Skip to content

Full Tunnel (TUN) Mode

TUN mode creates a virtual network interface and routes all IP traffic on your machine through the VPN — not just apps that support SOCKS5. This is equivalent to a traditional VPN.

Note: TUN mode requires root or administrator privileges to create a network interface.

Enabling TUN Mode

TUN mode is enabled via the [tun] section in client.toml, not a command-line flag:

[tun]
enabled = true

Connect with your usual command (no --tun flag needed):

sudo rvpn -c ~/.config/rvpn/client.toml

IP Address and Gateway Assignment

Your client IP address and gateway IP are assigned dynamically by the server via the VirtualIp message. You do not need to specify them in the configuration. The server also provides the DNS servers to use for tunnel traffic.

Configuration

The [tun] section in client.toml supports the following fields:

Field Default Description
enabled false Set to true to enable TUN mode.
interface_name (auto) TUN interface name. On macOS the OS assigns a name like utunN. On Linux defaults to rvpn0. Optional — omit to use the OS-assigned name.
mtu 1420 MTU of the TUN interface. Lower values reduce fragmentation on high-latency links.
routes ["0.0.0.0/0"] Routes to send through the tunnel. Default routes all traffic. Specify individual CIDRs for split-routing. 
[tun]
enabled = true
# interface_name = "rvpn0"  # optional, OS-assigned by default
mtu     = 1420
routes  = ["0.0.0.0/0"]

Route only specific traffic

Instead of routing everything, you can route only certain subnets:

[tun]
enabled = true
routes = [
    "91.108.0.0/16",    # Telegram
    "149.154.0.0/16",   # Telegram
    "172.217.0.0/16",   # Google
]

Split Tunneling in TUN Mode

Split tunneling works the same as in SOCKS5 mode. With builtin_bypass_countries = ["CN"], Chinese IPs are excluded from the tunnel routes automatically:

[split_tunnel]
enabled = true
builtin_bypass_countries = ["CN"]

This means domestic Chinese traffic continues to use your normal connection while everything else goes through the VPN.

Linux: Required Permissions

On Linux, the rvpn binary needs to create a TUN interface and modify routing tables. Either run as root:

sudo rvpn -c /etc/rvpn/client.toml

Or grant the binary the required capabilities:

sudo setcap cap_net_admin+ep /usr/local/bin/rvpn
rvpn -c ~/.config/rvpn/client.toml

macOS: System Extension

On macOS, creating a TUN interface requires elevated privileges. Run with sudo or configure a LaunchDaemon:

sudo rvpn -c ~/.config/rvpn/client.toml

Verifying the Tunnel

Check your exit IP: 

curl https://api.ipify.org

The returned IP should be your VPN server's IP address.

Check the interface is up (the exact name varies): 

# macOS
ifconfig utun

# Linux
ip addr show rvpn0
ip route show