Difference between tun and tap: is it the interfaces that handle protocols, or the OS?
I have difficulty understanding the difference between a tap and a tun interface. I know it is an often-asked question and I apologize for that. I asked the same question on Stack Overflow and someone told me to try this forum, so I hope I'm in the right place. Moreover, I'm only curious about networks; I'm not a networking student or professional, so forgive me if my questions are too easy for you.

I read that tap works at layer 2 and tun works at layer 3. I also read that tap is used for bridging and tun is used for routing. I have already heard things like «ROUTERS work at layer 3» or «BRIDGES work at layer 2»: this makes sense to me because routers manipulate layer 3 protocols and bridges manipulate layer 2 protocols. But because tap and tun are «interfaces», a sentence like «INTERFACES work at layer 3» should mean something, yet I don't understand what: an interface doesn't manipulate protocols (the OS does that, not the interface), so it sounds like tun interface == tap interface.

If I create two tap interfaces (with tunctl) with two IPs on different networks (192.168.2.1/24 and 192.168.3.1/24), then link each one to a KVM virtual machine (one tap interface per VM) and enable routing on the host, my two VMs can communicate. So tap interfaces can also be used for routing: what is the difference with tun? Maybe a tap is also a tun interface?

Also, I can create a tap interface with the tunctl command, but how can I create a tun interface with the same command (the command is called TUNctl, not TAPctl)? Moreover, someone told me:
a TUN device is a virtual Ethernet adapter whereas a TAP device is a virtual point-to-point IP link (in case these don’t make sense, ask your search engine what is the difference between point-to-point ip link and an Ethernet)
- What is a «point-to-point IP link»? As I understand it, a point-to-point link is, when we have a network of several machines, communication between two machines without the other machines knowing about it. So I guess a «point-to-point IP link» is a specific case of what one could call a «layer 3 point-to-point link», meaning the point-to-point connection is ensured by layer 3. Is that right?
- If I have several PCs connected to a switch by Ethernet, all links can be considered «point-to-point IP links». The Wikipedia Ethernet page says a similar thing («(...) which was designed for point-to-point links»). Same thing here: http://ethernetdirect.com/support_faqs.asp («Ethernet is a point to point network scheme»). So what is the difference between a «point-to-point IP link» and an Ethernet link?
Can you help me to clarify that?
Thank you for the answer. I already read these documents but they don't really help. First, on Wikipedia they use the tun/tap «DEVICE» terminology, so what is the difference between a device and an interface (when I execute tunctl and then ifconfig, I see interfaces)? Second, the openvpn.com FAQ says: «When you are bridging, you must always use --dev tap on both ends of the connection. If you are routing you can use either --dev tap or --dev tun, but you must use the same on both ends of the connection. --dev tun tends to be slightly more efficient for the routing case.» Why is tun more efficient?
I’ve concluded that everyone in the world that knows this distinction is either too busy, or just doesn’t care/have the time to explain it to anyone else/document it. Sigh.
3 Answers
The essential difference between TUN and TAP is the OSI layer at which they function (this does not include the programming required for each type of device):
- TAP (OSI Layer 2): the name TAP comes from «to TAP into», where you make a physical connection to the material (not just Ethernet cables; you could TAP into a barrel of beer, for example).
TAP functions as a physical extension of the Ethernet cable your computer is connected to. This means it can pass any frame which exists on that wire, e.g. IPv4/6, Netware IPX, AppleTalk, etc.
- TUN (OSI Layer 3): the name TUN comes from TUNnel.
TUN functions as an end point of a TUNnel and only passes routable IPv4 packets (and IPv6 where supported). It also requires routing to be correctly set up so that those packets can be routed to the next hop.
OpenVPN provides this information.
Moreover, someone told me:
a TUN device is a virtual Ethernet adapter whereas a TAP device is a virtual point-to-point IP link
As you can now see, that is the wrong way around.
A system can have multiple different types of network adapter.
A TAP interface represents a virtual Ethernet adapter. Packets passing over the virtual adapter will be in the form of Ethernet frames with source and destination MAC addresses (though I think they may omit the frame check sequence; not sure on that). Just like with a real Ethernet adapter, the kernel will use ARP/ND to translate the «next hop IP address» into a MAC address and will perform MAC filtering on incoming packets. Just like with a real Ethernet adapter, a tap interface can (if desired) be included as part of an Ethernet bridge.
A TUN interface represents a virtual «raw» adapter. Packets passing across the virtual adapter are raw packets from the layer 3 protocol, with an optional header to indicate the packet type and flags. The kernel will make no attempt to translate the next hop IP address into any form of lower level address.
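Both answers above draw the same line: a TAP hands the program Ethernet frames and the kernel runs ARP/ND on it, while a TUN hands the program bare IP packets (optionally preceded by a 4-byte packet-information header) and never resolves a MAC address. The C program below is an added example, not code from this thread or from OpenVPN, and it shows where that line actually lives: the same /dev/net/tun clone device is opened for both kinds, and the whole difference is the IFF_TUN or IFF_TAP flag passed to the TUNSETIFF ioctl (which is also what iproute2's `ip tuntap add dev tun0 mode tun` issues, answering the tunctl question from the post). It assumes Linux with CAP_NET_ADMIN to create the device, the device names tun0/tap0, and the SAMPLE_* byte strings, which are constructed by hand rather than captured; the parsers and the self-check run on those samples without any privileges.

```c
/* tuntap_demo.c: open a TUN or TAP device via /dev/net/tun and classify what
 * read() returns. Added example for this thread, not code from the answers or
 * from OpenVPN. Assumes Linux, CAP_NET_ADMIN, the device names tun0/tap0 and
 * the hand-constructed SAMPLE_* bytes below (not captured traffic).
 *   TAP: read() yields an Ethernet frame (14-byte header, then payload).
 *   TUN: read() yields an IP packet; without IFF_NO_PI the kernel prepends a
 *        4-byte packet-information header (u16 flags, be16 EtherType). */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#endif

#define ETH_HDR_LEN 14        /* dst MAC(6) + src MAC(6) + EtherType(2) */
#define PI_HDR_LEN   4        /* struct tun_pi */
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD
enum dev_kind { DEV_TUN, DEV_TAP };

/* Create or attach to a tun/tap device; returns the fd or -1. The only
 * difference between the two kinds is IFF_TUN vs IFF_TAP in the TUNSETIFF
 * ioctl, which is also what `ip tuntap add dev tun0 mode tun` issues. */
int tuntap_open(const char *name, enum dev_kind kind, int with_pi)
{
#ifdef __linux__
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = (kind == DEV_TAP ? IFF_TAP : IFF_TUN) | (with_pi ? 0 : IFF_NO_PI);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { close(fd); return -1; }
    return fd;
#else
    (void)name; (void)kind; (void)with_pi;
    return -1;                /* the ioctl interface is Linux-specific */
#endif
}

static unsigned be16(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* TAP: buffer is an Ethernet frame; return its EtherType, or -1 if too short. */
int tap_ethertype(const unsigned char *frame, size_t len)
{
    return len < ETH_HDR_LEN ? -1 : (int)be16(frame + 12);
}

/* TUN: buffer is a bare IP packet (IFF_NO_PI) or PI header + IP packet.
 * Return 4 or 6, or -1 if it is short or the PI proto and IP version disagree. */
int tun_ip_version(const unsigned char *pkt, size_t len, int with_pi)
{
    unsigned proto = 0;
    int version;
    if (with_pi) {
        if (len < PI_HDR_LEN) return -1;
        proto = be16(pkt + 2);
        pkt += PI_HDR_LEN; len -= PI_HDR_LEN;
    }
    if (len < 1) return -1;
    version = pkt[0] >> 4;
    if (version != 4 && version != 6) return -1;
    if (with_pi && proto != (version == 4 ? ETHERTYPE_IPV4 : ETHERTYPE_IPV6)) return -1;
    return version;
}

/* Constructed samples (trailing bytes are zero-filled; enough for the parsers). */
const unsigned char SAMPLE_TAP_ARP[42]  = {0xff,0xff,0xff,0xff,0xff,0xff,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06};            /* broadcast ARP on a TAP */
const unsigned char SAMPLE_TAP_IPV4[34] = {0x02,0x00,0x00,0x00,0x00,0x02,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00, 0x45};      /* unicast IPv4 on a TAP */
const unsigned char SAMPLE_TUN_NOPI[20]   = {0x45};                      /* TUN, IFF_NO_PI */
const unsigned char SAMPLE_TUN_PI_V6[44]  = {0x00,0x00,0x86,0xdd, 0x60}; /* TUN, PI + IPv6 */
const unsigned char SAMPLE_TUN_PI_BAD[24] = {0x00,0x00,0x08,0x00, 0x60}; /* PI says v4, header v6 */

/* Runs the parsers over the samples; returns 1 when every result is as expected. */
int self_check(void)
{
    return tap_ethertype(SAMPLE_TAP_ARP, sizeof SAMPLE_TAP_ARP) == 0x0806
        && tap_ethertype(SAMPLE_TAP_IPV4, sizeof SAMPLE_TAP_IPV4) == ETHERTYPE_IPV4
        && tun_ip_version(SAMPLE_TAP_IPV4 + ETH_HDR_LEN, sizeof SAMPLE_TAP_IPV4 - ETH_HDR_LEN, 0) == 4
        && tun_ip_version(SAMPLE_TUN_NOPI, sizeof SAMPLE_TUN_NOPI, 0) == 4
        && tun_ip_version(SAMPLE_TUN_PI_V6, sizeof SAMPLE_TUN_PI_V6, 1) == 6
        && tun_ip_version(SAMPLE_TUN_PI_BAD, sizeof SAMPLE_TUN_PI_BAD, 1) == -1;
}

int main(int argc, char **argv)
{
    unsigned char buf[2048];
    enum dev_kind kind = (argc > 1 && !strcmp(argv[1], "tap")) ? DEV_TAP : DEV_TUN;
    const char *name = kind == DEV_TAP ? "tap0" : "tun0";
    int fd;
    ssize_t n;
    printf("self-check on constructed samples: %s\n", self_check() ? "ok" : "FAILED");
    fd = tuntap_open(name, kind, 0);
    if (fd < 0) { perror("tuntap_open (needs Linux and CAP_NET_ADMIN)"); return 1; }
    /* In another shell: bring the interface up, give it an address, send traffic.
     * The kernel does ARP/ND only on the TAP, so a TUN never hands you a MAC header. */
    n = read(fd, buf, sizeof buf);
    if (n < 0) { perror("read"); return 1; }
    if (kind == DEV_TAP)
        printf("%s: %zd-byte Ethernet frame, EtherType 0x%04x\n", name, n, tap_ethertype(buf, (size_t)n));
    else
        printf("%s: %zd-byte IPv%d packet, no link-layer header\n", name, n, tun_ip_version(buf, (size_t)n, 0));
    close(fd);
    return 0;
}
```

Build with `cc -o tuntap_demo tuntap_demo.c` and run `./tuntap_demo tun` or `./tuntap_demo tap` as root; then, from another shell, bring the interface up, assign an address and ping something through it. The TAP read will usually show an ARP request (EtherType 0x0806) before any IP, because the kernel must resolve the next hop's MAC before it can send the packet, while the TUN read shows the IPv4 packet straight away. That extra 14-byte header and the ARP traffic are exactly what a TAP-based tunnel carries and a TUN-based one does not, which is the concrete content of the OpenVPN FAQ remark, quoted in the comments, that `--dev tun` is slightly more efficient for routing. The `SAMPLE_TUN_PI_BAD` case shows the check a reader of a TUN with packet information should do: the PI header's EtherType and the IP version nibble are two separate claims about the same packet, and the parser rejects the packet when they disagree rather than trusting either one.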
I know it has been a long time since this question was asked, and other answers have provided technical information about the difference between TAP and TUN, so I won't bother to repeat what has been said.
I want to reply to the question from the perspective of «language confusion».
Reading through the question, I feel a large part of your confusion and frustration came from the confusing and conflicting uses/meanings of words in the materials you read. I think the key problem is: a word/term can be used to denote different things according to the context. If the writer of a document wants to get a point across to his/her readers, the writer must be able to let the readers see the context. However, it also partially depends on whether the readers have sufficient or the right knowledge to clearly see the context.
When the writer and the readers are somehow not in the same context, confusion happens.
It's hard to blame either party, but I personally think the writers should be blamed more, because it's they who want to deliver a point to the readers, so they naturally undertake the burden of speaking clearly.
To clarify your confusion below:
this make sense for me because routers manipulate layer 3 protocols and bridge manipulate layer 2 protocols? but, because tap and tun are «interfaces», it means the sentence like «INTERFACES work at layer 3» has a sense but I don’t understand what it is : I mean interfaces doesn’t manipulate protocols(the OS do that but not an interface) so it sounds like tun interface == tap interface:
You need to know that the word «interface» actually refers to two objects here.
Think about a physical bridge or router: it is a box with ports. These ports are where you plug in cables. The manipulation of the layer-2 or layer-3 protocol does not happen on those ports but inside the box, by the software running there. So if somebody said «the ports on a bridge/router work at layer 2/3», it would sound weird, because it's the box that works at layer 2/3, not the ports themselves.
However, if we look at a bridge or a router in a larger context, i.e., in the context of the entire networks that sit behind them, it may be OK to say that the bridge or the router is the «interface» between the networks. Here, we are no longer seeing the bridge/router as a «box» but a «dot» that is connected to the larger systems behind. Yes, it’s still true that a bridge or a router is a box with ports, but in this larger context, we don’t care much about the details on this box. We see this box as a whole thing. Therefore, in this context, the word «interface» does not merely refer to the ports on the box; it includes the box which is able to manipulate the Layer-2/3 protocols.
So, back to the question about tap and tun. I think:
- A tap or a tun is an interface (in the sense of a port) because it doesn't manipulate the protocols.
- When we look at a larger context where we view the tap / tun interface together with the program/OS/VM sitting behind it as a whole thing, we could say this is the «interface» that other systems talk to. The meaning of the word «interface» slightly changes here, and if you don’t notice that or the writer fails to let you notice it, confusion happens.
Difference between tun and tap: is it the interfaces that handle protocols, or the OS?
I have difficulty understanding the difference between a tap and a tun interface. I know it is an often-asked question and I apologize for that. I read that tap works at layer 2 and tun works at layer 3. I also read that tap is used for bridging and tun is used for routing. I have already heard things like «ROUTERS work at layer 3» or «BRIDGES work at layer 2»: this makes sense to me because routers manipulate layer 3 protocols and bridges manipulate layer 2 protocols. But because tap and tun are «interfaces», a sentence like «INTERFACES work at layer 3» should mean something, yet I don't understand what: an interface doesn't manipulate protocols (the OS does that, not the interface), so it sounds like tun interface == tap interface. If I create two tap interfaces (with tunctl) with two IPs on different networks (192.168.2.1/24 and 192.168.3.1/24), then link each one to a KVM virtual machine (one tap interface per VM) and enable routing on the host, my two VMs can communicate. So tap interfaces can also be used for routing: what is the difference with tun? Maybe a tap is also a tun interface? Also, I can create a tap interface with the tunctl command, but how can I create a tun interface with the same command (the command is called TUNctl, not TAPctl)? Can you help me to clarify that? Thank you.
I think the community in general, and you too, would benefit if you spent some time reading about what topics are welcome here. Please consider closing your question and asking it instead on Unix & Linux or Super User. To answer your question, the difference is this: a TUN device is a virtual Ethernet adapter whereas a TAP device is a virtual point-to-point IP link (in case these don't make sense, ask your search engine what the difference is between a point-to-point IP link and Ethernet).
«Questions on professional server, networking, or related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools.» OK, you're all right, I'm sorry. Because of your answer I did (and am continuing) research about point-to-point IP links and Ethernet links, but it is still not clear: it seems Ethernet can be a point-to-point link (and not a broadcast link), and with IP I can do broadcast. I will ask my question on Unix & Linux.