Categories
Linux

A gateway to forward all traffic to a remote VPN server

Suppose you’ve setup a VM and configured it as a site-to-site VPN with OpenVPN, using iroute and staticclients. You are using this VM as a default gateway for other VMs and now want to forward all traffic from the VMs not through the default gateway‘s adapter, but through the VPN tunnel.

Why would you want to do this? One use-case might be because you want your VMs to have the same originating IP address as the VPN server.

To get started, make sure you add these commands in a terminal on your default gateway:

  • ip route add ip-address-of-vpn-server/32 via default-gateway-ip dev enp0s5 (providing enp0s5 is your current adapter)
  • ip route del default
  • ip route add default via 192.168.159.14 dev tun0 (providing 192.168.159.14 is the private IP you got from your VPN)

The commands above will make sure your gateway can still reach the VPN server. Once the default route is deleted, we add a new default route that goes through the tunnel.

On the other side of the tunnel, on your VPN server, you will need to add these commands:

  • iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  • iptables -I FORWARD -i tun0 -o eth0 -s 192.168.159.0/24 -m conntrack --ctstate NEW -j ACCEPT
  • iptables -t nat -I POSTROUTING -s 192.168.159.0/24 -o eth0 -j MASQUERADE
  • iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
  • iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
  • iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
  • iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Now the VMs will be able to connect through the VPN tunnel and use the VPN server as default gateway.

Categories
OSX

VMsvga2

If you’re running macOS with QEMU, you’ll notice that the UI might be slow. This is because, by default, QEMU will use a basic display adapter with low display memory (VRAM).

There’s two ways to fix this problem:

  • Pass-through your GPU with vfio
  • Use another display adapter, such as VMsvga2

This post will focus on VMsvga2, which is a macOS kext that enables you to use the vmvga video model with libvirt.

Unfortunately VMsvga2 is an old project that is no longer maintained, same goes for the vmvga QEMU driver. Currently there’s no QXL driver available for macOS so this is the only choice we have.

Simply replace your existing video XML with this:

<video>
  <model type='vmvga' vram='16384' heads='1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/> 
</video>

You can increase the vram to the amount you desire.
If you are using the Clover bootloader, you might have to add wmv_option_fb=0x06 to the arguments section in your config.plist

You will also need to make sure you have the VMsvga2 kext installed on your system.

Once you reboot, you’ll notice a more responsive UI.

Categories
OSX

Resizing an OSX VM with apfs and QEMU

Looking to resize an existing qcow2 or raw data volume with QEMU?

I had to do the same thing and went through some trouble in trying to do this. My first idea was to use GParted and boot from the live-cd iso to extend the apfs partition. However, it turns out that GParted does not support apfs (yet?).

First, you’ll need to expand the disk space available to the VM. Depending on the disk format, you can use:

  • qcow2: qemu-img resize image.qcow2 +20G
  • lvm: lvextend -L /dev/lvmpool/vm +20G

Now you can expand the apfs container from inside the OSX VM. Simply find out the identifier of your partition:

/usr/sbin/diskutil info / | awk '/Part of Whole/ {print $4}'

And use that identifier together with this command:

/usr/sbin/diskutil apfs resizeContainer /dev/{identifier} 0

This will expand to use up all available free disk space.

Categories
QEMU

Hyper-V Enlightenments with Libvirt

With Windows 10, it’s helpful to enable Hyper-V Enlightenments, to save CPU and increase VM responsiveness.

To use these enlightenments, edit your libvirt xml:

<features>
  <acpi/>
  <apic/>
  <pae/>
  <hyperv>
    <relaxed state='on'/>
    <vapic state='on'/>
    <spinlocks state='on' retries='8191'/>
    <vpindex state='on'/>
    <synic state='on'/>
    <stimer state='on'/>
    <reset state='on'/>
  </hyperv>
</features>

More information available on https://fossies.org/linux/qemu/docs/hyperv.txt

Another interesting note: if you want to run Windows 10 or similar in a VM, you might want to use these clock timer settings, to avoid high load even when your VM is idle:

<clock offset='localtime'>
  <timer name='rtc' tickpolicy='catchup'/>
  <timer name='pit' tickpolicy='delay'/>
  <timer name='hpet' present='no'/>
  <timer name='hypervclock' present='yes'/>
</clock>
Categories
OSX

Content Caching on OSX VMs

Apple’s Content Caching is not available when running OSX in a VM.

It seems Apple is detecting if it’s running inside a VM:

$ sudo /usr/bin/AssetCacheManagerUtil activate
AssetCacheManagerUtil[] Failed to activate content caching: Error Domain=ACSMErrorDomain Code=5 "virtual machine"...

To get around this, you can patch the kernel to remove the cpuid features check:

  • First disable SIP
  • Next: sudo mount -uw /
  • kernel_autopatcher.py /System/Library/Kernels/kernel
  • sudo kextcache -i /

Reference: https://github.com/kholia/OSX-KVM/blob/master/reversing-notes.md