PPTP VPN for Virtualbox Guest – NAT Network / Host-Only Connections

cannot register hard disk virtualbox already exists

You can check out the guide below or an alternative guide that uses NAT Network for PPTP / GRE VPN connections in Virtualbox guest machines.

PPTP VPN connections from VirtualBox guests

My work requires that I use a PPTP VPN connection to the company’s corporate network, and (for unavoidable reasons which are irrelevant to this post) this connection be must made from a Windows machine.

The OS on my work laptop is Linux, and I use VirtualBox to run a set of VMs. This works well most of the time, but VirtualBox’s support for PPTP (in particular the GRE protocol) is a bit… well, lacking: The VirtualBox NAT implementation does not support GRE at all. Also, I could only get a PPTP connection to work over a bridged connection when using an ethernet NIC. Bridging to a wireless NIC hung at “verifying user name and password”.

Obviously, this was restricting where I could use my laptop for work…

The solution was based on this post in this thread about UFW and VPNs on the Ubuntu forums about how to use UFW to configure netfilter/iptables to route GRE packets. I had already configured UFW for router functionality (following the IP Masquerading section of the “Firewall” page in the  Ubuntu Server Guide), so I combined the two sets of instructions, and it worked.

Here’s what I did to get it working:

VirtualBox Networking

I have 2 host-only networks configured for use by all VMs. The only reason for having a 2nd network is that Windows starts up a DHCP server on the NIC it sees as the “home network gateway” when ICS is used and it seems this DHCP server cannot be disabled, so a 2nd network is used to prevent the unwanted DHCP server from allocating addresses to the other VMs.
The first host-only network is typical:
  • Name:            vboxnet0
  • IPAddress:
  • NetworkMask:

Personally I don’t use the built-in DHCP server VirtualBox provides for host-only networks because my DHCP needs are more complex that what it provides, but for basic usage it is fine (configuring DHCP is an exercise for the reader 😉 )

The second host-only is the network that traffic is sent over to be routed via the VPN:

  • Name:            vboxnet1
  • Dhcp:            Disabled
  • IPAddress:
  • NetworkMask:

Like I said above, Windows will run a DHCP server on  this network so disable the VirtualBox one for this network.

The subnet is dictated by the fact that the Windows VM will use ICS (Internet Connection Sharing), and this automatically configures the NIC that Windows treats as the “private network” to

Routing To External Networks
I followed the Ubuntu Server Firewall IP Masquerade instructions, modifying them slightly: I added 3 POSTROUTING rules, one for each physical NIC and one for the “route-to-VPN” virtual NIC :

# Forward traffic from vboxnet0 (aka “internal LAN”) through
# eth0, wlan0 or vboxnet1, depending on how they are routed

Also, after these lines….:

# allow dhcp client to work
-A ufw-before-input -p udp –sport 67 –dport 68 -j ACCEPT

….I added these lines to allow routing of GRE packets (according to this post in the Ubuntu forums thread about UFW and VPNs):

# Allow GRE packets through (required for PPTP VPN)
-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-output -p 47 -j ACCEPT

I then restarted UFW to pick up the changes:

sudo ufw disable && sudo ufw enable

Windows Internet Connection Sharing
The Windows VM has 2 virtual NICs, connected to the vboxnet0 and vboxnet1 host-only networks respectively.

  • The NIC on vboxnet0 is the one will have the PPTP VPN connection established across it. This is configured via DHCP.
  • The other NIC is on vboxnet1, and receives traffic to route over the VPN connection.

I enabled ICS on the PPTP VPN:

  1. Browse to “Control Panel\Network and Internet\Network Connections” in Windows Explorer
  2. Right-click on the VPN adapter icon and choose “Properties”.
  3. Click the “Sharing” tab
  4. Check the box beside “Allow other network users to connect through this computer’s Internet connection”
  5. In the drop-down under “Home networking connection” choose the NIC connected to vboxnet1
  6. Click OK

Routing Over the VPN
The final thing to configure is accessing the corporate network via the VPN from my other VMs and host OS. This only needs to be configured when I’m not in the office, so the following script is run as root whenever my laptop is connected to a new LAN to automatically adds or deletes the required route(s).

Note – you should modify the value of the CORP_SUBNET variable as required (and of course the routing table entries to add/remove)


# Determine add/delete depending on network that default gateway is on:
# – if gateway is not on corp. LAN segment, add routes because VPN
#   is required
# – otherwise delete routes because VPN is not required and routes may already
#   be present


# Obtain default gateway IP
DEFAULT_GATEWAY=$(route -n | awk ‘/^0\.0\.0\.0/ {print $2}’)
echo “default route is $DEFAULT_GATEWAY”

if [ -n “$(echo $DEFAULT_GATEWAY | grep -E $CORP_SUBNET_GW)” ] ; then
OPERATION=”delete”     # we are on the corp. LAN
OPERATION=”add”        # we are not on the corp. LAN

# do the add/delete operations…

# Example route #1 to access the Corp. LAN
route $OPERATION -net gw $VPN_GW dev $IFACE

# Example route #2 to access a specific machine on another LAN segment
route $OPERATION -host gw $VPN_GW dev $IFACE

Actually, I’ve saved this script as /etc/network/if-up.d/vboxnet-routes, and also added the following line to the end of the /etc/rc.local file:

 /etc/network/if-up.d/vboxnet-routes || true

…but this requires that the instructions in my previous post have been followed…

Leave a Reply