OpenWRT for Routing VirtualBox Machines

I've been hoping for a while to get OpenWRT running as a network manager in VirtualBox. This took longer than it should have, probably because I didn't entirely understand what I was doing in the routing department - probably still don't. But it's now working much as I'd hoped.

The first step is to download the latest version of OpenWRT here - go to "Chaos Calmer 15.05" (currently the latest release), then "x86", then either "64" or "generic" (I've used both successfully, although I've occasionally had trouble with the 64-bit version and see no advantage to using it). Finally, you want the "combined-ext4" version. As detailed previously, you need to gunzip the file and then convert it from an "img" file to a VDI:

VBoxManage convertfromraw --format VDI openwrt-x86-generic-combined-ext4.img openwrt-CC-x86.vdi

Set this new VDI up as a virtual machine in VirtualBox with two network cards, the first going to "NAT", the second to "Internal Network" - I tend to create a new internal network called "OpenWRT," but this isn't necessary.

When you boot the machine, you'll find the default configuration doesn't work terribly well: you'll have no network connection. The critical file at this point is /etc/config/network, which starts out looking like this:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config globals 'globals'
        option ula_prefix 'fd9c:6b5b:e073::/48'

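Some significant rearrangements are in order. Delete the 'wan6' stanza (at least if you don't care about IPv6, which I don't at the moment), and leave the 'loopback' and 'globals' stanzas alone. The other two swap interfaces: 'wan' moves to eth0 (the first card, on "NAT") and 'lan' moves to eth1 (the second card, on "Internal Network"), with a new address for 'lan':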

config interface 'wan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'dhcp'

config interface 'lan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.168.1'
        option netmask '255.255.255.0'

I'm sure there's a way to get this configuration working without rebooting ... but I don't know it and rebooting is fairly fast with a virtual OpenWRT.
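A check that can be run on the edited file before that reboot, as an added example that is not part of the original post. The function names `uci_flatten` and `check_vbox_layout` are hypothetical, and it assumes the image's shell provides awk, sed, grep and mktemp:

```shell
# Added example: compare an OpenWRT network config with the two-NIC VirtualBox
# layout above (eth0 = NAT -> wan, eth1 = Internal Network -> lan).

# Print "section.option=value" for each option inside a "config interface" stanza.
uci_flatten() {
    awk -v q="'" '
        { gsub(q, ""); gsub(/"/, "") }              # drop quoting, fields re-split
        $1 == "config" { sec = ($2 == "interface") ? $3 : ""; next }
        $1 == "option" && sec != "" {
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i   # keep multi-word values
            print sec "." $2 "=" val
        }
    ' "$1"
}

# Return 0 if FILE ($1) matches the layout; otherwise print each mismatch and
# return 1. The LAN address defaults to the value used in the post; a different
# one can be passed as $2 (an assumption of this example).
check_vbox_layout() {
    flat=$(uci_flatten "$1") || return 2
    rc=0
    expect() {  # expect KEY VALUE
        got=$(printf '%s\n' "$flat" | sed -n "s/^$1=//p")
        [ "$got" = "$2" ] || { echo "MISMATCH $1: want '$2', got '${got:-<unset>}'"; rc=1; }
    }
    expect wan.ifname eth0
    expect wan.proto dhcp
    expect lan.ifname eth1
    expect lan.proto static
    expect lan.ipaddr "${2:-192.168.168.1}"
    if printf '%s\n' "$flat" | grep -q '^wan6\.'; then echo "MISMATCH wan6: stanza still present"; rc=1; fi
    return $rc
}

# Constructed sample: the stock 'lan' and 'wan' stanzas, which should be reported.
demo=$(mktemp)
cat > "$demo" <<'EOF'
config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
EOF
check_vbox_layout "$demo" || echo "stock layout: apply the edits before rebooting"
rm -f "$demo"
```

On the router itself the call would be `check_vbox_layout /etc/config/network`; no output and exit status 0 means the roles match.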

After a reboot, you should be able to create new virtual machines with only one network card attached to the "Internal Network" (either "intnet" or the name you created earlier, in my case "OpenWRT") and they should get all the network information they need via DHCP from the OpenWRT machine.

Advantages

This means you can manage all firewalling for all your virtual machines in one place. You can also manage all names for remote machines in one place: I have a DigitalOcean droplet I use as a git server, and all I needed to do was add its IP and name to /etc/hosts in the OpenWRT instance and all virtual machines then knew that name. This service is provided by dnsmasq, which doesn't pick up changes to /etc/hosts automatically - you have to restart it after a change to /etc/hosts.

Disadvantages

The OpenWRT instance must always be running.

If you're using a laptop as a host machine, every time you change networks OpenWRT will become confused. I've found the easiest solution is to reboot the OpenWRT instance: as mentioned, this doesn't take too long. Better, it causes no problems with other machines that rely on the OpenWRT instance, aside from the already dropped network connections. They've already got OpenWRT as their connection to the outside world and their DNS, and neither of those settings needs to change.

Next Steps

  • set up OpenWRT to boot when the host machine boots
  • find out more about OpenWRT firewalling
  • find out how to do ad-blocking at the firewall