I have an interesting situation where I have a corporate VPN that can only connect through a specific (outdated) version of Ubuntu (and/or Windows) using a vendor-supplied client that creates a VPN interface on tun0 upon successful authentication. I use a different distribution on my personal Linux machine, on which the VPN client will not run because of library issues.
As a workaround, I have more-or-less figured out how to configure the Ubuntu VM (on VirtualBox) to work as a router when the VM is configured in bridge mode. Unfortunately, this works on some networks (like my home one) because I can get another IP no problem for my bridged VM, but on many public networks, this does not work.
I believe I should be able to do this with two network adapters on the VM, one with NAT, and one as a Host-Only connection, but I’m not sure how to set up the routing so that I can send traffic on my host through the VPN tunnel.
Here’s the setup so far:
    [host]$ VBoxManage list hostonlyifs
    Name:            vboxnet0
    GUID:            786f6276-656e-4074-8000-0a0027000000
    DHCP:            Disabled
    IPAddress:       192.168.56.1
    NetworkMask:     255.255.255.0
    IPV6Address:     fe80::800:27ff:fe00:0
    IPV6NetworkMaskPrefixLength: 64
    HardwareAddress: 0a:00:27:00:00:00
    MediumType:      Ethernet
    Wireless:        No
    Status:          Up
    VBoxNetworkName: HostInterfaceNetworking-vboxnet0
The guest interfaces (after connecting to the VPN – enp0s3 is the NAT adapter, enp0s8 is the host-only adapter):
    [guest]$ ip addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:00:27:b2:d9:c2 brd ff:ff:ff:ff:ff:ff
        inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
           valid_lft 83176sec preferred_lft 83176sec
    3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:00:27:3c:81:82 brd ff:ff:ff:ff:ff:ff
        inet 192.168.56.101/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s8
    4: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1384 qdisc fq_codel state UNKNOWN group default qlen 500
        link/none
        inet XXX.XXX.XXX.XXX peer 22.214.171.124/32 scope global tun0
On the guest, I enable translation between the host-only adapter and the VPN tunnel with the following commands:
    # let the guest kernel forward packets between its interfaces
    sudo sysctl net.ipv4.conf.all.forwarding=1
    sudo sysctl net.ipv6.conf.all.forwarding=1
    # allow forwarded traffic in both directions between the host-only adapter and the tunnel
    sudo iptables -A FORWARD -i enp0s8 -o tun0 -j ACCEPT
    sudo iptables -A FORWARD -i tun0 -o enp0s8 -j ACCEPT
    # rewrite the source address of traffic leaving via the tunnel to tun0's address
    sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
On the host, I can replace the default route with 192.168.56.1 (the host-only VM adapter), but then obviously no data can get out at all. Since the VM is not getting its own access to the internet, I need to have some traffic coming in/out to the internet through the host, but then I would like to force as much as possible of that to go through the VM’s VPN connection. It feels like I’m close, and this should be possible, but I’m not sure what the missing piece is.
On a side note, I think I could get this to work for certain applications by doing an SSH SOCKS proxy to the VM, perhaps? I’d like to route all traffic through the VPN, if possible.
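As an added example that is not part of the original question, here is the host-side routing for this NAT + host-only layout as a small shell script. The guest's host-only address and vboxnet0 come from the output above; the VPN gateway address, the host's physical uplink and its default gateway are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: host-side routes for the
# NAT + host-only layout. Values marked ASSUMPTION are placeholders.
set -eu

GUEST_HOSTONLY_IP="192.168.56.101"  # guest enp0s8 address (from the post)
HOSTONLY_IF="vboxnet0"              # host end of the host-only network (from the post)
VPN_SERVER="203.0.113.10"           # ASSUMPTION: public IP of the vendor VPN gateway
PHYS_IF="wlan0"                     # ASSUMPTION: the host's physical uplink
PHYS_GW="192.168.1.1"               # ASSUMPTION: default gateway on that uplink

# Emit the route changes as commands so they can be reviewed before applying.
plan_routes() {
    # 1. Pin the VPN gateway to the physical uplink. VirtualBox's NAT engine
    #    sends the guest's outbound packets from the host's own network stack,
    #    so the guest's tunnel packets obey the host routing table; without
    #    this pin they would follow the new default route back into the guest.
    printf 'ip route replace %s via %s dev %s\n' "$VPN_SERVER" "$PHYS_GW" "$PHYS_IF"
    # 2. Send everything else to the guest, which masquerades it out of tun0.
    #    The next hop is the guest's own host-only address (192.168.56.101),
    #    not the host's vboxnet0 address (192.168.56.1).
    printf 'ip route replace default via %s dev %s\n' "$GUEST_HOSTONLY_IP" "$HOSTONLY_IF"
}

# Undo: restore the uplink default route and drop the VPN gateway pin.
plan_revert() {
    printf 'ip route replace default via %s dev %s\n' "$PHYS_GW" "$PHYS_IF"
    printf 'ip route del %s via %s dev %s\n' "$VPN_SERVER" "$PHYS_GW" "$PHYS_IF"
}

# Verify: the kernel's chosen next hop for a public address must be the guest,
# while the VPN gateway itself must still leave via the physical uplink.
# 198.51.100.1 is a documentation address used only for the route lookup.
check_routes() {
    ip route get 198.51.100.1 | grep -q "via $GUEST_HOSTONLY_IP " &&
    ip route get "$VPN_SERVER" | grep -q "dev $PHYS_IF "
}

case "${1:-plan}" in
    plan)   plan_routes ;;
    apply)  plan_routes | sh -e && check_routes ;;
    revert) plan_revert | sh -e ;;
    *)      echo "usage: $0 [plan|apply|revert]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the commands, with `apply` as root to install and verify them, and with `revert` to put the uplink default route back.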