Fulvio, thank you for your reply.
Let me understand why you would prefer tun instead of tap devices.
I wouldn’t say that I prefer one or the other. I would just like the choice of which one to use. As described in the OpenVPN documentation, in some circumstances, TAP might be better and in others TUN might be better.
You are free to bridge TAP device with other Ethernet interfaces or just assign an IP address and route traffic across them.
The “route traffic across them” idea sounds promising but I’m not quite sure what you mean. Perhaps if I describe my situation a little better, you can tell me if TAP will work without having to make lots of changes to our subnet addressing.
I have a main office with subnet 172.16.1.0/24 and remote offices with subnets 172.16.2.0/24, 172.16.3.0/24 and 172.16.4.0/24. Following the examples in the OpenVPN howto, we have created an “experimental” routed layer 3 VPN with the tun device.
The VPN endpoints used in the “experiment” were a combination of VMs running Ubuntu and WRT54GLs running Tomato. For production, we were hoping to use Alix or Soekris boxes running pfSense, Voyage Linux or perhaps Zeroshell.
Now, as far as I know, if we were forced to use a TAP device on Zeroshell, we would have to make all computers run on the 172.16.1.0/24 subnet or we would have to reduce the number of bits in the subnet mask so that all addresses are on the same subnet (e.g. 172.16.0.0/16). Either way, I think it’s probably a hassle for us to make those changes. Correct me if I am wrong and there is a way of making TAP work with our current subnets.