1.1 Tun/Tap
TUN (namely network TUNnel) simulates a network layer device and it operates with layer 3 packets like IP packets. TAP (namely network tap) simulates a link layer device and it operates with layer 2 packets like Ethernet frames. TUN is used with routing, while TAP is used for creating a network bridge.
Packets sent by an operating system via a TUN/TAP device are delivered to a user-space program which attaches itself to the device. A user-space program may also pass packets into a TUN/TAP device. In this case the TUN/TAP device delivers (or "injects") these packets to the operating-system network stack thus emulating their reception from an external source.
1.2 Usage
- ip tuntap
#ip tuntap help
Usage: ip tuntap { add | del | show | list | lst | help } [ dev PHYS_DEV ]
[ mode { tun | tap } ] [ user USER ] [ group GROUP ]
[ one_queue ] [ pi ] [ vnet_hdr ] [ multi_queue ]
Where: USER := { STRING | NUMBER }
GROUP := { STRING | NUMBER }
- tunctl (man tunctl for help)
#tunctl help
Create: tunctl [-b] [-u owner] [-g group] [-t device-name] [-f tun-clone-device]
Delete: tunctl -d device-name [-f tun-clone-device]
The default tun clone device is /dev/net/tun - some systems use
/dev/misc/net/tun instead
-b will result in brief output (just the device name)
1.3 See also
2.1 veth
The veth devices are virtual Ethernet devices. They can act as tunnels between network namespaces to create a bridge to a physical network device in another namespace, but can also be used as standalone network devices.
2.2 Usage
veth devices are always created in interconnected pairs. A pair can
be created using the command:
# ip link add <p1-name> type veth peer name <p2-name>
In the above, p1-name and p2-name are the names assigned to the two connected end points. Packets transmitted on one device in the pair are immediately received on the other device. When either devices is down the link state of the pair is down.
veth device pairs are useful for combining the network facilities of the kernel together in interesting ways. A particularly interesting use case is to place one end of a veth pair in one network namespace and the other end in another network namespace, thus allowing communication between network namespaces. To do this, one first create the veth device as above and then moves one side of the pair to the other namespace:
# ip link set <p2-name> netns <p2-namespace>
ethtool can be used to find the peer of a veth network interface, using commands something like:
ip link add ve_A type veth peer name ve_B # Create veth pair
ethtool -S ve_A # Discover interface index of peer
NIC statistics:
peer_ifindex: 16
ip link | grep '^16:' # Look up interface
16: ve_B@ve_A: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc ...
