TUN vs. TAP



  • I managed to set up a site-to-site/internet setup with the tun interface, i.e. one site's public IP addresses are routed via OpenVPN to a remote location that's the routing endpoint for that class-C net.

    While I managed to get a few (hacks?) done, such as OpenVPN traffic graphs on the dashboard, by assigning, activating, but not configuring the ovpnc1 interface, I still seem to have no control over routing.
    The site's remote network is 0.0.0.0/0 (the entire internet), which is fine since I normally want to route all LAN traffic that way, but it also routes the (ISP DHCP assigned) WAN address that way, i.e. the moment OpenVPN is up, my pfSense unit is no longer reachable by its WAN address, only through its LAN address. It's also seemingly impossible to do some policy-based routing, e.g. regular web browsing/downloading traffic would be nice to NAT out the WAN address, rather than to tunnel through OpenVPN with public IPs.

    I used to (until yesterday) use IPsec for the same tunnel, and was hoping that OpenVPN would give me better filtering/routing options, but so far, I'm not sure that's the case. At least under IPsec I could reach my box both via the LAN and WAN address, even though IPsec seems to snatch packets before they can be processed by the filters properly.

    So here's the question:

    • any chance that going from tun to tap can improve the control I have over the traffic?
    • what needs to be changed, should I want to try that, since simply switching on both sides from tun to tap without any other modifications in the setup results in connection failures with some messages about routing in the log:
    Jan 1 06:48:43	openvpn[64670]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 0.0.0.0
    Jan 1 06:48:43	openvpn[64670]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    
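The second log line quoted above names the rule that breaks when the tunnel goes from tun to tap: a route directive needs a gateway, and OpenVPN only has a default one from --route-gateway, or from the peer address of --ifconfig in tun mode (in tap mode the second --ifconfig argument is a netmask, so it supplies no gateway). The checker below, added here as an illustration and not part of the original post or of pfSense's OpenVPN config generator, applies that rule to a config text and reports routes that would fail this way. The three sample configs are constructed for the example; the "route" push from pfSense's "remote network 0.0.0.0/0" is assumed to appear as "route 0.0.0.0 0.0.0.0", consistent with the first quoted log line.

```python
"""Flag OpenVPN route directives that have no usable gateway.

Models the condition behind the quoted log message:
  "OpenVPN needs a gateway parameter for a --route option and no default
   was specified by either --route-gateway or --ifconfig options"
"""
import shlex


def parse_config(text):
    """Return (directive, args) pairs, dropping blank lines and # / ; comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def default_gateway(directives):
    """Gateway OpenVPN falls back to when a route line gives none.

    --route-gateway wins if present. Otherwise, in tun mode the remote
    (second) --ifconfig address is the point-to-point peer and serves as the
    gateway; in tap mode that argument is a netmask, so there is no default.
    """
    dev, ifconfig, route_gateway = "tun", None, None
    for name, args in directives:
        if name in ("dev", "dev-type") and args:
            if args[0].startswith("tap"):
                dev = "tap"
            elif args[0].startswith("tun"):
                dev = "tun"
        elif name == "ifconfig" and len(args) == 2:
            ifconfig = args
        elif name == "route-gateway" and args:
            route_gateway = args[0]  # an address, or the keyword "dhcp"
    if route_gateway:
        return route_gateway
    if dev == "tun" and ifconfig:
        return ifconfig[1]
    return None


def check_routes(text):
    """Return one message per 'route' directive that has no gateway to use."""
    directives = parse_config(text)
    fallback = default_gateway(directives)
    problems = []
    for name, args in directives:
        if name != "route" or not args:
            continue
        # route network [netmask [gateway [metric]]]; "default" means "use the fallback"
        explicit = args[2] if len(args) >= 3 and args[2] != "default" else None
        if explicit is None and fallback is None:
            problems.append(
                f"route {args[0]}: no gateway; add route-gateway or a gateway on the route line"
            )
    return problems


# Constructed sample configs (not taken from the post or from pfSense output).
TUN_OK = """
dev tun
ifconfig 10.8.0.2 10.8.0.1      # peer 10.8.0.1 is the implicit route gateway
route 0.0.0.0 0.0.0.0
"""

TAP_BROKEN = """
dev tap
ifconfig 10.8.0.2 255.255.255.0  # second argument is a netmask, not a peer
route 0.0.0.0 0.0.0.0
"""

TAP_FIXED = """
dev tap
ifconfig 10.8.0.2 255.255.255.0
route-gateway 10.8.0.1           # constructed address on the tap segment
route 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    for label, cfg in (("tun", TUN_OK), ("tap", TAP_BROKEN), ("tap+route-gateway", TAP_FIXED)):
        print(label, check_routes(cfg) or "ok")
```

Running it shows the tun config passing, the unchanged tap config failing on the 0.0.0.0 route, and the tap config passing again once a route-gateway is present; whether pfSense exposes that setting in its OpenVPN form is not something the post says.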
