Nat – Windows 10 pro as a NAT between two interfaces (to route VM traffic trough a VPN connection on the host)

nat;networkingvpnwindows 10

I have a windows 10 pro host with VMs running in Hyper-V. The VMs are on a private LAN with the host. I would like to provide internet connectivity to the VMs, and have the VM traffic go through the VPN connection configured on the host. The particular software VPN (pulse secure) doesn't create an interface that is "bridgeable" with the vswitch.

My hyper-V VMs are on 192.168.4.0/24, and my windows 10 host has a virtual interface on 192.168.4.215/24 which I would like to use as a gateway for the VMs traffic. I would like to use the routing tables on the windows host to route traffic from the VMs on 192.168.4.0/24 to go through a VPN interface configured on the host.

I normally provide internet connectivity to VMs by putting them on a LAN, creating a virtual interface for the host on that same LAN, and then bridging the virtual interface to a physical interface (either a physical NIC or a wireless NIC). In this case however, VM traffic would bypass the software VPN configured on the windows host — I would like the VM traffic to be routed through the VPN, the same way that traffic from host applications are routed.

When I activate the VPN connection (pulse secure), a new virtual interface shows up on the host, at 10.0.0.100/32, and a default route is automatically added to the host's routing table to point to 10.0.0.100 as the default gateway. This effectively makes all of the external traffic generated by the windows host and its desktop applications go through the vpn interface.

I would like to configure the host to re-route/forward all incoming IP traffic from 192.168.4.0/24 onto the VPN interface, possibly NATed. Normally I would bridge the interfaces I want to connect together, but this particular vpn adapter will refuse to be bridged to anything.

Is there a way to achieve this in win10 pro, or do I need windows server? This is annoying also because this particular vpn software isn't well supported in Linux.

Best Answer

I've managed to get something working on Windows 10, by creating a HyperV NAT interface. I believe you'll need windows 10 pro for that. Win10 home doesn't have Hyper-V (yet).

This has worked quite well:

https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/setup-nat-network

Create a NAT interface using powershell using the instructions in the link above. There is apparently a limit of 1 such interface according to the documentation, but on my computer there are currently 2 active vNAT interfaces: one I've created myself, and one called DockerNAT, which got created by Docker for Windows. This step will give you a new vSwitch, and assign it an IP on the host.
In Hyper-V, edit the VM's settings to add a new network interface connected to the NAT switch interface created in step 1.
On the VM, assign the new nic a static IP on that NAT subnet (e.g. ip addr add dev ethX 192.168.0.100/24), and configure the default gateway to be the vSwitch IP, e.g. (route add default gw 192.168.0.1 ethX)
Add any nameserver to /etc/resolv.conf (e.g. echo "nameserver 8.8.8.8" >> /etc/network/interfaces)

The effect of using the NAT interface is that the traffic coming out of any VM using the NAT vSwitch will be masqueraded behind the gateway IP (192.168.0.1 in my example), and will be re-routed internally using the routing table of the windows host. So, when I turn on the VPN, this will re-route all the Natted traffic to the VPN too.

There are many cases where I want to access the VM from the host directly, which the NAT makes difficult (everything will be behind 192.168.0.1). Rather than doing a bunch of dynamic port forwarding (which is also possible too with powershell), I've simply created another internal network between the host and the VM that is not NAtted (e.g. 192.168.5.0/24).

Related Solutions

How to Route Different Traffic Through Different Network Interfaces in Windows

The command you're looking for is route add:

route | Microsoft Docs

For your setup, I think the syntax is:

route add 10.183.0.0 mask 255.255.0.0 10.183.148.5

This will send all the traffic for 10.183.x.x to the next hop address of 10.183.148.5 which your system already knows is off of your ethernet nic, and any traffic that doesn't match a route, will be grabbed by your default route and head through your 3g connection. It also looks like your network assigns multiple routers, so you might want to double it up and add the routes for 10.183.148.6 and .7 as well.

You might need to be careful if your network has stuff not in the 10.183 range, you may need to add more routes. You may also be able to get away with routing all of 10.0.0.0/8 to your corporate network, since windows will have a more specific route, but i'm not 100% sure on that since your 3g card is giving you an IP in the 10.x.x.x range.

How to keep general internet traffic off Windows 2008 R2 VPN and only handle VPN traffic

Use the CMAK to create a connectoid that has the option to not use the remote connection as the default gateway. Deploy that connectoid to your users. If you can't deploy the connectoid, simply have your users edit the properties of the connection thusly: Properties >> Networking Tab >> TCP/IP v4 properties >> Advanced >> Disable "Use default gateway on remote network". Works like a charm.

Best Answer

Related Solutions

How to Route Different Traffic Through Different Network Interfaces in Windows

How to keep general internet traffic off Windows 2008 R2 VPN and only handle VPN traffic

Related Topic