How do I share one VM's VPN tunnel with another VM?

halpoins
Apr 2, 2021
Bottom line: I am connecting to the internet via VPN on UDP/53 in order to deal with a captive wifi portal, something which is possible in a desktop environment but not a headless server environment. So I have two VMs: Ubuntu Desktop and Ubuntu Server. Desktop can connect to the web using tun0, but Server can't.

I have tried for weeks to set up the VPN in my router so that the individual clients don't have to bother with it. I have tried configuring openvpn on the server, but the VPN provider has explicitly stated they don't support UDP/53 on router or CLI environments.

Is there a way to bridge the two VMs so that the Server can "borrow" the downstream internet connection that the Desktop is creating through its VPN interface? Even if it's slow, I don't care. A trickle is better than nothing.
 
AFAIU you use a VPN method which works in a desktop environment only, but you want to access it from a server without a desktop environment too.
Since I don't know your network topology in detail I cannot be sure if one of the following possibilities is convenient for you, however:
- use the Desktop VM as (maybe NAT) router, define for this an additional bridge (without any hardware, just internal) and connect an additional NIC in each VM to it. Then route connections to VPN at the headless VM via Desktop VM.
- similar to above but instead of routing use a tap instead of a tun device and create a bridge inside the Desktop VM, then the headless one has direct access to VPN network (works only if the VPN protocol allows bridging, tap and connecting more endpoints).
 
You have understood correctly. I have a simple network of a physical router and the Proxmox host, which has one Network Device enp0s31f6 and one Linux Bridge vmbr0. If I follow you correctly, I'll create a new Linux Bridge on my PVE host which will become available to the hosts to add as a network device.

But when you say "route connections to VPN" I don't know how to do that off the top of my head, I'd have to start with googling that phrase. Is it simply writing a new block in /etc/network/interfaces? Not all of my VMs have that file by default, so I'm not sure where they are getting their network interface instructions from.

Your second suggestion is also outside of my expertise but I'm willing to attempt anything. Do you happen to know of a good proxmox wiki page or other resource that would guide me through that?
 
But when you say "route connections to VPN" I don't know how to do that off the top of my head, I'd have to start with googling that phrase. Is it simply writing a new block in /etc/network/interfaces? Not all of my VMs have that file by default, so I'm not sure where they are getting their network interface instructions from.

At PVE host:
- Create a new bridge (without assigning any NIC to it) with a new subnet which exists only locally, choose e.g. 192.168.100.100/24 as address and specify 192.168.100.1 as gateway (yes, /etc/network/interfaces will contain that configuration, but there is nothing to edit there when you use the Proxmox VE web GUI)
- Create new interfaces for both Ubuntu Desktop and Ubuntu server VM which are assigned to the new bridge

At Ubuntu Desktop VM:
- assign address 192.168.100.1 to the new NIC
- allow routing by
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
- define NAT by
Code:
iptables -t NAT -A POSTROUTING -j MASQUERADE
Attention! Desktop environment may overwrite network settings done by command line. Check the documentation.

At Ubuntu Server VM:
- assign address 192.168.100.101 to the new NIC
- set 192.168.100.1 as default gateway


Your second suggestion is also outside of my expertise but I'm willing to attempt anything. Do you happen to know of a good proxmox wiki page or other resource that would guide me through that?
At the first step it's not a question of Proxmox - mainly depends on the VPN implementation you use (which I do not know) if it allows to specify tap devices as virtual NICs - these devices you can bridge to a "real" (which is in case of a VM also a virtual one, but looks for OS like a physical one) NIC then. Or in other words: before continuing with that idea clarify if you can create VPN tap devices.
 
At PVE host:
- Create a new bridge (without assigning any NIC to it) with a new subnet which exists only locally, choose e.g. 192.168.100.100/24 as address and specify 192.168.100.1 as gateway (yes, /etc/network/interfaces will contain that configuration, but there is nothing to edit there when you use the Proxmox VE web GUI)
At this step, I got the error "Default gateway already exists on interface 'vmbr0'". vmbr0 is at 192.168.1.169/24 with gateway 192.168.1.1, I guess only one gateway can be defined at a time? I left the gateway for vmbr1 blank for now and moved on.

- Create new interfaces for both Ubuntu Desktop and Ubuntu server VM which are assigned to the new bridge

At Ubuntu Desktop VM:
- assign address 192.168.100.1 to the new NIC
I did this with
Code:
ifconfig ens19:0 192.168.100.1 up
not sure if that is right but the address can be pinged afterward.
- allow routing by
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
- define NAT by
Code:
iptables -t NAT -A POSTROUTING -j MASQUERADE
The first line was successful but not the second, because the table NAT doesn't exist.
 
At this step, I got the error "Default gateway already exists on interface 'vmbr0'". vmbr0 is at 192.168.1.169/24 with gateway 192.168.1.1, I guess only one gateway can be defined at a time? I left the gateway for vmbr1 blank for now and moved on.

Depends on what you want to use as gateway from inside the host - and yes: only one default gateway can exist, otherwise it would not make any sense.
I did this with
Code:
ifconfig ens19:0 192.168.100.1 up
not sure if that is right but the address can be pinged afterward.

It's correct, but note that the setting is not permanent (it disappears at the latest after a reboot, but may also be overwritten by a network management service running in parallel).

The first line was successful but not the second, because the table NAT doesn't exist.
"nat" must be written in small letters, sorry for the typo.
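
The NAT step from the thread, narrowed so that only the internal subnet is masqueraded and only out of the VPN tunnel (an added example, not part of any post above). It uses the thread's names ens19, tun0 and 192.168.100.0/24; the function names, the FORWARD rules and the APPLY dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): gateway rules for the Desktop VM.
# From the thread: ens19 (NIC on the internal bridge), tun0 (VPN interface),
# 192.168.100.0/24 (internal subnet). Everything else is an assumption.

# Print the commands for one LAN interface, VPN interface and IPv4 subnet.
gateway_rules() {
    lan_if=$1 vpn_if=$2 subnet=$3
    # Accept only plain interface names and CIDR characters, because the
    # output may later be fed to a shell.
    for name in "$lan_if" "$vpn_if"; do
        case $name in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    case $subnet in ''|*[!0-9./]*) return 1 ;; esac
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan_if -o $vpn_if -s $subnet -j ACCEPT
iptables -A FORWARD -i $vpn_if -o $lan_if -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $vpn_if -j MASQUERADE
EOF
}

# Dry run by default: print the rules. APPLY=1 runs them (needs root).
# -A appends, so flush or reboot before applying a second time.
apply_gateway_rules() {
    rules=$(gateway_rules "$@") || { echo "invalid argument" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

apply_gateway_rules ens19 tun0 192.168.100.0/24
```

With the FORWARD policy set to DROP and only the ens19-to-tun0 path accepted, the Server VM's traffic is not forwarded out of the Desktop VM's ordinary interface when the tunnel is down. A POSTROUTING rule without `-s` and `-o` would instead masquerade everything leaving any interface.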
 
