LinuxQuestions.org
Old 01-17-2017, 05:29 PM   #1
sundialsvcs
Connect to machine on host's OpenVPN subnet from VirtualBox VM?


I have a [OS/X ...] host that's running OpenVPN and which is connected to a subnet that includes address 10.44.55.55.

I want the VM to be able to reach that subnet, too.

I've tried various things, including setting up a NAT virtual adapter. ("enp0s9")

I then tried, for example, sudo net route add -host 10.44.55.55 enp0s9, which by-the-way produces this:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s3
...
10.44.55.55     *               255.255.255.255 UH    0      0        0 enp0s9

... but still no joy: ping 10.44.55.55 from the guest produces no response.

I also tried it with a "Host-Only Adapter" ("enp0s8") but once again no joy.

What might I be doing wrong?

I would expect that, one way or the other, the traffic should emerge into the host's networking, with some valid return address, destined for 10.44.55.55, which I can ping successfully from the host's command line. I would intuitively expect that the traffic would know how to get there with no further configuration needed.

Ref: https://www.virtualbox.org/manual/ch06.html#network_nat
Quote:
A virtual machine with NAT enabled acts much like a real computer that connects to the Internet through a router. The "router", in this case, is the VirtualBox networking engine, which maps traffic from and to the virtual machine transparently. In VirtualBox this router is placed between each virtual machine and the host. This separation maximizes security since by default virtual machines cannot talk to each other.

[ ... ]

The network frames sent out by the guest operating system are received by VirtualBox's NAT engine, which extracts the TCP/IP data and resends it using the host operating system. To an application on the host, or to another computer on the same network as the host, it looks like the data was sent by the VirtualBox application on the host, using an IP address belonging to the host. VirtualBox listens for replies to the packages sent, and repacks and resends them to the guest machine on its private network.

The bugaboo seems to be somewhere in "resends it using the host operating system." I would expect the packets, destined as they are for a VPN-connected subnet, to be routed to that subnet just as are pings originated on the host. If "the host" can ping that address, why don't packets coming out of the VM and "being resent using the host operating system" do the same thing?

Edit: Interestingly, traceroute 10.44.55.55 from the guest shows the packets being pitched to the Internet at large ... where of course they promptly disappear into the gloom since these are non-routable addresses. When the route command is added to send them to either the Host-Only Network or the NAT, there is no output whatsoever from traceroute.

Last edited by sundialsvcs; 01-17-2017 at 05:40 PM.
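
Added example, not part of the original post: a parser for the `route` table format shown above that applies longest-prefix matching to report which guest interface a destination leaves on, and whether it falls through to the default gateway as the traceroute in the Edit indicates. The sample table contains only the two rows the post shows, the "before" case assumes none of the elided rows covers 10.44.55.55, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: header plus the two rows quoted in the post; the "..."
# line stands for rows the post elided and is skipped by the parser.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s3
...
10.44.55.55     *               255.255.255.255 UH    0      0        0 enp0s9
"""

def parse_routes(text):
    """Parse `route` output into (network, gateway, metric, iface) tuples.
    Assumes numeric destinations (as from `route -n`) or the word 'default'."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # banner, column header, or elided "..." line
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        gw = None if f[1] in ("*", "0.0.0.0") else f[1]
        routes.append((net, gw, int(f[4]), f[7]))
    return routes

def egress(routes, dst):
    """Longest-prefix match (lowest metric breaks ties).
    Returns (iface, gateway, via_default) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, _metric, iface = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface, gw, net.prefixlen == 0

if __name__ == "__main__":
    after = parse_routes(ROUTE_OUTPUT)
    # Table as it would be without the added host route (elided rows unknown).
    before = [r for r in after if r[0].prefixlen != 32]
    for label, table in (("before", before), ("after", after)):
        iface, gw, via_default = egress(table, "10.44.55.55")
        where = "default gateway" if via_default else "host route"
        print(f"{label}: 10.44.55.55 -> {iface} gw={gw} via {where}")
```

This only answers which guest interface the packet leaves on; whether the host then carries it into the tunnel is a separate question that the routing table in the guest cannot show.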
 
Old 01-19-2017, 07:10 AM   #2
sundialsvcs
Still no joy ...

After entering the command route add -host 10.44.55.55 gw 192.168.56.1 dev enp0s8 (this being the IP-address of the host on the Host-Only Network and the virtual adapter leading to it) ...

... tcpdump -nn icmp on the host shows the ping Request packets emerging from the Host-Only Network at its IP address: 192.168.56.101 > 10.44.55.55.

... but nothing is received on the remote side if the ping is made from the virtual machine.

If the ping is made from the host, it works as expected.

I still don't understand why a packet produced by the virtual machine and routed to an address which the host knows how to reach does not get there, when sent to the host-side address as a gateway.
 
Old 06-07-2017, 11:33 AM   #3
sundialsvcs
Well, the solution turned out to be much simpler than I thought. The adapter-type should be NAT, not Bridged Networking.

"Bridged Networking" literally communicates with the host adapter directly, bypassing the usual host stack.

When set to "NAT," and when the OpenVPN tunnel is up, addresses on the other side of the tunnel can be pinged from the host.

This lets the VM reach out to the OpenVPN-connected remotes, but it of course does not let those remotes reach in to the VM. (Neither can the host "ping" that interface.) The connection is one-way outward-only but now it can see virtual interfaces such as utunX on the host.
 
  

