Concept
From the Linux kernel documentation:
TUN/TAP provides packet reception and transmission for user space programs. It can be seen as a simple Point-to-Point or Ethernet device, which, instead of receiving packets from physical media, receives them from user space program and instead of sending packets via physical media writes them to the user space program.
In other words, TUN/TAP interfaces are virtual interfaces that does not have physical devices associated. A user space program can attach to a TUN/TAP interface and handle the traffic sent to the interface.
Difference
A TUN interface is a virtual IP Point-to-Point interface and a TAP interface is a virtual Ethernet interface. That means the user program can only read/write IP packets from/to a TUN interface and Ethernet frames from/to a TAP interface.
Use Cases
The typical use case of a TUN interface is IP tunneling. For example,
OpenVPN receives packets from a TUN interface such as
tun0
and encrypts it before sending to the real ethernet interface eth0
.
Then the OpenVPN client on the peer receives the packet from eth0
and decrypts
it before sending it to tun0
. In other words, OpenVPN works as a proxy between
tun0
and eth0
and creates a encrypted UDP connection over the internet
between two hosts[5].
(Image credit [6])
The typical use case of a TAP interface is virtual networking. For example, in
Linux Bridge Part 1, we’ve seen that when we
create a VM in the KVM with bridged network, it creates a TAP interface like
vnet0
and adds it to the Linux bridge. In this case, KVM is the userspace
program which reads from and writes to the TAP interfaces. When VM0 sends a
packet to its eth0
, KVM sends it to TAP interface vnet0
so that the bridge
will forward it to vnet1
. Then KVM receives it and sends it to VM1’s eth0
.
Managing TUN/TAP interfaces
ip tuntap
can be used to manage TUN/TAP interfaces. For example:
$ ip tuntap help
Usage: ip tuntap { add | del | show | list | lst | help } [ dev PHYS_DEV ]
[ mode { tun | tap } ] [ user USER ] [ group GROUP ]
[ one_queue ] [ pi ] [ vnet_hdr ] [ multi_queue ]
Where: USER := { STRING | NUMBER }
GROUP := { STRING | NUMBER }
Reference
[1] Understanding TUN TAP
Interfaces
[2] tuntap
[3] Tun/Tap interface
tutorial
[4] TUN, TAP and Veth - Virtual Networking Devices
Explained
[5] What is the principle behind OpenVPN
tunnels?
[6] OpenVPN: how secure virtual private networks really work