
I'm pretty much a newbie in VPN networking, so I've got a conceptual question.

My scenario: there's a client that connects to a VPN with a ruleset that tunnels some packets into a remote VPN proxy for analysis and forwarding when the destination is permitted.

This tunnel, in case it uses an encryption-based protocol, will wrap each incoming packet with an additional layer that will be verified on the other side using a certificate (for example).

The tunnel is also represented by a virtual interface; say we'll use utun0.

So my question relates to the case where a TCP/IP session is being established between the client and some remote service. As for the outgoing packets, I can assume that they will be wrapped with the VPN tunnel layer, and then unwrapped by the VPN itself.

But regarding the incoming packets, they will arrive with the VPN layer, so they first need to be verified by the VPN client, and then the inner layer will have to be processed, but that happens on another interface (like the regular en0, which holds the IP of the client).

So first, I'd like to know how the virtual interface utun0 gets its packets. Perhaps it uses a specific port?

And second, when an incoming TCP/IP packet arrives at utun0 and is being deciphered by the tunnel client, does it move on to the regular interface (en0), unwrapped from its VPN layer?

Thanks!

1 Answer


So first, I'd like to know how the virtual interface utun0 gets its packets. Perhaps it uses a specific port?

The VPN client (or server) “owns” the interface. Similar to how a real network interface is backed by hardware and a physical connection, the virtual network interface is backed by software. Anything that enters the interface (outgoing traffic) is passed to the VPN client process. Anything that exits the interface (incoming traffic) comes from the VPN client process.

The specifics change depending on the exact type of virtual interface. With macOS utun, it’s a file descriptor pointing at a socket.

The tunnel connection (IPSec, WireGuard, OpenVPN, …) is a regular network connection the VPN client makes.

And second, when an incoming TCP/IP packet arrives at utun0 and is being deciphered by the tunnel client, does it move on to the regular interface (en0), unwrapped from its VPN layer?

You have it backwards: Incoming tunnel traffic arrives via the regular network interface (e.g. en0). The process that made the connection (VPN client) receives and processes it. After that, it is sent to utun0 where it appears as incoming unencrypted traffic.
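As an added illustration (not part of the answer, and not the code of any real VPN client), here is a Python model of the two paths described above: utun0's receive side is represented by a plain list, the tunnel layer by an HMAC tag standing in for the real protocol's authenticated encryption, and the IPv4 packet and shared key are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed shared key; a real tunnel derives it from its handshake
# (certificate-authenticated for OpenVPN/IPsec, static keys for WireGuard).
TUNNEL_KEY = b"constructed-demo-key"


def ipv4_packet(src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def ipv4_dst(packet):
    """Destination address sits at bytes 16..19 of the IPv4 header."""
    return str(ipaddress.IPv4Address(packet[16:20]))


def wrap(packet):
    """Outgoing path: the kernel routed packet into utun0 and the VPN client read
    it; add the tunnel layer (an HMAC tag standing in for real authenticated
    encryption) and send the result from the client's own socket on en0."""
    return hmac.new(TUNNEL_KEY, packet, hashlib.sha256).digest() + packet


def unwrap(datagram):
    """Incoming path: datagram arrived on en0 at the client's socket. Return the
    inner IP packet, or None when the tunnel layer fails verification."""
    tag, packet = datagram[:32], datagram[32:]
    expected = hmac.new(TUNNEL_KEY, packet, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return packet


def deliver_incoming(datagram, utun0_rx):
    """Process one datagram received on en0: verify it, then write the inner
    packet to utun0 (utun0_rx is a list standing in for the interface's receive
    side), where the kernel sees it as ordinary unencrypted incoming traffic."""
    inner = unwrap(datagram)
    if inner is None:
        return False  # forged or corrupted: dropped, never reaches utun0
    utun0_rx.append(inner)
    return True
```

Note that nothing here ever touches en0 with the unwrapped packet: the plaintext only exists between the VPN client process and utun0, which is the point the answer makes.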

