Windows 10: How to share Pulse Secure VPN (NDIS Light Weight Filter) connection with VMs?


The short answer is to create a software NAT, and give the VM a vNIC on that NATted subnet.

This particular VPN software, once a connection is established, will set up a new VPN virtual adapter on the host, configured on a /32 IP (e.g. 10.1.1.17/32). When that VPN is "connected", it will modify the Windows host's routing table with a new preferential default gateway route entry, causing outgoing host traffic to pass through the VPN interface. The VPN software then passes encrypted packets on a particular physical device.

The traffic flowing through the Ethernet bridge (physical Ethernet interface + VM virtual Ethernet) does not flow through that routing table however, so it flows the same way regardless of the VPN preferential gateway. By that, I mean that bridged traffic will exit the host without going through the VPN route. That explains why I can't get VM guest traffic to go through the tunnel. At least that's my understanding.

My next attempt was to add another bridge between the VMs and the VPN virtual adapter**, so that I could, from the VMs, also have a route to that default gateway of 10.1.1.17/32. However, this particular VPN virtual adapter** is picky, and just refuses to work if moved into a bridge. Also, in Windows 10, as far as I can tell, there can only be one bridge device, so that would not have been an ideal option anyway.

Having realized that it was an L3 issue, I tried to configure my Windows 10 host to route between two subnets (VMs <=> VPN). After all, the host is assigned an address on both the VM subnet 192.168.4.0/24 and the VPN subnet (the only such address 10.1.1.17/32). But it would seem configuring Windows 10 as an actual router is a nightmare (you need Server edition).

I ended up using a software NAT to fix the issue. It turns out that Windows 10 can create native NATs (no extra service or software needed). To allow a VM's traffic to flow through the VPN, I give them a vNIC on that NATted subnet, and Windows takes care of forwarding that traffic with its main table, which does go through the VPN. I can also get rid of some of my bridges that way, because when the software VPN's down (aka disconnected), traffic then just automatically reroutes to whatever other physical connection I have (wifi, or wired)!

I've posted the steps to configure the NAT there:

https://serverfault.com/questions/911578/windows-10-pro-as-a-nat-between-two-interfaces

Note on NAT limits on Windows 10: I have read reports that there is a limit of 1 NAT interface on Win10, but that doesn't seem to match my personal experience. I have Docker for Windows installed, and it creates its own "DockerNat" interface when you install it. My custom NAT interface is able to live side by side with the DockerNat device just fine.

** It's called "Pulse Secure - Juniper Networks virtual adapter"
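The NAT setup the answer describes, built with the Hyper-V and NetNat cmdlets, as an added example that is not part of the original post. The switch name, NAT subnet, gateway address, VM name and probe address are made-up values; the internal switch provides no DHCP, so the guest is assumed to get a static address in the NAT subnet.

```powershell
# Added example: native Windows 10 NAT so Hyper-V guests follow the host's main
# routing table (and therefore the VPN's preferential default route when it is up).
# Constructed values: switch "NatSwitch", subnet 192.168.50.0/24, gateway 192.168.50.1,
# VM "ubuntu-vm", probe address 1.1.1.1. Run from an elevated PowerShell on the host.

$SwitchName = 'NatSwitch'
$NatPrefix  = '192.168.50.0/24'
$GatewayIP  = '192.168.50.1'
$VmName     = 'ubuntu-vm'

# 1. Internal vSwitch: the host gets a "vEthernet (NatSwitch)" adapter on it,
#    and guests attach their vNIC to it. Idempotent if it already exists.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. The host side of the switch becomes the default gateway for the NAT subnet.
$adapter = Get-NetAdapter -Name "vEthernet ($SwitchName)"
if (-not (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $GatewayIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $GatewayIP -PrefixLength 24 -InterfaceIndex $adapter.ifIndex | Out-Null
}

# 3. The NAT object: packets sourced from the prefix are translated to the host
#    and forwarded according to the host's routing table, VPN route included.
if (-not (Get-NetNat -Name "$SwitchName-NAT" -ErrorAction SilentlyContinue)) {
    New-NetNat -Name "$SwitchName-NAT" -InternalIPInterfaceAddressPrefix $NatPrefix | Out-Null
}

# 4. Put the guest's vNIC on the switch. Inside the guest, configure a static
#    address in 192.168.50.0/24 with $GatewayIP as the default gateway.
Connect-VMNetworkAdapter -VMName $VmName -SwitchName $SwitchName

# 5. Verification: the interface the host selects for an outside address is the
#    one NATted guest traffic will leave on. With the VPN connected this should be
#    the VPN virtual adapter; with it disconnected the same lookup falls back to
#    the physical NIC, so re-check this whenever the tunnel state changes if the
#    guest must only reach the network through the tunnel.
Find-NetRoute -RemoteIPAddress '1.1.1.1' | Format-List InterfaceAlias, InterfaceIndex, NextHop
Get-NetNat | Format-Table Name, InternalIPInterfaceAddressPrefix, Active
```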


Author: init_js

Computer Scientist, Experienced Software Engineer.

Updated on September 18, 2022

Comments

  • init_js, almost 2 years ago

    I have a Windows 10 host connected with wired Ethernet. Its Ethernet interface is bridged with a Hyper-V vEthernet interface. Both the host and the VM guest are configured using DHCP on a home network, and both get internet connectivity.

    When I enable a Pulse Secure VPN (v5.3.3) connection, the host's traffic gets tunnelled, but not the guest's (the guest still uses the underlying non-vpn'd connection). The guest is running Ubuntu 16.04.

    How do I get both to go through the tunnel?

    I know, based on a knowledge base article, that the software uses a lightweight filter on physical devices. Is there a limitation of this type of filter driver that would make it difficult to use with bridges?

    Maybe there is a workaround to share the tunnelled connection?