Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged Adptr

DebbieTent
Posts: 5
Joined: 9. Aug 2013, 13:42

Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged Adptr

Post by DebbieTent »

Hello

Virtual Box Guest "Bridged Adapter" connected to
Virtual Box Host "MS Network Bridge" (Bridging Open VPN TAP Adapters) ....

Is this even possible .. Am I a Noob ?
:oops:

I did some research but could not find an exact match for this problem so I posted here, however, apologies if this has been discussed before.

Reading the Virtual Box User Manual I found the following caveat (PDF Version 2.2.2 - Page 86)
With VirtualBox 2.0.4 and above, it is possible to use Crossbow Virtual Network
Interfaces (VNICs) with bridged networking, but with the following caveats:
  • A VNIC cannot be shared between multiple guest network interfaces, i.e.
    each guest network interface must have its own, exclusive VNIC.
  • The VNIC and the guest network interface that uses the VNIC must be
    assigned identical MAC addresses.


However, this does not appear to resolve the issue described below and results in duplicate packet transmission errors



Scenario details

V.Box HOST: (Version 4.2.16 r86992 - VirtualBox_Extension_Pack-4.2.16-86992)
  • Windows XP Pro - Running OpenVPN server in bridged mode to VPN Clients.
    - Network adapter: Microsoft Network Bridge, linking multiple OpenVPN TAP Adapters (Version 9.9) to single physical NIC
    (All works perfectly without the V.Box Guest)
V.Box GUEST: (With VirtualBox_Extension_Pack-4.2.16-86992)
  • Ubuntu 12.04 LTS Server
    - Network adapter: Bridged Adapter, using either Intel PRO/1000 T Server (82543GC) or Paravirtualized Network (virtio-net)

V.Box Guest different Network modes tried and failed
  • V.Box Bridged Adapter, linked to the Microsoft Network Bridge described above.
    V.Box Guest has network connectivity,
    V.Box Host OpenVPN server traffic is corrupted with the following error on all clients.
    Fri Aug 09 01:21:02 2013 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #31 ] 
    -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    (Repeated until VBox Client is killed)
  • V.Box Bridged Adapter, linked to "dedicated" OpenVPN TAP (Version 9.9) Adapter included in V.Box Host MS Network Bridge
    V.Box has No network connectivity,
    OpenVPN works normally.
  • V.Box Bridged Adapter, linked directly to the physical NIC
    V.Box Client Can NOT ping V.Box host (VPN Server),
    V.Box Client Can NOT ping VPN Clients,
    V.Box Client Can ping separate physical machines in the V.Box Host Subnet (eg. Default router),
    OpenVPN works normally.

As the OpenVPN works perfectly without the VBox machine being operational I decided to place the details of the problem on this forum,
I thought somebody here may have either found a way to solve the problem or could confirm that it is a known issue.
However, I will link this post to a reverse link on the OpenVPN forum for maximum exposure.

In order to resolve the issue I have added a second physical NIC to the Host and attached the V.Box Client to that.
The second NIC has no network services or protocols attached to it by the V.Box host, all networking is managed by
the V.Box Client, Ubuntu.

However, what would be ideal is that both V.Box Host and V.Box Client can share the same NIC both using Network Bridge,
with no ill side effects to the OpenVPN traffic.

Thank you for reading this, hopefully (but doubtfully :( ) there is a solution
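
As an added illustration of the replay check behind the "bad packet ID (may be a replay)" message quoted in the post above (not code from the thread or from OpenVPN): a simplified sliding-window model, assuming the bridge hands some frames to the tunnel twice. The class and function names are hypothetical; the 64-ID width matches the documented `--replay-window` default.

```python
# Added example: simplified sliding-window anti-replay model.
# Not OpenVPN source code; names here are hypothetical.
from dataclasses import dataclass


@dataclass
class ReplayWindow:
    size: int = 64      # window width in packet IDs (documented --replay-window default)
    highest: int = 0    # highest packet ID accepted so far
    bitmap: int = 0     # bit i set => packet ID (highest - i) was already accepted

    def accept(self, packet_id: int) -> bool:
        """Return True for a fresh packet ID, False for one that must be dropped."""
        if packet_id <= 0:
            return False
        if packet_id > self.highest:
            # Newer than anything seen: slide the window forward and mark it.
            shift = packet_id - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = packet_id
            return True
        offset = self.highest - packet_id
        if offset >= self.size:
            return False            # too old: fell off the back of the window
        mask = 1 << offset
        if self.bitmap & mask:
            return False            # same ID seen before: duplicate or replay
        self.bitmap |= mask         # late but fresh (reordered) packet
        return True


def dropped_ids(packet_ids, size=64):
    """Return the packet IDs a receiver with this window would reject, in order."""
    window = ReplayWindow(size=size)
    return [pid for pid in packet_ids if not window.accept(pid)]


# Constructed sample: IDs 31 and 30 each arrive a second time, as they would
# if a bridge forwarded the same frame over two paths.
SAMPLE_STREAM = [29, 30, 31, 31, 32, 30, 33]

if __name__ == "__main__":
    for pid in dropped_ids(SAMPLE_STREAM):
        print(f"bad packet ID (may be a replay): [ #{pid} ]")
```

Reordered packets that arrive late but only once are still accepted, so a steady stream of rejections points at duplication rather than ordinary jitter.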
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by noteirak »

I think we need to go back to a very basic fact : VPNs are P2P by nature, and the whole point of using them is to be secure and private. This means there are security features put in place to exactly prevent what you're trying to do : bridging on a VPN interface.
I am not sure to understand what you're trying to do here, but bridging on a VPN will not work, especially OpenVPN. There is no way around this without doing some awful hacking, which I do not have the details of.

Long story short : not gonna work, by design, due to the VPN itself and not Virtualbox.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
DebbieTent
Posts: 5
Joined: 9. Aug 2013, 13:42

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by DebbieTent »

Thank you for your clarification noteirak, the security consideration you point out, I admit, I had overlooked.

Well, at least, I understand now why the particular setup I tried was non-functional.

As it stands, using the two NICs is sufficient for my requirements and it is good to know that OpenVPN has
anticipated security measures beyond my particular understanding.

Many thanks.

However .. this does lead me to consider other security considerations.

For example, by using two NICs in the same machine I can achieve the desired result, the only difference is
that the virtual machine is operating through different hardware, though on the same machine and subnet.

While operational, the Virtualisation software has full access to the VPN keys and data transmission, so ..

Is this a shortcoming of the operating system, the VPN software or perhaps computers in general ?

.. or in this case perhaps, the administrator's lack of understanding !!

Hmmmmm ... The Plot Thickens !
noteirak
Site Moderator
Posts: 5231
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by noteirak »

If you could give me the exact IPs value, a little schema of your network setup, I could explain to you why it works, and if it's a security short-coming or not.
DebbieTent
Posts: 5
Joined: 9. Aug 2013, 13:42

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by DebbieTent »

Hi noteirak, I am satisfied that, at present, my system is suitably secure and, at this time, I do not need to consider this scenario any further.

Many thanks for your time in resolving my initial problem.
M10T
Posts: 1
Joined: 1. Sep 2011, 15:36
Primary OS: MS Windows XP
VBox Version: OSE other
Guest OSses: linux, windows

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by M10T »

Hi,

I would like to expand on this problem: (The Computer in question is actually the exact same system as the original Post)

My HOST - WXP - With Windows Network Bridge as HOST NIC: 3COM EtherLink + TAP Adapters (Not in use but attached)

My GUEST - WXP - With VirtualBox Bridged Network: Intel Pro/1000 T Server (Correctly detected by WXP Guest)
VBox Bridge Adapter connected to Windows Network Bridge of HOST.

The guest simply cannot get access to the network.

So regardless of OpenVPN (Which has been switched off) It seems that using a Bridge on WXP OS
and then using VBox Bridged Adapter + Intel Pro/1000 T Does not work ?

Can this be confirmed as true or false, if false is there anything I should check ?
I have been through the settings many times looking for errors or misconfigs but nothing
is obviously wrong
FYI: The HOST OS Network Bridge has the VirtualBOX Bridged Network Driver Attached.

Thanks for any help.
DebbieTent
Posts: 5
Joined: 9. Aug 2013, 13:42

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by DebbieTent »

M10T wrote: I would like to expand on this problem: (The Computer in question is actually the exact same system as the original Post)
As stated .. The Exact same machine.
DebbieTent
Posts: 5
Joined: 9. Aug 2013, 13:42

Re: Hst:WXP MS Net Bridge OpenVPN SVR - Gst:Ubuntu Bridged A

Post by DebbieTent »

Well .. I discovered that since OpenVPN V232 it is now possible to:

Use VBOX Client WXP-SP3:
  • VBox Bridge Adapter
Connect to VBOX Host WXP-SP3:
  • Microsoft Windows XP Network Bridge
    • 3Com Etherlink III NIC
      With OpenVPN TAP Adapters bridged.
And there is absolutely no issue ... OpenVPN works perfectly !

Either OpenVPN have dropped their security requirements or they just plain forgot to compile something into V232