What is TUN/TAP? How to enable it in OpenVZ?

Posted on October 28th, 2016

TUN/TAP is used to provide packet reception and transmission for user space programs. TUN stands for network TUNnel) is a network layer device and TAP stands for network TAP and it is a link layer device and both of them are virtual network kernel devices. TUN/TAP kernel module is needed to be enabled in VPS for VPN configuration because TUN is used with routing and TAP is used for creating a network bridge. TUN/TAP can be viewed as a simple Point-to-Point or Ethernet device. It sent and receives packets from user space program. TUN works with IP frames whereas TAP works with Ethernet frames.


TUN and TAP devices are most commonly used in two distinct application scenarios:

1) VPN software (such as OpenVPN): In this case, the kernel sends its network packets to the tun or tap devices and the VPN software will then encrypt and forward them to the other side of the VPN tunnel where they get decrypted and delivered to their destination.

2) System virtualization/emulation packages: In this scenario, the virtualized operating system instance talks to a fake network device and the virtualization software then creates a tap device and interconnects the two such that the host system can talk to the guest and vice versa.

The platforms are supported by TUN/TAP driver are Linux kernels 2.2.x, 2.4.x, FreeBSD 3.x, 4.x, 5.x and Solaris 2.6, 7.0, 8.0.


TUN Interfaces

TUN devices work at the IP level or layer three level of the network stack. TUN devices are usually point-to-point connections. TUN devices allows the VPN software a chance to encrypt the data before it gets put on the wire so the typical use for a TUN device is establishing VPN connections. TUN devices work at layer three it can only accept IP packets and in some cases only IPv4 and they can’t be used in bridges and don’t typically support broadcasting.


TAP Interfaces

TAP devices work at the Ethernet level or layer two of the network stack so it behaves like a real network adaptor. It can transport any layer three protocol and aren’t limited to point-to-point connections because they are run in layer two. TAP devices can be part of a bridge. TAP devices are commonly used in virtualization systems to provide virtual network adaptors to multiple guest machines.



The TunTap package is consists of a pair of kernel extensions, tun and tap interfaces. They create a set of character devices /dev/tunX and /dev/tapX, respectively. X is a number between zero and the maximum number of supported virtual interfaces. A virtual network interface is created in the system when an application opens the character device, say /dev/tap0 and it will be named as tap0. The network interface can be assigned addresses same as any other network interfaces. After interface configuration completes, packets that the kernel sends through this interface can be read one packet at a time from the character device and packets written to the character device will be sent into the kernel’s network stack. For tun interfaces, the packets that are read and written are IP packets and for tap interfaces, the packet format is Ethernet frames.


Enable TUN/TAP Module in OpenVZ

OpenVZ supports VPN inside a container via kernel TUN/TAP module and device.

1) Check tun module has already loaded on the Node.

# lsmod | grep tun

2) To load the tun module

# modprobe tun

3) Run the following command in node

# vzctl set CID –devnodes net/tun:rw –save

#  vzctl set CID –devices c:10:200:rw –save

# vzctl stop CID

# vzctl set CID –capability net_admin:on –save

# vzctl start CID

# vzctl exec CID mkdir -p /dev/net

# vzctl exec CID chmod 600 /dev/net/tun

4) To check TUN/TAP is enabled or not

# cat /dev/net/tun

If the output is “File descriptor in bad state” it means that TUN/TAP is enabled.

If the output is “No such device” it means TUN/TAP is not enabled.


Benefits of TAP

1) It behaves like a real network adapter (except it is a virtual network adapter)

2) It can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)

3) Works in layer 2, it means that the Ethernet frames are passed over the VPN tunnel

4) It Can be used in bridges


Drawbacks of TAP

1) It causes much more broadcast overhead on the VPN tunnel

2) Adds the overhead of Ethernet headers on all packets transported over the VPN tunnel

3) It scales poorly

4) It cannot be used with Android or iOS devices


Benefits of TUN

1) A lower traffic overhead, transports only traffic which is destined for the VPN client

2) Transports only layer 3 IP packets


Drawbacks of TUN

1) Broadcast traffic is not normally transported

2) Can only transport IPv4 (OpenVPN 2.3 adds IPv6)

3) Cannot be used in bridges.


If you need any further assistance please contact our support department.



Leave a Reply