All configuration for a redStack deployment is controlled through Terraform input variables. Set them in a terraform.tfvars file before running terraform apply.
Variables marked Required have no defaults; Terraform errors immediately if they are not set.

Required variables

These three variables must be set in every deployment. There are no defaults.
localPub_ip (string, required)
Your local public IP address in CIDR notation. Used to restrict SSH and management access at the security group level. Terraform validates this value and rejects non-CIDR strings. Find your public IP with curl ifconfig.me, then append /32.
localPub_ip = "108.51.27.140/32"
ssh_key_name (string, required)
Name of an existing AWS EC2 key pair. Terraform does not create this; it must already exist in your account before you run terraform apply. The key pair is used for SSH access to Linux instances and to decrypt the Windows Administrator password.
ssh_key_name = "rs-rsa-key"
Create a key pair with the AWS CLI:
aws ec2 create-key-pair --key-name rs-rsa-key \
  --query 'KeyMaterial' --output text > ./rs-rsa-key.pem
chmod 400 ./rs-rsa-key.pem
ssh_private_key_path (string, required)
Path to the .pem private key file on the machine running Terraform. Terraform passes it to rsadecrypt() to decrypt the Windows Administrator password automatically so that it appears in terraform output.
ssh_private_key_path = "./rs-rsa-key.pem"
The path is relative to the directory where you run terraform apply. An absolute path also works.

AWS configuration

aws_region (string, default: "us-east-1")
AWS region where all resources are created. All instances, VPCs, security groups, and Elastic IPs are deployed in this region.
aws_region = "us-east-1"
project_name (string, default: "redStack")
Prefix applied to every resource name and Project tag. Use distinct values when running multiple simultaneous deployments so you can isolate them in the AWS Console and billing reports.
project_name = "redStack"
For a second parallel deployment (e.g., with external VPN), use "redStack-extVPN" and a matching CostCenter tag.

Instance types

Each lab component runs on its own EC2 instance. Adjust these to balance cost and performance.
Estimated monthly cost at defaults with all instances running 24/7: ~$135/month plus data transfer. Stop instances when not in use to reduce costs.
mythic_instance_type (string, default: "t3.medium")
EC2 instance type for the Mythic C2 team server. The default t3.medium (2 vCPU, 4 GB RAM) is the recommended minimum; Mythic’s Docker stack is memory-intensive.
mythic_instance_type = "t3.medium"
guacamole_instance_type (string, default: "t3.small")
EC2 instance type for the Apache Guacamole server. Guacamole is the browser-based access portal for all internal lab instances.
guacamole_instance_type = "t3.small"
windows_instance_type (string, default: "t3.medium")
EC2 instance type for the Windows operator workstation. Accessed via RDP through Guacamole.
windows_instance_type = "t3.medium"
redirector_instance_type (string, default: "t3.micro")
EC2 instance type for the Apache redirector. The redirector handles only HTTP/HTTPS proxying and header validation, so a t3.micro is sufficient for most lab workloads.
redirector_instance_type = "t3.micro"
If you enable external VPN (enable_external_vpn = true), consider upgrading to t3.small. The redirector will also route VPN traffic and run WireGuard.
sliver_instance_type (string, default: "t3.small")
EC2 instance type for the Sliver C2 server.
sliver_instance_type = "t3.small"
havoc_instance_type (string, default: "t3.medium")
EC2 instance type for the Havoc C2 server. Havoc runs a Qt-based teamserver and a graphical desktop, so the t3.medium default is recommended.
havoc_instance_type = "t3.medium"

Network configuration

use_default_vpc (boolean, default: false)
When false (recommended), Terraform creates a dedicated VPC for the team server infrastructure using the CIDR specified in vpc_cidr. When true, all team server instances are placed in your account’s AWS default VPC.
use_default_vpc = false
Using the default VPC is not recommended for production labs. A dedicated VPC provides network isolation and avoids conflicts with other resources in your account.
vpc_cidr (string, default: "10.50.0.0/16")
CIDR block for the dedicated team server VPC. Only used when use_default_vpc = false.
vpc_cidr = "10.50.0.0/16"
redirector_vpc_cidr (string, default: "10.60.0.0/16")
CIDR block for the redirector VPC. The redirector always runs in its own VPC, peered to the team server VPC. When running two deployments simultaneously, change one of them to avoid CIDR conflicts; for example, use 10.61.0.0/16 for the second deployment.
redirector_vpc_cidr = "10.60.0.0/16"

Redirector and domain

redirector_domain (string, default: "")
Custom domain for the Apache redirector. When set, the redirector uses this domain for TLS certificate provisioning. When left empty, the redirector operates in closed environment mode: it uses the public IP with a self-signed certificate. This is the correct setting for HTB, VL, and PG labs where no public domain is needed.
# Open environment (public lab with custom domain)
redirector_domain = "c2.yourdomain.com"

# Closed environment (HTB/VL/PG — leave empty)
redirector_domain = ""
After deployment, point your domain’s A record to the Redirector Elastic IP shown in terraform output deployment_info.
enable_redirector_htaccess_filtering (boolean, default: true)
When true, the redirector loads redirect.rules with Apache mod_rewrite rules that block known scanner user-agents and AV/sandbox IP ranges, redirecting them to a decoy page. Set to false for HTB, VL, and PG environments where scanner blocking is unnecessary and may interfere with lab traffic.
enable_redirector_htaccess_filtering = true   # Open environment
enable_redirector_htaccess_filtering = false  # HTB/VL/PG

C2 URI prefixes

These URI prefixes are baked into agent payloads at deploy time. The redirector uses them to route incoming C2 callbacks to the correct team server. Set them before running terraform apply.
URI prefixes are embedded in compiled payloads; changing them after agents have been deployed means generating and deploying new payloads.
mythic_uri_prefix (string, default: "/cdn/media/stream")
URI prefix routed to the Mythic C2 team server. Designed to blend with CDN traffic patterns.
mythic_uri_prefix = "/cdn/media/stream"
sliver_uri_prefix (string, default: "/cloud/storage/objects")
URI prefix routed to the Sliver C2 server. Designed to blend with cloud storage traffic patterns.
sliver_uri_prefix = "/cloud/storage/objects"
havoc_uri_prefix (string, default: "/edge/cache/assets")
URI prefix routed to the Havoc C2 server. Designed to blend with edge/CDN cache traffic patterns.
havoc_uri_prefix = "/edge/cache/assets"

C2 header validation

The redirector requires a specific HTTP header to be present on all C2 callbacks. Requests without the correct header are served a decoy CloudEdge CDN maintenance page.
c2_header_name (string, default: "X-Request-ID")
The HTTP header name the redirector checks on every incoming request.
c2_header_name = "X-Request-ID"
c2_header_value (string, default: "")
The token value the redirector expects in the header. Leave empty to have Terraform auto-generate a random token at deploy time (recommended). The generated value is shown in terraform output deployment_info and terraform output network_architecture.
# Auto-generate (recommended)
c2_header_value = ""

# Or set a specific value
c2_header_value = "my-secret-token"
Auto-generation is recommended. The token appears in all output sections so you can reference it when building payloads.

Autostart

enable_mythic_autostart (boolean, default: true)
When true, Mythic starts automatically on instance boot via a systemd service. When false, you must SSH in and start Mythic manually after each boot.
enable_mythic_autostart = true

External VPN (HTB / VL / PG)

These variables route lab traffic through an external OpenVPN connection, which HTB, VulnLab, and Proving Grounds targets require.
enable_external_vpn (boolean, default: false)
When true, Terraform configures an OpenVPN client on the redirector and a WireGuard tunnel between the redirector and Guacamole. Internal lab machines can then reach CTF targets through the VPN.
enable_external_vpn = false  # Default — open environment
enable_external_vpn = true   # HTB/VL/PG mode
Enabling this also disables the default gateway redirect on the OpenVPN client to preserve VPC peering and C2 connectivity.
external_vpn_cidrs (list(string), default: ["10.10.0.0/16"])
List of CIDR blocks that should be routed through the redirector’s VPN tunnel. These are added as static routes on the WireGuard interface on the Guacamole server. The default covers most HTB and VulnLab target ranges; add further ranges as needed for your platform.
external_vpn_cidrs = ["10.10.0.0/16"]

# Multiple ranges
external_vpn_cidrs = ["10.10.0.0/16", "10.13.0.0/16"]

Tagging

tags (map(string), default: {})
A map of additional key-value tags applied to every AWS resource in the deployment. Useful for cost tracking, filtering resources in the AWS Console, and billing reports. Every resource also receives an automatic Project tag set to the value of project_name.
tags = {
  Owner      = "Operator"
  CostCenter = "redStack"
  Purpose    = "Boot-to-Breach Training Environment"
}

Full example: terraform.tfvars

The following example shows all key variables with comments. Copy this to terraform.tfvars and fill in your values.
terraform.tfvars
# ============================================================================
# REQUIRED — must be set before terraform apply
# ============================================================================

# Your public IP for SSH access (curl ifconfig.me)
# Must be in CIDR format with /32 suffix
localPub_ip = "108.51.27.140/32"

# Name of your existing AWS EC2 key pair
# Must already exist in AWS EC2 Console > Key Pairs
ssh_key_name = "rs-rsa-key"

# Path to your SSH private key file (.pem)
# Used to auto-decrypt the Windows Administrator password
ssh_private_key_path = "./rs-rsa-key.pem"

# ============================================================================
# AWS CONFIGURATION
# ============================================================================

aws_region   = "us-east-1"
project_name = "redStack"

# ============================================================================
# INSTANCE TYPES
# ============================================================================

mythic_instance_type     = "t3.medium"  # 2 vCPU, 4 GB RAM
guacamole_instance_type  = "t3.small"   # 2 vCPU, 2 GB RAM
windows_instance_type    = "t3.medium"  # 2 vCPU, 4 GB RAM
sliver_instance_type     = "t3.small"   # 2 vCPU, 2 GB RAM
havoc_instance_type      = "t3.medium"  # 2 vCPU, 4 GB RAM
redirector_instance_type = "t3.micro"   # 2 vCPU, 1 GB RAM

# ============================================================================
# NETWORK
# ============================================================================

use_default_vpc     = false           # Recommended: create a dedicated VPC
vpc_cidr            = "10.50.0.0/16"  # TeamServer VPC CIDR
redirector_vpc_cidr = "10.60.0.0/16"  # Redirector VPC CIDR
                                      # Change to 10.61.0.0/16 for a second parallel deployment

# ============================================================================
# REDIRECTOR AND DOMAIN
# ============================================================================

# Apex or subdomain pointing to the Redirector Elastic IP
# Leave empty for closed environments (HTB/VL/PG)
redirector_domain = "c2.yourdomain.com"

# Set false for HTB/VL/PG — scanner/AV blocking not needed in lab environments
enable_redirector_htaccess_filtering = true

# ============================================================================
# C2 URI PREFIXES
# These are baked into payloads at deploy time. Set before terraform apply.
# ============================================================================

mythic_uri_prefix = "/cdn/media/stream"
sliver_uri_prefix = "/cloud/storage/objects"
havoc_uri_prefix  = "/edge/cache/assets"

# ============================================================================
# C2 HEADER VALIDATION
# ============================================================================

# c2_header_name  = "X-Request-ID"  # Default — override if needed
# c2_header_value = ""              # Leave empty to auto-generate (recommended)

# ============================================================================
# MYTHIC
# ============================================================================

enable_mythic_autostart = true

# ============================================================================
# EXTERNAL VPN (HTB / VL / PG)
# ============================================================================

# Set true for HTB/VL/PG — enables OpenVPN client + WireGuard routing
enable_external_vpn = false

# CIDR blocks reachable through the VPN tunnel
# external_vpn_cidrs = ["10.10.0.0/16"]

# ============================================================================
# TAGGING
# ============================================================================

tags = {
  Owner      = "Operator"
  CostCenter = "redStack"  # Match to project_name for per-deployment billing isolation
  Purpose    = "Boot-to-Breach Training Environment"
}
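Before running terraform apply, the rules from the Required variables, Network configuration and External VPN sections (required variables set, localPub_ip a /32, VPC and VPN CIDR blocks that do not collide) can be checked offline. This is an added example written for this page, not part of redStack: parse_tfvars and check_tfvars are names chosen here, SAMPLE is a constructed file, and the reader assumes the one-assignment-per-line layout of the tfvars above.

```python
# Added example (not redStack code): pre-flight check of a terraform.tfvars, one `key = value` per line.
import ipaddress
import itertools
import re

REQUIRED = ("localPub_ip", "ssh_key_name", "ssh_private_key_path")
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*(#.*)?$')   # value, then optional trailing comment

def parse_tfvars(text):
    """Minimal tfvars reader for string, bool and flat list values (map bodies read as plain keys)."""
    vals = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            vals[key] = re.match(r'"([^"]*)"', raw).group(1)
        elif raw in ("true", "false"):
            vals[key] = raw == "true"
        elif raw.startswith("["):
            vals[key] = re.findall(r'"([^"]*)"', raw)
    return vals

def check_tfvars(vals):
    """Findings (empty list = pass): required vars, CIDR syntax, /32 on localPub_ip, disjoint VPC/VPN blocks."""
    findings = [f"{n} is required and has no default" for n in REQUIRED if not vals.get(n)]
    cidrs = {n: vals[n] for n in ("localPub_ip", "vpc_cidr", "redirector_vpc_cidr") if n in vals}
    cidrs.update({f"external_vpn_cidrs[{i}]": c for i, c in enumerate(vals.get("external_vpn_cidrs", []))})
    nets = {}
    for name, cidr in cidrs.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{name}: {cidr!r} is not a CIDR block")
    pub = nets.get("localPub_ip")
    if pub is not None and pub.prefixlen != 32:
        findings.append(f"localPub_ip {pub} admits more than one host to SSH/management; use a /32")
    # VPC peering and the WireGuard static routes both require non-overlapping blocks.
    for a, b in itertools.combinations([n for n in nets if n != "localPub_ip"], 2):
        if nets[a].overlaps(nets[b]):
            findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return findings

# Constructed sample: the team server VPC was given the default HTB target range.
SAMPLE = '''
localPub_ip  = "108.51.27.0/24"   # whole /24 instead of a single host
ssh_key_name = "rs-rsa-key"
vpc_cidr     = "10.10.0.0/16"
external_vpn_cidrs = ["10.10.0.0/16", "10.13.0.0/16"]
'''
```

Running check_tfvars(parse_tfvars(SAMPLE)) reports the missing ssh_private_key_path, the over-wide localPub_ip, and the vpc_cidr clash with the first VPN range; a file using this page's defaults passes with no findings.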