Remote access operation
OpenVPN also supports remote access VPNs, which use a client-server mode. In this mode, one OpenVPN endpoint acts as the server and all remote endpoints operate as clients. Each client connects to the OpenVPN server to establish a VPN tunnel, so that each connected client has an independent tunnel to the server. The following figure shows a simple remote access VPN setup.
One major difference between site-to-site mode and remote access mode is that in remote access mode, all the VPN tunnels on the server side terminate at a single tunnel interface. A single termination point eliminates the need to set up separate tunnel interface IP addresses for each VPN tunnel. This single termination point is more convenient and operationally simpler for a remote access setup.
Another difference is that in remote access mode, the server-side OpenVPN process dynamically allocates all tunnel IP addresses from a configured subnet (192.168.200.0/24 in the example) instead of using fixed tunnel IP addresses for tunnel endpoints. Thus, when the OpenVPN process starts on the server, it creates the tunnel interface and assigns the interface an IP address from the subnet (for example, 192.168.200.1). Then, when a client establishes a VPN tunnel with the server, the server-side OpenVPN process also allocates the client an IP address from the same subnet (for example, 192.168.200.4), and the tunnel interface on the client adopts this address.