From 950c50fbb72df8f336fc0be1eafdddf3a38756c6 Mon Sep 17 00:00:00 2001 From: Alexander Bergmann Date: Thu, 4 Jul 2024 09:06:01 +0200 Subject: [PATCH] Add Bridged VPN scenario descriptions. --- xml/security_vpnserver.xml | 45 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/xml/security_vpnserver.xml b/xml/security_vpnserver.xml index 8d8fa3d74e..1c2e2f7148 100644 --- a/xml/security_vpnserver.xml +++ b/xml/security_vpnserver.xml @@ -264,12 +264,53 @@ cd /etc/openvpn Bridging is a more complex solution. It is recommended when you need to browse Windows file shares across the VPN without setting up a - Samba or WINS server. Bridged VPN is also needed to use - non-IP protocols (such as IPX) or applications relying on network + Samba or WINS server. Bridged VPN uses network TAP devices, that + simulate a link layer between the VPN endpoints and operate in layer + 2 carrying Ethernet frames. This makes it possible to use non-IP + protocols (such as IPX) or applications relying on network broadcasts. However, it is less efficient than routed VPN. Another disadvantage is that it does not scale well. This scenario is depicted in the following figures. + + + + Scenario 1 + + + The TAP devices are only available on the VPN endpoints + themselves. Layer 2 VPN traffic comes only directly from the + Server (Machine 1) side or the Client (Machine 2). + + + + + Scenario 2 + + + The TAP device tap0 on the Server + (Machine 1) side is bridged to the eth1 + network interface connected to LAN 1. Layer 2 traffic reaching + tap0 via the bridge + br0 will be forwarded via the VPN bridge + to the Client (Machine 2) system. + + + + + Scenario 3 + + + On both sides, the Server (Machine 1) and Client (Machine 2), the + TAP device tap0 is bridged to a local + network interface eth1. Layer 2 traffic + from the client network LAN 2 will be forwarded to the server + network LAN 1 and vice versa. + + + + +
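Review bot: The Scenario 2 text says layer 2 traffic reaching tap0 via br0 "will be forwarded via the VPN bridge to the Client", but br0 is the bridge and the forwarding to the client happens over the VPN tunnel; suggest "will be forwarded through the VPN tunnel to the Client (Machine 2) system" so the bridge and the tunnel are not conflated. Two smaller wording points in the same hunk: "Bridged VPN uses network TAP devices, that simulate a link layer ... and operate in layer 2" should drop the comma before the restrictive "that" and read "operate at layer 2", and Scenario 1's "Layer 2 VPN traffic comes only directly from the Server (Machine 1) side or the Client (Machine 2)" reads more clearly as "Layer 2 traffic originates only from the VPN endpoints themselves, the Server (Machine 1) or the Client (Machine 2)". Since Scenarios 2 and 3 state that layer 2 traffic from LAN 1 (and, in Scenario 3, LAN 2) is forwarded across the tunnel, consider adding one sentence after Scenario 3 noting that bridging both sides joins LAN 1 and LAN 2 into a single broadcast domain, so every host on either LAN becomes reachable at layer 2 from the other and the broadcasts of both networks cross the VPN; this is the scaling and efficiency cost the introduction already mentions, and it is the reason a reader should choose Scenario 1 or 2 unless full LAN-to-LAN bridging is actually required.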