| | 1 | = Setting up OpenVPN between VirtualBox guests and hosts = |
| | 2 | |
| | 3 | == Scenario == |
| | 4 | |
| | 5 | You have a host (Debian Etch assumed below) where you're running |
| | 6 | multiple VBox VMs in NAT mode. Let's call them debianvm and ubuntuvm. |
| | 7 | You can connect out of those virtual machines to your LAN and the internet |
| | 8 | using ssh, http etc, but you're disappointed that you can't connect into |
| | 9 | those boxes because the VBox NAT doesn't do port forwarding. |
| | 10 | |
| | 11 | (Note: as of version 1.3.8, VBox does support port forwarding) |
| | 12 | |
| | 13 | Your options are: |
| | 14 | - Post a query to the vbox-users mailing list. |
| | 15 | And get told, not unreasonably, that the NAT mode doesn't |
| | 16 | support it. |
| | 17 | - Read the documentation on "Host Interface Networking". |
| | 18 | And run away in terror because it looks real complicated. |
| | 19 | - Follow the instructions below to run OpenVPN clients |
| | 20 | in those virtual machines, making them (almost) first |
| | 21 | class citizens of your LAN and allowing you to connect in to them. |
| | 22 | |
| | 23 | So: |
| | 24 | |
| | 25 | On the host (192.168.7.3 assumed here) as root: |
| | 26 | |
| | 27 | First, enable packet forwarding |
| | 28 | (a one line uncomment edit in /etc/sysctl.conf). |
| | 29 | Then: |
| | 30 | |
| | 31 | apt-get install openvpn |
| | 32 | cd /etc/openvpn |
| | 33 | cat<<EOF > debianvm.conf |
| | 34 | dev tun |
| | 35 | ifconfig 10.8.0.5 10.8.0.6 |
| | 36 | keepalive 10 60 |
| | 37 | port 1195 |
| | 38 | EOF |
| | 39 | /etc/init.d/openvpn start |
| | 40 | |
| | 41 | On the debianvm guest, as root: |
| | 42 | |
| | 43 | apt-get install ssh openvpn |
| | 44 | cd /etc/openvpn |
| | 45 | cat<<EOF > debianvm.conf |
| | 46 | remote 192.168.7.3 |
| | 47 | dev tun |
| | 48 | ifconfig 10.8.0.2 10.8.0.1 |
| | 49 | keepalive 10 60 |
| | 50 | redirect-gateway |
| | 51 | EOF |
| | 52 | /etc/init.d/openvpn start |
| | 53 | |
| | 54 | On the host: |
| | 55 | |
| | 56 | ping 10.8.0.2 |
| | 57 | |
| | 58 | should respond. And |
| | 59 | |
| | 60 | ssh -l root 10.8.0.2 |
| | 61 | |
| | 62 | should get you a login. |
| | 63 | |
| | 64 | [There's nothing special about ssh; e.g a host-side xtightvncviewer |
| | 65 | connecting in to a tightvncserver running on the guest works fine too]. |
| | 66 | |
| | 67 | This might be all you need, in which case skip the next section. |
| | 68 | |
| | 69 | == Multiple VMs == |
| | 70 | |
| | 71 | Now we'll set up our ubuntuvm too. |
| | 72 | We'll simply run another openvpn on the host; it'll need to listen |
| | 73 | on a different port number (but that's easier than setting up OpenVPN's |
| | 74 | server mode IMHO). We need to add +4 to get to the the next usable IP |
| | 75 | addresses (debianvm's link used .1 and .2 for the endpoints, and .0 and .3 |
| | 76 | for net and broadcast addresses; ubuntuvm will use .4 through .7, with |
| | 77 | .5 and .6 being the endpoints). |
| | 78 | |
| | 79 | On the host (still as root in /etc/openvpn): |
| | 80 | |
| | 81 | cat<<EOF > ubuntuvm.conf |
| | 82 | dev tun |
| | 83 | ifconfig 10.8.0.5 10.8.0.6 |
| | 84 | keepalive 10 60 |
| | 85 | port 1195 |
| | 86 | EOF |
| | 87 | /etc/init.d/openvpn restart |
| | 88 | |
| | 89 | On the guest: |
| | 90 | |
| | 91 | # NB First you'll need to enable the "universe" and apt-get update |
| | 92 | |
| | 93 | apt-get install ssh openvpn |
| | 94 | |
| | 95 | cat<<EOF > ubuntuvm.conf |
| | 96 | remote 192.168.7.3 1195 |
| | 97 | dev tun |
| | 98 | ifconfig 10.8.0.6 10.8.0.5 |
| | 99 | keepalive 10 60 |
| | 100 | redirect-gateway |
| | 101 | EOF |
| | 102 | /etc/init.d/openvpn restart |
| | 103 | |
| | 104 | On the host: |
| | 105 | |
| | 106 | ping 10.8.0.6 |
| | 107 | |
| | 108 | should respond. And |
| | 109 | |
| | 110 | ssh -l username 10.8.0.6 |
| | 111 | |
| | 112 | should log you into ubuntuvm (don't forget: |
| | 113 | ubuntu doesn't allow root logins). |
| | 114 | |
| | 115 | You should also find you can ssh (or whatever) |
| | 116 | directly from debianvm to ubuntuvm and vice-versa. |
| | 117 | |
| | 118 | == Tidying up == |
| | 119 | |
| | 120 | On Debian, the openvpn init scripts run openvpn for any |
| | 121 | config files in /etc/openvpn on boot, so there should be |
| | 122 | no need to redo any of the above setup again; the VPN |
| | 123 | tunnels should just appear automatically. |
| | 124 | |
| | 125 | Make sure all your machines have |
| | 126 | 10.8.0.2 debianvm |
| | 127 | 10.8.0.6 ubuntuvm |
| | 128 | in their /etc/hosts (or whatever you use for hostname resolution). |
| | 129 | |
| | 130 | Make sure your LAN is set up to route the 10.8.0.0/255.255.255.0 |
| | 131 | net via the gateway at 192.168.7.3. |
| | 132 | |
| | 133 | You should now be able to connect to debianvm and ubuntuvm |
| | 134 | just the same as if they were any other machines on your LAN. |
| | 135 | |
| | 136 | == Disclaimer == |
| | 137 | |
| | 138 | - The above doesn't include encryption. Just wanted to point |
| | 139 | this out in case anyone assumed OpenVPN did some by default. |
| | 140 | See the openvpn docs; using static keys adds 4 lines per VM |
| | 141 | to the above total (generate key, scp it to client, add one |
| | 142 | line to .conf files). |
| | 143 | |
| | 144 | - OpenVPN doesn't support broadcast. |
| | 145 | Maybe that breaks some Windows things. |
| | 146 | |
| | 147 | - The redirect-gateway in the client config reroutes all traffic |
| | 148 | through the VPN tunnel. Suspect this could somehow break |
| | 149 | DHCP interactions with the NAT-mode VirtualBox built-in DHCP |
| | 150 | server, but it's worked fine for me so far. |
