How can I set it up so I can SSH into my VMWare guest VM?
Actually, there are a whole bunch of good reasons to use NAT with your VMs, rather than bridged interface.. (This is an old question, but it came up as my first result searching how to do this, migrating from VirtualBox where I do it all the time, so I thought it worth adding)
Just a few reasons to use NAT are:
- It's easy and portable
- if you're on a customer LAN that requires a known MAC address to get an IP (otherwise you'll have to try guessing at unused ones and risking a conflict, and generally drawing bad attention to yourself :) ),
- things like allowing your VMs to use a single proxy server on your host (IE if you don't control the network you're on), or being able to firewall/filter their broadcast (windows etc) traffic on the way out in one convenient place.
- being able to assign them a fixed or reserved IP so you can refer to them by name/IP from outside the host (again, if you can't get reservations on the network with a bridged interface)
- but most of all, it allows you to hide behind a single firewall config on your host, and share things between you/them in a more protected way, rather than exposing every VM to the "wild" and having to protect them all individually etc.. Just like you do with an internet modem/router
Anyways, for my case (VMWare Workstation 10, Linux host, OS X Guest), and anyone who stumbles upon this, this is the overview of what worked for me. Apart from the waffling and what-ifs, there are really only 3 main steps.
- So, first you need to decide what you want to allow to your VM/guest from "outside" of your host (note as below, you'll be able to get to it easily from the host itself). A safe bet would just be to expose/allow only SSH (port 22), to machines on your subnet. You could also allow port 80/443 if you had a webserver on the VM, etc, and you can also use a "tunnel" to access other services using SSH (will give example below), and use FUSE/SSHFS to give your host filesystem access.. (Or the shared folder facility on VMWare, but I haven't used it yet).
So the idea is something like: "Allow things on my host's local network (Eg 10.1.1.0/24 , or 192.168.1.0/24) to connect to port 22222 on the host, which we'll forward along to port 22 of a specific guest". It has to be a specific guest of course (This makes being able to configure your IPs all the more useful, and you can change them all in one place without opening each VM), just like doing it through your internet router to allow gaming things through etc.
Next, having decided which services, you'll need to allow connections on your host machine to the "external" port via iptables/firewall. Port 22 will possibly already be used on the host by sshd, so you might use something like 22222. In this case, add something like this to /etc/ufw/before.rules (and restart ufw):
# Your local network/subnet mask might be something like 10.1.1.0/24...
-A ufw-before-input -p tcp --dport 22222 -m state --state NEW -s my_subnet_and_mask -j ACCEPT
Give your VM(s) a reserved IP in the main VMware DHCP config (optional, but easier to rely on if you want to "pinhole" to it from host), by adding something like this to the bottom of /etc/vmware/vmnet8/dhcpd/dhcpd.conf
# Just like a normal dhcpd reservation
host my_vm_1 {
    hardware ethernet your_vm_eth_mac_here;
    # This is in default range for guests, but outside the 'pool'.
    # - check that it matches your vmware config
    fixed-address 192.168.198.10;
    # And/or your own internal nameserver etc
    option domain-name-servers 8.8.8.8;
    option domain-name "some_domain_suffix";
    # This is the default default-route of the VM
    option routers 192.168.198.2;
}
Tell VMWare to forward connections from 22222 to guest:22 by adding this to the [incomingtcp] section of /etc/vmware/vmnet8/nat/nat.conf, then restart vmware service(s) (see note below)
[incomingtcp]
22222 = 192.168.198.10:22
You may also need to allow port 22 connections in your guest, depending on what it is/if it has a firewall of its own. In this OS X guest case, it was to enable "remote login" via Sharing settings, on linux it might be via ufw as on host above, etc
So, once that's all done, you could be on your laptop or other machine on the LAN, ssh to your workstation (vmware host) on 22222, and you'd be squirreled away to the guest you told it to forward you to. As mentioned above, if you also say wanted to be able to connect to postgres server on the guest (or vnc server, which is often unencrypted), you could tunnel in the same command (instead of adding it also to the dhcp conf). For eg
console ~> ssh root@hostip -p 22222 -L 54320:localhost:5432
and you'd be ssh'ed in to the guest via the ip forward in vmware, and could point your pgadmin3 tool to localhost:54320 (non-privileged) on your laptop, and your traffic on the network would be encrypted. (Note 'localhost' there is already forwarded to the guest)
Notes
- There are all sorts of ways to do this.. For one, you could just tunnel to host and specify the guest's ip in the -L and it would "break out" and point you there, but the nat.conf option is nice and convenient, and you don't have to type it each time. There are also other ways of port forwarding
- I had seen references on a couple of threads to a virtual network gui to do this (like virtualbox has), but I couldn't find it in this version
- I don't use windows, so even though I assume it would be very similar to configure as a host, I'm not sure. The NAT configs should work for any vmware guest though (although I haven't used any other versions of VMWare)
VMware sets up a route so that the host can contact the NAT guest directly, IE from the host's console, I can ping/ssh etc the NAT guest 192.168.198.10 (defined above) directly
console ~> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
<snip>
192.168.198.0   0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.233.0   0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
- From a linux note, there is some fiddling with vmware with systemd init to start up nicely automatically, and along with that I've found I can't just restart vmware (vmci doesn't load again), and I have to restart my machine to make the NAT/DHCP stuff above stick, but you might not have the problem. There are some threads with systemd solutions though
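A consistency check for the three files edited in the answer above, as an added example that is not part of the original post: it cross-references each nat.conf forward against the dhcpd.conf reservations and the ufw ACCEPT rules. The function names and the sample configs (second forward, MAC address, subnet) are constructed for illustration, and it assumes single-port rules that restrict the source with `-s`.

```python
import re
# Constructed sample configs modelled on the answer's snippets (not from a real host).
NAT_CONF = "[incomingtcp]\n22222 = 192.168.198.10:22\n8080 = 192.168.198.50:80\n"
DHCPD_CONF = "host my_vm_1 {\n  hardware ethernet 00:0c:29:00:00:01;\n  fixed-address 192.168.198.10;\n}\n"
BEFORE_RULES = """-A ufw-before-input -p tcp --dport 22222 -m state --state NEW -s 10.1.1.0/24 -j ACCEPT
-A ufw-before-input -p tcp --dport 8080 -m state --state NEW -j ACCEPT
"""

def forwards(nat_conf):
    """Map host port -> (guest ip, guest port) from the [incomingtcp] section."""
    out, section = {}, None
    for line in nat_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "incomingtcp" and "=" in line:
            port, target = (s.strip() for s in line.split("=", 1))
            ip, _, gport = target.rpartition(":")
            out[int(port)] = (ip, int(gport))
    return out

def reserved_ips(dhcpd_conf):
    """IPs pinned with an uncommented fixed-address statement."""
    return set(re.findall(r"^[ \t]*fixed-address\s+([\d.]+)\s*;", dhcpd_conf, re.M))

def accept_sources(before_rules):
    """Map tcp --dport -> list of -s values (None when the rule has no -s)."""
    out = {}
    for line in before_rules.splitlines():
        t = line.split("#", 1)[0].split()
        if t[:2] == ["-A", "ufw-before-input"] and t[-2:] == ["-j", "ACCEPT"] and "--dport" in t:
            src = t[t.index("-s") + 1] if "-s" in t else None
            out.setdefault(int(t[t.index("--dport") + 1]), []).append(src)
    return out

def audit(nat_conf, dhcpd_conf, before_rules):
    """Return findings for forwards that are unpinned, unreachable or open to any source."""
    findings, pinned, rules = [], reserved_ips(dhcpd_conf), accept_sources(before_rules)
    for port, (ip, _) in sorted(forwards(nat_conf).items()):
        if ip not in pinned:
            findings.append(f"{port}: target {ip} has no fixed-address reservation")
        if not rules.get(port):
            findings.append(f"{port}: no ACCEPT rule for this port")
        elif any(s in (None, "0.0.0.0/0") for s in rules[port]):
            findings.append(f"{port}: ACCEPT rule is not limited to a source subnet")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(NAT_CONF, DHCPD_CONF, BEFORE_RULES)))
```

On a real host, read the three strings from /etc/vmware/vmnet8/nat/nat.conf, /etc/vmware/vmnet8/dhcpd/dhcpd.conf and /etc/ufw/before.rules; an empty result means every forward targets a reserved IP and is reachable only from a named subnet.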
Absolutely - it's just a matter of using a local only, or bridged interface, and working out the ip address of the system running the ssh server (using the ifconfig command). Install openssh-server on the VM, use your ssh client, and it's done.
If you are using a NAT interface, it may be more complicated, and it's generally not recommended.
To simplify things:
- Run your VM
- From the menu > Virtual Machine > Network Adapter > Bridged.
- In your VM, find your IP address, such as in linux: ifconfig
- From the host, ssh using: ssh user@ip
I am assuming you have an SSH service installed and running.