Windows 10 Host + CentOS 7 Guest + OpenVPN on guest: no route to host.

netus067
Posts: 6
Joined: 16. Sep 2019, 16:55

Windows 10 Host + CentOS 7 Guest + OpenVPN on guest: no route to host.

Post by netus067 »

First of all, hello to everyone... I'm new here.

Right away, my setup, so that it is clearly understood:
My router has no static route option; indeed, with the built-in Windows VPN I can let clients communicate, but they can't reach the internet through the VPN DNS, so they just connect and use the local VPN unless they use the DNS from their own ISP connection.

Anyway, apart from this, I would like to understand how to let a VM work as a guest with an OpenVPN server inside:
1) Router IP 192.168.1.1
2) Host Windows 10, IP 192.168.1.91
3) CentOS 7 installed as guest, OpenVPN server installed on the guest

What are the correct network settings to let users from outside access the GUEST VPN and also have ping and internet access?
And to what IP address does the router have to open the port, since I can't port forward to an IP different from 192.168.1.x?

At first I tried to set a bridged network for the VirtualBox guest. Everything is fine and the guest also obtains a local IP address (eg. 192.168.1.244), but even if I open port 1195 (eg.) for 192.168.1.244, I can't connect to the VPN (no route to host).

Then, instead, I chose 2 network cards in VirtualBox rather than bridged only, so NAT + Host-only,
but I can't understand how to open the port on the router... Do I need to port forward from VirtualBox, or what else?
And I can't ping the guest from the host, so how could it work if the host doesn't "see" the guest? Impossible...

I also tried the paravirtualized adapter with NAT, but it seems to work in the Guest → Host direction only and not the opposite.

These are the iptables rules when bridged (and paravirtualized; is that good?). In this case the network card is eth0, while when NOT paravirtualized it has another name (eg. enp0s3):


# Generated by iptables-save v1.4.21 on Mon Sep 16 01:48:51 2019
*mangle
:PREROUTING ACCEPT [807:112829]
:INPUT ACCEPT [807:112829]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [326:44491]
:POSTROUTING ACCEPT [337:47046]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Sep 16 01:48:51 2019
# Generated by iptables-save v1.4.21 on Mon Sep 16 01:48:51 2019
*nat
:PREROUTING ACCEPT [78:15365]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:912]
:POSTROUTING ACCEPT [12:912]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Sep 16 01:48:51 2019
# Generated by iptables-save v1.4.21 on Mon Sep 16 01:48:51 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:7428]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Mon Sep 16 01:48:51 2019
Thanks for your answers
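The dump above already explains the "no route to host" symptom: a client sees that error when the server answers with an ICMP host-prohibited reject, and in the *filter table the catch-all `-A INPUT -j REJECT --reject-with icmp-host-prohibited` line comes before the tun0 and UDP 1195 ACCEPT rules, so those rules are never evaluated (the same happens in FORWARD). As an added example, not code from the thread, this script parses an excerpt of the posted dump and lists every rule shadowed by an earlier unconditional REJECT/DROP in the same chain.

```python
import shlex

# Excerpt of the *filter table from the iptables-save dump posted above (virbr0 rules omitted).
DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:7428]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
"""
TERMINAL_TARGETS = {"REJECT", "DROP"}

def parse_rule(line):
    """Split '-A CHAIN <matches> -j TARGET [opts]' into (chain, match_tokens,
    target); returns None for policy lines, comments and COMMIT."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] != "-A" or "-j" not in tokens:
        return None
    j = tokens.index("-j")
    return tokens[1], tokens[2:j], tokens[j + 1]

def shadowed_rules(dump):
    """Return *filter rules that can never match: iptables evaluates a chain
    top to bottom, so every rule appended after an unconditional REJECT/DROP
    (no match options before -j) is dead. State is reset per table."""
    table, blocked, dead = None, set(), []
    for line in dump.splitlines():
        if line.startswith("*"):          # new table, e.g. *filter
            table, blocked = line[1:], set()
            continue
        if table != "filter":
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, target = parsed
        if chain in blocked:
            dead.append(line)
        elif not matches and target in TERMINAL_TARGETS:
            blocked.add(chain)
    return dead
```

Run against the full dump it flags the same four rules; the fix is to place the ACCEPT rules before the catch-all REJECT (iptables -I inserts at the top, -A appends to the bottom) and then re-save the ruleset.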
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Host + CentOS 7 Guest + OpenVPN on guest: no route to host.

Post by scottgus1 »

Bridged is the right way to allow access to your guest by things on the LAN and from the internet. I would set a static IP address in the guest OS, in the same range as the network router controls (for you, 192.168.1.###) but not in the part of the range the router's DHCP server hands out, so there's no interference one day when your guest is off and another device takes your guest's IP address.

One note: Bridged does not always work through a Wi-fi adapter. You should go wired if you want to be Bridged reliably all the time.

If you can access your guest services and shared folders from PCs on the LAN (such as your host & other devices connected to your private 192.168.1.### network) then Virtualbox is working and all other configuration is beyond the Virtualbox forum's scope.

Start off with as simple a network in the guest as possible: use the standard virtual network card that the New Guest wizard would pick for a new CentOS guest, on the first guest network adapter. Set the guest network to Bridged, and Bridge to the physical wired ethernet card you are using to access the physical network on the host PC. Turn off all other network adapters in the guest.

Be sure that your guest can access the internet. Also, set up a shared folder in your guest and confirm you can access that shared folder from your host and from another PC in your physical network.

Once you get this far your guest is fully networked and will behave as another PC on your physical network. Anything else re VPNs & ports is typical networking that can be found on the forums pertaining to the program or service needed. I have never had to footle about with iptables & routes to get a Bridged guest to access and be accessed from the internet.
netus067
Posts: 6
Joined: 16. Sep 2019, 16:55

Re: Windows 10 Host + CentOS 7 Guest + OpenVPN on guest: no route to host.

Post by netus067 »

Hello, thanks for your answer, even if it is too generic... the plan here is specific, instead.

Here I ask if someone knows how to make it work, not only how bridging works. I know how it works between a simple host and guest when you bridge; ok, the guest is on the same range, but that's not the issue. If I use a simple bridge, host and guest share as usual. The problem is the additional layer, i.e. adding the VPN to this config on the guest.

First of all, the connection problem here is in iptables, because when I disable iptables the VPN connection works as usual. But then, even after checking all the config, I can't find why whoever accesses that guest CAN'T PING the host and guest and can't see a web server (eg. on the host IP 192.168.1.91).

So, maybe bridging is not the right choice for a VPN in this case, or someone could explain why this happens...
Thank you
Last edited by socratis on 19. Sep 2019, 22:41, edited 1 time in total.
Reason: Removed unnecessary verbatim quote of the whole previous message.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Host + CentOS 7 Guest + OpenVPN on guest: no route to host.

Post by scottgus1 »

netus067 wrote: First of all, hello to everyone... I'm new here
netus067 wrote: I know how it works
You do see the problem between these two quotes, don't you? The first strongly implies the lack of the second. Thus my supposedly "too generic" answer. All the fancy networking tricks & tables & routes in the world will not help if we fail to check if there is an actual network in place. I've a mind to let you wither on the vine for your attitude.

I spend valuable time trying to help someone and get lip in response...
netus067 wrote: even if too generic... the plan here is specific, instead.
Here I ask if someone knows how to let it work, not only how bridge works. I know how it works between a simple host-guest when you bridge, ok,
netus067 wrote: If I use a simple bridge, host and guest share as usual.
This is the grand extent and as far as Virtualbox goes to help your needs. Virtualbox provides virtual "hardware". Virtualbox establishes the network. With a Bridged guest you now have two PCs and a switch, attached to your LAN. Just as if you had two physical PCs and a switch, you have to figure out what to do with it. There's a lot folks can do to sauce a working network.
netus067 wrote: The problem is the additional layer, so adding the VPN to this config on guest.

First of all, the problem about connection here is on the iptables 'cause when I disable iptables, the VPN connection works as usual.
But then, even checking all the config I can't find the issue for the fact that who accesses that guest CAN'T PING the host and guest and can't see a web server (eg. on the Host IP 192.168.1.91)
All of this is standard networking that is beyond the scope of the Virtualbox forum. You now have two PCs and a switch, attached to your LAN. Go to a networking forum or google for how to add your VPN layer to a PC on the LAN and still let folks see the host web server etc. The way you do it with one of the physical PCs on a LAN is the way you'd do it with the Virtualbox guest.

And chill your 'tude if you ever decide to post here again.
netus067
Posts: 6
Joined: 16. Sep 2019, 16:55

Re: Windows 10 Host + CentOS 7 Guest + OpenVPN on guest: no route to host.

Post by netus067 »

Please don't feel bad, maybe you misunderstood, because I meant no offense. You're right about bridging, because it is working as intended. The problem was somewhere else, because while bridging I installed the VPN with a well-prepared script and now it works like a charm...
I need to find the real differences in the server config to understand why it didn't work as expected before.
Last edited by socratis on 19. Sep 2019, 22:41, edited 1 time in total.
Reason: Removed unnecessary verbatim quote of the whole previous message.