I'm using VMware Fusion 12.0.0 (16880131) in macOS Big Sur Beta 10. In macOS (host), I'm connected to a VPN. I want to share the VPN connection with my Windows 10 2004 (guest), but this doesn't work. Internet connection is available, but websites which are only available in VPN aren't. The guest network is connected via NAT. How can I achieve the sharing, or isn't this possible currently?
If you need any further information, please let me know.
Some VPN solutions block this either by default or by administrator policy. Do you know if that's the case here? With NAT it should just work (you may have to reboot the VM after connecting to the VPN if it doesn't pick up the revised DNS servers).
I've only been able to test this with Catalina and Cisco AnyConnect. It works for me in that I can VPN to a customer site (or into work from home) on the Mac, change my VM (Windows 10 Pro) to use NAT instead of a bridged connection, and then do things like RDP to remote servers, access shares on our NAS box at work (from the VM), etc. Not sure exactly what you mean about "web sites that are only available in VPN aren't" - i.e. they're only available if you use a VPN on the Mac and then browse to them for some security or other reason? Or that you can't browse the Internet at all from your VM?
Currently not able to test with Big Sur
Thank you for your replies.
I tried Parallels and in Parallels, it works (copied the virtual machine, so same state as in VMware Fusion). So macOS shares VPN with Windows 10. So I think that this is not blocking by anyone or anything.
I'm using OpenVPN with the application 'Tunnelblick'. If I set the network to NAT, I can browse the web in Windows 10 as I expected. But internal sites like JIRA (that are only reachable in VPN) don't work. Only if I also connect to OpenVPN in Windows 10 is this working again - but I don't want to connect to VPN twice.
I also tried using network mode bridged and also had no luck. In this case, I didn't have any internet access.
Thanks again for your help.
If the sites that you are connected to are going through the tunnel then it is most likely that the DNS settings from the VPN are not being used.
Eg. first see if the IP address is different when connected via the tunnel (for example via whatsmyip.org ) and not via the tunnel.
If that's the case then it is almost certain that you're not using the DNS settings from the tunnel in your guest OS.
I have the same problem and it only exists on Big Sur with Fusion 12. Before, on Catalina and Fusion 11.5, it worked as expected, without any special setup. (NAT network set in the guest settings - that's all.)
This is not related to wrong DNS settings, because in a command prompt a direct ping to a specific IP (x.x.x.x) behind the VPN is also not working. Rebooting the guest or restarting the Fusion app after the VPN is established doesn't work either.
It looks like something has broken on the Fusion 12 Player's side... if Parallels works as expected.
With bridged networking it won't work by design, because it's not sharing the host's network connections at all.
So for now I didn't find a solution for this...
In my case the VPN client is Tunnelblick 3.8.4 (build 5600), which is the latest stable and tested with Big Sur. Today I'll try the beta, but actually the VPN itself is working on the host. The only problem is that the host's VPN is not used in the guest with NAT networking, which worked before.
So my first bet is that there is a problem with the new version of Fusion, but it's true that it can be anything: OpenVPN, VMware, Big Sur...
It would be great if somebody tested this with Fusion 12 Pro (and if it's not working, then they can file a support ticket..)
I can confirm this.
Tunnelblick 3.8.4 build 5600 on Mac OS Catalina, running VMware Fusion 11.5, with guest OS Ubuntu 20.04.1: When VPN is connected on host and guest OS is connected via NAT, guest OS CAN access VPN.
Tunnelblick 3.8.4 build 5600 on Mac OS Big Sur running VMware Fusion Player 12.0 with guest os Ubuntu 20.04.1: When VPN is connected to host and guest OS is connected via NAT, guest OS CANNOT access VPN.
I have the same issue since upgrading to Fusion 12/Big Sur (and using OpenVPN).
I've traced the packets using Wireshark: traffic from the guest has the source ip of the guest (172.16.246.3) instead of the host.
Thanks @Donald_v, this helped me to find a workaround.
In Big Sur or in Fusion 12 the network handling changed. Previously there were no bridge interfaces to manage NAT data; it was inside the network stack of Fusion's vmnet devices. In F12 and BS there is a new bridge device, bridge100 in my case, which needs packet filter NAT rules to route through the other interfaces. (Big Sur disallows loading external kexts - so this is probably because of this new rule.)
And the main reason is that F12 only adds the necessary rules to the main interfaces (en0, en1 - in my case) and the OpenVPN utun8 has no rules to allow address translation, so that's why @Donald_v sees the packets with the guest internal IPs.
If you run this command in the terminal, it will list the rules created by VMware after the guest started:
sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null
The result would be something like this:
nat on en1 inet from 192.168.29.0/24 to any -> (en1:0) extfilter ei
nat on en0 inet from 192.168.29.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.29.1 to 192.168.29.0/24
If you are familiar with this or brave enough to run these commands, then here is the workaround:
I copied the output of this command to a text file newrules.conf with the first command:
sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null >newrules.conf
You need to add a new rule with the tun interface of your VPN client. In my case this is utun8.
echo "nat on utun8 inet from 192.168.29.0/24 to any -> (utun8) extfilter ei" >>newrules.conf
It is really important that the interface and IP address you see above need to be changed to yours. The address can be copied from the results of the first command. You can find the VPN interface with the ifconfig terminal command.
And the last part: it needs to be added to the specific anchor's NAT rules. This command will do that, and if something goes wrong you only need to reboot your computer and it will be repaired automatically.
sudo pfctl -a com.apple.internet-sharing/shared_v4 -N -f newrules.conf 2>/dev/null
You can check the result with the first command, and if you see the utun device you specified, then you can try in the guest whether you can reach the VPN network.
Important note: This ruleset is reset every time you start a VM, so it needs to be repeated every time after the VM starts.
As I see it, this problem is because VMware doesn't add extra interfaces related to VPN, only active Ethernet ones.
Hope it helps, but it's clearly a temporary fix for the problem!
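The manual steps above can be scripted. The following is an added example written for this page, not code from the thread or from VMware: it reads the live anchor, appends a translation rule for the tunnel interface you name, and loads the result back with the same pfctl invocation as the workaround. It assumes macOS Big Sur with Fusion 12's NAT anchor com.apple.internet-sharing/shared_v4, a running NAT ("Share with Mac") VM, and that you pass your own utunN name (find it with ifconfig). The embedded SAMPLE_RULES text is constructed for dry runs and tests; it is not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): automate the Fusion 12 / Big Sur pfctl workaround.
# Nothing here touches pf unless run as:  sudo ./fusion-vpn-nat.sh --apply utun8
# Fusion rewrites the anchor on every VM start, so re-run after each VM start; a reboot undoes it.

ANCHOR="com.apple.internet-sharing/shared_v4"

# Constructed sample of the anchor's NAT rules in the shape Fusion 12 emits (test input only).
SAMPLE_RULES='nat on en1 inet from 192.168.29.0/24 to any -> (en1:0) extfilter ei
nat on en0 inet from 192.168.29.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.29.1 to 192.168.29.0/24'

# nat_subnet RULES: print the guest subnet Fusion translates (taken from the first "nat on ... from X" rule).
nat_subnet() {
    printf '%s\n' "$1" | sed -n 's|^nat on [^ ]* inet from \([0-9./]*\) to any.*|\1|p' | head -n 1
}

# has_rule RULES IFACE: succeed if a "nat on IFACE" rule already exists ("no nat on bridge100" does not count).
has_rule() {
    printf '%s\n' "$1" | grep -q "^nat on $2 "
}

# build_rule IFACE SUBNET: the translation rule to add for the VPN tunnel interface.
build_rule() {
    printf 'nat on %s inet from %s to any -> (%s) extfilter ei\n' "$1" "$2" "$1"
}

# new_ruleset RULES IFACE: the full ruleset to load; unchanged when IFACE is already covered.
new_ruleset() {
    if has_rule "$1" "$2"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$1"
        build_rule "$2" "$(nat_subnet "$1")"
    fi
}

# apply_workaround IFACE: read the live anchor, append the tunnel rule, load it back (needs root).
apply_workaround() {
    iface=$1
    rules=$(pfctl -a "$ANCHOR" -s nat 2>/dev/null) || { echo "pfctl failed (run as root?)" >&2; return 1; }
    subnet=$(nat_subnet "$rules")
    [ -n "$subnet" ] || { echo "no Fusion NAT rule in $ANCHOR; is a NAT VM running?" >&2; return 1; }
    ifconfig "$iface" >/dev/null 2>&1 || { echo "interface $iface not found; check ifconfig for your utunN" >&2; return 1; }
    if has_rule "$rules" "$iface"; then
        echo "anchor already has a rule for $iface; nothing to do" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    new_ruleset "$rules" "$iface" >"$tmp"
    pfctl -a "$ANCHOR" -N -f "$tmp" 2>/dev/null   # -N: load only the NAT rules from the file
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] && pfctl -a "$ANCHOR" -s nat 2>/dev/null   # show what is now loaded
    return "$status"
}

case "${1:-}" in
    --apply)   apply_workaround "${2:?usage: $0 --apply utunN}" ;;
    --dry-run) new_ruleset "$SAMPLE_RULES" "${2:-utun8}" ;;      # print the ruleset without touching pf
esac
```

Run `./fusion-vpn-nat.sh --dry-run utun8` first to see the ruleset that would be loaded; the script refuses to load anything if the anchor has no Fusion rule (no NAT VM running) or if the interface name does not exist. Because the anchor is regenerated on each VM start, a LaunchAgent or shell alias that re-runs `--apply` after starting the VM is the practical way to keep it in place until VMware ships a fix.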
@PimpaDev I have some doubts while running the commands.
1. Are the commands to be run on the host or guest OS? I am trying to run the commands on the host, i.e. the Mac.
2. What should the networking connection be set to - bridged / Share with Mac - for these changes to work?
While I am running the below pfctl command, I can see the utun interface is already added in my case, but still VPN is not working on the VM (Ubuntu).
Any help would be appreciated. Thanks !
1. Yes you have to run these on the host
2. It only works when the network connection is set to "Share with Mac".
If you use bridged networking in the guest, then you need to run the VPN inside the guest OS.
Hope it helps!
@PimpaDev Have you shared your findings in a ticket with VMware? Are you able to conclude whether this is an issue with Fusion 12 or the VPN, or even Big Sur in general?
I have the same issue; it only started after upgrading to Big Sur.
* Latest AnyConnect 4.9.04xx (Compatible with Big Sur)
* Fusion 12.1
Thanks for your replies. So, this is a general issue here, not mine. VMware seems to be aware of this issue:
"The virtual machine (VM) cannot access the same network as the host while macOS Big Sur host is connected to the virtual private network (VPN)
If the Big Sur host is connected to VPN, then the VM cannot access the same network as that of the host.
Workaround: Connect to the VPN in the VM instead of connecting to the VPN on the host."
So I think this issue will be fixed in a later version. Just wanted to inform those who are watching this thread.
Thanks for this tutorial.
In my case, nevertheless, it seems to be different, since on my F12.1.0 the NAT rule gets applied when I start Cisco AnyConnect first:
sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null
nat on en0 inet from 172.16.16.0/24 to any -> (en0:0) extfilter ei
nat on utun2 inet from 172.16.16.0/24 to any -> (utun2:0) extfilter ei
no nat on bridge100 inet from 172.16.16.1 to 172.16.16.0/24
However, it only doesn't work while I'm connected to the VPN, but works as soon as the VPN on my host gets disconnected and I perform a disconnect/connect on the VM's NAT adapter again. 😕