Client Internet in an isolated QEMU virtual machine using port tunneling through the SPICE channel

    The usual way to give a virtual machine Internet access is the same as for any other networked device: attach a virtual network interface or pass through a real one, then configure and verify network connections, services, routing rules, traffic filtering and so on.

    If the virtual machine is a server, or a virtual desktop assigned to a specific user, this approach is fully justified. But what if the virtual machine is a public virtual desktop that anyone can connect to for free?

    In that case, Internet access in the virtual machine should be provided from the client side rather than from the host side.

    Connecting the virtual machine to the client's Internet connection makes it possible to:

    • Reduce the computational load of emulating the network and the network interface.
    • Rule out attacks on the virtual machine from the Internet and from the virtual network.
    • Relieve the host administrator of responsibility for the virtual machine user's actions in cases such as:
      • Sending spam
      • Downloading or publishing illegal or prohibited content
      • Hacking or attacking Internet resources of the hosting administrator or of third parties
      • Mining
      • and so on...
    • Reduce the time spent checking and configuring the virtual machine's Internet access.

    The easiest way to provide Internet access from the client is to forward a USB network adapter or modem to the virtual machine. But this method is very demanding on network quality: if the virtual machine is hosted abroad, lags and hangs are likely.

    An alternative to forwarding USB devices can be port tunneling between the client and the virtual machine via the SPICE channel, similar to port tunneling in SSH.

    QEMU virtual machines have a data channel between the client and the virtual machine, the so-called SPICE channel. It carries input device data, clipboard contents and much more.

    Theoretically, you can forward the local ports of the client (IP address to a virtual machine and arrange them as local.

    An example algorithm for connecting to the client's Internet channel through port tunneling:

    • On the client side, a proxy server or VPN server is started to provide access to the network.
    • In the SPICE client, port tunneling is configured so that the proxy or VPN server's ports appear as local ports inside the virtual machine.
    • In the virtual machine's operating system and browser, either the proxy settings are pointed at the proxy server through the local port, or a VPN client is configured to connect to the VPN server on localhost and emulate a virtual network device (tun or tap in the case of OpenVPN).
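
    The three steps above can be tried without SPICE, as an added example that is not part of the original article and is not SPICE or FlexVDI code: a socket pair stands in for the SPICE channel, a constructed one-shot server stands in for the client's proxy, and all function names are hypothetical. The guest-side listener binds to 127.0.0.1 only, so the tunneled port is reachable only from inside the virtual machine, and it carries a single connection because nothing here multiplexes streams.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone

def splice(a, b):
    for src, dst in ((a, b), (b, a)):  # relay both directions
        threading.Thread(target=pump, args=(src, dst), daemon=True).start()

def client_side(channel, proxy_addr):
    """On the client: hand channel traffic to the local proxy/VPN port."""
    splice(channel, socket.create_connection(proxy_addr))

def guest_side(channel):
    """In the VM: present the channel as a loopback-only local port."""
    srv = socket.create_server(("127.0.0.1", 0))  # never a routable address
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()  # one connection only: no multiplexing here
        srv.close()
        splice(conn, channel)
    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    proxy = socket.create_server(("127.0.0.1", 0))  # constructed stand-in proxy
    def answer():
        conn, _ = proxy.accept()
        conn.sendall(b"via-client:" + conn.recv(4096))
        conn.close()
    threading.Thread(target=answer, daemon=True).start()
    guest_end, client_end = socket.socketpair()  # stand-in for the SPICE channel
    client_side(client_end, proxy.getsockname())
    port = guest_side(guest_end)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as app:
        app.sendall(b"GET /")  # the guest application talks to its local port
        reply = b""
        while chunk := app.recv(4096):
            reply += chunk
    return reply

if __name__ == "__main__":
    print(demo())
```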


    All that remains to be done to make port tunneling a reality is to tweak the source code of the SPICE client and the SPICE guest add-ons, create patches, and send them to the developers. All this is possible because the SPICE source code is open.

    Moreover, in discussion with the SPICE developers it turned out that this functionality has been implemented in FlexVDI's fork of SPICE. The source code of the fork is partially published in the repository [ ]. Reportedly, it contains the fragment responsible for tunneling.

    The record of the discussion is available in the thread "Feature suggestion: Port tunneling between VM & client over spice-channel" on the "Spice-devel" mailing list.

    Application area

    This technology could be widely used in demonstration and public virtual machines and in ordinary VDI hosting.

    If you would like to help, you can implement this functionality and create patches. Comments and suggestions are welcome in the comments.
