Network interface for VPN connection explanation

I'd like to know exactly what is happening when I create a connection with my company's VPN.

When I connect (using OpenVPN), I see the following network interface by using ifconfig:

utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.8.0.18 --> 10.8.0.17 netmask 0xffffffff

This looks different from other network interfaces in that it has two IP addresses separated by "-->".

Question(s)

Which is those two numbers is my actual IP address? What is the other one, then? How can the netmask be 0xffffffff? Seems to not leave any address space to identify individual hosts on the network.

I know this is kind of multiple questions, but they all seem very closely related so I figured I'd ask them all.

This is a point-to-point interface, also called a tunnel or a peer-to-peer interface. It doesn't behave like "shared medium" interfaces such as Wi-Fi or Ethernet, which connect you to multiple devices through use of layer-2 MAC addresses. Instead, it behaves like a cable that just has hosts on both ends.

(Indeed originally such interfaces meant a serial link cable running PPP or similar protocol. But for tun* and utun* interfaces, the "other end" is the VPN program.)

There are no layer-2 headers, no MAC addresses, and no ARP on a point-to-point interface, because everything sent through it reaches the same destination (the "peer" host).

Seems to not leave any address space to identify individual hosts on the network.

It doesn't actually have a "subnet mask" so to speak; it's just two single addresses. This is a common configuration for point-to-point links, although not exclusive to them.

With "normal" interfaces, configuring an address with subnet mask like 192.168.1.3/24 on eth0 is really just shorthand for saying "My address is 192.168.1.3 and I also have an on-link route 192.168.1.0/24 dev eth0". The on-link route is derived from combining the address & subnet mask.

With point-to-point interfaces, it's actually the same idea. Your example means "My address is 10.8.0.18 and I also have an on-link route 10.8.0.17/32 dev utun3." In this case the autogenerated route is a /32, indicating only one host – the "peer".

(Note: My examples use Linux iproute2-style syntax.)

So in the end, the difference between these two configuration styles is just that automatic route.

In fact, in some other operating systems (e.g. Linux) any interface can use either subnet-style or PtP-style configuration. Often VPNs and other point-to-point tunnels have a traditional subnet mask, because the autogenerated route makes a lot of sense for them (even if there's no actual MAC subnet). And in rare cases, normal Ethernet interfaces might use PtP-style X --> Y configuration because they're on a weird network.

By the way, another configuration you might see on point-to-point interfaces is /31, which is a subnet with only two addresses total and both are host addresses – /31 prefixes are actually exempt from the usual "netid and broadcast are reserved" rule (though not all operating systems have been updated to know this).