I am trying to create a KVM/QEMU/Virt-Manager VM without exposing my IP/internet connection to it. I pay for a VPN subscription, and I typically access it through WireGuard configs that integrate with my distro (Fedora 40 Workstation) and DE VPN menus. From my understanding, as I have them set up now, I can enable one of these configurations in my settings, and all of my traffic is routed through the VPN, except for my local network.

I want this VM guest to have all of its traffic sent to the VPN as well, with the exception of some connection between it and the host, so I could still access it from the host for utilities like ssh.

Is it possible to achieve this? When I looked online, it seemed to require some CLI configuration of IP routes, and I didn’t feel confident not understanding the changes I was making, as I want to make sure it is impossible to leak; it just shouldn’t have any access to my normal network. If my VPN is disabled on the host, then it simply shouldn’t be able to access the internet.

  • Skull giver
    223 days ago

    I set up something like that once. What I basically did:

    • Create an internal network. Give it IP addresses and everything but do not route its traffic to the Internet.
    • Create a virtual machine with a VPN client. Connect it to the normal network and to the internal network. Configure it to allow traffic from the internal network to the VPN and back.
    • Set up a second virtual machine. Connect it only to the internal network.

    You can run a router OS like pfSense/OPNsense/OpenWRT on the gateway VM to make your life a little easier, because writing good network routes can be a pain. As your computer would also be connected to the internal network, you can SSH into the VMs with no trouble. Make sure you don’t enable traffic routing for that interface on the host, though.

    I think in my setup, I put a VM inside the second VM to add another layer of traffic blocking, but I don’t think that was quite necessary.
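The three-step design from the answer above, written out as an added example (not from the original post, and not a libvirt or nftables project file). It is a POSIX shell script that produces the two pieces you would actually apply: the libvirt definition of the internal network, deliberately without a `<forward>` element so the host neither NATs nor routes it, and the nftables ruleset for the gateway VM, whose forward chain drops everything except internal-to-tunnel traffic so it fails closed when the VPN is down. Before anything is applied, two check functions refuse a network definition that contains `<forward>` and a ruleset that is not drop-by-default or that accepts traffic out of the LAN interface. All names are assumptions: the network `vpn-internal` on bridge `virbr-vpn` (10.77.0.0/24), a gateway VM with `eth0` on the normal network, `eth1` on the internal network at 10.77.0.2 and the WireGuard tunnel `wg0`, and a client VM attached only to the internal network with its default route and a DNS server reachable through the tunnel pointed at 10.77.0.2.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical names throughout:
# libvirt network "vpn-internal" on bridge "virbr-vpn" (10.77.0.0/24);
# gateway VM: eth0 = normal network, eth1 = internal (static 10.77.0.2),
# wg0 = VPN tunnel; client VM: only on the internal network, default route
# and DNS (reachable via the tunnel) pointed at 10.77.0.2.

# 1. Internal network definition. No <forward> element: libvirt creates the
#    bridge with an address but adds no NAT/route rules for it, so the host
#    does not pass its traffic to the Internet. The host can still talk to
#    guests on 10.77.0.x directly (ssh), which is local delivery, not forwarding.
isolated_network_xml() {
    cat <<'EOF'
<network>
  <name>vpn-internal</name>
  <bridge name="virbr-vpn" stp="on" delay="0"/>
  <ip address="10.77.0.1" netmask="255.255.255.0"/>
</network>
EOF
}

# Reads a network definition on stdin; succeeds only if it has no <forward>
# element (mode="nat" or mode="route" would give the guests a path out via the host).
network_is_isolated() {
    ! grep -q '<forward'
}

# 2. Gateway VM ruleset. Forward policy is drop, so packets from eth1 may
#    only leave through wg0; there is no fallback to eth0 when the tunnel is
#    down, the client VM just loses connectivity. Replies come back through
#    the established/related rule; masquerade hides 10.77.0.x behind wg0.
gateway_nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet vpngw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "eth1" oifname "wg0" accept
  }
}
table ip vpngw_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wg0" masquerade
  }
}
EOF
}

# Reads a ruleset on stdin; succeeds only if the forward chain is
# drop-by-default and nothing is accepted out of eth0 (the untunnelled side).
ruleset_fails_closed() {
    rs=$(cat)
    printf '%s\n' "$rs" | grep -q 'hook forward.*policy drop' || return 1
    ! printf '%s\n' "$rs" | grep -q 'oifname "eth0".*accept'
}

# Apply on the host (needs libvirt privileges). Not run by the checks.
apply_host_network() {
    tmp=$(mktemp)
    isolated_network_xml >"$tmp"
    network_is_isolated <"$tmp" || { echo "refusing: definition has <forward>" >&2; rm -f "$tmp"; return 1; }
    virsh net-define "$tmp" && virsh net-autostart vpn-internal && virsh net-start vpn-internal
    rm -f "$tmp"
}

# Apply inside the gateway VM as root, after wg0 is configured by the VPN client.
apply_gateway_rules() {
    gateway_nft_ruleset | ruleset_fails_closed || { echo "refusing: ruleset does not fail closed" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    gateway_nft_ruleset | nft -f -
}

# Usage: ./vpn-gateway.sh host   (on the host)
#        ./vpn-gateway.sh gateway (inside the gateway VM)
case "${1:-}" in
    host) apply_host_network ;;
    gateway) apply_gateway_rules ;;
esac
```

After `virsh net-start`, `nft list ruleset` on the host should show only the reject rules libvirt adds for an isolated bridge, never a masquerade for `virbr-vpn`; that is the check for the "don't enable traffic routing on the host" point. Inside the gateway VM, a quick fail-closed test is to bring `wg0` down and confirm the client VM can no longer reach anything outside 10.77.0.0/24.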