The --ifconfig option, which configures the local and peer IP addresses for a point-to-point tunnel interface, is a mandatory configuration option for OpenVPN. However, what is the purpose of the local and peer IP addresses? The only purpose I can think of is that one can use those IP addresses to route traffic into the tunnel. For example:

ip route add 10.10.3.0/24 via 192.168.1.2 dev tun0

where 192.168.1.2 is the peer IP address. However, for point-to-point links, one should be able to route traffic directly onto the interface, e.g.:

ip route add 10.10.3.0/24 dev tun0

1 Answer
Historically in IPv4, unnumbered interfaces were not possible. The only possible way to configure a point-to-point interface was with a local address and a remote address. The only way to route some other IP address through the point-to-point interface in question was to install a route using the interface's remote address as the gateway (there was no option in the route command or in the kernel to specify the destination by interface name). In those days, you'd see oodles and oodles of precious IP addresses consumed as interface addresses on SLIP connections.
Even now, an IPv4 interface requires at least some kind of address configured on it, if only to serve as the source address for ICMP errors sourced from that interface (and that's how traceroute detects which interface on a router was traversed).
But what you can do now (and couldn't do historically) is make the interface unnumbered. That means giving it the same IP address as some other interface on the system. Usually a stable, always-up interface (such as a loopback interface or the router's "main" interface) serves as the donor for the IP address. As for the remote IP address, you do not have to supply one at all (but see the next paragraph). Without a remote IP address specified, you can use ip route ... dev <interface> instead of ip route ... via <address> to direct traffic into the interface, as you know. All in all, this can lead to a tremendous savings in IP addresses. (As an aside, it's interesting to note that while in UNIX an unnumbered interface is implicit in the fact that the local IP address is not unique, on other operating systems such as Cisco's IOS it's quite explicit: the command is ip unnumbered <donor-interface-name>.)
Notwithstanding this, it appears that in OpenVPN, specifying the remote IP address is not optional. However, what you can do is specify a somewhat arbitrary remote address. For example, if the other end of the tunnel is another router, you can use the remote router's loopback or "main" IP address (basically reflecting an unnumbered configuration at the remote end), thus consuming no IP addresses for the tunnel. If you are willing to make the routing table look a little bit ugly, you can actually use a completely bogus IP address for the ifconfig remote address; everything will work fine and the bogus address will never even appear anywhere (even in traceroutes).

openvpn --ifconfig 1.1.1.1 222.222.222.222 --dev tun

at one tunnel end-point and

openvpn --ifconfig 111.111.111.111 2.2.2.2 --dev tun --remote 146.185.187.48

at the other tunnel end-point, then actually the VPN tunnel is operational. So in a nutshell, in the case of OpenVPN, the tun interface local and peer IP addresses have no purpose? – Martin Apr 25 '15 at 15:05