Channel: Should I use tap or tun for openvpn? - Server Fault

Answer by Vincent for Should I use tap or tun for openvpn?


Setting up TAP requires almost no additional work from the person setting it up.

Of course, if you know how to set up TUN but don't understand what you're doing and are simply following a TUN tutorial, you will be fighting to set up TAP, not because it's more difficult but because you don't know what you're doing. That can easily lead to network conflicts in a TAP environment, and then it looks like it's more complicated.

Fact is, if you don't need a tutorial because you know what you're doing, setting up TAP takes as much time as setting up TUN.

With TAP there are many solutions for subnetting; I found the easiest way is to use a class B subnet: site1 (Network1) using 172.22.1.0/16, site2 (Network2) using 172.22.2.0/16, site3 using 172.22.3.0/16, etc.

You set up site1 with the OpenVPN server and give clients the IP range 172.22.254.2 - 172.22.254.255/16, so you can have over 200 OpenVPN clients (subnets), and each subnet can have over 200 clients in itself. That makes a total of 40,000 clients you can handle (I doubt OpenVPN can handle that, but as you see, setting up proper subnetting will give you more than you will most likely ever need).

You use a TAP and all clients are together as in a huge corporate network.

IF, however, each site has its own DHCP, and it should have, you need to make sure, using ebtables or iptables or dnsmasq, to block DHCP distribution from going wild. ebtables, however, will slow down the performance. Using dnsmasq dhcp-host=20:a9:9b:22:33:44,ignore, for example, will be a huge task to set up on all DHCP servers. However, on modern hardware the impact of ebtables isn't that big, only 1 or 2%.

The overhead of TAP, roughly 32 compared to TUN, isn't that much of a problem either (it might be on unencrypted networks), but on encrypted networks it's usually the AES that will cause the slowdown.

On my WRT3200ACM, for instance, unencrypted I get 360Mbps. Using encryption it goes down to 54-100Mbps depending on what kind of encryption I choose, but OpenVPN doesn't do encryption on 1500 and a 2nd encryption on the 32 overhead. Instead it does a one-time encryption on 1500+32 overhead.

So the impact here is minimal.

On older hardware you might notice the impact more, but on modern hardware it's really down to the minimum.

Encryption between 2 virtual machines with AES support gets my OpenVPN with TAP to 120-150Mbps.

Some report dedicated routers WITH AES hardware encryption support getting as high as 400Mbps! 3 times faster than an i5-3570k can do (which on my test system couldn't get higher than 150Mbps at 100% utilization of 1 core). My other end, an E3-1231 v3, was then at roughly 7% CPU utilization; around 25% of the core OpenVPN was using was utilized. So the E3 most likely could increase the connection by 3 to 4 times.

So you'd have something between 360Mbps and 600Mbps with a connection between E3-1231 v3 CPUs doing TAP, AES256 cipher, auth SHA256 and ta.key, certificates; for tls-cipher I also used the highest, TLS-DHE-RSA-WITH-AES-256-SHA256.

To point this out, with TAP: WRT3200ACM gets up to 70-80Mbps with encryption. i5-3570k gets to 120-150 with encryption. E3-1231 v3 gets at least 360Mbps with encryption (this is interpolated from my findings with case 1 and 2 because I didn't have 2 E3-1231 v3 to test with).

These are my findings based on Windows-to-Windows copying between 2 clients in 2 different subnets connected by OpenVPN TAP.

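The bridged TAP layout and the DHCP containment the answer above describes, as an added example that is not part of the original answer: a script that emits the hub's OpenVPN server config for the 172.22.x.0/16 scheme and the ebtables rules that keep each site's DHCP server from answering across the tunnel. The interface name tap0, the gateway 172.22.1.1, the pool 172.22.254.2-172.22.254.254 and the config path are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer or the OpenVPN project): bridged TAP hub
# config plus ebtables rules that drop DHCP server replies (UDP 67 -> 68)
# crossing the tap interface, so every site keeps its own DHCP scope.
# Assumptions: tap0 is bridged with the site-1 LAN, the bridge gateway is
# 172.22.1.1/16 and VPN clients get 172.22.254.2-172.22.254.254 from OpenVPN.

# Emit the OpenVPN server config for the site-1 hub (bridged TAP mode).
# $1 = bridge gateway IP, $2 = pool start, $3 = pool end
ovpn_server_conf() {
  cat <<EOF
dev tap0
server-bridge $1 255.255.0.0 $2 $3
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
keepalive 10 120
persist-key
persist-tun
EOF
}

# Emit ebtables rules that drop DHCP server traffic arriving on the tap
# (bridged or locally delivered) and leaving through it, in that order.
# $1 = tap interface name
dhcp_block_rules() {
  for chain in FORWARD INPUT; do
    echo "ebtables -A $chain -i $1 -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 -j DROP"
  done
  echo "ebtables -A OUTPUT -o $1 -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 -j DROP"
}

# Number of rules that would be installed; a quick sanity check before applying.
dhcp_rule_count() { dhcp_block_rules "$1" | wc -l | tr -d ' '; }

# Only touch the system when explicitly asked to (needs root, ebtables, OpenVPN).
if [ "$1" = "--apply" ]; then
  ovpn_server_conf 172.22.1.1 172.22.254.2 172.22.254.254 > /etc/openvpn/server.conf
  dhcp_block_rules tap0 | sh
fi
```

Run it without arguments to review the generated config and rules, and with --apply on the hub once the bridge (eth0 + tap0) exists.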