They both provide some form of network access, why are there two different things which seem to do the same thing? The answer is that they don't quite do the same thing.
The point-to-point protocol (ppp) is designed around providing an IP network connection over a serial link. The most common thing providing a serial link is a modem, and these are present in mobile phones and were ubiquitous several years ago when you dialed up to your service provider to connect to the internet. Your ppp connection goes from your pc to a receiver which converts the serial signal back into IP packets which are routed across the internet.
Nowadays, when you get a cable modem or ADSL modem from your service provider, it provides an IP network connection over an ethernet or WiFi link. The modem is actually doing the work of providing a connection back to your service provider, which could be seen as the same as a ppp connection; it's just that your computer is no longer doing the translation work of going from IP packets to signals over an ADSL line or Cable connection. The separate modem is providing a layer away from the complexity of talking to the provider, you're just talking 'simple' Ethernet/WiFi.
The Tun/Tap mechanism is to allow you to access a virtual private network (vpn) in a layer above your standard network connection; so for example if you're connecting to your cable modem via Ethernet, then this is providing access to the vpn over your ethernet connection. If you were accessing the internet over a modem that was plugged directly into your pc, then you would be accessing your vpn over ppp. On its own, the tun/tap interface does not provide internet access, it relies on a pre-existing connection. It's an example of network layering.
Asking how difficult is it to convert a program from using a tun/tap network connection to use a ppp connection misunderstands where the two interfaces sit in the provision of your network access - tun/tap would sit atop ppp. Unencrypted packets enter the tun/tap interface, are encrypted, and then sent as IP packets to the ppp interface which converts them to serial signals which are sent to the remote end which turns them back into IP packets and forwards them on to the vpn target which decrypts them and routes them through its own private network.
If you remove the tun/tap interface then you would have to modify any application which wishes to communicate across the vpn so that for any of its network communications you need to intercept them; encrypt them; forward them; receive responses and decrypt them. By having the tun/tap layer you allow the built-in IP routing to take the unencrypted packets, encrypt them and forward them on - i.e. you don't need to modify any of the applications talking to the private network.
Pretty much every problem in computer science can be solved by adding a layer of indirection. By adding these layers, we reduce the complexity of individual components, but can build powerful systems. If we didn't have the ppp interface, every program would need to know how to talk serial, if we didn't have tun/tap every program would need to know how to talk vpn as well as need to know how to talk serial.
The only way you could remove the tun/tap connection would be if the ppp connection was made to a private system. You would have to use something akin to GSM data (which is 9600 bits/second, and it's an actual phone call), and even then you're not encrypting, and you're going over a cellular network, which kind of defeats the whole intention of a private network.
The following is a gross simplification of how the various tunneling protocols work, but should explain in enough detail that you should be able to understand why you can't just swap one for the other.
To understand why the different vpn protocols use different interfaces for doing their work, you have to understand how they were designed. TAP, L2TP and PPTP are all examples of a layer 2 protocol. TUN is an example of a layer 3 protocol.
To understand the differences, I'll use a postal analogy. Layer 2 (also known as the link layer), is the equivalent of a courier. You hand him a letter and he physically hands it to the recipient. The courier knows all the potential destinations in his area, any message for this local area can be dealt with by him.
If we stretch this analogy, a post-box can also be seen as a valid Layer 2 end-point. If you want to get letters across the country, you put them in the mailbox. This is analogous to L2TP, PPTP and TAP wrapping their packets for transmission across a network.
Layer 3 is the address on the letter - it can be used to move the letter from post office to post office where it finally gets into the hands of a postman. This is where the wrapped packet gets routed through the network.
It goes back to layer 2 at that point where the postman knows the destination within his delivery area and hands the letter to the intended recipient. This is where the wrapped packet gets unwrapped and then processed by the L2TP, PPTP or TAP end point.
For TUN, it's a little bit easier. Your letters go directly to your local post office, get delivered en masse to the destination post office where you collect them. There may be some details about getting the letters to the post office, or from the post office to the destination address, but that's not actually part of the protocol.
Then comes the awkward details of how they are implemented. Both L2TP and PPTP are defined in terms of ppp, a well established mechanism for establishing a direct connection between two end-points, so in order to talk across this sort of system, both the origin and destination will need to speak the point-to-point protocol. The tunneling provides a virtual layer across which these ppp messages travel (this tunneling is what gives them the T in their name).
The TAP interface is defined in terms of the tunneling of ethernet packets - these are the packets that you would see whizzing along over your WiFi connection. It establishes a simple bridge between two networks over which these ethernet packets are passed. Ethernet packets typically enclose IP packets, allowing you to put them straight out on the wire at the destination without needing to re-encapsulate them.
The TUN interface is defined in terms of the tunneling of IP packets - these are packets before they have been transformed so that they can travel over a physical connection such as Ethernet/WiFi. This means that you are establishing a routed virtual IP network between your computer and the destination network. IP packets that have a destination defined by the routes provided by this interface are sent to that interface.
The end product is another network interface on their system that IP packets can be sent to. This interface wraps the packet (in a ppp packet for PPTP/L2TP; in an ethernet packet for TAP; inside another IP packet for TUN). Encryption may be involved before the wrapping, or after the wrapping or at both points (depends on the protocol). A program which understands L2TP will be well versed in talking PPP, but would not be able to talk other protocols without a significant rewrite.