15.1 Overview

This section gives a brief overview of some scenarios that are possible with a VPN and of the relevant terminology.

15.1.1 Scenarios with VPN

There are many packages (and even more combinations of them) that allow you to set up a VPN connection. This chapter focuses on OpenVPN. Unlike some other VPN software, OpenVPN can be operated in either of two modes:

Routed VPN

Routing is easier to set up. It is more efficient and scales better than bridged VPN. Furthermore, it allows the user to tune the MTU (Maximum Transfer Unit) to raise efficiency. However, in a heterogeneous environment NetBIOS broadcasts do not work unless you have a Samba server on the gateway. If you need IPv6, the tun drivers on both ends must support this protocol explicitly.

Figure 15-1 Scenario 1

Bridged VPN

Bridging is more complicated to set up and is recommended when you need to browse Windows file shares across the VPN without setting up a Samba or WINS server. Bridged VPN is also needed if you want to use non-IP protocols (such as IPX) or applications that rely on network broadcasts. However, bridging is less efficient than routed VPN. Another disadvantage is that it does not scale well.

Figure 15-2 Scenario 2

Figure 15-3 Scenario 3

Figure 15-4 Scenario 4

The major difference between bridging and routing is that a routed VPN cannot carry IP broadcasts, while a bridged VPN can.

15.1.2 Tun and Tap Devices

Whenever you set up a VPN connection, your IP packets are transferred over a secured tunnel. The connection between the client's device and the server's device is called a tunnel. A tunnel can use a so-called tun or tap device. Both are virtual network devices provided by the kernel that carry either Ethernet frames or IP packets:

tun device

A tun device simulates a point-to-point network link and carries layer 3 packets in the OSI model, that is, IP packets. A tun device is used with routing.

tap device

A tap device simulates an Ethernet device and carries layer 2 frames in the OSI model, that is, Ethernet frames. A tap device is used for creating a network bridge.

The userspace program OpenVPN can attach itself to a tun or tap device to receive the packets your OS sends to it. The program is also able to write packets to the device. For more details, see /usr/src/linux/Documentation/networking/tuntap.txt.
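The following Python example is added here to make the two points of this overview concrete; it is not code from the guide or from the OpenVPN project. It parses the byte strings a tap device (whole Ethernet frames, Section 15.1.2) and a tun device (bare IP packets) hand to user space, and then applies the rule from Section 15.1.1: a routed (tun) tunnel carries only unicast IP, so Ethernet broadcasts such as NetBIOS name queries and non-IP EtherTypes such as IPX never reach it. It goes slightly beyond the text by also handling the optional 4-byte struct tun_pi header that the kernel prepends to tun reads when the device is not opened with IFF_NO_PI (described in the tuntap.txt file referenced above). All MAC addresses, the 10.8.0.0/24 addresses and the sample frames are constructed for the example; no real device is opened.

```python
# Added example, not from the guide: parse what a tap and a tun device hand to
# user space; all sample frames are constructed inline, no device is opened.
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
BROADCAST_MAC = b"\xff" * 6


@dataclass
class Ipv4Header:
    src: str
    dst: str
    proto: int


@dataclass
class Frame:
    layer: int                  # 2 if read from a tap device, 3 if from a tun device
    ethertype: Optional[int]    # tap frames always carry one; tun reads only with packet info
    dst_mac: Optional[bytes]    # only a tap frame has a MAC header
    ipv4: Optional[Ipv4Header]  # None for non-IPv4 payloads such as ARP or IPX

    @property
    def is_broadcast(self) -> bool:
        return self.dst_mac == BROADCAST_MAC


def parse_ipv4(data: bytes) -> Ipv4Header:
    """Decode the fields of a fixed IPv4 header that matter here (RFC 791 layout)."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return Ipv4Header(src=socket.inet_ntoa(data[12:16]),
                      dst=socket.inet_ntoa(data[16:20]),
                      proto=data[9])


def parse_tap(data: bytes) -> Frame:
    """A tap device delivers whole Ethernet frames: destination MAC, source MAC,
    EtherType (14 bytes in total), then the layer-3 payload."""
    if len(data) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", data[12:14])[0]
    ipv4 = parse_ipv4(data[ETH_HDR_LEN:]) if ethertype == ETHERTYPE_IPV4 else None
    return Frame(layer=2, ethertype=ethertype, dst_mac=data[0:6], ipv4=ipv4)


def parse_tun(data: bytes, packet_info: bool = False) -> Frame:
    """A tun device delivers bare IP packets with no MAC header. If the device
    was opened without IFF_NO_PI, Linux prepends a 4-byte struct tun_pi
    (host-order flags, network-order protocol) as tuntap.txt describes;
    packet_info=True strips it."""
    ethertype = None
    if packet_info:
        ethertype = struct.unpack("!H", data[2:4])[0]
        data = data[4:]
    if data and data[0] >> 4 == 4:
        return Frame(layer=3, ethertype=ethertype, dst_mac=None, ipv4=parse_ipv4(data))
    return Frame(layer=3, ethertype=ethertype, dst_mac=None, ipv4=None)  # e.g. IPv6


def carried_by_routed_vpn(frame: Frame) -> bool:
    """Whether a routed (tun) tunnel can forward this traffic. Only unicast IP
    gets through: Ethernet broadcasts (NetBIOS name queries, ARP) and non-IP
    EtherTypes such as IPX exist only at layer 2 and need a bridged (tap) VPN.
    IPv6 is deliberately outside this toy check."""
    if frame.ipv4 is None:
        return False
    return not (frame.is_broadcast or frame.ipv4.dst == "255.255.255.255")


# Constructed sample traffic (checksums left zero, which parsing does not need).
def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_eth(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


HOST_MAC = bytes.fromhex("525400123456")  # constructed, not a real host
# A NetBIOS name query as a Windows client broadcasts it when browsing shares
# without WINS: UDP to the subnet broadcast address (UDP payload stubbed).
NETBIOS_QUERY = build_eth(BROADCAST_MAC, HOST_MAC, ETHERTYPE_IPV4,
                          build_ipv4("10.8.0.10", "10.8.0.255", socket.IPPROTO_UDP, b"\x00" * 8))
IPX_BROADCAST = build_eth(BROADCAST_MAC, HOST_MAC, ETHERTYPE_IPX, b"\x00" * 30)
TCP_UNICAST = build_ipv4("10.8.0.10", "10.8.0.1", socket.IPPROTO_TCP)
TCP_UNICAST_WITH_PI = b"\x00\x00\x08\x00" + TCP_UNICAST  # as read without IFF_NO_PI
```

Running `parse_tap(NETBIOS_QUERY)` yields a layer-2 frame whose destination MAC is the broadcast address, so `carried_by_routed_vpn` rejects it, which is exactly why the guide says NetBIOS browsing over a routed VPN needs a Samba or WINS server on the gateway; the IPX frame is rejected because it carries no IP payload at all, while the unicast TCP packet read from the tun device passes.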