Question

I have a little problem understanding how the tun/tap device actually works, here is it from the wiki

  1. How does Virtual network device actually work? Virtual network device can be viewed as a simple Point-to-Point or Ethernet device, which instead of receiving packets from a physical media, receives them from user space program and instead of sending packets via physical media sends them to the user space program.

Let's say that you configured IPX on the tap0, then whenever the kernel sends an IPX packet to tap0, it is passed to the application (VTun for example). The application encrypts, compresses and sends it to the other side over TCP or UDP. The application on the other side decompresses and decrypts the data received and writes the packet to the TAP device, the kernel handles the packet like it came from real physical device.

Ok, "The application encrypts, compresses and sends it to the other side over TCP or UDP."

If you have 3 physical connections, each routing to the internet, which physical device will the tun/tap device use to route to the internet?

I'm confused, as no one actually talks about what the real relation is between the tun/tap interface and the actual physical interface(s).

Thanks in advance.


Solution

There is no inherent relation.

It is important to understand that neither TUN/TAP nor any other device does routing. Internet Protocol (IP) routing is handled by the IP stack, and it can't really tell the difference between a TAP interface and a real Ethernet interface. Packets received by the IP stack from TUN/TAP interfaces are generated by a program on that same machine, and when the IP stack routes packets out a TUN or TAP interface they are received only by the software that opened the interface. Think of them as Ethernet ports that are wired to software instead of a real Ethernet network.

You seem to grasp the example you quoted well enough. Vtun (the software) opens both the tap0 interface and a socket that is then routed like any other IP traffic. Vtun takes packets it receives on tap0 and encapsulates them with encryption and compression and pushes them out the socket. Another instance of Vtun on the other end of that socket (probably running on a different machine) decapsulates the packets from the socket and pushes them out its TAP interface to be processed by its kernel's networking layer.

But the socket isn't part of TAP at all, and how it is routed is up to the IP stack. If both instances of Vtun run on the same system, the socket would not need to route out a physical interface. And in such a use case, the socket (and encryption and compression) can be removed entirely. You could have a single program dumbly copying data between two TAP interfaces. There is nothing in the TUN/TAP spec that requires a socket or physical interfaces; the example socket is incidental, a feature introduced by the nature of the Vtun program.

So your question about three physical connections to the internet is not related to TUN/TAP, but is about general IP routing instead. The answer there is highly dependent on your specific configuration.
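As an added example (not code from the question, the answers, or Vtun itself): a minimal Python TAP-to-UDP forwarder with the shape the answer describes. The tap name, peer address and ports are assumed, and the sample frame is constructed; note that reading the tap yields a whole Ethernet frame, while the UDP socket is just another socket that the IP stack routes however the host's routing table says.

```python
"""TAP <-> UDP forwarder: a program wired to one end of a TAP interface (added example)."""
import fcntl
import os
import select
import socket
import struct
import sys

# Constants from <linux/if_tun.h>; Linux only, needs CAP_NET_ADMIN to attach.
TUNSETIFF = 0x400454CA
IFF_TAP = 0x0002      # L2 frames (IFF_TUN would give raw L3 packets instead)
IFF_NO_PI = 0x1000    # no 4-byte packet-info header in front of each frame

# Constructed sample: a broadcast ARP frame, as the kernel might hand one to tap0.
SAMPLE_ARP_FRAME = bytes.fromhex("ffffffffffff") + bytes.fromhex("0a0000000001") + b"\x08\x06" + b"\x00" * 28


def ifreq_for_tap(name: str) -> bytes:
    """Build the struct ifreq for TUNSETIFF: IFNAMSIZ (16) byte name followed by the flags."""
    return struct.pack("16sH", name.encode(), IFF_TAP | IFF_NO_PI)


def open_tap(name: str) -> int:
    """Open the clone device and attach it to a TAP interface; the fd is our 'cable'."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, ifreq_for_tap(name))
    return fd


def parse_ethernet(frame: bytes) -> dict:
    """A TAP read returns a full L2 frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": frame[14:]}


def forward(tap_fd: int, sock: socket.socket, peer: tuple) -> None:
    """Copy frames tap -> UDP and UDP -> tap. Unlike Vtun nothing is encrypted here,
    so frames cross the network in cleartext; the IP stack decides which physical
    interface the UDP datagrams leave on, exactly as for any other socket."""
    while True:
        ready, _, _ = select.select([tap_fd, sock], [], [])
        if tap_fd in ready:
            sock.sendto(os.read(tap_fd, 65535), peer)   # kernel routed a frame out the TAP
        if sock in ready:
            frame, _ = sock.recvfrom(65535)
            os.write(tap_fd, frame)                     # kernel now sees it arriving on the TAP


if __name__ == "__main__":   # usage: tapfwd.py <tap name> <local port> <peer host> <peer port>
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("0.0.0.0", int(sys.argv[2])))
    forward(open_tap(sys.argv[1]), udp, (sys.argv[3], int(sys.argv[4])))
```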

OTHER TIPS

TUN/TAPs are not connected to any physical interface (directly). They are used by programs to write/read L2/L3 packets to/from a virtual entity - a user space program instead of a physical device.

A use case for TUN is below: You have a VM on a machine 'RealDeal'. The VM has a NIC (virtual) which processes Ethernet frames for the VM. But 'RealDeal' strips all the Ethernet frame headers and sends the IP packet upstream. This is a problem. A Tap interface attached to the bridge tells the OS not to strip the Ethernet headers if the packets are intended for the VM.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow