qemu-discuss

Guest machine cannot reply via host's VPN


From: May Doušak
Subject: Guest machine cannot reply via host's VPN
Date: Tue, 10 Dec 2024 09:16:32 +0100
User-agent: Mozilla Thunderbird

Hi all,

I'm transitioning to QEMU from Virtualbox and have so far migrated one machine (home assistant OS [linux] guest).
It's been working OK, but there's one issue I can't solve: when I connect to the host (openvpn server) via VPN from external network, the guest cannot reply to me ("connection reset by peer").

Inside LAN, everything works fine (guest can see and reply to requests), the guest can also access the web - it just doesn't see the 10.8.0.0/16 network that VPN TUN uses.
From virtualbox, it also saw the VPN net (I set up a virtualbox "bridge" and let it do the magic automatically) but here it does not.

I guess I'm missing a route or forward rule?

Thanks,

May

--
Some further details:
QEMU/VPN/Virtualbox HOST IP: 192.168.99.20
QEMU guest static IP: 192.168.99.19
OPENVPN net: 10.8.0.0/24
Guest has a guest-specific network (no QEMU "default"): iface type:bridge, source bridge: br0, target dev=vnet2, model=virtio
physical device enp1s0 is enslaved to br0 bridge
openvpn creates TUN0 network

root@R3:~# nmcli connection show
NAME    UUID                                  TYPE      DEVICE 
br0     c66d9827-b2f3-4ab3-bfdd-6d1e5ffe383e  bridge    br0    
10G-BR  08aa8e2b-df95-408d-aeb2-a7f2b04ebf23  ethernet  enp1s0 
lo      e886dbf1-d7fd-4af3-a796-3e03a905db70  loopback  lo     
tun0    52629a83-8049-4f8e-992b-2a720abbf857  tun       tun0   
vnet2   cc718301-2dc7-4691-afb4-dcc4f6e6e317  tun       vnet2 


root@R3:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 04:92:26:d1:21:4a brd ff:ff:ff:ff:ff:ff
3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 74:fe:ce:ea:d6:dc brd ff:ff:ff:ff:ff:ff
13: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ea:6e:5b:0a:b2:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.20/24 brd 192.168.99.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 2a00:ee2:1205:fc00:6e3:89aa:7e1d:f181/64 scope global temporary dynamic 
       valid_lft 889sec preferred_lft 889sec
    inet6 2a00:ee2:1205:fc00:210f:23c8:b78a:3007/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 889sec preferred_lft 889sec
    inet6 fe80::cfb8:a019:63af:9832/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
16: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:72:34:28 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe72:3428/64 scope link 
       valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.8.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ae8f:b2f9:8f98:a495/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever



root@R3:~# route 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    425    0        0 br0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.99.0    0.0.0.0         255.255.255.0   U     425    0        0 br0

And finally, some firewall rules on the host to make both LAN and WAN accessible via VPN:

root@R3:~# iptables -A FORWARD -o br0 -i tun0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
root@R3:~# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@R3:~# iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
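Added example (not from the post or from QEMU/OpenVPN): a small Python model of the host tables quoted above that walks the first VPN-client packet through the host's routing table and FORWARD chain, and then the guest's reply path, once with the posted MASQUERADE rule and once without it. The guest routing table (default via an assumed LAN router 192.168.99.1) is an assumption; the post does not show it.

```python
import ipaddress

# Host tables copied from the post (`route` and `iptables` output).
HOST_ROUTES = [("0.0.0.0/0", "br0", "_gateway"),
               ("10.8.0.0/24", "tun0", None),
               ("192.168.99.0/24", "br0", None)]
FORWARD_RULES = [{"in": "tun0", "out": "br0", "src": "10.8.0.0/24",
                  "states": {"NEW"}, "target": "ACCEPT"},
                 {"states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}]
MASQ_OUT = "br0"            # -t nat -A POSTROUTING -o br0 -j MASQUERADE
HOST_BR0_IP = "192.168.99.20"
# Assumed guest table (not in the post): on-link LAN, default via the LAN router.
GUEST_ROUTES = [("0.0.0.0/0", "eth0", "192.168.99.1"),
                ("192.168.99.0/24", "eth0", None)]

def lookup(routes, dst):
    """Longest-prefix match: returns (iface, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, gw)
    return None if best is None else best[1:]

def forward_verdict(src, in_iface, out_iface, state):
    """First matching FORWARD rule wins; no match falls through to the chain policy."""
    for r in FORWARD_RULES:
        if r.get("in", in_iface) != in_iface or r.get("out", out_iface) != out_iface:
            continue
        if "src" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"]):
            continue
        if state in r["states"]:
            return r["target"]
    return "POLICY"

def trace(client, guest, masquerade=True):
    """Host path of the first client->guest packet, plus the guest's reply next hop."""
    out_iface, _ = lookup(HOST_ROUTES, guest)
    verdict = forward_verdict(client, "tun0", out_iface, "NEW")
    # With MASQUERADE on br0 the guest sees the host's br0 address as the source.
    src_seen = HOST_BR0_IP if masquerade and out_iface == MASQ_OUT else client
    _, reply_gw = lookup(GUEST_ROUTES, src_seen)
    return {"host_out": out_iface, "forward": verdict,
            "src_seen_by_guest": src_seen, "reply_via": reply_gw or "on-link"}

if __name__ == "__main__":
    print(trace("10.8.0.2", "192.168.99.19"))
    print(trace("10.8.0.2", "192.168.99.19", masquerade=False))
```

Without the masquerade the guest's reply to a 10.8.0.x source follows its default route to the LAN router instead of back to the host, which is the kind of missing route the post is asking about; the model does not cover conntrack state or bridge-netfilter, so treat it as a reasoning aid rather than a diagnosis.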