Force virtual machine to only use VPN connection?

2

3

Here's what I have:

Mac OS X 10.10 - running VirtualBox and acting as an OpenVPN client. This works just fine on the VPN and is intended to be my host machine. There is also a WiFi connection on this machine that acts as my gateway to the outside world. This Mac is set up with NAT to connect to the WiFi router.

Windows 7 Pro - this is a virtual instance to be running through VirtualBox on the Mac.

My OpenVPN Server is running on CentOS but I don't think that matters for the purposes of my question.

How can I make sure that my Windows machine only makes connections through the VPN and never via the WiFi?

When I first started, I thought that the OpenVPN client would act as a new network adapter and I could expose only that adapter in the VirtualBox settings. But that doesn't seem to be the case, VirtualBox just takes it as a NAT adapter.

To be clear, the desired use case would be the following:

  • The OpenVPN client is running fine on the Mac host machine which means that it runs fine on the Windows machine.

  • The OpenVPN goes down on the Mac client but the Mac keeps running via the WiFi connection. The Windows machine now no longer has access to any internet resources since there is no connection.

How can I achieve this?

Unknown Coder

Posted 2015-08-11T16:18:35.787

Reputation: 93

@Arjan yes, thank you. The reference to CentOS is for my OpenVPN server. So I think that bit of info shouldn't have an impact on the answers since my question is basically client-side only. – Unknown Coder – 2015-08-14T16:08:33.837

The question How can I make VirtualBox guests share the host's VPN connection? on AskUbuntu covers this topic in detail.

– Breakthrough – 2015-08-18T16:20:28.523

Answers

3

The answer is: it depends whether you are using OpenVPN in the bridged or routed mode: you have a routed OpenVPN if your new virtual interface is tunX, a bridged OpenVPN if, instead, you have a tapX virtual interface.

For bridged OpenVPN: select, in the VirtualBox screen, Network-> Bridged Adapter, Name -> tap0.

For routed OpenVPN: select, in the VirtualBox screen, Network -> NAT.

This way you will not need an OpenVPN client on your VM. Also, the above answers cover both important cases, since the OP did not state which OpenVPN mode is in use.

To double check that the above is working correctly, load in your browser the following URL, www.whatismyipaddress.com; from its output, or the geolocation tools provided in the answer if you are not sure, you shall be able to ascertain what is your apparent external IP.

MariusMatutiae

Posted 2015-08-11T16:18:35.787

Reputation: 41 321

Thanks for the reply, that's along the right lines. I have done the IP address checking you mentioned. But what I'm more concerned about is how this all reacts when the Host loses the VPN connection. In a NAT scenario, when the VPN is lost on the host, the Host uses WiFi and passes on the same connection to the Client - that is not the desired process. How would your solution react in a scenario where the VPN connection is lost? – Unknown Coder – 2015-08-20T18:30:29.887

@JimBeam It depends. The VM is always routed thru whichever connection you have available. If the OpenVPN connection is lost, and the routing table is changed, then the VM will be routed through the wifi. If the OpenVPN is lost for a short time, the routing table is not changed, then the OpenVPN connection is re-established, your VM will never be routed thru the wifi. If you must, at all costs, go thru the OpenVPN, then only policy routing can give you the certainty that no packets are routed thru the wifi. Normally, OpenVPN are quite sturdy, though. – MariusMatutiae – 2015-08-20T20:58:37.017

This: For bridged OpenVPN: select, in the VirtualBox screen, Network-> Bridged Adapter, Name -> tap0. doesn't work for me (OSX host + Ubuntu guest) – Worker – 2016-12-14T13:16:30.270

@Worker What do you mean by does not work? Cannot find tap0? No external connection? Some error message? – MariusMatutiae – 2016-12-14T15:09:13.030

@MariusMatutiae does not work - means this whole approach is not working. According to my findings the VPN tap interface doesn't support such bridging. – Worker – 2016-12-14T15:31:27.680

@Worker It works perfectly on Linux. I did not try this out on MacOS, but I did try it out on FreeBSD (both as guest and as a host) and on OpenBSD (as guest only), and it works perfectly in these situations. So I am a bit surprised about your findings. – MariusMatutiae – 2016-12-14T16:55:15.500

1

Sounds like you are looking for a "bridged" rather than a NAT virtual interface. This way you can bind the virtual interface (meaning the interface for communication between your Mac host and the Windows guest) to only one specific interface of the host. As far as I understand the question, you have a VPN interface set up on the host, right? For details see http://www.virtualbox.org/manual/ch06.html#network_bridged

Echsecutor

Posted 2015-08-11T16:18:35.787

Reputation: 315

This is an interesting answer. However, I don't see a way to bind to the VPN on the host. You can bind to the adapter on the host, but not specifically to the VPN. So in that scenario, if the VPN goes down on the host, it would use WiFi and the Bridged adapter would still use the WiFi connection. It wouldn't stop the traffic from the VM. Any thoughts on that? – Unknown Coder – 2015-08-14T16:12:39.787

This depends on how the VPN client is implemented. On Windows hosts, they tend to present themselves as adapters. I will check on OSX at home tonight ;) – Echsecutor – 2015-08-17T13:23:35.453

It is the same on OS X, the VPN is a separate adapter. – qasdfdsaq – 2015-08-18T14:00:11.423

0

Disclaimer: I've never used Virtualbox so this might not be possible.

Option 1 Bind the network adapter of the Windows Machine to the openvpn interface.

Option 2 Slightly more complicated: create a network in front of the Windows box, and use a small OpenVPN router on Linux, then set up iptables to only allow Windows to use the OpenVPN interface. There would then be no way for Windows to access the internet when the VPN was down because the Linux box would block it.

Michael B

Posted 2015-08-11T16:18:35.787

Reputation: 714

@MariusMatutiae In the quiet words of the Virgin Mary... come again? - aka what the hell are you talking about?!

– Michael B – 2015-08-20T15:36:15.527
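Michael B's Option 2, as an added example that is not code from the thread: an iptables rule set for the small Linux router that sits between the Windows VM and the Internet. The VM's LAN segment, the interface names (eth1 facing the VM, eth0 as uplink, tun0 for routed OpenVPN), the subnet and the VPN server endpoint are all assumptions; the rules are printed by a function so they can be reviewed without root, and applied by a second function when run as root.

```shell
#!/bin/sh
# Added example (not from the thread): a "kill switch" rule set for a Linux
# OpenVPN router in front of the Windows VM. The router itself may only talk
# to the Internet to build the tunnel; the VM's traffic is forwarded into the
# tunnel and nowhere else, so a dropped tunnel means the VM has no connection.
# Interface names, subnet and server endpoint are assumptions, not the OP's.
LAN_IF="${LAN_IF:-eth1}"                  # side facing the Windows VM
WAN_IF="${WAN_IF:-eth0}"                  # uplink (WiFi/Internet)
TUN_IF="${TUN_IF:-tun0}"                  # routed-mode OpenVPN interface
LAN_NET="${LAN_NET:-192.168.56.0/24}"     # constructed example subnet
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder (TEST-NET-3) address
VPN_PORT="${VPN_PORT:-1194}"

# Emit the rules as shell commands instead of running them, so the set can be
# inspected (and tested) on any machine. Default policy is DROP on all chains.
kill_switch_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the router's only permitted egress on the uplink is the OpenVPN transport
iptables -A OUTPUT -o $WAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
# accept the VM's packets on the LAN side
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# forward VM traffic into the tunnel only; no FORWARD rule ever names $WAN_IF
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $TUN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check: returns 0 when no FORWARD rule can send VM traffic via the uplink,
# which is what keeps the VM offline even if the default route falls back to WAN.
no_wan_forward() {
    ! kill_switch_rules | grep -q -- "-A FORWARD.*-o $WAN_IF"
}

# Apply the rules; needs root and will cut existing sessions on the uplink.
apply_kill_switch() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_kill_switch: run as root" >&2; return 1; }
    no_wan_forward || { echo "apply_kill_switch: rule set leaks via $WAN_IF" >&2; return 1; }
    kill_switch_rules | sh -e
}

case "${1:-show}" in
    apply) apply_kill_switch ;;
    show)  kill_switch_rules ;;
esac
```

Run the script with no argument to review the generated commands and with `apply` as root to load them. The important property is the one `no_wan_forward` checks: the FORWARD chain only ever pairs the LAN interface with the tunnel, so when OpenVPN drops and the router's default route reverts to the uplink (the case raised in the comments on the accepted answer), the VM's packets are dropped rather than sent over WiFi. Do not apply this over an SSH session that arrives via the uplink; with INPUT defaulting to DROP, only the LAN side remains reachable.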

0

The best way to ensure all traffic is routed through your VPN would be to run a VPN client inside the virtual machine. If you're running an OpenVPN client in the VM, you can set the push "redirect-gateway" option in your configuration to ensure all client traffic is directed through the VPN. If the server connection is lost, all client requests should then timeout (as opposed to being routed through the remaining NAT adapter).

Should there be a problem with the OpenVPN client itself, you can use the Windows Firewall to explicitly disable any processes from accessing the remaining NAT adapter provided by VirtualBox. You can accomplish this by using a default-deny policy/rule for all incoming and outgoing connections on the main network adapter, adding an exception only for the OpenVPN client. This will force all other traffic inside the VM to be routed through the tunnel adapter, or simply be blocked if it is not available.

Breakthrough

Posted 2015-08-11T16:18:35.787

Reputation: 32 927

I'm trying to NOT run a VPN client inside my virtual machine – Unknown Coder – 2015-08-14T18:40:11.563

@JimBeam Why not just use the firewall on your host machine to prevent the VirtualBox process from accessing any network adapter besides the OpenVPN tunnel? – Breakthrough – 2015-08-15T08:44:02.660

how exactly would I go about that on OSX please? – Unknown Coder – 2015-08-15T14:55:06.923

I don't own any Apple products, so I can't really be of much help at this point... Perhaps ask a moderator to move this question to AskDifferent.SE instead (or again consider using OpenVPN inside the VM).

– Breakthrough – 2015-08-16T22:02:27.337
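Breakthrough's host-firewall suggestion in the comments above, worked out for the OS X host as an added example that is not from the thread: a pf rule set that drops every packet leaving over WiFi except the UDP flow that carries the OpenVPN tunnel. Because VirtualBox's NAT engine sends the guest's traffic as ordinary host traffic, the guest is covered by the same outbound rules; so is everything else on the host, which is broader than restricting only the VirtualBox process. The interface names (en0 for WiFi, utun0 for the tunnel), the server endpoint and the anchor file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a pf "kill switch" for the OS X host.
# Outbound traffic may leave only via the OpenVPN tunnel interface; the one
# exception on WiFi is the UDP transport to the VPN server (plus DHCP so the
# WiFi lease survives). Interface names and endpoint are assumptions.
WIFI_IF="${WIFI_IF:-en0}"
TUN_IF="${TUN_IF:-utun0}"                 # check the actual name with: ifconfig
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder (TEST-NET-3) address
VPN_PORT="${VPN_PORT:-1194}"
ANCHOR_NAME="vpn-killswitch"
ANCHOR_FILE="${ANCHOR_FILE:-/etc/pf.anchors/$ANCHOR_NAME}"

# Emit the pf rules. 'quick' makes the first matching rule final, so order matters.
pf_killswitch_rules() {
    cat <<EOF
# loopback and the tunnel itself are unrestricted
set skip on lo0
pass out quick on $TUN_IF all
# the only flow allowed out over WiFi is the OpenVPN transport
pass out quick on $WIFI_IF proto udp from any to $VPN_SERVER port $VPN_PORT keep state
# DHCP keeps the WiFi lease alive; drop this line if the address is static
pass out quick on $WIFI_IF proto udp from any port 68 to any port 67
# everything else that would leave over WiFi is dropped (VM NAT traffic included)
block drop out quick on $WIFI_IF all
EOF
}

# Sanity check: every 'pass' rule on the WiFi interface must be a UDP rule,
# i.e. one of the two narrow exceptions above. Returns 0 when that holds.
only_vpn_transport_on_wifi() {
    ! pf_killswitch_rules | grep "^pass out quick on $WIFI_IF" | grep -v -q 'proto udp'
}

# Install: write the anchor file, reference it from /etc/pf.conf once, reload pf.
install_killswitch() {
    [ "$(id -u)" -eq 0 ] || { echo "install_killswitch: run as root" >&2; return 1; }
    only_vpn_transport_on_wifi || { echo "install_killswitch: rule set leaks" >&2; return 1; }
    pf_killswitch_rules > "$ANCHOR_FILE"
    grep -q "anchor \"$ANCHOR_NAME\"" /etc/pf.conf || printf 'anchor "%s"\nload anchor "%s" from "%s"\n' \
        "$ANCHOR_NAME" "$ANCHOR_NAME" "$ANCHOR_FILE" >> /etc/pf.conf
    pfctl -f /etc/pf.conf
    pfctl -e 2>/dev/null || true   # pf may already be enabled
}

case "${1:-show}" in
    install) install_killswitch ;;
    show)    pf_killswitch_rules ;;
esac
```

Run with no argument to print the rules, with `install` as root to load them. Once loaded, the scenario from the question behaves as wanted: while the tunnel is up, the host (and therefore the NAT'ed Windows guest) reaches the Internet through utun0; when OpenVPN drops, nothing but the reconnect attempt to the server can leave over WiFi, so the guest's connections time out instead of silently falling back. Host DNS over WiFi is blocked too, so the VPN must supply name resolution, and the tunnel interface name should be verified with `ifconfig` before installing, since OpenVPN on OS X allocates utun interfaces dynamically.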