TUN/TAP devices are virtual interfaces used by VPN clients to establish virtual instances of physical networking connections.
Although slightly different from each other (because they work at different network layers), both TUN and TAP devices function to pass data from one host to another.
What is TUN/TAP?
Unlike regular network devices in a system (physical devices routing packets around via ethernet cables), TUN/TAP is a completely virtual interface that simulates those physical connections within the operating system's kernel (the part of the operating system that is always active in your device's memory and has complete control over everything in the system).
The advantage of TUN/TAP is that user-space applications, such as VPN clients, can interact with those devices as if they were real. This permits the operating system to inject packets into the regular networking stack as needed – resulting in data being passed back and forth as if physical network devices were in use.
Although very similar, Tun and Tap devices are designed to achieve different things within the kernel. VPN clients that provide OpenVPN primarily make use of TUN devices – which is why the installation phase for an OpenVPN client usually includes the installation of a TUN/TAP driver.
Below, we will take a closer look at both of these virtual interfaces to explain what each device does, and how it permits a VPN connection to occur.
TUN devices are virtual point-to-point connections that work at layer three (the IP level) of the networking stack. They are commonly used by VPN clients to establish a connection between the client and the OS networking stack. This allows a VPN to encrypt your data before forwarding it onto the VPN server through the tunnel.
Because TUN works at layer three of the networking stack, it deals exclusively in network protocol packets (IPv4 and IPv6 packets). What's more, because TUN devices are at layer three, they can only be used for routing (not for bridging).
TAP interfaces work at layer two of the networking stack (the data-link layer) and are necessary if you want to transport non-IP based traffic and if you want to bridge.
The benefit of TAP devices is that despite being virtual they operate and behave just like real network adapters, and they can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc) and Ethernet frames.
How TUN/TAP drivers work to provide a VPN connection?
Both TUN and TAP devices are used by VPN clients for the purposes of establishing the tunnel. Without the drivers for these virtual devices, data encrypted by a VPN client would not be able to move from the client to the networking stack. In the case of VPNs, TAP is used to carry Ethernet frames and for bridging and TUN is used to carry IP packets (routing).
It is worth noting that TUN/TAP devices are only used by certain VPN protocols (such as OpenVPN and WireGuard) and not others (such as IKEv2).
In practice, TAP devices are used to create a user-space network bridge for which they act as switches. TUN devices, on the other hand, are used to route packets through the VPN tunnel. This makes the TUN device the most commonly used of the two because it is employed by the VPN client to pass your encrypted data through to the VPN tunnel.
For TAP and TUN devices to work, they require drivers/adapters to be present on your system. The good news is that VPN clients install TUN/TAP drivers for you when you install the VPN client. As a result, you rarely need to know about these devices – or worry about them.
That said, users who have installed various VPN clients may, over time, begin to experience errors caused due to the presence of multiple TAP adapters. Under these circumstances, it is a good idea to uninstall any old VPN clients and TUN/TAP drivers already present in your system. Following that, simply install your new VPN client again, and the necessary drivers should be installed in a fully functioning manner.
Should I install TUN/TAP driver when prompted by the VPN installer?
Yes. The TUN/TAP driver provides packet reception and transmission for the VPN client and is necessary for tunneling your data. These important drivers allow the virtual TUN and TAP devices to act as simple Point-to-Point or Ethernet devices, which, rather than receiving packets from physical hosts, receive them from the user space program (the VPN client). This is vital to the functioning of the client, and you will need to install these drivers for your VPN software to work.