So I work at a client site and we are given a Cisco VPN to use to access the internal network. This runs on our company laptops. The VPN creates a single tunnel so we don't have any outside network access so my solution was running the VPN in a VM for the internal network and outside the VM for everything else (company software, email, TWW).

I'd ideally like to just have a VM running on a remote computer and just remote into that VM which runs the VPN instead of having to run the VM on my laptop (internet is fast enough, save memory, resources etc). Obviously when the VPN is running I can't remote into the actual VM. My solution is remoting into the host machine and maximizing the VM. I don't really want to do this as it ties up the host machine.

This is mostly beyond my networking knowledge. I've tried a multitude of things but how would I open up just that one port on the network adapter (not the Cisco adapter) to remote into the VM? I don't know if this is even possible.

Any suggestions? Or some direction?

2/1/2013 12:20:58 PM

Where is the VM located?

2/1/2013 12:56:19 PM

My living room.

2/1/2013 12:59:47 PM

Going to try virtualboxes remote display feature.

2/1/2013 1:54:08 PM

I'm really confused as to how you have no internet access when connected to the VPN. Just set the vpn connection so that only traffic bound for that network goes over that device. Are you sure you don't have connectivity and it's not just a DNS issue?

2/1/2013 10:29:24 PM

It's a single tunnel VPN. It specifically cuts all traffic to all interfaces. That's the whole point of it. Maybe there's a way around but from what I'm read you can't really get around it.

2/1/2013 10:42:03 PM

try setting the VPN's NIC to a metric of 100 and your LAN to 10

2/2/2013 1:07:22 AM

Enable ipv6 and remote into it via ipv6, VPN tunnel shouldn't affect it

2/2/2013 1:28:48 AM

^interesting. Although I got virtual box working. It's built in remote display feature which is essentially hardware remote desktop let's me remote in using RDP while the vpn is connected. Pretty cool.

^^no as I said the vpn disables all interfaces. Doesn't matter the priority of them it still cuts all traffic.

2/2/2013 9:48:36 AM

nice, glad to hear you got it working.

years ago i had a similar problem, but it was that when i was VPN'd into work, I couldn't print to my local network printers. The printer i had at the time supported appletalk, and I had read something about being able to use this as a workaround, since ipsec only cared about ipv4, and I was able to use appletalk as a workaround to print.

now i just have hardware VPN so it's not really a problem.

2/2/2013 10:21:15 AM

Quote :

" My solution is remoting into the host machine and maximizing the VM. I don't really want to do this as it ties up the host machine. "

I've done this for work machines not due to your specific situation, but because I don't want a 10+ hour operation to quit on me in middle because my network connection at home drops. I'm a bit confused how it ties up the host machine though, the VM needs ... 1GB of memory and the host machine has 4GB (guessing here)? Otherwise, RDP/VNC/most remote protocols allow you to specify the size of the screen when remoting in. And if using console access, most host machine VM software *should* allow you to dynamically resize the guest OS screen. The IPv6 suggestion was good, but, might need an alternative in future if IPv6 isn't available.

Quote :

"Enable ipv6 and remote into it via ipv6"

Ouch, that kinda defeats the definition of single tunnel. Wonder how many folks are aware of this for newly provisioned machines that install both v4 and v6. "It's a feature!". Nice suggestion though.

2/2/2013 10:32:31 AM

I like the ipv6 idea On the bit of a workaround if ipv6 isnt available, I find that highly unlikely since everyone is moving to it. You normally now dont turn it off once its working. Might need a workaround for IPv4 in the near future though

You should be able to copy the cisco config files and install a copy. That or maybe ask your IT department to do so (always make friends with IT, might require brownies or other treats).

Just dont be running VPN on both boxes at once without permission. That will get alerted on and may get you in serious trouble.

[Edited on February 2, 2013 at 1:46 PM. Reason : ..]

2/2/2013 1:44:31 PM

Quote :

"I'm a bit confused how it ties up the host machine though, the VM needs ... 1GB of memory and the host machine has 4GB (guessing here)? Otherwise, RDP/VNC/most remote protocols allow you to specify the size of the screen when remoting in. And if using console access, most host machine VM software *should* allow you to dynamically resize the guest OS screen."

Eh gave the VM 2 and the host has 16. I think you're missing what i'm trying to accomplish though. The VPN completely ties up all interfaces and ports so I can't even remote into the VM naively (via a port from the host terminal or GUI) so VirtualBox allowed me to "hardware remote" using it's remote display feature which is compatible with RDP. This completely bypasses the host (VirtualBox runs in "headless" mode and just sits int he background in windows.

Prior to this I was actually remoting into the host server (the actual desktop) and loading the VM and just maximizing the window. That's what I meant by tieing up the host. This wasn't efficient.

^Eh the VPN is from our client not our actual IT. It's just a PITA to get any support from the client we just do what we do. I mean hell we've been using aircards on the client site because we haven't been able to get guest/vendor WIFI until just recently on a normal basis (which blocks the vendor VPN coincidentally). It's funny they give consultants/vendors guest wifi but then block the vendor VPN they provide to access their internal sites on non-branded laptops.

2/2/2013 3:27:17 PM

Quote :

"Ouch, that kinda defeats the definition of single tunnel."

oh most definitely-- it bypasses the intended security purposes, so from the perspective of infosec, bad idea, from the standpoint of user flexibility--- usable workaround

2/4/2013 11:23:36 AM