Should I use tap or tun for openvpn?

vpn openvpn tun tap

What are the differences between using dev tap and dev tun for openvpn? I know the different modes cannot inter-operate. What is the technical differences, other then just layer 2 vs 3 operation. Are there different performance characteristics, or different levels of overhead. Which mode is better. What functionality is exclusively available in each mode.


Solution 1:

if it's ok to create vpn on layer 3 (one more hop between subnets) - go for tun.

if you need to bridge two ethernet segments in two different locations - then use tap. in such setup you can have computers in the same ip subnet (eg 10.0.0.0/24) on both ends of vpn, and they'll be able to 'talk' to each other directly without any changes in their routing tables. vpn will act like ethernet switch. this might sound cool and is useful in some cases but i would advice not to go for it unless you really need it. if you choose such layer 2 bridging setup - there will be a bit of 'garbage' (that is broadcast packets) going across your vpn.

using tap you'll have slightly more overhead - besides ip headers also 38B or more of ethernet headers are going to be sent via the tunnel (depending on the type of your traffic - it'll possibly introduce more fragmentation).

Solution 2:

I chose "tap" when setting up a VPN for a friend who owned a small business because his office uses a tangle of Windows machines, commercial printers, and a Samba file server. Some of them use pure TCP/IP, some seem to only use NetBIOS (and thus need Ethernet broadcast packets) to communicate, and some I'm not even sure of.

If I had chosen "tun", I would probably have faced lots of broken services — lots of things that worked while you are in the office physically, but then would break when you went off-site and your laptop couldn't "see" the devices on the Ethernet subnet anymore.

But by choosing "tap", I tell the VPN to make remote machines feel exactly like they're on the LAN, with broadcast Ethernet packets and raw Ethernet protocols available for communicating with printers and file servers and for powering their Network Neighborhood display. It works great, and I never get reports of things that don't work offsite!

Related

In a PowerShell script, how can I check if I'm running with administrator privileges?
Can Mac OS X be run inside Docker? [closed]
InnoDB: Error: log file ./ib_logfile0 is of different size
How to re-order windows, change the scroll shortcut, and modify the status bar contents in GNU Screen?
How to make Windows 7 USB flash install media from Linux?
How do I reattach to Ubuntu Server's 'do-release-upgrade' process?
How do I update a CentOS server's time from an authoritative time server?
What's the difference between include_tasks and import_tasks?
Nginx: How do I forward an HTTP request to another port?
How to restart nginx?
How can I automatically change directory on ssh login?
How can the little guys effectively learn and use Puppet? [closed]