nihilist@mainpc - 2024-08-08

Route QEMU VMs through a Host OS VPN

Initial Setup

First, install the VPN as we saw previously. The only difference is that we now install it on the host OS rather than inside the VM.


# Download the Mullvad signing key
sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc

# Add the Mullvad repository server to apt
echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list
# Or add the Mullvad BETA repository server to apt
echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/beta $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list

# Install the package
sudo apt update
sudo apt install mullvad-vpn

# Log in to your Mullvad account
mullvad account login
Enter an account number: 91320912809328832
Mullvad account "91320912809328832" set

# Connect to the VPN:
mullvad lockdown-mode set on
mullvad connect

curl ifconfig.me
194.127.199.92
	

Then, configure Mullvad as follows:

From there you'll have the tun0 network interface available, which we can use in the QEMU VM XML configuration:

As you can see here, we have the tun0 interface, with the 10.5.0.0/16 subnet, so we'll use a smaller subnet within that same subnet to create our VPN NAT configuration:

Then use it on your VM configuration like so:

And then once applied, you can check if it works as intended from inside the VM, by going to https://mullvad.net/en/check

Whonix VPN -> Tor Setup



As we explained previously, if your ISP does not allow Tor traffic, you need to hide it behind a VPN when you want to use anonymity on the VM itself. One simple way to do it is to route the VM's network traffic (via NAT) through a host-based VPN, as we showcased above.

The existing Whonix-External network looks like so by default:


<network>
  <name>Whonix-External</name>
  <uuid>1775d1fe-1606-4962-a3a6-b7b451b9442e</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr1" stp="on" delay="0"/>
  <mac address="52:54:00:66:89:bb"/>
  <ip address="10.0.2.2" netmask="255.255.255.0">
  </ip>
</network>

And it needs to be changed to the following:


<network>
  <name>Whonix-External</name>
  <forward dev='tun0' mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
  </ip>
</network>

So do the following:

And that's it! We now have a (VPN -> Tor) setup, which conceals the Tor traffic behind the VPN in case your ISP doesn't allow Tor traffic.
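As an added example (not part of the original tutorial), here is a small Python check that a libvirt network definition pins NAT forwarding to the VPN interface, run against the two Whonix-External definitions shown above. The function name `audit_forward` and its `vpn_dev` parameter are made up for this illustration; the script also accepts the output of `virsh net-dumpxml Whonix-External` on stdin.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample inputs: the two Whonix-External definitions shown above.
DEFAULT_XML = """<network>
  <name>Whonix-External</name>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr1" stp="on" delay="0"/>
  <ip address="10.0.2.2" netmask="255.255.255.0"/>
</network>"""

PINNED_XML = """<network>
  <name>Whonix-External</name>
  <forward dev='tun0' mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>"""


def audit_forward(xml_text, vpn_dev="tun0"):
    """Return a list of findings; an empty list means egress is pinned to vpn_dev."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="(unnamed)")
    fwd = root.find("forward")
    if fwd is None:
        return [f"{name}: no <forward> element (isolated network, no egress)"]
    findings = []
    if fwd.get("mode", "nat") != "nat":
        findings.append(f"{name}: forward mode is {fwd.get('mode')!r}, expected 'nat'")
    # libvirt accepts the device as an attribute and/or <interface dev=.../> children.
    devs = {fwd.get("dev")} | {i.get("dev") for i in fwd.findall("interface")}
    devs.discard(None)
    if not devs:
        findings.append(f"{name}: forwarding is not restricted to any host device")
    elif devs != {vpn_dev}:
        findings.append(f"{name}: forwards via {sorted(devs)}, expected only {vpn_dev!r}")
    return findings


if __name__ == "__main__":
    # Pipe in `virsh net-dumpxml Whonix-External`, or run bare to audit the samples.
    docs = [DEFAULT_XML, PINNED_XML] if sys.stdin.isatty() else [sys.stdin.read()]
    for doc in docs:
        print(audit_forward(doc) or "OK: egress pinned to tun0")
```

An empty result for the live definition confirms that the edit was actually applied to the network libvirt is running, not just saved in a file.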
