The following figure illustrates a simple site-to-site VPN operation. This operation could represent, for example, a connection between a branch office and a data center.
At each of the two VPN tunnel endpoints, the OpenVPN process creates a routable “tunnel interface” and establishes a secure tunnel with the other endpoint. Once the tunnel is up, the two tunnel interfaces appear to be on the same network, although packets flowing between them are actually processed and sent through the secure tunnel by the OpenVPN process.
Note that each endpoint has two relevant IP addresses.
- The tunnel IP address: This address is the virtual IP address (VIP) on each end of the tunnel. The tunnel IP address at each end of the tunnel must be on the same subnet. In the previous figure, the tunnel IP addresses of the two endpoints are 192.168.200.1 and 192.168.200.2.
- The physical IP address: This address is the IP address that is configured for the physical network interface over which the VPN tunnel is established. In the preceding figure, the physical IP addresses of the two endpoints are 184.108.40.206 and 220.127.116.11.
In most operations, the VPN tunnel transports traffic between different private subnets across the wide area network (WAN). In the preceding figure, each of the 192.168.100.0/24 and 192.168.101.0/24 private subnets is “behind” a VPN tunnel endpoint. Therefore, on each endpoint, you must add a static route that directs traffic destined for the remote private subnet through the tunnel interface; the matching route on the other endpoint handles the return direction.
In site-to-site mode, a single host can establish multiple OpenVPN tunnels, each to a different site. Even if all tunnels originate from a single physical interface, each tunnel has its own tunnel interface and tunnel IP address and operates independently.
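As an added example that is not part of the original page, the two endpoint configuration files below implement the topology described above in OpenVPN's TLS point-to-point mode. Assumptions: the endpoint with physical address 184.108.40.206 owns tunnel address 192.168.200.1 and fronts 192.168.100.0/24, the other endpoint owns 192.168.200.2 and fronts 192.168.101.0/24; UDP port 1194 and the certificate file names are placeholders.

```conf
# ---- site-a.conf : endpoint 184.108.40.206, LAN 192.168.100.0/24 (assumed pairing) ----
dev tun                                  # routable tunnel interface
proto udp
port 1194                                # assumed listening port
tls-server                               # this side answers the TLS handshake
ca ca.crt                                # assumed PKI file names
cert site-a.crt
key site-a.key
dh dh.pem
remote-cert-tls client                   # peer certificate must carry the client EKU
ifconfig 192.168.200.1 192.168.200.2     # local tunnel VIP, remote tunnel VIP (same subnet)
route 192.168.101.0 255.255.255.0        # static route to the remote subnet, installed via the tunnel
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- site-b.conf : endpoint 220.127.116.11, LAN 192.168.101.0/24 (assumed pairing) ----
dev tun
proto udp
remote 184.108.40.206 1194               # physical address of the peer
tls-client
ca ca.crt
cert site-b.crt
key site-b.key
remote-cert-tls server                   # peer certificate must carry the server EKU
ifconfig 192.168.200.2 192.168.200.1     # mirror image of site A
route 192.168.100.0 255.255.255.0        # return path for the other private subnet
keepalive 10 60
persist-key
persist-tun
verb 3
```

The `route` directive adds the static route through the tunnel interface when the tunnel comes up; each endpoint must also have IP forwarding enabled, and LAN hosts must send traffic for the remote subnet to their local endpoint, or no LAN traffic reaches the tunnel.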