OpenVPN Server in TAP mode on the 4.x firmware

sashkent3 · 2022-12-07T19:54:34.854Z

Hello everyone! Basically, I have an AX1800 Flint router with the latest 4.1.0 firmware. I want to set up OpenVPN server there in bridge mode, however I’ve only found that feature in 3.x docs here not in 4.x docs. The feature doesn’t seem to be present on my router either. The only available device mode is TUN. Is my only option to downgrade?

jdub · 2022-12-07T21:08:46.028Z

If you’re willing to ssh in and write your own configuration manually you can do that, then enable the openvpn server as normal for a Linux system. I’m not sure how well this will play with GLI’s generic firewall rules, but you can always dump a more stock-ish build on to get rid of that if you have to.

@wcs2228 will tell me I should just answer your question without offering suggestions, but is there a reason you need to do TAP instead of TUN? It’s a extra headache and overhead unless you really need the functionality.

sashkent3 · 2022-12-07T22:33:22.623Z

Thank you for the answer! I’m not very comfortable with networking unfortunately so I rather opt for a downgrade than for manual editing of configuration files.
What I’m trying to set up is a VPN server which would bridge it’s client to be able to access my whole LAN. I have read that TAP is more suitable for the task. I have no luck with it unfortunately even on the 3.x firmware.

jdub · 2022-12-08T02:42:35.750Z

Someone else recently said they’d read similar things, but the truth is that you can access your network perfectly well using TUN. If you’re familiar with the OSI model, TAP is effectively emulating layer 2, while TUN is emulating Layer 3. What this means from a practical perspective is that if you use a TAP network you can access all of the devices on your LAN, but you don’t get all of the overhead network traffic, particularly with things like multicast and network discovery. With TAP you do get those things, because it’s like you are physically plugged into the network switch (You can think of TAP as transferring Ethernet frames, rather than IP packets). TUN is more like a router deciding what traffic needs to go to the other network and forwarding it along (as opposed to just sending everything, because, whether it’s bound for the remote network or not.)

So if you’re goal is, for example, to be able to read files off your remote network or remote desktop into a machine, TUN is more than sufficient. If your goal is to Chromecast a song to a TV connected to your remote network, or to play to remote Sonos speakers while you’re out of town, you’ll need TAP. Otherwise, you’ll probably be fine with TUN.

groentjuh · 2022-12-08T08:45:29.990Z

I wouldn’t do tap mode on the 4.x firmwares. That firmware does not set that up correctly and I can understand that; Basically it would disable a lot of the features of the router as doing tap would basically change it into a access point (to that bridged vpn-network.)

It can be done using luci (advanced settings in gl-inet), but I doubt the gl-inet firmware will like the changed and not undo them partially.

alzhao · 2022-12-08T10:29:14.048Z

Better use TUN rather than TAP for the router.

If TUN works, just stay with it.

sashkent3 · 2022-12-08T14:04:56.453Z

I was specifically in need for broadcasting to work which doesn’t work with layer 3 (TUN) if I’m not mistaken. However, I have since reconsidered other parts of my setup so it doesn’t require the VPN at all anymore. Thanks for you are answer, I will mark it as a solution for people with similar problems. I guess if you think you need TAP the first thing is to understand why you don’t need TAP.

jdub · 2022-12-08T14:36:46.511Z

Yeah, if you need broadcast packets to traverse the VPN, you need TAP - but that’s a pretty edge use case these days. But you are absolutely correct. If you can’t technically articulate why you need TAP, you probably don’t need TAP.