In this tutorial we will look at the difference between OpenVPN TUN and TAP modes and when to
use one or the other.
Finally, we will set up an OpenVPN server in TAP mode behind a Cisco ASA firewall.
DIFFERENCE BETWEEN TUN AND TAP
TUN stands for network TUNnel. "tun" mode is also called routing mode and operates on
layer 3 packets.
In routing mode, the VPN client is given an IP address on a different subnet from the
local LAN where the OpenVPN server sits.
This virtual subnet exists only to connect the remote VPN clients.
The OpenVPN server creates a "tun" interface with its own IP address pool, distinct from
the local LAN. Client 1 will get an IP address inside the 10.0.8.0 network and, without
further routing configuration, will only be able to reach the server on which OpenVPN runs.
The problem with TUN mode is that, by default, the OpenVPN client cannot communicate with
the other local LAN resources. Local LAN machines already have a default gateway (10.10.10.1),
while the OpenVPN client reaches the LAN through the tunnel endpoint 10.0.8.1. If an OpenVPN
client sends a packet destined to 10.10.10.11, the destination device receives that packet,
sees that it comes from an IP address outside its own local LAN, and sends the reply to its
gateway (10.10.10.1) instead of back to the OpenVPN server. Unless the gateway itself knows a
route for 10.0.8.0/24, the reply never reaches the client.
For a local machine to communicate with an OpenVPN client in TUN mode, a static route for 10.0.8.0/24 pointing at the OpenVPN server has to be defined on it (or, once for the whole LAN, on the gateway 10.10.10.1). But it is a bit too
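For comparison, the mode-specific part of a routed (TUN) server configuration, added here as an example rather than taken from this page. The addresses are the ones used in the description above; the certificate paths are assumptions.

```conf
# /etc/openvpn/server.conf, routed (TUN) mode  (added example, not the page's file)
port 1194
proto udp
dev tun
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
# Virtual subnet for the clients; the server end of the tunnel becomes 10.0.8.1
server 10.0.8.0 255.255.255.0
# Tell clients that the LAN behind the server is reachable through the tunnel
push "route 10.10.10.0 255.255.255.0"
# The LAN still needs a return path to 10.0.8.0/24. Rather than a static route on
# every LAN host, one route on the LAN gateway (10.10.10.1) is enough:
#     10.0.8.0/24 via 10.10.10.200
# i.e. "send replies for the VPN subnet to the OpenVPN server's LAN address".
keepalive 10 120
persist-key
persist-tun
verb 3
```

With the single route on the gateway, every LAN host keeps its normal default route and still gets a working path back to the clients; the OpenVPN server forwards between tun0 and eth0, so IP forwarding has to be enabled on it (net.ipv4.ip_forward=1).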
The other conventional solution is TAP mode.
"tap" mode is also called bridge mode and operates on layer 2 frames.
In bridge mode, the VPN client is given an IP address on the same subnet as the LAN
where the OpenVPN server resides, giving the OpenVPN client direct access to the other LAN
resources. In bridge mode, the OpenVPN server creates two logical interfaces, "br0" and "tap". The role of the
"br0" interface is to link the "eth0" interface to the "tap" interface. Once
that link is established, the "eth0" and "tap" interfaces communicate through "br0".
Client 1 will get an IP address inside the 10.10.10.0 network and will have access to
all LAN resources, and to the internet through the OpenVPN server if its default route is sent through the tunnel.
If you want to give multiple clients remote access to a single server, without access to
the other remote LAN resources, OpenVPN TUN mode is the simplest solution.
If you want to give multiple clients remote access to the entire remote LAN, you need
to set up OpenVPN in bridge mode. Keep in mind that a bridged client is a layer 2 member of
the LAN: it receives the LAN's broadcast traffic and can speak any protocol on it, so bridge
mode is appropriate only for clients you would trust to plug into the office switch.
OpenVPN behind a firewall
OpenVPN can be set up as both VPN server and firewall (iptables or UFW), or behind a firewall
(here an ASA 5520 running ASA software 8.4.2) that performs NAT and protects our network from
the internet.
Here the OpenVPN server has the LAN IP address 10.10.10.200 and listens on the default port
1194 (UDP). We need a static port forwarding on the ASA so that incoming connections from the
outside to port 1194 reach the OpenVPN server.
OpenVPN server configuration
This tutorial uses Ubuntu Server 15.04. The configuration is the same on all Debian
First we need the openvpn, easy-rsa and bridge-utils packages:
sudo apt-get install openvpn bridge-utils easy-rsa
Note: bridge-utils is only needed for this TAP configuration; TUN needs only openvpn and
easy-rsa.
Configure the bridge interface
As discussed earlier, the bridge interface is a logical interface that links the tap and
eth0 interfaces together, allowing OpenVPN clients to have an IP address on the local LAN
and to access local resources.
Edit /etc/network/interfaces
Restart the networking service to apply the changes. Do this from the console rather than over
SSH through eth0: eth0 loses its address when it becomes a bridge port.
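A bridge configuration for /etc/network/interfaces that matches the addressing used in this tutorial, added here as an example (it is not the page's own file). It assumes the LAN interface is eth0, uses the server address 10.10.10.200/24 and gateway 10.10.10.1 from the description above, and assumes the gateway also serves DNS.

```conf
# /etc/network/interfaces  (added example; assumes eth0 is the LAN interface)
auto lo
iface lo inet loopback

# eth0 keeps no address of its own: it becomes a port of br0 below
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    address 10.10.10.200
    netmask 255.255.255.0
    gateway 10.10.10.1
    dns-nameservers 10.10.10.1   # assumption: the gateway also resolves DNS
    bridge_ports eth0            # tap0 is added later by the OpenVPN up script
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
```

After "service networking restart" (or "ifdown eth0; ifup br0"), "brctl show" should list br0 with eth0 as its only port, and "ip addr" should show 10.10.10.200 on br0 rather than on eth0.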
Certificate configuration and generation
Copy the necessary files to /etc/openvpn/easy-rsa/
mkdir -p /etc/openvpn/easy-rsa && cp -R /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/easy-rsa/
Note: depending on the package version, the path sometimes differs.
To find where the easy-rsa directory is, issue the command:
Edit the /etc/openvpn/easy-rsa/vars file
The vars file contains the defaults (country, organisation, key size, and so on) that
easy-rsa uses to generate the CA, server and client certificates and the other PKI files.
Setup CA and create the server certificate
This method is also valid
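The easy-rsa 2.x command sequence for the CA, server certificate, Diffie-Hellman parameters and tls-auth key, with a check to run before restarting openvpn, added here as an example (it is not the page's script). The /etc/openvpn/easy-rsa path and the 2048-bit key size (KEY_SIZE in vars) are assumptions; "dpkg -L easy-rsa" lists where the package put the files if they are not under /usr/share/doc/openvpn/examples.

```shell
#!/bin/sh
# Added example: easy-rsa 2.x PKI for the TAP server. Usage: pki.sh server | client NAME | check
set -e
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"   # assumption
KEYS_DIR="$EASYRSA_DIR/keys"

build_pki() {
    cd "$EASYRSA_DIR"
    . ./vars                     # KEY_COUNTRY, KEY_SIZE, KEY_DIR ... from the edited vars file
    ./clean-all                  # WIPES keys/: only for the first setup
    ./build-ca                   # CA certificate and key (interactive prompts)
    ./build-key-server server    # server certificate, CN=server, marked as a server cert
    ./build-dh                   # Diffie-Hellman parameters, keys/dh${KEY_SIZE}.pem
    openvpn --genkey --secret "$KEYS_DIR/ta.key"   # tls-auth HMAC key
    chmod 600 "$KEYS_DIR/ta.key"
}

build_client() {
    cd "$EASYRSA_DIR"
    . ./vars
    ./build-key "$1"             # client certificate and key, CN=$1 (./pkitool "$1" for non-interactive)
}

# Verify that every file server.conf needs exists and that private keys are not
# world-readable, so a failed build is caught before openvpn is restarted.
pki_check() {
    dir="$1"; key_size="${2:-2048}"
    for f in ca.crt server.crt server.key "dh$key_size.pem" ta.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    for f in server.key ta.key ca.key; do
        [ -e "$dir/$f" ] || continue
        perms=$(stat -c '%a' "$dir/$f")
        case "$perms" in
            600|400) ;;
            *) echo "$dir/$f is mode $perms, expected 600" >&2; return 1 ;;
        esac
    done
    return 0
}

case "${1:-}" in
    server) build_pki && pki_check "$KEYS_DIR" ;;
    client) build_client "$2" ;;
    check)  pki_check "$KEYS_DIR" ;;
esac
```

Keep ca.key off the OpenVPN server once the certificates are issued: the server only needs ca.crt to validate clients, and whoever holds ca.key can mint client certificates for the VPN.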
Create a script that OpenVPN runs when it brings up the tap interface, adding that interface to
the “br0” bridge (the "up" script)
Create the script that removes it from the bridge again when OpenVPN stops (the "down" script)
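One script that serves as both up.sh and down.sh, added here as an example (it is not the page's script). OpenVPN runs the up and down scripts with the interface name as $1 and exports script_type ("up" or "down"), so the same file can be saved under both names, or one copy can be named in both directives; br0 is assumed to be the bridge created above.

```shell
#!/bin/sh
# Added example: /etc/openvpn/up.sh and /etc/openvpn/down.sh (same file).
# OpenVPN calls it as: script tap0 <tun_mtu> <link_mtu> ... with $script_type set to up|down.
BR="${BR:-br0}"   # assumption: the bridge configured in /etc/network/interfaces

# This runs as root with arguments supplied by OpenVPN; accept only a plain tapN
# device name so a mistyped "dev" line cannot reach brctl/ip unchecked.
is_tap_dev() {
    case "$1" in
        tap|tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

bridge_up() {
    dev="$1"
    is_tap_dev "$dev" || { echo "up.sh: refusing to bridge '$dev'" >&2; return 1; }
    # The tap device must be up and promiscuous to forward frames for the whole LAN
    ip link set "$dev" up promisc on
    brctl addif "$BR" "$dev"
}

bridge_down() {
    dev="$1"
    is_tap_dev "$dev" || return 1
    brctl delif "$BR" "$dev"
    ip link set "$dev" down
}

if [ -n "${1:-}" ]; then
    case "${script_type:-up}" in
        up)   bridge_up "$1" ;;
        down) bridge_down "$1" ;;
    esac
fi
```

If server.conf drops privileges with "user nobody"/"group nogroup", the down script runs unprivileged and its brctl call fails; this is harmless, because the kernel removes tap0 from br0 when OpenVPN closes the device, but the error will show up in the log.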
Make both scripts executable
chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
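The /etc/openvpn/server.conf that ties the bridge, the certificates and the scripts together, added here as an example (it is not the page's file). The certificate paths, the client pool 10.10.10.210 to 10.10.10.220 and the DNS server are assumptions; the pool must lie outside the LAN's DHCP range.

```conf
# /etc/openvpn/server.conf, bridged (TAP) mode  (added example, not the page's file)
port 1194
proto udp
dev tap0                      # fixed name so the up/down scripts receive a predictable $1
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0   # drop packets without a valid HMAC before any TLS work
# server-bridge <server LAN address> <netmask> <pool start> <pool end>
# Clients get addresses from the pool (assumption: 10.10.10.210-220 is free of DHCP).
server-bridge 10.10.10.200 255.255.255.0 10.10.10.210 10.10.10.220
push "dhcp-option DNS 10.10.10.1"   # assumption: the gateway is also the DNS server
keepalive 10 120
cipher AES-256-CBC                  # clients must use the same cipher
# Level 2 allows OpenVPN to run the external up/down scripts; without it they are not executed.
script-security 2
up   /etc/openvpn/up.sh
down /etc/openvpn/down.sh
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```

Without "script-security 2" OpenVPN will not run the scripts, tap0 never joins br0, and clients connect but get no traffic; that is the first thing to check when the bridge looks empty.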
Restart the openvpn service
service openvpn restart
Create the client certificate
Copy the files ca.crt, client.crt, client.key and ta.key to the OpenVPN "config" directory on
your Windows client, and add a client.ovpn file to the same “config” directory.
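A client.ovpn for the bridged server, added here as an example (it is not the page's file). The remote address 198.51.100.1 is a placeholder for the ASA's WAN address; the file names are the ones copied above.

```conf
# client.ovpn  (added example) - lives in the OpenVPN "config" directory next to the copied files
client
dev tap
proto udp
remote 198.51.100.1 1194     # assumption: placeholder for the ASA's WAN address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1            # direction 1 on the client, 0 on the server
remote-cert-tls server       # refuse a server that presents a client certificate
cipher AES-256-CBC           # must match the cipher line in server.conf
verb 3
```

"remote-cert-tls server" works because the server certificate was created with build-key-server, which marks it as a server certificate; it stops a stolen client certificate from being used to impersonate the server.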
Now you can connect your client to OpenVPN. On the server you should see a similar network
configuration: br0 carrying the 10.10.10.200 address, with eth0 and tap0 as its bridge ports.
Troubleshooting
The server is not being NATed (pings to the WAN IP do not work)
Verify the ASA configuration. Note that a static port forwarding only translates UDP port 1194: a
ping to the WAN IP is handled by the ASA itself, not forwarded to the server, so it says nothing
about the forwarding. Test with packet-tracer or with a real client connection instead.
Verify that the interfaces are up and the ASA can ping outside IP addresses
Verify that the ASA has a default route
Verify the inspection policy
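The corresponding ASA show commands and a packet-tracer test, added here as an example; 203.0.113.10 and 198.51.100.1 stand in for an outside client and the ASA's WAN address, and OUTSIDE-IN and OPENVPN-SERVER are assumed names for the inbound ACL and the server object.

```cisco
! Added example: verification on ASA 8.4.2; names and outside addresses are placeholders.
! All used interfaces should show "up up":
show interface ip brief
! A default route pointing out of the outside interface:
show route | include 0.0.0.0
! The static PAT for udp/1194 is present, and untranslate_hits grow as clients try to connect:
show run nat
show nat detail
! The ACL entry exists and its hitcnt increases:
show access-list OUTSIDE-IN
! The inspection policy is applied:
show service-policy
! Simulate one inbound client packet end to end (untranslate, ACL, route lookup):
packet-tracer input outside udp 203.0.113.10 50000 198.51.100.1 1194
```

packet-tracer ends with "Action: allow" and shows the packet leaving on inside towards 10.10.10.200 when the NAT and ACL are right; the phase in which it reports "drop" tells you which of the two is wrong.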
Verify the OpenVPN server's default route with “route”. A missing default route can be added
with “route add default gw 10.10.10.1”; make it permanent in /etc/network/interfaces.
The tap0 interface does not come up or is not added to the bridge
Verify your script
Verify that you added “script-security 2” (or “script-security 3”) to server.conf; the
directive is script-security, and OpenVPN does not run external scripts without it
Verify that you made the scripts executable with “chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh”
The client gets stuck at “MANAGEMENT: >STATE:1435176030,WAIT,,” when connecting
Verify that the client has internet connectivity
Verify that port 1194 is open on the ASA
Verify that the OpenVPN server is listening on port 1194 (UDP)
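A server-side check script for the symptoms listed above, added here as an example (not from the page). It assumes the bridge is br0, the tap device is tap0 and the configuration is /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example: run as "sh check-openvpn.sh run" on the server after a failed client connection.
CONF="${CONF:-/etc/openvpn/server.conf}"   # assumption
BR="${BR:-br0}"                            # assumption
TAP="${TAP:-tap0}"                         # assumption

# 0 if the config enables external scripts (level 2 or 3) and names executable up/down scripts.
conf_scripts_ok() {
    conf="$1"
    level=$(sed -n 's/^[[:space:]]*script-security[[:space:]]\{1,\}\([0-9]\).*/\1/p' "$conf" | tail -n1)
    case "$level" in
        2|3) ;;
        *) echo "script-security missing or below 2 in $conf" >&2; return 1 ;;
    esac
    for kind in up down; do
        script=$(sed -n "s/^[[:space:]]*$kind[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p" "$conf" | tail -n1)
        [ -n "$script" ] || { echo "no '$kind' directive in $conf" >&2; return 1; }
        [ -x "$script" ] || { echo "$script is not executable (chmod +x)" >&2; return 1; }
    done
    return 0
}

# 0 if the bridge exists and the tap device is one of its ports (what up.sh should have done).
bridge_ok() {
    [ -d "/sys/class/net/$BR" ] || { echo "$BR does not exist" >&2; return 1; }
    [ -d "/sys/class/net/$BR/brif/$TAP" ] || { echo "$TAP is not a port of $BR" >&2; return 1; }
}

# 0 if something is bound to udp/1194.
listening_ok() {
    ss -lun | grep -q ':1194[[:space:]]' || { echo "nothing listening on udp/1194" >&2; return 1; }
}

# 0 if the server has a default route, needed for replies to reach the ASA.
route_ok() {
    ip route show default | grep -q . || { echo "no default route" >&2; return 1; }
}

if [ "${1:-}" = "run" ]; then
    rc=0
    conf_scripts_ok "$CONF" || rc=1
    bridge_ok || rc=1
    listening_ok || rc=1
    route_ok || rc=1
    exit "$rc"
fi
```

Each check prints one line naming what is wrong, so the output maps directly onto the list above: a conf_scripts_ok failure points at server.conf or the chmod, a bridge_ok failure at the up script, and listening_ok or route_ok at the server rather than the ASA.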