How do I achieve 2 ip addresses using VirtualBox and VPN?

Discussion in 'sandboxing & virtualization' started by illumins, Jan 13, 2011.

Thread Status:
Not open for further replies.
  1. illumins, Registered Member (Joined: Jan 13, 2011; Posts: 26)

    I am running Win XP on both Host and Guest.

    I am connected to a VPN (OpenVPN) and all my applications will have my VPN's ip address. I want to make some of my apps use my real ip address (instead of my vpn ip address) while the rest of my apps continue using my vpn ip address.

    Here, Panagiotis instructs how to achieve this:



    I've been trying to set this up on my PC but so far I can't seem to make it work. So far I set up 2 NICs for my VM (Bridged and Host). Next I am trying to do Step 1, V2 instructions but here is where I don't know if I am doing it correctly:

    I go to Network Connections, and go to VirtualBox Host Only Network's properties, TCP/IP Properties, then would I change the default gateway to my guest's IP? (let's say this ip address is 192.168.195.3). And would I find this ip address by running ipconfig /all on my guest or host?

    Then I go to firefox and would change the proxy settings to this same ip address (192.168.195.3), and then what do I put in as the port?

    Does anyone know what I am doing wrong and how I can correctly implement this? Panagiotis? I would really appreciate it, thanks!
     
  2. illumins, Registered Member (Joined: Jan 13, 2011; Posts: 26)

    Does anyone know?

    I've been googling for answers, reading forum posts, trying to work with Panagiotis's instructions all night yesterday and this morning... I can't figure this thing out. o_O
     
  3. pandlouk, Registered Member (Joined: Jul 15, 2007; Posts: 2,572)

    Hi and welcome to wilders.

    Can you point me to the thread? ...I cannot find it anywhere (seems deleted).

    On your guest (virtual) machine, have you enabled Internet Connection Sharing?
    You'll find that ip by running ipconfig on your guest.

    ps. if you wish to use only a handful of applications, why don't you run them from your virtual machine (bridged networking mode)?

    Panagiotis
     
    Last edited: Jan 14, 2011
  4. Sully, Registered Member (Joined: Dec 23, 2005; Posts: 3,719)

    Why not just use forcebind per application? The openvpn uses a virtual nic, correct? Can you forcebind the chosen program then to either nic?

    Can you run the openvpn in the vm only? Then whatever you do in the vm would be the vpn ip, and the host the normal ip?

    Sounds like a lot of vm for something like this, perhaps you must do it this way, but it seems like you could modify your attack differently without using 2 vms. Maybe not, just an idea.

    Sul.
     
  5. pandlouk, Registered Member (Joined: Jul 15, 2007; Posts: 2,572)

    This won't work because usually windows bridges the real nic and the vpn nic, when a vpn connection is initiated.
    Or the opposite as I posted above.
    Another way is to use Split Tunneling.
    http://technet.microsoft.com/en-us/library/bb878117.aspx
    http://www.stevens.edu/itwiki/w/index.php/VPN_on_Windows_XP_with_Split_Tunneling
    It allows you to access resources on the VPN (remote devices, printers, etc.) and at the same time allows the other applications (e.g. browsers) to connect directly to the internet.

    Here http://technet.microsoft.com/en-us/network/bb545442 you'll find some good information about vpns.


    Panagiotis
     
    Last edited: Jan 14, 2011
  6. illumins, Registered Member (Joined: Jan 13, 2011; Posts: 26)

    First of all thank you Pandlouk for taking the time to help me make this work and thank you Sully for your suggestions ;) :



    I am not so sure if I want to use this method, as the technet thread says there are potentially security issues with tunnel splitting. But even if we can fix it, does this work with OpenVPN? I don't use L2P2.




    I've actually been using the method you and Sul suggest, I connect to my VPN(OpenVPN) on my host machine and all my apps will have my VPN's ip address and on my guest all my apps have my real IP address.

    What I am trying to do now is somehow route specific apps on my host to use my guest's internet connection so these specific apps will have my real ip address (on my host).

    And the thread which I quoted you from is now deleted. It was located here:
    https://www.wilderssecurity.com/printthread.php?t=278247


    Internet connection sharing was off, but I then re-tested it on and still it did not work. Well here is what I have tried to do step by step:


    On My Host
    1. I have a firewall (Online armor), that I set to untrust all networks (Including VirtualBox Host Only network)- I also set "Trusted" to VirtualBox Host Only and still did not work.
    2. I Connect to my VPN (Through OpenVPN)
    3. I run this in the command prompt "route delete 0.0.0.0 192.168.165.1"
    So if my VPN connection is disconnected, my real IP address does not leak.
    (https://www.wilderssecurity.com/showthread.php?t=264849)
    4. Now all my applications on my Host will have my VPN's ip address.

    On my Guest: (Using Virtualbox)
    1. I create 2 NIC's 1) Bridged and 2) Host Only.
    2. In my Guest, ipconfig /all will list
    a) LAC 1: IP Address 192.168.165.103 (This is Bridged NIC?)
    b) LAC 2: IP Address 192.168.56.101 (This is the Host Only NIC?)
    3. I set LAN 2 to share internet connection & run ipconfig /all and there are new IP's listed
    a) LAC 1: 192.168.0.1
    b) LAC 2: 192.168.56.101
    Q) Which of these IP addresses should I be using?

    Back on my Host:
    1. So now I go to Network Connections and it will list 3 NIC's
    a) LAC 1 (Physical NIC)
    b) LAC 2 (VPN NIC)
    c) LAC 3 (VirtualBox Host only Ethernet Adapter)
    2. I go to LAC 3 Properties, click on Internet Protocol TCP/IP, and IP address + Subnetmask is listed but Default Gateway is "blank."
    3. Now do I add 1 of the ip addresses (I've listed above) into the Default Gateway field?
    (I've tried all 4 IP addresses and none "worked")
    4. Now I go to firefox, and add into the proxy settings the same ip address as I've entered into the Default Gateway field above? And I can use any port? Ex: 80
    For example, 192.168.165.103 port 80


    I've tried this with all four ip addresses and nothing will connect on firefox. Am I doing something wrong?
     
  7. pandlouk, Registered Member (Joined: Jul 15, 2007; Posts: 2,572)

    Something seems wrong:
    LAC 1: when bridged should give you an IP in the same range of your real nic not 192.168.165.103.
    For example, if 192.168.0.1 is the address of your real nic your bridged nic should have an IP 192.168.0.x inside the virtual xp; your router should see two different pcs connected to the network. Does your virtual machine have access to the net when the virtual nic is configured as bridged?

    What is the IP of your real nic? (post it only if you are behind a router)

    ps. It is really late here, time to sleep. I'll check again tomorrow.

    Panagiotis
     
  8. illumins, Registered Member (Joined: Jan 13, 2011; Posts: 26)

    Hmmm, just to make sure I have correctly explained my settings:

    The 4 ip addresses I listed all came from the guest using ipconfig /all. There are only 2 ip addresses when I run ipconfig /all, and after I set LAC #2 to share internet, I run ipconfig again and get 2 different ip addresses. I have also not bridged any connections in the guest and have only enabled 2 network adapters for guest (Bridged and Host-Only). Do I need to bridge the two connections (LAC #1 and #2) together in guest? (If I do this, I can no longer share any of the internet connections)

    The ip of my real nic (Host) is 192.168.165.107, so that format seems to match my guest ip 192.168.165.103.

    Yes, my virtual machine has access to the net when I use Bridged network adapter.
     
    Last edited: Jan 15, 2011
  9. pandlouk, Registered Member (Joined: Jul 15, 2007; Posts: 2,572)

    Ok, thanks. You have confirmed that Lac 1 is your bridged adapter.

    Now, go to the settings of LAC 2 adapter on your host machine and use the following settings under the "Internet Protocol (TCP/IP) Properties".

    IP Address 192.168.0.x (any address in the range of 192.168.0.2 to 192.168.0.254 will be fine).
    Subnet mask 255.255.255.0
    Default gateway 192.168.0.1

    (for DNS you can use 192.168.0.1 if you want to obtain the dns from your virtual pc, on that nic.)

    And try again to connect with an app. in the host. If you do not want to use ForceBindIP on your host, you can use AnalogX Proxy on your virtual machine and then use the proxy settings in your apps on your real system.

    Panagiotis
     
    Last edited: Jan 15, 2011
  10. illumins, Registered Member (Joined: Jan 13, 2011; Posts: 26)

    I just remembered that I hardened some network settings, so maybe something here is keeping this from working:

    Hardened network settings on Host:
    1. Turned off a) file sharing and b) client for microsoft network on all LAC #1, 2 and 3 on my host and LAC #1 (bridged) on my guest.
    2. I also disabled ports 135, 137-139, 445, on my host: (Using these instructions)
    (-http://ssj100.fullsubject.com/t181-how-to-disable-ports-135-137-139-445-windows-xp-)
    3. Disabled service/s: TCP/IP NetBios Helper
    4. Host firewall also is set to "Untrust" host and bridge network interfaces

    So now I am going to try your updated instructions:

    On my Guest machine:
    1. So LAC #1 is confirmed as bridged and LAC #2 is Host only.
    2. I will turn on Internet Sharing on LAC #2 (LAC #2 Properties, Advanced, Allow ICS- No Wizard)
    3. I just noticed that Internet on guest stops working after I turn Internet sharing on LAC #2 (It works fine before)
    4. I then install and run AnalogX Proxy (Which loads and gives warning being in "Open state"- will look at this later)

    Back to my Host Machine I will input IP addresses into LAC #2 (VPN adapter):
    (192.168.0.2, 255.255.255.0, 192.168.0.1)
    1. If I am currently connected to my OpenVPN, after I enter ip addresses into LAC #2 tcp/ip properties my VPN internet no longer works. Should I enter ip addresses into LAC #2 before I connect to my OpenVPN? (For now I will try both ways)
    2. I will then load up firefox and enter proxy information.

    I've tried to enter each ip address into firefox's proxy with port 80 and for some reason it's still not working? I've also tried to do Internet sharing on LAC #1 (Bridged) and the internet works in the VM, although I still cannot get my Host apps proxy settings to work.
    (Tried 192.168.0.1, 192.168.56.101, 192.168.165.103 all on port 80)

    I will attempt to try ForceBindIP and then disable security settings next but have I done everything correct so far?
     
    Last edited by a moderator: Jan 16, 2011
  11. pandlouk, Registered Member (Joined: Jul 15, 2007; Posts: 2,572)

    Hi, I'll try to clear the confusion by explaining in various steps from the beginning.

    1. We first create a bridged connection (LAC 1) for the virtual machine. This allows the machine to connect directly with the router.

    2. We create a host only connection (LAC 2) for the virtual machine. This will allow the virtual machine and the host to communicate in their own private network.

    3. In the virtual machine, go to the settings of LAC 1 (bridged connection) and enable I.C.S. (internet connection sharing), sometimes a reboot of the virtual machine is required. Windows will change the LAC 2 IP to 192.168.0.1.

    4. In the host machine go to LAC 2 adapter (host only connection) and change the "Internet Protocol (TCP/IP) Properties" to:
    IP Address 192.168.0.x (x= any number from 2 to 254)
    Subnet mask 255.255.255.0
    Default gateway 192.168.0.1

    Now your Internet connection sharing is configured. And it is time to test if it works properly (without running the vpn, yet).
    -----------------------------

    Go to your host machine connections and select your real NIC properties; there untick the box "Internet Protocol (TCP/IP) Properties" and press apply.
    This will force windows internet requests to go through the LAC 2 instead of your real nic. If your programs can connect with the internet it means that your virtual network ICS is properly configured and your host firewall allows the connections to pass through. If not, check your firewall on your host machine, because it blocks the connections.

    Now tick again the box "Internet Protocol (TCP/IP) Properties" for your real NIC.
    --------------------------------

    Finally use either "ForceBindIP" on your host or "AnalogX Proxy" on your virtual machine to redirect the traffic for the desired programs through your virtual machine.

    I hope it's clear now,

    Panagiotis
     
    Last edited: Jan 16, 2011
  12. illumins, Registered Member (Joined: Jan 13, 2011; Posts: 26)

    Panagiotis, you are very knowledgeable and explain things very well. I followed your last post and spent yesterday trying to make it work. It took some time but I finally got it to work. It was amazing. Thank you for all your help!

    To get it to work, I had to turn off OA FW in guest machine and used Windows FW. ForcebindIP didn't work and I had to install AnalogX Proxy to finally get it to work. It actually lagged really bad so I found another proxy software which finally worked fast!

    Would I be able to do this with a real pc on my network instead of vm/guest?

    Okay last thing, if it's okay with you... Is using ICS between guest and host in this manner safe? My settings are below and if there is something I should change or add, please let me know. I am also behind a router with other computers.


    My ICS Security Setup: (To protect your host from being attacked while using ICS with guest)
    1. On my guest machine, Windows XP Firewall is turned on and LAC #1 & LAC #2 are "firewalled" status. (On Windows Firewall, Advanced Tab, LAC and LAC #2 are checkmarked).
    2. On my host, Online Armor Firewall set "untrust" towards all networks
    3. File Sharing and Client for Microsoft Network are disabled on all LAC/NIC on both host and guest.
    4. Secure settings for proxy software on guest (Allegrosurf- allow only my ip address to connect)

    My Privacy Setup: (To protect against leaking your real ip address when your VPN disconnects)
    (www.wilderssecurity.com/showthread.php?t=264849)
    1. I connect to my VPN and then I run "route delete 0.0.0.0 192.168.165.1" to keep my real NIC gateway from leaking if my VPN disconnects
    2. I go to Network Connections and change the TCP/IP IP addresses for Host-Only LAC (As you have instructed in your last post)
    3. I run a second command "route delete 0.0.0.0 192.168.0.1" to keep my Host-Only LAC from leaking my real ip (once ICS on guest is turned on)
    4. I turn on my VM that has a snapshot of ICS enabled on LAC #1 (Bridged), and proxy server software running.
    5. Now I can run any programs on my host with A) my VPN ip address and B) my real ip address
    (To have programs use real ip address you put into proxy 192.168.0.1 port 80)
     
    Last edited: Jan 17, 2011
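
The leak check behind the two `route delete` commands in the post above, as an added example that is not part of the thread: it parses a constructed `route print` table, lists default routes that bypass the VPN, and models the deletions. The VPN gateway 10.8.0.5 and VPN server 203.0.113.10 are assumed values; the other addresses are the ones quoted in the thread.

```python
import ipaddress
from collections import namedtuple
Route = namedtuple("Route", "net gateway interface metric")

# Constructed `route print` excerpt (XP column layout). 10.8.0.5 (VPN gateway)
# and 203.0.113.10 (VPN server) are assumed; other addresses are the thread's.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6       1
          0.0.0.0          0.0.0.0    192.168.165.1  192.168.165.107      20
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2      30
      192.168.0.0    255.255.255.0      192.168.0.2      192.168.0.2      30
     203.0.113.10  255.255.255.255    192.168.165.1  192.168.165.107       1
"""
VPN_GATEWAYS = {"10.8.0.5"}

def parse_routes(text):
    """Keep rows of four IPv4 columns plus a numeric metric; skip headers."""
    routes = []
    for fields in map(str.split, text.splitlines()):
        try:
            dest, mask, gw, iface, metric = fields
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            ipaddress.IPv4Address(gw), ipaddress.IPv4Address(iface)
            routes.append(Route(net, gw, iface, int(metric)))
        except ValueError:
            continue
    return routes

def leaking_defaults(routes, vpn_gateways):
    """Default routes (prefix length 0) whose gateway is not the VPN's."""
    return [r for r in routes if r.net.prefixlen == 0 and r.gateway not in vpn_gateways]

def route_delete(routes, dest, gw):
    """Model of `route delete <dest> <gateway>`: drop rows matching both."""
    return [r for r in routes if (str(r.net.network_address), r.gateway) != (dest, gw)]

def best_route(routes, ip):
    """Longest prefix wins, then lowest metric; None means no route at all."""
    hits = [r for r in routes if ipaddress.IPv4Address(ip) in r.net]
    return max(hits, key=lambda r: (r.net.prefixlen, -r.metric), default=None)

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print("leaks before:", [r.gateway for r in leaking_defaults(table, VPN_GATEWAYS)])
    for gw in ("192.168.165.1", "192.168.0.1"):  # the two commands from the post
        table = route_delete(table, "0.0.0.0", gw)
    print("leaks after:", leaking_defaults(table, VPN_GATEWAYS))
    down = [r for r in table if r.gateway not in VPN_GATEWAYS]  # VPN route gone
    print("internet with VPN down:", best_route(down, "198.51.100.7"))
```

With both defaults removed, a dropped VPN leaves no route to the internet, while the on-link 192.168.0.0/24 route still reaches the proxy on the guest and the host route to the VPN server is untouched.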
  13. pandlouk, Registered Member (Joined: Jul 15, 2007; Posts: 2,572)

    You are welcome. :)

    Yes, it is safe using ICS. In ICS the computer providing the connection (in this case the virtual machine) works like a router gateway for the other computers (in this case for your real machine). All the attacks go at the ICS enabled pc and it should be protected by a firewall (windows firewall is more than enough), and since the other pcs are behind NAT they are protected by the gateway.

    Yes, you can use ICS between real machines, but the ICS machine should have 2 NICS.

    Your settings are ok... but you should always remember, that a firewall should be placed after the vpn, if you want to be protected inside the vpn network from the other vpn clients (if you have hardened your OS and closed all incoming ports you should be ok). Some examples:
    [Operating system <-> external firewall <-> VPN client that acts as a gateway] = protected from other vpn clients
    [Operating system + software firewall <-> VPN client that acts as a gateway] = protected from other vpn clients.
    [Operating system + software firewall + VPN client software] = unprotected from other vpn clients.

    Panagiotis
     