I am trying to create a KVM/QEMU/Virt-Manager VM without exposing my IP/internet connection to it. I pay for a VPN subscription, and I typically access it through wireguard configs that integrate with my distro (Fedora 40 Workstation) and DE VPN menus. From my understanding, as I have them set up now, I can enable one of these configurations in my settings, and all of my traffic is routed through the VPN, except for my local network.
I want this VM guest to have all of its traffic sent to the VPN as well, with the exception of some connection between it and the host, so I could still access it from the host for utilities like ssh.
Is it possible to achieve this? When I looked online, it seemed to require some CLI configuration of IP routes, and I didn’t feel confident not understanding the changes I was making, as I want to make sure it is impossible to leak; it just shouldn’t have any access to my normal network. If my VPN is disabled on the host, then it simply shouldn’t be able to access the internet.
This can be handled pretty much entirely on the host by configuring your qemu settings; it’s got very robust virtual networking options. Basically just expose the host’s VPN interface (e.g. usually called something like
tun) for VPN access, and make a separate virtual interface that only the host and guest can access for the stuff like ssh.Here’s the qemu wiki about networking, definitely where you should start