Advanced

5 MIN READ

Apr 13, 2026

What Is an IP Tunnel? The Secure Passage of Data

IP tunneling encapsulates one network protocol inside another, enabling VPNs, IPv6-over-IPv4 transit, and firewall bypass. This guide covers how it works and when to use each type.

What IP Tunneling Actually Means

IP tunneling is the technique of encapsulating one network packet inside another. The outer packet carries routing information that the transit network understands. The inner packet carries the original data, which may use a protocol the transit network does not support, or which you want to protect from inspection. When the outer packet reaches its destination — the tunnel endpoint — the outer header is stripped, and the inner packet is delivered to its actual destination.

This mechanism is the foundation of VPNs, IPv6 transition technologies, SD-WAN overlays, and container networking. Understanding how encapsulation works at the packet level makes troubleshooting, MTU problems, and performance tuning significantly easier.

How Encapsulation Works at the Packet Level

Consider a packet that originates from 10.0.1.5 (private network A) destined for 10.0.2.10 (private network B), separated by a public internet path that knows nothing about either private range.

At the tunnel ingress router, the following happens:

The original IP packet (with source 10.0.1.5 and destination 10.0.2.10) is treated as a payload.
A new outer IP header is prepended. The outer source address is the public IP of the ingress router (e.g., 203.0.113.1). The outer destination is the public IP of the egress router (e.g., 198.51.100.1).
The combined packet — outer header plus inner packet — is transmitted across the internet. Routers along the path see only the outer addresses and forward accordingly.
At the egress router, the outer header is removed. The original inner packet appears with its private addresses intact and is forwarded to its destination on network B.

The internet never sees 10.0.1.5 or 10.0.2.10. It only sees the two public tunnel endpoint addresses. The private topology is completely hidden from the transit network.

Tunnel Types and Protocols

Multiple protocol stacks implement this encapsulation model, each with different feature sets and overhead characteristics:

GRE (Generic Routing Encapsulation)

GRE, defined in RFC 2784, adds a 4-byte header and encapsulates almost any network layer protocol inside IP. GRE provides no encryption and no authentication — it is a pure encapsulation mechanism. It is widely used for site-to-site connectivity on enterprise routers (Cisco, Juniper) and is often combined with IPSec to add encryption. GRE adds 24 bytes of overhead (20 bytes outer IP header + 4 bytes GRE header).

IP-in-IP

IP-in-IP (RFC 2003) is the simplest tunnel type: an IPv4 packet encapsulated inside another IPv4 packet. The overhead is just 20 bytes for the outer IP header. No framing overhead beyond that. It carries no multicast or non-IP traffic. Linux has native support via the ipip kernel module.

6in4

A specific form of IP-in-IP that carries IPv6 packets inside IPv4 packets (protocol number 41). Used during IPv6 transition to carry IPv6 traffic across IPv4-only networks. 6in4 is the basis of many tunnel broker services that provide free IPv6 connectivity to IPv4-only hosts.

L2TP (Layer 2 Tunneling Protocol)

L2TP encapsulates Layer 2 frames (Ethernet or PPP) inside UDP packets. It was designed for ISP remote access deployments. L2TP itself has no encryption — it is almost always combined with IPSec (L2TP/IPSec). L2TP adds more overhead than simpler IP tunnels, but the ability to carry Layer 2 frames enables use cases like VLANs over WAN links.

VXLAN (Virtual Extensible LAN)

VXLAN encapsulates Ethernet frames inside UDP packets. It is the dominant overlay technology in data center virtualization and container networking (Kubernetes, Docker Swarm). VXLAN uses UDP port 4789, adds 50 bytes of overhead, and supports up to 16 million virtual network identifiers (VNIs), solving the 4096 VLAN limit of traditional 802.1Q.

WireGuard

WireGuard is a modern, high-performance VPN protocol that uses UDP encapsulation with integrated encryption (ChaCha20-Poly1305). It is built into the Linux kernel as of version 5.6. WireGuard's codebase is approximately 4,000 lines — orders of magnitude simpler than IPSec or OpenVPN.

Comparison: Common Tunnel Protocols

Protocol	Encryption	Overhead	Transport	Primary Use Case
GRE	None	~24 bytes	IP protocol 47	Enterprise site-to-site, multicast over WAN
IP-in-IP	None	~20 bytes	IP protocol 4	Simple IPv4 encapsulation
6in4	None	~20 bytes	IP protocol 41	IPv6 over IPv4 transit
GRE over IPSec	AES-256 (via IPSec)	~60 bytes	ESP/UDP 4500	Encrypted enterprise tunnels
L2TP/IPSec	AES-256 (via IPSec)	~60+ bytes	UDP 1701/4500	Remote access VPN
VXLAN	None (add IPSec separately)	~50 bytes	UDP 4789	Data center overlay, container networking
WireGuard	ChaCha20-Poly1305	~60 bytes	UDP (configurable)	Modern VPN, cloud connectivity

MTU and Fragmentation: The Critical Consideration

Every tunnel adds overhead bytes to each packet. The standard Ethernet MTU is 1500 bytes. If your tunnel adds 60 bytes of overhead, the effective payload MTU drops to 1440 bytes. Any inner packet larger than 1440 bytes must be fragmented before encapsulation or the outer packet will exceed the link MTU and require fragmentation at the IP layer.

Fragmentation is expensive. It increases CPU load, complicates reassembly at the destination, and can cause path MTU issues when firewalls block ICMP "fragmentation needed" messages (ICMP type 3 code 4). This is the single most common cause of intermittent tunnel failures — applications work for small transfers but fail or perform poorly for large file transfers.

The correct fix is to configure the tunnel interface MTU to account for encapsulation overhead. For a GRE tunnel on standard Ethernet, set the tunnel interface MTU to 1476 (1500 minus 24 bytes GRE overhead). For IPSec over GRE, set it to approximately 1400 to account for combined overhead. Additionally, configure TCP MSS clamping with iptables to prevent TCP from negotiating segment sizes that will result in oversized packets:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Real-World Use Cases

Site-to-site VPN between offices: Two Cisco routers at different offices establish a GRE tunnel over the internet, encrypted with IPSec. Traffic between the 192.168.10.0/24 and 192.168.20.0/24 subnets flows as if the offices were on the same LAN, regardless of the public internet path between them.

IPv6 connectivity via tunnel broker: A home user on an IPv4-only ISP configures a 6in4 tunnel to Hurricane Electric's tunnel broker service. The user gets a routed /48 IPv6 prefix and native IPv6 connectivity without waiting for their ISP to deploy IPv6. The IPv6 packets travel encapsulated in IPv4 across the ISP's infrastructure.

Container overlay networking: Kubernetes uses VXLAN (via Flannel, Calico, or Cilium) to create a flat virtual network across nodes. Each pod gets an IP from the cluster's Pod CIDR. VXLAN encapsulates inter-pod traffic in UDP, allowing containers on different physical hosts to communicate as if they were on the same Layer 2 network.

SD-WAN: Software-defined WAN solutions use overlay tunnels (often VXLAN or proprietary variants) over multiple underlay transports (MPLS, broadband, LTE). The SD-WAN controller dynamically routes traffic across the best available underlay path based on measured latency, packet loss, and jitter.

Common Misconceptions

Tunneling and encryption are the same thing

They are not. Tunneling is encapsulation — wrapping one packet inside another. Encryption is a separate operation that scrambles the inner packet's contents. GRE and IP-in-IP tunnel without encrypting. IPSec and WireGuard encrypt and also use tunneling for transport. You can have tunneling without encryption (GRE), encryption without tunneling (TLS for application data), or both together (GRE over IPSec, WireGuard).

A tunnel is always slower than direct routing

Not necessarily. On modern hardware with kernel-level tunnel implementations, the per-packet overhead of encapsulation is negligible — a few microseconds of CPU time. The latency impact of the tunnel is dominated by the transit path, not the encapsulation processing. Where tunnels do cause measurable performance impact is through MTU overhead and fragmentation, which is a configuration issue rather than an inherent limitation of tunneling.

Split tunneling is a security risk by definition

Split tunneling routes only specific traffic through the VPN tunnel while direct internet traffic bypasses it. It is true that split tunneling reduces the visibility and control a security team has over non-tunneled traffic. However, forcing all traffic through a VPN gateway introduces its own latency penalty and creates a bottleneck at the VPN concentrator. Whether to use full tunneling or split tunneling is a policy decision that depends on threat model and bandwidth capacity.

Tunnel interfaces need their own IP addresses

Point-to-point tunnel interfaces do need IP addresses for the tunnel endpoints (the addresses used in the outer IP header), but the tunnel interface itself can be configured as a numbered or unnumbered interface depending on routing requirements. In some configurations, the tunnel endpoint IPs are the only addresses needed and routing uses those. Unnumbered tunnel interfaces reduce address consumption in large-scale deployments.

Pro Tips

Always configure tunnel interface MTU explicitly. Do not rely on defaults. Calculate the correct MTU based on your tunnel protocol overhead and set it on the tunnel interface configuration. Follow this with TCP MSS clamping to prevent large TCP sessions from discovering the reduced MTU through fragmentation failures.
Use WireGuard for new deployments where you have control of both endpoints. Its simplicity, performance, and built-in encryption make it the best choice for most new tunnel deployments. Reserve GRE and IP-in-IP for environments where you need multicast support or interoperability with legacy hardware.
Monitor tunnel endpoint reachability separately from tunnel traffic. A tunnel can appear up (both endpoints reachable) while the inner routing is broken. Test with traffic that traverses the actual tunnel path, not just pings to the tunnel endpoint addresses.
Document every tunnel with both endpoint IPs, inner subnets, and encryption parameters. Tunnels are invisible to traceroute by default. Without documentation, debugging an outage six months later — when the engineer who built it has left — requires packet captures and reverse engineering the configuration.
Add GRE keepalives or dead-peer detection for automated failover. Without keepalives, a tunnel endpoint failure may not be detected for minutes. Configure keepalive timers appropriate to your recovery time objective to ensure routing tables are updated promptly when a tunnel goes down.

Inspect your current tunnel status and connection routing details here.

Frequently Asked Questions

Q.Is IP tunneling always encrypted?

No. Tunneling refers to encapsulation — wrapping one packet inside another. Encryption is a separate and optional operation. GRE and IP-in-IP are pure encapsulation protocols with no encryption. IPSec and WireGuard combine tunneling with encryption. You can tunnel without encrypting, which is common for carrier backbone links where physical security is assumed.

Q.What is the difference between a GRE tunnel and a VPN?

A GRE tunnel is a specific encapsulation protocol that wraps packets in a GRE header for transport over IP networks. A VPN is a broader concept of creating a private network over a public transit. GRE is often used as the tunneling mechanism inside a VPN, combined with IPSec for encryption. GRE alone is not a VPN because it provides no confidentiality or authentication.

Q.Why does my tunnel connection have intermittent problems with large file transfers?

This is almost always an MTU problem. Your tunnel adds header overhead (20-60 bytes depending on protocol), reducing the maximum inner packet size. Large file transfers generate TCP segments sized to fill the full MTU, which exceed the tunnel's effective MTU and require fragmentation or get silently dropped by firewalls that block ICMP fragmentation-needed messages. Fix by setting the tunnel interface MTU explicitly and configuring TCP MSS clamping.

Q.What is VXLAN and why is it used in container networking?

VXLAN (Virtual Extensible LAN) encapsulates Ethernet frames inside UDP packets, creating Layer 2 overlay networks across Layer 3 infrastructure. Container networking platforms like Kubernetes use VXLAN to give each pod an IP address from a flat cluster-wide subnet, even when pods run on different physical hosts on different subnets. VXLAN supports up to 16 million virtual network identifiers, far exceeding the 4096 VLAN limit of 802.1Q.

Q.What is 6in4 tunneling and why is it still used?

6in4 encapsulates IPv6 packets inside IPv4 packets, allowing IPv6 traffic to traverse IPv4-only network paths. It is still used by tunnel broker services like Hurricane Electric to provide IPv6 connectivity to users whose ISPs have not yet deployed native IPv6. The IPv6 packet becomes the payload of an IPv4 packet with protocol number 41, transparent to the IPv4 transit network.

Q.How does split tunneling work in a VPN?

Split tunneling sends only specific traffic through the VPN tunnel while other traffic goes directly to the internet. Routes injected by the VPN client determine which destinations use the tunnel. Corporate traffic destined for internal subnets traverses the encrypted tunnel; browsing traffic goes directly out the local internet connection. Split tunneling reduces VPN gateway load and improves performance but reduces visibility over non-tunneled traffic.

Q.What is the overhead of different tunnel protocols?

IP-in-IP adds approximately 20 bytes (one extra IP header). GRE adds approximately 24 bytes (20-byte outer IP header plus 4-byte GRE header). VXLAN adds approximately 50 bytes. IPSec in tunnel mode adds approximately 60-80 bytes depending on cipher and authentication algorithms. WireGuard adds approximately 60 bytes. All of these reduce the effective payload MTU compared to a native Ethernet path.

Q.Can I run multiple tunnels between the same two endpoints?

Yes. You can create multiple tunnel interfaces between the same two physical endpoints for different purposes — separate traffic segregation, load balancing across different physical paths, or testing. Each tunnel interface has its own IP and routing configuration. In practice, VXLAN VNIs are used to multiplex many virtual networks over the same UDP encapsulation between the same two endpoints without separate tunnel interfaces.

Q.What is WireGuard and how does it differ from older VPN tunnel protocols?

WireGuard is a modern VPN protocol built into the Linux kernel since version 5.6. It uses UDP encapsulation with ChaCha20-Poly1305 encryption and the Noise Protocol Framework for key exchange. Its codebase is approximately 4,000 lines versus hundreds of thousands for IPSec implementations. WireGuard is faster in benchmarks on commodity hardware, simpler to configure, and has a significantly smaller attack surface.

Q.How do I troubleshoot a tunnel that shows as up but passes no traffic?

Start by checking the routing table — the tunnel may be up but no routes are pointing traffic into it. Verify the inner IP addresses and subnet masks on both ends are correctly configured. Check the tunnel interface MTU against actual packet sizes. Capture traffic at both tunnel endpoints to see if packets are being encapsulated and arriving. For IPSec tunnels, check that traffic selectors match on both sides.

Q.What is GRE keepalive and why should I configure it?

GRE keepalive sends periodic probe packets through the tunnel. If the remote endpoint stops responding, the local router marks the tunnel interface as down and withdraws associated routes. Without keepalive, the routing protocol may not detect the outage for minutes, during which traffic is black-holed. Configure keepalive timers to match your recovery time objective — typical values are 10-second intervals with 3-5 retries.

Q.Are tunnels visible to traceroute?

Not by default. Traceroute works by sending packets with incrementing TTL values and reading ICMP Time Exceeded responses from each router hop. Tunnel endpoints typically do not decrement TTL for the inner packet before re-encapsulation, so intermediate hops inside the tunnel are invisible. The traceroute output shows a hop from the ingress endpoint to the egress endpoint with no intermediate routers visible.

TOPICS & TAGS

ip tunneltunnelingencapsulationvpn basicsnetworking advancedwhat is an ip tunnel secure data passage guide 2026the car on the train analogy for network encapsulationhow wrapping one packet inside another allows global datathe digital passage for unsupported network protocolsit guide to vpn foundations and private business tunnelscarrying ipv6 traffic across older ipv4 only networksdisguising data types to bypass restrictive firewallstechnical tutorial for configuring gre and ip in ip tunnelsunmasking the difference between tunneling and encryptionimpact of tunnel overhead on network speed and latencysecuring the hidden infrastructure of the global internetprofessional grade networking for flexible and global appswhy tunnels are essential for cloud and hybrid systemsGRE tunnel configurationIPIP tunnel linux6in4 tunnel IPv6 over IPv4tunnel MTU overheadsplit tunneling VPNsite to site tunnelVXLAN overlay networktunnel endpoint IP