Virtual Machine Networking

Virtual machines can be connected to networks in many ways. This article focuses on using VDE for connectivity. It uses VDE for the software switch, iptables for NAT, and dnsmasq for the DHCP server.

VDE stands for Virtual Distributed Ethernet. It provides a set of software programs to simulate a network switch and even connect remote switches together. The switch can also create a network interface on the host computer. Together with some iptables rules, this switch can be connected to the real world.

Creating The Switch

The following command is used to create a VDE switch:

vde_switch --sock /tmp/vde.ctl
Creating a VDE switch instance.

This creates a VDE switch without any network interface. The control socket is /tmp/vde.ctl and is used by other applications to connect to the VDE switch. To create a VDE swtich with a network interface, you must also specify the tap interface to create. This should be done as the root user. 

vde_switch -sock /tmp/vde.ctl -tap vde
Creating a VDE switch instance with a host interface.

This will create a network interface on the host. This network interface must still be configured. In order to start the switch and configure it automatically, you can put the following in your /etc/network/interfaces file on Debian systems: 

auto vm
iface vm inet static
    address 192.168.29.1
    netmask 255.255.255.0
    pre-up /usr/bin/vde_switch --tap ${IFACE} --daemon --group vde2-net \
        --sock /var/run/vde2_${IFACE}.ctl --mod 666 --mgmtmode 770 \
        --mgmt /var/run/vde2_${IFACE}.mgmt --pidfile /var/run/vde2_${IFACE}.pid
    pre-up chmod o+t /var/run/vde2_${IFACE}.ctl
    pre-up sleep 1
    post-up sleep 1
    post-up dnsmasq --no-hosts -x /var/run/vde2_${IFACE}_dnsmasq.pid \
        --port 0 --listen-address 192.168.29.1 --bind-interfaces ${IFACE} \
        -R --server 192.168.29.1 \
        --dhcp-range 192.168.29.100,192.168.29.199,255.255.255.0,192.168.29.255
    pre-down kill -s TERM `cat /var/run/vde2_${IFACE}_dnsmasq.pid` || true
    post-down kill -s TERM `cat /var/run/vde2_${IFACE}.pid`
Automatically starting and configuring the VDE switch.

This will perform the following actions to bring up the interface:

  • Bring up the VDE switch as a daemon with a host interface.
  • Set the sticky flag on the control directory so users can only delete their own connections.
  • Pause a short period of time for the switch to come up. It seems this is needed otherwise sometimes the interface is not found to be configured.
  • Configure the interface with the associated address.
  • Run dnsmasq as a DHCP server on the interface specifying the address range and the address of the DNS server.

This will aslso perform the following actions when the interface goes down:

  • Shut down the dnsmasq server.
  • Bring down the interface.
  • Shut down the VDE switch.

Connecting To The Switch

Different virtual machine software connects to the switch in different ways. I know that both QEMU and VirtualBox support connecting to a VDE switch.

Connecting The Switch To A Real Network

To configure the switch to connect to a real network, the tap interface can be bridged to the real interface, or the host can be configured to route and masquerade IP traffic. Since the interface is given an address and DHCP server, I will configure the system to route the traffic.

The system must be configured to forward traffic. This is controled by the file /proc/sys/net/ipv4/ip_forward. On some systems, this can be achieved at system boot in /etc/sysctl.conf. 

echo 1 > /proc/sys/net/ipv4/ip_forward
Enable IP forwarding.

Since the host will already have default routes from its connection, I can simply configure a firewall rule to masquerade any traffic going out that interface. Such traffic will automatically be redirected to the correct IP address when incomming traffic is received. 

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Enable NAT over eth0.