TurnKey Linux Virtual Appliance Library

Virtual Networking Explained

This wiki page specifically relates to Oracle VirtualBox (VBox), but should apply to most VM applications in general (such as VMware Player etc). Note that the names may be different (although the theory should remain the same).

Main network connection types:

  • Bridged ("Host Interface" in earlier versions of VBox) - This is probably the most useful setting for a TKL VM for general use. It allows the VM to be assigned its own IP address on the same subnet as your LAN. For all intents and purposes the VM appears as an independant machine to the network. It allows unlimited incoming and outgoing network connections. Whilst it is the most convienient it is also the least secure (though no less secure than a standard install to a bare metal machine on the same network).
  • Host Only - This is fairly self explanatory. It provides unlimited outgoing and incoming access to the VM but only to/from the host machine. If you are using a VM as a development tool then this setting can be quite useful as it allows unfettered access from the host, but is completely secure from the outside. You will not get any internet connection with this setting.
  • NAT (Network Address Translation) - For the purposes of an end user, NAT acts somewhat like an automatic firewall (but it isn't). With this setting your VM shares the host machine's IP externally, but internally will get it's own IP on a different subnet to your LAN. It allows unlimited outgoing network connections, and allows only incoming traffic initiated by the VM (ie replies to requests - unless port forwarding is set up). This is the default VBox networking option for a new VM installed from ISO (or CD/DVD). NAT is often a good option for a GUI based OS where you generally only want outgoing network connections (eg web browsing, email clients, updating apps, etc), and provides a degree of security whilst not being too intrusive for general desktop type use. OTOH it is painful for use with a server OS, where most connections are incoming. To use NAT with a server, you need to forward every port which the server listens on. It is not really practical if you have multiple TKL VMs running in VBox either as you can only forward a particular port to one machine. Eg if you had 2 TKL VMs running and you wanted to use Webmin on both, only one VM could use the default 12321 port, the other would need to use a different port.

Alternative network configuration:

  • Dual Virtual NICs: For secure local development purposes (i.e. no external access to TKL required) it may be desirable to use a dual virtual-NIC setup. One assigned as 'Host-only' (for communication between the host OS and the TKL appliance) and one assigned as 'NAT' (to provide limited internet access for security updates etc). This is really only of any value when used on a portable computer (e.g. Laptop) which may operate in a hostile environment (e.g. open public wifi). For general use on trusted LAN networks that are behind a Firewall and/or NAT'd gateway (eg consumer grade modem/router) this is an extra layer of complexity which is unrequired.