Block communication between some VMs

Discussions related to using VirtualBox on Windows hosts.
LeeEll
Posts: 13
Joined: 8. Apr 2013, 08:43

Re: Block communication between some VMs

Post by LeeEll »

I have set this up with an internal network between VMa and VMb, OpenVPN in VMb and a bridged adapter in VMb for communication with the host (and from there to the internet).

VMb has been set as the default gateway in VMa. In VMb, connection sharing has been enabled on the OpenVPN TAP adapter and routing has also been enabled in this VM. This works quite well and programs running in VMa can now access the internet using the OpenVPN connection in VMb. Great!

The problem now is firewalling this setup. I can’t run a firewall on VMa, so any firewalling has to be done on VMb. VMa should be blocked from communicating with anything except VMb and public internet addresses (through the OpenVPN connection) and it should also be possible to block all internet access for VMa if OpenVPN goes down (for instance by disabling a FW rule).

I have tried this with the Windows 7 firewall in VMb but can’t make it work.

In VMb, I blocked all incoming and outgoing connections in Firewall Properties for all three profiles (Domain, Private and Public).
Then I defined custom rules:
r1: Allow everything incoming on internal adapter (connects to VMa).
r2: Allow everything outgoing on internal adapter.
r3: Allow everything incoming on bridged adapter (connects to host).
r4: Allow everything outgoing on bridged adapter.
r5: Allow everything incoming on OpenVPN TAP adapter.
r6: Allow everything outgoing on OpenVPN TAP adapter.
(‘everything’ means all firewall profiles, all interface types, all protocols, all ports, all IPs)

With these rules enabled I can ping from VMa to VMb, from VMb to VMa, from VMa to public internet through OpenVPN. I cannot ping from VMa to host (which is what I want).

Now when I:

Disable r1: I cannot ping from VMa to VMb. This works as expected. But I can still ping internet through the VPN tunnel, which was not expected and I think it indicates that packets routed via the default gateway on VMb are not filtered by the firewall before going out on the VPN tunnel. If so this will be a BIG problem when firewalling this setup!

Disable r2: I cannot ping from VMb to VMa. This works as expected. But I can still ping internet, same comments as for r1.

Disable r3: No effect at all.

Disable r4: Can ping from VMa to internet, same comments as for r1. Cannot ping from VMb to internet, as expected. This indicates that packets originating on VMb are filtered by the firewall, but packets arriving on the VBox internal network adapter and which are routed to the default gateway (OpenVPN adapter) are not filtered by the Windows firewall.

Disable r5: No effect at all.

Disable r6: No effect at all.

To me, it seems as if packets routed from the internal adapter in VMb, via default gateway to OpenVPN adapter and then via the bridged adapter out to internet are never filtered by the firewall in VMb. If so, Duuh! :shock:

The BIG question now is, how can I firewall OpenVPN?

Is there some other firewall which allows me to define rules on the command line and that hooks onto the VBox adapters in a way that allows filtering of routed packets?
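For anyone who wants to reproduce the r1–r6 experiment from the post with scriptable rules, here is an added example (not from the post or from VirtualBox) that rebuilds the same default-block policy and per-adapter allow rules with the NetSecurity cmdlets. It assumes Windows 8 / Server 2012 or later (the post's Windows 7 does not have these cmdlets), an elevated shell, and that the three adapter aliases below are placeholders you replace with the real names from `Get-NetAdapter`.

```powershell
# Added example, not the poster's configuration. Assumed adapter aliases (placeholders):
$Internal = 'VBoxInternal'   # internal network adapter in VMb (connects to VMa)
$Bridged  = 'VBoxBridged'    # bridged adapter in VMb (connects to host)
$Tap      = 'OpenVPN TAP'    # OpenVPN TAP adapter in VMb

# Same starting point as the post: block all inbound and outbound traffic on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# r1..r6: allow everything per adapter (any profile, protocol, port, address), as in the post.
$rules = @(
    @{ Name = 'r1'; Dir = 'Inbound';  Alias = $Internal },
    @{ Name = 'r2'; Dir = 'Outbound'; Alias = $Internal },
    @{ Name = 'r3'; Dir = 'Inbound';  Alias = $Bridged  },
    @{ Name = 'r4'; Dir = 'Outbound'; Alias = $Bridged  },
    @{ Name = 'r5'; Dir = 'Inbound';  Alias = $Tap      },
    @{ Name = 'r6'; Dir = 'Outbound'; Alias = $Tap      }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction $r.Dir -Action Allow `
        -Profile Any -InterfaceAlias $r.Alias | Out-Null
}

# Check that IP forwarding is really on for the adapters VMb routes between; the post's
# observations only make sense if the internal and TAP interfaces are forwarding.
Get-NetIPInterface -InterfaceAlias $Internal,$Tap -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding

# Toggle one rule at a time, then repeat the ping tests from VMa, exactly as the post does.
# Example: disable r1 and later re-enable it.
Disable-NetFirewallRule -DisplayName 'r1'
# ... run ping from VMa to VMb and to a public address ...
Enable-NetFirewallRule -DisplayName 'r1'
```

Use `Get-NetFirewallRule -DisplayName 'r*' | Get-NetFirewallInterfaceFilter` to confirm each rule is bound to the adapter you intended before drawing conclusions about routed traffic.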