Skip to content

OpenVPN – How to configure the Tunnel


These references are taken from the excellent book “Beginning OpenVPN”, (Feilner and Graf), packt publishing.

Each tunnel has 4 IP’s.  2 IP’s are real, the other 2 are virtual.

We configure the tunnel as a mirror image.  When we troubleshoot VPN, we always start from the inner tunnel and work our way out.

VPN - work from the central tunnel out

The Four IP’s needed are:

vpn - 4 IP's needed for each tunnel

Full credit to Feilner and Graf for their OpenVPN books.

  • 1. The IP of your laptop or computer (real)
  • 2. IP of the virtual tunnel (virtual for local side).
  • 3. IP of the virtual tunnel (virtual for remote side).
  • 4. IP of the Device at the other end of the tunnel (real).

MTU – Maximum Transmission Unit

All of the Four VPN MTU’s configurations have to match, or we may get unexpected and weird errors.

The standard MTU is 1500 bytes.  It’s like the maximum weight of a suitcase on an airline – go over the weight-limit and the suitcase may be discarded.

If the sending device accepts suitcases of 1532, then it will happily accept a suitcase of 1500.

However the receiving baggage handler, will not accept a  suitcase of 1532 bytes, where the limit is 1500 bytes – it will be discarded – which is pretty frustrating – as you’ve now lost all your data.

The client will notice this when they attempt to download a large file.   The client will connect, and will function normally.. until they attempt a large download, as packets below the 1500 packet size will be transmitted without any problems.

Ethernet MTU

For Ethernet with 1,500 bytes

We subtract the Ethernet header –  28 bytes

To get 1472 bytes.

The encryption algorithm will add extra overhead, and we may find that we need to set a data payload size as low as 1,300 bytes in order to avoid fragmentation (or packets over 1,500 bytes).

Cipher Keys

OpenVPN inserts SSL/TLS keys into the message to ensure that it hasn’t been changed in transit – this is called the HMAC.

As the packet thresholds are different, the HMAC’s will be wrong – causing Cipher errors.

vpn stop hmac attack

The tunnel will believe the messages are being tampered with in transit.

This is just a basic draft explanation, of how tight security is with OpenVPN, and how much respect VPNBook need for setting up a free service.

They route your connections to Romania, whose courts have just struck down the EU’s Data Retention rules, as a “breach of privacy”.  So all this routing, gives you privacy that you could not attain elsewhere in Europe, and shows advanced knowledge of privacy and Data Retention issues.

From → Uncategorized, VPN, VPN

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: