Bind VM to specific Interface/VPN connection

Discussions related to using VirtualBox on Windows hosts.
OverThinkingIt
Posts: 3
Joined: 30. Jan 2017, 12:29

Bind VM to specific Interface/VPN connection

Post by OverThinkingIt »

The setup I am trying to achieve is simple: isolate the guest traffic to a specific VPN connection/adapter. If the VPN connection is not present, or goes down, then the guest should not have internet access.

This is the same scenario as this question:
(cannot post links) google "force virtual machine to only use vpn connection"
However, I am not getting the desired result.

Host: Windows 10
Guest: Linux Mint 18

The process that I am trying to achieve is as follows:
1) Start VPN connection (openVPN) on the host system, the guest uses/shares the VPN connection to access the internet.
2) VPN disconnects on the host system, the guest cannot access the internet. i.e. it does not use the host's current network connection.

I have read several posts that suggest configuring the network option in virtualbox settings to use either bridge or NAT.
NAT - achieves the first point, but fails on the second one.
Bridging - does not work at all. If I bridge the physical ethernet adapter, I bypass the VPN connection completely. Bridging on the VPN adapter results in no connection at all. Note: on the Windows host it states that it is a TAP adapter, but the ovpn config file creates a tun device.

I have tried binding the guest VM to a specific interface with the following code:

VBoxManage modifyvm "VM name" --natbindip1 "10.45.0.2"
but have not gotten it to work (an additional problem with the above code is that the IP address is not the same every time I connect to the VPN).

What have I overlooked in this setup?
Am I required to set firewall rules on the host to prevent/redirect traffic only to the VPN connection? (again, problematic as the IP address is not fixed)

Thanks in advance.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Bind VM to specific Interface/VPN connection

Post by scottgus1 »

If you wish to have the guest VPN-access the internet through a physical network card that the host can use too, then no matter what you try, the guest could at one time or another get internet access without going through the VPN.

Can you install the VPN software inside the guest OS? Then the guest itself would handle getting to the internet through Virtualbox NAT and tunnel its packets privately without the host knowing.
OverThinkingIt
Posts: 3
Joined: 30. Jan 2017, 12:29

Re: Bind VM to specific Interface/VPN connection

Post by OverThinkingIt »

Thanks for the suggestion, however that is not an ideal solution in my test case for three reasons:
  1. I am trying to isolate the VM from the internet and tunnel the traffic to a remote site that is more secure. Relying on a VPN connection from inside the guest means the possibility exists that the VPN could disconnect and the guest has access to an unprotected internet (and the host does not know about this)
  2. I am currently testing with only 1 VM, but could need to expand this to more. Having the VPN connection established from the host-side makes this transparent to the Guest and easier to control the network access (disconnect the VPN, and all guests are isolated)
  3. Additional overhead on the VPN server when multiple guests initiate their own VPN connection. (this is purely academic, as I will never require such heavy loads)
Essentially, I want the host to act like a VPN gateway and the guest VM to only see that (encrypted) network interface. I thought that bridging the VPN adapter would suffice but what I think is happening is that the guest VM is trying to connect/transmit directly on this adapter without any encryption keys; hence it is failing.

Is there a way to create a virtual NIC, route all traffic from this NIC through the VPN connection on the host side, and bind/bridge the guest to the virtual NIC?
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Bind VM to specific Interface/VPN connection

Post by scottgus1 »

Virtualbox does have a virtual NIC between the guests and the host. It's the Host-Only adapter. Whether you can then route traffic the guest(s) send to that Host-Only virtual adapter into your VPN I don't know.

You of course have the project in your head more than I do, but I wonder if the concern you have about the failure of the VPN software in the guests leading to insecure guest internet might not also be a possibility on the host. Then all the guests would have insecure internet.

I have heard that businesses can set up internet proxies for their employees to limit internet access. Assuming the VPN sets up a gateway for the OS's internet requests, could you point the OS at the VPN gateway as a proxy? Then if the VPN goes down the proxy goes down and the internet is unavailable. Or perhaps another router guest with the VPN in that? The supposed-to-be-secured guests point at the router OS guest through Internal networks, and the router guest is NATted or Bridged?
OverThinkingIt
Posts: 3
Joined: 30. Jan 2017, 12:29

Re: Bind VM to specific Interface/VPN connection

Post by OverThinkingIt »

[Solution is at the bottom of the post for those not interested in me addressing the question]

Thanks scottgus1, your suggestion about using a Host-only adapter was a step in the right direction.

Firstly, to address your question:
scottgus1 wrote:... I wonder if the concern you have about the failure of the VPN software in the guests leading to insecure guest internet might not also be a possibility on the host. Then all the guests would have insecure internet.
The goal here is to make the Internet connection of the Guest VM dependent on the VPN connection on the Host. If the VPN goes down, the guest loses Internet connectivity and is not exposed. Isolating the Guest to a Host-only adapter has the added benefit of preventing the Guests from transmitting on the local LAN as well (benefit in hindsight).
scottgus1 wrote:... could you point the OS at the VPN gateway as a proxy? ... Or perhaps another router guest with the VPN in that?
Your second point got me to the solution. However, using a second (router) guest is not desirable, as a) you would need extra resources to run this router guest, and b) this router guest would NAT on the host's NIC and could still expose the other guest/s to the Internet if the VPN goes down (there is also the additional complexity of making sure to have all the necessary checks and balances on the router guest to disable the proxy should the VPN go down).

Solution:

I found the solution here: http://serverfault.com/questions/127129 ... on-windows

In Virtualbox Main window:
  • Go to "File" > "Preferences" > "Network"
  • Go to the "Host-Only Networks" tab
  • Create a new Host-Only network (default name is "Virtualbox Host-Only Ethernet Adapter")
On the Windows host:
  • Go to "Control Panel" > "Network and Sharing Center" > "Adapter Setting"
  • Right-click on the "TAP Windows Adapter V9" > "Properties"
  • Go to the "Sharing" tab, and select the option "Allow other users... this computer's Internet connection"
  • In the dropdown, select the "Virtualbox Host-Only Ethernet Adapter" (this is the default name)
A popup will appear stating that the TAP adapter will be shared on IP address 192.168.137.1. This is the default assigned by Windows; if you wish to change this IP address you need to edit the registry, refer to https://support.microsoft.com/en-au/hel ... cp-service or with visual aids http://www.tomshardware.co.uk/faq/id-19 ... range.html

In Virtualbox Main window:
  • Go to "File" > "Preferences" > "Network"
  • Go to the "Host-Only Networks" tab and select "Virtualbox Host-Only Ethernet Adapter" (if you have not changed the name)
  • Under "Adapter" tab enter the following:
    • IPv4 Address: 192.168.137.1
    • IPv4 Network Mask: 255.255.255.0
  • Under "DHCP server" tab:
    • You can enable this server, and the default values will be fine.
    • Note: I disabled the DHCP server, and manually assigned the IP address in the Guest
    • You still need to update the gateway and DNS in the guest VM (explained later)
In the Guest VM, under "Network" settings change the following:
  • Attached to: Host-Only adapter
  • Name: Virtualbox Host-Only Ethernet Adapter
Making the guest use the Host-Only adapter caused the following error at bootup:

Failed to open/create the internal network 'HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter' (VERR_INTNET_FLT_IF_NOT_FOUND).

Failed to attach the network LUN (VERR_INTNET_FLT_IF_NOT_FOUND).
This is a known issue as discussed here: https://www.virtualbox.org/ticket/14832
In my case, enabling the "VirtualBox NDIS6 Bridged Networking driver" solved my problem as discussed here http://stackoverflow.com/questions/3372 ... -windows10

Finally, boot up the guest VM, and make the following changes to the Ethernet adapter/interface:
  • IPv4 Address: 192.168.137.x (where x is anything from 2-254; this IP address range needs to be the same as defined in the Windows registry)
  • Network Mask: 255.255.255.0
  • Gateway: 192.168.137.1
  • DNS: 192.168.137.1 (this will cause DNS leakage by the guest VM when the VPN is not connected) or
  • DNS: 8.8.8.8 (no DNS leakage by guest VM)
  • Reset the adapter/interface for the new setting to take effect
8.8.8.8 is the main DNS server provided by Google; additional public DNS servers can be found here: http://public-dns.info/

To test if everything is working, ping a server before and after the VPN connection is established on the host machine
or
Try and get the external IP address of the guest before and after the VPN connection is established on the host machine with the following code:

dig +short myip.opendns.com @resolver1.opendns.com
I guess the same process can be applied if you want the Guest to use a specific NIC on the Host machine, instead of a VPN connection. I do not have the means to test this further though.

If I have missed something let me know.
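An added guest-side check that is not part of the thread (my own script, not the poster's): it inspects the guest's routes, addresses and resolver configuration and fails if the guest has any path out other than the ICS gateway 192.168.137.1 from the post, or if DNS still points at that gateway (the DNS-leak case noted above). Interface names (enp0s3, enp0s8) and the sample `ip` outputs are constructed for the demonstration; run it with --live inside the actual guest to check the real configuration and then perform the external-IP test from the post.

```shell
#!/bin/sh
# Added example, not from the thread: guest-side sanity check for the
# "host-only adapter + Windows ICS" setup described above. A guest isolated
# this way must have exactly one way out: the ICS gateway on the host-only
# subnet. Interface names and sample outputs below are constructed.
set -u

GATEWAY="192.168.137.1"   # ICS address Windows assigns by default (from the post)

# check_routes "<output of: ip -4 route>"
# Exactly one default route, via the ICS gateway, and every other route on
# the host-only subnet or link-local. A second default (bridged NIC) or a
# leftover NAT route (10.0.2.0/24) means a path that bypasses the host VPN.
check_routes() {
    routes="$1"
    defaults=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
    [ "$defaults" -eq 1 ] || return 1
    printf '%s\n' "$routes" | grep -q "^default via $GATEWAY " || return 1
    ! printf '%s\n' "$routes" | grep -v '^default ' \
        | grep -Ev '^(192\.168\.137\.0/24 |169\.254\.)' | grep -q .
}

# check_addrs "<output of: ip -4 addr>"
# Every non-loopback IPv4 address must sit in the host-only subnet.
check_addrs() {
    ! printf '%s\n' "$1" | awk '$1=="inet"{print $2}' \
        | grep -v '^127\.' | grep -qv '^192\.168\.137\.'
}

# check_dns "<contents of /etc/resolv.conf>"
# At least one nameserver, and none of them the ICS gateway: pointing DNS at
# the host lets it resolve names for the guest outside the tunnel.
check_dns() {
    servers=$(printf '%s\n' "$1" | awk '$1=="nameserver"{print $2}')
    [ -n "$servers" ] || return 1
    ! printf '%s\n' "$servers" | grep -qx "$GATEWAY"
}

# guest_net_ok ROUTES ADDRS RESOLV: all three checks together
guest_net_ok() {
    check_routes "$1" && check_addrs "$2" && check_dns "$3"
}

# --- constructed sample outputs -------------------------------------------
# Correctly isolated guest: one NIC on the host-only subnet.
GOOD_ROUTES="default via 192.168.137.1 dev enp0s3 proto static
192.168.137.0/24 dev enp0s3 proto kernel scope link src 192.168.137.10"
# Bridged second NIC left attached: a second default route onto the LAN.
TWO_DEFAULT_ROUTES="default via 192.168.137.1 dev enp0s3 proto static
default via 192.168.1.1 dev enp0s8 proto dhcp metric 100
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.50
192.168.137.0/24 dev enp0s3 proto kernel scope link src 192.168.137.10"
# VirtualBox NAT adapter left attached: no second default, but a 10.0.2.0/24 route.
NAT_LEFTOVER_ROUTES="default via 192.168.137.1 dev enp0s3 proto static
10.0.2.0/24 dev enp0s8 proto kernel scope link src 10.0.2.15
192.168.137.0/24 dev enp0s3 proto kernel scope link src 192.168.137.10"

GOOD_ADDRS="1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 192.168.137.10/24 brd 192.168.137.255 scope global enp0s3"
BAD_ADDRS="$GOOD_ADDRS
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s8"

GOOD_RESOLV="nameserver 8.8.8.8"
LEAK_RESOLV="nameserver 192.168.137.1"

# With --live on the real guest: check the live configuration, then ask an
# external resolver for the address the world sees. It should be the VPN exit
# while the host tunnel is up and fail once the tunnel is down.
live_check() {
    guest_net_ok "$(ip -4 route)" "$(ip -4 addr)" "$(cat /etc/resolv.conf)" \
        || { echo "guest has a path outside the host-only network" >&2; return 1; }
    echo "config ok; external address as seen from the guest:"
    dig +short myip.opendns.com @resolver1.opendns.com
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```

The route check is the important one: the ICS sharing only covers the host-only subnet, so any second route out of the guest (a bridged or NAT adapter that was not detached) is exactly the bypass the setup is meant to prevent.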