How to use Win8.1 virtual instance to share it's vpn to its OSX host.

[Sam Santoyo]

Hey guys, thanks for droppin by.

I do have a very peculiar scenario:
MBPro 15" on High Sierra 10.13.3 , running VirtualBox 5.2.4 with a win 8.1 instance.

Both OS's have a company image, meaning some functionality has been restricted, OSX via JAMF software, VirtualBox running regular win 8.1 with some admin restrictions.

The win8.1 virtual instance has a preinstalled VPN client called GlobalProtect, which is working perfectly.
The OSX runs its Mac version, but it doesn't work because of some libraries aren't compatible with High Sierra and this hasn't been addressed by GlobalProtect (kernels)

How could I bridge my virtual instance so the host (osx) could use its VPN? Yep, I want to make my Mac laptop use my virtual win8.1 VPN.
Any help will be very much appreciated.

Cheers and thanks in advance!
S.

[socratis]

I was thinking about that the other day actually; how to use the network in the guest, while not on the host. In Windows, that's a fairly easy thing to do:

1. you choose Bridged mode for the VM
2. you bridge the VM NIC to an actual NIC on the Windows host
3. you disable all the bindings, *except* the VirtualBox Bridged adapter for that NIC.

But I don't have a clear plan on how to selectively disable bindings on OSX, Linux or Solaris hosts. So, I was thinking the following theoretical, untested scenario:

1. you choose Bridged mode for the VM
2. you bridge the VM NIC to an actual NIC on the host
3. in the TCP/IP properties of the host's NIC, you give it a manual IP that's not valid. So, if let's say that your LAN is 10.1.2.x based, you give your host a 192.168.99.x address. Can't work.

The question that I had is would that affect the bridged part or not. Haven't tried it...

Now, that's a potential solution to part 1 of your question; preventing the host accessing the world, but allowing the guest to do so. Part 2 would be to redirect any traffic from the host to the guest and then "somehow" forward that to the other port. I'm thinking of something like the following:

[quote]      GUEST                   HOST
+----------------+      +--------------+
| 192.168.56.101 |<-<-<-| 192.168.56.1 |
|       |        |      | 192.168.99.1 |- - - -  Nowhere
|   10.1.2.x     |->->->|   Bridged    |>>>>>>>> Internet
+----------------+      +--------------+

Black: HostOnly part
Blue:  Bridged to host's NIC
Red:   Invalid/non-routable IP of the host's NIC[/quote]

Since 1) I'm no network guru, and 2) this affects a much larger range of hosts, I'm going to move the message from the "OSX Hosts" section to "Using VirtualBox".

[mpack]

I don't claim to be a network guru either, but AFAIK a VPN connection is designed to be end to end, not shared. If VPN was available on the host then it could be accessible to the guest via NAT. But when VPN is in the guest you'd need a reverse NAT of some kind. I guess that means checking out Internet Connection Sharing... except you have a OS X host which hence probably doesn't support Windows ICS protocol. So, you seem to have set this problem up perfectly so it can't be solved.

[socratis]

To tell you the truth, I'm more interested in the part where the guest has access via Bridged, but the host itself doesn't, for Linux/OSX hosts. I don't have those steps, the how-to. That's the "getting an 10.1.2.x address in a 10.1.2.0/24 network" part.

The "192.168.56.1 -?-> 192.168.56.101 -?-> 10.1.2.x -> 10.1.2.1 -> Internet part, I haven't 1) thought about it too much, and 2) with such a restrictive host/guest setup, I'm not sure that it's going to (be allowed to) work...

[andyp73]

In some versions of Linux (Red Hat variants) you can control IPv4 and IPv6 with:

sudo sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
sudo sysctl -w net.ipv4.conf.eth0.disable_ipv4=1

I have no idea whether doing so will also break the bits that VirtualBox needs.
-Andy.

[socratis]

Couldn't get the nested bridged part to work. That is an OSX 10.11.6 host, running a guest Mint 17.3. That guest acts like a "guest/host" to a WinXP SP3 "guest/guest". And I'm a little bit stuck, because I *do* get an IP in WinXP, but that's it. No pinging except the "guest/host" Mint, not even the gateway. I thought that this was working, but can't get it to work now...

[okiuss]

Example for a linux vpn guest on a macOS host

(A) Guest network:

• 1 NAT Adapter (10.0.2.x)
  1 Host only Adapter (192.168.56.y)

(B) Enable routing and NAT for the VPN adapter in the guest machine

Code: Select all

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

(C) Start your VPN software in the guest

(D) Enable routing for the company lan on the host

Code: Select all

route add -net x.y.z/mask 192.168.56.y

For a windows guest you have to implement part (B) by activating internet connection sharing on the vpn adapter.