I'd like to know exactly what is happening when I create a connection with my company's VPN.
When I connect (using OpenVPN), I see the following network interface by using
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 inet 10.8.0.18 --> 10.8.0.17 netmask 0xffffffff
This looks different from other network interfaces in that it has two IP addresses separated by "-->".
Which of those two numbers is my actual IP address? What is the other one, then? How can the netmask be 0xffffffff? Seems to not leave any address space to identify individual hosts on the network.
I know this is kind of multiple questions, but they all seem very closely related so I figured I'd ask them all.
This is a point-to-point interface, also called a tunnel or a peer-to-peer interface. It doesn't behave like "shared medium" interfaces such as Wi-Fi or Ethernet, which connect you to multiple devices through use of layer-2 MAC addresses. Instead, it behaves like a cable that just has hosts on both ends.
(Indeed originally such interfaces meant a serial link cable running PPP or similar protocol. But for utun* interfaces, the "other end" is the VPN program.)
There are no layer-2 headers, no MAC addresses, and no ARP on a point-to-point interface, because everything sent through it reaches the same destination (the "peer" host).
Seems to not leave any address space to identify individual hosts on the network.
It doesn't actually have a "subnet mask" so to speak; it's just two single addresses. This is a common configuration for point-to-point links, although not exclusive to them.
With "normal" interfaces, configuring an address with subnet mask like 192.168.1.3/24 on eth0 is really just shorthand for saying "My address is 192.168.1.3 and I also have an on-link route 192.168.1.0/24 dev eth0". The on-link route is derived from combining the address & subnet mask.
With point-to-point interfaces, it's actually the same idea. Your example means "My address is 10.8.0.18 and I also have an on-link route 10.8.0.17/32 dev utun3." In this case the autogenerated route is a /32, indicating only one host – the "peer".
(Note: My examples use Linux iproute2-style syntax.)
So in the end, the difference between these two configuration styles is just that automatic route.
In fact, in some other operating systems (e.g. Linux) any interface can use either subnet-style or PtP-style configuration. Often VPNs and other point-to-point tunnels have a traditional subnet mask, because the autogenerated route makes a lot of sense for them (even if there's no actual MAC subnet). And in rare cases, normal Ethernet interfaces might use PtP-style X --> Y configuration because they're on a weird network.
By the way, another configuration you might see on point-to-point interfaces is /31, which is a subnet with only two addresses total and both are host addresses – /31 prefixes are actually exempt from the usual "netid and broadcast are reserved" rule (though not all operating systems have been updated to know this).
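To make the "it's just the autogenerated route" point concrete, here is an added example (not part of the original question or answer) that parses ifconfig-style inet lines like the utun3 one above, derives the on-link route each configuration style implies, handles the /31 special case, and prints the iproute2 equivalent the answer refers to. The en0 line is a constructed sample; the utun3 line is copied from the question.

```python
import ipaddress
import re

# Sample lines: utun3 is the question's interface; en0 is a constructed "normal" interface.
SAMPLE_PTP = ("utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 "
              "inet 10.8.0.18 --> 10.8.0.17 netmask 0xffffffff")
SAMPLE_LAN = ("en0: flags=8863<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 "
              "inet 192.168.1.3 netmask 0xffffff00")

PTP_RE = re.compile(r"^(\w+):.*inet (\S+) --> (\S+) netmask 0x([0-9a-f]{8})", re.I)
LAN_RE = re.compile(r"^(\w+):.*inet (\S+) netmask 0x([0-9a-f]{8})", re.I)


def hex_mask_to_prefix(hexmask):
    """'ffffff00' -> 24; rejects masks that are not contiguous ones followed by zeros."""
    bits = int(hexmask, 16)
    prefix = bin(bits).count("1")
    if bits != (0xffffffff << (32 - prefix)) & 0xffffffff:
        raise ValueError(f"non-contiguous netmask 0x{hexmask}")
    return prefix


def onlink_route(line):
    """Return (ifname, local_addr, on-link route, reachable peer addresses) for one inet line."""
    m = PTP_RE.search(line)
    if m:
        ifname, local, peer, _mask = m.groups()
        # PtP style: the kernel installs a /32 route to the single peer; the netmask is moot.
        return ifname, local, ipaddress.ip_network(f"{peer}/32"), [peer]
    m = LAN_RE.search(line)
    if not m:
        raise ValueError("unrecognised inet line")
    ifname, local, hexmask = m.groups()
    prefix = hex_mask_to_prefix(hexmask)
    route = ipaddress.ip_interface(f"{local}/{prefix}").network  # address & mask -> on-link route
    # /31 (RFC 3021) and /32 reserve no network/broadcast address; every address is a host.
    candidates = route if prefix >= 31 else route.hosts()
    hosts = [str(a) for a in candidates if str(a) != local]
    return ifname, local, route, hosts


def iproute2_equivalent(line):
    """The same configuration in Linux iproute2 syntax, as used in the answer's examples."""
    m = PTP_RE.search(line)
    if m:
        ifname, local, peer, _mask = m.groups()
        return f"ip addr add {local} peer {peer} dev {ifname}"
    ifname, local, route, _hosts = onlink_route(line)
    return f"ip addr add {local}/{route.prefixlen} dev {ifname}"


if __name__ == "__main__":
    for sample in (SAMPLE_PTP, SAMPLE_LAN):
        ifname, local, route, hosts = onlink_route(sample)
        print(f"{ifname}: local {local}, on-link route {route}, {len(hosts)} other host(s)")
        print("   ", iproute2_equivalent(sample))
```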