DirectAccess VPN From Linux VMware Guest
I’m currently on my second office where the preferred computer setup for developers is to run Linux in a VM on a beefy laptop. From Windows the DirectAccess VPN works out of the box, but giving Linux in a VM the same access has proved to be non-trivial. What follows is a step by step configuration that worked for me.
Disclaimer
I set up my current VM on Xubuntu 16.04 LTS, which uses dnsmasq as a local DNS cache by default. I believe this has been replaced by systemd-resolved in the current LTS; I have not tried to port these instructions to the newer stack, so that is left as an exercise for the reader.
I’m currently on VMware, if using VirtualBox the steps for configuring IPv6 might be different.
Step 1: Enable IPv6 networking in VMware
DirectAccess works by routing intranet traffic over an IPv6 IPsec tunnel, so before anything else will work you need IPv6 enabled in the VMware network configuration. This was disabled by default on my standard machine, so I had to ask an admin to enable it for me.
Step 2: Find the relevant DirectAccess configuration in Windows
Open up a command window in Windows and run the command netsh namespace show policy. This will produce output similar to the following:
Settings for .cluster.dev
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) : dead:c0de:face:b00c::1
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)
Settings for .local.corporate-domain.com
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) : dead:c0de:face:b00c::1
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)
The important thing to note here is the mapping from a domain name to a DNS Server.
Step 3: Configure Dnsmasq
The default configuration of NetworkManager starts dnsmasq, which reads its configuration from the /etc/NetworkManager/dnsmasq.d/ folder. Given the output above I would create a vpn.conf file there with the following contents:
server=/local.corporate-domain.com/dead:c0de:face:b00c::1
server=/cluster.dev/dead:c0de:face:b00c::1
This tells dnsmasq to forward lookups for the given domain names, and only those, to the DirectAccess DNS server, which is reachable over IPv6; lookups for every other name still go to the normal resolver.
Step 4: Restart network manager
For the dnsmasq configuration to take effect I reloaded the NetworkManager configuration with the command:
sudo service network-manager reload
After that I’m able to access all the intranet sites from within my Linux guest VM.
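Steps 2 to 4 can be collapsed into one script. The following is an added example, not code from the original post: it parses the saved output of netsh namespace show policy, emits one dnsmasq server= line per suffix that has a DirectAccess DNS server, writes them to vpn.conf and reloads NetworkManager. Everything here is my assumption rather than the post's: that the netsh output was saved on the Windows host and copied into the VM as a text file (possibly with Windows line endings), that the target directory is /etc/NetworkManager/dnsmasq.d unless DNSMASQ_DIR overrides it, and the sample netsh text embedded below is constructed from the post's output with an extra suffix that has no DirectAccess DNS server, to show that such suffixes are skipped rather than forwarded.

```shell
#!/bin/sh
# Added example (not from the original post): build dnsmasq "server=" lines
# from the output of `netsh namespace show policy`.
# Assumptions (mine): the netsh output is in a text file inside the VM, and
# NetworkManager's dnsmasq reads /etc/NetworkManager/dnsmasq.d unless
# DNSMASQ_DIR is set.

# Read netsh output on stdin; print "server=/<domain>/<address>" for every
# "Settings for" block that lists at least one DirectAccess DNS server.
# Blocks with an empty DirectAccess (DNS Servers) entry produce nothing, so
# only the intranet suffixes get forwarded over the tunnel.
netsh_to_dnsmasq() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows
        /^[ \t]*Settings for / {                # "Settings for .cluster.dev"
            domain = $3
            sub(/^\./, "", domain)              # dnsmasq wants "cluster.dev"
            next
        }
        /^[ \t]*DirectAccess [(]DNS Servers[)]/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)      # drop the label, keep the addresses
            n = split(line, srv, /[ \t,]+/)     # netsh may list several servers
            for (i = 1; i <= n; i++)
                if (domain != "" && srv[i] != "")
                    print "server=/" domain "/" srv[i]
        }
    '
}

# Write the generated lines to vpn.conf in the dnsmasq config directory.
# Prints the path of the file written; returns non-zero if nothing was found.
install_vpn_conf() {
    netsh_file="$1"
    dir="${DNSMASQ_DIR:-/etc/NetworkManager/dnsmasq.d}"
    conf="$dir/vpn.conf"
    lines="$(netsh_to_dnsmasq < "$netsh_file")"
    if [ -z "$lines" ]; then
        echo "no DirectAccess DNS servers found in $netsh_file" >&2
        return 1
    fi
    printf '# generated from %s\n%s\n' "$netsh_file" "$lines" > "$conf"
    echo "$conf"
}

# Constructed sample, modelled on the netsh output in the post, plus a third
# suffix (example.test) with no DirectAccess DNS server to exercise the skip.
SAMPLE_NETSH=$(cat <<'EOF'
Settings for .cluster.dev
----------------------------------------------------------------------
DNSSEC (Validation) : disabled
DirectAccess (DNS Servers) : dead:c0de:face:b00c::1
DirectAccess (Proxy Settings) : Bypass proxy

Settings for .local.corporate-domain.com
----------------------------------------------------------------------
DirectAccess (DNS Servers) : dead:c0de:face:b00c::1

Settings for .example.test
----------------------------------------------------------------------
DirectAccess (DNS Servers) :
EOF
)

# Usage: sudo sh directaccess-dns.sh /path/to/netsh-output.txt
# With no argument it only prints what the sample would generate.
if [ -n "${1:-}" ]; then
    install_vpn_conf "$1" && service network-manager reload
else
    printf '%s\n' "$SAMPLE_NETSH" | netsh_to_dnsmasq
fi
```

Run without arguments it prints the two server= lines from the post and nothing for example.test; run as root with the path to the saved netsh output it writes vpn.conf and reloads NetworkManager. Forwarding only the suffixes that netsh lists keeps every other lookup on the local resolver, which is the same split-DNS behaviour the Windows client has.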
Potential problem with IPv6 networking in VMware
I can’t remember having to run this command for a while, so this might have been fixed in updates to VMware, but when I first worked this out I stumbled over a problem: the VMware networking stack was ACK-ing requests within the VM before the connection had been established outside the VM. This meant the VM was sending data before the connection was ready, causing dropped packets.
The workaround for this was to artificially slow down the network inside the VM. After some playing with values from 10ms to 100ms I landed on 50ms as a value that fixed the problem but didn’t noticeably affect the browsing experience.
sudo tc qdisc add dev ens33 root netem delay 50ms
Remaining problems
While most tools seem to handle the IPv6 networking without problem, IntelliJ IDEA still causes me problems. I’m unable to run git commands that interact with the remote repository from within the IDE, but they work fine from the command line.
Similarly the database tooling doesn’t work from within IntelliJ IDEA but I was able to get SquirrelSQL to work after hacking the startup script to add an extra flag to the JVM.
Both are mildly annoying, but neither is a showstopper.
Returning to the office
When returning to the office you need to disable the dnsmasq configuration. I currently do this by commenting out the contents of the configuration file and reloading network-manager again… I should probably script this.