[Solution is at the bottom of the post for those not interested in me addressing the question]
Thanks scottgus1, your suggestion about using a Host-only adapter was a step in the right direction.
Firstly, to address your question:
scottgus1 wrote:... I wonder if the concern you have about the failure of the VPN software in the guests leading to insecure guest internet might not also be a possibility on the host. Then all the guests would have insecure internet.
The goal here is to make the Internet connection of the Guest VM dependent on the VPN connection on the Host. If the VPN goes down, the guest loses Internet connectivity and is not exposed. Isolating the Guest to a Host-only adapter has the added benefit of preventing the Guests from transmitting on the local LAN as well (benefit in hindsight).
scottgus1 wrote:... could you point the OS at the VPN gateway as a proxy? ... Or perhaps another router guest with the VPN in that?
Your second point got me to the solution. However, using a second (router) guest is not desirable, as a) you would need extra resources to run this router guest, and b) this router guest would NAT on the host's NIC and could still expose the other guest/s to the Internet if the VPN goes down (there is also the additional complexity of making sure to have all the necessary checks and balances on the router guest to disable the proxy should the VPN go down).
Solution:
I found the solution here:
http://serverfault.com/questions/127129 ... on-windows
In the VirtualBox main window:
- Go to "File" > "Preferences" > "Network"
- Go to the "Host-Only Networks" tab
- Create a new Host-Only network (default name is "Virtualbox Host-Only Ethernet Adapter")
On the Windows host:
- Go to "Control Panel" > "Network and Sharing Center" > "Adapter Setting"
- Right-click on the "TAP Windows Adapter V9" > "Properties"
- Go to the "Sharing" tab, and select the option "Allow other users... this computer's Internet connection"
- In the dropdown, select the "Virtualbox Host-Only Ethernet Adapter" (this is the default name)
A popup will appear stating that the TAP adapter will be shared on IP address 192.168.137.1. This is the default assigned by Windows; if you wish to change this IP address you need to edit the registry, refer to
https://support.microsoft.com/en-au/hel ... cp-service or with visual aids
http://www.tomshardware.co.uk/faq/id-19 ... range.html
In the VirtualBox main window:
- Go to "File" > "Preferences" > "Network"
- Go to the "Host-Only Networks" tab and select "Virtualbox Host-Only Ethernet Adapter" (if you have not changed the name)
- Under "Adapter" tab enter the following:
  - IPv4 Address: 192.168.137.1
  - IPv4 Network Mask: 255.255.255.0
- Under "DHCP server" tab:
  - You can enable this server, and the default values will be fine.
  - Note: I disabled the DHCP server, and manually assigned the IP address in the Guest
  - You still need to update the gateway and DNS in the guest VM (explained later)
In the Guest VM, under "Network" settings change the following:
- Attached to: Host-Only adapter
- Name: Virtualbox Host-Only Ethernet Adapter
Making the guest use the Host-Only adapter caused the following error at bootup:
Failed to open/create the internal network 'HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter' (VERR_INTNET_FLT_IF_NOT_FOUND).
Failed to attach the network LUN (VERR_INTNET_FLT_IF_NOT_FOUND).
This is a known issue as discussed here:
https://www.virtualbox.org/ticket/14832
In my case, enabling the "VirtualBox NDIS6 Bridged Networking driver" solved my problem, as discussed here:
http://stackoverflow.com/questions/3372 ... -windows10
Finally, boot up the guest VM, and make the following changes to the Ethernet adapter/interface:
- IPv4 Address: 192.168.137.x (where x is anything from 2-254; this IP address range needs to be the same as defined in the Windows registry)
- Network Mask: 255.255.255.0
- Gateway: 192.168.137.1
- DNS: 192.168.137.1 (this will cause DNS leakage by the guest VM when the VPN is not connected) or
- DNS: 8.8.8.8 (no DNS leakage by guest VM)
- Reset the adapter/interface for the new setting to take effect
8.8.8.8 is the main DNS server provided by Google; additional public DNS servers can be found here:
http://public-dns.info/
To test if everything is working, ping a server before and after the VPN connection is established on the host machine
or
Try and get the external IP address of the guest before and after the VPN connection is established on the host machine with the following code:
dig +short myip.opendns.com @resolver1.opendns.com
I guess the same process can be applied if you want the Guest to use a specific NIC on the Host machine, instead of a VPN connection. I do not have the means to test this further though.
If I have missed something let me know.
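
The before/after test described in this post can be scripted inside the guest. The following is an added example, not part of the original post: it wraps the post's dig query, filters out dig's error text, and reports whether the guest is fail-closed. The script modes (down/up), the STATE_FILE path and the REAL_IP variable (the host's normal ISP address, supplied by you) are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed check for the guest, built around the post's dig query.
# Assumed workflow: run "down" with the host VPN disconnected, then "up" once it
# is connected. REAL_IP (the host's normal ISP address) is supplied by you.

STATE_FILE="${STATE_FILE:-/tmp/vpn_down_ip}"   # hypothetical scratch path

# Keep only a dotted-quad answer; on timeout dig prints ";; ..." text on stdout.
only_ipv4() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | head -n 1
}

# External address as seen by OpenDNS, or empty when the guest has no route out.
external_ip() {
    dig +short +time=3 +tries=1 myip.opendns.com @resolver1.opendns.com 2>/dev/null | only_ipv4
}

# verdict DOWN_IP UP_IP REAL_IP: prints a result, returns 0 only when fail-closed.
verdict() {
    if [ -n "$1" ]; then
        echo "LEAK: guest reached the Internet with the VPN down (seen as $1)"; return 1
    fi
    if [ -z "$2" ]; then
        echo "BROKEN: no connectivity even with the VPN up (check gateway/DNS/sharing)"; return 2
    fi
    if [ -n "$3" ] && [ "$2" = "$3" ]; then
        echo "LEAK: VPN is up but traffic exits from the host's real address $2"; return 1
    fi
    echo "OK: no route with the VPN down, exits via $2 with the VPN up"
}

case "${1:-}" in
    down) external_ip > "$STATE_FILE"; echo "recorded: '$(cat "$STATE_FILE")'" ;;
    up)   [ -f "$STATE_FILE" ] || { echo "run with 'down' first"; exit 3; }
          verdict "$(cat "$STATE_FILE")" "$(external_ip)" "${REAL_IP:-}" ;;
esac
```

An empty recorded value after the "down" run is the expected result: it means the query could not leave the guest while the VPN was disconnected.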