OpenVPN server static IP
-
So I tried the TAP mode and now works great on my laptop. My phone is another issue. The OPENvpn IOS app will not accept TAP mode. TUN mode only. So I made two OPENvpns servers. One TUN for my phone and TAP for my laptop. Was really hoping to get both on TAP mode. So all in all, a success! Thanks for the help! Just a side note. I seem to be bottle necked with downloading or uploading. Bounces around 2 to 5 MB/s. I am on a gigabit network and my pfsense router cpu bearly cracks 2% load. Any way to speed up the VPN?
-
Try with these options
fast-io sndbuf 524288 rcvbuf 524288-Rico
-
To the server or the client config file?
-
Both sides.
-Rico
-
Thanks for the tip but no improvement. I would have to run it again without the mod but I think it might have gotten worst.
-
Well going to try something. Ill report back later.
-
Maybe you need to play around a bit with those parameters.
Check https://forum.netgate.com/topic/115495/openvpn-fast-io-and-sndbuf-rcvbuf-options-in-the-gui and https://redmine.pfsense.org/issues/7507-Rico
-
@rico said in OpenVPN server static IP:
You should stay in standard tun mode, only switch to tap if you really need to.
-Rico
He said "I see that but my goal is to be on the same subnet as the lan side. Is there a way?". The only way that's going to happen is with TAP. Tun requires a separate subnet.
Here's some info on what he wants to do:
-
I know what he asked and what a bridge is.
99% of people asking for this do not really need to carry layer 2 over VPN and just want to have the same subnet for some kind of cosmetic reason.
For most scenarios to cover layer 3 is just fine, in OpenVPN it is widely supported, more stable, less overhead.
If you really need to transfer layer 2 stuff...sure go for tap mode, but you need to live with the donwsides then.-Rico
-
Wanted to give an update. TAP VPN has been working great! Everything works and the speed issue was my connection where I was. Thank you for everyones help!! PFsense is awesome!!
-
By the way... What is the con of doing TAP vs TUN VPN?
-
TAP benefits:
- behaves like a real network adapter (except it is a virtual network adapter)
- can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)
- Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
- Can be used in bridges
TAP drawbacks
- causes much more broadcast overhead on the VPN tunnel
- adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
- scales poorly
- can not be used with Android or iOS devices
TUN benefits:
- A lower traffic overhead, transports only traffic which is destined for the VPN client
- Transports only layer 3 IP packets
TUN drawbacks:
- Broadcast traffic is not normally transported
- Can only transport IPv4 (OpenVPN 2.3 adds IPv6)
- Cannot be used in bridges
-Rico
-
Awesome write up! Do you know or heard when the IOS app will be possibly updated to work on TAP? I have some programs I have written but being on TUN VPN break certain features.
-
"The iOS VPN API supports only tun-style tunnels at the moment. This is a limitation of the iOS platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported."
(https://openvpn.net/faq/why-doesnt-the-app-support-tap-style-tunnels/)-Rico
-
Oh I am aware. What I am asking is if you heard about any development on adding TAP to IOS?
-
As long as Apple does not open their API for TAP there will never be any support for it.
ATM it would only be possible in jailbreak mode.-Rico
-
I appreciate your input but not sure if thats the real reason. I know it can be done on the IOS platform becuase at work we have cisco anyconnect and sonic wall VPNs that do it just fine. So maybe in the future it will be added. Other wise, I am happy with PFsense and the community!
