TAP devices work fine in either routed or bridged forwarding. Hence, you can use Zeroshell and continue to split your LAN into the subnets you described.
Are you sure? The reason I ask is because of what it says about this in the OpenVPN howto. If you scroll down to the section “Including multiple machines on the client side when using a bridged VPN (dev tap)”, you’ll find this:
This requires a more complex setup (maybe not more complex in practice, but more complicated to explain in detail):
* You must bridge the client TAP interface with the LAN-connected NIC on the client.
* You must manually set the IP/netmask of the TAP interface on the client.
* You must configure client-side machines to use an IP/netmask that is inside of the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side of the VPN.
Note that part that says “You must configure client-side machines to use an IP/netmask that is inside of the bridged subnet”. That seems to suggest that I can’t use TAP without rejigging my subnet addressing. If I’m wrong, could you please point me to some further reading about this? I could not find any documentation on the Zeroshell site about routing in the context of using the TAP device. My apologies if I’m very stupid.