Disable LAN vpn only for windows VM

[Js333]

- I have the latest Virtual Box, Extension Pack and Guest Additions running
- Windows 10 22H2 Guest 64bit assigned 2.6 ram
- Windows 11 Host 64bit with 8gb total ram

I have an Asus Router flashed with Merlin so I am able to tunnel clients through the VPN or not with policy rules which I have added as an image to this post. I have also attached a picture of the network settings of the VM.

I am new to networking so could someone help me to make the VM become a client on my network instead of piggybacking through my host. I want this so I am able to isolate the VM and disable VPN for it. By the way, I apologise if this isn't the appropriate place to post this question.

Thanks

[scottgus1]

You'd probably want to use Bridged instead of NAT. Bridged goes around the host network stack, whereas NAT goes through it.

Virtualbox Networks: In Pictures

[Js333]

I will give that a try soon. Is there an option if I decided to use wifi instead of ethernet that I could still have the same setup or would it only be through ethernet? I think I've tried bridged before with wifi and it didn't work on my hardware.

If it could work, do you have a good article to help me setup bridged with wifi too? Thanks

[scottgus1]

You can try Bridged through Wi-Fi, simply by selecting the Wi-Fi adapter to Bridge to. However, per the linked tutorial, Bridged doesn't always work with Wi-Fi. No way to predict if yours will work or not except to try it.

If you can't Bridge over Wi-Fi, then you have to stay on wired ethernet.

[Js333]

Awesome! It works on wifi and ethernet. Thanks for that!

I changed my guest's Wifi bridged adaptor MAC address to be the same as the adaptor on my host and wifi works also. I can now set rules for my VM on the host network. The only thing I didn't think about is the fact that the VM can access all devices on the network now. Does this mean the VM is more of a security threat now?

One of the cool things about using a VM is that is effectively sandboxed but it seems with a bridged connection any type of threat actor or malware on the guest could far more easily infect the host/network. Am I right in saying that?

[scottgus1]

I changed my guest's Wifi bridged adaptor MAC address to be the same as the adaptor on my host

Was this necessary to get the Bridged to Wi-Fi to work? Or did you just do it? It seems to me that two devices with the same address will have some form of interference somewhere.

The only thing I didn't think about is the fact that the VM can access all devices on the network now.

True. The VM is now a separate computer as viewed by the LAN, so it can be handled separately.

But the VM could access all network services and resources via LAN IP address while using NAT, too, so not much change on that front, except that computer & service network names weren't available under NAT but can be used in Bridged.

Does this mean the VM is more of a security threat now? ... with a bridged connection any type of threat actor or malware on the guest could far more easily infect the host/network. Am I right in saying that?

Depends on what you're doing in the VM. Using it as a separate computer with your usual acumen in safe web browsing and email usage practices? No more problem than your Wi-FI-enabled phone, tablet, or laptop. Doing full-on malware testing? Yes, very.

The tutorial has a setup to block the VM from the LAN while allowing it to use Internet, see "Sandbox". I don't know how this will interfere with your project of splitting the VM from the host VPN, though.

[Js333]

I'm not sure if it was necessary actually. If I run into issues in the future I will remember what you said and make the MAC addresses seperate.

I use my VM for work - no play at all and always practice smart and safe internet usage so I'm probably being more paranoid than need be hahaha

That tutorial looks a bit heavy for me right now (networking is not my strong suit as you can tell) and I still have a lot of stuff on my plate but will give it a try in the future for sure!

[scottgus1]

You'll probably be fine not sandboxing the network. Run separate antivirus inside the VM if you go on the web in it, and you should be OK.