The virtual machine is what I’d use for internet activities, and I want to make sure there are no leaks or anything.
Are things still hidden from the router and ISP if the VPN is only on the virtual machine? If so, are there any privacy/security/speed pros and cons to having the VPN just on the virtual machine? What about just on the host?
Also, am I right in thinking that having the VPN on both the host and virtual machine would result in slower speeds than if it was just on one? Or is that not how it works?
(1 pro I can think of for it being on the virtual machine: You could have different virtual machines that use different VPNs)
I run the OpenVPN client on my host, and apply policy-based routing to route all traffic from the VM’s network through the gateway in the VPN’s network.
1 pro I can think of for it being on the virtual machine: You could have different virtual machines that use different VPNs
You can also have it by running the VPN client on the host.
The VPN client creates a virtual NIC and makes it part of the VPN network, where a gateway lies (the remote NAT). You can forget about the virtual/VPN part: your host is now a router between different private networks, and some of them have a gateway. That’s a multi-WAN router.
Policy-based routing is a good thing, but you have to know how to do this.
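The host-side policy-based routing described in the two replies above, written out as an added example (not code from any poster in this thread). It assumes the libvirt default network 192.168.122.0/24, an OpenVPN interface tun0 and routing table 100, all adjustable; it also goes slightly beyond the replies by allowing the rule to match only one destination prefix, and by adding an unreachable fallback route so VM traffic is rejected rather than leaked through the host’s own uplink when the tunnel drops. The script prints the commands by default; pass --apply (or pipe the output to sh) to run them, ideally from an OpenVPN route-up hook so tun0 already exists.

```shell
#!/bin/sh
# Added example: force a KVM host's VM network through an OpenVPN tun device
# with policy-based routing, a kill switch and source NAT.
#
# Assumed values (adjust to your setup):
VM_NET="${VM_NET:-192.168.122.0/24}"   # libvirt network the VMs are on
VPN_DEV="${VPN_DEV:-tun0}"             # OpenVPN client interface on the host
TABLE="${TABLE:-100}"                  # dedicated routing table for VM traffic
ONLY_TO="${ONLY_TO:-}"                 # e.g. 10.20.0.0/16 to divert one subnet only

# Emit the commands instead of running them, so they can be reviewed first.
# Usage: pbr_commands <vm_net> <vpn_dev> <table> [dest_prefix]
pbr_commands() {
    vm_net="$1"; vpn_dev="$2"; table="$3"; dest="${4:-}"
    # Selector for the rule: all traffic from the VM network, or only the
    # traffic from it towards one destination prefix.
    sel="from $vm_net"
    if [ -n "$dest" ]; then
        sel="$sel to $dest"
    fi
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
# 1. Packets matching the selector are looked up in table $table first.
ip rule add $sel lookup $table priority 1000
# 2. Table $table sends everything out of the tunnel. A tun device has no
#    link-layer addressing, so 'dev' alone is enough, no next hop needed.
ip route add default dev $vpn_dev table $table metric 100
# 3. Kill switch: the kernel deletes the tunnel route when $vpn_dev goes
#    down; this higher-metric route then remains, the lookup ends with
#    'unreachable' and VM traffic never falls through to the main table.
ip route add unreachable default table $table metric 1000
# 4. Source NAT so the VPN side sees the tunnel address, not the VM address.
nft add table ip vmvpn
nft add chain ip vmvpn postrouting '{ type nat hook postrouting priority 100; policy accept; }'
nft add rule ip vmvpn postrouting ip saddr $vm_net oifname "$vpn_dev" masquerade
EOF
}

# Commands that undo pbr_commands (same arguments).
pbr_teardown_commands() {
    vm_net="$1"; table="$3"; dest="${4:-}"
    sel="from $vm_net"
    if [ -n "$dest" ]; then
        sel="$sel to $dest"
    fi
    cat <<EOF
ip rule del $sel lookup $table priority 1000
ip route flush table $table
nft delete table ip vmvpn
EOF
}

# Show which route a VM source address would get for an Internet destination
# (run on the host after applying; 'dev tun0' or 'unreachable' is expected).
pbr_check() {
    ip route get 1.1.1.1 from "$1" iif "${2:-virbr0}"
}

case "${1:-}" in
    --apply)    pbr_commands "$VM_NET" "$VPN_DEV" "$TABLE" "$ONLY_TO" | sh ;;
    --teardown) pbr_teardown_commands "$VM_NET" "$VPN_DEV" "$TABLE" "$ONLY_TO" | sh ;;
    *)          pbr_commands "$VM_NET" "$VPN_DEV" "$TABLE" "$ONLY_TO" ;;  # dry run
esac
```

The rule priority 1000 sits after the kernel's local-table rule at priority 0, so packets from a VM to the host's own addresses are still delivered locally; everything else from the VM network ends up in table 100, and with the tunnel gone the only remaining entry there is the unreachable route.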
But if you don’t have much skill and your paranoia level is high, you have to use this scheme:
2 networks: 1 private without NAT or internet access, and one default NAT network.
The router VM has 2 network adapters, one connected to each network. On the router VM you configure classic NAT and masquerade over any VPN you want to use.
Example for the private network using Mullvad DNS (10.64.0.1):
<network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'>
  <name>private</name>
  <uuid>8acccf11-aa11-1111-1111-f59112233447</uuid>
  <bridge name='private-bridge' stp='on' delay='0'/>
  <mac address='52:54:00:33:22:11'/>
  <domain name='private'/>
  <dns>
    <forwarder addr='10.64.0.1'/>
  </dns>
  <ip address='192.168.15.254' netmask='255.255.255.0' localPtr='yes'>
    <dhcp>
      <range start='192.168.15.150' end='192.168.15.250'/>
      <host mac='52:54:00:be:10:01' name='router' ip='192.168.15.1'/>
      <host mac='52:54:00:ec:10:02' name='vm1' ip='192.168.15.10'/>
      <host mac='52:54:00:6c:10:03' name='vm2' ip='192.168.15.11'/>
    </dhcp>
  </ip>
  <dnsmasq:options>
    <dnsmasq:option value='dhcp-option=option:router,192.168.15.1'/>
    <dnsmasq:option value='dhcp-option=option:dns-server,10.64.0.1'/>
  </dnsmasq:options>
</network>
Please look at the <dnsmasq:option value='dhcp-option=option:router,192.168.15.1'/> line:
this overrides the default route for this network, because by default it will be the IP address of the host.
Also, you have to specify the namespace for this XML: xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'
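The router VM side of the scheme above, as an added example that is not from the poster: an nftables ruleset for a router VM with eth0 on the default NAT network (used only to reach the VPN server), eth1 on the isolated private network as 192.168.15.1 (the gateway the dhcp-option above hands out), and tun0 as the VPN client interface. The interface names are assumptions. Forwarding is allowed only from eth1 into tun0, so with the tunnel down the private VMs get nothing rather than a plain-Internet path through eth0, and an attempt to reach eth0 directly is logged. The script prints the ruleset by default; --check validates it with nft -c, --apply loads it.

```shell
#!/bin/sh
# Added example: nftables ruleset for the router VM of the two-network scheme.
# VMs on the private network can leave only through the VPN tunnel.
#
# Assumed names and addresses (adjust to your setup):
WAN_IF="${WAN_IF:-eth0}"               # adapter on the default libvirt NAT network
LAN_IF="${LAN_IF:-eth1}"               # adapter on the isolated 'private' network
VPN_IF="${VPN_IF:-tun0}"               # VPN client interface inside the router VM
LAN_NET="${LAN_NET:-192.168.15.0/24}"  # the private network from the XML above

# Render the ruleset for the given interfaces and private network.
# Usage: router_ruleset <wan_if> <lan_if> <vpn_if> <lan_net>
router_ruleset() {
    wan="$1"; lan="$2"; vpn="$3"; lan_net="$4"
    cat <<EOF
flush ruleset
table inet vpnrouter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # the only permitted new flows: private network -> tunnel
        iifname "$lan" oifname "$vpn" ip saddr $lan_net accept
        # anything from the private network heading for the WAN directly
        # (tunnel down, wrong route, misconfiguration) is logged, then dropped
        iifname "$lan" oifname "$wan" log prefix "vpn-bypass-attempt: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # the private network may talk to the router itself (DHCP, ICMP)
        iifname "$lan" accept
        # nothing new is accepted from the WAN or tunnel side
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip vpnnat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # hide the private addresses behind the tunnel address
        ip saddr $lan_net oifname "$vpn" masquerade
    }
}
EOF
}

case "${1:-}" in
    --check) router_ruleset "$WAN_IF" "$LAN_IF" "$VPN_IF" "$LAN_NET" | nft -c -f - ;;
    --apply) sysctl -q -w net.ipv4.ip_forward=1
             router_ruleset "$WAN_IF" "$LAN_IF" "$VPN_IF" "$LAN_NET" | nft -f - ;;
    *)       router_ruleset "$WAN_IF" "$LAN_IF" "$VPN_IF" "$LAN_NET" ;;  # dry run
esac
```

Because the VMs' DNS server 10.64.0.1 is only reachable through the tunnel, DNS follows the same rule as everything else: no tunnel, no resolution, instead of a fallback to a resolver on the host's network.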
Old topic, sorry to reply here but I cannot seem to get this working on my own server.
I have an Ubuntu 22.04 KVM host with an OpenVPN client connecting to a remote OpenVPN service.
From the KVM host I am able to connect to the remote network behind the OpenVPN server. I use netplan to set up a bridge ‘br0’ for the KVM client VMs. The client VMs get their IP via DHCP and can connect to the internet and the local LAN.
I’d like these Client VMs to access the remote network behind the OpenVPN server for a specific IP subnet only.
On my KVM Host, when connected to the OpenVPN server I have the following interfaces:
- enp3s0: has no IP directly bound to it
- br0: has a static IP bound to it
- tun0: the OpenVPN tunnel
The Client VMs all use ‘br0’ as a virtual NIC.
How would I get access to the ‘tun0’ NIC from the Client VMs?