I always set up tun. Tap is used by ethernet bridging in OpenVPN and introduces an unprecendented level of complexity that is simply not worth bothering with. Usually when a VPN needs to be installed, its needed now, and complex deployments don't come fast. The OpenVPN FAQ and the Ethernet Bridging HOWTO are excellent resources on this topic.

TUN vs. TAP interface Most operating systems nowadays support something called a tunnel -device, which makes it possible to divert IPv4 (and often other protocols, too) into a user space daemon like gvpe. There are two interface types within OpenVPN, that are used. tun, RouterOS defines this as ip. tap, which is needed for bridge mode gateways. RouterOS defines this as ethernet. Device Mode: tun; Interface: set it to whatever external interface you want to have your OpenVPN server listening on. Local port: set it to the port you want the local OpenVPN server to listen on. Default is '1194'. TUN works with IP frames whereas TAP works with Ethernet frames. TUN and TAP devices are most commonly used in two distinct application scenarios: 1) VPN software (such as OpenVPN): In this case, the kernel sends its network packets to the tun or tap devices and the VPN software will then encrypt and forward them to the other side of the VPN. The only way I could let OpenVPN run as it should was to disable firewall completely on the TUN/TAP adapter. If not, even though access to the vpn was ok from the client to the vpn network, no access was enabled to the client by the vpn network, because windows firewall was blocking any access to the "considered public and unidentified" network.

HOW TO Introduction. OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface.

