
Understanding how routing / tun mode is working

Posted: Wed May 27, 2020 12:31 am
by afhelton
Hi Everyone,

I've been searching high and low for how exactly OpenVPN implements tun mode (l3 - routing). I've found a load of generic articles that explain the high-level view, but am looking for something a bit more detailed. I'd like to know how the tunneling procedure is actually implemented. Is it similar in nature to GRE?

In my particular implementation right now (I am just learning), I have an OpenVPN for Windows (not Open Access Server) running on a Windows Server 2019 instance. I then likewise installed it on my W10 lab laptop. As such, both devices are on the same LAN, but on different subnets. I have been able to get everything working properly, now I am just trying to understand how it works. I get the basics of what is going on - that packets are being encapsulated in packets - but I'd like a little more detail on how exactly that process is taking place.

I've run a route print (netstat -r) on both my server and my laptop. Here's what I see on my laptop:


Network Destination    Netmask          Gateway       Interface     Metric
192.168.50.1           255.255.255.255  192.168.50.5  192.168.50.6      25
192.168.50.4           255.255.255.252  On-link       192.168.50.6     281
192.168.50.6           255.255.255.255  On-link       192.168.50.6     281
192.168.50.7           255.255.255.255  On-link       192.168.50.6     281
So my device is receiving an IP of 192.168.50.6. The server IP is 192.168.50.1. The gateway (tunnel interface?) on my device is 192.168.50.5. However, I'm confused about what the 192.168.50.4 and 192.168.50.7 destinations refer to and why they are needed. Could someone enlighten me? Or perhaps point me to more detailed documentation? I do see in my arp table that 192.168.50.7 has an associated broadcast l2 address.

Re: Understanding how routing / tun mode is working

Posted: Wed May 27, 2020 10:00 am
by Pippin

Re: Understanding how routing / tun mode is working

Posted: Wed May 27, 2020 6:10 pm
by afhelton
Thanks, Pippin. The graphics are helpful. If I'm understanding it correctly, the initial IP/TCP (APPS) datagram is passed to the tunnel interface, which is ultimately where OpenVPN does its thing. It encrypts the original datagram, wraps it in a new IP/UDP header set, and sends it out the Ethernet interface to its destination.

I guess my point of confusion is in reference to the fact that there are 5 different 192.168.50.X IP addresses in my routing table on my client device. I know the following:
Server: 192.168.50.1
Client: 192.168.50.6
Tunnel Int: 192.168.50.5 (? - I think, since it is the gateway for the server and has a low metric?)

I am trying to figure out the .4 and .7 references. Any idea on what these are for?

Oh, wait. I just noticed that when OpenVPN distributes an IP address from my selected subnet in the server config, it uses a /30 mask. That would make 192.168.50.4 the subnet itself and .7 the broadcast for said subnet. That accounts for both those addresses, but I guess I was expecting the client and server to have gateways that are in the same subnet as pictured in your third link. In the server's routing table, it has an OpenVPN address of 192.168.50.1/30 with a gateway of 192.168.50.2/30. In the client's routing table, it has an IP address of 192.168.50.6/30 and a gateway of 192.168.50.5/30. This means they reside in two different subnets. Is this where the internal routing on the OpenVPN server comes into play?
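
The /30 carving worked out in the post above is OpenVPN's net30 topology. The following is an added example (not code from the thread or from OpenVPN) that reproduces that allocation with Python's ipaddress module so the four addresses in the client's route table can be checked against it; it assumes the server pool is 192.168.50.0/24 and the allocation order given in the OpenVPN manual (server takes the first /30 as .1 with peer .2, each client then takes the next /30 as its third address with the second address as peer).

```python
# Added example: how OpenVPN "topology net30" splits a server subnet into
# /30 blocks, and why a client's route table shows .4 (network), .5 (peer
# gateway), .6 (client address) and .7 (broadcast). The 192.168.50.0/24 pool
# used in the test is an assumption; the thread only shows individual hosts.
import ipaddress


def net30_blocks(server_subnet, max_clients=None):
    """Split server_subnet into the /30 blocks used by net30 mode.

    Returns a list of dicts. Index 0 is the server's own /30 (server .1,
    peer .2); each following entry is one client block in allocation order.
    max_clients, if given, limits how many client blocks are returned.
    """
    net = ipaddress.ip_network(server_subnet, strict=True)
    if net.prefixlen > 30:
        raise ValueError("net30 needs a pool of at least four addresses")
    blocks = []
    for i, sub in enumerate(net.subnets(new_prefix=30)):
        a = list(sub)  # exactly four addresses in every /30
        if i == 0:
            blocks.append({"network": a[0], "server": a[1],
                           "server_peer": a[2], "broadcast": a[3]})
        else:
            blocks.append({"network": a[0], "peer_gateway": a[1],
                           "client": a[2], "broadcast": a[3]})
        if max_clients is not None and i >= max_clients:
            break
    return blocks


def classify(address, server_subnet):
    """Name the role of one address inside a net30 pool (for reading route tables)."""
    ip = ipaddress.ip_address(address)
    for blk in net30_blocks(server_subnet):
        for role, addr in blk.items():
            if addr == ip:
                return role
    return "outside pool"


if __name__ == "__main__":
    # Walk the client's route table entries from the first post.
    for host in ("192.168.50.1", "192.168.50.4", "192.168.50.5",
                 "192.168.50.6", "192.168.50.7"):
        print(host, "->", classify(host, "192.168.50.0/24"))
```

The first client block is the same /30 as the client's route entries (network .4, gateway .5, client .6, broadcast .7), and the server sits in a separate /30 (.1 with peer .2), which is why the two ends appear to live in different subnets.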

Re: Understanding how routing / tun mode is working

Posted: Wed May 27, 2020 6:20 pm
by TinCanTech
Look up --topology in the manual.

Re: Understanding how routing / tun mode is working

Posted: Wed May 27, 2020 11:13 pm
by afhelton
TinCanTech wrote:
Wed May 27, 2020 6:20 pm
Look up --topology in the manual.
Perfect. Thanks!