VirtualBox: VPN networking test environment

Question

I want to setup VirtualBox instances of Ubuntu guest to make a VPN test network. The host is Windows 7 Ultimate.

My hope is to setup a VirtualBox instance which represents a gateway for the test network. Additional nodes could be added to this network as needed.

Putting VPN configuration aside, I'm concerned with the required virtual networking configuration required for this test.

1) What would I need to get this to work? Host-only networking?

2) How do I make an instance to become a gateway? This post does not elucidate this point

3) How many instances minimum are required for this?

4) what ifconfig and route commands do i need to run (or add to configuration) in order to create a gateway node and other nodes behind the gateway?

Answer 1

I've done a similar setup. Let me clarify right off the bat that my VPN went from VM1, through VM2 (acting as gateway) to end at VM3 -- the host was not involved. If this isn't what you're looking for, stop reading right here.

If you're still with me, I'll answer your questions in a slightly different order:

3) You'll need a minimum of 3 instances. 4 if you want to test accessing additional systems inside your simulated LAN (e.g. for testing the VPN in a "road warrior" or other telecommuting environment where you need to access multiple services inside the remote network).

1) Use "private networking". Set up two named networks, e.g. "LAN" and "Internet". Your gateway VM will need two interfaces, one on each of these networks; your "outside" VM(s) will need a single interface on the "Internet" network, while your "inside" VM(s) will need a single interface on the "LAN" network.

2) Making a VM a gateway is not a function of VirtualBox. I continue to hope that they'll eventually provide an in-built means of connecting different networks in different ways, but until then you will need to do this part yourself. There are easily dozens of ways to do this with an Ubuntu VM; my preferred method is with Shorewall, which you'll want the two-interface example config included in the shorewall-doc package in Aptitude (also on their website): apt-get install shorewall-perl shorewall-doc (it might be just shorewall now, not shorewall-perl, as the old shorewall-shell is now dead and gone; either way you'll still want shorewall-doc). If you have questions setting this, up Google (you're making a Linux box a router/firewall) or ask separately, as the scope is well beyond what's appropriate for a sub-question here.

Answer 2

I've recently done something similar to this, using a VirtualBox Machine as a gateway, although my gateway device was running m0n0wall, which serves as an internal DHCP server and was being used as a captive portal, I reccomend you use this.

(have a look at my question to see if that helps)

On my host machine I had 4 VMS, three client and one gateway device. The gateway device was running m0n0wall, a BSD-based distro, and was configured with two network cards, one set as a bridged adaptor (and this would go to the internet) and the other would be a internal connection. The three guest clients would also be connected to the internal network, and the m0n0wall VM would be configured as the DHCP server and the gateway so all traffic was passed through the m0n0wall VM.

In my (rather poor) picture below, the green box is the host machine, the black boxes are the guest VMS, the red is the internal network connection, and the green is the bridged cable to the outside world. The monowall VM will have to do the portforwarding and may have VPN support off the bat, although I've not looked into that part.

Answer 3

Basic information

I created a lab at home a few days ago. I used VMware Workstation but it should work with virtualbox too:

First, I set up all VMs that belong to my lab as "host only networking" (even the gateway, but I come to this in a few words...).

You need one VM to be the gateway. For this purpose I used a Debian 6. First I set it up as host-only-networking. The automatically added NIC will be the internal interface for your VMs that belong to the lab. Then I added an additional NIC that is bridged to my physical NIC (this will be the "external" NIC). I configured static IPs for my gateways internal NIC and configured the lab-DHCP (runs on a Windows 2008 R2 Server) to tell his clients the internal-ip of my gateway to use it as default-gateway. My external NIC needs an IP of my LAN to communicate with my regular gateway and the internet (this external NIC needs your regular-lan-gateway-ip to be configured as default gateway since this IS your lan-gateway).

In order to get your lab-gateway working as a gateway, it's neccessary to activate routing:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then you have to add your desired services like your VPN-service (my gateway runs DNS as well). You have to configure your services and iptables/firewall (basic NAT, rules to accept VPN-requests etc.).

With this environment, you can use your local network to simulate WAN. Set up a VPN-Client on your windows-host and try to connect to the "external-ip" (the regular-lan-ip) of your lab-gateway.

Edit: configure a linux-gateway

I assume, that your desired gateway-VM was installed as host-only-networking-VM and got an additional NIC bridged to your physical NIC. I used debian but it should work with ubuntu. I don't know if zeroconf disturbs manual configurations. I think ubuntu server will be more friendly to manual network configurations. If you have problems with ubuntu, try debian.

At first, you have to make sure that your gateway has a static internal IP. You configure that in /etc/network/interfaces. Here is my example-configuration:

root@lab-fw01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

#external interface
auto eth0
iface eth0 inet static
        address 192.168.69.2
        network 192.168.69.0
        netmask 255.255.255.0
        gateway 192.168.69.1

#internal interface
auto eth1
iface eth1 inet static
        address 10.0.0.1
        network 10.0.0.0
        netmask 255.255.255.0

In my environment, the lab-gateway is at 10.0.0.1. That means, you have to configure the default-gateway of your clients to 10.0.0.1 (maybe via DHCP).
Internet-traffic will be forwarded to the gateway of my lab-gateways external interface (192.168.69.1), since the network-traffic is destined for an external IP-Subnet.
To get your firewall forwarding traffic for your clients, you have to enable ipv4-forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Your next step is to configure iptables. Because explaining how to configure iptables would oversize my answer, I'll just lead you to a good basic tutorial for iptables.

However, basic configurations for iptables may be:

• MASQUERADE all your outgoing traffic
• FORWARD ESTABLISHED and RELATED traffic to your internal network
• FORWARD outgoing traffic
• allow INPUT traffic for ssh

That's all you have to do to get the gateway running. If you're ready with this and tests are ok, you can start to install your VPN-server and configure it. Remember to add rules for VPN to iptables to allow VPN-traffic.