TUN/TAP Study Notes networking vpn

TUN/TAP

In computer networking, TUN and TAP are kernel virtual network devices. Being network devices supported entirely in software, they differ from ordinary network devices which are backed by physical network adapters.

TUN/TAP provides packet reception and transmission for user space programs. It can be seen as a simple Point-to-Point or Ethernet device which, instead of receiving packets from physical media, receives them from a user space program, and instead of sending packets via physical media, writes them to the user space program.

In order to use the driver a program has to open /dev/net/tun and issue a corresponding ioctl() to register a network device with the kernel. A network device will appear as tunXX or tapXX, depending on the options chosen. When the program closes the file descriptor, the network device and all corresponding routes will disappear.

Depending on the type of device chosen, the userspace program reads and writes IP packets (with tun) or Ethernet frames (with tap). Which one is used depends on the flags given with the ioctl().

Core Definition

TUN/TAP are virtual network interfaces implemented in software. They are created by the kernel driver:

/dev/net/tun

Userspace programs communicate with this driver using:

  • file descriptors
  • ioctl()
  • read()
  • write()

Outbound Direction vs Inbound Direction

tun0 is a virtual network interface. It behaves like a normal network card to the kernel, but instead of real hardware, it connects to a userspace program like OpenVPN.

Outbound

An application sends traffic. Example:

Firefox → kernel networking stack

Kernel decides:

Send through tun0

Instead of sending to Wi-Fi/Ethernet hardware, the kernel gives the packet to the VPN process.

Kernel → tun0 → OpenVPN process

Then OpenVPN sends it over the internet.


Inbound

OpenVPN receives encrypted VPN traffic from the internet. It processes the packet and writes the inner packet back into:

tun0

The kernel treats it like a packet that arrived from a real NIC.

OpenVPN → tun0 → kernel networking stack

Then the packet goes to the application.


TUN vs TAP Internals

TUN

Layer 3 device. Carries IP packets only.

No Ethernet header.

TAP

Layer 2 device. Carries raw Ethernet frames.


Creating TUN/TAP Devices using iproute2

Create TUN:

sudo ip tuntap add dev tun0 mode tun

Create TAP:

sudo ip tuntap add dev tap0 mode tap

Bring interface up:

sudo ip link set tun0 up

Assign IP:

sudo ip addr add 10.10.0.1/24 dev tun0

Inspect:

ip a

Example Routing:

ip route add 192.168.50.0/24 dev tun0

Now traffic destined for 192.168.50.0/24 is routed into the TUN device and handed to the userspace program.


How WireGuard Differs

WireGuard exposes:

wg0

which behaves similarly to a TUN device, but the encryption is done in kernel space rather than by a userspace process, so packets do not have to be copied across the kernel/userspace boundary on every send and receive. This makes it much faster.


TAP and Ethernet Bridging

TAP can participate in Linux bridges. Example:

sudo ip link add br0 type bridge
sudo ip link set tap0 master br0
sudo ip link set eth0 master br0

Now:

tap0 ↔ eth0

behave like switched Ethernet ports. A remote VPN client attached to tap0 therefore appears on the same LAN as eth0, with its frames (and any broadcast traffic) flowing straight onto the physical segment.


TUN/TAP Root Privileges

Creating TUN/TAP usually requires:

CAP_NET_ADMIN

because creating and configuring network interfaces is a privileged operation.