
Virtualbox, openVPN

Posted: 21. Jan 2021, 21:45
by baremoto97
Hi,

I'm doing my engineering degree and I have picked VPN as my BSc thesis. I want to create a VPN server implementation which will be used by remote employees to connect to company resources. I thought to do that as much as possible using only software solutions, without any hardware (almost). I want to know your opinion on whether it will be possible to do.
I want to set up Windows Server 2012 with OpenVPN and with AD, FTP, and some other things in VirtualBox, and also set up 2-3 Windows 10 hosts with AD accounts. But on the other side I will be using the same ISP, so I also thought that I can use 2 laptops. And is it possible to set up WS2012 in VirtualBox on the 1st laptop and connect 3 hosts in VirtualBox on the 2nd laptop to the domain? Then for the hosts I can use a hotspot from my mobile phone so they will have a different private IP.
I want to learn more about networking, sorry if I'm not thinking correctly about that. I will appreciate your help and suggestions.

Re: Virtualbox, openVPN

Posted: 22. Jan 2021, 00:41
by scottgus1
Re Virtualbox's networking capabilities, see Virtualbox Networks: In Pictures.

Generally, anything you can do that doesn't depend on physical hardware, like a fancy video card or running a CNC machine, you can do in a Virtualbox VM. AD, file server, etc all are possible.

If you can run an OpenVPN server to the internet from a PC on a LAN behind a router, then you can switch out the PC and substitute a Virtualbox VM Bridged to the host instead. (Mind the caveat about Bridged and Wi-Fi.)

Re: Virtualbox, openVPN

Posted: 22. Jan 2021, 06:04
by BillG
Having a domain of vms spread over multiple hosts is possible, but it makes the networking more complex. Running a domain of vms all on one host is pretty straightforward because you can use an internal network (ie a virtual network) for the vms. If the vms are split over multiple hosts, there is no simple way to get them in the same network and the same IP subnet. It will make life much easier for you if the pc hosting the vms can run all of the domain machines itself.

From a domain point of view, it would also be better if the DC and the router/VPN server were separate vms. From a networking point of view, an Ethernet connection to a physical NAT device is a better bet than wi-fi for vms.

My preferred option for a domain of vms is to use an internal network on the host for all the vms and a virtual router to connect this network to a physical LAN, such as a home network behind a NAT router (even if the host PC is the only machine on the LAN). Your 2012 server vm could handle both the VPN and routing tasks. It could also host the DC role, but I would use a separate vm for the DC. I have seen too many odd problems with combined DC/routers, physical and virtual.

Re: Virtualbox, openVPN

Posted: 23. Jan 2021, 00:14
by BillG
After thinking about this a bit more, having the client vms on a different host would be a more realistic simulation. The only way they could access the domain network would be by using the VPN, and that is the same situation as a remote client accessing the domain by VPN. If they are in the same network they can access the domain servers directly.

Re: Virtualbox, openVPN

Posted: 25. Jan 2021, 20:36
by baremoto97
Yes it will be, but how can I add to the domain a PC which is installed on a different PC in VB, when the DC is also installed on another PC in VB? Will it pass with my local network (outside of VirtualBox)? Because I want to do it all with virtual machines. I cannot afford to use a mass of hardware.

Re: Virtualbox, openVPN

Posted: 26. Jan 2021, 00:33
by BillG
That is not a VirtualBox problem. You would join it to the domain in exactly the same way as you would join a remote physical PC connecting by VPN. In other words, using a virtual solution does not make that harder or in any way different. That is why it is a realistic simulation.

The only thing that is different is the way you configure the networking. In a real world situation, the client would connect to the VPN server through the Internet, then negotiate a VPN connection to tunnel the encrypted traffic through that connection. In a virtual emulation of that situation, the client vm would connect to the VPN server through the LAN connection between the host PCs, then negotiate a VPN tunnel through the physical LAN. How you then join the client to the domain is a Microsoft matter and is exactly the same in both cases.

With regard to the networking, the domain controller and the VPN server would be in an internal virtual network on one host PC. The external NIC of the VPN server would be bridged to the PC's network adapter so that it can access the LAN (ie the network which connects the physical PCs.) The clients would be running on the other PC and would be bridged to its network adapter. The vm clients will be able to access the VPN server through the LAN, but can only access the domain machines after they connect by VPN. The only equipment you would need is a simple switch to connect the physical machines.

Re: Virtualbox, openVPN

Posted: 26. Jan 2021, 20:45
by baremoto97
It's not a problem to get a switch, I can borrow 1 from work or use my router, which also has a 4-port switch. I will start to set up DC, OpenVPN, FTP, DHCP on my main machine, and then hosts on the second.

Re: Virtualbox, openVPN

Posted: 27. Jan 2021, 00:44
by BillG
That would be fine. If the two hosts are connected to your router, everything should be easy. Set up your domain in an internal virtual network on one PC and set up your VPN router with one NIC in that network and one bridged to the NIC in the host which connects to your router. Your guests on the other PC will be able to see the external NIC of the VPN server through the LAN.

Re: Virtualbox, openVPN

Posted: 27. Jan 2021, 22:46
by baremoto97
The plan was good, but unfortunately my second machine is broken (the motherboard is dead because of today's electricity failure :/). It was quite an old laptop where I wanted to install the hosts in VB. From now on, a simulation using 1 PC will not be that realistic, but is it possible?

Re: Virtualbox, openVPN

Posted: 27. Jan 2021, 23:12
by scottgus1
Roughly speaking a VPN allows a client PC on the internet to get on the domain behind a network router. The 'internet', for your purposes, is just a router with the client on the WAN side and the domain/VPN on the LAN side.

See 'sandbox' in my link above (you might not have to bother with the block-local-LAN firewall rule part). You could set up a pfSense VM acting as a router, with the pfSense WAN adapter Bridged to the host's Ethernet port. The pfSense WAN adapter will get an IP address from the host network's DHCP server, or you can set a static IP address on the pfSense WAN adapter in the host network's IP range. A client VM can also be Bridged to the Ethernet port. The host, any computers on the host's LAN, and the client VM are all in the LAN and they would all behave like the 'internet' to the pfSense VM.

The domain controller VM and the VPN server attach to the pfSense VM's LAN side through an Internal network. Open appropriate ports for VPN in the pfSense firewall, then get the client to hunt up the VPN through the pfSense WAN adapter IP address and ports.
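
Added example, not part of any post in this thread: a check that VM adapters match the layouts described above (the two-PC scheme with a dual-homed VPN server, and the single-host pfSense variant), so that a client VM can reach the domain only through the VPN. It reads `VBoxManage showvminfo <vm> --machinereadable` output; the VM names, the `labnet` internal network, the `eth0` adapter and the role labels are assumptions, and the sample dumps are constructed.

```python
# Constructed sample: trimmed output of `VBoxManage showvminfo <vm> --machinereadable`
# for three hypothetical VMs; VM, adapter and network names are assumptions.
SAMPLE = {
    "DC01": 'name="DC01"\nnic1="intnet"\nintnet1="labnet"\nnic2="none"\n',
    "VPN01": 'name="VPN01"\nnic1="bridged"\nbridgeadapter1="eth0"\n'
             'nic2="intnet"\nintnet2="labnet"\n',
    "CLIENT1": 'name="CLIENT1"\nnic1="bridged"\nbridgeadapter1="eth0"\nnic2="none"\n',
}
# Role labels are this example's own: "gateway" is the dual-homed VPN server
# (two-PC layout) or the pfSense VM (single-host layout).
ROLES = {"DC01": "internal", "VPN01": "gateway", "CLIENT1": "client"}


def parse_nics(text):
    """Return [(mode, target)] for every enabled adapter in one VM dump."""
    kv = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            kv[key.strip()] = val.strip().strip('"')
    nics = []
    for key, mode in kv.items():
        if key.startswith("nic") and key[3:].isdigit() and mode != "none":
            prefix = {"intnet": "intnet", "bridged": "bridgeadapter"}.get(mode)
            nics.append((mode, kv.get(prefix + key[3:]) if prefix else None))
    return nics


def audit(vm, text, role, lab_net="labnet"):
    """Return findings for one VM; an empty list means it matches its role."""
    nics = parse_nics(text)
    inside = [m for m, t in nics if (m, t) == ("intnet", lab_net)]
    outside = [m for m, t in nics if (m, t) != ("intnet", lab_net)]
    findings = []
    if role == "internal" and (outside or not inside):
        findings.append(f"{vm}: must sit only on {lab_net}, also has {outside}")
    if role == "gateway" and (len(inside) != 1 or outside != ["bridged"]):
        findings.append(f"{vm}: needs one {lab_net} NIC and one bridged NIC")
    if role == "client" and inside:
        findings.append(f"{vm}: is inside {lab_net}, so it bypasses the VPN")
    return findings


def audit_lab(dumps, roles):
    return [f for vm, text in dumps.items() for f in audit(vm, text, roles[vm])]


if __name__ == "__main__":
    print(audit_lab(SAMPLE, ROLES) or "adapters match the described layout")
```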

Re: Virtualbox, openVPN

Posted: 28. Jan 2021, 02:52
by BillG
The biggest problem with trying to do it on one machine is running out of resources - disk space, CPU power or memory. You would end up needing at least 16G RAM, preferably more.

Re: Virtualbox, openVPN

Posted: 28. Jan 2021, 19:46
by baremoto97
Hmm, so I don't have enough RAM for that and my CPU will not handle that. I also thought about some Raspberry, but I cannot install WS2012 on it. I will check whether there are some cheap laptops (I'm traveling between 2 locations so I need to have it with me)/PCs in my area.

Re: Virtualbox, openVPN

Posted: 29. Jan 2021, 00:21
by BillG
I had a bit of spare time yesterday so I set up the 2 PC scheme we discussed. I already had a domain set up in vms on one PC (Fred). It connected to the LAN with a pfSense NAT router vm. I set up a Windows server, joined it to the domain and set up RRAS as a NAT/VPN server. I then swapped it for the pfSense vm.

From the other PC (Bob) I connected a vm set to bridged to the VPN server using a domain account which had remote access enabled. Once the VPN was connected, the vm could see the domain servers and could join the domain in the normal way.

When VM starts.
Startup.PNG
After VM connects.
ConnctVPN.PNG
After domain join.
Domainjoin.PNG