Hello everybody,
I am new to OpenVPN and networking and I have one fundamental question. I know that OpenVPN utilizes SSL to encrypt messages and create the cryptographic tunnel. This means that it encrypts information at the application layer. So the question is:
How does it change the real source IP and MAC addresses to be transparent to the internet? Does it use some kind of other protocol?
A link to a good source would be enough for an answer, since all that I can find through a Google search is just confusing, with more answers.
Many thanks!
SSL tunnelling
Moderators: TinCanTech
- OpenVPN Super User
- Posts: 219
- Joined: Mon Nov 23, 2009 8:24 pm
Re: SSL tunnelling
A quote from http://en.wikipedia.org/wiki/TUN/TAP :
This means as much as a virtual interface (layer 2 or 3, depending on tun/tap) delivering the packets to a userspace program.
Packets sent by an operating system via a TUN/TAP device are delivered to a user-space program that attaches itself to the device. A user-space program may also pass packets into a TUN/TAP device. In this case TUN/TAP device delivers (or "injects") these packets to the operating system network stack thus emulating their reception from an external source.
In this case, openvpn is the userspace program which takes care of transmitting the packets to and from their destination.
Because we want some kind of encryption, openvpn uses the standard SSL/TLS for encrypting the content (which are the IP or Ethernet frames). This means that the 2 layers are complementary to each other:
- tun/tap for the packets on your virtual interface
- ssl/tls for encrypting the previously gathered content, and sending it out using the hardware-bound IP address.
Analogous situation:
I'm sending you a letter and address the envelope correctly.
Inside the envelope there's an envelope (with letter included) with entirely different IP addresses on it. But the mailman will never see these, as he can only read the outer envelope.
- OpenVpn Newbie
- Posts: 11
- Joined: Mon Feb 18, 2013 5:38 pm
Re: SSL tunnelling
That was a very good point, mwandelaar. However, I am still confused, since I know that SSL operates at layer 4 and above. Below is my understanding up to now.
Suppose I configured the OpenVPN server at address 10.8.0.1, and I used a TUN device. The real IP address of my machine is e.g. 170.23.23.23/24.
So, 1) the application layer will send the data through to the TUN interface (10.8.0.1), which is attached to OpenVPN (the user-space program). OpenVPN then 2) will encrypt the data, which is the IP datagram with address 10.8.0.1 containing all the information from the actual machine's application, e.g. a credit-card number. Lastly, OpenVPN, which is an application and thus works on the application layer, 3) will deliver the data to the transport protocol, then transport to the Internet protocol, which will attach the real IP address, namely 170.23.23.23, and so forth.
Consequently, a malicious user cannot see the application content nor the address 10.8.0.1. The only thing he can see is the real IP address and MAC. Am I right?
P.S. Sorry for talking too much.
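The layering described in the two posts above, as an added, runnable illustration (my own demo code, not OpenVPN's and not from this thread): an inner IPv4 packet addressed 10.8.0.1 -> 10.8.0.2 is built the way the TUN device would hand it to the OpenVPN process, sealed with a stand-in encrypt-then-MAC construction built from HMAC-SHA256 (standing in for OpenVPN's real negotiated data-channel cipher and packet format, which this does not reproduce), and carried as the payload of an outer UDP datagram from 170.23.23.23 to an assumed server address 203.0.113.10 on OpenVPN's default UDP port 1194. `observer_view` returns everything an on-path observer can parse without the key; `server_receive` returns what the far end recovers. The server address, the peer's inner address 10.8.0.2, the key and the fixed nonce are all constructed for the demo.

```python
# Added demo (not OpenVPN code): the "envelope inside an envelope" from the thread.
# The cipher below is a stdlib stand-in; it is NOT OpenVPN's data-channel format.
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample addressing and key material.
TUN_CLIENT = "10.8.0.1"        # inner (virtual) address, from the thread
TUN_SERVER = "10.8.0.2"        # inner peer address, assumed
REAL_CLIENT = "170.23.23.23"   # "hardware-bound" address, from the thread
REAL_SERVER = "203.0.113.10"   # server's public address, assumed (documentation range)
OPENVPN_PORT = 1194            # OpenVPN's default UDP port
KEY = hashlib.sha256(b"constructed demo key").digest()
NONCE = bytes(8)               # fixed for a reproducible demo; real code never reuses a nonce


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes):
    """Header fields, or None if this is not a well-formed IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:total_len]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream/AEAD cipher."""
    return b"".join(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 32-byte tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; ValueError on any tampering."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tunnel packet failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_send(app_data: bytes) -> bytes:
    """Steps 1-3 from the thread: TUN packet -> encrypted -> outer UDP/IP datagram on the NIC."""
    inner = build_ipv4(TUN_CLIENT, TUN_SERVER, 17, app_data)   # what the TUN device hands to openvpn
    sealed = seal(KEY, NONCE, inner)
    udp = struct.pack("!HHHH", OPENVPN_PORT, OPENVPN_PORT, 8 + len(sealed), 0) + sealed  # checksum 0 = unused
    return build_ipv4(REAL_CLIENT, REAL_SERVER, 17, udp)        # what actually leaves the real interface


def observer_view(wire: bytes) -> dict:
    """Everything an on-path observer (ISP, etc.) can parse without the key."""
    outer = parse_ipv4(wire)
    sport, dport = struct.unpack("!HH", outer["payload"][:4])
    tunnel_payload = outer["payload"][8:]
    return {"src": outer["src"], "dst": outer["dst"], "sport": sport, "dport": dport,
            "payload_len": len(tunnel_payload), "payload": tunnel_payload,
            "inner_parsed": parse_ipv4(tunnel_payload)}  # None: ciphertext is not a readable IP packet


def server_receive(wire: bytes) -> dict:
    """What the OpenVPN server recovers and injects into its own TUN device."""
    outer = parse_ipv4(wire)
    return parse_ipv4(unseal(KEY, outer["payload"][8:]))


if __name__ == "__main__":
    wire = client_send(b"app-data: constructed sample")
    print("observer sees:", {k: v for k, v in observer_view(wire).items() if k != "payload"})
    print("server decrypts:", server_receive(wire))
```

Run it directly to see the two views side by side: the observer gets the outer addresses, the ports and a byte count, and its attempt to parse the payload as an IP packet returns None, while the server recovers 10.8.0.1 -> 10.8.0.2 and the application data. The tag check in `unseal` is also why an observer cannot quietly alter the inner packet in transit: a single flipped byte makes the server reject the datagram.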
- OpenVPN Super User
- Posts: 219
- Joined: Mon Nov 23, 2009 8:24 pm
Re: SSL tunnelling
You sure are!
Consequently, a malicious user cannot see the application content nor the address 10.8.0.1. The only thing he can see is the real IP address and MAC. Am I right?
Yes, this is the actual situation. When monitoring the network (i.e. a (bad) ISP, law enforcement, an adversary) you can clearly see 2 machines talking to each other using encrypted traffic. It's impossible to see if it's a Flash movie or IP packets being transferred.
I have to admit that it indeed sounds a little confusing when following a single packet going up and down again through the OSI-model, but this is the way it works.
- OpenVpn Newbie
- Posts: 11
- Joined: Mon Feb 18, 2013 5:38 pm
Re: SSL tunnelling
Thanks for your help and understanding (maybe silly-to-you questions), mwandelaar!! I think that now I can at least understand the principles!!
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Mar 04, 2013 6:37 am
Re: SSL tunnelling
Nice information. Thanks.