LinuxCommandLibrary

ip-tuntap

Create TUN/TAP virtual network interfaces

TLDR

Show all existing TUN/TAP devices

$ ip [[tunt|tuntap]]

Create a TUN device with a specific name
$ sudo ip [[tunt|tuntap]] [[a|add]] [[d|dev]] [tun0] [[m|mode]] [[t|tun]]

Create a TAP device with a specific name
$ sudo ip [[tunt|tuntap]] [[a|add]] [[d|dev]] [tap0] [[m|mode]] [[ta|tap]]

Delete a TUN or TAP device
$ sudo ip [[tunt|tuntap]] [[d|delete]] [[d|dev]] [tun0|tap0] [[m|mode]] [tun|tap]

Set the owner (UID) of a TUN/TAP device
$ sudo ip [[tunt|tuntap]] [[a|add]] [[d|dev]] [tun0|tap0] [[m|mode]] [tun|tap] [[u|user]] [username]

Set both owner (UID) and group (GID) for a TUN/TAP device
$ sudo ip [[tunt|tuntap]] [[a|add]] [[d|dev]] [tun0|tap0] [[m|mode]] [tun|tap] [[u|user]] [username] [[g|group]] [group_name]

SYNOPSIS

ip tuntap add dev NAME mode { tun | tap } [user UID] [group GID] [pi|nopi] [vnet_hdr|novnet_hdr] [multi_queue [N]] [persist]
ip tuntap del dev NAME mode { tun | tap }
ip tuntap show [[dev] NAME]

PARAMETERS

add
    Create a new TUN/TAP device

del
    Delete a TUN/TAP device

show
    Display TUN/TAP devices

dev NAME
    Interface name (required for add/del)

mode { tun | tap }
    Device mode: tun for L3 IP, tap for L2 Ethernet (required for add/del)

user UID
    Set owning user ID

group GID
    Set owning group ID

pi
    Include protocol info header (default)

nopi
    Exclude protocol info header

vnet_hdr
    Enable virtio net header

novnet_hdr
    Disable virtio net header (default)

multi_queue [N]
    Enable multi-queue with optional queue count

persist
    Keep device after last close

DESCRIPTION

ip tuntap is a subcommand of the ip utility from the iproute2 package, used to create, delete, and display TUN/TAP devices. These are virtual network kernel devices that enable user-space programs to communicate with the kernel's networking stack as if connected to a physical network interface.

TUN mode handles layer 3 IP packets, while TAP mode handles layer 2 Ethernet frames. Common uses include VPN implementations (e.g., OpenVPN, Tinc), virtual machine networking, and bridging network namespaces.

Key features include setting ownership for non-root access, adding protocol info (PI) headers, virtio net headers for performance, multi-queue support, and persistence. After creation, use ip link set dev NAME up to activate, then configure IP with ip addr. Requires CAP_NET_ADMIN privileges.

CAVEATS

Requires root or CAP_NET_ADMIN. The device is not up by default; bring it up with ip link set dev NAME up. A device name cannot be reused immediately after del.

EXAMPLE: CREATE TUN

ip tuntap add dev tun0 mode tun user 1000
ip link set tun0 up
ip addr add 10.0.0.1/24 dev tun0

EXAMPLE: PERSISTENT TAP

ip tuntap add dev tap0 mode tap group 100 persist
The device survives after the program using it closes.
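
Because user and group decide which non-root accounts may use a device, it is worth reviewing what ownership existing devices carry. The script below is an added example, not part of the original page or of iproute2: it reads an ip tuntap show listing on stdin and reports devices with no owner or with a user outside an allow-list. The function names, the sample listing, and the line format "NAME: MODE [flags] [user UID] [group GID]" are assumptions.

```shell
#!/bin/sh
# Added example: audit an `ip tuntap show` listing for TUN/TAP devices whose
# owner is missing or not on an allow-list.
# Arguments: the numeric UIDs that are allowed to own a device.
# Assumed line format: "NAME: MODE [flags] [user UID] [group GID]"
audit_tuntap() {
    awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Only consider device lines; skip anything else (e.g. detail lines).
    $1 ~ /:$/ && ($2 == "tun" || $2 == "tap") {
        name = $1; sub(/:$/, "", name)
        mode = $2; user = ""; group = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "user")  user  = $(i + 1)
            if ($i == "group") group = $(i + 1)
        }
        if (user == "" && group == "")
            printf "%s (%s): no owner set\n", name, mode
        else if (user != "" && !(user in ok))
            printf "%s (%s): owner uid %s not in allow-list\n", name, mode, user
        else
            next    # owned by an allowed UID, or group-owned only (GID not checked)
        bad = 1
    }
    END { exit (bad ? 1 : 0) }'   # non-zero exit status when anything was reported
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
tun0: tun user 1000
tap0: tap persist group 100
tun1: tun
tap1: tap vnet_hdr user 1001
EOF
}

# Stand-alone run: audit the sample, allowing only UID 1000.
sample_listing | audit_tuntap 1000 || echo "review the devices listed above"
```

On a live host, pipe ip tuntap show into audit_tuntap and pass the UIDs you expect to own devices.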

HISTORY

Added to iproute2 in Linux 2.6.23 (2007) to support enhanced TUN/TAP driver features like multi-queue and vnet_hdr.

SEE ALSO

ip-link(8), ip(8), tun(4)
