OpenVPN Server with Username/Password Authentication

Here are the answers to your questions:

1a) This is correct, this is probably the main reason why you want to use tunneling.

1b) There is another reason why you want to use tunneling. For example, IPsec doesn’t support multicast. If you want to encrypt multicast traffic with IPsec then you will have to create a GRE tunnel and then encrypt the GRE tunnel with IPsec.

2a) These are virtual interfaces yes but they aren’t really “attached” to the physical interface.

2b) This is correct but we don’t use the word gateway for this. From the router’s perspective, the IP address on the other side of the (GRE) tunnel is a next hop.

2c) That’s right, if you use a GRE interface then you can use it just like any other interface. If you only use IPsec then we don’t use IP addresses on the tunnel interface.

And your other questions:

  1. When you use client software then it will use a virtual interface on the PC. We don’t always have to use tunnel interfaces. You might want to try this example:

https://networklessons.com/security/cisco-ipsec-easy-vpn-configuration/

The physical interface is used to reach the remote VPN server, it’s not like virtual interfaces are attached to it.

  2. The VPN server can “push” routes to your PC. A computer also has a routing table, even though it doesn’t route between interfaces it will use it to select outgoing interfaces.

When you use a remote access VPN then your VPN client will get an IP address from the VPN server, there’s no need for the VPN server to know about the network that your PC is on.

The VPN traffic will be NAT translated just like any other traffic. With IPsec this can cause issues and we use NAT-T for this…that’s another story though 🙂
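To illustrate points 1b, 2b and 2c above (GRE carrying multicast, encrypted by IPsec, with the far-side tunnel address used as a next hop), here is an added Cisco IOS configuration for one side of a GRE-over-IPsec tunnel. It is example configuration written for this explanation, not taken from the original post or from the linked lesson; the public addresses 203.0.113.1/203.0.113.2, the tunnel subnet 10.0.0.0/30, the remote LAN 192.168.2.0/24 and the pre-shared key placeholder are all assumed values.

```cisco
! --- IKE phase 1 policy (assumed parameters; pick what your peer supports) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! REPLACE_WITH_REAL_PSK is a placeholder; the peer address 203.0.113.2 is assumed
crypto isakmp key REPLACE_WITH_REAL_PSK address 203.0.113.2
!
! --- IPsec phase 2: transport mode is enough because GRE already adds the outer IP header ---
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
! --- Multicast routing must be enabled globally before PIM can run on the tunnel ---
ip multicast-routing
!
! --- The GRE tunnel interface: a normal routed interface with its own IP address ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip pim sparse-mode
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 ! encrypt everything that leaves this tunnel with the IPsec profile above
 tunnel protection ipsec profile GRE-PROT
!
! --- The other end of the tunnel (10.0.0.2) is just a next hop, not a "gateway" ---
ip route 192.168.2.0 255.255.255.0 10.0.0.2
```

The mirror configuration on the peer swaps the source/destination and tunnel addresses; `show crypto ipsec sa` and `show ip pim neighbor` confirm that the GRE packets (protocol 47) are being encrypted and that PIM adjacency forms across the tunnel.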