OpenVPN TAP vs TUN in parallel


I have a few questions about our existing OpenVPN server setup and a requirement that we have to expand our access.

Our current setup is as follows:

  • 1 OpenVPN server (in TAP mode)
  • Multiple VM servers with host machine physically connected to the same subnet as OpenVPN server
  • Multiple VM servers connected to OpenVPN server as clients to access the above subnet
  • Multiple end users connected to OpenVPN server as clients to access the above subnet

For current usage, this setup works without issues. Each connected device/user gets an IP and all is well. However, we have a requirement to be able to connect with iOS/Android devices, and I understand from documentation and from https://community.openvpn.net/openvpn/wiki/BridgingAndRouting that this requires OpenVPN set up for TUN. Also, it appears that each instance of OpenVPN server can only run in one mode; you cannot have both TAP and TUN in the same OpenVPN config.

These are the questions:

  • If we set up another instance of OpenVPN on the current OVPN server, and set that to TUN mode: will a client device connecting to that OpenVPN be able to ONLY see what is local on the OVPN server? Or will it be able to see all devices on the subnet because of the TAP OVPN setup that already exists?

  • If the answer to the above is that the client device will only be able to see what is on the OVPN server and nothing else, are there alternatives to this setup that people have used to facilitate mobile device access? Could we set up an OVPN server on one of the VMs that is now connecting via TAP as a client, and use TUN there to allow access in to that one machine?

Unfortunately, due to limitations in the environment, we cannot switch the existing TAP OVPN to TUN and leave it (unless I am misunderstanding the TUN configuration and that would work as an alternative to our current setup and allow all the current VMs and client devices to connect as well as Android/iOS to connect?).

Thank you for any insight you can provide on this issue.

Best Answer

In TUN mode the subnet providing IPs for the VPN clients is "virtual" on the VPN server. TUN mode works on layer 3 and there is no layer 2 for this subnet. OpenVPN uses its own mechanisms to put traffic directed to the VPN IP of a client into the correct tunnel (so that it reaches the client). Because of that there is no possibility to mix VPN clients and local machines in this same (VPN client) subnet. They always need to be in different subnets and need to be reachable in both directions by routing.

So unless you have local firewall rules in place, your VPN clients connected via TUN should be able to reach all targets for which the routing configuration on the OpenVPN server has a path and there is a path back. The last point is most important. On each local machine you want to connect to, there must exist a path to the VPN client subnet. The VPN server has to be known as the gateway for this subnet in the local routing configuration.

are there alternatives to this setup that people have used to facilitate mobile device access?

No good ones. There is an OpenVPN client in the Play Store that emulates the layer 2 not available in the VPN API, which works in some (most?) cases. But that is kind of a hack and the developers of the official client decided against it.

Could we setup a OVPN server on one of the VMs that is now connecting via TAP as a client, and use TUN there to allow access in to that one machine?

Yes. You would then need to be able to connect to this OpenVPN server from anywhere you want to use the TUN VPN tunnel. So most likely you would need a publicly routed IP. If that's the case, local routing on the machine should be no problem.
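The answer above boils down to two requirements for a second, TUN-mode instance running beside the existing TAP one: the virtual client subnet must not overlap the LAN the TAP bridge sits on, and every LAN host that TUN clients must reach needs a return route to that subnet via the OpenVPN server. The script below is an added example, not code from the thread or from the OpenVPN project: it checks the two subnets for overlap, prints a minimal server config for the second instance (separate port, `dev tun`, pushing a route to the LAN), and prints the return-route command for the LAN hosts. The LAN subnet 192.168.10.0/24, the server's LAN address 192.168.10.5, the TUN client subnet 10.8.0.0/24, port 1195 and the certificate paths are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Addresses, port and file
# paths below are assumptions; adjust them to the real environment.

LAN_SUBNET="192.168.10.0/24"   # assumed: the subnet the TAP bridge lives on
SERVER_LAN_IP="192.168.10.5"   # assumed: OpenVPN server's address on that LAN
TUN_SUBNET="10.8.0.0/24"       # assumed: virtual subnet handed to TUN clients
TUN_PORT=1195                  # assumed: distinct from the TAP instance's port

# ip4_to_int a.b.c.d -> the address as a 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_netmask N -> dotted netmask for a /N prefix (OpenVPN's "server"
# and "route" directives take a netmask, not a prefix length)
prefix_to_netmask() {
    m=$(( (0xffffffff >> (32 - $1)) << (32 - $1) ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# subnets_overlap A/N B/M -> exit status 0 if the two CIDRs share any address.
# Compare both networks under the shorter of the two prefixes.
subnets_overlap() {
    n1=$(ip4_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip4_to_int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2
    mask=$(( (0xffffffff >> (32 - p)) << (32 - p) ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# tun_server_conf -> a minimal config for the second (TUN) instance. It is a
# separate config file, so it runs beside the TAP instance with its own
# port and its own device; the CA/cert/key paths are assumed to be shared.
tun_server_conf() {
    cat <<EOF
port $TUN_PORT
proto udp
dev tun
server ${TUN_SUBNET%/*} $(prefix_to_netmask "${TUN_SUBNET#*/}")
# clients get a route to the LAN; the server forwards between tun and the LAN
push "route ${LAN_SUBNET%/*} $(prefix_to_netmask "${LAN_SUBNET#*/}")"
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
keepalive 10 120
persist-key
persist-tun
EOF
}

# lan_host_return_route -> the route every LAN host (including the VMs that
# are bridged in over TAP) needs so replies to TUN clients go back via the
# OpenVPN server instead of the LAN's default gateway
lan_host_return_route() {
    echo "ip route add $TUN_SUBNET via $SERVER_LAN_IP"
}

if subnets_overlap "$TUN_SUBNET" "$LAN_SUBNET"; then
    echo "error: TUN client subnet $TUN_SUBNET overlaps LAN $LAN_SUBNET; choose a disjoint one" >&2
    exit 1
fi
echo "# /etc/openvpn/server/tun.conf (assumed path):"
tun_server_conf
echo "# on the OpenVPN server, so it forwards between tun0 and the LAN:"
echo "sysctl -w net.ipv4.ip_forward=1"
echo "# on every LAN host that TUN clients must reach:"
lan_host_return_route
```

Without the return route on a LAN host, the first packet from a TUN client arrives, but the reply follows the host's default route and never reaches the tunnel, which is exactly the one-way reachability the answer warns about. If the LAN's default gateway is under your control, adding the same `10.8.0.0/24 via 192.168.10.5` route there instead of on every host is the usual shortcut.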