What are TUN and TAP adapters?

If you use a VPN (particularly on a computer), there’s a good chance you noticed that your computer suddenly had a new network adapter: a TUN or a TAP adapter. But what exactly are TUN and TAP adapters? What are they used for? And are they necessary? Those are all questions we’re going to answer in this post.

TUN/TAP adapters

In the computing world, TUN and TAP adapters are kernel virtual network devices. They’re like your Ethernet or WiFi adapter, but instead of being hardware devices, like your Ethernet port, they’re supported entirely by software – hence the term ‘virtual.’

TUN and TAP drivers/adapters are primarily used by VPN client software to transfer packets over the VPN tunnel, using the virtual network adapter as if it were physical. Without TUN or TAP, your VPN client would have no way to securely forward packets to the VPN server.

TUN and TAP interfaces cannot be used simultaneously; your VPN client will use one or the other according to how it was set up. Let’s look at each one to better understand their similarities and differences.

TUN interfaces vs. TAP interfaces

The main difference between these two virtual network adapters is where they operate within the ISO/OSI network stack. The stack has seven layers. The higher layers are more restrictive than the lower layers. So, being lower in the network stack grants you more privileges, such as the ability to transfer more types of data.

TAP

TAP interfaces operate at layer two of the network stack rather than at layer three, where TUN adapters operate. Being lower in the stack allows TAP adapters to transport non-IP-based traffic (Banyan VINES, LLDP, NetBEUI, among many others). Being lower in the network stack also means that TAP interfaces can be used for bridging. Bridging combines an Ethernet interface with a virtual TAP interface, where the operating system considers the bridge a single interface.

In slightly more technical terms, TAP interfaces are considered physical Ethernet devices by the operating system (hence their use in bridging network segments together). As such, TAP interfaces send and receive Ethernet frames. Each TAP interface is assigned a random MAC address that the OS uses as the interface’s source address. The Address Resolution Protocol (ARP) is used to find the MAC address associated with a given IP address. The IP packets are then wrapped in Ethernet frames and sent over the TAP interface.

TUN

TUN interfaces operate at layer three of the network stack – the IP level. As such, TUN exclusively works with network protocol packets (i.e., IPv4 and IPv6). That also means that TUN interfaces are limited to routing packets and cannot be used for bridging interfaces together.

TUN interfaces communicate directly via IP address. Because of that, there’s no need to wrap IP packets in Ethernet frames, resulting in less overhead. TUN interfaces also don’t need ARP because their IP addresses are already known.

TUN interfaces are the most commonly used virtual adapters with VPN clients. That’s because a VPN client’s most common use case is one in which a VPN endpoint simply routes IPv4 or IPv6 packets to and from the VPN server. More complex setups may require TAP.
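
What each adapter type hands to the VPN client, as an added example that is not part of the original post: the same constructed IPv4 packet as a TUN interface carries it (bare IP) and as a TAP interface carries it (inside an Ethernet frame), plus an ARP frame that only TAP can carry. All addresses, MACs and function names are constructed for illustration, and the TUN side assumes no extra per-packet header in front of the IP packet.

```python
import ipaddress
import struct

ETH_HEADER_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x88CC: "LLDP"}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ip(packet):
    """Layer 3: what a TUN interface carries (no link-layer header)."""
    version = packet[0] >> 4 if packet else 0
    if version == 4 and len(packet) >= 20:
        src, dst = packet[12:16], packet[16:20]
    elif version == 6 and len(packet) >= 40:
        src, dst = packet[8:24], packet[24:40]
    else:
        raise ValueError("not a complete IPv4/IPv6 header")
    return {"layer": 3, "proto": f"IPv{version}",
            "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst))}


def parse_ethernet(frame):
    """Layer 2: what a TAP interface carries (Ethernet header + payload)."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    info = {"layer": 2, "dst_mac": mac(dst), "src_mac": mac(src),
            "proto": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype in (0x0800, 0x86DD):   # IP rides inside the frame
        info["ip"] = parse_ip(frame[ETH_HEADER_LEN:])
    return info                         # ARP, LLDP etc. have no IP part


# Constructed sample data (checksum left at 0; it is not validated here).
IP_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        ipaddress.ip_address("10.8.0.2").packed,
                        ipaddress.ip_address("192.0.2.10").packed)
DST_MAC, SRC_MAC = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
TAP_IP_FRAME = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + IP_PACKET
TAP_ARP_FRAME = b"\xff" * 6 + SRC_MAC + struct.pack("!H", 0x0806) + bytes(28)

if __name__ == "__main__":
    print("TUN:", parse_ip(IP_PACKET))
    print("TAP:", parse_ethernet(TAP_IP_FRAME))
    print("TAP:", parse_ethernet(TAP_ARP_FRAME))
```

The 14-byte difference between `TAP_IP_FRAME` and `IP_PACKET` is the per-packet Ethernet overhead that TUN avoids.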

TAP or TUN by VPN protocol

Some VPN protocols can use either TUN or TAP; some only use TUN, while others use neither.

While that can seem confusing, it simply depends on how the VPN was set up. Here’s a breakdown of the three main open-source VPN protocols that commercial VPN providers commonly use.

  • OpenVPN: OpenVPN can use either TUN or TAP, based on the use case. Most of the time, TUN should be used. But in a network scenario where you want to bridge two network segments together over OpenVPN, you would use TAP.
  • WireGuard: WireGuard exclusively uses TUN to establish its connections.
  • IPsec: IPsec does not use either TUN or TAP interfaces to establish connections. If your VPN client only supports IPsec (quite a few go down this path on mobile), no TUN/TAP driver will be installed, and a TUN/TAP interface will not be created on your system. IPsec-based protocols include IKEv2 and L2TP.

How TUN/TAP interfaces work with VPNs

Both TUN and TAP interfaces are used to create the VPN tunnel and route packets through it. Without one of these interfaces present on your system, encrypted packets could not be routed to your VPN server. They would have to go through your default WAN. TUN/TAP interfaces can integrate into your network stack and reroute traffic to the VPN.

In order to create TUN or TAP interfaces on your system, you will need a driver (or kernel extension, in the case of macOS). But don’t worry; these are typically bundled with the VPN client software and are installed automatically. The software will automatically create the interface it needs, so you should have nothing to worry about.

Checking for TUN/TAP adapters

TUN and TAP adapters are used by all operating systems, although macOS recently dropped support for TAP and only uses TUN interfaces. In Windows, you’re likely to see both TUN and TAP interfaces when you install a VPN client. That’s because the bundled driver is for both TUN and TAP interfaces. It remains more than likely that only TUN is being used despite having both on your system.

Here’s how you can check if you have any TUN/TAP interfaces on your system for all three major desktop operating systems.

macOS

  1. Launch a terminal window.
  2. Type: ifconfig and hit Enter.
  3. Scroll down until you see utun# (where # represents a specific number on your system).

Linux

  1. Launch a terminal window.
  2. Type: ifconfig and hit Enter.
  3. Scroll down until you see either tun# or tap# (where # represents a specific number on your system).
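
On Linux, the tun#/tap# names are only a convention, and a VPN client can name its interface anything. The added example below (not part of the original post) identifies TUN/TAP devices by the tun_flags attribute the Linux tun driver exposes under /sys/class/net rather than by name; the function names and the allowlist helper are hypothetical names introduced here.

```python
import os

IFF_TUN = 0x0001   # layer 3 device (IP packets)
IFF_TAP = 0x0002   # layer 2 device (Ethernet frames)


def list_tuntap(sysfs_net="/sys/class/net"):
    """Return {interface: "tun" | "tap"} for every TUN/TAP device found.

    The Linux tun driver creates a tun_flags file for each of its devices;
    interfaces without that file are not TUN/TAP devices.
    """
    found = {}
    for name in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, name, "tun_flags")
        try:
            with open(path) as fh:
                flags = int(fh.read().strip(), 16)   # e.g. "0x1001"
        except (OSError, ValueError):
            continue                # physical NIC, loopback, bridge, ...
        if flags & IFF_TAP:
            found[name] = "tap"
        elif flags & IFF_TUN:
            found[name] = "tun"
    return found


def unexpected(found, allowed):
    """TUN/TAP interfaces that are not on the operator's allowlist."""
    return sorted(set(found) - set(allowed))


if __name__ == "__main__":
    for name, kind in list_tuntap().items():
        print(f"{name}: {kind}")
```

Comparing the result against the interfaces your VPN client is expected to create shows leftovers from earlier installs as well as tunnels you did not set up.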

Windows

  1. Click the Start button and select the Settings Gear icon. The Settings menu is displayed.
  2. Type: ‘device manager’ in the search field. The Device Manager is displayed.
  3. We can see that we have both a TUN and a TAP adapter for ExpressVPN on our system.

Troubleshooting TUN/TAP issues

As mentioned above, TUN/TAP interfaces/drivers are usually automatically installed when you install your VPN client. So you don’t need to install them manually. However, there are times when your TUN/TAP interfaces can become corrupt and cause VPN connectivity issues. When this happens, it is usually after multiple installs/uninstalls of VPN software.

There are a few things you can do if you find yourself in that situation.

Disabling and re-enabling the interface

There’s a good chance that disabling and re-enabling the interface will kick it back into working order.

macOS

  1. Launch a terminal window.
  2. Type: ifconfig utun# down and hit Enter.
  3. Then type: ifconfig utun# up and hit Enter.
  4. The interface is re-enabled, and you can try connecting to the VPN to see if it fixed your issues.

Linux

  1. Launch a terminal window.
  2. Type: ifconfig tun# down or ifconfig tap# down and hit Enter.
  3. Then type: ifconfig tun# up or ifconfig tap# up and hit Enter.
  4. The interface is re-enabled, and you can try connecting to the VPN to see if it fixed your issues.

Windows

  1. Launch the Device Manager as above and scroll to the adapter you want to disable under Network adapters.
  2. Right-click the adapter to disable and select Disable device from the menu. In my example, I will select the ExpressVPN TAP Adapter.
  3. A prompt appears on-screen asking you to confirm this action. Click Yes.
  4. The interface is disabled. A small icon is displayed to indicate this.
  5. Right-click the adapter again, but select Enable device from the menu this time.
  6. The interface is re-enabled, and you can try connecting to the VPN to see if it fixed your issues.

Removing the TUN/TAP interface(s)

Sometimes, disabling and re-enabling isn’t enough. In those cases, I’d recommend uninstalling the VPN software. In many cases, doing that will automatically delete the TUN/TAP interfaces it created, and you can reinstall the software and get it working.

Sometimes, however, the uninstall process fails to delete the interfaces, and you need to do it manually.

Here’s how to go about doing that.

macOS

  1. Launch a terminal window.
  2. Type: ifconfig utun# down and hit Enter.
  3. The interface is deleted. Do this for all the TUN interfaces associated with the VPN provider. After that, you can reinstall the VPN software and see if it fixed your issues.

Linux

  1. Launch a terminal window.
  2. Type: ifconfig tun# down or ifconfig tap# down and hit Enter.
  3. The interface is deleted. Do this for all the TUN/TAP interfaces associated with the VPN provider. After that, you can reinstall the VPN software and see if it fixed your issues.

Windows

  1. Launch the Device Manager as above and scroll to the adapter you want to disable under Network adapters.
  2. Right-click the adapter to disable and select Uninstall device from the menu. In my example, I will select the ExpressVPN TAP Adapter.
  3. A prompt appears on-screen asking you to confirm this action. Click Uninstall.
  4. The interface is uninstalled. Do this for all the TUN/TAP interfaces associated with the VPN provider. After that, you can reinstall the VPN software and see if it fixed your issues.

Wrapping Up

So, that was the lowdown on TUN and TAP interfaces. You may not have heard about them before, but if you use a VPN, you’ve likely used them before. And now that you have a better understanding of TUN/TAP interfaces, you may be better equipped to troubleshoot VPN issues and will know what to do if your issues are tied to these virtual interfaces.

As always, stay safe.