open network access to virtualbox guest from host only

Discussions related to using VirtualBox on Linux hosts.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

open network access to virtualbox guest from host only

Post by brainchild »

I have built a Debian virtual machine running in VirtualBox on a Linux Mint host.

I am confused about the choices for networking configuration.

I wish to achieve the following behavior:
  • Resolve host name of guest when queried on host (even though guest is not registered on external DNS or DHCP server).
  • Allow guest to access public internet services (e.g. web).
  • Allow host to access services running on guest (e.g. SSH) through hostname of guest.
  • Block access to services on guest originating outside the host.
As a matter not directly related to the virtualization system, I would like the SSH server to accept a login for any registered user without a password or key (which is sensible, since access from outside the host would be blocked).

Which configuration settings should I choose for the results I have explained?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

See Virtualbox Networks: In Pictures

The first three bullets look like they could easily be covered by Bridged. Bridged puts the VM in the host's physical LAN (note that Bridged does not always work through the host's Wi-Fi.) It would be up to the VM's OS to publish its host name on the network.

The fourth bullet, preventing the guest from accessing LAN services, while allowing access to host services and the internet, may require that you shift to using "Sandbox" instead. Then you could make two outbound firewall rules in the router OS VM: one to block LAN access as shown, one extra to allow host access (this one is higher priority in the list than the LAN block rule).

Sandbox may interfere with the VM OS publishing its host name, though, and accessing the VM's services from the LAN will require port forwarding in the router OS VM.

Adjusting the SSH credentials requirements would be between you and the VM's OS. I don't think there is anything in Virtualbox that would influence this.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

scottgus1 wrote:See Virtualbox Networks: In Pictures

The first three bullets look like they could easily be covered by Bridged. Bridged puts the VM in the host's physical LAN (note that Bridged does not always work through the host's Wi-Fi.) It would be up to the VM's OS to publish its host name on the network.
I think the sense of what I am trying to achieve is closer to the host and guest communicating on an isolated virtual network so as not to affect the host's connections through its physical interfaces.

I wish to keep the guest isolated from the real world, except for connections it initiates as a client. I would not wish it to register with or even necessarily to be known by a router or any other physical device beyond the host.

I think the objectives might be realized through NAT, which is largely a de-facto firewall (by blocking incoming traffic), but the host must be able to initiate connections to the guest through an address, and to resolve the address from a host name (e.g. `ssh hostnameofguest`).
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

brainchild wrote:host and guest communicating on an isolated virtual network so as not to affect the host's connections through its physical interfaces.
^this sounds like Host-Only. But Host-Only does not give internet.
brainchild wrote:keep the guest isolated from the real world, except for connections it initiates as a client.
^ this sounds like NAT. NAT also provides internet. In fact, the host's and LAN's services are also "part of the internet" for NAT purposes.
brainchild wrote:the host must be able to initiate connections to the guest through an address,
^ NAT provides port forwarding, which allows VM services to be accessed by the host. The IP address used would be 127.0.0.1:portnumber if you're accessing the VM from the host OS, and host.ip.ad.ress:portnumber if you're accessing the VM from the LAN.
brainchild wrote:and to resolve the address from a host name (e.g. `ssh hostnameofguest`).
^ I'm not too sure about this one. You could put the VM's host name in the host OS's Hosts file. I'm not sure how to get the VM OS to be able to publish its name through a router (which is what NAT behaves like), unless there is a DNS server available on the LAN that the VM OS can push its name to.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

scottgus1 wrote:
brainchild wrote:the host must be able to initiate connections to the guest through an address,
^ NAT provides port forwarding, which allows VM services to be accessed by the host. The IP address used would be 127.0.0.1:portnumber if you're accessing the VM from the host OS, and host.ip.ad.ress:portnumber if you're accessing the VM from the LAN.
For connections initiated by the guest, the client address is not needed anywhere but in the NAT table. This effect of course is automatic when the connection is specified as NAT.
scottgus1 wrote:
brainchild wrote:and to resolve the address from a host name (e.g. `ssh hostnameofguest`).
^ I'm not too sure about this one. You could put the VM's host name in the host OS's Hosts file. I'm not sure how to get the VM OS to be able to publish its name through a router (which is what NAT behaves like), unless there is a DNS server available on the LAN that the VM OS can push its name to.
It is not necessary or even helpful that the name would be published to the router to which the host is physically connected. When a guest system is connected to the host by NAT, the translation, and consequently the routing, is done by the host. All that is required is that part of the resolution chain local to the host include checking a mapping of guests to host names.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

brainchild wrote:It is not necessary or even helpful that the name would be published to the router to which the host is physically connected.
Let me clarify that the "router" across which the VM might have to publish its name so the host and possibly LAN can access the VM by name is Virtualbox's NAT, to which the VM is connected, which behaves like a router. The NAT "router" sits between the VM and the host, and the VM OS's name has to get across the NAT "router". I'm not certain how to make that work. There are not very many configurations to NAT available in the Virtualbox network GUI. Vboxmanage command line has more settings, see https://www.virtualbox.org/manual/ch09.html#changenat.

If Virtualbox's NAT cannot be configured sufficiently, you might have to try Sandbox, which has the benefit of allowing a full-fledged router OS to be used instead of Virtualbox NAT.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

scottgus1 wrote: Let me clarify that the "router" across which the VM might have to publish its name so the host and possibly LAN can access the VM by name is Virtualbox's NAT, to which the VM is connected, which behaves like a router.
Right. The way you mentioned publishing to the router made me think your idea was that the host would resolve the address by a DNS query to its external router.

In fact all that is needed in principle is that VBox would provide a hook to name server queries originating locally, and return the address assigned to a VM if the host name matches any of its guests.

It would be very nice if VBox provided this feature. Otherwise, the next best solution seems to be to assign a static address, through the command-line interface to the advanced features, and then, as you suggest (though it is very ugly), to enter an item in the local hosts file.

Otherwise, I believe that NAT offers the appropriate isolation, as it prevents access initiated outside the local host, as long as port forwarding is not enabled.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

Does the project supply any channel for the public to request features?

I think adding some kind of hook, if possible, to the local system for resolving host names of guest systems, would be a generally useful feature.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

Yes, you can post an enhancement request on the Bugtracker.

However, the likelihood of it showing up anytime soon might be low, unless Oracle's customers also want it, or you contribute the source code, and it doesn't open security holes (one I am thinking of, does there exist a normal method for a computer behind a real router to publish out onto the internet its computer name so internet computers can access it?).

This might be something you'll have to home-roll for a while. A service on the VM which communicates with a service on the host to publish the name.

Keep in mind that the NAT and NAT Network 'router WAN ports' always connect to the host's IP address. To access the VM through NAT/NAT Network, you would always have to point at the host IP address and port (or host's localhost and port if accessing from the host itself). You'd need some kind of DNS server(?) in your LAN to translate "VM OS name:portnumber" to "host.ip.address:portnumber". The port number would have to be part of the mix: If more than one VM is running through NAT to provide services to the LAN, they all would use the same host IP address but different port numbers.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

I think I have found a decent solution, though frustrating because of being both simpler than it seems, but also more complicated than it might be. The solution is to place two adapters on the guest, one NAT, for access to public services, and the other host only, for serving requests originating from the host.

Because, however, the use case I have described seems to occur from rather common circumstances and demands, it would be nice if a more straightforward solution were available, involving configuring a single interface.

The host-only network includes a DHCP server, so that either static or dynamic addresses may be used. However, as is generally the case, I feel the benefits of a DHCP server are largely lost if not also accompanied by a DNS server that serves dynamic records based on address leases. From a design standpoint, such an enhancement, offering a DNS server on the host-only interface, would be straightforward, and I can little think of any security vulnerability it might introduce. Then, the host might open connections to the guest using the guest name for DNS lookup. This arrangement is especially useful for development and testing work flows, in which operations are executed on the guest, but requested by the host.
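The two-adapter arrangement described above (NAT for outbound access, host-only for host-to-guest access), with the hosts-file workaround suggested earlier in the thread, as an added example that is not part of the original posts and not VirtualBox project code. The VM name, the host-only interface name and the addresses are placeholders; the VBoxManage calls are printed rather than executed so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread: NAT on nic1 (outbound internet) and
# host-only on nic2 (host -> guest services), a check that no NAT port-forwarding
# rule exposes the guest, and a hosts-file entry so `ssh <guestname>` resolves.
# VM name, interface name and addresses below are placeholders.

VM="${VM:-debian-guest}"      # placeholder VM name
HOIF="${HOIF:-vboxnet0}"      # placeholder host-only interface name

# Print the VBoxManage commands for the two-adapter layout. The host-only network
# gets VirtualBox's built-in DHCP server; nothing is bridged to the physical LAN.
# Run `VBoxManage hostonlyif create` first if the interface does not exist yet, and
# use `dhcpserver modify` instead of `add` if a server is already attached to it.
vbox_two_adapter_cmds() {
    vm="$1"; hoif="$2"
    cat <<EOF
VBoxManage hostonlyif ipconfig "$hoif" --ip 192.168.56.1 --netmask 255.255.255.0
VBoxManage dhcpserver add --ifname "$hoif" --ip 192.168.56.100 --netmask 255.255.255.0 --lowerip 192.168.56.101 --upperip 192.168.56.254 --enable
VBoxManage modifyvm "$vm" --nic1 nat
VBoxManage modifyvm "$vm" --nic2 hostonly --hostonlyadapter2 "$hoif"
EOF
}

# Count NAT port-forwarding rules in `VBoxManage showvminfo <vm> --machinereadable`
# output read from stdin. Requirement 4 (no access from outside the host) holds
# only when this prints 0.
nat_forward_count() {
    awk '/^Forwarding\(/ { n++ } END { print n + 0 }'
}

# Extract the address from `VBoxManage guestproperty get <vm>
# /VirtualBox/GuestInfo/Net/1/V4/IP` output ("Value: a.b.c.d"; needs Guest
# Additions, index 1 is the second adapter). Prints nothing when the value is unset.
guest_ip_from_property() {
    awk '$1 == "Value:" { print $2 }'
}

# Replace any stale hosts line whose first name is NAME with "IP NAME".
# The file defaults to /etc/hosts, so this normally runs as root.
hosts_entry() {
    ip="$1"; name="$2"; file="${3:-/etc/hosts}"
    tmp=$(mktemp)
    awk -v n="$name" '$2 != n' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Typical use on the host (commented so sourcing this file has no side effects):
#   vbox_two_adapter_cmds "$VM" "$HOIF" | sh
#   VBoxManage showvminfo "$VM" --machinereadable | nat_forward_count    # expect 0
#   ip=$(VBoxManage guestproperty get "$VM" /VirtualBox/GuestInfo/Net/1/V4/IP | guest_ip_from_property)
#   [ -n "$ip" ] && hosts_entry "$ip" "$VM"                                # as root
```

Because the host-only address comes from a DHCP lease, the hosts entry has to be refreshed whenever the lease changes, which is exactly the gap a DNS server on the host-only network would close.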
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

It's the "block the guest except through opened ports" part of the requirement that gets in the way of the "access the guest via its network name" part.

The optimal setup for publishing the guest's name to the LAN for easy access is via Bridged, which puts the guest on the LAN like any other LAN PC. However, there is no 'ports only' filter on Bridged, just like there is no 'ports only' between computers in the LAN.

The solution to this problem would be the same as how you'd do it in a real LAN with real PCs. How to get the PC's name onto the LAN while blocking access to the PC from the LAN except through opened ports? Solve that in real life, and that's how to do it in Virtualbox.

One possible solution to the above problem is a good secure firewall in the LAN PC's OS. Only the opened firewall ports would be accessible for network access to the OS. Set the firewall, if possible, to broadcast the OS's network name (maybe like how File and Printer Sharing in Windows adjusts the Windows firewall so the Windows name gets out onto the LAN). Same concept for the Virtualbox guest: Bridge it to the LAN, then open ports in the OS's firewall, and set the OS to broadcast its name.

When you add a 'port forwarding' device between the guest and the LAN, such as a router, a firewall appliance, or Virtualbox NAT, that also would be solved the same way you'd do it in real life: figure out how to get the PC behind a router or firewall appliance to get its name out on the LAN, then do the same to either Virtualbox NAT (if it can be done) or a Sandbox setup.

Keep in mind that if you use Virtualbox NAT, the guest name out on the LAN has to point to 'host.ip.add.ress' to get through NAT. If you have multiple guests putting their names out, all through NAT, all the names have to point to 'host.ip.add.ress'. In order to get to each of the guests' services, a unique port number would be required in addition to the published name. This is similar to the results you'd get if putting a router between a PC or group of PCs and the LAN: the PCs' published names would all have to point at the intervening router's WAN IP address for the LAN to find them, and the port numbers would all have to be different to get to each PC's services. Sandbox allows the guest behind the router OS guest to at least have a different IP address than the host has, although all the guests behind the router guest would have the same IP address, and at the expense of another guest to handle.

Access via published computer name while blocking all but desired ports would probably best be solved with Bridged and a good guest-provided firewall.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

scottgus1 wrote:It's the "block the guest except through opened ports" part of the requirement that gets in the way of the "access the guest via its network name" part.
I did not write a requirement that end points outside the host would access services on the guest. In fact I specified the contrary.

To review, the requirements are as follows:
  1. Resolve host name of guest when queried on host
  2. Allow guest to access public internet services
  3. Allow host to access services running on guest through hostname of guest.
  4. Block access to services on guest originating outside the host
The NAT interface allows (2), the host-only interface allows (3) (except that a numeric address may be required, if the host name may not be resolved), and neither the NAT nor the host-only interface violates (4). Only (1) remains unsatisfied, and it seems it would remain so, unless VirtualBox would offer a further feature of placing a DHCP server on the host-only network shared with the host.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

OK, I see your point. I must have confused the requirements along the way. Sorry about that.

Virtualbox does put a DHCP server on Host-Only. I think it's a DNS server you wanted, like you mentioned above?

Curiously, I started Host-Only-connected Windows XP and 7 VMs with File and Printer Sharing turned on, and I was able to ping the VMs from the host both by Host-Only IP address and the OS's network computer name.

So it appears the publishing of the computer name happens inside the OS through Host-Only, without a special DNS server set up. Could be only a Windows thing, though. Linux might require some special configuration to make it happen between Linux/Linux or Linux/Windows.
brainchild
Posts: 44
Joined: 31. May 2021, 02:09

Re: open network access to virtualbox guest from host only

Post by brainchild »

scottgus1 wrote:So it appears the publishing of the computer name happens inside the OS through Host-Only, without a special DNS server set up. Could be only a Windows thing, though. Linux might require some special configuration to make it happen between Linux/Linux or Linux/Windows.
I'll investigate more thoroughly, as it seemed not to work when I tried, which is on a Linux/Linux configuration.

I believe I read on other postings as well as in documentation that no DNS server is provided. If you are right, the feature may be an undocumented one. Have you found any documentation on the subject?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: open network access to virtualbox guest from host only

Post by scottgus1 »

The only documentation I have seen is the manual, which in PDF form is text-searchable. There's some references to DNS in the 'changenat' link above, but I don't recall mention of a Virtualbox-provided DNS server.