
Client Internet in an isolated QEMU virtual machine using port tunneling through the SPICE channel

The usual approach to connecting a virtual machine to the Internet is the same as for any other device on the network: attach a virtual network interface (or pass through a real one), then configure and verify network connections, services, routing rules, traffic filtering and so on.


If the virtual machine is a server, or a virtual desktop assigned to a specific user, this approach is fully justified. But what if the virtual machine is a public virtual desktop that anyone can connect to for free?


In that case the virtual machine's Internet access should come not from the host side, but from the client side.


Connecting a virtual machine to the client's Internet channel would allow:



The easiest way to bring the Internet in from the client is to forward a USB network adapter or modem. But this method is very demanding on network quality: if the virtual machine is located abroad, there is a high probability of lags and freezes.


An alternative to forwarding USB devices is port tunneling between the client and the virtual machine through the SPICE channel, similar to port tunneling in SSH.


QEMU virtual machines already have a data channel from the client to the virtual machine, the so-called SPICE channel. It carries input device data, clipboard contents, and more.


In theory, the client's local ports (on IP address 127.0.0.1) can be forwarded into the virtual machine and presented there as local ports.
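To carry several client-side TCP connections over the single SPICE channel, the client and the guest agent need to multiplex them, the same way an SSH session multiplexes forwarded ports. The following is an added illustration, not SPICE or FlexVDI code: the frame layout (channel id, frame type, length) and the message types are assumptions chosen for the example, not the SPICE wire format.

```python
"""Minimal multiplexing of several tunnelled connections over one byte
channel. Added example; the frame layout is an assumption, not SPICE's."""
import struct

HDR = struct.Struct("!IBH")   # channel id, frame type, payload length (assumed)
OPEN, DATA, CLOSE = 1, 2, 3   # constructed frame types for this example

def encode(chan, kind, payload=b""):
    """Client side: wrap one connection's bytes in a frame for the channel."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    return HDR.pack(chan, kind, len(payload)) + payload

class Demux:
    """Guest side: reassemble frames from an arbitrarily chunked stream and
    route payloads to per-connection buffers (what the agent would write to
    the local 127.0.0.1 socket that stands in for the tunnelled port)."""
    def __init__(self):
        self.buf = b""
        self.streams = {}    # chan -> bytes received so far
        self.closed = set()

    def feed(self, chunk):
        self.buf += chunk
        while len(self.buf) >= HDR.size:
            chan, kind, n = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + n:
                break    # frame not complete yet; wait for more bytes
            payload = self.buf[HDR.size:HDR.size + n]
            self.buf = self.buf[HDR.size + n:]
            if kind == OPEN:
                self.streams[chan] = b""
            elif kind == DATA:
                if chan not in self.streams or chan in self.closed:
                    raise ValueError(f"DATA on unknown or closed channel {chan}")
                self.streams[chan] += payload
            elif kind == CLOSE:
                self.closed.add(chan)
            else:
                raise ValueError(f"unknown frame type {kind}")

def demo():
    # Two client connections (constructed sample traffic) interleaved on the
    # same channel; the receiver sees it in deliberately odd-sized chunks.
    wire = (encode(1, OPEN) + encode(2, OPEN)
            + encode(1, DATA, b"GET / HTTP/1.1\r\n") + encode(2, DATA, b"\x16\x03\x01")
            + encode(1, DATA, b"Host: a\r\n\r\n") + encode(1, CLOSE))
    d = Demux()
    for i in range(0, len(wire), 7):
        d.feed(wire[i:i + 7])
    return d.streams, d.closed
```

The guest-side endpoint only ever binds 127.0.0.1, so the tunnelled ports are reachable from inside the guest but not from the host network, which is the point of sourcing connectivity from the client rather than from the hosting side.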


An example algorithm for connecting to the client's Internet channel through port tunneling:



Implementation


All that remains to make port tunneling a reality is to modify the source code of the SPICE client and the SPICE guest additions, create patches, and send them to the developers. This is possible because the SPICE source code is open.


Moreover, during discussions with the SPICE developers it turned out that this functionality has already been implemented in the FlexVDI fork of SPICE. The source code of the fork is partially published in the repository [ https://github.com/flexvdi ]. It is said to contain the fragment responsible for tunneling.


A record of the discussion is available in the "Spice-devel" thread "Feature suggestion: Port tunneling between VM & client over spice-channel".


Application area


This technology could be widely used in demonstration and public virtual machines, as well as in ordinary VDI hosting.


If anyone would like to help implement this functionality, you can implement it and create patches. Comments and suggestions are welcome in the comments.



Source: https://habr.com/ru/post/430592/
