What is TUN/TAP? How to enable it in OpenVZ?

TUN/TAP provides packet reception and transmission for user space programs. TUN (network TUNnel) is a network layer device and TAP (network TAP) is a link layer device; both are virtual network kernel devices. The TUN/TAP kernel module must be enabled in a VPS for VPN configuration, because TUN is used with routing and TAP is used for creating a network bridge. A TUN/TAP device can be viewed as a simple point-to-point or Ethernet device that sends packets to and receives packets from a user space program. TUN works with IP packets whereas TAP works with Ethernet frames.

TUN and TAP devices are most commonly used in two distinct application scenarios:

1) VPN software (such as OpenVPN): In this case, the kernel sends its network packets to the tun or tap devices and the VPN software will then encrypt and forward them to the opposite side of the VPN tunnel where they get decrypted and delivered to their destination.

2) System virtualization/emulation packages: In this scenario, the virtualized OS instance talks to a fake network device, and the virtualization software creates a tap device and interconnects the two so that the host system can talk to the guest and vice versa.

The platforms supported by the TUN/TAP driver are Linux kernels 2.2.x and 2.4.x, FreeBSD 3.x, 4.x and 5.x, and Solaris 2.6, 7.0 and 8.0.

TUN Interfaces

TUN devices work at the IP level, layer three of the network stack, and are usually point-to-point connections. A TUN device gives the VPN software an opportunity to encrypt the data before it is put on the wire, so the typical use for a TUN device is establishing VPN connections. Because TUN devices work at layer three, they can only accept IP packets (in some cases only IPv4), can't be used in bridges and don't typically support broadcasting.

TAP Interfaces

TAP devices work at the Ethernet level, layer two of the network stack, so a TAP device behaves like a real network adaptor. Because it runs at layer two, it can transport any layer three protocol and isn't limited to point-to-point connections. TAP devices can be part of a bridge and are commonly used in virtualization systems to supply virtual network adaptors to multiple guest machines.

Working

The TunTap package consists of a pair of kernel extensions, one providing tun interfaces and one providing tap interfaces. They create a set of character devices, /dev/tunX and /dev/tapX respectively, where X is a number between zero and the maximum number of supported virtual interfaces. A virtual network interface is created in the system when an application opens the character device, say /dev/tap0, and it is named tap0. The network interface can be assigned addresses just like any other network interface. After interface configuration completes, packets that the kernel sends through this interface can be read one packet at a time from the character device, and packets written to the character device are sent into the kernel's network stack. For tun interfaces, the packets that are read and written are IP packets; for tap interfaces, the packet format is Ethernet frames.
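The difference between what a tun read and a tap read return, as an added example that is not part of the original article. It assumes Linux, where one clone device /dev/net/tun plus the TUNSETIFF ioctl takes the place of per-interface /dev/tunX nodes; the sample bytes and addresses are constructed.

```python
import fcntl, os, socket, struct

TUNSETIFF = 0x400454CA                       # ioctl number from <linux/if_tun.h>
IFF_TUN, IFF_TAP, IFF_NO_PI = 0x0001, 0x0002, 0x1000

def ifreq(name, tap):
    """Pack struct ifreq: 16-byte name, 16-bit flags, padded to 40 bytes."""
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI   # NO_PI: no 4-byte prefix
    return struct.pack("16sH22x", name.encode(), flags)

def open_device(name, tap=False):
    """Attach to interface `name`; needs root or CAP_NET_ADMIN."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, ifreq(name, tap))
    return fd                                # each os.read(fd, 65535) is one packet

def describe_ip(pkt):
    """Summarise what a read from a tun device returns: a bare IP packet."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        return "IPv4 proto=%d %s -> %s" % (
            pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]))
    if version == 6 and len(pkt) >= 40:
        return "IPv6 next=%d %s -> %s" % (
            pkt[6], socket.inet_ntop(socket.AF_INET6, pkt[8:24]),
            socket.inet_ntop(socket.AF_INET6, pkt[24:40]))
    return "not an IP packet"

def describe_frame(frame):
    """Summarise what a read from a tap device returns: an Ethernet frame."""
    if len(frame) < 14:
        return "truncated frame"
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype in (0x0800, 0x86DD):        # IPv4 / IPv6 payload
        return "%s -> %s | %s" % (src, dst, describe_ip(frame[14:]))
    return "%s -> %s | ethertype=0x%04x" % (src, dst, ethertype)

# Constructed samples: an IPv4 header as read from tun, then the same packet
# and an ARP frame as read from tap (MAC and IP addresses are made up).
SAMPLE_IP = bytes.fromhex("4500001400000000400100000a0800010a080002")
MAC_HDR = bytes.fromhex("020000000002" "020000000001")
SAMPLE_FRAME = MAC_HDR + b"\x08\x00" + SAMPLE_IP
SAMPLE_ARP = MAC_HDR + b"\x08\x06" + bytes(28)

if __name__ == "__main__":
    print(describe_ip(SAMPLE_IP))
    print(describe_frame(SAMPLE_FRAME))
    print(describe_frame(SAMPLE_ARP))
```

The ARP frame decodes only through describe_frame, which is the practical meaning of "TAP can transport any layer three protocol": a tun reader never sees it.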

Enable TUN/TAP Module in OpenVZ

OpenVZ supports VPN inside a container via kernel TUN/TAP module and device.

1) Check whether the tun module is already loaded on the node.

# lsmod | grep tun

2) Load the tun module if it is not already loaded

# modprobe tun

3) Run the following commands on the node, replacing CID with the container ID

# vzctl set CID --devnodes net/tun:rw --save

# vzctl set CID --devices c:10:200:rw --save

# vzctl stop CID

# vzctl set CID --capability net_admin:on --save

# vzctl start CID

# vzctl exec CID mkdir -p /dev/net

# vzctl exec CID chmod 600 /dev/net/tun

4) Check whether TUN/TAP is enabled

# cat /dev/net/tun

If the output is “File descriptor in bad state”, TUN/TAP is enabled.

If the output is “No such device”, TUN/TAP isn’t enabled.
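The same check as step 4 in scriptable form, as an added example that is not part of the original article: it confirms the node is the character device 10:200 with the mode 600 set in step 3, then repeats what cat does and maps the error to a verdict. The function names and verdict strings are illustrative.

```python
import errno, os, stat

TUN_PATH = "/dev/net/tun"
TUN_DEV = (10, 200)          # major, minor: the c:10:200 granted in step 3

def check_node(mode, rdev):
    """Compare st_mode/st_rdev of the node with what step 3 sets up."""
    problems = []
    if not stat.S_ISCHR(mode):
        problems.append("not a character device")
    elif (os.major(rdev), os.minor(rdev)) != TUN_DEV:
        problems.append("device is %d:%d, expected 10:200"
                        % (os.major(rdev), os.minor(rdev)))
    if stat.S_IMODE(mode) & 0o077:           # any group/other permission bit
        problems.append("mode %o is wider than 600" % stat.S_IMODE(mode))
    return problems

VERDICTS = {
    errno.EBADFD: "enabled: read fails only because no interface is attached",
    errno.ENODEV: "not enabled: no tun driver behind the node",
    errno.ENOENT: "not enabled: device node is missing",
    errno.EACCES: "node exists but this user may not open it",
    errno.EPERM: "node exists but the container may not use it",
}

def diagnose(err):
    """Map an errno from stat/open/read on the node to a verdict."""
    return VERDICTS.get(err, "unexpected error: " + os.strerror(err))

def probe(path=TUN_PATH):
    """Do what `cat /dev/net/tun` does, but return a verdict instead of text."""
    try:
        st = os.stat(path)
        problems = check_node(st.st_mode, st.st_rdev)
        if problems:
            return "misconfigured: " + "; ".join(problems)
        fd = os.open(path, os.O_RDONLY)
    except OSError as e:
        return diagnose(e.errno)
    try:
        os.read(fd, 1)       # fails with EBADFD: "File descriptor in bad state"
    except OSError as e:
        return diagnose(e.errno)
    finally:
        os.close(fd)
    return "unexpected: read returned data"

if __name__ == "__main__":
    print(probe())
```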

Benefits of TAP

1) It behaves like a real network adapter (except it’s a virtual network adapter)

2) It can transport any network protocol (IPv4, IPv6, Netalk, IPX, etc.)

3) Works in layer 2, which means that Ethernet frames are passed over the VPN tunnel

4) It can be used in bridges

Drawbacks of TAP

1) It causes far more broadcast overhead on the VPN tunnel

2) Adds the overhead of Ethernet headers on all packets transported over the VPN tunnel

3) It scales poorly

4) It can’t be used with Android or iOS devices

Benefits of TUN

1) Lower traffic overhead: it transports only traffic that’s destined for the VPN client

2) Transports only layer 3 IP packets

Drawbacks of TUN

1) Broadcast traffic isn’t normally transported

2) Can only transport IPv4 (OpenVPN 2.3 adds IPv6)

3) Can’t be used in bridges.

If you need any help please contact our support department.

