OT512
just joined
Topic Author
Posts: 2
Joined: Sun Sep 10, 2023 12:07 am

Choice of OpenVPN mode - TAP or TUN

Mon Sep 11, 2023 12:07 am

RouterOS supports tap mode and tun mode, working on layer 2 and layer 3 respectively.

I'm trying to build a remote access VPN, for employees to connect to the office network and access LAN resources. Specifically, I hope they can use the same IP range and be treated as if they were plugged into the office LAN.

For example, their laptops are usually plugged into VLAN 1 through a switch in the office, and use 192.168.1.0/24 addresses. The printer is at 192.168.1.221 and the NAS is at 192.168.1.240. They can access the printer and NAS without routing.

Now they are working remotely, connecting through OpenVPN. I hope they are still allocated an IP address within 192.168.1.0/24 and still in VLAN 1, so that they are still able to access the printer and NAS the same way.

Feels like TAP mode is more suitable, but why do most guides on the internet recommend TUN mode? What mode do you use in a production environment? And why?
 
trex2000
newbie
Posts: 29
Joined: Thu Aug 17, 2023 9:40 am

Re: Choice of OpenVPN mode - TAP or TUN

Fri Apr 05, 2024 6:05 pm

It depends what you would like to achieve.
TAP:
I have always used TAP between 2 routers for site-to-site VPN.
It has some advantages and disadvantages over TUN
Advantage:
- TAP works at level 2: you bridge together the tapxx network interface with the rest of the LAN (wifi, ethernet, etc.), and this way all devices will be in the same LAN.
- You won't need explicit routing; every machine behind any of the routers will see each other, and you can access all services as if they are on the same LAN.
- All multicast based services work seamlessly.
- Good if you want to bridge 2 sites and you want all machines to see each other as if they were on the same LAN.
Disadvantage:
- TAP uses more bandwidth than TUN, as it encapsulates all traffic.
- You will generally get slower speed due to the previous point.
- If you have 2 routers with each of them having a DHCP server, you will have to filter out the DHCP requests with ebtables or something similar, as otherwise one of the DHCP servers from the "remote" location might answer quicker and assign an IP address and its own gateway to the local host.

TUN:
Advantage:
- It operates on IP level (layer 3)
- It's faster than TAP
- It can be more secure, as you need explicit routing
- It has more support from Windows, for example
- Good for classic VPN solutions, like accessing securely the resources from workplace via VPN from remote (home, for example)
Disadvantage:
- Basically it works as your WAN and LAN: there are 2 separate networks and you have to route from one to another (so you have to create routing rules to be able to access the resources)
- Requires configuration of routing rules
- Multicast is not working by default, can be done via explicit routing (I guess?)
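One way to do the DHCP filtering that trex2000's TAP disadvantage list calls for, on the RouterOS side rather than with ebtables; this is an added example, not configuration from either post, and the interface name ovpn-in1 (the OpenVPN TAP interface, assumed to be a port of the LAN bridge) is an assumption you must change to match your router:

```routeros
# Added example, not from the thread. Bridge filter rules on the office
# router that stop a DHCP server on the far side of a bridged TAP tunnel
# (or a rogue DHCP server on a VPN client) from handing leases to local
# hosts. Assumed interface name: ovpn-in1 = the OpenVPN TAP bridge port.
/interface bridge filter
# 1. Log DHCP server replies (UDP 67 -> 68) that arrive over the tunnel,
#    so an unexpected DHCP server on the remote side is visible in the log.
add chain=forward in-interface=ovpn-in1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=log log-prefix="dhcp-from-vpn" \
    comment="Log DHCP OFFER/ACK coming in over the TAP tunnel"
# 2. Drop those replies, so only the local DHCP server can answer local hosts.
add chain=forward in-interface=ovpn-in1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop \
    comment="Drop DHCP server replies arriving over the TAP tunnel"
# 3. Keep local DHCP DISCOVER/REQUEST broadcasts (UDP 68 -> 67) from being
#    forwarded into the tunnel, so a remote server never sees them at all.
add chain=forward out-interface=ovpn-in1 mac-protocol=ip ip-protocol=udp \
    src-port=68 dst-port=67 action=drop \
    comment="Do not forward local DHCP requests into the TAP tunnel"
```

Bridge filter rules are evaluated in order, so keep these above any accept-all rule; for a site-to-site bridge with a DHCP server at each end, add the mirror-image rules on the other router too.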