
tl;dr Host connects via VPN to the internet and a VM on this host doesn't go through this VPN (but it should). I think the network config isn't quite correct.

The host

The host (Arch Linux) connects to a VPN network using openvpn and a config file, so there's a TUN device (tun0) created by openvpn. The physical device is called eno1.

I searched a lot on the internet and wrote a script to create a bridged network that the VM can connect to. This script creates a bridge br0 and a TAP device tap0. It also edits the routing table, so that I have normal internet access on the host through my VPN. The table looks like this:

~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.102.1      128.0.0.0       UG        0 0          0 tun0
10.1.102.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
81.95.5.34      192.168.178.1   255.255.255.255 UGH       0 0          0 br0
128.0.0.0       10.1.102.1      128.0.0.0       UG        0 0          0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U         0 0          0 br0

The addresses and configuration look like this:

~# ip addr
2: eno1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether e0:3f:49:48:eb:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.29/24 brd 192.168.178.255 scope global eno1
       valid_lft forever preferred_lft forever
95: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.1.102.248/24 brd 10.1.102.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdbf:1d37:bbe0:0:22:6:0:1248/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5ee5:c367:ab47:5928/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
96: tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master br0 state DOWN group default qlen 1000
    link/ether 7a:22:5d:99:01:06 brd ff:ff:ff:ff:ff:ff
97: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 7a:22:5d:99:01:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.120/24 brd 192.168.178.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::d731:e2c8:a4f8:224e/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::7822:5dff:fe99:106/64 scope link 
       valid_lft forever preferred_lft forever
98: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:10:76:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::790c:464b:74f6:6754/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::fc54:ff:fe10:76e0/64 scope link 
       valid_lft forever preferred_lft forever

The VM

As mentioned above, it's a CentOS 7 VM I run using virt-manager and /usr/bin/qemu-system-x86_64 as emulator. In the network settings I use a shared device (br0) with virtio as device model.

On the VM's side it looks much simpler. The routing table:

~# netstat -rn
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG        0 0          0 eth0
192.168.178.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0

And the addresses:

~# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:10:76:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.105/24 brd 192.168.178.255 scope global noprefixroute dynamic eth0
       valid_lft 860890sec preferred_lft 860890sec
    inet6 fe80::47ed:5e58:2c27:6b50/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

My Problem:

The VM doesn't seem to send the traffic through my VPN (the VM has faster ping times to google than the host and mtr is different too). Instead it goes directly to the internet. I think I have to edit the routing tables, but I don't know how.

I tried to change the IP of the default route to 192.168.178.120 (br0 IP) and also to 192.168.178.29 (eno1 IP) but that didn't work. I also created an IP for the tap0 and set it as default route in the VM, but that didn't work either.
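As an added illustration (not part of the question), a small Python route walker over the two tables above. It shows why the VM's packets never reach tun0: the kernel picks the longest matching prefix, so on the host the two /1 routes win for everything except the LAN and the VPN server, but the VM's next hop is the physical router 192.168.178.1, so its frames are bridged straight out of eno1 and the host's table is never consulted. The host IPs are taken from the question; the probe destinations are constructed.

```python
import ipaddress

# Routing tables as printed by `netstat -rn` on the host and in the VM
# (copied from the question; the VM's table has German column headers).
HOST_ROUTES = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.102.1      128.0.0.0       UG        0 0          0 tun0
10.1.102.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
81.95.5.34      192.168.178.1   255.255.255.255 UGH       0 0          0 br0
128.0.0.0       10.1.102.1      128.0.0.0       UG        0 0          0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U         0 0          0 br0
"""
VM_ROUTES = """\
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG        0 0          0 eth0
192.168.178.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
HOST_IPS = {"192.168.178.120", "192.168.178.29"}  # br0 and eno1 from the question


def parse_routes(text):
    """Return (network, gateway, iface) tuples; the header line is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, _mss, _win, _irtt, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def exit_iface(vm_routes, host_routes, host_ips, dst):
    """Return (routed_by_host, iface) for a VM packet to dst. The host's table
    only applies if the VM's next hop is the host itself (and the host forwards
    and NATs); otherwise the bridge hands the frame to the LAN, bypassing tun0."""
    _net, gw, vm_if = lookup(vm_routes, dst)
    if gw in host_ips:
        return True, lookup(host_routes, dst)[2]
    return False, vm_if


if __name__ == "__main__":
    host, vm = parse_routes(HOST_ROUTES), parse_routes(VM_ROUTES)
    for dst in ("8.8.8.8", "200.1.1.1", "81.95.5.34"):
        print(dst, "host:", lookup(host, dst)[2], "vm:", exit_iface(vm, host, HOST_IPS, dst))
```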

  • There's already an anomaly since eno1, part of the br0 bridge, and br0 both have an IP. Only br0 should have an IP (or neither of them, but that's a different config requiring an additional pair of veth), preferably from a config with eno1 enslaved first to inherit its MAC address, which wasn't the case here. Is it mandatory for the VM to be in the "physical" LAN instead of a routed/NATed LAN? The latter case should be easier to handle. So why is the setup as it is? – A.B Aug 28 '18 at 17:53
  • So br0 should have the MAC address of eno1 and eno1 shouldn't have an IP address (but br0 should)? I'll try to achieve that. The VM needs internet access and a connection to the host (for an NFS share). I actually don't know if being part of the physical device is needed for that. There's no specific reason why it is as it is. I just tried many things, because none of the tutorials (on the Arch Wiki, on StackOverflow, on many forums) worked. – theo_retiker Aug 28 '18 at 19:16
