
VPN server on virtual box, clients can't access LAN

Posted: Sat Mar 13, 2021 8:51 am
by flimbar
I have a SoftEther VPN server running on Debian Linux in a VirtualBox guest hosted on OS X Snow Leopard.

The VirtualBox guest ethernet adapter is bridged (promiscuous mode) so that the Linux VirtualBox guest appears on the same subnet as the VirtualBox host.
The VirtualBox host has IP address and the VirtualBox guest (VPN server) is ; they both get their IP addresses from the DHCP server/router on my LAN, can both ping any machine on the LAN, and both have full internet access via the router.

I have set up the vpn server with a bridge between the virtual hub and the physical ethernet (virtualbox guest adapter).

I have set up port forwarding on my router so that the VPN server ports are forwarded to my server.

When I connect with vpn client from offsite over the internet, the client gets an IP address from the DHCP server on my LAN.

I can ping the VirtualBox host from the client, but nothing else on the network.
If I try to ping the server-side router or any other IP address on the server-side LAN I get "no route to host".

It looks like the layer 2 bridge is working (when I disable the bridge the client DHCP request hangs), but some routing at layer 3 is not working.

When I run the vpn server on a physical machine on the same LAN with the same server config and same client config I have no problems i.e. the remote client can connect to any machine on the LAN via the VPN.

Here is the routing table on my client, which is the same for the working (physical machine) and non-working (VirtualBox) VPN servers:


Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UG        0 0          0 vpn_vpn
                                                UGH       0 0          0 enp0s3
                                                U         0 0          0 enp0s3
                                                U         0 0          0 vpn_vpn

is the client side LAN
is the internet address of my vpn server (not really)
is the server side LAN

I can't figure out why it is getting stuck between the VirtualBox host and the LAN.

If you are wondering why I want to run the server under VirtualBox, it is because my always-on server machine is locked away, and if I screw up the networking while setting up a VPN server or whatever then I have to go and physically reset the machine; with a virtual server I can screw it up and just reboot the virtual machine remotely.

Re: VPN server on virtual box, clients can't access LAN

Posted: Sun Mar 14, 2021 8:25 am
by solo
flimbar wrote:
Sat Mar 13, 2021 8:51 am
I can't figure out why it is getting stuck between the virtualbox host and the LAN.
You have not mentioned anything about the host's firewall. It is the only obstacle between the clients and the LAN.

I have a similar setup. VirtualBox v6.1 on a Linux host with a bridged SE server in a Windows guest is working flawlessly. My VB net:
If it is not the firewall, then maybe try a different adapter type, should it have something to do with promiscuous mode issues.

Re: VPN server on virtual box, clients can't access LAN

Posted: Mon Mar 15, 2021 4:16 pm
by flimbar
Thanks for the advice.

I've figured out it is something to do with WiFi.

When the VirtualBox host is connected to the LAN by wire then it all works, regardless of which VirtualBox host machine I use (Windows or Mac).

When the host is connected by WiFi then I get the problem of VPN clients not being able to get to the router, even though the VirtualBox guest can access the router via the host's bridged WiFi connection.

I can't see any setting I can change on my router. I presume all the firewall settings apply between the internet and the LAN, not between machines on the LAN/WiFi.

I guess the next thing to try is whether the server works running on a physical machine on the WiFi. Perhaps running as a guest on VirtualBox is a red herring.
I suspect that it is WiFi that's the problem, as another post says "Promiscuous mode will not supported on WiFi."

Re: VPN server on virtual box, clients can't access LAN

Posted: Mon Mar 15, 2021 9:37 pm
by solo
Yes, WiFi is different...
Bridging to a wireless interface is done differently from bridging to a wired interface, because most wireless adapters do not support promiscuous mode. All traffic has to use the MAC address of the host's wireless adapter, and therefore Oracle VM VirtualBox needs to replace the source MAC address in the Ethernet header of an outgoing packet to make sure the reply will be sent to the host interface. When Oracle VM VirtualBox sees an incoming packet with a destination IP address that belongs to one of the virtual machine adapters it replaces the destination MAC address in the Ethernet header with the VM adapter's MAC address and passes it on. Oracle VM VirtualBox examines ARP and DHCP packets in order to learn the IP addresses of virtual machines.
It may be counter-intuitive but in this case try to actually disable promiscuous mode and perhaps then the VB WiFi MAC Address Spoofing will work correctly.
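The manual text solo quotes describes two different bridging mechanisms, and the difference matters for traffic that merely transits the guest, such as SoftEther clients behind the guest's layer 2 bridge. The model below is an added example, not VirtualBox or SoftEther code: a wired bridge that leans on the NIC's promiscuous mode and passes frames unchanged, beside a Wi-Fi bridge that stamps the host's MAC on every outgoing frame, learns guest IP addresses from ARP and DHCP, and hands an incoming frame to the guest only when its destination IP is in that learned table. All MAC and IP addresses are constructed sample values, and the model assumes nothing about which addresses the real bridge learns for traffic that transits the guest (that is the open question in this thread); it only shows that an address the Wi-Fi bridge never learned stays with the host and never reaches the guest, while the wired bridge delivers on MAC alone.

```python
# Constructed model (added example, not VirtualBox or SoftEther code) of the
# two bridging behaviours in the quoted manual text: a wired bridge that relies
# on the NIC's promiscuous mode, and a Wi-Fi bridge that rewrites MAC addresses
# and learns guest IP addresses from ARP and DHCP. Frames are dicts; every MAC
# and IP address below is a constructed sample value.

HOST_MAC = "aa:aa:aa:aa:aa:01"        # host's physical adapter
VM_MAC = "08:00:27:00:00:01"          # VirtualBox guest adapter
VPN_CLIENT_MAC = "5e:00:00:00:00:02"  # a VPN client behind the guest's L2 bridge
ROUTER_MAC = "00:11:22:33:44:55"      # LAN router
BROADCAST = "ff:ff:ff:ff:ff:ff"

VM_IP, VPN_CLIENT_IP, ROUTER_IP = "192.0.2.20", "192.0.2.30", "192.0.2.1"


def frame(src_mac, dst_mac, src_ip, dst_ip, proto="ip", **extra):
    """Minimal Ethernet+IP frame as a dict; extra keys carry ARP/DHCP fields."""
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, **extra}


class WiredBridge:
    """Bridged networking on a wired NIC. The adapter is promiscuous, so frames
    pass unchanged in both directions; the bridge only remembers which source
    MACs it saw on the guest side, like any learning bridge."""

    def __init__(self, host_mac):
        self.host_mac = host_mac
        self.guest_side_macs = set()

    def outbound(self, f):
        self.guest_side_macs.add(f["src_mac"])
        return dict(f)                    # guest (or VPN client) MAC goes on the wire as-is

    def inbound(self, f):
        if f["dst_mac"] == self.host_mac:
            return "host"
        if f["dst_mac"] in self.guest_side_macs or f["dst_mac"] == BROADCAST:
            return "vm"
        return "flood"                    # unknown unicast: offered to both sides


class WirelessBridge:
    """Bridged networking on a Wi-Fi NIC as the quoted manual text describes:
    outgoing frames get the host's MAC, guest IPs are learned from ARP/DHCP,
    and an incoming frame reaches the guest only if its destination IP is known."""

    def __init__(self, host_mac):
        self.host_mac = host_mac
        self.ip_to_mac = {}               # learned guest IP -> guest adapter MAC

    def outbound(self, f):
        if f["proto"] == "arp":
            self.ip_to_mac[f["src_ip"]] = f["src_mac"]   # sender IP/MAC pair
        out = dict(f)
        out["src_mac"] = self.host_mac    # the AP only accepts the host's own MAC
        return out

    def inbound(self, f):
        if f["proto"] == "dhcp" and "yiaddr" in f:
            self.ip_to_mac[f["yiaddr"]] = f["chaddr"]    # offer/ack assigns yiaddr to chaddr
        mac = self.ip_to_mac.get(f["dst_ip"])
        if mac is None:
            return "host", dict(f)        # unknown destination IP: stays with the host
        out = dict(f)
        out["dst_mac"] = mac              # rewrite so the guest adapter accepts it
        return "vm", out


def demo():
    """Send the router's replies to the guest and to a VPN client address through
    both bridges and record who receives each one."""
    r = {}
    wired = WiredBridge(HOST_MAC)
    wired.outbound(frame(VM_MAC, BROADCAST, VM_IP, ROUTER_IP, proto="arp"))
    wired.outbound(frame(VPN_CLIENT_MAC, BROADCAST, VPN_CLIENT_IP, ROUTER_IP, proto="arp"))
    r["wired_reply_to_vm"] = wired.inbound(frame(ROUTER_MAC, VM_MAC, ROUTER_IP, VM_IP))
    # the VPN client's MAC is foreign to the host, but promiscuous mode still picks it up
    r["wired_reply_to_client"] = wired.inbound(
        frame(ROUTER_MAC, VPN_CLIENT_MAC, ROUTER_IP, VPN_CLIENT_IP))

    wifi = WirelessBridge(HOST_MAC)
    on_air = wifi.outbound(frame(VM_MAC, BROADCAST, VM_IP, ROUTER_IP, proto="arp"))
    r["wifi_src_mac_on_air"] = on_air["src_mac"]
    # over Wi-Fi every reply comes back addressed to the host's MAC
    who, delivered = wifi.inbound(frame(ROUTER_MAC, HOST_MAC, ROUTER_IP, VM_IP))
    r["wifi_reply_to_vm"] = who
    r["wifi_rewritten_dst_mac"] = delivered["dst_mac"]
    reply_to_client = frame(ROUTER_MAC, HOST_MAC, ROUTER_IP, VPN_CLIENT_IP)
    r["wifi_client_before_learning"] = wifi.inbound(reply_to_client)[0]
    # once the bridge has seen a DHCP ack for the client's IP, delivery flips
    wifi.inbound(frame(ROUTER_MAC, HOST_MAC, ROUTER_IP, VPN_CLIENT_IP, proto="dhcp",
                       yiaddr=VPN_CLIENT_IP, chaddr=VPN_CLIENT_MAC))
    r["wifi_client_after_learning"] = wifi.inbound(reply_to_client)[0]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints one line per outcome: the wired bridge delivers to the guest side on MAC alone, whereas the Wi-Fi bridge sends every frame out as the host and delivers a reply to the guest only after its destination IP has been learned, so any address the bridge did not see in ARP or DHCP lands with the host. When testing a setup like flimbar's, comparing the host's ARP table with the guest's and watching the DHCP exchange on both sides of the bridge is the practical way to see which addresses the bridge has actually learned.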