1

I have the following setup:

Notebook (IP: 192.168.1.100)
Host: (IP:192.168.1.129)

Both Notebook and Host are connected to a router (Internet IP:192.168.1.1)

The host (Host) has two virtual machines on it (Development, Office). Since the host uses a DHCP server (KVM), it assigns the following IP addresses to the VMs:

Development: 192.168.122.45
Office: 192.168.122.46

The DHCP server for the host has the IP address 192.168.122.1

Now I would like to access the Development VM from my Notebook (192.168.1.100) on port 5900 to remotely work on this VM.

I used some iptables rules to achieve this on the host, where the VMs are located:

iptables -t nat -I PREROUTING -p tcp -d 192.168.1.129 --dport 5900 -j DNAT --to-destination 192.168.122.45
iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

Unfortunately I didn't get a connection with Spice to the Development VM.

 spice://192.168.1.129:5900

I edited my VM with

virsh edit VM-Development

and configured like this:

<graphics type='spice' port='5900' autoport='no' listen='127.0.0.1' keymap='de-ch'>
   <listen type='address' address='127.0.0.1'/>
</graphics>

After I made the iptables rules, the XML configuration file contains a new entry:

<video>
    <model type='qxiptables -t nat -I PREROUTING -p tcp -d 192.168.1.129 --dport 5900 -j DNAT --to-destination 192.168.122.45 iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT l' ram='65536' vram='65536' vgamem='16384' heads='1'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>

What's wrong? I used several hints, but I can't get it to work. I also checked that the router has port 5900 open.

user1408341
  • Are you using libvirt? You should be able to use `virt-manager` on the machine accessing the host to access the VM consoles. – Martian Apr 14 '16 at 14:24

2 Answers

0

You can use ssh HOST nc as a proxy:

Host *.saturnin.* *.saturnin bb-*
   ProxyCommand ssh -q -A saturnin.lab.eng.brq.redhat.com nc %h %p
   IdentityFile ~/.ssh/bot_rsa
   User root

Drawback: this requires having entries in /etc/hosts on the host.

Alternatively I am using nc with sed to get local name/IP:

Host tbb-*
   ProxyCommand ssh -q -A saturnin.lab.eng.brq.redhat.com sednc 's/^tbb-//' %h %p
   IdentityFile ~/.ssh/bot_rsa
   User root

Host 192.168.*.cimrman.* 192.168.*.cimrman
   ProxyCommand ssh -q -A cimrman.lab.eng.brq.redhat.com sednc 's/\.cimrman.*//' %h %p
   IdentityFile ~/.ssh/bot_rsa
   User root

sednc looks like this:

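#!/bin/bash
# sednc: rewrite HOST with a sed expression, then connect to the result with nc.

if [[ $1 == -h || $1 == --help ]]; then
  cat <<END
sednc - nc to a HOST:PORT with HOST modified by a sed command SEDEXP

USAGE: sednc SEDEXP HOST [PORT]

Example:

    sednc 's/^bb-//' bb-rawhide

This is to be used with ssh to connect to VMs inside a host. Add a line like this to your .ssh/config:

    Host bb-*
        ProxyCommand ssh -q -A HOST sednc 's/^bb-//' %h %p

END
  exit 0
fi

# Both the sed expression and the host are required.
if [[ $# -lt 2 ]]; then
  echo "USAGE: sednc SEDEXP HOST [PORT]" >&2
  exit 1
fi

# HOST is the alias ssh substitutes for %h; TRANSLATED is the name nc connects to.
HOST="$2"
TRANSLATED="$(sed -e "$1" <<<"$HOST")"

#echo "$TRANSLATED">&2
# PORT defaults to 22 (ssh) when ssh does not pass %p.
nc "$TRANSLATED" "${3:-"22"}"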
Martian
  • Poof, complicated. I thought more of a small C++ program that listens on a central host on port 5900 and then tries to make redirections to a VM behind it in the local LAN. With C++ this shouldn't be too heavy because of the new thread support: one thread for each connection. I need to study the Spice protocol first [http://www.spice-space.org/static/docs/spice_protocol.pdf] – user1408341 Apr 16 '16 at 17:35
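
An added example, not part of the answer above: `sednc` hands whatever the sed expression produces straight to `nc`, so an alias such as `tbb--v` would be translated into something `nc` parses as an option. The sketch below does the same translation but only accepts a plain hostname or dotted IPv4 address; `translate_host` and `sednc_checked` are hypothetical names, and the sample aliases in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the original answer; translate_host and
# sednc_checked are hypothetical names.

# $1 = sed expression, $2 = host alias as ssh passes it in %h.
# Prints the translated host, or returns non-zero if the result is not a
# plain hostname or dotted IPv4 address.
#   translate_host 's/^tbb-//' tbb-rawhide   (constructed alias, accepted)
#   translate_host 's/^tbb-//' tbb--v        (constructed alias, rejected)
translate_host() {
  target=$(printf '%s\n' "$2" | sed -e "$1") || return 2
  case $target in
    '')                 return 1 ;;  # the expression deleted the whole name
    -*)                 return 1 ;;  # nc would read this as an option
    .*|*..*)            return 1 ;;  # empty DNS label
    *[!A-Za-z0-9.-]*)   return 1 ;;  # spaces, newlines, shell metacharacters
  esac
  printf '%s\n' "$target"
}

# Same calling convention as sednc: SEDEXP HOST [PORT].
sednc_checked() {
  host=$(translate_host "$1" "$2") || {
    echo "sednc: refusing translated host for '$2'" >&2
    return 1
  }
  nc "$host" "${3:-22}"
}
```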
0

Update:

 Installation of Spice client needs the following (Linux, Kubuntu)
 - spice-client
 - spice-vdagent
 - (optional) spice-vdagent

 (Windows - Works well with Windows10):

Windows binaries

Then you need to open ports on your host: 5900 (unsecure), 5901 (secure - needs additional configuration). I did this with gufw, a very simple tool to build a firewall. This tool creates entries for iptables. Next I made a routed network. For more comfort, I first exported the $EDITOR environment variable:

export EDITOR=nano

Now you have to know the name of your network. You get the name of your network from the Virtual Machine Manager:

virt-viewer  (sudo apt-get install virt-viewer)

There, under the section NIC, the name of your network is shown: in my case it's "default". Now edit the network settings:

virsh net-edit default

Change the network settings to:

<network>
   <name>default</name>
   <uuid>cc45a671-e8d8-4149-a6a5-xxxxxxxxxx</uuid>
   <forward mode='route'/>
   <bridge name='virbr0' stp='on' delay='0'/>
   <mac address='AA:FF:DD:EE:55:77'/>
   <ip address='192.168.122.1' netmask='255.255.255.0'>
     <dhcp>
         <range start='192.168.122.2' end='192.168.122.254'/>
     </dhcp>
   </ip>
</network>

If you use a firewall, don't forget to open the ports 5900, 5901 or additional ports for further VMs on the same host.

With these settings I could connect to my VM!

The only problem that was not solved is that the VMs are not able to use the Internet, or in my case any connection to outside (only the opened ports).

I used a firewall rule to achieve this:

sudo iptables -t nat -A POSTROUTING -s 192.168.122.45 -j SNAT --to-source 192.168.1.129

Later I realized that with gufw I can simply make a rule to open specific ports on the Host to get working Internet and related things (ssh, ...).

Now I was almost happy :-), but in fact my work was not yet finished. My system consisted of a Host with 4 VMs on it: I could connect to them from my laptop through different port settings (5900, 5902, 5904, 5906). The problem was the monitor. I don't want to have a monitor on my host. Therefore I removed the HDMI cable and... was no longer able to connect, because the graphical window manager sddm (KDE 5) is not able to boot up without a monitor connected.

Further steps in progress:

 -- Installed a xorg dummy driver
    -- Didn't help; sometimes I wasn't able to start even a shell. I made configuration changes to GRUB to always show me a menu to start in recovery mode, so I could delete xorg.conf in /etc/X11 securely from a shell.
 -- I used several vnc viewers/servers to get access to my KDE window manager
    -- x11vnc, tigervnc, tightvnc
    No success.
 -- Installed a dummy driver for Xorg (below some links):

Headless X11, L'Xtreme..

user1408341
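
An added example, not from the original posts: with the `<graphics>` element bound to 127.0.0.1 as in the question, QEMU's SPICE server accepts connections only from the host itself, so the console can be reached from the notebook through an SSH local forward instead of opening the unencrypted port 5900 on the host. The helper names and the sample XML are constructed, and `user@192.168.1.129` stands for an assumed SSH login on the KVM host.

```sh
#!/bin/sh
# Added example, not from the original posts. Helper names and the sample XML
# are constructed; the SSH login passed to tunnel_cmd is an assumption.

# Constructed copy of the <graphics> element shown in the question.
SAMPLE_XML="<graphics type='spice' port='5900' autoport='no' listen='127.0.0.1' keymap='de-ch'>
  <listen type='address' address='127.0.0.1'/>
</graphics>"

# Print the value of attribute $1 from a single element line on stdin.
# The leading whitespace keeps "port" from matching inside "autoport".
xml_attr() {
  sed -n "s/.*[[:space:]]$1='\([^']*\)'.*/\1/p"
}

# Read domain XML (for example from "virsh dumpxml") on stdin and print
# "<listen address> <port>" for the first SPICE graphics element.
spice_endpoint() {
  line=$(sed -n "/<graphics[^>]*type='spice'/{p;q;}")
  [ -n "$line" ] || return 1
  port=$(printf '%s\n' "$line" | xml_attr port)
  addr=$(printf '%s\n' "$line" | xml_attr listen)
  # autoport domains report port='-1' until they run: nothing to forward to.
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$addr" ] || return 1
  printf '%s %s\n' "$addr" "$port"
}

# $1 = SSH login on the host, $2 = local port on the notebook; XML on stdin.
# Prints the ssh local-forward command to run on the notebook.
tunnel_cmd() {
  ep=$(spice_endpoint) || { echo "no fixed SPICE port found" >&2; return 1; }
  addr=${ep% *}
  port=${ep#* }
  case $addr in
    127.*|localhost) ;;
    *) echo "warning: SPICE listens on $addr and is reachable without a tunnel" >&2
       if [ "$addr" = 0.0.0.0 ]; then addr=127.0.0.1; fi ;;
  esac
  printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$2" "$addr" "$port" "$1"
}
```

On the notebook, run the printed command and point the client at spice://127.0.0.1:5900 while the tunnel is up.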