Virtual Networking Devices

From HPCWIKI

In the physical world, a computer system typically has one or more physical network adapters, named something like ethX or enoX on Linux.

In the virtual networking world, TUN and TAP devices and veth pairs provide virtual network connectivity on a host. Like physical adapters, they can be assigned an IP address, have their traffic captured and analyzed, have traffic routed to them, and so on.[1]

Ref: packetcoders.io

Basic aspects and limitations of standard Linux bridges[2]

  • A “tap” device attached to one Linux bridge cannot be attached to another Linux bridge.
  • All attached devices are switched into the promiscuous mode.
  • The bridge itself (not a tap device at a port!) can get an IP address and may work as a standard Ethernet device. The host can communicate via this address with other guests attached to the bridge.
  • Properly configured, the bridge forwards frames directly between the two bridge ports involved in a communication stream between two attached guests, without exposing the traffic to other ports and other guests. The bridge learns and updates the association of MAC addresses to bridge ports (its forwarding database).
  • The virtual bridge device itself – in its role as an Ethernet device – does not work in promiscuous mode. However, packets arriving through one of its ports for (yet) unknown addresses may be flooded to all ports.
  • You cannot bridge a Linux bridge directly by or with another Linux bridge (no Linux bridge cascading), nor can you connect a Linux bridge to another Linux bridge via a “tap” device. (Two bridges can still be linked with a veth pair, one end enslaved to each bridge.)

vtap (network tap)[3]

A virtual “tap” device is a virtual point-to-point device: a user-space program (or a virtual machine) reads and writes a file descriptor (fd), and each read or write carries one raw Ethernet frame, i.e. the device operates at layer 2. KVM/qemu virtualization uses tap devices to connect guests to the host network.[4]

Because it works at layer 2, a tap device transports whatever protocol is carried in the Ethernet frames (IPv4, IPv6, AppleTalk, IPX, ARP, etc.), including non-IP traffic. Such traffic can be handled by a bridge, but not by a router.

vtun (tunnel)[5]

Like a tap device, a tun device is a point-to-point device backed by a file descriptor in a user-space program. However, it operates at layer 3, carrying IP packets rather than Ethernet frames.[4]

A tun device is commonly used by VPN clients to establish a connection between the client and the OS networking stack: the kernel routes plaintext packets into the tun device, and the VPN client reads them, encrypts them and forwards them to the VPN server through the tunnel. Because tun works at layer 3 of the networking stack, it deals exclusively in network protocol packets (IPv4 and IPv6) and can only be used for routing, not for bridging.
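The layer-2 versus layer-3 difference described for tap and tun above is visible in what a program gets back from each read() on the device's file descriptor. The following is an added example, not code from the HPCWIKI page: it parses a TAP read (an Ethernet frame) and a TUN read (an IP packet, optionally prefixed by the 4-byte tun_pi header that the kernel adds when the device was created with packet info, i.e. without IFF_NO_PI). All sample traffic is constructed by hand in the block, not captured from a real interface; the builder functions and names are this example's own.

```python
"""Added example (not from the wiki page): what a user-space program
receives from a TAP fd (raw Ethernet frames, layer 2) versus a TUN fd
(IP packets, layer 3). Sample traffic is constructed, not captured."""
import ipaddress
import struct

# Ethertypes a TAP program may see; a TUN device only ever delivers IPv4/IPv6.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
              0x8137: "IPX", 0x809B: "AppleTalk"}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tap_frame(frame):
    """One read() from a TAP fd is one Ethernet frame: 14-byte header + payload."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "proto": ETHERTYPES.get(ethertype, "0x%04x" % ethertype),
            "payload": frame[14:]}


def parse_ip_packet(pkt):
    """Parse an IPv4/IPv6 header; anything else is not something TUN carries."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[2:4])[0]
        return {"version": 4, "proto": pkt[9],
                "src": str(ipaddress.ip_address(pkt[12:16])),
                "dst": str(ipaddress.ip_address(pkt[16:20])),
                "payload": pkt[ihl:total_len]}
    if version == 6 and len(pkt) >= 40:
        payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
        return {"version": 6, "proto": next_hdr,
                "src": str(ipaddress.ip_address(pkt[8:24])),
                "dst": str(ipaddress.ip_address(pkt[24:40])),
                "payload": pkt[40:40 + payload_len]}
    raise ValueError("not an IP packet: a TUN device cannot carry this (use TAP)")


def parse_tun_read(buf, packet_info=False):
    """One read() from a TUN fd is one IP packet. If the device was created with
    packet info ('ip tuntap ... pi', i.e. without IFF_NO_PI) the kernel prefixes
    each packet with struct tun_pi: 2-byte flags (host order) + 2-byte ethertype."""
    pi_proto = None
    if packet_info:
        pi_proto = struct.unpack("!H", buf[2:4])[0]
        buf = buf[4:]
    info = parse_ip_packet(buf)
    info["pi_proto"] = pi_proto
    return info


def tun_can_carry(buf):
    """True if buf is something a TUN device could deliver (an IPv4/IPv6 packet)."""
    try:
        parse_ip_packet(buf)
        return True
    except ValueError:
        return False


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Construct a minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ether(dst, src, ethertype, payload):
    """Construct an Ethernet frame as a TAP program would read or write it."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


# Constructed samples (ICMP echo request, id 0, seq 0; checksum 0xf7ff).
ICMP_ECHO = bytes.fromhex("0800f7ff00000000")
SAMPLE_IPV4 = build_ipv4("10.0.0.1", "10.0.0.2", 1, ICMP_ECHO)      # a TUN read, no pi
SAMPLE_TUN_PI = bytes(2) + struct.pack("!H", 0x0800) + SAMPLE_IPV4   # same, device created with pi
SAMPLE_TAP_IPV4 = build_ether("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800, SAMPLE_IPV4)
SAMPLE_ARP = build_ether("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806,
                         struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                                     bytes.fromhex("020000000001"),
                                     ipaddress.ip_address("10.0.0.1").packed,
                                     bytes(6), ipaddress.ip_address("10.0.0.2").packed))

if __name__ == "__main__":
    print("TAP read:", parse_tap_frame(SAMPLE_ARP)["proto"], "(non-IP, only TAP carries it)")
    print("TAP read:", parse_ip_packet(parse_tap_frame(SAMPLE_TAP_IPV4)["payload"]))
    print("TUN read:", parse_tun_read(SAMPLE_IPV4))
    print("TUN read with pi:", hex(parse_tun_read(SAMPLE_TUN_PI, packet_info=True)["pi_proto"]))
    print("TUN can carry the ARP frame?", tun_can_carry(SAMPLE_ARP))
```

The ARP frame is the point of the example: a TAP program sees it as a normal frame (and a bridge will forward it), while the same bytes handed to the TUN parser fail, because nothing in a TUN read has a link-layer header. A real program would obtain the buffers with os.read() on the fd returned by the TUNSETIFF ioctl; keep the packet_info flag of the parser in step with how the device was created, or every packet will be misparsed by four bytes.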

VPN connection driver

Both tun and tap devices are used by VPN clients to establish the tunnel. Without them, data encrypted by a VPN client could not move between the client and the networking stack. For VPNs, TAP is used to carry Ethernet frames (bridging) and TUN is used to carry IP packets (routing).

Because VPN clients install TUN/TAP drivers on the host system as part of their own installation (typically on Windows, where each client ships its own TAP adapter driver), a system on which several VPN clients have been installed over time may begin to show errors caused by the presence of multiple TAP adapters. In that case, uninstall any old VPN clients and the TUN/TAP drivers they left behind.

veth

Virtual "eth" devices (veth) come in pairs of connected virtual Ethernet interfaces, like a physical network cable with two ends: whatever is written into one end comes out of the other. Each end of a pair can be attached to a different virtual networking component, such as a Linux bridge, an OVS bridge, an LXC container's network namespace or a VMware network, which connects those components together.

* A KVM guest needs a macvtap/macvlan device to be bridged onto a veth device.[6]

Managing TUN/TAP interfaces

  • ip tuntap can be used to manage TUN/TAP interfaces in Linux. For example:
$ ip tuntap help
Usage: ip tuntap { add | del | show | list | lst | help } [ dev PHYS_DEV ]
          [ mode { tun | tap } ] [ user USER ] [ group GROUP ]
          [ one_queue ] [ pi ] [ vnet_hdr ] [ multi_queue ] [ name NAME ]

Where: USER  := { STRING | NUMBER }
       GROUP := { STRING | NUMBER }
  • A basic tun/tap Python package is also available at this page
  • A tun/tap C programming example is also available at this page
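What `ip tuntap add` does behind the usage text above is a short sequence of ioctls on /dev/net/tun, and the `user`/`group` options are the security-relevant part: they name who may later attach to the interface without CAP_NET_ADMIN. The following is an added example, not code from the HPCWIKI page or from iproute2; it writes that sequence out in Python. The ioctl request numbers are computed with the asm-generic _IOW encoding (x86-64, arm64; other architectures encode differently), the IFF_* values are the ones from <linux/if_tun.h>, and the function names are this example's own. Creating or deleting a device needs CAP_NET_ADMIN; the flag and owner helpers run without it.

```python
"""Added example (not from the wiki page): the ioctl sequence behind
`ip tuntap add dev NAME mode {tun|tap} [user U] [group G] [pi] ...`.
Request numbers assume the asm-generic ioctl encoding (x86-64, arm64)."""
import fcntl
import grp
import os
import pwd
import struct

# IFF_* flags from <linux/if_tun.h>
IFF_TUN, IFF_TAP = 0x0001, 0x0002
IFF_MULTI_QUEUE, IFF_NO_PI, IFF_ONE_QUEUE, IFF_VNET_HDR = 0x0100, 0x1000, 0x2000, 0x4000


def _IOW(type_char, nr, size):
    """Linux _IOW() macro: direction=write (1) in bits 30-31, then size, type, number."""
    return (1 << 30) | (size << 16) | (ord(type_char) << 8) | nr


TUNSETIFF = _IOW("T", 202, 4)      # bind the fd to interface NAME with IFF_* flags
TUNSETPERSIST = _IOW("T", 203, 4)  # keep the interface alive after the fd is closed
TUNSETOWNER = _IOW("T", 204, 4)    # uid allowed to attach later without CAP_NET_ADMIN
TUNSETGROUP = _IOW("T", 206, 4)    # gid allowed to attach later without CAP_NET_ADMIN


def tuntap_flags(mode, packet_info=False, one_queue=False, vnet_hdr=False, multi_queue=False):
    """Translate the ip-tuntap options into the flags word for TUNSETIFF.
    The 'pi' option means: do NOT set IFF_NO_PI (the kernel then prefixes
    every packet with the 4-byte struct tun_pi)."""
    if mode not in ("tun", "tap"):
        raise ValueError("mode must be 'tun' or 'tap'")
    flags = IFF_TAP if mode == "tap" else IFF_TUN
    if not packet_info:
        flags |= IFF_NO_PI
    if one_queue:
        flags |= IFF_ONE_QUEUE
    if vnet_hdr:
        flags |= IFF_VNET_HDR
    if multi_queue:
        flags |= IFF_MULTI_QUEUE
    return flags


def resolve_owner(user=None, group=None):
    """USER/GROUP may be a name or a number, as in ip tuntap; -1 means 'not set'."""
    uid = -1 if user is None else (int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid)
    gid = -1 if group is None else (int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid)
    return uid, gid


def tuntap_add(name, mode="tap", user=None, group=None, **opts):
    """ip tuntap add dev NAME mode MODE [user USER] [group GROUP] [pi] [vnet_hdr] ..."""
    if len(name.encode()) > 15:
        raise ValueError("interface name must be at most 15 bytes (IFNAMSIZ - 1)")
    uid, gid = resolve_owner(user, group)
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        # struct ifreq: 16-byte name followed by the flags; Python pads the buffer.
        fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), tuntap_flags(mode, **opts)))
        if uid >= 0:
            fcntl.ioctl(fd, TUNSETOWNER, uid)
        if gid >= 0:
            fcntl.ioctl(fd, TUNSETGROUP, gid)
        fcntl.ioctl(fd, TUNSETPERSIST, 1)   # without this the device vanishes at close()
    finally:
        os.close(fd)


def tuntap_del(name, mode="tap"):
    """ip tuntap del dev NAME mode MODE: attach to the device, then clear persist."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), tuntap_flags(mode)))
        fcntl.ioctl(fd, TUNSETPERSIST, 0)
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    # sudo python3 tuntap.py add tap0 tap alice      sudo python3 tuntap.py del tap0 tap
    if len(sys.argv) >= 4 and sys.argv[1] == "add":
        tuntap_add(sys.argv[2], sys.argv[3], user=sys.argv[4] if len(sys.argv) > 4 else None)
    elif len(sys.argv) >= 4 and sys.argv[1] == "del":
        tuntap_del(sys.argv[2], sys.argv[3])
    else:
        print("TUNSETIFF =", hex(TUNSETIFF), "flags for 'mode tap' =", hex(tuntap_flags("tap")))
```

The caveat a practitioner should keep in mind: once a persistent tap has an owner, that uid can open /dev/net/tun and issue TUNSETIFF for the interface name with no capability at all, which means it can read every frame the host sends out of that port and inject arbitrary frames (spoofed source MAC, gratuitous ARP, forged IP) into whichever bridge the tap is enslaved to. Treat `user`/`group` on `ip tuntap add` as granting raw layer-2 access to that segment, not merely as file ownership, and only enable `pi` when the program on the other end actually consumes the tun_pi header.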

References