4

I have a windows 10 pro host with VMs running in Hyper-V. The VMs are on a private LAN with the host. I would like to provide internet connectivity to the VMs, and have the VM traffic go through the VPN connection configured on the host. The particular software VPN (pulse secure) doesn't create an interface that is "bridgeable" with the vswitch.

My hyper-V VMs are on 192.168.4.0/24, and my windows 10 host has a virtual interface on 192.168.4.215/24 which I would like to use as a gateway for the VMs traffic. I would like to use the routing tables on the windows host to route traffic from the VMs on 192.168.4.0/24 to go through a VPN interface configured on the host.

I normally provide internet connectivity to VMs by putting them on a LAN, creating a virtual interface for the host on that same LAN, and then bridging the virtual interface to a physical interface (either a physical NIC or a wireless NIC). In this case however, VM traffic would bypass the software VPN configured on the windows host -- I would like the VM traffic to be routed through the VPN, the same way that traffic from host applications are routed.

When I activate the VPN connection (pulse secure), a new virtual interface shows up on the host, at 10.0.0.100/32, and a default route is automatically added to the host's routing table to point to 10.0.0.100 as the default gateway. This effectively makes all of the external traffic generated by the windows host and its desktop applications go through the vpn interface.

I would like to configure the host to re-route/forward all incoming IP traffic from 192.168.4.0/24 onto the VPN interface, possibly NATed. Normally I would bridge the interfaces I want to connect together, but this particular vpn adapter will refuse to be bridged to anything.

Is there a way to achieve this in win10 pro, or do I need windows server? This is annoying also because this particular vpn software isn't well supported in Linux.

Improve this question
3
  • 1
    Why NAT, which is something you want to avoid if at all possible? This sounds like a simple case for routing.
    – Ron Maupin
    Commented Nov 19, 2018 at 18:42
  • Maybe I don't need NAT per-se. I would normally bridge a virtual interface (which is on the same LAN as the VMs) to a physical interface, but then I'd be bypassing the VPN interface. That pulse secure VPN interface can't be bridged to anything, and by virtue of the VPN using a /32 as its address (I wish I could change it) means I also can't place anything in its subnet and use it as a gateway. It seemed that my only option was to make the VM traffic re-enter the host's routing table. I thought of NAT as a potential solution.
    – init_js
    Commented Nov 19, 2018 at 18:48
  • Right, you route between networks. You only use NAT when you must (private-to-public or overlapping network addressing). Bridging is what you do on the same network, but routing is between networks.
    – Ron Maupin
    Commented Nov 19, 2018 at 18:51

1 Answer 1

Reset to default
2

I've managed to get something working on Windows 10, by creating a HyperV NAT interface. I believe you'll need windows 10 pro for that. Win10 home doesn't have Hyper-V (yet).

This has worked quite well:

https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/setup-nat-network

  1. Create a NAT interface using powershell using the instructions in the link above. There is apparently a limit of 1 such interface according to the documentation, but on my computer there are currently 2 active vNAT interfaces: one I've created myself, and one called DockerNAT, which got created by Docker for Windows. This step will give you a new vSwitch, and assign it an IP on the host.
  2. In Hyper-V, edit the VM's settings to add a new network interface connected to the NAT switch interface created in step 1.
  3. On the VM, assign the new nic a static IP on that NAT subnet (e.g. ip addr add dev ethX 192.168.0.100/24), and configure the default gateway to be the vSwitch IP, e.g. (route add default gw 192.168.0.1 ethX)
  4. Add any nameserver to /etc/resolv.conf (e.g. echo "nameserver 8.8.8.8" >> /etc/network/interfaces)

The effect of using the NAT interface is that the traffic coming out of any VM using the NAT vSwitch will be masqueraded behind the gateway IP (192.168.0.1 in my example), and will be re-routed internally using the routing table of the windows host. So, when I turn on the VPN, this will re-route all the Natted traffic to the VPN too.

There are many cases where I want to access the VM from the host directly, which the NAT makes difficult (everything will be behind 192.168.0.1). Rather than doing a bunch of dynamic port forwarding (which is also possible too with powershell), I've simply created another internal network between the host and the VM that is not NAtted (e.g. 192.168.5.0/24).

Improve this answer
3
  • NAT is a kludge that is simply intended to extend the life of IPv4 until IPv6 is ubiquitous. It is not intended to replace routing. If you have non-overlapping private networks, simply route between the networks, not use NAT.
    – Ron Maupin
    Commented Oct 6, 2019 at 22:00
  • I agree. But you need win 10 server (not pro) to configure decent routing, afaik. The routes would need to be modified whenever the software VPN kicks in and out too. This NAT thing is set and forget.
    – init_js
    Commented Oct 6, 2019 at 22:03
  • 1
    I have done the same thing (including step 4) and I can ping my vSwitch gateway as well as the actual router gateway and any other IP, however DNS just does not work... nslookup, dig, ping all fail miserably :-( I tried on Fedora and Ubuntu - I am pretty sure this is an issue with the vmswitch
    – Leonardo Seccia
    Commented May 16, 2020 at 19:47

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .