I’ve attempted to create a VM on my ubuntu host machine that is accessing the internet via a dedicated VPN app. I’m able to disconnect my host VPN and access the web within the VM, but cannot access the web when the host VPN is enabled. Ideally I’d like to enable the VPN on the host and pass through web access to the VM.

I have two questions:

  1. If my use case is to use a VM to increase privacy and security as well as isolate my operations within the VM from my host, is it better to have the VPN app from inside the VM or pass the host’s through to the VM?
  2. If it doesn’t make much of a difference, how can I go about passing the host’s VPN to the VM?

In either scenario, I’d still like to keep the host’s VPN active while being able to use the VM, which I currently cannot.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    7 months ago

    You might want to look at the qubes operating system architecture documents.

    For maximum privacy, you would want one container or VM to have access to the internet and run your VPN endpoint. This container would have firewall rules applied so it could only talk to the other side of the VPN on the internet interface. This container should also have another interface connecting to your guest VM.

    For your guest VM, it could only route traffic to the VPN container.

    You could also use network name spaces to do the same thing without containerization. Depending on your threat model and level of paranoia.

    The benefit of segmenting out the VPN program into its own working space, is that if there’s any bugs, any lapses, traffic doesn’t accidentally get to the main internet. It’s less leaky. Especially if you consider a hostile program running inside of your guest VM that’s trying to defeat any VPN program.