4

I have the following configuration:

  • Windows 10 Host
  • Hyper-V running on host
  • Windows 10 Guest
  • AnyConnect VPN optionally running on host

Desired Behavior:

  • The guest OS to have internet connectivity whether or not the host is connected to the VPN
  • The guest OS to have access to VPN resources when the host is connected to the VPN

As described here (and similarly on other blogs etc.) I ran the following commands on the host:

New-VMSwitch -SwitchName "WindowsNAT" -SwitchType Internal
New-NetIPAddress -IPAddress 192.168.50.1 -PrefixLength 24 -InterfaceAlias "vEthernet (WindowsNAT)"
New-NetNAT -Name "WindowsNAT" -InternalIPInterfaceAddressPrefix 192.168.50.0/24

Then I:

  • Changed the guest to use WindowsNAT
  • Changed the guest TCP settings to:
    • Static IP: 192.168.50.3
    • Netmask: 255.255.255.0
    • Gateway: 192.168.50.1
    • DNS Primary: 8.8.8.8
    • DNS Secondary: 4.2.2.1

Actual Behavior:

  • Internet connectivity on the guest when the host is not connected to the VPN.
  • No internet connectivity on the guest when the host is connected to VPN
  • No VPN connectivity on the guest when the host is connected to VPN

Additional Information:

  • The VPN is full tunnel
  • The behavior I want works out of the box with VirtualBox

Any advice on how I can make this work? Does my sysadmin need to set up split-tunnel? If so, how can VirtualBox accomplish the same behavior using full tunnel?
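To compare the host's NAT and routing state with AnyConnect disconnected and connected for the setup in the question, the following added diagnostic (not part of the original post) snapshots the relevant settings to JSON and lists what changed. The function names and the snapshot file location are made up for this example; the switch name, interface alias and prefix are the ones from the question.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the host.
# Switch name, alias and prefix come from the question; function names are hypothetical.
$SwitchName = 'WindowsNAT'
$Alias      = "vEthernet ($SwitchName)"
$NatPrefix  = '192.168.50.0/24'

function Get-NatHostSnapshot {
    # Collect only the settings the question's three commands create, plus host routing.
    [pscustomobject]@{
        Switch        = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue |
                        Select-Object Name, SwitchType
        Gateway       = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                        Select-Object IPAddress, PrefixLength
        Nat           = Get-NetNat -ErrorAction SilentlyContinue |
                        Select-Object Name, InternalIPInterfaceAddressPrefix, Active
        DefaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
                        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
        NatRoutes     = Get-NetRoute -DestinationPrefix $NatPrefix -ErrorAction SilentlyContinue |
                        Select-Object InterfaceAlias, NextHop, RouteMetric
        Interfaces    = Get-NetIPInterface -AddressFamily IPv4 |
                        Select-Object InterfaceAlias, InterfaceMetric, Forwarding, ConnectionState
    }
}

function Save-NatHostSnapshot([string]$Label) {
    # Writes the snapshot to %TEMP% and returns the file path.
    $path = Join-Path $env:TEMP "nat-snapshot-$Label.json"
    Get-NatHostSnapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $path
    $path
}

function Compare-NatHostSnapshot([string]$Before, [string]$After) {
    # Prints entries present in only one snapshot: "-" = before only, "+" = after only.
    $a = Get-Content $Before -Raw | ConvertFrom-Json
    $b = Get-Content $After  -Raw | ConvertFrom-Json
    foreach ($section in 'Switch', 'Gateway', 'Nat', 'DefaultRoutes', 'NatRoutes', 'Interfaces') {
        $old = @($a.$section | Where-Object { $null -ne $_ } | ForEach-Object { $_ | ConvertTo-Json -Compress })
        $new = @($b.$section | Where-Object { $null -ne $_ } | ForEach-Object { $_ | ConvertTo-Json -Compress })
        "== $section =="
        $old | Where-Object { $_ -notin $new } | ForEach-Object { "- $_" }
        $new | Where-Object { $_ -notin $old } | ForEach-Object { "+ $_" }
    }
}

# Usage: take one snapshot per VPN state, then diff them.
#   $off = Save-NatHostSnapshot 'vpn-off'     # AnyConnect disconnected
#   $on  = Save-NatHostSnapshot 'vpn-on'      # AnyConnect connected
#   Compare-NatHostSnapshot $off $on
```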

2 Answers

0

I have researched this issue for a long time. There is a simple solution (or maybe workaround?) but I can't really explain why it works.

I replicated the scenario described in the question and experienced the problem: no internet on VM when host is connected to Cisco AnyConnect VPN.

On your host, go to the Control Panel -> Network and Sharing Center -> Change adapter settings. Right-click on your Cisco AnyConnect Secure Mobility Client Connection and choose 'Properties'. Go to the 'Sharing' tab and check 'Allow other network users to connect through this computer's Internet connection' and 'Allow other network users to control or disable the shared Internet connection'. Here's the magic: In the 'Home networking connection:' drop-down you choose the Default Switch for your Hyper-V (I've named my own vEthernet (Default Switch)). Click OK and test the internet connection on your VM.

Someone better than me might be able to explain why this works but it does! There are some drawbacks: When VPN is disconnected on the host and you reconnect VPN you may have to redo the sharing bit. When the host restarts you must redo the steps described above.

Hope it helps some of you! Cheers!

0

Here are the issues I was experiencing with AnyConnect and the guest VM, and I'll tell you what fixed it for me.

The solution by MatthiasPettersson doesn't work anymore because the Default Switch doesn't show up in the list of network adapters. It's either hidden (Windows 11), or else using some other mechanism. I'm not sure when that behaviour changed... but that's how it is now.

  • Guest OS could not access the internet while AnyConnect on the host was connected to the VPN.
  • Host could not establish a secure network connection to the guest: "Trust Relationship Between This Workstation And The Primary Domain Failed"
  • Domain resolution was not working correctly. Previously I needed to use guestosname.mshome.net to access my VM named guestosname, but recently that also stopped working.

The solution: Uninstall Hyper-V, then reinstall it. You can do this via the "Windows Features" menu (run command: optionalfeatures). After I did this, every issue listed above was resolved without further changes.