Broadcast network (site-to-site, client, server)
By default, an OpenVPN interface is configured as a “tun” device. A tun device is a virtual network interface that operates on Layer 3 (network layer) traffic, such as IP packets. There are cases in which the virtual interface needs to operate on Layer 2 (link layer) traffic. One example is when the networks on each end of a tunnel must reside on the same subnet. In this case, the two networks must be bridged across the tunnel, and bridging occurs on Layer 2. Another example is when a DHCP Relay resides on one side of a tunnel and the DHCP Server or DHCP clients reside on the other side. Clients broadcast DHCP discovery messages and therefore require a broadcast network. For this reason, DHCP Relay requires that all interfaces to which it binds are broadcast interfaces.
A “tap” device is a virtual network interface that operates on Layer 2 (link layer) traffic and provides a broadcast network. A tap device is automatically configured by the system if the OpenVPN tunnel is to be used to bridge two subnets: if an OpenVPN tunnel is added to a bridge group, a tap device is implied and does not need to be configured explicitly. For cases that do not involve bridging, a tap device must be configured explicitly by using the interfaces openvpn vtunx device-type tap command.
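The following check is an added example, not part of the original documentation. It applies the rules above to a configuration listing and reports OpenVPN interfaces that are bound to DHCP Relay but are still tun devices. Only the device-type tap line comes from this page; the "set" prefix and the mode, bridge-group and dhcp-relay lines are assumed syntax, and the sample configuration is constructed.

```python
import re

# Constructed sample in "set"-command form. Only "device-type tap" is taken
# from the page; the mode, bridge-group and dhcp-relay lines are assumed syntax.
SAMPLE_CONFIG = """\
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 device-type tap
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 bridge-group bridge br0
set interfaces openvpn vtun2 mode client
set interfaces openvpn vtun3 mode client
set service dhcp-relay interface vtun0
set service dhcp-relay interface vtun2
set service dhcp-relay interface eth1
"""


def openvpn_device_types(config):
    """Map each vtun interface to its effective device type, 'tap' or 'tun'."""
    types = {}
    for line in config.splitlines():
        m = re.match(r"set interfaces openvpn (vtun\d+)\s*(.*)", line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        types.setdefault(name, "tun")  # an OpenVPN interface is tun by default
        # Explicit tap, or bridge-group membership (which implies tap).
        if rest[:2] == ["device-type", "tap"] or rest[:1] == ["bridge-group"]:
            types[name] = "tap"
    return types


def relay_on_non_broadcast(config):
    """Return OpenVPN interfaces bound to DHCP Relay that are not tap devices."""
    types = openvpn_device_types(config)
    bound = re.findall(r"^set service dhcp-relay interface (\S+)\s*$",
                       config, re.M)
    # Interfaces that are not OpenVPN tunnels (e.g. eth1) are out of scope.
    return sorted(i for i in bound if types.get(i) == "tun")


if __name__ == "__main__":
    for name in relay_on_non_broadcast(SAMPLE_CONFIG):
        print(f"{name}: bound to DHCP Relay but not a tap device")
```

In the sample, vtun0 passes because tap is set explicitly, vtun1 would pass because bridge-group membership implies tap, and vtun2 is reported.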