dhyve vm can not access VPN'ed resources

[lmb]

It seems dhyve does not cope well with Cisco AnyConnect based VPNs. Servers behind the VPN are pingable from the host, but not from the dhyve guest.

I'm assuming the host does not know that it should route between the bridge and the VPN. Any ideas on how to achieve this?

[nlf]

this would require a bit different network setup than what dhyve currently does.. i think you'd have to set up a tun interface and tell xhyve (the virtualization software) to use that instead of the standard virtio-net interface that it currently uses. i'd have to do some research to figure out how to make this work.

[lmb]

Hi Nathan,

Thanks for your help. Did some more digging:

• The two relevant devices are bridge100 and utun0 (VPN)
• Packets coming in via bridge100 and leaving to the public internet are properly NATed
• Packets coming in via bridge100 and exiting to utun0 still carry the internal, host-only IP address

Seems like there is a special case in virtio-net somewhere that makes the NAT happen. Any idea where that might be?

[nlf]

i honestly couldn't tell you. this sounds like something that we need to solve at the xhyve level

[lmb]

Filed machyve/xhyve#84, maybe we can find out some more that way.

[nlf]

great, thanks for linking to it here. that'll be useful information