Network interface for VPN connection explanation


I'd like to know exactly what is happening when I create a connection with my company's VPN.

When I connect (using OpenVPN), I see the following network interface by using ifconfig:

utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet --> netmask 0xffffffff

This looks different from other network interfaces in that it has two IP addresses separated by "-->".


Which is those two numbers is my actual IP address? What is the other one, then? How can the netmask be 0xffffffff? Seems to not leave any address space to identify individual hosts on the network.

I know this is kind of multiple questions, but they all seem very closely related so I figured I'd ask them all.

asked on Super User Jun 7, 2019 by wheresmycookie • edited Jun 7, 2019 by Daniel K

1 Answer


This is a point-to-point interface, also called a tunnel or a peer-to-peer interface. It doesn't behave like "shared medium" interfaces such as Wi-Fi or Ethernet, which connect you to multiple devices through use of layer-2 MAC addresses. Instead, it behaves like a cable that just has hosts on both ends.

(Indeed originally such interfaces meant a serial link cable running PPP or similar protocol. But for tun* and utun* interfaces, the "other end" is the VPN program.)

There are no layer-2 headers, no MAC addresses, and no ARP on a point-to-point interface, because everything sent through it reaches the same destination (the "peer" host).

Seems to not leave any address space to identify individual hosts on the network.

It doesn't actually have a "subnet mask" so to speak; it's just two single addresses. This is a common configuration for point-to-point links, although not exclusive to them.

With "normal" interfaces, configuring an address with subnet mask like on eth0 is really just shorthand for saying "My address is and I also have an on-link route dev eth0". The on-link route is derived from combining the address & subnet mask.

With point-to-point interfaces, it's actually the same idea. Your example means "My address is and I also have an on-link route dev utun3." In this case the autogenerated route is a /32, indicating only one host – the "peer".

(Note: My examples use Linux iproute2-style syntax.)

So in the end, the difference between these two configuration styles is just that automatic route.

In fact, in some other operating systems (e.g. Linux) any interface can use either subnet-style or PtP-style configuration. Often VPNs and other point-to-point tunnels have a traditional subnet mask, because the autogenerated route makes a lot of sense for them (even if there's no actual MAC subnet). And in rare cases, normal Ethernet interfaces might use PtP-style X --> Y configuration because they're on a weird network.

By the way, another configuration you might see on point-to-point interfaces is /31, which is a subnet with only two addresses total and both are host addresses – /31 prefixes are actually exempt from the usual "netid and broadcast are reserved" rule (though not all operating systems have been updated to know this).

answered on Super User Jun 7, 2019 by user1686 • edited Jun 8, 2019 by user1686

User contributions licensed under CC BY-SA 3.0