OpenVPN with shared key encryption process
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Mar 16, 2013 10:24 am
OpenVPN with shared key encryption process
Hi, can someone explain to me from the beginning how the data encryption process of an OpenVPN tunnel using a shared key works? In other words, how does the data get encrypted and decrypted when using a shared key for a site-to-site tunnel?
-
- OpenVPN Super User
- Posts: 219
- Joined: Mon Nov 23, 2009 8:24 pm
Re: OpenVPN with shared key encryption process
There's been a discussion some time ago about this question:
Topic 12275: SSL Tunneling, where the topic starter and I tried to explain what's happening when packets travel through the stack.
Hope this answers your question.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Mar 16, 2013 10:24 am
Re: OpenVPN with shared key encryption process
Thanks for the reply mwandelaar. What I don't understand is: when a shared key is being used, who/what is responsible for encryption/decryption of the data? Does the TUN/TAP driver take the data and use the cryptographic libraries of SSL/TLS to encrypt them?
-
- OpenVPN Super User
- Posts: 219
- Joined: Mon Nov 23, 2009 8:24 pm
Re: OpenVPN with shared key encryption process
That's the way it works.
As the TUN/TAP interface is a "cleartext" interface (any application can talk to it, i.e. Firefox doesn't need anything special to do so), packets are picked up by the virtual interface and fed through the application responsible for this virtual interface.
This is where OpenVPN does its job and gets the IP or Ethernet packet, depending on the type of tunneling. It encrypts it either using the session key derived from the certificates or using the static key and sends it to the other side, where the other side does the work the other way around.
The crypto suite is defined in the config, and if not, the application default is used.
To be really honest, I don't have the topology of the source code of OpenVPN clear, but this is the way it should work.
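The flow described in the answer above (packet leaves the TUN/TAP interface in cleartext, OpenVPN encrypts and authenticates it with the static key, the peer verifies and decrypts it and writes it back to its own TUN/TAP) can be modeled in a few dozen lines. The code below is an added example written for this thread; it is not OpenVPN's own code. It assumes a 256-byte static key file split into two (cipher, HMAC) halves that the two peers use in opposite directions via a key-direction value, as the `--secret file [direction]` option does; the exact on-wire layout (HMAC, then IV, then ciphertext carrying a packet-id for replay protection) is modeled loosely on OpenVPN's static-key data channel, and a SHA-256 counter-mode keystream stands in for the configured block cipher so the example runs with only the standard library. The static key bytes are constructed, not a real key.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample key material: 2048 bits, the size of a --genkey file. NOT a real key.
STATIC_KEY = bytes(range(256))

HMAC_LEN = 32   # HMAC-SHA256 tag
IV_LEN = 16
PID_LEN = 4     # packet-id used for replay detection


def split_static_key(key_material, key_direction=None):
    """Return ((enc_key, mac_out_key), (dec_key, mac_in_key)) for one peer.

    Assumed layout: two key slots of 64 bytes cipher + 64 bytes HMAC each.
    Direction 0 sends with slot 0 and receives with slot 1; direction 1 is
    the inverse. With no direction given, both peers use slot 0 both ways.
    """
    if len(key_material) != 256:
        raise ValueError("static key must be 256 bytes")
    slot0 = (key_material[0:64], key_material[64:128])
    slot1 = (key_material[128:192], key_material[192:256])
    if key_direction is None:
        return slot0, slot0
    if key_direction == 0:
        return slot0, slot1
    if key_direction == 1:
        return slot1, slot0
    raise ValueError("key_direction must be 0, 1 or None")


def _keystream(cipher_key, iv, length):
    """Toy stand-in for the configured cipher: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(cipher_key[:32] + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class StaticKeyEndpoint:
    """One side of a static-key tunnel: encrypts what leaves TUN, decrypts what arrives."""

    def __init__(self, key_material, key_direction=None):
        (self.enc_key, self.mac_out), (self.dec_key, self.mac_in) = split_static_key(
            key_material, key_direction)
        self.next_packet_id = 1
        self.last_seen_id = 0

    def encrypt_from_tun(self, packet):
        """Cleartext IP/Ethernet frame read from TUN/TAP -> authenticated wire packet."""
        pid = self.next_packet_id
        self.next_packet_id += 1
        iv = os.urandom(IV_LEN)
        body = struct.pack(">I", pid) + packet
        ct = _xor(body, _keystream(self.enc_key, iv, len(body)))
        # Encrypt-then-MAC: the tag covers IV and ciphertext.
        tag = hmac.new(self.mac_out[:32], iv + ct, hashlib.sha256).digest()
        return tag + iv + ct

    def decrypt_to_tun(self, wire):
        """Wire packet from the peer -> cleartext frame to write to TUN/TAP, or ValueError."""
        if len(wire) < HMAC_LEN + IV_LEN + PID_LEN:
            raise ValueError("packet too short")
        tag, iv, ct = wire[:HMAC_LEN], wire[HMAC_LEN:HMAC_LEN + IV_LEN], wire[HMAC_LEN + IV_LEN:]
        expected = hmac.new(self.mac_in[:32], iv + ct, hashlib.sha256).digest()
        # Verify before decrypting, in constant time, so forged packets are dropped early.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC verification failed")
        body = _xor(ct, _keystream(self.dec_key, iv, len(ct)))
        pid = struct.unpack(">I", body[:PID_LEN])[0]
        if pid <= self.last_seen_id:
            raise ValueError("replayed packet-id %d" % pid)
        self.last_seen_id = pid
        return body[PID_LEN:]


def rejects(endpoint, wire):
    """True if the endpoint drops the wire packet (bad MAC, replay, short)."""
    try:
        endpoint.decrypt_to_tun(wire)
    except ValueError:
        return True
    return False


def demo():
    """Site A (direction 0) sends one constructed IPv4 frame to site B (direction 1)."""
    frame = bytes.fromhex("45000014000000004001") + b"\x0a\x08\x00\x01\x0a\x08\x00\x02"
    site_a = StaticKeyEndpoint(STATIC_KEY, 0)
    site_b = StaticKeyEndpoint(STATIC_KEY, 1)
    wire = site_a.encrypt_from_tun(frame)
    delivered = site_b.decrypt_to_tun(wire)
    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])
    misconfigured = StaticKeyEndpoint(STATIC_KEY, 0)   # same direction as the sender
    return {
        "roundtrip_ok": delivered == frame,
        "replay_dropped": rejects(site_b, wire),
        "tamper_dropped": rejects(StaticKeyEndpoint(STATIC_KEY, 1), tampered),
        "same_direction_dropped": rejects(misconfigured, wire),
    }


if __name__ == "__main__":
    print(demo())
```

The shape of the check matters more than the toy cipher: the receiver authenticates the whole encrypted packet before touching the plaintext and rejects anything with a stale packet-id, which is what stops a captured tunnel packet from being replayed into the remote site's TUN/TAP. The `same_direction_dropped` case also shows why the two sides of a `--secret` tunnel must use complementary key directions (or both omit it): with direction 0 on both ends, the receiver verifies with the wrong HMAC key and drops every packet.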