Matthias Andree <ma+ov...@dt.e-technik.uni-dortmund.de> said:

> On Mon, 15 Sep 2003, James Yonan wrote:
>
> > Yes, this is a problem. For OpenBSD to talk to Windows over OpenVPN, we
> > need either a tun driver for Windows or a tap driver for OpenBSD.
> >
> > My guess is that the easier and better solution would be to solve the tap on
> > OpenBSD problem, rather than the tun on Windows problem.
>
> I'd like to challenge the "better" claim:

I mean "better" only in the sense of simpler configuration -- i.e. not
needing to set up a WINS server to make cross-subnet browsing work. I
agree that tun is more scalable, secure, etc.

> The tap driver gives full ethernet tunnelling, so the Windows box gets
> to choose the IP, gets ARP traffic tunnelled and all that. That's pretty
> much power IMO.
>
> The tun driver, in contrast, only works for a specific IP, if the
> Windows box chooses another one, it's not getting any traffic back.
>
> I consider this a security relevant choice, if I have "half-trusted"
> users, tap isn't really an option.

I would agree that tun is a better choice for less than fully-trusted users.

> Background for the challenge is that OpenVPN might be useful as an
> additional security layer on top of WLAN-WEP, but tap somewhat defeats
> the purpose.
>
> > I think that Windows users are going to prefer a tap interface anyways,
> > because it carries the kind of traffic and protocols which Windows
> > applications generate, such as broadcast traffic and non-IP protocols.
>
> I for one don't need Windoze broadcast traffic gated, and "my" Windows
> boxes hardly generate non-IP traffic. IPX or NetBEUI drivers aren't
> installed on the Windows machines I maintain. ARP isn't needed. Granted,
> if you need IGMP, you'll want tap, but I'd guess that the SMB browsing
> can deal with most of the "problems".

I totally agree that a tun driver for Windows would be nice to have. In
fact I would guess that the TAP-Win32 driver might even be close to the
task, if you could figure out the right DDK magic to export a
point-to-point WAN interface that binds to IPv4 instead of 802.3.

Interested in doing some driver development?

James
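Added illustration, not part of the thread above: two static-key OpenVPN configurations of the era, one per mode, showing the difference the two posters are arguing about. The hostnames, the 10.8.0.0/24 addresses and the key file name are placeholders; the directives (dev, ifconfig, remote, secret) are the ones documented for OpenVPN 1.x, and the firewall hint is an assumption about how an administrator would compensate in tap mode.

```text
# --- tun mode: a point-to-point IP link ---
# The ifconfig pair pins this end to 10.8.0.1 and the peer to 10.8.0.2.
# The kernel route for the tunnel points at exactly that peer address, so a
# peer that picks a different address gets no return traffic (the thread's
# "only works for a specific IP"); there is no ARP or broadcast to relay.
dev tun
remote peer.example.invalid      # placeholder hostname
ifconfig 10.8.0.1 10.8.0.2       # local, remote
secret static.key                # placeholder pre-shared key file

# --- tap mode: an Ethernet segment ---
# ifconfig takes an address and netmask; the peer is free to claim any
# address in 10.8.0.0/24 and ARP for it, which is convenient for SMB
# browsing but is what makes tap a poor fit for "half-trusted" users.
# Assumed mitigation: filter on the tap interface with the host firewall
# (pf on OpenBSD) so only the addresses you assigned are accepted.
dev tap
remote peer.example.invalid
ifconfig 10.8.0.1 255.255.255.0  # address, netmask
secret static.key
```

The security point of the example is the one Andree makes: in tun mode the peer's address is fixed by configuration on the far end, whereas in tap mode address assignment is left to the peer and must be enforced elsewhere if it is to mean anything.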