RDP over Wireguard tunnel to a QEMU VM

Let me start with a brief explanation:

  • PC1 is a Debian box on LAN1
  • PC2 is my home machine on LAN2
  • I have a Wireguard tunnel from PC2 (10.0.0.2) to PC1 (10.0.0.1)
  • VM1 is a Windows Server VM running on PC1

I need to RDP from PC2 to VM1. I’m afraid I’m in a bit over my head with QEMU networking, but I’m willing and trying to learn. Most things I’ve read on the subject involve the QEMU command. However, I am using virt-manager, and I don’t know of a way to edit QEMU command line options therein. I’ve tried setting up Wireguard with VM1 as 10.0.0.5, but I can’t ping or RDP to it. Port 3389 is open on the host and the VM.

Any help would be appreciated!

Would you like to leave the Windows Server VM bound to 0.0.0.0 and do a port passthrough using UFW (Uncomplicated FireWall) on PC1?

Or, ideally, configure a dedicated IP for your VM:
$ virsh net-edit default
look for the host MAC of your VM
configure your IP address there
$ virsh net-destroy default && virsh net-start default   # restarts the network

Wouldn’t the second option pass the NIC through to the VM, rendering it otherwise unusable by the host?
I’ll see what I can do with UFW, but I’m still learning the ropes of this stuff.
Either way, thank you for taking the time to help me out!

I’d break it down into steps.
Can PC2 actually speak to PC1 over the Wireguard tunnel?
Can the Win VM reach PC1’s Wireguard tunnel?

If so, then perhaps it’s a routing thing.

If PC2 is on a LAN with 192.168.0.0/24,
and PC1 & the Win VM are on 172.16.0.0/12,
then route the other subnet via the WG interface?

Then add routing rules on PC1 so traffic for the other side’s subnet goes over the WG interface’s IP address, and vice versa for PC2?
So on PC2:
ip route add 172.16.0.0/12 via 10.0.0.1 dev WG   # next hop is PC1’s tunnel address; on a WireGuard interface the "via" can also be left out

and on PC1:
ip route add 192.168.0.0/24 via 10.0.0.2 dev WG   # next hop is PC2’s tunnel address

If PC2 is running Windows, then try setting the route in Network > Advanced > NIC / interface card settings for the WG interface: edit the place where the IP address goes and add the destination route.

Wireguard itself should allow for setting up “allowed IPs”, but I’ve had mixed results and replicated the IP ranges there as well as in the routing table. I may be over-complicating it…

Or whatever the Wireguard interfaces are called.
If both LAN PCs are on the same local LAN subnet, 192.168.0.0/24, then I would add an explicit rule for traffic to the VM’s IP address specifically (/32) to use the tunnel, but it’s more tricky.

Also, ensure PC1 has net.ipv4.ip_forward=1 uncommented in /etc/sysctl.conf.
It may help to forward ICMP traffic, so ping can be forwarded, by uncommenting and changing net.ipv4.conf.all.accept_redirects = 0 to 1 and net.ipv4.conf.all.send_redirects = 0 also to 1.

Just my $0.02.

Hey, sorry for the late reply.
I’ve tried a bunch of stuff, including much of what you said.

Here’s where we’re at now:

  • I’ve set up a bridge on the host PC and now have that connected to the vm
  • All members of the Wireguard network can ping one another
  • The relevant lines in /etc/sysctl.conf are now uncommented
  • I went on-prem today and tested RDP over the physical LAN. That works.
  • RDP over Wireguard still does not work.

For clarification:

  • Both LANs are using the 192.168.1.0/24 subnet, so trying your routing suggestion didn’t work
  • The Wireguard subnet is 10.0.0.0/24
  • Both physical machines run Linux, and the VM is on Windows

If it helps, here’s the tcpdump output when I try to RDP:

root@PC2:/# tcpdump -i wg0 src 10.0.0.4 and dst 10.0.0.5 and dst port 3389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
20:01:18.665333 IP 10.0.0.4.53996 > 10.0.0.5.ms-wbt-server: Flags [S], seq 3051447255, win 64860, options [mss 1380,sackOK,TS val 84011253 ecr 0,nop,wscale 7], length 0
20:01:19.674856 IP 10.0.0.4.53996 > 10.0.0.5.ms-wbt-server: Flags [S], seq 3051447255, win 64860, options [mss 1380,sackOK,TS val 84012264 ecr 0,nop,wscale 7], length 0
[...]
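A small offline check of the two WireGuard rules that produce exactly this symptom (SYNs leaving wg0, nothing ever coming back), added here as an example; it is not code from the thread and it says nothing about what the poster’s configuration actually contains. AllowedIPs does double duty in WireGuard: on the sending side it is the routing table that picks which peer a packet is encrypted to (a destination that is in no peer’s AllowedIPs is dropped silently), and on the receiving side it is an ACL (a decrypted packet whose source address is not inside the sending peer’s AllowedIPs is dropped silently). That is the “allowed IPs” point raised in the earlier reply. The script parses the tab-separated output of `wg show <iface> dump` and applies both rules, plus a handshake-age check. The two dumps, the peer keys, the endpoints and the addresses in them are constructed for the example; to use it for real, replace them with the output of `wg show wg0 dump` from each end.

```python
# Added example, not from the thread: apply WireGuard's cryptokey-routing
# rules to `wg show <iface> dump` output to see why a packet would be
# dropped before (sending side) or after (receiving side) the tunnel.
import ipaddress
import time

# Constructed: what `wg show wg0 dump` on PC2 might print.  Format per wg(8):
# interface line  = private-key public-key listen-port fwmark
# one peer per line = public-key preshared-key endpoint allowed-ips
#                     latest-handshake transfer-rx transfer-tx keepalive
# Keys, endpoints and addresses here are assumptions for the example.
PC2_DUMP = (
    "(hidden)\tPC2PUBKEY=\t51820\toff\n"
    "PC1PUBKEY=\t(none)\t203.0.113.10:51820\t10.0.0.1/32\t1700000000\t4096\t4096\t25\n"
    "VM1PUBKEY=\t(none)\t(none)\t10.0.0.5/32\t0\t0\t0\toff\n"
)

# Constructed: a peer table on VM1 that lists PC2 as 10.0.0.2/32 while PC2
# actually sources its packets from 10.0.0.4 (illustrates the ACL side).
VM1_DUMP = (
    "(hidden)\tVM1PUBKEY=\t51820\toff\n"
    "PC2PUBKEY=\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t1700000000\t0\t0\toff\n"
)

REJECT_AFTER_TIME = 180  # seconds; WireGuard discards a session older than this


def parse_wg_dump(text):
    """Return a list of peer dicts from `wg show <iface> dump` output."""
    peers = []
    for line in text.splitlines()[1:]:          # skip the interface line
        if not line.strip():
            continue
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _ka = line.split("\t")
        nets = [] if allowed == "(none)" else [
            ipaddress.ip_network(a, strict=False) for a in allowed.split(",")]
        peers.append({"pubkey": pub, "endpoint": endpoint,
                      "allowed_ips": nets, "latest_handshake": int(handshake)})
    return peers


def select_peer(peers, ip):
    """Cryptokey-routing lookup: longest-prefix match over every peer's AllowedIPs."""
    addr = ipaddress.ip_address(ip)
    best = None
    for peer in peers:
        for net in peer["allowed_ips"]:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best


def outbound_check(dump_text, dst, now=None):
    """Sending side: would a packet to `dst` be encrypted and sent at all?"""
    now = time.time() if now is None else now
    match = select_peer(parse_wg_dump(dump_text), dst)
    if match is None:
        return "drop: no peer has %s in AllowedIPs" % dst
    peer, _net = match
    if peer["endpoint"] == "(none)":
        return "drop: peer %s has no endpoint (it must initiate first)" % peer["pubkey"]
    if peer["latest_handshake"] == 0:
        return "drop: peer %s has never completed a handshake" % peer["pubkey"]
    age = now - peer["latest_handshake"]
    if age > REJECT_AFTER_TIME:
        return "stale: last handshake with %s was %ds ago" % (peer["pubkey"], age)
    return "ok: sent to %s" % peer["pubkey"]


def inbound_check(dump_text, sender_pubkey, src):
    """Receiving side: is `src` inside the AllowedIPs of the peer that sent it?"""
    match = select_peer(parse_wg_dump(dump_text), src)
    if match is None or match[0]["pubkey"] != sender_pubkey:
        return "drop: %s is not inside %s's AllowedIPs" % (src, sender_pubkey)
    return "ok"


if __name__ == "__main__":
    print("PC2 -> 10.0.0.5:", outbound_check(PC2_DUMP, "10.0.0.5", now=1700000010))
    print("VM1 <- 10.0.0.4:", inbound_check(VM1_DUMP, "PC2PUBKEY=", "10.0.0.4"))
    print("VM1 <- 10.0.0.2:", inbound_check(VM1_DUMP, "PC2PUBKEY=", "10.0.0.2"))
```

Run the sending-side check on the machine that originates the SYN and the receiving-side check on the machine that should answer it, in both directions (the SYN-ACK has to pass the same two rules on the way back). If every check passes and the handshake is fresh, the tunnel is delivering the packets and the next place to look is the VM itself: confirm there (pktmon or Wireshark) that the SYN arrives on the WireGuard adapter, and that the firewall profile Windows assigned to that adapter allows inbound 3389.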