OpenVPN – How to configure the Tunnel
These references are taken from the excellent book “Beginning OpenVPN”, (Feilner and Graf), packt publishing.
Each tunnel has four IPs: two are real, the other two are virtual.
We configure the tunnel as a mirror image. When we troubleshoot a VPN, we always start from the inner tunnel and work our way out.
The four IPs needed are (full credit to Feilner and Graf for their OpenVPN books):
1. The IP of your laptop or computer (real).
2. The IP of the virtual tunnel (virtual, local side).
3. The IP of the virtual tunnel (virtual, remote side).
4. The IP of the device at the other end of the tunnel (real).
MTU – Maximum Transmission Unit
All four VPN MTU configurations have to match, or we may get unexpected and hard-to-diagnose errors.
The standard MTU is 1500 bytes. It is like the maximum weight of a suitcase on an airline: go over the weight limit and the suitcase may be discarded.
If the sending device accepts suitcases of 1532, then it will happily accept a suitcase of 1500.
However, the receiving baggage handler will not accept a suitcase of 1532 bytes where the limit is 1500 bytes. It will be discarded, which is pretty frustrating, as you have now lost all your data.
The client will notice this when they attempt to download a large file. The client will connect and function normally until they attempt a large download, because packets below the 1500-byte packet size are transmitted without any problems.
For Ethernet with 1,500 bytes, we subtract the Ethernet header (28 bytes) to get 1472 bytes.
The encryption algorithm will add extra overhead, and we may find that we need to set a data payload size as low as 1,300 bytes in order to avoid fragmentation (or packets over 1,500 bytes).
OpenVPN inserts SSL/TLS keys into the message to ensure that it has not been changed in transit; this is called the HMAC.
As the packet thresholds are different, the HMACs will be wrong, causing cipher errors: the tunnel will believe the messages are being tampered with in transit.
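As an added example (not from the book or the original post), here is what the mirror-image, point-to-point pair of configurations looks like with the four IPs labelled and the MTU settings kept identical on both sides; the two real addresses are assumed documentation addresses and the virtual ones are assumed private addresses.

```conf
# ---- side A (laptop, assumed real IP 203.0.113.10) ----
dev tun
proto udp
port 1194
local 203.0.113.10            # 1. real IP of this host
remote 198.51.100.20 1194     # 4. real IP of the device at the other end
ifconfig 10.8.0.1 10.8.0.2    # 2. local virtual IP, 3. remote virtual IP
secret static.key             # pre-shared key used for the HMAC (and encryption)
cipher AES-256-CBC            # static-key mode needs a non-AEAD cipher
auth SHA256                   # HMAC algorithm; must be the same on both sides
tun-mtu 1500                  # MTU settings must match on both ends
fragment 1300                 # internal fragmentation above 1300 bytes of payload
mssfix 1300                   # clamp TCP MSS so large downloads do not exceed the MTU
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- side B (remote device, assumed real IP 198.51.100.20) ----
dev tun
proto udp
port 1194
local 198.51.100.20           # 1. real IP of this host (side B's view)
remote 203.0.113.10 1194      # 4. real IP of the laptop
ifconfig 10.8.0.2 10.8.0.1    # virtual IPs swapped: mirror image of side A
secret static.key             # same key file as side A
cipher AES-256-CBC
auth SHA256
tun-mtu 1500                  # identical MTU, fragment and mssfix values as side A
fragment 1300
mssfix 1300
keepalive 10 60
persist-key
persist-tun
verb 3
```

If only one side carries `fragment`/`mssfix`, or the `auth`/`cipher` lines differ, the symptom is exactly the one described above: the tunnel comes up, small packets flow, and large transfers stall or log HMAC/cipher failures.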
This is just a basic draft explanation of how tight security is with OpenVPN, and of how much respect VPNBook deserves for setting up a free service.
They route your connections to Romania, whose courts have just struck down the EU's Data Retention rules as a "breach of privacy". So all this routing gives you privacy that you could not attain elsewhere in Europe, and shows advanced knowledge of privacy and Data Retention issues.