VPN and port forwarding advice

Discussions about using Windows guests in VirtualBox.
RoadHazard
Posts: 3
Joined: 9. Aug 2017, 20:18

VPN and port forwarding advice

Post by RoadHazard »

I feel like I'm *this* close to getting this all to work, if I can get a little help.

I'm running Windows 7 Ultimate (32-bit) inside VB on a Windows 10 Pro (64-bit) host. So, Windows within Windows. The Win7 guest is using a VPN client (not server) to the outside world. It also needs one port forwarded to communicate with the outside world.

I've tried configuring its network in NAT mode (the default), but can't get the port-forwarding to work. I've also tried Bridged mode, and this also gets close, but no cigar. In both cases, the Win 7 guest can access teh Interwebs just fine, and its public IP address appears as that of the VPN server, but the port-forwarding still doesn't seem to work yet.

In NAT mode, the local IP appears to be 10.10.x.x. In Bridge mode, it's 192.168.1.x, which is much more "normal" and part of my local LAN. In fact, other machines on the LAN can ping it successfully in Bridge mode, but not in NAT mode. In both cases, I set my "real" router (the actual hardware, not the notional router inside VB) to forward the appropriate port, although in NAT mode I'm not sure what IP to route the port to, since 10.10.x.x isn't part of the subnet my router knows to handle.

In Bridge mode, VB's port-forwarding option is grayed-out. In NAT mode, it's enabled and I can attempt to set up port-forwarding rules, but it either doesn't do what I think or I'm entering the wrong IP address(es).

Any hints? Do I need to try one of the other networking modes (NAT Network, etc.)? Am I on the right track but just entering incorrect parameters somewhere? Barking up the wrong tree entirely?
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: VPN and port forwarding advice

Post by scottgus1 »

You should become familiar with the various network types that are available. See section 6 in the manual, especially 6.2 and the table shown.

Bridged puts your guest in your host's physical network, and acts like the guest is just another new PC on the physical network. Bridged has no port forwarding. NAT and NAT network act like house routers, translating your physical network to another IP range, just like your real router translates the internet to your real network's IP range. Host-Only and Internal don't access the outside world so they won't help you.

Now adding in a VPN in the guest throws all the above on its head. VPNs are like tyrants: they take over everything and make the network do only what the VPN allows. Your guest should get an IP address from the VPN system, and any internet traffic to the guest must come through the VPN, so any ports that would have to be opened must be done in the VPN server, and the VPN server's IP address must be used to access your guest, as if the VPN server were your router now instead of the physical router you possess. I doubt if you can do what you want with a VPN running in the guest.
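
The NAT-mode forwarding rule discussed above, as an added example that is not part of the original posts. It is run on the Windows host; the VM name, rule name and port numbers are placeholders chosen for illustration, and the VBoxManage path is the default install location.

```powershell
# Added example. Assumed values (not from the thread): VM name, rule name, ports.
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"  # default install path
$vm        = "Win7-Guest"   # placeholder VM name
$rule      = "guest-svc"    # placeholder rule name
$hostPort  = 8080           # port opened on the host
$guestPort = 8080           # port the service listens on inside the guest

# Rule format: name,protocol,hostip,hostport,guestip,guestport
# Empty hostip  = listen on every host interface.
# Empty guestip = deliver to the guest's NAT-assigned address.
# modifyvm only works while the VM is powered off.
& $VBoxManage modifyvm $vm --natpf1 "$rule,tcp,,$hostPort,,$guestPort"

# To limit exposure, bind the rule to a single host address instead
# (192.168.1.50 is a constructed sample LAN address):
#   & $VBoxManage modifyvm $vm --natpf1 "$rule,tcp,192.168.1.50,$hostPort,,$guestPort"

# Confirm the rule was stored; expect a line beginning with Forwarding(0)=
& $VBoxManage showvminfo $vm --machinereadable | Select-String '^Forwarding'

# With the VM started and the guest service running, check that the host
# accepts connections on the forwarded port.
Test-NetConnection -ComputerName 127.0.0.1 -Port $hostPort

# Remove the rule again when it is no longer needed (VM powered off).
& $VBoxManage modifyvm $vm --natpf1 delete $rule
```

With a rule like this, the hardware router forwards the WAN port to the host's LAN address and `$hostPort`, not to the guest's NAT address, which the LAN cannot reach. The host's firewall must also allow the inbound port.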
BillG
Volunteer
Posts: 5105
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: VPN and port forwarding advice

Post by BillG »

Perhaps you should tell us exactly what you are trying to do. Your explanation so far does not compute. There is no way that a VPN would need (or could use) port forwarding. A VPN is a point to point connection and the packets are encapsulated and encrypted when they come through the router. How could port forwarding possibly do anything?
Bill
RoadHazard
Posts: 3
Joined: 9. Aug 2017, 20:18

Re: VPN and port forwarding advice

Post by RoadHazard »

BillG wrote: Perhaps you should tell us exactly what you are trying to do.
Good point. Here's what I'm doing. I've got several Windows apps running on the same box. Some need to be accessed remotely, and some prefer anonymity. Specifically, I'm running security camera software that allows remote WAN access through port forwarding. It's basically a lightweight webserver. On the other hand, I'm also running a P2P client that benefits from the IP obscurity that a VPN client provides.

Either one works beautifully on its own. I can access my security cameras while I'm on the road, or I can run the P2P client with VPN protection, but I can't make both work at the same time. In essence, I want the VPN client to apply its magic to some apps (or some network connections) but not others.

My hope was that by segregating the P2P app and the VPN driver in their own virtual machine I could prevent the VPN voodoo from interfering with the "normal" network access of the other apps. That doesn't seem to work. At least, not yet.

It seems doable. My hunch is that I just haven't hit on the right combination of settings.

To me, the Bridged connection feels like the right path because it gives the VM its own IP address on my LAN, just as if it was a distinct machine. To all the world, they're two completely separate boxes with two different Ethernet NICs, right? So why can't I get them to behave like separate machines with different network characteristics?
RoadHazard
Posts: 3
Joined: 9. Aug 2017, 20:18

Re: VPN and port forwarding advice

Post by RoadHazard »

Well, that was easy! :D

I changed P2P clients and everything worked out of the box, first time. Sheesh.

That's the third P2P client I tried, too. The first two were easy enough to set up, but required a bit of fiddling. The third just... worked. No port forwarding, no IP trickery, no nothing. Now my VB has one IP address, the host has another, and they both have different external WAN addresses, too. Perfect.

Thanks for the help, although I can't promise that I won't be back tomorrow with another dumb question.
BillG
Volunteer
Posts: 5105
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: VPN and port forwarding advice

Post by BillG »

That sounds good. It was certainly the right approach and was doable. Glad you found the right combination.
Bill