The way I look at it (and hopefully I'm correct - I've never used tap so I haven't tested that), "tun" interfaces are like traditional physical point-to-point WAN links - and one WAN link cannot see the traffic from another WAN link. Similarly, "tap" interfaces are equivalent to a *switch* - not an old-fashioned *bridge*: one device plugged into a switch cannot see the traffic flows of another device (except for broadcasts - which is the only reason you'd use tap anyway). Of course - as Gert mentioned - taps do suffer from the same security issues as switches; you can subvert that general rule by doing tricks with ARP spoofing/etc.
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
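
Added example, not part of the original post: a minimal monitor for the ARP-spoofing caveat mentioned above. It parses raw Ethernet frames as they would be captured on a tap segment and reports any IPv4 address whose claimed MAC changes. The function names, addresses and sample frames are constructed for illustration.

```python
import struct

ETH_P_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_rebinds(frames):
    """Return (ip, old_mac, new_mac) for every sender IP that changes MAC."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip == "0.0.0.0":                  # ARP probe, carries no binding claim
            continue
        old = seen.setdefault(ip, mac)
        if old != mac:                       # same IP now claimed by a different MAC
            alerts.append((ip, old, mac))
            seen[ip] = mac
    return alerts

def make_arp(op, sha, spa, tha, tpa):
    """Build a constructed 42-byte ARP frame (hypothetical helper for the sample data)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    dst = b"\xff" * 6 if op == 1 else mac(tha)
    return (dst + mac(sha) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample: a client asks for the gateway, the gateway answers,
# then a third MAC claims the gateway's IP address.
SAMPLE = [
    make_arp(1, "02:00:00:00:00:06", "10.8.0.6", "00:00:00:00:00:00", "10.8.0.1"),
    make_arp(2, "02:00:00:00:00:01", "10.8.0.1", "02:00:00:00:00:06", "10.8.0.6"),
    make_arp(2, "02:00:00:00:00:66", "10.8.0.1", "02:00:00:00:00:06", "10.8.0.6"),
]

if __name__ == "__main__":
    for ip, old, new in find_rebinds(SAMPLE):
        print(f"ARP rebind: {ip} moved from {old} to {new}")
```

A legitimate change (replaced NIC, failover pair) produces the same alert, so rebinds of addresses such as the gateway deserve review rather than automatic blocking.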