OpenVPN is an open-source virtual private network (VPN) that allows users to securely access a private network and share data remotely through public networks. It uses customized security protocols based on SSL/TLS for key exchange and adds encryption and authentication on top of the OSI layer 2 or 3, which allows for routing capability while tunneling data through public networks.
An important configuration decision when setting up OpenVPN is whether to use TUN or TAP virtual network drivers. TUN and TAP are two different types of virtual network kernel drivers that handle IP packets in different ways. Understanding the difference between TUN and TAP and when to use each is key for configuring a secure and optimized OpenVPN connection.
TUN stands for network TUNnel. The TUN driver is a virtual point-to-point network link that operates at layer 3 of the OSI model, the network layer. TUN simulates a physical layer 1 (PHY) network interface card, but instead of sending packets over a physical wire, forwards them to and from a virtual tunnel.
When configured in OpenVPN, TUN functions similar to a network router. It handles traffic for multiple network layers protocols like IPv4, IPv6, etc. A key benefit of TUN is it can handle routing between multiple private subnets over an OpenVPN connection.
TAP stands for network tap. The TAP driver is a virtual ethernet adapter that operates at layer 2 of the OSI model, the data link layer. TAP simulates an ethernet device and operates with ethernet frames rather than routing IP packets like TUN. This allows it to handle things like ARP requests rather than just IP traffic.
When configured in OpenVPN, TAP functions similar to an ethernet bridge or switch. It handles traffic for ethernet protocols like IPv4, IPv6, ARP, etc that would flow over an ethernet network.
TUN vs TAP
Now that we understand TUN and TAP operate at different network layers, let’s compare some of the key differences.
The core difference comes down to layers 2 vs 3 handling of network traffic:
- TUN operates at OSI layer 3 as a virtual router, handling IP packets
- TAP operates at OSI layer 2 as a virtual ethernet adapter, handling ethernet frames
This means traffic handled by TUN doesn’t include layer 2 details like MAC addresses, while TAP traffic has the full layer 2 information.
- TUN can route between multiple private subnets across an OpenVPN tunnel since it operates at layer 3
- TAP bridges networks like a switch rather than routing
So for linking multiple private subnets over the VPN, TUN is advantageous.
- TUN has very broad platform support across all major operating systems
- TAP may have limited support on some platforms or require kernel updates
So when compatibility across platforms is important, TUN is likely the better option.
- Use TUN for connecting private subnets across different sites, routing traffic
- Use TAP for bridging ethernet segments across locations
- Use TUN if broader platform support is needed
So in summary, TUN is more flexible for site-to-site connectivity while TAP can mimic an ethernet connection.
Now that we’ve covered the differences from TAP, let’s dig deeper into the TUN virtual network driver.
Explanation of TUN
TUN devices are virtual network kernel drivers that function at OSI layer 3, handling IP packets. TUN stands for network “TUNnel”.
The TUN driver simulates a layer 1 physical network interface card, but instead of sending layer 3 packets over a physical wire, it routes them to/from a virtual tunnel. This tunnel can be encrypted by IPsec or other protocols to send the packets over a public network securely.
On Linux, TUN network devices are accessed through the special file /dev/net/tun. Overall, TUN provides a simple, virtual way to route layer 3 packets bidirectionally to/from tunnels.
Advantages of TUN
There are several major advantages to using the TUN driver for OpenVPN connections:
- As TUN operates at layer 3, it can handle routing traffic between multiple private subnets across an OpenVPN tunnel. This allows connecting full site-to-site networks.
Broad Platform Support:
- TUN has very wide support across all major platforms like Windows, Linux, MacOS, etc. So TUN tunnels work consistently across devices.
Simplicity & Speed:
- Handling traffic at layer 3 rather than layer 2 reduces processing overhead slightly. This can provide a small speed boost.
- Specific application access to the TUN device can be restricted by OS user permissions to improve security.
So in summary, the flexibility of routing traffic, wide platform support, and lean overhead provide good reasons to consider TUN.
Disadvantages of TUN
There are also some potential downsides to using the TUN driver to be aware of:
Limited Layer 2 Visibility:
- Since TUN handles layer 3 packets, it doesn’t maintain full ethernet frame information like MAC addresses.
No Ethernet Frame Handling:
- Protocols that rely on ethernet frames rather than IP packets won’t function over TUN. This includes ARP, IPv6 NDP, and more.
Can Require IFC Config:
- For routing across TUN, additional configuration like IP forwarding may be required for supporting larger networks.
So the lack of ethernet frame handling and visibility should be considered if lower level network visibility is needed.
Use Cases for TUN
Given its set of pros and cons, here are some of the top use cases where TUN shines:
Site-to-Site VPN Connectivity
- Connect entire private office networks together, routing traffic through the tunnel.
- Connect servers at different datacenters, routing traffic between them.
Remote Access Networks
- Allow remote user devices to route into private networks through the VPN.
- Bridge different subnets connected to the OpenVPN server.
In these cases, the layer 3 routing capability provides the flexibility needed without necessarily needing layer 2 visibility.
Now let’s examine the TAP virtual network driver that operates at layer 2 in more detail.
Explanation of TAP
TAP devices are virtual network kernel drivers that function at OSI layer 2, handling ethernet frames rather than just IP packets. TAP stands for network “tap”.
The TAP driver simulates an actual ethernet adapter or network interface card (NIC). This provides a virtual way to send layer 2 ethernet frames bidirectionally to/from tunnels instead of over a physical wire.
Much like TUN, on Linux TAP network devices are accessed through the special file /dev/net/tun. Overall, TAP allows monitoring at the ethernet frame level and bridging ethernet segments.
Advantages of TAP
There are some major advantages to using the TAP driver for OpenVPN connections, including:
Full Ethernet Visibility:
- As TAP operates at layer 2, it has visibility into the full ethernet frames including MAC addresses, letting you inspect traffic at this level.
Supports Non-IP Protocols:
- TAP can handle any protocol that functions over ethernet such as IPv6, Netbios, ARP and more since it bridges ethernet frames.
Can Bridge Ethernet Segments:
- TAP can bridge traffic between two ethernet networks over OpenVPN, acting like a transparent switch connection between two LANs.
So for cases where low-level visibility and ethernet protocol support are needed, TAP has advantages over TUN.
Disadvantages of TAP
There are also some potential downsides to using TAP to consider:
Limited Native Platform Support:
- While Linux has native TAP drivers, other platforms may require third-party kernel drivers for full support.
No Built-In Routing:
- As TAP bridges ethernet frames, it doesn’t handle routing IP between subnets. Additional routing capability would need to be configured.
- Operating at layer 2 means more data processing is required compared to the simpler layer 3 handling of TUN.
So platform compatibility, lack of routing, and overhead are factors to consider with TAP.
Use Cases for TAP
Given the pros and cons, here are the top use cases where TAP is most appropriate:
Bridging Physical LAN Segments
- Bridge two physical office networks that use ethernet switches across an OpenVPN connection.
Ethernet Protocol Analyzers
- Analyze any protocol that runs over ethernet by capturing full ethernet frames.
Media Streaming Networks
- Stream multicast network traffic such as video over ethernet links.
Legacy Protocol Support
- Encapsulate and tunnel protocols other than just standard IP over a secured VPN.
For these situations where handling traffic other than IP or having visibility into ethernet frames is valuable, TAP is likely the better fit.
How to Choose Between TUN and TAP
When setting up an OpenVPN connection, choosing whether to use TUN or TAP drivers comes down to a few key considerations of the tunnel’s purpose.
Factors to Consider
The most important factors to think through when deciding on TUN vs TAP are:
1. Routing Need – Will multiple subnets need to route over the tunnel? If so, TUN is likely better.
2. Visibility Need – Is ethernet frame visibility required? If so, TAP would allow seeing this.
3. Platform Compatibility – Will non-Linux platforms be connecting? If so, verify TAP support otherwise use TUN.
4. Traffic Type – Will both IP and non-IP ethernet traffic need encapsulation? If so, TAP can handle broader protocols.
Think through requirements around routing, visibility needs, cross-platform compatibility, and types of traffic to encapsulate.
When to Prefer TUN or TAP
Given those factors, here is guidance on when TUN or TAP configurations may be preferable:
Prefer TUN When:
- Routing traffic between multiple subnets
- Supporting mainly IP traffic
- Requiring broad platform compatibility
Prefer TAP When:
- Bridging ethernet segments like switch links
- Needing full ethernet frame visibility
- Handling non-IP protocols like IPv6, ARP
- Using solely Linux platforms
Consider the use case and technical constraints when deciding. TUN provides flexibility for routing while TAP gives visibility into ethernet details.
Deciding whether to configure OpenVPN tunnels using TUN or TAP drivers depends primarily on whether layer 3 routing capability or layer 2 ethernet handling is needed.
TUN operates at layer 3 for routing IP traffic providing flexibility to connect entire networks and subnets. TAP operates at layer 2 for handling ethernet frames providing more visibility and support for additional protocols.
Key factors to consider are visibility needs, routing needs, platform compatibility and types of traffic when deciding between TUN or TAP. TUN is simpler while TAP allows fuller control of ethernet links. Both fill important roles for configuring virtual network tunnels in OpenVPN.
Understanding the differences between TUN and TAP is crucial for setting up OpenVPN tunnels tailored to specific use case needs around routing, visibility and cross-platform compatibility.