OpenVPN has two modes: bridge mode and routing mode.
In computer networking, TUN and TAP are virtual network devices in the operating-system kernel. Unlike ordinary network devices, which are backed by a hardware network interface card, these virtual devices are implemented entirely in software, yet they present to the software running on the operating system exactly the same interface as a hardware network device.
The operating system sends data through the TUN/TAP device to the user-space program bound to it. Conversely, the user-space program can also write data into the TUN/TAP device, just as it would operate a hardware network device. In the latter case, the TUN/TAP device delivers (or "injects") the packets into the operating system's network stack, simulating the reception of data from outside.

OpenVPN provides two types of virtual network interface, TUN and TAP: tun is used to establish an IP tunnel, and tap is used to establish an Ethernet bridge. These two modes are also called routing mode and bridge mode. A TAP device is equivalent to an Ethernet device and operates on layer 2 packets, i.e. Ethernet frames. A TUN device simulates a network-layer device and operates on layer 3 packets, i.e. IP packets.

Bridging creates a virtual wide-area Ethernet on a subnet; it is equivalent to a bridge connecting different LANs. The advantage of bridging is that broadcasts can cross the VPN, so software that relies on LAN broadcasts keeps working. Bridging does not require any routing to be configured and works with any protocol that runs over Ethernet, but it is less efficient than routing mode and does not scale easily. When bridging is used to connect to the remote network, the client is assigned an IP address from the remote physical Ethernet, so it can communicate with the other machines on the remote subnet as if it were connected locally.

The advantage of routing is that it is efficient and scalable, and the MTU can be tuned more easily. The disadvantage of routing mode is that broadcasts cannot cross the VPN, and only IPv4 is supported. If you use bridge mode, both ends of the client/server pair must be tap. If you use routing mode, both ends can be tun or tap, but the two ends must be consistent.

By default, OpenVPN re-authenticates the identity once an hour. With two-factor authentication the password is a one-time code, so the re-authentication inevitably fails, which leads to the classic problem of the connection dropping every hour. The solution is to configure the following in server.conf:

reneg-sec 0
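The following is an added example, not configuration from the original post: a minimal routing-mode server.conf together with the matching client lines, showing where the mode choice (tun on both ends) and the hourly re-authentication fix go. Addresses, host names, certificate file names and the OTP check script path are placeholders.

```conf
# --- server.conf (routing mode) ---
port 1194
proto udp
# "dev tun" selects routing mode (layer 3). Bridge mode would use "dev tap"
# plus "server-bridge ...", and the client would then also need "dev tap".
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Hand out addresses from a private subnet ("server" is only valid with tun).
server 10.8.0.0 255.255.255.0
# Broadcasts do not cross a tun, so reach the LAN behind the server by a route.
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
# Two-factor: username plus a one-time password, checked by an external
# script (placeholder path). script-security 2 is needed to run scripts;
# "via-file" hands the credentials over in a temporary file.
script-security 2
auth-user-pass-verify /etc/openvpn/check-otp.sh via-file
# TLS renegotiation defaults to every 3600 s. With a one-time password the
# second authentication fails and the client is dropped, so disable it.
reneg-sec 0

# --- client.ovpn ---
client
# Must match the server: tun on both ends (or tap on both ends).
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
auth-user-pass
# Whichever side has the lower reneg-sec triggers the renegotiation, so a
# client left at the default 3600 s would still drop hourly. Set 0 here too.
reneg-sec 0
```

Note that reneg-sec 0 turns off data-channel key renegotiation for the whole session; on OpenVPN 2.4 and later the server option auth-gen-token can instead push a temporary token that satisfies the re-authentication, so the default renegotiation interval can be kept.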

By admin