Question about Virtual Address



  • Hi all,

I have a stupid question that I haven't been able to find the answer to anywhere!
    So why do we have a virtual address in the OpenVPN client? What is the use for that?
    I mean, in my mind, we just connect to the VPN server and all the traffic is passed from the server to our ISP IP, right? So why do we need a virtual IP?

    apologies if this is so basic!

    Thanks


  • Netgate

    Because it is still routed. The server and client addresses are used as the next-hop addresses for the VPN traffic.



  • Every network interface has to have an IP address for sending and receiving traffic under TCP/IP, because otherwise the source address (the address the destination sends its replies back to) of the IP packets can't be determined. The IP addresses used on network interfaces on a single system must be unique, because otherwise routing would be ambiguous. From all of this it follows that if you want to have a VPN connection like OpenVPN, the VPN connection (the virtual network interface used) must use a unique IP address for operation; the virtual IP addresses assigned by OpenVPN are exactly that.



  • @kpa said in Question about Virtual Address:

    Every network interface has to have an IP address for sending and receiving traffic under TCP/IP, because otherwise the source address (the address the destination sends its replies back to) of the IP packets can't be determined. The IP addresses used on network interfaces on a single system must be unique, because otherwise routing would be ambiguous. From all of this it follows that if you want to have a VPN connection like OpenVPN, the VPN connection (the virtual network interface used) must use a unique IP address for operation; the virtual IP addresses assigned by OpenVPN are exactly that.

    Not quite. Point to point links do not need an address. Routing tables end up with the exit interface and that's all that's needed for P-P. Also, on IPv6, link local addresses are generally used for routing and only have to be unique on the link. It's entirely permissible to have multiple instances of a link local address on a system, provided they're unique on the link. This is because with link local addresses, the interface ID is always required.



  • OK, then I will re-phrase. Every interface used for sending and receiving TCP/IP traffic through a bound socket must have an IP address. Routing is a special case because there is always a logical "other end of the pipe" (with the exception of a default gateway in a broadcast network with multiple hosts).



  • But why do we need a virtual IP? Why not just use the public IP assigned by the ISP?

    So If I understood correctly the connection is:
    pfSense Gateway (IP assigned by ISP) => Virtual IP => VPN Server => Internet

    If this is the case, then where is this virtual IP? If it is created by the OpenVPN client, what is the advantage of using this made-up IP over the actual IP?
    Is this just for privacy, so the VPN server doesn't get the actual IP information? The virtual IP is in a private IP range (10.0.0.0); how is that allowed to work with the internet?

    Also, as a side question, is there any way that I can check if my data is 100% encrypted on the WAN side of pfSense? Just to confirm the VPN is encrypting the outgoing data correctly. Or should I just be sure that it is being encrypted?

    Thanks for the information!


  • Netgate

    Because you are routing over the tunnel, not the Internet / WAN port.

    The computer connected to the VPN is not the firewall which actually holds the WAN address, it is a different host connected to that firewall.

    May I ask why you are sweating this? Maybe that will help get you an answer. It's very normal - I would say expected - to assign VPN clients a tunnel address.



  • You can't use IP addresses assigned by your ISP for your VPN because you don't "own" those addresses (well, unless you have a proper routed subnet that you pay for, but that's a different case). Also, you'd run into all kinds of routing problems if the connections routed over the VPN were actually sourced from the WAN or LAN interfaces that hold a public routable IP address.



  • @sasansgh said in Question about Virtual Address:

    But why do we need a virtual IP? Why not just use the public IP assigned by the ISP?

    When a computer on your network has a packet to send to the device at the other end of a VPN, it will send it to the router (pfSense), which will in turn forward it to the destination via the appropriate route. If you use the public IP, the router will send it out the WAN port, instead of the VPN. By providing addresses for both ends of the VPN, the router can determine the packet has to travel via the VPN and use the tunnel addresses to do that.
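To make concrete what the replies above mean by "routed over the tunnel" with the tunnel addresses as next hops, here is an added example that is not part of the thread and not code from pfSense or OpenVPN. It builds a small longest-prefix-match forwarding table the way a pfSense box running an OpenVPN client ends up with one: a default route out the WAN, a connected LAN, the tunnel network with its peer address, a host route for the VPN server so the encrypted packets themselves still leave via the ISP gateway, and the two /1 routes that OpenVPN's `redirect-gateway def1` installs to override the default route without deleting it. All addresses (RFC 5737 documentation ranges, a 10.8.0.0/24 tunnel) and the interface names em0, em1 and ovpnc1 are constructed assumptions.

```python
"""Longest-prefix-match routing over a constructed pfSense-style table.

Added example, not code from the thread, pfSense or OpenVPN. All addresses
are constructed (RFC 5737 documentation ranges, 10.8.0.0/24 tunnel) and the
interface names em0 / em1 / ovpnc1 are assumed.
"""
import ipaddress


class RoutingTable:
    """Minimal IPv4 forwarding table; each entry is (prefix, next_hop, iface).

    next_hop is None for a destination reachable directly on the link: a
    connected LAN subnet, or a point-to-point tunnel where the exit interface
    alone is enough (the point made above about P-P links).
    """

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))

    def lookup(self, dst):
        """Return (iface, next_hop, prefix) of the most specific matching route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        if best is None:
            raise LookupError(f"no route to {dst}")
        net, nh, iface = best
        return iface, nh, str(net)


def build_table(vpn_connected=True):
    """Constructed table: WAN em0 203.0.113.20/24 (ISP gw 203.0.113.1), LAN em1."""
    rt = RoutingTable()
    rt.add("203.0.113.0/24", None, "em0")            # WAN subnet, connected
    rt.add("0.0.0.0/0", "203.0.113.1", "em0")        # default via ISP gateway
    rt.add("192.168.1.0/24", None, "em1")            # LAN, connected
    if vpn_connected:
        # OpenVPN client tunnel: our side 10.8.0.2, server side 10.8.0.1 on ovpnc1.
        rt.add("10.8.0.0/24", None, "ovpnc1")
        # Host route: the encrypted UDP to the VPN server (198.51.100.10) must
        # still leave via the WAN, otherwise the tunnel would try to carry
        # its own packets and loop.
        rt.add("198.51.100.10/32", "203.0.113.1", "em0")
        # redirect-gateway def1: two /1 routes beat the /0 default, with the
        # tunnel peer address as next hop, so all other traffic enters the tunnel.
        rt.add("0.0.0.0/1", "10.8.0.1", "ovpnc1")
        rt.add("128.0.0.0/1", "10.8.0.1", "ovpnc1")
    return rt


if __name__ == "__main__":
    rt = build_table()
    for dst in ("8.8.8.8", "150.0.0.1", "198.51.100.10", "192.168.1.50"):
        print(dst, "->", rt.lookup(dst))
    print("8.8.8.8 without VPN ->", build_table(vpn_connected=False).lookup("8.8.8.8"))
```

Running it shows that ordinary Internet destinations resolve to ovpnc1 with the tunnel peer 10.8.0.1 as next hop, the VPN server itself still resolves to em0 via the ISP gateway, and LAN hosts stay on em1; without the tunnel routes the same destination falls back to the WAN default route. That is the whole reason for the virtual address: the router needs something to put in the next-hop column for the tunnel side.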