openvpn + parallels desktop

Discussion in 'Installation and Configuration of Parallels Desktop' started by typefour, Nov 4, 2011.

  1. typefour

    typefour Bit poster

    I'm trying to route all traffic on a Windows 7 guest to an OpenVPN connection on the Mac host. I'm having trouble doing this. So far I've connected to the VPN fine on the host, but can't seem to get the traffic diverting from the guest.

    OpenVPN is 10.8.0.0/24 and forwarding/natd is running on .1

    I've tried doing a host-to-host connection, and running natd/ipfw from the host on tun0, but no packets from vnic1 (the host-to-host connection) ever hit the divert rule, which is: ipfw add divert natd ip from any to any via tun0

    I've added a route on the guest and set my default gateway to my host's vnic1. But again, no luck.

    If I could just do sharing on tun0, that would also work, but tun0 doesn't show up under the adapters to do it for. Any help or workarounds are appreciated, thanks.
     
  2. typefour

    typefour Bit poster

    Is there something in the vnic* adapters that would cause the packets to be dropped? Some security mechanism perhaps?

    Edit: what is weird is that a 'tcpdump -n -i vnic1' isn't showing any of the traffic going to and from my machine, even an HTTP request from guest to host. It's just broadcasts and ARP requests. I think this could be symptomatic of why the guest's packets aren't hitting the divert rule.

    Any help much appreciated.
     
    Last edited: Nov 4, 2011
  3. Elric

    Elric Parallels Team

    Hi,
    tcpdump really will not work on vnics (it is not supported at the moment), but this should not prevent the setup you described. A couple of years ago I configured something similar to this and it worked, but the setup was not easy and there were a couple of non-obvious things.

    May I ask, do you really need to configure this? The VM should be able to access a VPN connection established on the host in plain Shared Networking mode, without setting up NAT.

    Also, you mentioned tun0. It is unclear what you mean. If you are using Apple's nat/ipfw, I believe that you don't need anything except vnic1. But if you need tun/tap functionality, you can install the Mac OS tun/tap driver and bridge the VM to it.

    To sum up: unfortunately it is almost impossible to help you remotely with the setup you described. But maybe you'll find something useful above.
     
  4. typefour

    typefour Bit poster

    Well, the thing is I don't want all traffic on the host to route through the VPN, I just want the VM to get tunneled through the VPN. The VPN will serve as a gateway, is set up to do forwarding, etc. I just ignore that particular directive in my client config.

    For reasons unrelated, and ones that I hate my life for, I can't just VPN directly from the guest OS. tun0 is the interface that OpenVPN sets up on connect (on the Mac host), and I can't share that because it doesn't show up as an option to share from, either under the network preferences pane or inside the Parallels configuration itself.

    I thought I could natd from my host OS and route everything through tun0, but the issue is nothing ever hits the natd rule in ipfw from the guest. I can ping the gateway (the vnic1), and it's definitely my default route 0.0.0.0/0.0.0.0, but inside of OS X ipfw shows 0 packets hitting the divert rule when I try to do anything inside the VM.

    Sure, I can share the main wired connection from the guest, but I don't want the guest accessible to the external, or my internal networks.

    Thanks for your help. Any further ideas would be appreciated (mainly if I could just directly share my tun0 interface that OpenVPN sets up to my guest, that would be awesome and likely solve all problems immediately). But it doesn't show up, as I said, and I cannot find out how to make it do so. (I appreciate the fact that it is more of an OpenVPN/OS X issue, and has nothing to do with Parallels.)

    Thanks
     
    Last edited: Nov 4, 2011
  5. Elric

    Elric Parallels Team

    Hm... a couple of ideas, maybe you'll find them useful: I don't know whether it is possible on Mac, but remove the IP address from tun0 (using ifconfig), tune the VM to use this IP address (that was previously on tun0), enable IP forwarding on the Mac and set up routing on the host to route all traffic from the VM to tun0...

    Another option is to try to set up a firewall and forbid access to this VPN subnet to anyone except prl_naptd (the VM is in Shared Networking).

    Or tune the firewall in the Windows VM to allow traffic only to the VPN subnet. AFAIK the Windows 7 firewall allows this.
     
