Contributor

Share host VPN with guest

Hi,

I'm using VMware Fusion 12.0.0 (16880131) in macOS Big Sur Beta 10. In macOS (host), I'm connected to a VPN. I want to share the VPN connection with my Windows 10 2004 (guest), but this doesn't work. Internet connection is available but websites which are only available in VPN aren't. The guest network is connected via NAT. How can I achieve the sharing or isn't this possible currently?

If you need any further information, please let me know.

Thanks!

0 Kudos
24 Replies
Contributor

@Longstag I am facing a similar issue with CiscoAnyConnect. These commands didn't work for me either. No luck.

0 Kudos
Contributor

@AlishaMahajan, @Longstag unfortunately I have no experience with CiscoAnyConnect; it probably takes a different approach to build up the network part of the VPN. I just installed F12.1.0 and for me the workaround is still working.

My only suggestion to hunt down the problem (but probably you've already done these or at least a part of these...):

1. stop any VPN and VM, and check that the VM networking is set to 'share with my mac'

2. start ciscoanyconnect vpn

3. start the vm

4. check the NAT rules -> it should reset the sharing_v4 anchor, so there should be no custom added part

5. check ifconfig for any unusual thing 🙂 -> ciscoanyconnect can build a different network interface than utun or other bridge, then you should change the custom part of the solution

6. check 'netstat -rn -f inet' (this will print the routing table of IPv4 addresses) -> to see that every route you need is defined or just to see a big table of addresses 😀

7. in the VM check that you can reach the VPN local IP by pinging it (only the local IP could be reached!) -> if you can't, then there is something different from the "basic" case, so it needs another workaround

8. ping anything from the VM and check 'sudo tcpdump -i bridge100', which gives you a clue about what traffic leaves the VM network interface. -> you should see the outgoing ping

9. ping an address behind the VPN from the VM and check 'sudo tcpdump -i <vpn interface>', which gives you a clue about what traffic goes to the VPN network interface -> you should see that the incoming ping source address is the guest's private IP, which is 'wrong'

10. add the custom rule and check from the VM if it can reach anything other than the default routes -> for example: internet, if it's not routed through the VPN

11. check the same tcpdump command to see if anything is changed

If any part fails or does something unusual, then the solution probably won't work and a different approach is needed to make it work, or hopefully VMware will find something for you soon. 🙁

0 Kudos
Contributor

This mostly worked for me....

I was able to ping the host in question which is behind our VPN, but when I went to try and use kubectl (kubernetes control cli) I got the following message:

Unable to connect to the server: net/http: TLS handshake timeout

running macOS 11.0.1 Big Sur

Fusion 12.1.0

guest os Ubuntu 18.0.4

kubectl 1.18.5

here's my updated rules that I applied on the Mac side (4th line is what I added)

nat on en1 inet from 192.168.2.0/24 to any -> (en1:0) extfilter ei
nat on en0 inet from 192.168.2.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
nat on utun2 inet from 192.168.2.0/24 to any -> (utun2) extfilter ei

And this is the new output when I run pfctl...

nat on en1 inet from 192.168.2.0/24 to any -> (en1:0) extfilter ei
nat on en0 inet from 192.168.2.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
nat on utun2 inet from 192.168.2.0/24 to any -> (utun2) round-robin extfilter ei

So it added the part with "round-robin"; not sure if that matters.

It seems like something else from the VM is not getting passed to the NAT?

What can I do to assist in troubleshooting this?

0 Kudos
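
The NAT-rule check from the troubleshooting steps can be scripted. The following is an added example, not code from any poster in this thread: it parses NAT rules in the format quoted above and lists the interfaces that have no translating rule for the guest subnet. The sample rules and the interface list (including `utun3`) are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of the pfctl output quoted above.
SAMPLE_RULES = """\
nat on en1 inet from 192.168.2.0/24 to any -> (en1:0) extfilter ei
nat on en0 inet from 192.168.2.0/24 to any -> (en0:0) extfilter ei
no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
nat on utun2 inet from 192.168.2.0/24 to any -> (utun2) round-robin extfilter ei
"""

RULE_RE = re.compile(
    r"^(?P<no>no )?nat on (?P<ifname>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: -> \((?P<target>[^)]+)\)\s*(?P<opts>.*))?$"
)

def _net(spec):
    """Turn a pf address ('any', a host or a CIDR) into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def parse_nat_rules(text):
    """Parse 'nat on ...' and 'no nat on ...' lines; skip anything else."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "translate": m["no"] is None,   # 'no nat' rules exempt traffic
                "ifname": m["ifname"],
                "src": _net(m["src"]),
                "target": m["target"],
                "opts": (m["opts"] or "").split(),
            })
    return rules

def uncovered(rules, guest_net, interfaces):
    """Interfaces with no translating rule whose source covers guest_net."""
    guest = _net(guest_net)
    covered = {r["ifname"] for r in rules
               if r["translate"] and guest.subnet_of(r["src"])}
    return [i for i in interfaces if i not in covered]

if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_RULES)
    # Constructed interface list; on a real host take the names from ifconfig.
    print(uncovered(rules, "192.168.2.0/24", ["en0", "en1", "utun2", "utun3"]))
```

An interface reported here is one where guest traffic would leave with the guest's private source address, which is the condition the tcpdump step above looks for.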
Contributor

I wrote a python3 script that will build and apply a config to accept NAT to all utun/VPN interfaces.

Can be found at:

https://gitlab.com/-/snippets/2043124

Visitor

Does your script make these permanent or do we run it every time we need to make a connection?

0 Kudos