I have a site to site VPN using Pritunl VPN. My data center servers' IP addresses are assigned to the following sub-network 10.175.125.1/24. All of my IP addresses on-site show up except one IP address. The following IP address does not show up: 10.175.125.117. And I cannot access it over the VPN. The only difference between that specific IP address and the rest of the IP addresses within the subnet is that the server is a MACVTAP host for the VPN server. I need to pass the IP address from the MACVTAP host to my network switch, so I can use it as a server remotely. I am not sure how to resolve that issue, as the IP address does exist on the network and I can access it on-site without a VPN using the IP address. However, if I move off site into a different network while using a VPN, I cannot access it. How would I resolve this issue, so I can pass-through my VPN IP address towards the network switch, while having the host machine also appear on the VPN private subnet for remote connection? (Not while not having my host machine also appear on the VPN.) The virtualization software I use is KVM/QEMU/Virtual Manager.
If you’re referring to the QEMU host IP, I believe this is a limitation of macvtap and also macvlan interfaces, as explained in the libvirt documentation.
If you are using SNAT/DNAT to passthrough an IP to the guest and you can’t access that IP it could be a NAT reflection issue with the iptables configuration.
What would be the best way to resolve this issue without moving the VPN server to a different machine?
The libvirt documentation explains two solutions. When possible, bridged networking should be used over macvtap/macvlan, which wouldn’t have this issue.
Below is an example of adding a macvtap interface to the QEMU host where
8a:b8:31:04:d3:64 is a random mac address,
bond0 is the host interface for the macvtaps and
10.175.123.123/16 is an additional IP address for the QEMU host.
I do have test servers with macvlan configurations for Pritunl Cloud and this allowed accessing the QEMU host from a guest. Interestingly, once this is done the other QEMU host IP address started working also. I believe doing this effectively switches the host over to macvtap networking. You will need to verify that no firewalls are impacted.
sudo ip link add veth0 addr 8a:b8:31:04:d3:64 link bond0 type macvtap mode bridge
sudo ip addr add 10.175.123.123/16 dev veth0
sudo ip link set dev veth0 up
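As an added example that is not part of the thread or of Pritunl's own tooling: a small POSIX shell helper that validates the inputs of the recipe above before touching the host's networking. A mistyped MAC (for instance a multicast or globally administered one) or CIDR would otherwise only surface as a lost host address or an ARP conflict on the switch, so the helper checks the MAC is a locally administered unicast address, checks the CIDR shape, and emits the three `ip` commands as a dry run; only `--apply` runs them with sudo. The script name `macvtap_check.sh`, the `veth0` device name and the reuse of the thread's sample MAC and address are assumptions for illustration.

```shell
#!/bin/sh
# Added helper (not from the thread): validate inputs for the macvtap recipe
# and print the commands as a dry run. Usage:
#   sh macvtap_check.sh bond0 veth0 8a:b8:31:04:d3:64 10.175.123.123/16 [--apply]

# Return 0 if MAC is six hex octets, unicast (bit 0 of the first octet clear)
# and locally administered (bit 1 set), which a made-up MAC must be so it can
# never collide with a vendor-assigned one on the switch.
valid_mac() {
    mac=$1
    hh='[0-9a-fA-F][0-9a-fA-F]'
    case "$mac" in
        $hh:$hh:$hh:$hh:$hh:$hh) ;;
        *) return 1 ;;
    esac
    first=$((0x${mac%%:*}))           # first octet as an integer
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# Return 0 if CIDR is a.b.c.d/n with octets 0-255 and prefix length 0-32.
valid_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${cidr%/*}
    plen=${cidr#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    IFS='.'
    set -- $ip                          # split the address on dots
    unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the three commands for: host interface, macvtap device, MAC, CIDR.
# Fails (and prints nothing) if the MAC or CIDR does not validate.
macvtap_cmds() {
    host_if=$1; dev=$2; mac=$3; cidr=$4
    valid_mac "$mac"   || { echo "bad MAC: $mac" >&2; return 1; }
    valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    printf 'ip link add %s addr %s link %s type macvtap mode bridge\n' "$dev" "$mac" "$host_if"
    printf 'ip addr add %s dev %s\n' "$cidr" "$dev"
    printf 'ip link set dev %s up\n' "$dev"
}

# Entry point: dry run by default, execute with sudo only on --apply.
if [ $# -ge 4 ]; then
    cmds=$(macvtap_cmds "$1" "$2" "$3" "$4") || exit 1
    if [ "${5:-}" = "--apply" ]; then
        printf '%s\n' "$cmds" | while read -r line; do sudo $line; done
    else
        printf '%s\n' "$cmds"
    fi
fi
```

After applying, `ip -d link show veth0` should list the device as `macvtap mode bridge` on the chosen host interface, and the new host address should answer from a guest; if it does not, the firewall check the reply mentions is the next place to look.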