Difference tun/tap, is the interfaces that handle protocols or the OS

ethernetnetwork-interfacetap

I have difficulties to understand difference between tap and tun interface. I know it is an often asked question and I apologize for that.
I asked the same questions on stackoverflow and someone told me to try this forum so I hope I'm in a good place.
Moreover, I'm only curious about networks but I'm not a network student or professional so forgive me if my questions are too easy for you.

I read tap work at layer 2 and tun works at layer 3. I also read that tap is used for bridging and tun is used for routing. I already heard things like "ROUTERS work at layer 3" or "BRIDGES work at layer 2" : this make sense for me because routers manipulate layer 3 protocols and bridge manipulate layer 2 protocols? but, because tap and tun are "interfaces", it means the sentence like "INTERFACES work at layer 3" has a sense but I don't understand what it is : I mean interfaces doesn't manipulate protocols(the OS do that but not an interface) so it sounds like tun interface == tap interface:

If I create two tap interfaces(with tunctl) with two ip that are on different networks (192.168.2.1/24 and 192.168.3.1/24), then I link these to two kvm virtual machine (one tap interface match to one VM) and if I enable routing on the host, my two VM can communicate.

So tap interfaces can also be used for routing : what is the difference with tun ? maybe a tap is also a tun interface?

Also I can create a tap interface with tunctl command but how can I create a tun interface with the same command(the command is called TUNctl not TAPctl…)?

Moreover someone told me :

a TUN device is a virtual Ethernet adapter whereas a TAP device is a
virtual point-to-point IP link (in case these don't make sense, ask
your search engine what is the difference between point-to-point ip
link and an Ethernet)

So I do research about point-to-point ip link and Ethernet link and i have others questions :

what is a "point-to-point ip link"? According to me, a point-to-point link is, when we have a network of several machine, the fact of communicate between two machines without the others machines know it. So I guess a "point-to-point ip link" is a specific case of one could call "layer 3 point-to-point link" meaning the point-to-point connection is ensure by the level 3 is that right?
if I have several PC connected to a switch by Ethernet , all links can be consider as "point-to-point ip link".
the Wiki Ethernet page say a similar thing ("(…)which was designed for point-to-point links").
Same thing here : http://ethernetdirect.com/support_faqs.asp "Ethernet is a point to point network scheme"
so what is the difference between "point-to-point ip link" and Ethernet link?

Can you help me to clarify that?

Best Answer

The essential difference between TUN and TAP is the OSI layer at which they function (That does not include the programming required for each type of device):

TAP (OSI Layer 2) - Name TAP is from to TAP into where you make a physical connection to the material (not just ethernet cables, you could TAP into a barrel of beer for example)
TAP functions as a physical extension to the ethernet cable your computer is connected to. This means it can pass any frame which exist on that wire. eg IPv4/6, Netware IPX and Appletalk etc.
TUN (OSI Layer 3) - Name TUN from TUNnel
Functions as an end point to a TUNnel and only passes routable IPv4 packets (and IPv6 where supported). It also requires routing be correctly setup so that those packets can be correctly routed to the next hop.

OpenVPN provides this information.

Moreover someone told me :
a TUN device is a virtual Ethernet adapter whereas a TAP device is a virtual point-to-point IP link

As you can now see, that is the wrong way around ..

Related Solutions

Understanding tun0 addresses

Hardware network links can be either point to point or point to multipoint. ppp links are point to point, ethernet is point to multipoint. tun can act as either, in your case it is acting as a point to point link. a point to multipoint interface has four addresses associated with it, specifically ip address (the address of the interface), network address, broadcast address, and netmask. A point to point link has two addresses associated with it, specifically ip address (the near address) and the point to point peer address (the far address). Since the point to point link will only work with the two addresses, the broadcast, and network addresses and the netmask do not have useful data or have flag values.

A final point tun interfaces can have mac addresses, they just don't have default mac addresses.

Networking – Bridged Interfaces and VLAN Tags

Yes: you can set the bridge to be VLAN aware.

The bridge will then handle VLAN IDs attached to frames crossing it, including tagging and untagging them according to configuration, and will send a frame belonging to a given VLAN only to ports configured to accept it. This moves all the settings to the bridge itself rather than having to use VLAN sub interfaces (those sub interfaces can still be used in some settings of course).

This feature is not available through the obsolete brctl command, but requires the newer replacement bridge command (along with the usual ip link command). It is a simpler setup (one bridge, no sub-interface).

The method is to configure tap1 as a tagged bridge port with VLAN ID (VID) 5, and eth0 also with VID 5, but set as untagged: output gets untagged, and with this VID as PVID (Port VLAN ID): input gets tagged with it inside the bridge. There can be only one PVID per port.

At the same time optionally remove VLAN ID of 1 assigned by default to each port (unless a more complex setup would require multiple VLANs of course) to keep a clean configuration.

your setup, so far, with newer commands only should look like this:

ip link set eth0 up
ip link set tap1 up

# the following line could have directly included at bridge creation the additional parameter `vlan_filtering 1`
ip link add name br0 type bridge

ip link set tap1 master br0
ip link set eth0 master br0

The specific VLAN aware bridge settings, starting by activating the feature:

ip link set dev br0 type bridge vlan_filtering 1

bridge vlan del dev tap1 vid 1
bridge vlan del dev eth0 vid 1

bridge vlan add dev tap1 vid 5
bridge vlan add dev eth0 vid 5 pvid untagged

ip link set br0 up

Note that the bridge's self implicit port is still using VID 1, so assigning an IP directly on the bridge as is done on some settings will now fail to communicate properly. If such configuration is really needed, you can set the bridge's self port in VLAN 5 too, with a slightly different syntax (self) because it's the bridge itself:

bridge vlan del dev br0 vid 1 self
bridge vlan add dev br0 vid 5 pvid untagged self

It's usually cleaner to (still delete the default VID 1 of the bridge to prevent it from any possible interaction,) add a veth pair, plug one end on the bridge, configure its bridge vlan settings the same as eth0 and assign an IP on the other end.

Good blog series on this topic:

Fun with veth-devices, Linux bridges and VLANs in unnamed Linux network namespaces
I II III IV V VI VII VIII

Best Answer

Related Solutions

Understanding tun0 addresses

Networking – Bridged Interfaces and VLAN Tags

Related Question