Block LAN Access from a Windows VM


Hi,

I have a Windows VM that I created for a family member for learning purposes. It worked great, and it was used from within our LAN. But now the family member has moved out and wants to access it from outside the network.

I now have been thinking about how to secure two things:

  1. Secure access to the VM from outside the LAN:
    1. Create a WireGuard VPN profile for them and ask them to connect to it and use the VM as if they were in the LAN. (For some reason the computer they have now could not run WireGuard because of some driver signing issue.) Or
    2. Use Apache Guacamole and have the VM exposed through it with authentication enabled.
  2. Secure my LAN from that Windows VM:
    1. Now that they have moved away from home and I cannot look over their shoulder, I don't trust the VM not to be compromised. I want to protect my Unraid server and the LAN from anyone who could get access to that VM.


How can I block all LAN traffic from that VM and only allow internet traffic? What are your thoughts on sharing the VM outside of the network securely?


Thanks in advance :)
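One way to answer the "block all LAN traffic, allow only internet" question on a Linux/KVM host such as Unraid, as an added example that is not part of the original thread: an nftables bridge-family ruleset that lets the VM's tap interface reach only the router (for ARP, DNS and the default route) and public addresses, and drops everything aimed at private address space, including the hypervisor itself. The interface name vnet0 and the gateway 192.168.1.1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: nftables bridge-family rules on a Linux/KVM host. VMs on such a
# host attach to a bridge (e.g. br0) through vnetN tap interfaces; names and
# addresses below are assumptions, adjust them to the real environment.

VM_IF="${VM_IF:-vnet0}"           # tap interface of the Windows VM (assumed)
GATEWAY="${GATEWAY:-192.168.1.1}" # LAN router, also the DNS forwarder (assumed)

# Print the ruleset so it can be reviewed or piped into `nft -f -`.
vm_isolation_ruleset() {
  cat <<EOF
table bridge vm_isolate {
  # Frames from the VM towards other bridge ports (LAN peers, other VMs)
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$1" jump vm_egress
  }
  # Frames from the VM towards the hypervisor's own IP on the bridge
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$1" jump vm_egress
  }
  chain vm_egress {
    # ARP only for the router, so the VM stays invisible to LAN peers
    arp daddr ip $2 accept
    arp drop
    # DHCP renewals may be unicast to a LAN DHCP server, keep them working
    udp sport 68 udp dport 67 accept
    # DNS and routed traffic go to the router itself
    ip daddr $2 accept
    # Private, link-local and multicast destinations are dropped;
    # public destinations fall through to the accept policy (internet only)
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 224.0.0.0/4 } drop
    ip6 daddr { fc00::/7, fe80::/10, ff00::/8 } drop
  }
}
EOF
}

# Apply (idempotently) when nft is available and we are root; otherwise just print.
apply_vm_isolation() {
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    nft delete table bridge vm_isolate 2>/dev/null || true
    vm_isolation_ruleset "$VM_IF" "$GATEWAY" | nft -f -
  else
    vm_isolation_ruleset "$VM_IF" "$GATEWAY"
  fi
}
```

If the VM's DNS server is a LAN host other than the router, add an explicit accept for it before the drop rules, otherwise name resolution will fail.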

  • 2 weeks later...

Hi @PeteAsking,

Thank you for your reply. I tried to set up pfSense before, right in front of my home router, but I have Google Wifi, which sucks as it does not let me use the pfSense box as a router without giving up the "Mesh" functionality.

I was thinking of running pfSense in the Unraid box itself as a VM to act as a firewall for just the Unraid box, but even with this, how would I prevent someone accessing the VM from accessing the box itself or the LAN?


Any pointers would help :) thanks again.


It is quite complicated. You would need to create a double NAT setup where pfSense/OPNsense has the WAN as an IP on your existing LAN and the LAN is a new subnet not used on your network. A connecting client via OpenVPN etc. would be placed into the LAN on the pfSense box and be provided internet via NAT and be unable to communicate with anything other than the pfSense box. I feel this solution will not be suitable long term, as it only resolves 1 issue, and any time you need to extend the functionality of it you would run into issues. If you are not able to run your own equipment you may be at the mercy of what functionality is provided by your provider unless you are willing to change.
