Host VPN Connection doesn't reach the Guest #3238

Closed
goncalolalmeida opened this issue Nov 1, 2021 · 26 comments

@goncalolalmeida

goncalolalmeida commented Nov 1, 2021

Configuration

  • UTM Version: 2.3.1 (38)
  • OS Version: macOS Big Sur 11.6.1
  • Intel or Apple Silicon? Apple Silicon

config.plist.zip

I'm using Kali Linux arm version on UTM (kali 5.14 arm64, installed Kali's 2021.3 version) and I have no internet connection when using a VPN on the host.
My Network configuration on UTM is Shared (I doubt Bridged would solve it) and Emulated Network Card is virtio-net-pci, I'm not sure if it's a misconfiguration, a bug or something else... but since I can't install Mobile Access Portal natively on Kali (no arm64 version) I really need my host's VPN connection to get to the guest inside UTM.

Looking for some help here, since I didn't find a related issue.
Many thanks in advance!

@conath
Contributor

conath commented Nov 3, 2021

Have you tried the emulated VLAN network mode? If any, that one would definitely go through the VPN since it's emulated in userspace. The other modes use macOS Virtualization features that might not respect the host's VPN settings.

@goncalolalmeida
Author

It works @conath ! Thank you so much!!

@voa257

voa257 commented Jan 25, 2022

Hi!

Facing a similar issue, but with the following configuration:

  • UTM Version: 3.0.4
  • OS Version: macOS Monterey 12.1 (on Apple Silicon)

I'm emulating a Windows 11 Insider Preview Client (ARM64) (build 22523) with SPICE Guest Tools (0.164.3) correctly installed. When the Network configuration on UTM is Shared (Emulated Network Card: virtio-net-pci), the internet connection works fine on the emulated Windows.

However, I would like the host's VPN connection to get to the guest. I tried to get it working both with Shared and Emulated VLAN network modes of UTM, but I didn't make it... Moreover, if I switch to the VLAN option, I have no internet connection on the guest.

Is there any specific network configuration that I should try given the Windows version?

Any help would be appreciated.
Thanks!

@conath
Contributor

conath commented Jan 25, 2022

@voa257 You should use emulated VLAN mode as suggested above. You might need to set manual DNS server in the VM to make it work.

@spyrospapp

> Have you tried the emulated VLAN network mode? If any, that one would definitely go through the VPN since it's emulated in userspace. The other modes use macOS Virtualization features that might not respect the host's VPN settings.

I spent a whole day because of this. I finally found the solution, you are the best.

@ghost

ghost commented Jan 26, 2022

I'm having the same issue with a MacOS guest. How do I enable VLAN mode?

@conath
Contributor

conath commented Jan 26, 2022

@vimlohulmu It's in the VM configuration, Network tab.

@ghost

ghost commented Jan 27, 2022

@conath It's only showing None, Shared and Bridged there

@conath
Contributor

conath commented Jan 27, 2022

@vimlohulmu My bad, the emulated VLAN mode is only available for QEMU backend, not for Apple VMs.

@ghost

ghost commented Jan 27, 2022

@conath So is there a solution for me?

@conath
Contributor

conath commented Jan 27, 2022

@vimlohulmu I believe no. You could instead try to connect to the VPN from within the VM if that is possible for your use case.

@ghost

ghost commented Jan 27, 2022

@conath Unfortunately I'm out of connections. So I guess there's no workaround and I'll have to wait for a future update which may or may not include a possible solution?

@conath
Contributor

conath commented Jan 27, 2022

@vimlohulmu The Apple VM backend is not managed by UTM developers, so we can’t offer any promises or estimates when this feature might be added. You could file a Feedback Report with Apple to let them know you would like to have this feature.

@bradyap

bradyap commented Jan 28, 2022

I'm having a similar issue. I'm on macOS (apple silicon) running a debian vm in UTM. I am connected to a socks5 proxy on my host machine, however vm traffic doesn't seem to be going through it even while using emulated VLAN mode.

@dylan-gluck

dylan-gluck commented Feb 1, 2022

Running into a similar issue Mac (Intel) host & Debian guest.

  • Working network connection on guest with Shared interface & no vpn running on host
  • No ping on guest with Shared interface and vpn connected
  • No ping on guest with Emulated VLAN and vpn connected

Also, I noticed that none of the other network interfaces are working even without the vpn running on host

  • No ping on guest with Emulated VLAN and no vpn connection on host
  • No ping on guest with Bridged and no vpn connection on host

@conath
Contributor

conath commented Feb 1, 2022

@dylan-gluck Don't use ping to check internet connectivity in UTM VMs, it's not supported (at least in emulated VLAN mode, see #530)

Instead perform a DNS lookup like dig @1.1.1.1 DuckDuckGo.com. If it times out, no connection. Otherwise you’re connected.

@Moulick

Moulick commented Nov 3, 2022

@bradyap did you ever find a solution?

@patryk4815

@ghost @conath
Here is a workaround for apple.virtualization:

  1. dump current rules using:

```
sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null > newrules.conf
```

     (it should look like this:)

```
$ cat newrules.conf
nat on en0 inet from 192.168.64.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.64.1 to 192.168.64.0/24
```

  2. Add your vpn interface (for me it is utun5, check in ifconfig) and vpn CIDR

```
echo "nat on utun5 inet from 192.168.64.0/24 to 10.0.0.0/8 -> (utun5) extfilter ei" >> newrules.conf
```

  3. Reload pfctl rules

```
sudo pfctl -a com.apple.internet-sharing/shared_v4 -N -f newrules.conf 2>/dev/null
```

ref: https://communities.vmware.com/t5/VMware-Fusion-Discussions/Share-host-VPN-with-guest/m-p/2810095/highlight/true#M170151
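
The three steps from the comment above as one script, with input checks and a parse-only pass before loading. This is an added example, not code from the thread or from UTM. The function names and the `current.conf` file are assumptions, the interface is assumed to be a `utunN` device, and `-n` is pfctl's parse-without-loading flag.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the NAT rules for the
# internet-sharing anchor so guest traffic to chosen VPN networks is translated.
ANCHOR="com.apple.internet-sharing/shared_v4"   # anchor name as given in the thread

valid_iface() {   # assumption: the VPN interface is a utunN device
    case "$1" in utun[0-9]|utun[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

valid_cidr() {    # a.b.c.d/len with octets <= 255 and len <= 32
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' \
        '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1; if ($5 > 32) exit 1 }'
}

# build_rules IFACE GUEST_NET VPN_CIDR...
# Reads the dumped rules on stdin and prints them with one NAT rule per VPN
# CIDR appended; rules that are already present are not added twice.
build_rules() {
    [ $# -ge 3 ] || return 1
    iface=$1 guest_net=$2; shift 2
    valid_iface "$iface" && valid_cidr "$guest_net" || return 1
    rules=$(cat)
    # An empty dump means the anchor was not read; a file built from it would
    # load only the VPN rule in place of the existing ones, so stop here.
    [ -n "$rules" ] || { echo "no rules dumped, refusing to continue" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || return 1
        rule="nat on $iface inet from $guest_net to $cidr -> ($iface) extfilter ei"
        printf '%s\n' "$rules" | grep -Fxq "$rule" || rules="$rules
$rule"
    done
    printf '%s\n' "$rules"
}

# macOS host only: dump, rebuild, parse-check with -n, then load the NAT rules.
apply_rules() {
    sudo pfctl -a "$ANCHOR" -s nat > current.conf || return 1
    build_rules "$@" < current.conf > newrules.conf || return 1
    sudo pfctl -a "$ANCHOR" -n -N -f newrules.conf &&
        sudo pfctl -a "$ANCHOR" -N -f newrules.conf
}

# Demo on constructed input (the dump shown in the comment above); no pfctl call.
build_rules utun5 192.168.64.0/24 10.0.0.0/8 <<'EOF'
nat on en0 inet from 192.168.64.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.64.1 to 192.168.64.0/24
EOF
```

On the host, `apply_rules utun5 192.168.64.0/24 10.0.0.0/8` performs the dump and load; listing only the VPN's own CIDRs keeps the guest's reach into the VPN limited to those networks.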

@trenshaw

Could support for a new 'NAT' option vs. 'Emulated VLAN' be added? This would function similar to how the 'NAT' option in VMware and VirtualBox work i.e. provide NAT between any of the networks visible to the host e.g. WiFi, LAN, VPN etc.

I need both my guest and local apps on my macOS host to be able to connect to hosts over the same Pritunl VPN connection. This would significantly simplify networking for those wishing to be able to route between all available networks on the host.

@MeiAnd

MeiAnd commented Sep 12, 2023

I solved this issue like this:

Network: Bridge

nano /etc/resolv.conf
nameserver 8.8.8.8

@0xElmalky

I changed it to bridged with en0 and it works now !

@zdeneksvarc

> @dylan-gluck Don't use ping to check internet connectivity in UTM VMs, it's not supported (at least in emulated VLAN mode, see #530)
>
> Instead perform a DNS lookup like dig @1.1.1.1 DuckDuckGo.com. If it times out, no connection. Otherwise you’re connected.

Using fping is always better. And of course works in this case.

@HarishChalki

  1. Change it to bridged
  2. In services.msc check for the following services, they should be enabled and running
    i) DNS Client
    ii) Function Discovery Resource Publication
    iii) SSDP Discovery
    iv) UPnP Device Host
  3. Then in some cases you may have to disable/Off the windows firewall also

@aleksis-lv

hey, unsure if anyone is still having this issue, the solution by @patryk4815 didn't end up working for me, but the following did after a few minutes with ai:

```
nat on en0 inet from 192.168.64.0/24 to any -> (en0) extfilter ei
no nat on bridge100 inet from 192.168.64.1 to 192.168.64.0/24
nat on utun6 inet from 192.168.64.0/24 to any -> (utun6) round-robin extfilter ei
# i think these aren't necessary, but were recommended to avoid local requests going through the vpn
no nat on utun6 inet from 192.168.64.0/24 to 192.168.0.0/16
no nat on utun6 inet from 192.168.64.0/24 to 10.0.0.0/8
no nat on utun6 inet from 192.168.64.0/24 to 172.16.0.0/12
```

utun6 being the vpn tunnel, and i'm using a script to run on startup to persist these settings :-)
hope this helps!
