Changes between Version 12 and Version 13 of BridgingAndRouting


Timestamp:
11/30/12 10:44:18 (11 years ago)
Author:
David Sommerseth
Comment:

Reworded things a bit, to (hopefully) make things clearer

  • BridgingAndRouting

    v12 v13  
    1111= Bridging vs. routing =
    1212
    13 Bridging looks easier at first glance, but it brings a completely different can of worms.  First of all, there are no shortcuts in making networking easier except learning how to do it properly. Basically you want TAP devices if:
     13This discussion needs to start with TAP vs TUN devices.  You want TAP if:
    1414
    1515 * You want to transport non-IP based traffic, or IPv6 traffic on OpenVPN 2.2 or older releases
    1616 * You want to bridge
    1717
    18 You want bridging if:
     18And you want to bridge if:
    1919
    2020 * You want your LAN and VPN clients to be in the same broadcast domain
     
    2222 * You have Windows server(s) you want to access and require network neighbourhood discovery to work via VPN '''and''' WINS is not an option to implement.  If you have WINS, you don't want bridging.  Really.
    2323
    24 It might be a few more reasons, but these are the most typical ones.  And as you see, TAP is a requirement for bridging.  Now lets see benefits and drawbacks of TAP vs TUN.
     24It might be a few more reasons, but these are the most typical ones.  And as you see, TAP is a requirement for bridging.  TUN devices cannot be used for bridges and non-IP traffic.
     25
     26Bridging looks easier at first glance, but it brings a completely different can of worms.  Make no mistake: '''There are no shortcuts in making networking easier''' - except if learning how to do it properly.
     27
     28Now lets see benefits and drawbacks of TAP vs TUN.
    2529
    2630TAP benefits:
    2731
    28  * behaves like a real network card
     32 * behaves like a real network adapter (except it is a virtual network adapter)
    2933 * can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)
     34 * Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
    3035 * ''Can'' be used in bridges
    3136
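
Review bot: The added line 26 reads "except if learning how to do it properly", which is ungrammatical; v12 line 13 had "except learning how to do it properly", and that wording should be kept. In the same region, added line 24 says TUN devices "cannot be used for bridges and non-IP traffic", where "or" would be clearer than "and", and line 28 carries over "lets" from v12 where "let's" is meant. The new bullet on line 34 starts with a capital ("Works in layer 2") while its siblings on lines 32, 33 and 35 start lower-case or with markup; pick one style for the list.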
     
    3843TUN benefits:
    3944 * A lower traffic overhead, transports only traffic which is destined for the VPN client
     45 * Transports only layer 3 IP packets
    4046
    4147TUN drawbacks:
    4248
    4349 * Broadcast traffic is not normally transported
    44  * Can only support IPv4 (OpenVPN 2.3 will add IPv6)
     50 * Can only transport IPv4 (OpenVPN 2.3 adds IPv6)
    4551 * '''Cannot''' be used in bridges
    4652
    47 In both setups, basic network knowledge is a must.  You need to be able to understand basic routing and firewalling, no matter which one use setup.  And both TUN and TAP do traditional network routing.  But using bridges, you also need to know how bridges work and how this changes firewalling in addition.
     53Please understand that in both setups, '''basic networking knowledge is a must'''.  You do need to understand basic network ''routing'' and ''firewalling'', no matter if use use routing, bridging, TUN or TAP.  Both TUN and TAP devices supports traditional network routing, so you are not required to use bridging with TAP.  But using bridges, you need in addition to know how bridges work and how this changes your firewalling.  To say it simple: Bridging will complicate your setup further.  Of course, there are scenarios where bridging really is the right solution.  But in most cases you will most likely solve your VPN setup with basic routing.
    4854
    4955For more information about TCP/IP networking, the [http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf TCP/IP Tutorial and Technical Overview] (IBM Red Book) is recommended reading, especially chapter 3.1.
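
Review bot: The rewritten paragraph on line 53 has a doubled word and a dropped pronoun in "no matter if use use routing" (should be "no matter if you use routing"), and "Both TUN and TAP devices supports" needs "support". The same line says bridging "changes your firewalling" without saying how; since the page tells readers this knowledge is required, a sentence or a link explaining what changes when VPN clients share the LAN broadcast domain (line 20) would help. Added line 45, "Transports only layer 3 IP packets", sits under TUN benefits while the matching limitations on lines 49 to 51 are under drawbacks; consider stating why it counts as a benefit, as line 44 does for overhead.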