| 1 | = Setting up OpenVPN between VirtualBox guests and hosts = |
| 2 | |
| 3 | == Scenario == |
| 4 | |
| 5 | You have a host (Debian Etch assumed below) where you're running |
| 6 | multiple VBox VMs in NAT mode. Let's call them debianvm and ubuntuvm. |
| 7 | You can connect out of those virtual machines to your LAN and the internet |
| 8 | using ssh, http etc, but you're disappointed that you can't connect into |
| 9 | those boxes because the VBox NAT doesn't do port forwarding. |
| 10 | |
| 11 | (Note: as of version 1.3.8, VBox does support port forwarding) |
| 12 | |
| 13 | Your options are: |
| 14 | - Post a query to the vbox-users mailing list. |
| 15 | And get told, not unreasonably, that the NAT mode doesn't |
| 16 | support it. |
| 17 | - Read the documentation on "Host Interface Networking". |
| 18 | And run away in terror because it looks real complicated. |
| 19 | - Follow the instructions below to run OpenVPN clients |
| 20 | in those virtual machines, making them (almost) first |
| 21 | class citizens of your LAN and allowing you to connect in to them. |
| 22 | |
| 23 | So: |
| 24 | |
| 25 | On the host (192.168.7.3 assumed here) as root: |
| 26 | |
| 27 | First, enable packet forwarding |
| 28 | (a one line uncomment edit in /etc/sysctl.conf). |
| 29 | Then: |
| 30 | |
| 31 | apt-get install openvpn |
| 32 | cd /etc/openvpn |
| 33 | cat<<EOF > debianvm.conf |
| 34 | dev tun |
| 35 | ifconfig 10.8.0.5 10.8.0.6 |
| 36 | keepalive 10 60 |
| 37 | port 1195 |
| 38 | EOF |
| 39 | /etc/init.d/openvpn start |
| 40 | |
| 41 | On the debianvm guest, as root: |
| 42 | |
| 43 | apt-get install ssh openvpn |
| 44 | cd /etc/openvpn |
| 45 | cat<<EOF > debianvm.conf |
| 46 | remote 192.168.7.3 |
| 47 | dev tun |
| 48 | ifconfig 10.8.0.2 10.8.0.1 |
| 49 | keepalive 10 60 |
| 50 | redirect-gateway |
| 51 | EOF |
| 52 | /etc/init.d/openvpn start |
| 53 | |
| 54 | On the host: |
| 55 | |
| 56 | ping 10.8.0.2 |
| 57 | |
| 58 | should respond. And |
| 59 | |
| 60 | ssh -l root 10.8.0.2 |
| 61 | |
| 62 | should get you a login. |
| 63 | |
| 64 | [There's nothing special about ssh; e.g a host-side xtightvncviewer |
| 65 | connecting in to a tightvncserver running on the guest works fine too]. |
| 66 | |
| 67 | This might be all you need, in which case skip the next section. |
| 68 | |
| 69 | == Multiple VMs == |
| 70 | |
| 71 | Now we'll set up our ubuntuvm too. |
| 72 | We'll simply run another openvpn on the host; it'll need to listen |
| 73 | on a different port number (but that's easier than setting up OpenVPN's |
| 74 | server mode IMHO). We need to add +4 to get to the the next usable IP |
| 75 | addresses (debianvm's link used .1 and .2 for the endpoints, and .0 and .3 |
| 76 | for net and broadcast addresses; ubuntuvm will use .4 through .7, with |
| 77 | .5 and .6 being the endpoints). |
| 78 | |
| 79 | On the host (still as root in /etc/openvpn): |
| 80 | |
| 81 | cat<<EOF > ubuntuvm.conf |
| 82 | dev tun |
| 83 | ifconfig 10.8.0.5 10.8.0.6 |
| 84 | keepalive 10 60 |
| 85 | port 1195 |
| 86 | EOF |
| 87 | /etc/init.d/openvpn restart |
| 88 | |
| 89 | On the guest: |
| 90 | |
| 91 | # NB First you'll need to enable the "universe" and apt-get update |
| 92 | |
| 93 | apt-get install ssh openvpn |
| 94 | |
| 95 | cat<<EOF > ubuntuvm.conf |
| 96 | remote 192.168.7.3 1195 |
| 97 | dev tun |
| 98 | ifconfig 10.8.0.6 10.8.0.5 |
| 99 | keepalive 10 60 |
| 100 | redirect-gateway |
| 101 | EOF |
| 102 | /etc/init.d/openvpn restart |
| 103 | |
| 104 | On the host: |
| 105 | |
| 106 | ping 10.8.0.6 |
| 107 | |
| 108 | should respond. And |
| 109 | |
| 110 | ssh -l username 10.8.0.6 |
| 111 | |
| 112 | should log you into ubuntuvm (don't forget: |
| 113 | ubuntu doesn't allow root logins). |
| 114 | |
| 115 | You should also find you can ssh (or whatever) |
| 116 | directly from debianvm to ubuntuvm and vice-versa. |
| 117 | |
| 118 | == Tidying up == |
| 119 | |
| 120 | On Debian, the openvpn init scripts run openvpn for any |
| 121 | config files in /etc/openvpn on boot, so there should be |
| 122 | no need to redo any of the above setup again; the VPN |
| 123 | tunnels should just appear automatically. |
| 124 | |
| 125 | Make sure all your machines have |
| 126 | 10.8.0.2 debianvm |
| 127 | 10.8.0.6 ubuntuvm |
| 128 | in their /etc/hosts (or whatever you use for hostname resolution). |
| 129 | |
| 130 | Make sure your LAN is set up to route the 10.8.0.0/255.255.255.0 |
| 131 | net via the gateway at 192.168.7.3. |
| 132 | |
| 133 | You should now be able to connect to debianvm and ubuntuvm |
| 134 | just the same as if they were any other machines on your LAN. |
| 135 | |
| 136 | == Disclaimer == |
| 137 | |
| 138 | - The above doesn't include encryption. Just wanted to point |
| 139 | this out in case anyone assumed OpenVPN did some by default. |
| 140 | See the openvpn docs; using static keys adds 4 lines per VM |
| 141 | to the above total (generate key, scp it to client, add one |
| 142 | line to .conf files). |
| 143 | |
| 144 | - OpenVPN doesn't support broadcast. |
| 145 | Maybe that breaks some Windows things. |
| 146 | |
| 147 | - The redirect-gateway in the client config reroutes all traffic |
| 148 | through the VPN tunnel. Suspect this could somehow break |
| 149 | DHCP interactions with the NAT-mode VirtualBox built-in DHCP |
| 150 | server, but it's worked fine for me so far. |