TUN, TAP and Veth - Virtual Networking Devices Explained
Computer systems typically consist of a (or set of) networking devices, i.e eth0, eth1 etc. These network devices are associated to a physical network adapter, which is responsible for placing the packets onto the wire (Figure 1).
Figure 1. Physical network adapter.
However, in the world of virtual networking, a degree of internal plumbing is required to patch, tunnel and forward packets within the system. This "internal plumbing" is built using virtual networking devices, such as - TUN, TAP and Veth Pairs.
TUN/TAP provides packet reception and transmission for user space programs. It can be seen as a simple Point-to-Point or Ethernet device, which, instead of receiving packets from physical media, receives them from user space program and instead of sending packets via physical media writes them to the user space program.
Or in other words, the TUN/TAP driver builds a virtual network interface on your Linux host. The interface functions like any other interface, i.e you can assign an IP to it, analyze the traffic, route traffic to it etc. When traffic is sent to the interface, the traffic is sent to your user space program rather than the real network.
There are 2 driver modes for TUN/TAP, yep you guessed it - TUN and TAP.
- TUN (tunnel) devices operate at layer 3, meaning the data (packets) you will receive from the file descriptor will be IP based. Data written back to the device must also be in the form of an IP packet.
- TAP (network tap) operates much like TUN however instead of only being able to write and receive layer 3 packets to/from the file descriptor it can do so with raw ethernet packets. You will typically see tap devices used by KVM/Qemu virtualization, where a TAP device is assigned to a virtual guests interface during creation.
Figure 2. TUN/TAP virtual devices.
Veth devices are built as pairs of connected virtual ethernet interfaces and can thought of as a virtual patch cable. What goes in one end will come out the other.
This makes veth pairs ideal for connecting different virtual networking components together such as Linux bridges, OVS bridges and LXC containers.
One common use case you will see for veth pairs is within Openstack Neutron. Where veth pairs are used to connect multiple Linux bridges together, something that you cannot currently do with tap based devices.
Figure 3. Veth virtual devices.
And finally we provide a side by side comparison of the previously described network devices (Figure 4).
Figure 4. Physical, TUN/TAP and Veth networking devices.