In Linux, a network interface is a software-based configuration that can be activated or deactivated, while a network device is a physical networking card or adapter connected to the system. All network communication passes between configured network interfaces and physical network devices before data packets are transmitted. Typically a network device in a system, for example eth0, has a physical device associated with it which is used to put packets on the wire. In contrast, a TUN or TAP device is entirely virtual and managed by the kernel. User-space applications can interact with TUN and TAP devices as if they were real; behind the scenes, the operating system pushes or injects the packets into the regular networking stack as required, making everything appear as if a real device is being used [2].

0. Physical Network Adapter

Computer systems typically have one or more network devices, e.g. eth0, eth1, etc. Each of these network devices is associated with a physical network adapter, which is responsible for placing the packets onto the wire.

            Physical Network Adapter             
                +-------------+   
                | Socket API  |   
                +-------------+              
User Space             |
-----------------------------------------------
Kernel Space           |
                 raw packets
                       |              
                +-------------+  
                |Network Stack|   
                +-------------+  
                       |                  
                +-------------+   
                |    eth0     |  
                +-------------+  
                       |                  
                +-------------+   
                |     NIC     |  
                +-------------+      
                       |   
                      wire

1. TUN Interfaces

TUN devices work at the IP level or layer three level of the network stack and are usually point-to-point connections. A typical use for a TUN device is establishing VPN connections since it gives the VPN software a chance to encrypt the data before it gets put on the wire. Since a TUN device works at layer three it can only accept IP packets and in some cases only IPv4. If you need to run any other protocol over a TUN device you’re out of luck. Additionally because TUN devices work at layer three they can’t be used in bridges and don’t typically support broadcasting.

2. TAP Interfaces

TAP devices, in contrast, work at the Ethernet level or layer two and therefore behave very much like a real network adaptor. Since they are running at layer two they can transport any layer three protocol and aren’t limited to point-to-point connections. TAP devices can be part of a bridge and are commonly used in virtualization systems to provide virtual network adaptors to multiple guest machines. Since TAP devices work at layer two they will forward broadcast traffic which normally makes them a poor choice for VPN connections as the VPN link is typically much narrower than a LAN network (and usually more expensive).

                      TUN                TAP
                +-------------+    +-------------+
                | Socket API  |    |  Socket API |
                +-------------+    +-------------+
                       |                  |
                +-------------+    +-------------+
                |     APP     |    |     APP     |
                +-------------+    +-------------+
                       |                  |
User Space      +-------------+    +-------------+
----------------|  /dev/tunX  | ---|  /dev/tapX  | ----------------
Kernel Space    +-------------+    +-------------+
                       |                  |
                  l3 packets        raw packets
                       |                  |
                +-------------+    +-------------+
                |Network Stack|    |Network Stack|
                +-------------+    +-------------+
                       |                  |
                +-------------+    +-------------+
                |    tunX     |    |    tapX     |
                +-------------+    +-------------+
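The layer difference shows up directly in what a user-space program reads from the device file descriptor. The following Python sketch is an added example, not code from the original page: it attaches to a TUN or TAP interface through /dev/net/tun and parses a buffer in each mode. The function names and the sample bytes are constructed for illustration, and the parser also recognizes IPv6, which goes slightly beyond the text.

```python
import fcntl, os, struct

# Constants from <linux/if_tun.h> (TUNSETIFF value as on x86 and ARM)
TUNSETIFF = 0x400454CA
IFF_TUN, IFF_TAP, IFF_NO_PI = 0x0001, 0x0002, 0x1000

def open_tuntap(name, tap=False):
    """Attach to (or create) a TUN/TAP interface; needs CAP_NET_ADMIN."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    # IFF_NO_PI: do not prepend the 4-byte packet-info header to each read
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    # struct ifreq: 16-byte interface name, short flags, padding
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH22x", name.encode(), flags))
    return fd

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ip(pkt):
    """What read() on a TUN fd returns with IFF_NO_PI: a bare IP packet."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        return {"l3": "IPv4", "proto": pkt[9],
                "src": ".".join(map(str, pkt[12:16])),
                "dst": ".".join(map(str, pkt[16:20]))}
    if version == 6 and len(pkt) >= 40:
        return {"l3": "IPv6", "proto": pkt[6]}
    return {"l3": "unknown"}

def parse_frame(frame):
    """What read() on a TAP fd returns: a full Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "ethertype": ethertype}
    if ethertype in (0x0800, 0x86DD):      # IPv4 / IPv6 payload
        info.update(parse_ip(frame[14:]))
    elif ethertype == 0x0806:              # ARP never appears on a TUN device
        info["l3"] = "ARP"
    return info

# Constructed sample data (checksum left as zero, payload is padding)
SAMPLE_IP = bytes.fromhex("45000054000040004001" "0000" "0a000001" "0a000002") + bytes(64)
SAMPLE_ARP_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
SAMPLE_IP_FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + SAMPLE_IP
```

Parsing a TAP frame with `parse_ip` yields `unknown`, which is why a program has to know which mode the descriptor was opened in before interpreting what it reads.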

3. VETH Pairs

A pair of connected interfaces, commonly known as a veth pair, can be created to act as virtual wiring. Essentially what you are creating is a virtual equivalent of a patch cable. What goes in one end comes out the other.

                             Veth Pair
                +-------------+    +-------------+
                | Socket API  |    |  Socket API |
                +-------------+    +-------------+
User Space             |                  |
-------------------------------------------------------------------
Kernel Space           |                  |
                       |                  |
                  raw packets        raw packets
                       |                  |
                +-------------+    +-------------+
                |Network Stack|    |Network Stack|
                +-------------+    +-------------+
                       |                  |
                +-------------+    +-------------+
                |    vethX    |    |    vethX    |
                +-------------+    +-------------+
                       |                  |
                       +------------------+

REF

  1. TUN, TAP and Veth - Virtual Networking Devices Explained
  2. Understanding TUN TAP Interfaces
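  3. How the tap/tun virtual network devices work
  4. Linux virtual network device veth-pair explained in detail
  5. 猿大白 @ WeChat official account "Linux Cloud Computing Networking"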