Trying to understand how OVPN client works

New OpenWRT user here. I've got a RPI3 that I'm setting up as a travel router. I've got my VPN provider set up on it as a OVPN client.

Everything works. That's not what I'm trying to figure out. It worked right away. My issue is that all the tutorials say something along the lines of:
1 - install OVPN (ok I understand)
2 - Create interface TUN0 - Ok, I still follow
3 - upload your ovpn config file - gotcha
4 - configure firewall - starting understand how all that works

But, I don't see how the heck it manages to link TUN0 to my OVPN configuration. What is going on here? Like I said, it works fine but I don't see why it works!

In your OpenVPN config file, there is almost certainly directive that will say something like

device tun


device tun0

(if it's just tun, the system will make it tun0 (as in the first instance of tun, zero referenced). By linking tun0 to your firewall (option device 'tun0' in the firewall zone), or by creating a network with tun0 (and unamanaged protocol) and then linking that network into the covered networks in the firewall zone, that informs the firewall how to handle and route the tun0 device.

Now, what is tun0? This is simply short for tunnel... all of the traffic that flows between your endpoint and your VPN provider traverses the internet via this tunnel. The tunnel is encrypted and provides a private channel for your data to flow between the two endpoints securely.

Does that answer your questions?


Sorry for leaving you hanging. Yes, this answers my question. I didn't realize that it was automatically detecting the TUN0 devices and associating it. Good to know.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Actually the OpenVPN program at runtime (once it has successfully connected to its server) entirely handles creating the tun0 device and assigning it an IP. In recent versions of OpenWrt you can use list device lines in the firewall config to assign the tun0 device (once it exists) to a firewall zone. There is no longer a need to create a stub VPN network in /etc/config/network. The only reason for that before was to associate a network interface name with the device.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.