[OT] VPN inside or outside virtual machine ?

Soviet_Mario

Jul 20, 2022, 9:18:49 AM

If you are able, pls answer as if I were 100 % stupid :D I
mean, I'm really dumb about internet protocols and the like.


I was considering subscribing to a VPN (which will be
mainly used in a VM, Linux guest inside Linux host, possibly
but unlikely the same distro),
but when thinking about whether to use the VPN inside or
outside the VM (or both ????), I was at a loss.

I really dunno what a VPN is, I think the browser is to be
instructed to connect to a proxy ... but WHERE ?

Inside the VM ?
Outside (if so, where to configure a proxy in this case, as
I won't be using a host-browser) ?
Both ?

Can sb tell in simple words which is possible and how, and
the pros and cons of the solutions ?

Tnx in advance.



--
1) Resist, resist, resist.
2) If everyone pays taxes, taxes are paid by everyone
Soviet_Mario - (aka Gatto_Vizzato)

Lew Pitcher

Jul 20, 2022, 1:57:29 PM
On Wed, 20 Jul 2022 02:43:36 +0200, Soviet_Mario wrote:

> If you are able, pls answer as if I were 100 % stupid :D I
> mean, I'm really dumb about internet protocols and the like.
>
>
> I was considering subscribing to a VPN (which will be
> mainly used in a VM, Linux guest inside Linux host, possibly
> but unlikely the same distro),
> but when thinking about whether to use the VPN inside or
> outside the VM (or both ????), I was at a loss.
>
> I really dunno what a VPN is, I think the browser is to be
> instructed to connect to a proxy ... but WHERE ?
>
> Inside the VM ?
> Outside (if so, where to configure a proxy in this case, as
> I won't be using a host-browser) ?
> Both ?
>
> Can sb tell in simple words which is possible and how, and
> the pros and cons of the solutions ?
>
> Tnx in advance.

Plain TCP/IP traffic can be compared to a postcard: source
address, destination address and message are readable by
any public station that the traffic passes through.

Encrypted TCP/IP traffic (like SSL traffic) can be compared
to a letter: source and destination address are readable by
any public station that the traffic passes through, BUT the
message is not.

TCP/IP traffic over a VPN can be compared to a courier
shipment: /while in the hands of the VPN/, neither the
source address nor destination address nor message are
readable by any public station that the traffic passes
through. However, the VPN provider can (and must) read at
least the source and destination addresses. The VPN provider
can also read the message, if the traffic through the VPN
is not encrypted by the originating application.

So, can you trust your VPN provider to keep the addresses
secret? Can you trust your VPN provider to not peek at your
data? Is your data valuable enough to employ a commercial
VPN?

--
Lew Pitcher
"In Skills, We Trust"

Tom Furie

Jul 20, 2022, 5:51:58 PM
On 2022-07-20, Lew Pitcher <lew.p...@digitalfreehold.ca> wrote:

> Is your data valuable enough to employ a commercial VPN?

I'd rephrase that as "Is your data sensitive enough to need a VPN but not so
sensitive as to control the VPN yourself?"

Cheers,
Tom

Grant Taylor

Jul 20, 2022, 7:20:53 PM
On 7/19/22 6:43 PM, Soviet_Mario wrote:
> If you are able, pls answer as if I were 100 % stupid :D I mean, I'm
> really dumb about internet protocols and the like.

You've demonstrated that you know enough to ask for help. That's more
than some people do. So it sounds like you're off to a good start. :-)

> I was considering to subscribe to a VPN (...), but when thinking about
> whether to use the VPN inside or outside the VM (...), I was at a loss.

I think it depends what your motivation is for using the VPN.

> I really dunno what a VPN is, I think the browser is to be instructed to
> connect to a proxy ... but WHERE ?

Lew and Tom have spoken to encryption.

I'll add that simply a VPN is a virtual connection from your machine to
a VPN provider somewhere. The nuances of what that virtual connection
consists of are somewhat outside of your question.

Proxies are technically different than a VPN in a number of ways,
particularly in how they work. But in the end, what they do is similar
to a VPN.

I personally would set up the VPN outside of /the/ /VM/ that we're
talking about / you're asking about. -- This way the VM itself can't
have traffic accidentally leak around the VPN. Such leakage can happen
for one of a myriad of reasons.

I would configure the VPN in a 2nd VM and have that VM act as the
gateway for the 1st VM. -- The 2nd VM would functionally be like a
gateway that provides the VPN connectivity endpoint.

Having the VPN inside of the 2nd VM means that you don't need to
complicate the host's network stack with complex (policy based) routing
and / or firewalls.

> Can sb tell in simple words which is possible and how, and the pros and
> cons of the solutions ?

Reply to ask questions based on what makes sense to you and what
doesn't. Those questions provide indication of what we should help you
with.



--
Grant. . . .
unix || die

stepore

Jul 20, 2022, 10:48:04 PM
On 7/19/22 17:43, Soviet_Mario wrote:
> I really dunno what a VPN is, I think the browser is to be
> instructed to connect to a proxy ... but WHERE ?

You don't really even have or know a real use-case for having a VPN.
You're asking about proxies or VPNs inside or outside your VMs. You're
all over the place.

Figure out what you want to try.

VPNs are essentially a way for you to connect a host (or its network)
to another network (or host) and the communications being sent over are
encrypted.

You can use a VPN to connect to a vpn server to browse the internet as
if you were on a different IP (network) to hide your traffic or use a
network that may not be available or accessible to you in your country
(geo-restricted sites), etc.

I don't use VPNs for that. I use a VPN to connect from my home network
to my work's network and use work resources (file shares, intranet, team
collaboration tools, etc) as if they were on my local PC and local network.

I also have my own VPN running on my internal network (in a VM) using
wireguard (best VPN available) :)
https://www.wireguard.com/

This way, when I'm away from home, I can connect to my VPN remotely
(with wireguard client) and access anything on my home network as if I
were actually at home.... etc etc etc.

I also set up Pi-Hole and VPN set up, so again if I'm away from home, I
connect my phone or laptop over VPN (wireguard) with pi-hole running and
blocking ads/malware and I can access all my resources on my local
network, etc. etc etc.

Pi-hole and wireguard are some of the best opensource tools I've seen. :)
https://pi-hole.net/


Soviet_Mario

Jul 22, 2022, 9:44:28 AM
On 21/07/22 04:47, stepore wrote:
> On 7/19/22 17:43, Soviet_Mario wrote:
>  > I really dunno what a VPN is, I think the browser is to be
>  > instructed to connect to a proxy ... but WHERE ?
>
> You don't really even have or know a real use-case for
> having a VPN.
> You're asking about  proxies or VPNs inside or outside your
> VMs.  You're
> all over the place.
>
> Figure out what you want to try.

just HIDE my IP whatever activity I do on normal web
(upload, download).

>
> VPNs are essentially a way for you to connect a host (or
> its network)
> to another network (or host) and the communications being
> sent over are
> encrypted.

even if encryption is welcome, the top priority is not to
hide data (they are possibly encrypted intrinsically), but
to cut the link between web activity and MYSELF.

>
> You can use a VPN to connect to a vpn server to browse the
> internet as
> if you were on a different IP (network) to hide your traffic
> or use a
> network that may not be available or accessible to you in
> your country
> (geo-restricted sites), etc.

My doubt is how to do this from within a virtual machine. I
mean, inside, I will setup Firefox to connect to the VPN,
but outside ?
I cannot understand well the concept of "tunnelling"
point-to-point, and how to disguise safely my IP.

>
> I don't use VPNs for that. I use a VPN to connect from my
> home network
> to my work's network and use work resources (file shares,
> intranet, team
> collaboration tools, etc) as if they were on my local PC and
> local network.
>
> I also have my own VPN running on my internal network (in a
> VM) using
> wireguard (best VPN available) :)
> https://www.wireguard.com/
>

interesting, I'm reading (understanding quite a little alas :\)

> This way, when I'm away from home, I can connect to my VPN
> remotely
> (with wireguard client) and access anything on my home
> network as if i
> were actually at home.... etc etc etc.

You are PRO !!!

>
> I also set up Pi-Hole and VPN set up, so again if i'm away
> from home, I
> connect my phone or laptop over VPN (wireguard) with pi-hole
> running and
> blocking ads/malware and i can access all my resources on my
> local
> network, etc. etc etc.
>
> Pi-hole and wireguard are some of the best opensource tools
> i've seen. :)
> https://pi-hole.net/

tomorrow I'll look at this too ... now unfortunately I have
to store and pack wood. I have 6,2 ton to store

Lew Pitcher

Jul 22, 2022, 10:26:13 AM
On Thu, 21 Jul 2022 23:47:50 +0200, Soviet_Mario wrote:

> On 21/07/22 04:47, stepore wrote:
>> On 7/19/22 17:43, Soviet_Mario wrote:
>>  > I really dunno what a VPN is, I think the browser is to be
>>  > instructed to connect to a proxy ... but WHERE ?
>>
>> You don't really even have or know a real use-case for
>> having a VPN.
>> You're asking about  proxies or VPNs inside or outside your
>> VMs.  You're
>> all over the place.
>>
>> Figure out what you want to try.
>
> just HIDE my IP whatever activity I do on normal web
> (upload, download).

[snip]

My recommendation would be to run the VPN software on your
base machine. This isolates the VPN-related network routing
changes to just the base system, with no network routing
changes necessary in your virtual systems (they should all
route through your base system already).

As for the base system's routing,
1) route all local traffic through your normal interfaces,
(hardwired lan through your lan interface, virtual lan
through the requisite virtual lan interfaces)
2) route the VPN-destined traffic (from the VPN software)
through your internet-facing interface, and
3) route /all other/ internet-destined traffic through the
VPN virtual network interface.

You probably should research VPN providers to find out
what VPN software they provide, and how it must be
configured to give you the protection you need.

HTH

Lew Pitcher

Jul 22, 2022, 11:04:56 AM
And, don't forget to firewall your internet-facing interface
so that it drops or denies any internet-originating traffic
/not/ originating at your VPN provider.
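Taking Lew's three routing steps and the firewall note above together, here is an added example (not code from any poster in this thread) that renders them as commands for review, restricted to the sandbox VM's traffic as Grant preferred earlier, and then checks an `ip route` / `ip rule` dump for traffic that would bypass the tunnel. Interface names, addresses and the table number are constructed assumptions: uplink eth0 via gateway 192.0.2.1, WireGuard interface wg0 to a provider endpoint at 203.0.113.10, VM bridge br0 carrying 192.168.100.0/24, policy-routing table 100.

```python
"""Added example (not Lew's or Grant's code): Lew's routing steps and firewall
advice, applied only to the sandbox VM's traffic as Grant proposed, rendered as
commands to review, plus a leak check over `ip route` / `ip rule` output.

Constructed assumptions: Linux host, uplink eth0 via gateway 192.0.2.1,
WireGuard interface wg0 to provider endpoint 203.0.113.10, VM bridge br0
carrying 192.168.100.0/24, policy-routing table 100. Nothing is executed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnTopology:
    uplink: str          # internet-facing interface (Lew's step 2)
    uplink_gw: str       # its next hop
    vpn_if: str          # VPN virtual interface (Lew's step 3)
    vpn_endpoint: str    # provider address the tunnel is built to
    vm_bridge: str       # bridge the sandbox VM is attached to
    vm_subnet: str       # addresses used on that bridge
    vm_table: int = 100  # routing table consulted for the VM's packets


EXAMPLE = VpnTopology("eth0", "192.0.2.1", "wg0", "203.0.113.10", "br0", "192.168.100.0/24")


def render_commands(t: VpnTopology) -> list[str]:
    """Commands for root to review and apply. Step 1 (local traffic via the
    normal interfaces) needs nothing: connected routes are already in main."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        # Step 2: the tunnel's own packets go out the physical uplink.
        f"ip route add {t.vpn_endpoint}/32 via {t.uplink_gw} dev {t.uplink}",
        # Step 3, for the VM only: its source range uses a table whose sole
        # default route is the tunnel. Host traffic keeps using main.
        f"ip route add default dev {t.vpn_if} table {t.vm_table}",
        f"ip rule add from {t.vm_subnet} lookup {t.vm_table}",
        # Source NAT so replies come back into the tunnel.
        "nft add table ip nat",
        "nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'",
        f"nft add rule ip nat postrouting oifname {t.vpn_if} ip saddr {t.vm_subnet} masquerade",
        # Lew's firewall: default-drop; the uplink accepts only replies and the
        # provider; the VM is forwarded into the tunnel and nowhere else, so a
        # tunnel outage fails closed instead of leaking around the VPN.
        "nft add table inet filter",
        "nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'",
        "nft add rule inet filter input iifname lo accept",
        f"nft add rule inet filter input iifname {t.vm_bridge} accept",
        "nft add rule inet filter input ct state established,related accept",
        f"nft add rule inet filter input iifname {t.uplink} ip saddr {t.vpn_endpoint} accept",
        "nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'",
        "nft add rule inet filter forward ct state established,related accept",
        f"nft add rule inet filter forward iifname {t.vm_bridge} oifname {t.vpn_if} accept",
    ]


# `ip -4 route show table all` prints e.g. "default dev wg0 table 100 scope link";
# local-table lines start with "local"/"broadcast" and do not match.
_ROUTE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?: table (?P<table>\S+))?")


def parse_routes(dump: str) -> list[dict]:
    routes = []
    for line in dump.splitlines():
        m = _ROUTE.match(line.strip())
        if m:
            r = m.groupdict()
            r["table"] = r["table"] or "main"
            routes.append(r)
    return routes


def find_leaks(route_dump: str, rule_dump: str, t: VpnTopology) -> list[str]:
    """Ways the VM's packets could reach the uplink unencrypted; [] means clean."""
    problems = []
    if not re.search(rf"from {re.escape(t.vm_subnet)} (?:lookup|table) {t.vm_table}\b", rule_dump):
        problems.append(f"no ip rule sends {t.vm_subnet} to table {t.vm_table}")
    routes = parse_routes(route_dump)
    vm_routes = [r for r in routes if r["table"] == str(t.vm_table)]
    if not any(r["dst"] == "default" and r["dev"] == t.vpn_if for r in vm_routes):
        problems.append(f"table {t.vm_table} has no default route via {t.vpn_if}")
    problems += [f"table {t.vm_table} sends {r['dst']} via {t.uplink}" for r in vm_routes if r["dev"] == t.uplink]
    if not any(r["dst"] == t.vpn_endpoint and r["dev"] == t.uplink and r["table"] == "main" for r in routes):
        problems.append(f"no host route to {t.vpn_endpoint} via {t.uplink} (tunnel would route itself)")
    return problems


# Constructed dumps in the format of `ip -4 route show table all` and `ip rule`.
GOOD_ROUTES = """\
default via 192.0.2.1 dev eth0 proto dhcp
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
192.168.100.0/24 dev br0 proto kernel scope link src 192.168.100.1
203.0.113.10 via 192.0.2.1 dev eth0
default dev wg0 table 100 scope link
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
"""
GOOD_RULES = "0:\tfrom all lookup local\n32765:\tfrom 192.168.100.0/24 lookup 100\n32766:\tfrom all lookup main\n"
# Same host after someone "fixed" a dead tunnel by pointing table 100 at the uplink.
BAD_ROUTES = GOOD_ROUTES.replace("default dev wg0 table 100 scope link",
                                 "default via 192.0.2.1 dev eth0 table 100")

if __name__ == "__main__":
    print("\n".join(render_commands(EXAMPLE)))
    print("clean:", find_leaks(GOOD_ROUTES, GOOD_RULES, EXAMPLE))
    print("leaky:", find_leaks(BAD_ROUTES, GOOD_RULES, EXAMPLE))
```

The forward chain is what turns Lew's advice into a kill switch: with policy drop and no rule allowing br0 to eth0, a VM packet that loses its tunnel route has nowhere to go, which is the leak Grant warned about. Run `find_leaks` against real `ip -4 route show table all` and `ip rule show` output after applying the commands, and again after reconnecting the VPN, since some VPN clients rewrite routes on reconnect.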

Grant Taylor

Jul 22, 2022, 1:02:22 PM
On 7/21/22 3:47 PM, Soviet_Mario wrote:
> even if encryption is welcome, the top priority is not to hide data
> (they are possibly encrypted intrinsically), but to cut the link by web
> activity and MYSELF.

Depending on the VPN that you choose, there may very well be information
that associates information with the VPN as you during the time span
that you're connected to it. E.g. the VPN provider allocates an IP to
you for the duration of your connection and logs that fact. So if
(when) someone asks the VPN provider -- with proper credentials / court
order / etc. -- the VPN provider can say "$PERSON was using $IP at
$DATE_TIME". This is very much like what could be done with many
internet connections for the last 30+ years.

> My doubt is how to do this from within a virtual machine. I mean,
> inside, I will setup Firefox to connect to the VPN, but outside ?

Firefox, et al., inside the virtual machine will not know / be
configured to use the VPN per se. Rather it (they) will just use the
provided network connection. That network connection will be configured
by the host computer to send everything (from / to) the VM /through/ the
VPN.

> I cannot understand well the concept of "tunnelling" point-to-point, and
> how to disguise safely my IP.

A very loose analogy would be like Firefox running in the VM writing a
post card and addressing it to the server it wants to talk to. Then the
host would take the postcard and put it in an envelope that is addressed
to an intermediate on the Internet. The intermediate will take the
postcard out of the envelope and send it to the real server that Firefox
wanted to talk to. This way your local postal carrier will not have any
idea that Firefox is talking to the server and instead think that
someone at your address is talking to the intermediate.

> interesting, I'm reading (understanding quite a little alas :\)

Please, ask questions. :-)

> tomorrow I'll look at this too ... now unfortunately I have to store and
> pack wood. I have 6,2 ton to store

Wood, the fuel that heats you three times; harvesting, storing, and
consuming.
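Grant's postcard-in-an-envelope analogy, as bytes: an added example that is not from his post. An inner IPv4 packet (VM to web server) is encrypted and carried as the UDP payload of an outer IPv4 packet (host to VPN endpoint), so every hop between the host and the endpoint reads only the outer addresses, while the endpoint unwraps and forwards the inner packet. Addresses and keys are constructed; the SHA-256 counter-mode keystream only stands in for the tunnel cipher (a real VPN uses an authenticated cipher), and the inner payload stands in for a TCP segment.

```python
"""Added example, not from Grant's post: the 'postcard in an envelope' analogy
as bytes. An inner IPv4 packet (VM -> web server) is encrypted and carried as
the UDP payload of an outer IPv4 packet (host -> VPN endpoint). Addresses and
keys are constructed; the SHA-256 counter-mode XOR is a stand-in for the
tunnel cipher, which in a real VPN is an authenticated cipher.
"""
import hashlib
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    length = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """The fields a router (Grant's postal carrier) reads; raises on junk."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("not a well-formed IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the tunnel cipher: XOR with SHA-256(key|nonce|counter)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


UDP_PORT = 51820  # WireGuard's default port, used here only to label the flow


def encapsulate(inner: bytes, host_ip: str, endpoint_ip: str, key: bytes, nonce: bytes) -> bytes:
    """The envelope: outer IPv4 -> UDP -> nonce || encrypted inner packet."""
    body = nonce + keystream_xor(key, nonce, inner)
    udp = struct.pack("!HHHH", UDP_PORT, UDP_PORT, 8 + len(body), 0) + body  # checksum 0 = none
    return build_ipv4(host_ip, endpoint_ip, 17, udp)


def carrier_view(wire: bytes) -> tuple[str, str]:
    """What every hop between the host and the VPN endpoint can read."""
    outer = parse_ipv4(wire)
    return outer["src"], outer["dst"]


def decapsulate(wire: bytes, key: bytes) -> bytes:
    """What the VPN endpoint does before sending the inner packet on its way."""
    udp_payload = parse_ipv4(wire)["payload"][8:]
    nonce, ciphertext = udp_payload[:12], udp_payload[12:]
    return keystream_xor(key, nonce, ciphertext)


def demo() -> dict:
    """Constructed inner packet from the VM (192.168.100.23) to a web server
    (198.51.100.80), wrapped by the host (192.0.2.50) for the endpoint
    (203.0.113.10). Fixed key and nonce keep the run repeatable."""
    key, nonce = bytes(32), bytes(12)
    inner = build_ipv4("192.168.100.23", "198.51.100.80", 6, b"GET / HTTP/1.1\r\n")
    wire = encapsulate(inner, "192.0.2.50", "203.0.113.10", key, nonce)
    return {"carrier_sees": carrier_view(wire),
            "endpoint_recovers": parse_ipv4(decapsulate(wire, key))["dst"],
            "inner_dst_on_wire": socket.inet_aton("198.51.100.80") in wire,
            "round_trip": decapsulate(wire, key) == inner}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`carrier_sees` is the envelope Grant describes (host to intermediate), `inner_dst_on_wire` shows the server's address is not present in the bytes the carrier handles, and `endpoint_recovers` is the intermediate taking the postcard out and reading where it really goes; that last line is also why Lew's question about trusting the provider matters, since the endpoint necessarily sees the inner addresses.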

Grant Taylor

Jul 22, 2022, 1:07:05 PM
On 7/22/22 8:26 AM, Lew Pitcher wrote:
> My recommendation would be to run the VPN software on your base
> machine. This isolates the VPN-related network routing changes to
> just the base system, with no network routing changes necessary in
> your virtual systems (they should all route through your base system
> already).

Running the VPN software on the base system will likely also route other
traffic from the host computer through the VPN. Something that I
believe that Soviet Mario wanted to avoid doing.

I would advocate for running the VPN software in a 2nd VM so that it can
handle the 1st VM's traffic as Lew is suggesting for the 1st VM.

(Internet)---[router]---[host]---[(2nd) VPN VM]---[(1st) VM sandbox]

Pancho

Jul 23, 2022, 4:14:02 AM
On 21/07/2022 22:47, Soviet_Mario wrote:
> On 21/07/22 04:47, stepore wrote:
>> On 7/19/22 17:43, Soviet_Mario wrote:
>>   > I really dunno what a VPN is, I think the browser is to be
>>   > instructed to connect to a proxy ... but WHERE ?
>>
>> You don't really even have or know a real use-case for having a VPN.
>> You're asking about  proxies or VPNs inside or outside your VMs.  You're
>> all over the place.
>>
>> Figure out what you want to try.
>
> just HIDE my IP whatever activity I do on normal web (upload, download).
>
>>
>> VPNs are essentially a way for you to connect a host (or its network)
>> to another network (or host) and the communications being sent over are
>> encrypted.
>
> even if encryption is welcome, the top priority is not to hide data
> (they are possibly encrypted intrinsically), but to cut the link by web
> activity and MYSELF.
>
>>
>> You can use a VPN to connect to a vpn server to browse the internet as
>> if you were on a different IP (network) to hide your traffic or use a
>> network that may not be available or accessible to you in your country
>> (geo-restricted sites), etc.
>
> My doubt is how to do this from within a virtual machine. I mean,
> inside, I will setup Firefox to connect to the VPN, but outside ?
> I cannot understand well the concept of "tunnelling" point-to-point, and
> how to disguise safely my IP.
>

I don't know how to do it in a single machine. I do know how to achieve
what you want with a second machine or VM acting as a router.

Once you have a VPN in a router you can make it act as a dual wan
router, where it directs traffic to the internet over the WAN or VPN
based upon specified connection characteristics such as: LAN IP, Ports,
Destination IP etc. Thus, you could assign an IP to a VM and direct all
traffic from that VM through the VPN tunnel.

You can actually do this with a lot of common internet routers, using
custom firmware like OpenWrt or Tomato. You can also set up a router in
a VM using software like pfSense or OpenWrt. I'm pretty sure there are
Linux firewalls too, I've just not used them.

Soviet_Mario

Jul 23, 2022, 7:50:27 AM
On 22/07/22 19:06, Grant Taylor wrote:
> On 7/22/22 8:26 AM, Lew Pitcher wrote:
>> My recommendation would be to run the VPN software on your
>> base machine. This isolates the VPN-related network
>> routing changes to just the base system, with no network
>> routing changes necessary in your virtual systems (they
>> should all route through your base system already).
>
> Running the VPN software on the base system will likely also
> route other traffic from the host computer through the VPN.
> Something that I believe that Soviet Mario wanted to avoid
> doing.

it should be indifferent to also route the host traffic ...

>
> I would advocate for running the VPN software in a 2nd VM so
> that it can handle the 1st VM's traffic as Lew is suggesting
> for the 1st VM.
>
> (Internet)---[router]---[host]---[(2nd) VPN VM]---[(1st) VM
> sandbox]
>
>
>

the fact remains that I'm unable to understand PRACTICALLY
what you all are suggesting.
I can understand it in the general lines, ending up with
nothing done.

Not your fault obviously. I simply very often pose questions
whose answers I'm unable to understand later :\