Reading about Tun/Tap from kernel documentation https://www.kernel.org/doc/Documentation/networking/tuntap.txt it is clear that this interface is not backed by hardware. If I set up an iptables firewall to deny in/out traffic on all interfaces except tun0, how does the OpenVPN client actually get the data on the wire?
When the kernel decides it's time to put data on the wire, for the tun0 interface it sends the data to a userspace program (the OpenVPN client). I assume that this program must prepare the data for tunneling, then open a socket and actually send the data out using a non-virtual interface like eth0. But this is supposed to be blocked by the firewall. Yet it works.
Does OpenVPN client somehow bypass the firewall mechanism (iptables)?
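As an added illustration of the packet path the question describes (this is not from the post or from the OpenVPN project): a packet an application sends into tun0 traverses the iptables OUTPUT chain once with `-o tun0`, is handed to the openvpn process through /dev/net/tun, gets encrypted and written to openvpn's UDP socket, and then traverses OUTPUT a second time with `-o eth0`. A "tun0 only" ruleset therefore needs one explicit rule for that second pass, or the encapsulated packets are dropped before they reach the wire. The script below generates such a ruleset; the interface name `eth0`, the server address `203.0.113.10` and port `1194` are assumed placeholders, and the function that applies the rules only runs as root.

```sh
# Added example, not code from the original post. Generates an iptables
# "kill switch" that permits application traffic only via tun0 and adds the
# single rule the openvpn process needs for its own UDP socket on the
# physical interface. Interface, server address and port are assumptions.

vpn_killswitch_rules() {
  phys="$1"    # physical interface, e.g. eth0 (assumed)
  server="$2"  # VPN server IP; use an address, not a name, since DNS is blocked
  port="$3"    # OpenVPN port; 1194/udp is the default

  # Default-deny in every direction, then poke exactly the holes needed:
  #  - loopback
  #  - replies to connections we initiated (covers both the tunnel payload
  #    coming back on tun0 and the server's UDP replies arriving on $phys)
  #  - first OUTPUT pass: cleartext application packets into tun0
  #  - second OUTPUT pass: encrypted UDP datagrams from openvpn out of $phys
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -o $phys -p udp -d $server --dport $port -j ACCEPT
EOF
}

# Apply the generated rules; refuses to run unless root, since iptables
# needs CAP_NET_ADMIN. Flush existing rules first so the policy is exact.
vpn_killswitch_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "vpn_killswitch_apply: run as root" >&2; return 1; }
  iptables -F && iptables -X || return 1
  vpn_killswitch_rules "$@" | sh -e
}

# Usage (prints the rules without applying them):
#   vpn_killswitch_rules eth0 203.0.113.10 1194
# To apply on a real host: vpn_killswitch_apply eth0 203.0.113.10 1194
```

Removing the last ACCEPT line is a quick way to see the dependency: the client still opens its UDP socket, but every encapsulated datagram is dropped in OUTPUT and the tunnel never comes up, so a firewall that really blocked everything except tun0 would stop OpenVPN rather than be bypassed by it.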