The data itself is read from a character device file, the so-called virtual network device. This device is associated with a network interface. Any data sent to this interface can be read from the device, and any data written to the device gets sent from the interface. There are two possible types of virtual network devices: ‘tun’ style, which are point-to-point devices which can only handle IPv4 and/or IPv6 packets, and ‘tap’ style, which are Ethernet devices and handle complete Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines its type. When tinc is in its default routing mode, it can handle IPv4 and IPv6 packets. Depending on the Subnet lines, it will send the packets off to their destination IP address. In the ‘switch’ and ‘hub’ mode, tinc will use broadcasts and MAC address discovery to deduce the destination of the packets. Since the latter modes only depend on the link layer information, any protocol that runs over Ethernet is supported (for instance IPX and Appletalk). However, only ‘tap’ style devices provide this information.
After the destination has been determined, the packet will be compressed (optionally), a sequence number will be added to the packet, the packet will then be encrypted and a message authentication code will be appended.
When that is done, time has come to actually transport the packet to the destination computer. We do this by sending the packet over an UDP connection to the destination host. This is called encapsulating, the VPN packet (though now encrypted) is encapsulated in another IP datagram.
When the destination receives this packet, the same thing happens, only in reverse. So it checks the message authentication code, decrypts the contents of the UDP datagram, checks the sequence number and writes the decrypted information to its own virtual network device.
If the virtual network device is a ‘tun’ device (a point-to-point tunnel), there is no problem for the kernel to accept a packet. However, if it is a ‘tap’ device (this is the only available type on FreeBSD), the destination MAC address must match that of the virtual network interface. If tinc is in its default routing mode, ARP does not work, so the correct destination MAC can not be known by the sending host. Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface and overwriting the destination MAC address of the received packet.
In switch or hub modes ARP does work so the sender already knows the correct destination MAC address. In those modes every interface should have a unique MAC address, so make sure they are not the same. Because switch and hub modes rely on MAC addresses to function correctly, these modes cannot be used on the following operating systems which don’t have a ‘tap’ style virtual network device: OpenBSD, NetBSD, Darwin and Solaris.