Logo Peer-to-peer VPN

Device types explained: TUN vs. TAP

VpnCloud supports two device types: TUN and TAP, but what is the difference and which one should you choose?

TAP devices are virtual devices that mimic physical Ethernet devices that send and receive Ethernet frames. Each TAP device has a random MAC address that is used as source address. In order to communicate via IPs, the ARP protocol (address resolution protocol) is used to find the MAC address for an IP. The IP packets are wrapped in Ethernet frames to send them via a TAP device.

TUN devices on the other hand, communicate directly via the IP protocol. This way, the overhead for wrapping IP packets in Ethernet frames is removed. For TUN devices, no ARP protocol is used since the IPs are already known.

TUN vs. TAP - Pros & Cons

TUN devices are a little bit more efficient than TAP devices because there is no Ethernet wrapper around the IP packets, saving 14 bytes per packet. Also, no ARP is required to look up IP addresses. ARP resolution usually causes the first packet to an address (after an idle period) to take longer than the rest since the IP address first has to be resolved. This only affects the first packet, since the ARP resolution is cached for some time.

Since the ARP protocol dynamically resolves addresses, it is more robust and requires less manual configuration than routing tables on TUN devices. This is especially important when using a more complex setup including whole networks.

Since TUN devices are limited to the IP protocol, there are some protocols that can't be used on TUN devices and require TAP devices instead. Those protocols include DHCP, PXE boot, and IPX.

So to summarize: TUN is slightly faster and TAP is more flexible concerning supported protocols and setups.