Understanding the concepts used
In order to troubleshoot problems with VPN connections effectively, it helps to know some of the basic concepts behind networking. Although we assume that people who install our product already have a background in computer technology and networking, nobody can be expected to know everything. Without requiring you to spend hours learning all the concepts, we explain some of them here in a simplified manner to help you understand how some of the technical terms apply and what they mean on a basic level.
IPv4 and IPv6 addressing, and private networks
We’re oversimplifying here, but basically every computer connected directly to the Internet has a unique ‘phone number’. Except that the phone numbers used on the Internet are called IP addresses and look a little different from phone numbers. A valid IP address, for example, is 18.104.22.168. It’s always 4 numbers separated by 3 dots, and each number can range from 0 to 255. Each IP address must be unique: you can’t have 2 identical IP addresses on the Internet or it won’t know who to contact. With 256 to the fourth power you get an amazing 4294967296 possible IP addresses. That’s a lot, but we also have a lot of devices on the Internet; so many, in fact, that we’re starting to run out. This method of making and using IP addresses is called IPv4. OpenVPN Access Server focuses on the use of IPv4 because it’s simpler to grasp and work with, and it offers enough possibilities.
Because we’re running out of addresses on the Internet, a new method has been created that uses more characters to make up an IP address and also allows some letters instead of only numbers. An IPv6 address looks like 2001:0db8:85a3:0000:0000:8a2e:0370:7334, for example. With this there are a whole lot more possible addresses, so we won’t be running out anytime soon. Currently the Internet is a mix of IPv4 and IPv6. IPv4 is what Access Server mainly uses and what it requires to run, but IPv6 traffic inside the OpenVPN tunnel itself is also supported in a limited fashion in Access Server.
NAT is an interesting solution for getting Internet access and, at the same time, firewall protection on an internal network using only one Internet IP. Pretty much all networks you encounter at home or at work are private networks. They’re private because you can only contact computers in this network when you are connected to this network directly; they are not reachable from the Internet directly. With NAT there’s a single router device at the head of the network that has one public Internet IP and is connected directly to the Internet. On one side it manages your private network, and on the other side there’s the Internet. It uses Network Address Translation, or NAT, to translate traffic from one network to the other. Usually it allows requests from the private network to the Internet without any problems, and replies coming back in response to those requests are allowed through just fine, but requests coming in from the Internet trying to reach devices on your private network are blocked. That is the firewall function of NAT, in simple terms.
If you run a server like OpenVPN Access Server in your company’s private network, you can open up specific port numbers on the router’s Internet side and have them forwarded to the private IP address of the OpenVPN Access Server. The default ports are TCP 443, TCP 943, and UDP 1194. Using this method you can make the OpenVPN Access Server reachable from the Internet, so that you can sit at home, connect to your Access Server, and through the established VPN tunnel access files and programs in the company’s private network.
NAT, bridging, and routing: what are the differences?
NAT is used in Internet gateway routers, but also internally in the OpenVPN Access Server, to make access to resources easier for OpenVPN clients. A private network is a closed system, optionally with a default gateway (a router with Internet access) present in the network to reach Internet resources. Traffic between computers within the private network itself is easy and doesn’t require any other parties: it simply goes from one computer to the other over the cables in the building. But any traffic to networks outside of this private network is sent to the default gateway, because the private network doesn’t know how to deal with this unknown traffic; it doesn’t know where the destination is. This becomes a problem when the OpenVPN Access Server has a VPN client network, whose addresses must by necessity be different from the private network it wants to give OpenVPN clients access to, and the traffic from the OpenVPN clients is sent directly onto the private network. The computers there don’t know how to respond, since they don’t know where this other VPN network is, and they send their replies to the default gateway hoping it will know where to send the traffic. If that default gateway doesn’t know the OpenVPN client subnet either, and doesn’t have a static route set up that tells it which system does know how to deal with the traffic (the Access Server itself), then the traffic may simply get lost there or at the Internet provider. This is where NAT in the Access Server comes in: it makes traffic coming from VPN clients look like it is coming from the private IP address of the Access Server itself in the private network. The traffic is then simple local traffic again and the default gateway doesn’t need to get involved. The Access Server automatically translates the responses it receives back to the original OpenVPN client that made the request.
Routing is the logic used to send traffic from one system to another. For example, when you open the Google homepage, there is a routing rule in your computer that says that requests for anything outside of your own private network should be sent to the default gateway in your network. Unless you work for Google and have insider access, your computer will normally send the request to your default gateway router device, which has access to the Internet via your Internet service provider. It sends the request on to your Internet service provider, which then figures out the next step in the path between your computer and Google’s web servers. Eventually, after a number of hops from one router to another, Google’s web server is reached and sends a reply, which goes back to your computer along the same path. All of this is done using routing, and in your own gateway router device some NAT is involved as well. Routing is basically the traffic signs of the roads on the Internet, telling the packets of information which way to go. OpenVPN Access Server can instruct connected OpenVPN clients to send traffic intended for specific IP addresses through the VPN tunnel to reach otherwise unreachable systems.
Bridging is where networks get connected seamlessly. Imagine 5 computers connected to each other using a network switch. Now introduce another network of 100 computers connected to each other using another network switch. These two networks cannot reach each other, because they are on physically separate networks. If you take a cable and connect the one switch to the other, you form one big network with 105 computers in it. Now they can communicate. You have bridged the two networks together, to put it simply.
The disadvantage of bridging is that if both separate networks had their own services for assigning IP addresses, their own Internet gateways and DHCP servers, tying the two networks together by bridging them would mean chaos for the systems. Which Internet gateway should they now use? And each of the two Internet gateway router devices would try to force its DHCP server on the network. DHCP is a system that automatically assigns a computer an IP address in the private network. With 2 DHCP servers doing the same task but not being aware of each other, they could assign the same IP address to two different computers, which would block one or both of them from functioning properly. This is one of the reasons we do not recommend using OpenVPN to bridge networks.
Instead, OpenVPN Access Server uses routing mode, which connects devices to networks in a sane manner: it keeps them in separate subnets that, thanks to the routing tables, know how to reach certain systems.
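The reply-path problem described above, traced with a small longest-prefix-match route lookup. This is an added example, not Access Server code; the LAN (192.168.70.0/24), its gateway (192.168.70.1), the Access Server LAN address (192.168.70.10), the VPN client pool (172.27.224.0/20) and the ISP uplink (198.51.100.1) are constructed values.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed topology (not from the page): LAN 192.168.70.0/24, default
# gateway 192.168.70.1, Access Server at 192.168.70.10. The VPN client pool
# 172.27.224.0/20 and the ISP uplink 198.51.100.1 are assumptions as well.
ACCESS_SERVER_LAN_IP = IPv4Address("192.168.70.10")
VPN_CLIENT_SUBNET = IPv4Network("172.27.224.0/20")

# A route is (destination network, next hop); None means "on-link", i.e.
# the destination is reached directly over the local wire.
LAN_HOST_ROUTES = [
    (IPv4Network("192.168.70.0/24"), None),
    (IPv4Network("0.0.0.0/0"), IPv4Address("192.168.70.1")),  # default route
]
GATEWAY_NO_ROUTE = [(IPv4Network("0.0.0.0/0"), IPv4Address("198.51.100.1"))]
GATEWAY_WITH_ROUTE = GATEWAY_NO_ROUTE + [(VPN_CLIENT_SUBNET, ACCESS_SERVER_LAN_IP)]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = IPv4Address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None  # no route at all: the packet is dropped
    net, hop = max(matches, key=lambda r: r[0].prefixlen)
    return "on-link" if hop is None else hop


def reply_path(client_src, gateway_routes, nat=False):
    """Trace where a LAN host's reply to a VPN client ends up.

    Without NAT the reply is addressed to the VPN client's own address; with
    NAT the Access Server rewrote the request's source to its LAN IP, so the
    reply is addressed to the Access Server and never leaves the LAN.
    """
    reply_dst = ACCESS_SERVER_LAN_IP if nat else IPv4Address(client_src)
    if lookup(LAN_HOST_ROUTES, reply_dst) == "on-link":
        return "delivered locally"
    # The LAN host handed the reply to the default gateway. Only a static
    # route pointing the VPN subnet at the Access Server brings it back.
    if lookup(gateway_routes, reply_dst) == ACCESS_SERVER_LAN_IP:
        return "via static route"
    return "lost at gateway"


if __name__ == "__main__":
    client = "172.27.224.5"  # constructed VPN client address
    print(reply_path(client, GATEWAY_NO_ROUTE))            # lost at gateway
    print(reply_path(client, GATEWAY_WITH_ROUTE))          # via static route
    print(reply_path(client, GATEWAY_NO_ROUTE, nat=True))  # delivered locally
```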
CIDR and subnet masks
These are two methods of notation for IP routes. When working with a routing table, which is basically a list of IP addresses and where to send traffic for them, it’s rather impractical to have to name every single IP address individually. So instead we use subnet ranges. A subnet can be, for example, 192.168.70.0/24. That is CIDR notation and means: all addresses starting at 192.168.70.0 and ending with 192.168.70.255. So an address like 192.168.70.222 or 192.168.70.4 would fall within that subnet. The equivalent of this range written with a subnet mask instead would look like 192.168.70.0 255.255.255.0. The way of writing it down is different, but it means the same thing: the same range from 192.168.70.0 all the way to 192.168.70.255. There are large subnets and small subnets, and the larger a subnet is, the lower the CIDR number or mask is. And the other way around: the smaller a subnet is, the more specific it is, and the higher the CIDR number or subnet mask is. There is a mathematical logic behind calculating the subnet mask or CIDR number, but for ease of use we recommend using the cheat sheet below if you need to convert one to the other.
Cheat sheet for CIDR notation and subnet masks
| CIDR | Hosts | Netmask | Amount of a Class C |
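The arithmetic behind the cheat sheet, as an added example that is not part of the original page: a CIDR prefix is the number of leading 1 bits in the 32-bit subnet mask, and every row of the sheet follows from that. It assumes the Hosts column counts usable hosts (network and broadcast address excluded).

```python
# Added example: the arithmetic behind the cheat sheet. A CIDR prefix is the
# number of leading 1 bits in the 32-bit subnet mask; everything else follows.

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(dotted):
    """'192.168.70.0' -> 32-bit integer, validating the four octets."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted quad: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def prefix_mask_int(prefix):
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the rest cleared."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def prefix_to_mask(prefix):
    """/24 -> '255.255.255.0'."""
    mask = prefix_mask_int(prefix)
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24; rejects masks whose 1 bits are not contiguous."""
    value = dotted_to_int(mask)
    prefix = bin(value).count("1")
    if value != prefix_mask_int(prefix):
        raise ValueError("mask bits are not contiguous: %s" % mask)
    return prefix


def usable_hosts(prefix):
    """Addresses in the block minus the network and broadcast address."""
    total = 2 ** (32 - prefix)
    return total - 2 if prefix <= 30 else total  # /31 and /32 have no such pair


def in_subnet(address, cidr):
    """192.168.70.222 is in 192.168.70.0/24 because the masked bits agree."""
    network, prefix = cidr.split("/")
    mask = prefix_mask_int(int(prefix))
    return dotted_to_int(address) & mask == dotted_to_int(network) & mask


def cheat_sheet_row(prefix):
    """One row: (CIDR, usable hosts, netmask, how many /24 Class C blocks)."""
    return ("/%d" % prefix, usable_hosts(prefix), prefix_to_mask(prefix), 2 ** (24 - prefix))
```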
OSI Layer 2 (bridging) and Layer 3 (routing)
If you’ve never heard of the conceptual OSI layer model, which represents computer network technology from hardware to software, then it’s understandable that when people refer to layer numbers it’s hard to understand what they mean. We’re not going to turn this page into an in-depth technical explanation of all of the concepts involved, but just give you a very basic understanding. If you want to learn about the whole OSI layer model, check the Wikipedia page instead. The three layers that are most relevant here are the following.
Layer 1 is the lowest layer and represents the cables, network cards, and network switches. It is called the physical layer for obvious reasons: this is basically the network equipment itself.
Layer 2 is low level code that controls the flow of traffic between devices. It has some traffic control, and frames of information travelling on this layer can be of pretty much any protocol type.
Layer 3 is where protocols like TCP and UDP do their work. These protocols make packets of data that have a source and destination address so that routers can determine where to send them.
OpenVPN by default operates in layer 3 mode (also called tun or routing mode), where it can take, for example, TCP and UDP packets and transfer them through the VPN tunnel to a target location. For example, you can configure the OpenVPN Access Server to send traffic from an OpenVPN client with a destination on the public Internet through the OpenVPN tunnel. This works by manipulating the routing table in the operating system to send traffic through the OpenVPN virtual network adapter instead. With the routing table it’s possible to specify a single IP address to go through the VPN tunnel, or whole ranges of addresses. The advantage of this is that you can specify which IP addresses you do want to have sent through the VPN tunnel, and which IP addresses you do not. To extremely oversimplify it, think of an OpenVPN Access Server configured in layer 3 routing mode as a network router with good access control on an IP routing basis, into which you can ‘plug’ your OpenVPN clients. Each ‘port’ on the router has different access rules. Think of the OpenVPN tunnels connecting the clients to the Access Server as ‘virtual network cables’. The Access Server then allows access to certain IP addresses or not.
OpenVPN can also operate in layer 2 mode (also called tap or bridging mode). But in this mode, every bit of broadcast traffic on the network also gets sent through all the VPN tunnels. And things like DHCP requests also get sent through the VPN tunnel, so if you connect 2 separate networks together with OpenVPN you may end up with a unified network that has 2 DHCP servers which can be confusing and problematic – you may then need to shut down one to have the other work. Basically, unwanted traffic can also pass through, and there is no control over which IP addresses do or do not go through the VPN tunnel. To extremely oversimplify it, think of an OpenVPN server configured with layer 2 bridging mode as a standard network hub or switch with no access control options. Think of the OpenVPN tunnels connecting the clients to the Access Server as ‘virtual network cables’. And any client connected to the Access Server then has access to the entire network that the Access Server is a part of, as if the VPN clients were plugged into the network directly. Sounds good and simple, but in reality it can be very bad security-wise and can cause reliability problems.