I am trying to create a KVM/QEMU/Virt-Manager VM without exposing my IP/internet connection to it. I pay for a VPN subscription, and I typically access it through WireGuard configs that integrate with my distro (Fedora 40 Workstation) and DE VPN menus. From my understanding, as I have them set up now, I can enable one of these configurations in my settings, and all of my traffic is routed through the VPN, except for my local network.

I want this VM guest to have all of its traffic sent to the VPN as well, with the exception of some connection between it and the host, so I could still access it from the host for utilities like ssh.

Is it possible to achieve this? When I looked online, it seemed to require some CLI configuration of IP routes, and I didn’t feel confident not understanding the changes I was making, as I want to make sure it is impossible to leak; it just shouldn’t have any access to my normal network. If my VPN is disabled on the host, then it simply shouldn’t be able to access the internet.