LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-09-2018, 10:36 AM   #1
bulgin
Member
 
Registered: Mar 2010
Posts: 74

Rep: Reputation: Disabled
OpenVPN and tcpdump output shows activity on two IP ranges.


Ubuntu 16.04
OpenVPN 2.3.10 x86_64-pc-linux-gnu

Pardon if this belongs in a different forum but it seems like security to me.

A basic OpenVPN question:

When OpenVPN is operating and I open two terminals and tcpdump both the tunnel to the remote OpenVPN server, which is:

tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever

and tcpdump the local IP address:

enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.2.7/24 brd 192.168.2.255 scope global dynamic enp2s0
valid_lft 74527sec preferred_lft 74527sec

I witness, as expected, activity on the tun0 interface, but I'm also seeing lots of traffic on the local network between the local internal IP address of 192.168.2.7 and the foreign server's public IP address.

Is this normal? I would expect to see traffic in the tun0, but I'm not so sure about the local address, which is showing traffic to the remote server that hosts the OpenVPN server.
 
Old 04-09-2018, 05:05 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,706
Blog Entries: 4

Rep: Reputation: 3949
This is normal. You are seeing the encrypted traffic that is generated by the OpenVPN service processes themselves, and you should observe that it uses the UDP protocol, not TCP/IP.

OpenVPN acts as a virtual network router. It communicates with its peers over public IP-addresses using the UDP protocol, which has no "open ports." (Yes, it can be configured to use TCP/IP, instead, but this is inadvisable.) All of these packets are encrypted.

This is the physical side of OpenVPN.

Meanwhile, logically, OpenVPN reserves the 10.8.x.x IP-address range for itself. Any computer that is directly logged-on to the VPN will have a server-assigned IP-address range here, serviced by a tunX virtual network device. (This is the address-range of "the virtual routers themselves.") Meanwhile, any internal-IP addresses corresponding to remote systems that have also been routed through the tunnel ("handled by the virtual router") are also handled by the tunX device, which is the mechanism that transfers the data to/from the OpenVPN service process.

Clients communicate using only this logical view. The traffic could actually be being sent using carrier pigeons, for all the clients know or care.

Instead of bothering the poor birds, however, the traffic is encrypted and sent to its destination using encrypted UDP-packets sent to the appropriate physical IP addresses.

Last edited by sundialsvcs; 04-09-2018 at 05:18 PM.
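A practical way to confirm what the answer above describes is to classify what tcpdump shows on each interface: on the physical interface the only packets to the VPN server should be the encrypted UDP carrier, LAN traffic stays local, and anything else leaving the physical interface has bypassed tun0 and deserves a look (expected only for destinations the client config deliberately keeps out of the tunnel). The script below is an added example for this thread, not code from either poster. It assumes a server public address of 203.0.113.10 and the OpenVPN default port UDP/1194; the LAN 192.168.2.0/24 and the tun addresses come from the question, and the tcpdump lines are constructed samples in the format `tcpdump -nn` prints.

```python
"""Classify tcpdump -nn output captured while OpenVPN is up.

Added example, not from the original thread. Assumptions (labelled): the
OpenVPN server's public address is 203.0.113.10 and the tunnel uses UDP/1194
(OpenVPN's default port); the LAN is 192.168.2.0/24 as in the question; the
capture lines below are constructed samples.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, as `tcpdump -nn -i enp2s0` would print it: the encrypted
# carrier to the server, one LAN DNS query, and one TCP SYN that went out
# directly instead of through the tunnel.
PHYS_CAPTURE = """\
10:36:01.000100 IP 192.168.2.7.49152 > 203.0.113.10.1194: UDP, length 133
10:36:01.000350 IP 203.0.113.10.1194 > 192.168.2.7.49152: UDP, length 85
10:36:01.200000 IP 192.168.2.7.60230 > 192.168.2.1.53: 41233+ A? example.org. (29)
10:36:01.500000 IP 192.168.2.7.49152 > 203.0.113.10.1194: UDP, length 1420
10:36:02.000000 IP 192.168.2.7.44100 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
"""

# Constructed sample from `tcpdump -nn -i tun0`: the logical view, where the
# client appears with its server-assigned 10.8.0.6 address.
TUN_CAPTURE = """\
10:36:02.000000 IP 10.8.0.6.44100 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
10:36:02.030000 IP 198.51.100.5.443 > 10.8.0.6.44100: Flags [S.], seq 0, ack 2, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (\S+)"
)


def parse_line(line):
    """Return (src, sport, dst, dport, proto) for one IPv4 tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, token = m.groups()
    # The first token after the addresses tells which decoder tcpdump used.
    if token.startswith("UDP"):
        proto = "udp"
    elif token.startswith("Flags"):
        proto = "tcp"
    elif token.startswith("ICMP"):
        proto = "icmp"
    else:
        proto = "other"  # e.g. a decoded DNS query, printed without a "UDP," token
    return (src, int(sport) if sport else None, dst, int(dport) if dport else None, proto)


def classify_physical(line, vpn_server, vpn_port, lan):
    """Label one packet seen on the physical interface.

    vpn-transport  : encrypted OpenVPN carrier to/from the server (the expected traffic)
    lan            : both endpoints on the local subnet (router, DNS on the gateway, ...)
    outside-tunnel : left the host without passing through tun0; check the routes
    """
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    src, sport, dst, dport, proto = parsed
    if proto == "udp" and vpn_server in (src, dst) and vpn_port in (sport, dport):
        return "vpn-transport"
    net = ipaddress.ip_network(lan)
    if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net:
        return "lan"
    return "outside-tunnel"


def summarize_physical(capture, vpn_server="203.0.113.10", vpn_port=1194, lan="192.168.2.0/24"):
    """Count packets per class and return the lines that bypassed the tunnel."""
    counts = Counter()
    bypassed = []
    for line in capture.splitlines():
        label = classify_physical(line, vpn_server, vpn_port, lan)
        counts[label] += 1
        if label == "outside-tunnel":
            bypassed.append(line)
    return dict(counts), bypassed


def tunnel_flows(capture):
    """Logical view: the (src, dst, proto) triples seen inside tun0."""
    flows = set()
    for line in capture.splitlines():
        p = parse_line(line)
        if p:
            flows.add((p[0], p[2], p[4]))
    return sorted(flows)


if __name__ == "__main__":
    counts, bypassed = summarize_physical(PHYS_CAPTURE)
    print("enp2s0:", counts)
    for line in bypassed:
        print("  check route:", line)
    print("tun0 flows:", tunnel_flows(TUN_CAPTURE))
```

Run it against a real capture by piping `tcpdump -nn -i enp2s0 -l` into `summarize_physical` with your own server address and port; a non-empty `bypassed` list is the thing to investigate, not the UDP carrier packets the question asks about.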