
I know the question is vague and I’m a newbie when it comes to networking, so let me give you all the details:

My current setup is the following:
A) Physical server running Windows 10, referred to as Host below
B) Virtual Machine under Hyper-V running Ubuntu 18.04
C) Web Application, ERP (Odoo) deployed on Ubuntu 18.04 VM
D) Softether VPN Server running on Host (A, above)
E) Linksys Modem/Router connected directly to the ISP, assigned a private IP by the ISP (192.168.1.1) and distributing the connection among all connected devices creating a local network

The current setup is fully functional and I am able to access the web application (C, above) in the Host’s browser by typing the VM’s (B, above) IP address and specifying the designated port. So no problem here.

I have chosen to test the VPN tunnel on my local network, so when the Host (A, above) is connected to the local network, I am able to access it via VPN on any other device on the local network. So no problem here either.

However, once the Physical Server is connected to the local network (either by LAN directly to the router, or through wifi), the router (E, above) gives it a private IP address (192.168.1.33) and understandably, the VM is assigned an IP address by the same router as though it is a unique device connected to the local network (so 192.168.1.34).

I have created a Virtual Switch in Hyper-V, bound to the hardware network adapter of the Host in order to give the VM access to the Internet.

The problem is that I am obviously able to connect to the Web Application with no security whatsoever and on any device connected to the local network, just by typing the IP address of the VM and the designated port, regardless of whether said device is connected to Host via VPN or not.

My goal is to be able to gain access to the Web Application if and only if I am connected to the Host via VPN. In other words, how can I make the VM part of a sub-network on the Host?

Thanks for your help and I apologize in advance for the misuse of technical terms.

P.S.: I can provide more information, I just don’t know what you will need to be able to help.

1 Answer


This calls for a network more reminiscent of a business network. You need a separate LAN that your VPN users land into. You may optionally want a third LAN, a "Demilitarized Zone" or DMZ, for your hosted services. You'll then put a firewall between these three networks to filter traffic. This is not simple at all and probably too difficult for a network newbie but I sense you are embracing adventure.

I cannot realistically give you a step-by-step answer, but some general pointers are as follows.

Start by creating two additional bridges on your Host that are not connected to your LAN. These bridges should only be bridging various VMs together. You'll need a new VM, a router appliance like VyOS or pfSense, to provide DHCP, gateway, and firewall services on these networks. You now have three LANs: one for the PCs in your home, one for your VPN guests, and one for your hosted applications. These all need their own subnets as well. 192.168.1.0/24 is your home, 192.168.2.0/24 might be your VPN zone, and 192.168.3.0/24 might be your DMZ. You'll need to set up a static IP address for your virtual router on your home network such as 192.168.1.2. You'll also want DHCP servers on your virtual router for the latter two networks. You now have your three LANs, but they are entirely isolated. Nobody can talk to anybody outside their LAN.

You'll need to set up routing configuration to allow everybody to talk to everybody across LANs. First, your ISP router needs to know that there are two LANs inside your network. These are called 'static routes'; basically you are telling your ISP router that in order to get to 192.168.1.0/24 and 192.168.2.0/24, it needs to talk to the virtual router. Since your virtual router is on all three networks, it will automatically know how to get between all of them, but it needs to know how to reach the internet. This is another static route that says that "0.0.0.0/0" (the entire internet) is connected via 192.168.1.1. Once this is done, every PC on your network should be able to ping every other PC. For example, when PCs in your home network try to reach PCs that are connected via VPN, they go to their gateway, the ISP router, which will redirect traffic to the virtual router. The virtual router then redirects traffic onto the VPN bridge, and your VPN appliance will pass it on to the correct VPN tunnel. This is great, but we still haven't done what you originally asked for. Everybody can still talk to the webserver.

Finally, you'll need to institute firewall rules to limit what types of traffic can go from LAN to LAN. Here's where you'll put rules like nobody can access the DMZ, unless they are on the VPN network using ports 80/443 to talk to the webserver or they are on the Home network using port 22 to SSH into the webserver.

It's a lot of work, but it's the correct way to get what you want.

  • Thanks for your answer! I will follow your guidelines and keep you posted
    – MrNewb
    Commented Oct 20, 2018 at 8:03
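To make the three-LAN design in the answer concrete, here is an added example (not part of the question, the answer, or any VyOS/pfSense configuration) that models the virtual router's two decisions: longest-prefix route lookup over its connected subnets plus default route, and the zone-to-zone firewall policy the answer describes. The subnets and the 192.168.1.1 gateway come from the answer; the host addresses and the "other" port are constructed, and it is assumed the ISP router's static routes point 192.168.2.0/24 and 192.168.3.0/24 at the virtual router.

```python
from ipaddress import ip_address, ip_network

# Hypothetical model of the answer's virtual router (not real appliance config).
HOME = ip_network("192.168.1.0/24")  # physical LAN behind the ISP router
VPN = ip_network("192.168.2.0/24")   # bridge where VPN clients land
DMZ = ip_network("192.168.3.0/24")   # bridge holding the Odoo VM
ISP_ROUTER = ip_address("192.168.1.1")

# Routing table: three directly connected LANs plus a default route
# ("0.0.0.0/0") via the ISP router. The most specific prefix wins.
ROUTES = [
    (HOME, "direct"),
    (VPN, "direct"),
    (DMZ, "direct"),
    (ip_network("0.0.0.0/0"), str(ISP_ROUTER)),
]

# Inter-LAN policy, first match wins, implicit drop at the end.
# (from_zone or None=any, to_zone or None=any, allowed ports or None=any, verdict)
POLICY = [
    (VPN, DMZ, {80, 443}, "accept"),  # VPN users may reach the web app
    (HOME, DMZ, {22}, "accept"),      # home PCs may only SSH to the VM
    (None, DMZ, None, "drop"),        # nobody else touches the DMZ
    (None, None, None, "accept"),     # everything else (e.g. to the internet)
]

def next_hop(dst):
    """Longest-prefix match over ROUTES: 'direct' or the gateway address."""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def zone_of(addr):
    """Map an address to HOME/VPN/DMZ, or None for anything outside them."""
    addr = ip_address(addr)
    return next((z for z in (HOME, VPN, DMZ) if addr in z), None)

def forward(src, dst, dport):
    """Evaluate a TCP flow against POLICY; returns 'accept' or 'drop'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for z_from, z_to, ports, verdict in POLICY:
        if z_from is not None and src_zone != z_from:
            continue
        if z_to is not None and dst_zone != z_to:
            continue
        if ports is not None and dport not in ports:
            continue
        return verdict
    return "drop"

if __name__ == "__main__":  # constructed sample flows
    for flow in [("192.168.2.10", "192.168.3.34", 443), ("192.168.1.20", "192.168.3.34", 3306)]:
        print(flow, "->", next_hop(flow[1]), forward(*flow))
```

The home PC at 192.168.1.20 is dropped on the constructed port 3306 and on 443, which is exactly the behaviour the question asked for, while the VPN client at 192.168.2.10 is accepted on 80/443.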
