TUN Mode¶
TUN mode provides full VPN functionality by creating a virtual network interface. All device traffic is routed through the VPN tunnel.
Overview¶
In TUN mode, R-VPN creates a virtual network interface (TUN device). All network traffic from the device is encrypted and routed through the VPN tunnel.
┌──────────────┐         ┌─────────────┐         ┌─────────────┐
│    Device    │         │ R-VPN Client│         │ R-VPN Server│
│  (All Apps)  │────────►│    (TUN)    │────────►│             │
│              │◄────────│             │◄────────│             │
└──────────────┘         └─────────────┘         └─────────────┘
                         rvpn0: 10.200.0.2       NAT to Internet
Advantages¶
- Transparent - All apps use VPN automatically
- System-wide - Works with any application
- Split tunneling - Route specific traffic differently
- Full DNS - Complete DNS leak protection
Requirements¶
- Root/administrative privileges - Required to create and configure the TUN device
- TUN device support - Available on most modern operating systems (Linux, macOS, Windows)
Configuration¶
TUN mode is configured in the [tun] section of client.toml:
[tun]
# Interface name (default: "rvpn0")
interface_name = "rvpn0"
# Virtual IP address with CIDR notation (default: "10.200.0.2/24")
ip_address = "10.200.0.2/24"
# DNS servers used when VPN is active (default: ["1.1.1.1", "8.8.8.8"])
dns_servers = ["1.1.1.1", "8.8.8.8"]
# Routes to route through VPN (default: ["0.0.0.0/0"] - all traffic)
routes = ["0.0.0.0/0"]
# MTU - Maximum Transmission Unit (default: 1420)
mtu = 1420
Default Values¶
| Option | Default Value | Description |
|---|---|---|
| interface_name | rvpn0 | Name of the virtual network interface |
| ip_address | 10.200.0.2/24 | Virtual IP address assigned to the TUN device |
| dns_servers | ["1.1.1.1", "8.8.8.8"] | DNS servers to use for name resolution |
| routes | ["0.0.0.0/0"] | Networks to route through VPN (CIDR notation) |
| mtu | 1420 | Maximum Transmission Unit size in bytes |
Starting TUN Mode¶
You can start TUN mode in two ways:
1. Using the --tun Command Line Flag¶
2. Setting Mode in Configuration¶
The client can be configured to run in TUN mode by default (implementation-specific).
Split Tunneling¶
Split tunneling works in both SOCKS5 and TUN modes, allowing you to route specific traffic outside the VPN.
Route Only Specific Networks Through VPN¶
[tun]
# Route only private networks through VPN
routes = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# All other traffic uses regular routing
Advanced Split Tunneling¶
For application-level split tunneling (bypassing the VPN for specific domains or countries), see Split Tunneling, which works in both SOCKS5 and TUN modes.
[split_tunnel]
enabled = true
builtin_bypass_countries = ["CN"] # Bypass VPN for China traffic
block_ads = true # Block ads/trackers
DNS Configuration¶
Protect against DNS leaks by configuring DNS servers:
The specified DNS servers are used for all DNS queries when the VPN is active, preventing DNS leaks.
Platform-Specific Setup¶
Linux¶
The client automatically handles TUN device creation and routing configuration on Linux.
macOS¶
Windows¶
Run the client from an Administrator Command Prompt or PowerShell:
Troubleshooting¶
Permission Denied¶
TUN mode requires root/administrative privileges:
TUN Device Not Available¶
Some VPS providers or restricted environments disable TUN devices. Contact your provider to enable TUN support, or run on a system with TUN device support.
No Network Connectivity¶
Check:
1. Server is running and accessible
2. Firewall allows outbound connections
3. Routes are configured correctly
4. DNS servers are reachable
DNS Leaks¶
Ensure DNS servers are configured in the [tun] section:
You can verify DNS leak protection using online DNS leak test tools.
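An added check, not part of R-VPN or the original page: it reads the [tun] keys documented above and reports configured DNS servers that no entry in routes covers, because with a split-tunnel routes list such resolvers are reached over regular routing. It assumes the client installs only the listed routes and adds no separate route for the DNS servers; `audit_tun`, `SAMPLE` and the resolver address 10.0.0.53 are constructed for illustration.

```python
import ipaddress

# Defaults taken from the "Default Values" table on this page.
DEFAULTS = {"routes": ["0.0.0.0/0"], "dns_servers": ["1.1.1.1", "8.8.8.8"]}


def audit_tun(tun: dict) -> dict:
    """Report which configured DNS servers are not covered by the VPN routes."""
    routes = [ipaddress.ip_network(r, strict=False)
              for r in tun.get("routes", DEFAULTS["routes"])]
    servers = tun.get("dns_servers", DEFAULTS["dns_servers"])
    outside = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        # A resolver is tunnelled only if a route of the same IP version contains it.
        if not any(addr.version == r.version and addr in r for r in routes):
            outside.append(server)
    return {
        # True when the IPv4 default route is sent through the VPN.
        "full_tunnel": ipaddress.ip_network("0.0.0.0/0") in routes,
        # False when dns_servers is an explicitly empty list.
        "dns_configured": bool(servers),
        # Resolvers that would be queried over regular routing.
        "dns_outside_tunnel": outside,
    }


# Constructed sample: the split-tunnel routes from this page plus one
# public and one hypothetical internal resolver.
SAMPLE = """
[tun]
routes = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
dns_servers = ["1.1.1.1", "10.0.0.53"]
"""

if __name__ == "__main__":
    import tomllib  # standard library from Python 3.11

    report = audit_tun(tomllib.loads(SAMPLE)["tun"])
    for server in report["dns_outside_tunnel"]:
        print(f"DNS server {server} is not covered by any [tun] route")
```

A non-empty `dns_outside_tunnel` with `full_tunnel` false means either the resolver addresses should be added to routes or resolvers inside the routed networks should be used.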
Security Considerations¶
- TUN mode routes ALL traffic through the VPN by default (when routes = ["0.0.0.0/0"])
- Ensure your server has adequate bandwidth for your traffic
- Monitor data usage to avoid unexpected charges
- DNS queries are protected when using configured DNS servers
Next Steps¶
- Split Tunneling - Route local traffic outside VPN
- Configuration - Full configuration reference
- Key Management - Manage identity keys