Setting up OpenVPN between VirtualBox guests and hosts
Contributed by Tim Day, 2007/03/13
Scenario
You have a host (Debian Etch assumed below) where you're running multiple VBox VMs in NAT mode. Let's call them debianvm and ubuntuvm. You can connect out of those virtual machines to your LAN and the internet using ssh, HTTP, etc., but you're disappointed that you can't connect into those boxes, because the VBox NAT doesn't do port forwarding.
(Note: as of version 1.3.8, VBox does support port forwarding)
Your options are:
- Post a query to the vbox-users mailing list. And get told, not unreasonably, that the NAT mode doesn't support it.
- Read the documentation on "Host Interface Networking". And run away in terror because it looks real complicated.
- Follow the instructions below to run OpenVPN clients in those virtual machines, making them (almost) first class citizens of your LAN and allowing you to connect in to them.
So:
On the host (192.168.7.3 assumed here) as root:
First, enable packet forwarding (a one-line uncomment edit in /etc/sysctl.conf). Then:
apt-get install openvpn
cd /etc/openvpn
# The endpoint addresses mirror the guest's ifconfig line below;
# with no "port" line, openvpn listens on its default port 1194.
cat <<EOF > debianvm.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 60
EOF
/etc/init.d/openvpn start
On the debianvm guest, as root:
apt-get install ssh openvpn
cd /etc/openvpn
cat <<EOF > debianvm.conf
remote 192.168.7.3
dev tun
ifconfig 10.8.0.2 10.8.0.1
keepalive 10 60
redirect-gateway
EOF
/etc/init.d/openvpn start
On the host:
ping 10.8.0.2
should respond. And
ssh -l root 10.8.0.2
should get you a login.
[There's nothing special about ssh; e.g. a host-side xtightvncviewer connecting in to a tightvncserver running on the guest works fine too.]
This might be all you need, in which case skip the next section.
Multiple VMs
Now we'll set up our ubuntuvm too. We'll simply run another openvpn on the host; it'll need to listen on a different port number (but that's easier than setting up OpenVPN's server mode IMHO). Each tunnel consumes a block of four addresses, so we add 4 to reach the next usable ones (debianvm's link used .1 and .2 for the endpoints, and .0 and .3 for the network and broadcast addresses; ubuntuvm will use .4 through .7, with .5 and .6 being the endpoints).
On the host (still as root in /etc/openvpn):
cat <<EOF > ubuntuvm.conf
dev tun
ifconfig 10.8.0.5 10.8.0.6
keepalive 10 60
port 1195
EOF
/etc/init.d/openvpn restart
On the guest:
# NB: first you'll need to enable the "universe" repository and run apt-get update
apt-get install ssh openvpn
cd /etc/openvpn
cat <<EOF > ubuntuvm.conf
remote 192.168.7.3 1195
dev tun
ifconfig 10.8.0.6 10.8.0.5
keepalive 10 60
redirect-gateway
EOF
/etc/init.d/openvpn restart
On the host:
ping 10.8.0.6
should respond. And
ssh -l username 10.8.0.6
should log you into ubuntuvm (don't forget: Ubuntu doesn't allow root logins).
You should also find you can ssh (or whatever) directly from debianvm to ubuntuvm and vice versa.
Tidying up
On Debian, the openvpn init scripts run openvpn for any config files in /etc/openvpn on boot, so there should be no need to redo any of the above setup again; the VPN tunnels should just appear automatically.
Make sure all your machines have
10.8.0.2 debianvm
10.8.0.6 ubuntuvm
in their /etc/hosts (or whatever you use for hostname resolution).
Make sure your LAN is set up to route the 10.8.0.0/255.255.255.0 net via the gateway at 192.168.7.3.
You should now be able to connect to debianvm and ubuntuvm just the same as if they were any other machines on your LAN.
Disclaimer
- The above doesn't include encryption. I just wanted to point this out in case anyone assumed OpenVPN did some by default. See the OpenVPN docs; using static keys adds about four lines per VM to the above (generate a key, scp it to the client, and add one line to each .conf file).
- OpenVPN doesn't support broadcast, which may break some Windows things.
- The redirect-gateway in the client config reroutes all traffic through the VPN tunnel. I suspect this could somehow break DHCP interactions with VirtualBox's built-in NAT-mode DHCP server, but it's worked fine for me so far.
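The per-VM addressing rule from the Multiple VMs section and the static-key point in the first item above, combined into one script. This is an added example, not part of the original article: it allocates the n-th four-address block of 10.8.0.0/24, emits a mirrored host/guest config pair, and adds a `secret` line so the link is actually encrypted and authenticated rather than plaintext. It assumes VMs are numbered from 1, that ports count up from the default 1194, that the key file is named after the VM, and that the host's LAN address is 192.168.7.3 as in the article; `openvpn --genkey --secret FILE` is the OpenVPN 2.0 to 2.4 syntax (2.5 and later also accept `openvpn --genkey secret FILE`).

```shell
#!/bin/sh
# Added example (not from the original article): allocate the n-th tunnel
# block in 10.8.0.0/24 and print a matching host/guest OpenVPN config pair
# that also carries a shared static key ("secret" line).
# Assumptions (not in the article): VMs are numbered from 1, VM n listens on
# BASE_PORT+n-1, and the key file is named after the VM.
set -eu

BASE_NET=10.8.0          # first three octets of the tunnel network
BASE_PORT=1194           # OpenVPN default; debianvm=1194, ubuntuvm=1195, ...
HOST_LAN_IP=192.168.7.3  # host address from the article

# tun_addrs N -> "host_ip guest_ip port"
# VM n owns 10.8.0.(4*(n-1)) .. .(4*(n-1)+3): the host endpoint is the first
# usable address, the guest the second; .0 and .3 of the block stay unused.
# A /24 holds 64 such blocks, so n must be 1..64.
tun_addrs() {
    n=$1
    [ "$n" -ge 1 ] && [ "$n" -le 64 ] || { echo "VM index must be 1..64" >&2; return 1; }
    off=$(( 4 * (n - 1) ))
    echo "$BASE_NET.$(( off + 1 )) $BASE_NET.$(( off + 2 )) $(( BASE_PORT + n - 1 ))"
}

# host_conf NAME N -> host-side config for /etc/openvpn/NAME.conf
host_conf() {
    addrs=$(tun_addrs "$2") || return 1
    set -- "$1" $addrs        # $1=name $2=host_ip $3=guest_ip $4=port
    cat <<EOF
dev tun
ifconfig $2 $3
keepalive 10 60
port $4
secret /etc/openvpn/$1.key
EOF
}

# guest_conf NAME N -> guest-side config; ifconfig endpoints are mirrored
guest_conf() {
    addrs=$(tun_addrs "$2") || return 1
    set -- "$1" $addrs
    cat <<EOF
remote $HOST_LAN_IP $4
dev tun
ifconfig $3 $2
keepalive 10 60
redirect-gateway
secret /etc/openvpn/$1.key
EOF
}

# gen_key NAME: create the shared static key on the host with root-only
# permissions. Copy it to the guest out of band (e.g. scp) before starting
# either side; both configs above reference the same path.
gen_key() {
    ( umask 077; openvpn --genkey --secret "/etc/openvpn/$1.key" )
}

# Usage (as root on the host), e.g. for the second VM from the article:
#   gen_key ubuntuvm
#   host_conf ubuntuvm 2 > /etc/openvpn/ubuntuvm.conf
#   guest_conf ubuntuvm 2 > ubuntuvm-guest.conf   # scp this + the .key to the guest
```

Because both sides are generated from the same index, the `ifconfig` pairs can never get out of step, which is the mistake most likely when hand-editing a growing set of per-VM files. The `secret` directive means a peer that does not hold the key cannot bring the tunnel up or read its traffic; it does not change anything about the routing described in the Tidying up section.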