Matthias Andree <ma+ovpnd@...> said:
> On Mon, 15 Sep 2003, James Yonan wrote:
> > Yes, this is a problem. For OpenBSD to talk to Windows over OpenVPN, we need
> > either a tun driver for Windows or a tap driver for OpenBSD.
> > My guess is that the easier and better solution would be to solve the tap on
> > OpenBSD problem, rather than the tun on Windows problem.
> I'd like to challenge the "better" claim:
I mean "better" only in the sense of simpler configuration -- i.e. not needing
to set up a WINS server to make cross-subnet browsing work. I agree that tun
is more scalable, secure, etc.
> The tap driver gives full Ethernet tunnelling, so the Windows box gets
> to choose the IP, gets ARP traffic tunnelled and all that. That's pretty
> much power IMO.
> The tun driver, in contrast, only works for a specific IP; if the
> Windows box chooses another one, it's not getting any traffic back.
> I consider this a security relevant choice, if I have "half-trusted"
> users, tap isn't really an option.
I would agree that tun is a better choice for less than fully-trusted users.
> Background for the challenge is that OpenVPN might be useful as an
> additional security layer on top of WLAN-WEP, but tap somewhat defeats
> the purpose.
> > I think that Windows users are going to prefer a tap interface anyways,
> > because it carries the kind of traffic and protocols which Windows
> > applications generate, such as broadcast traffic and non-IP protocols.
> I for one don't need Windoze broadcast traffic gated, and "my" Windows
> boxes hardly generate non-IP traffic. IPX or NetBEUI drivers aren't
> installed on the Windows machines I maintain. ARP isn't needed. Granted,
> if you need IGMP, you'll want tap, but I'd guess that the SMB browsing
> can deal with most of the "problems".
I totally agree that a tun driver for Windows would be nice to have. In fact
I would guess that the TAP-Win32 driver might even be close to the task, if
you could figure out the right DDK magic to export a point-to-point WAN
interface that binds to IPv4 instead of 802.3. Interested in doing some