views: 6255
answers: 3

I saw this similar question for Hyper-V, but I don't think any of the answers there apply directly. If they do, please point me at the right one, and I'll close this as a dupe.

My question arises with using VMware's bridged networking - when I have X-many guests running in VMware Server, and I connect to my corporate VPN, none of the hosts "rebridge", they continue to get their IP address from my router.

If I start the VPN before starting VMware, the same behavior is seen.

Is there a configuration option I have merely missed somewhere that would put the guests onto the VPN also, getting their IPs from the DHCP server at the office, or is this a pipe dream at the moment?

A: 

In the future, you're going to want to provide a LOT more details if you expect someone to help you find a solution:

  1. What host OS?
  2. What router?
  3. What VPN client? Is it a function of the router, or the host OS?
  4. How were you planning to announce to your guests that the network routes had changed?

But even without all that data, I can give you some pointers ...

The usual way that a VPN works is that you instantiate a virtual network interface which has its own network address, and the network routing tables are changed to give the VPN interface preference for routing some or all packets. Thus requests to Google might go through your normal network, or they might be routed through the VPN and your company's network. Any packets that are routed to the VPN interface are encrypted and encapsulated and sent to the VPN server, which decrypts them and sends them on their merry way. Typically the VPN interface is assigned an IP address from the destination (work) network, but it can also be assigned addresses from a private network that is managed by the VPN server.

The usual way that bridged networking works is that the bridge switches the physical interface into promiscuous mode and assigns the virtual interfaces unique MAC addresses. When packets are sent from a virtual network interface in guest 1, the packet is sent out through the physical interface with guest 1's MAC address; when packets are received for that MAC address, the virtual bridge sends them on to the appropriate guest. This will require careful configuration of the host's routing tables as well. Note that if the guest OS is configuring its network interface via DHCP, it is going to get its IP address from the first DHCP server that sees its request, be it virtual bridge, host, or router.

Let's suppose you set up a VPN client on the host. If you don't configure the virtual bridge to connect to the VPN interface, all of your VM traffic is still going to go to the physical interface, which is what you've described.

The first thing to try is to see if you can configure VMware's virtual networking to bridge to the VPN interface instead of the physical Ethernet interface. This may not work -- I haven't tested it -- because virtual network interfaces aren't the same as physical network interfaces, and may not support the capabilities that VMware needs to establish a bridge.

If it does work AND you've got a static point-to-point VPN that is 'nailed up' all the time, then you're done. If you want to be able to turn the VPN on and off and have the guest VMs all 'do the right thing', then you're going to need to do some heavy scripting, such that when the VPN is connected, the VMware virtual networking is reconfigured, and vice versa.

If you can't configure VMware virtual networking to bridge to the VPN interface, then you're probably going to need to get very clever with your routing tables, possibly to include installing a routing service on your host (and possibly another in a VM, with all of the other VMs sharing a private network). Good luck -- that part of the map is labeled 'Here Be Dragons'.

Craig Trader
@W - it's an OS-agnostic question, and a VPN-agnostic one - I've seen the behavior under Linux and XP, OpenVPN and MS' PPTP; I did consider re-flashing my router with dd-wrt so I could hold the VPN connection open there, but don't want to brick it
warren
I hardly see how that equates to warranting a mark-down. A lot of the information in the answer still applies even if the points about providing more information aren't directly relevant in this instance.
FerretallicA
+1  A: 

I don't think you can do this with bridged networking, I've only ever been able to do this using NAT networking in VMware. I'm not sure exactly what you're wanting to do but if you're just trying to route your traffic through the VPN then NAT should work unless you need static IPs etc.

In addition to my own experiences I dug up this thread which seems to indicate the same:

Jay
+3  A: 

VMware bridging is a layer two service. VPN is a layer three service.

You might be able to do what you want via VMware NAT, but you won't be able to do it via a bridge.
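The hook below is an added example; it is not code from this thread, from VMware or from OpenVPN. It implements the approach the answers converge on: keep the guests off the bridge, on a VMware host-only network, and let the Linux host route and NAT their traffic into the tunnel while the VPN is up. That is the "heavy scripting" the first answer mentions, reduced to an OpenVPN `--up`/`--down` hook (OpenVPN runs hooks only with `--script-security 2` or higher, and sets `script_type` and `dev` in the hook's environment), and it is the layer-three route the last two answers point at. The host-only interface name vmnet1, the guest subnet 172.16.42.0/24 and the tunnel name tun0 are assumptions; adjust them to your setup. It covers the Linux/OpenVPN combination warren mentions, not the Windows/PPTP one.

```shell
#!/bin/sh
# Added example (not from the thread, not VMware's or OpenVPN's own code):
# an OpenVPN --up/--down hook that routes guests on a VMware host-only
# network through the tunnel. Assumed names: vmnet1, 172.16.42.0/24, tun0.
#
# Why this works where bridging does not: a bridged guest's frames are put
# on the physical NIC by MAC address and never consult the host's routing
# table, so the routes the VPN client installs (for example 0.0.0.0/1 and
# 128.0.0.0/1 via tun0) do not apply to them. A host-only guest sends to
# the host, which routes and NATs the packet, so those routes do apply.
#
# Install: openvpn --script-security 2 --up /etc/openvpn/vmnet-hook \
#                  --down /etc/openvpn/vmnet-hook ...
# OpenVPN sets script_type (up|down) and dev (tunnel name) when calling it.

GUEST_NET="${GUEST_NET:-172.16.42.0/24}"   # assumed vmnet1 subnet
GUEST_IF="${GUEST_IF:-vmnet1}"             # assumed host-only interface

# nat_rules ACTION TUNIF: print, one per line, the commands that add
# (ACTION=up) or remove (ACTION=down) forwarding and NAT for GUEST_NET via
# TUNIF. Printing rather than executing lets the caller review them first.
nat_rules() {
    _action="$1"; _tun="$2"
    case "$_action" in
        up)
            _op="-A"
            # Forwarding is left on at 'down': other services may rely on it.
            echo "sysctl -w net.ipv4.ip_forward=1"
            ;;
        down)
            _op="-D"
            ;;
        *)
            echo "nat_rules: unknown action '$_action'" >&2
            return 2
            ;;
    esac
    # Guest packets leaving via the tunnel are rewritten to the tunnel's
    # own address, the only source the VPN server will route replies to.
    echo "iptables -t nat $_op POSTROUTING -s $GUEST_NET -o $_tun -j MASQUERADE"
    # Forward only guest->tunnel and the replies; everything else falls to
    # the FORWARD chain's default policy, which should be DROP on a VPN host.
    echo "iptables $_op FORWARD -i $GUEST_IF -o $_tun -s $GUEST_NET -j ACCEPT"
    echo "iptables $_op FORWARD -i $_tun -o $GUEST_IF -d $GUEST_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules ACTION TUNIF: run each command nat_rules prints, stopping at
# the first failure so a half-applied rule set is reported, not hidden.
apply_rules() {
    _rules=$(nat_rules "$1" "$2") || return $?
    printf '%s\n' "$_rules" | while IFS= read -r _cmd; do
        echo "+ $_cmd" >&2
        eval "$_cmd" || { echo "hook: failed: $_cmd" >&2; exit 1; }
    done
}

# Called by OpenVPN: apply the rules. Called by hand with no OpenVPN
# environment: show the 'up' rules for tun0 without touching the system.
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
    apply_rules "$script_type" "$dev"
else
    echo "# dry run; OpenVPN would run these with script_type=up dev=tun0:"
    nat_rules up tun0
fi
```

Two caveats a practitioner will hit. This does not hand the guests addresses from the office DHCP server, which is what the question asks for: they keep their host-only addresses and appear on the VPN as the host's tunnel address, so anything on the office side that needs to reach a guest directly still will not work. And the guests' DNS is not changed by the VPN client; point them at a resolver that is reachable through the tunnel (or at the host, if it forwards DNS). To confirm on the host that a given office address really goes out via the tunnel rather than the LAN, `ip route get <office-address>` shows the interface the kernel picked.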