Reply To: LAN-to-LAN (site-to-site) VPN with tun device




I’ve done some reading on the Zeroshell site about the advantages of a layer 2 bridged VPN using the TAP device. I won’t repeat those advantages here but I will point the interested reader to the following pages:

On the other hand, there are also advantages to using a layer 3 routed VPN using the TUN device. Here’s a quote from the OpenVPN HOWTO:

Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.

I would recommend using routing unless you need a specific feature which requires bridging, such as:

* the VPN needs to be able to handle non-IP protocols such as IPX,
* you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
* you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.

I don’t want to get into a religious debate about which device is better, TUN or TAP. My point is that since OpenVPN gives us the choice, Zeroshell should give us the same choice instead of restricting us to using only TAP for LAN-to-LAN VPNs. After all, this is why we all love free and open source software: it gives us choices that proprietary software takes away from us.

For my own situation, we currently have a routed LAN-to-LAN VPN using proprietary VPN devices. I want to switch to Zeroshell. I really do. However, the switch is not so easy because Zeroshell does not appear to support routed LAN-to-LAN VPNs. Please correct me if I am wrong about this.

I’ll put my money where my mouth is. If Zeroshell makes a commitment to support routed LAN-to-LAN VPNs with a TUN device, I’ll gladly make some PayPal donations (although I’d rather buy some Zeroshell T-shirts, hehe).

Anyway, I don’t want to anger Fulvio, I just want to raise a healthy debate. I think Zeroshell is well on the way to being a fantastic product! Keep up the good work, Fulvio. 😀