LinuxQuestions.org

Ook 05-09-2023 07:37 PM

Network sharing question with VMs and VPNs.
 
I currently have a Windows VM that connects to a corporate VPN. I have VirtualBox set up with a "host-only" network, which appears in the VM as a network connection. This "host-only" type of network connection can be accessed outside of the VM via whatever ip address you give it inside of the VM.

In Windows, there is a dialog that lets you share this VPN connection with the host-only connection. Once I do that, I can access VPN resources via the host-only ip address, outside of the VPN. This works well, I've been doing this for a while. It has limitations. I have to manually set a route for each IP on the VPN I want to access. Since there are only a half dozen of these, this works very well. I do not have, nor do I want, DNS from VPN exposed to my Linux box. No name lookup. I can only access VPN resources by manually setting a route on the linux host, and then I can access it via its ip. I've been doing this for a while now, and it works very well.

So - how do I do this with a Linux VM? In my Linux VM I can see the VPN connection, I think it is gpd1. I see the host-only connection, eth1. I can access this host-only connection via its ip address outside of the VM. So far so good.

The only step missing is sharing gpd1 through eth1. How, in Linux, do I tell it to share gpd1 through eth1? I do this with Windows and it works but I don't know what it is doing behind the scenes.

henca 05-10-2023 12:20 PM

To configure your linux box as a router it will need to know where to route different packages (it probably already does know that as you have configured your vpn and eth1) and it will need to be told to let other machines send their traffic through its interfaces. You tell your machine to do that with:

Code:

sysctl -w net.ipv4.ip_forward=1
If you think the above solves your problem you probably want to put that command in some startup file like /etc/rc.d/rc.local or you might want to create a file in /etc/sysctl.d.

For example /etc/sysctl.d/if_forward.conf:
Code:

net.ipv4.ip_forward=1
regards Henrik

Ook 05-10-2023 01:26 PM

Quote:

Originally Posted by henca (Post 6430057)
To configure your linux box as a router it will need to know where to route different packages (it probably already does know that as you have configured your vpn and eth1) and it will need to be told to let other machines send their traffic through its interfaces. You tell your machine to do that with:

Code:

sysctl -w net.ipv4.ip_forward=1
If you think the above solves your problem you probably want to put that command in some startup file like /etc/rc.d/rc.local or you might want to create a file in /etc/sysctl.d.

For example /etc/sysctl.d/if_forward.conf:
Code:

net.ipv4.ip_forward=1
regards Henrik

How does that tell it to route traffic from gpd0 through eth1?

Ook 05-10-2023 01:56 PM

This works. Not sure if this is the best way to do it, but it does get the job done.


root@zzz:~# iptables -A FORWARD -o gpd0 -i eth1 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
root@zzz:~# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@zzz:~# iptables -t nat -F POSTROUTING
root@zzz:~# iptables -t nat -A POSTROUTING -o gpd0 -j MASQUERADE

henca 05-11-2023 01:03 AM

Quote:

Originally Posted by Ook (Post 6430081)
root@zzz:~# iptables -t nat -A POSTROUTING -o gpd0 -j MASQUERADE

That masquerading trick was probably needed because machines in the corporate network did not know how to route to your home network through the VPN.

regards Henrik

Ook 05-12-2023 11:02 AM

Quote:

Originally Posted by henca (Post 6430176)
That masquerading trick was probably needed because machines in the corporate network did not know how to route to your home network through the VPN.

regards Henrik

Yeah, that was the biggest problem - how to get from there to here. FWIW, this:

sysctl -w net.ipv4.ip_forward=1

Is *absolutely* necessary. Nothing works without it.

elcore 05-12-2023 11:31 AM

Quote:

Originally Posted by Ook (Post 6430462)
sysctl -w net.ipv4.ip_forward=1

Is *absolutely* necessary. Nothing works without it.

It's not at all necessary because it enables forwarding everywhere on every interface, globally.
A more secure practice is to only enable forwarding per specific interface (for example eth0 only):
Code:

echo 1 >/proc/sys/net/ipv4/conf/eth0/forwarding
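Putting Ook's working rule set and elcore's per-interface forwarding suggestion together, as an added example that is not code from any poster in this thread: a POSIX sh script that prints the commands it would run and executes them only when APPLY=1 is set (as root). It assumes the names from the thread (gpd0 for the VPN, eth1 for the host-only side, 192.168.0.0/24 as the LAN prefix), all overridable via environment variables, and adds a default-deny FORWARD policy so only flows started from the LAN prefix can cross into the VPN.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and LAN prefix are
# taken from Ook's posts (gpd0, eth1, 192.168.0.0/24); override via environment.
# Without APPLY=1 the commands are only printed, so they can be reviewed first.
VPN_IF="${VPN_IF:-gpd0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# run: echo the command, execute it only when APPLY=1 (needs root)
run() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# forwarding_cmds: elcore's point, per-interface switches instead of the global
# ip_forward. The LAN side must forward for the outbound packets, the VPN side
# for the replies that come back in on it.
forwarding_cmds() {
    run sysctl -w "net.ipv4.conf.${LAN_IF}.forwarding=1"
    run sysctl -w "net.ipv4.conf.${VPN_IF}.forwarding=1"
}

# filter_cmds: Ook's two FORWARD rules on top of a default-deny policy, so only
# flows started from the LAN prefix can cross into the VPN, plus their replies.
filter_cmds() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# nat_cmds: masquerade only the LAN prefix behind the VPN address (Henrik's
# explanation: the corporate side has no route back to the home network)
nat_cmds() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

all_cmds() {
    forwarding_cmds
    filter_cmds
    nat_cmds
}

all_cmds
```

Run it once without APPLY to read the six commands it generates, then `APPLY=1 sh script.sh` as root to apply them; the MASQUERADE rule is appended rather than flushing POSTROUTING as Ook's session did, so check for duplicates with `iptables -t nat -L POSTROUTING -n` if you run it twice.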
