On 16 August 2018 at 08:11, Daniel Lenski <dlenski at gmail.com> wrote: > On Wed, Aug 15, 2018 at 7:31 AM, Jeroen Balduyck > <jeroen.balduyck at gmail.com> wrote: >> Why is the interface address also the gateway? It obviously works but >> it defies (my) common sense. When I do a traceroute the "real" gateway reveals itself: > > You are mixing up two different meanings of "gateway" here. > > What you call the "real gateway" is the external address of the SERVER > that's providing you with access to the VPN. Traffic is going > to-and-from this server over the public Internet as you use the VPN. > > In IP-based routing, the term "gateway" indicates a network-layer > address (IP address) through which traffic needs to be directed to > reach other addresses on the network. > > In order to send traffic to the hosts in the network behind/through > the VPN, they have to be sent through the VPN interface, utun2 in this > example. > If you try to send IP packets to, let's say, 10.23.167.56, but you > don't send them via the utun2 interface, they won't get delivered to > the intended destination. > A client-server VPN connection is effectively a point-to-point > network: each end of the connection can only (directly) address the > peer (client or server) on the other end. > Therefore, it's entirely logical to say that traffic to the default > route (0.0.0.0) needs to be sent via 10.23.167.57, the address of your > VPN tunnel interface. > So it's the gateway. ?\_(?)_/? > > -Dan Hey Daniel, That's not what I meant. Sorry if I caused some confusion. I'm talking solely about the *private* tunnel endpoints. So not the *public* tunnel endpoints. Let's untangle the question a bit. So this is my interface again: utun2: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1340 inet 10.23.167.57 --> 10.23.167.57 netmask 0xffffffff So 10.23.167.57 is my (= on my router) private tunnel (end)point. The "-->" points to the next hop gateway which is ...again the exact same private tunnel endpoint 10.23.167.57. I would have expected the private tunnel endpoint of the *ocserver* side here which cannot be 10.23.167.57 as that is the IP on my router. When I do a traceroute you see the next hop is actually 10.65.0.1: traceroute to google.be (172.217.13.163), 64 hops max, 52 byte packets 1 10.65.0.1 (10.65.0.1) 107.129 ms 109.283 ms 107.764 ms So my question is, why does not "-->" point to 10.65.0.1 as this is obviously the real gateway. Thus like so (*** added by me): utun2: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1340 inet 10.23.167.57 --> ***10.65.0.1*** netmask 0xffffffff I'm sure the ocserver pushes 10.65.0.1 to be used as gw but this is not visible in the routing table nor on the vpn interface.
