Hey all, I have a fully functioning TAP VPN right now with a bridge between the Ethernet interface connected to the router and a virtual TAP device, but I leave it offline whenever possible because I don't think my setup is secure. I selected TAP over TUN because I need broadcast addresses, as my use case is gaming. When going through the tutorial on https://openvpn.net/community-resour...rnet-bridging/ there's this sentence:

"Make sure to only bridge TAP interfaces with private ethernet interfaces which are protected behind a firewall. Never bridge a TAP interface with the same ethernet interface you use to connect to the internet, as that would create a potential security hole."

I am assuming this "security hole" is the fact that anyone who could get into the VPN would be able to have full access to the entire internal network, rather than an isolated subnet as in the TUN case. If this isn't the security hole, can anyone explain what exactly it is?

Currently, the device hosting the server is a device with one Ethernet port connected to the router in a residential network. Clients don't need to access devices on the internal network, just other clients connected to the same VPN and the VPN itself, so I could set up the server's firewall to disallow connections from the address range configured in the server configuration to all other clients in the internal network. Would this be considered secure? I just don't see how clients could connect if the TAP interface isn't bridged with an interface with internet connectivity.
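Added example (editor's addition; not part of the original post and not from the OpenVPN bridging tutorial): one way to implement the firewalling the post describes, with two practitioner caveats built in. First, a bridged TAP client injects raw Ethernet frames, so it can choose any source MAC and source IP it likes; a rule keyed on the VPN address range from the server config is trivially bypassed, so this ruleset keys on the bridge port the frame arrived on (tap0) instead. Second, frames forwarded between bridge ports do not traverse the IP-layer iptables/nftables chains unless br_netfilter is loaded, so the rules live in the nftables bridge family, whose forward hook sees every frame bridged from one port to another. Frames from a client to the server itself (the OpenVPN endpoint on br0's address) take the bridge input path rather than forward, so they are unaffected, and with client-to-client in the server config OpenVPN forwards frames between clients internally (broadcasts included) without putting them on tap0, so that traffic is unaffected as well. The interface names eth0, tap0 and br0 and the file path are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed layout (not from the post): br0 has two ports, eth0 (cable to the
# residential router) and tap0 (OpenVPN, TAP mode, "server-bridge" config).
# The OpenVPN daemon listens on br0's own address, so client<->server packets
# are delivered locally and never hit the bridge forward hook below.

# Declare, then flush, so re-loading this file replaces the old rules atomically.
table bridge vpn_isolation
flush table bridge vpn_isolation

table bridge vpn_isolation {
    chain forward {
        # bridge-family forward hook: every frame being bridged from one port
        # to another passes here, regardless of br_netfilter. Policy stays
        # accept so frames between any other ports (none, in this layout)
        # behave as before.
        type filter hook forward priority 0; policy accept;

        # VPN clients must not reach anything on the LAN side of the bridge.
        # Keyed on the ingress port, not on the client's claimed IP/MAC.
        iifname "tap0" oifname "eth0" counter log prefix "vpn->lan blocked: " drop

        # LAN hosts must not reach VPN clients either: stops the LAN being a
        # pivot into the VPN segment and keeps LAN broadcasts (router ARP,
        # mDNS, SSDP, DHCP offers) from being pushed down every tunnel.
        iifname "eth0" oifname "tap0" counter log prefix "lan->vpn blocked: " drop
    }
}
```

Load it with `nft -f /etc/nftables.d/vpn_isolation.nft` (assumed path) and confirm with `nft list table bridge vpn_isolation`; the counters on the two drop rules should climb when a VPN client tries to ping a LAN host, and stay flat while clients talk to each other or to the server. Note what this does and does not buy you: a compromised or malicious client is contained to the VPN segment and the server host, but the server host itself is still fully exposed to every client over the bridge, so its own listening services still need their own input filtering. It also does nothing about the specific warning in the tutorial, which is about bridging onto the interface that faces the internet; that is worth ruling out separately by confirming eth0 really sits only on the private side of the router.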