/media/stream/`	Mythic C2 team server
`/cloud/storage/objects/`	Sliver C2 server
`/edge/cache/assets/`	Havoc C2 server

The C2 header token shown in this output must be embedded in all payloads. Requests that arrive without it are silently redirected to the decoy page — the C2 callback will fail.

5b. External VPN routing (if enabled)

This section appears only when enable_external_vpn = true. It describes the OpenVPN + WireGuard routing configuration for reaching HTB, VulnLab, or Proving Grounds targets.

Field	Description
Status	`ENABLED`
WireGuard server	Redirector private IP — WireGuard interface `wg0` at `10.100.0.1`
WireGuard client	Guacamole private IP — WireGuard interface `wg0` at `10.100.0.2`
Target CIDRs	CIDR blocks routed through the tunnel (from `external_vpn_cidrs`)
VPN service	`sudo systemctl {start\|stop\|status} ext-vpn` (run on redirector)
WireGuard status	`sudo wg show` (run on redirector or Guacamole)

Traffic path (internal machine to CTF target):

[Teamserver / Windows Operator]
  -> default VPC route
  -> Guacamole (wg0 gateway, MASQUERADE)
  -> WireGuard tunnel (UDP 51820)
  -> Redirector (wg0 server)
  -> tun0 (OpenVPN, MASQUERADE)
  -> CTF target

WireGuard keys are generated on Guacamole at boot — no pre-deployment key setup is required. The tunnel comes up automatically.

Quick start steps:

Upload the .ovpn file to the Windows workstation

Open the Guacamole sidebar (Ctrl+Alt+Shift) → Devices → upload your .ovpn file.

SCP the .ovpn to the redirector

From the Windows workstation:

scp lab.ovpn admin@<redirector-private-ip>:~/vpn/

Start the VPN service on the redirector

sudo systemctl start ext-vpn

Verify the WireGuard tunnel

Run on both the redirector and Guacamole — both should show the other as a peer with a recent handshake time:

sudo wg show

Verify routing from any internal machine

ping <ctf-target-ip>

6. Windows operator workstation

The Windows operator workstation. Internal-only — accessed via RDP through Guacamole.

Field	Description
Private IP	Internal VPC IP
Username	`Administrator`
Password	Auto-decrypted using `ssh_private_key_path` — shown in plain text in the output
Access	RDP via Guacamole
Guacamole connection	`Windows Operator Workstation (RDP)`

The Windows password is decrypted by Terraform using the private key at ssh_private_key_path. If the instance is not yet fully initialized when you run terraform output, you may see (not yet available) — wait a few minutes and run the output command again.

`network_architecture`

A text-based network diagram with actual IP addresses populated from the deployment. Use this to quickly understand the topology and verify traffic paths.

terraform output network_architecture

The diagram shows:

VPC layout

VPC A — Team Server Infrastructure

Mythic, Sliver, Havoc (internal only)
Guacamole (public Elastic IP)
Windows Operator (internal only)

VPC B — Redirector Infrastructure

Apache Redirector (public Elastic IP)

VPC A and VPC B are connected via VPC peering.

Traffic flow

C2 callbacks are validated by URI prefix and the X-Request-ID header token:

<uri-prefix>/ → Redirector public IP → C2 team server private IP
No header → Decoy CloudEdge CDN maintenance page

If external VPN is enabled, the diagram also shows the WireGuard + OpenVPN routing path and the full list of routed CIDRs.

External VPN section (when enabled) additionally shows:

WireGuard tunnel path: internal machines → Guacamole → Redirector → CTF targets
Security configuration: source_dest_check disabled, double NAT (MASQUERADE on both hops), IP forwarding, and gateway filtering details

Saving outputs for offline reference

Both outputs contain all the information you need to operate the lab. Save them immediately after deployment.

# Save deployment info and network diagram to a single file
terraform output deployment_info > redstack-info.txt
terraform output network_architecture >> redstack-info.txt

The outputs include plaintext credentials and the C2 header token. Treat redstack-info.txt as a sensitive file and store it accordingly.

Terraform

​deployment_info

​network_architecture

VPC layout

Traffic flow

​Saving outputs for offline reference

Build docs developers (and LLMs) love

`deployment_info`

`network_architecture`

Saving outputs for offline reference