How do Ubuntu-server network interfaces work?

Question

Yesterday I installed "Cockpit" on my Ubuntu-Server 23.04 (which is running on a Raspberry 4) so I can manage it from my Windows 10 PC. So far the Management interface is quite clear and understandable.

In the Network-tab of Cockpit there is the following overview:

Network-interface overview

Just for some clarification:

I disabled Wifi, so all traffic is going through eth0, which I understand is the ethernet port of my RP.

tun0 is the vpn-interface to which I bound all traffic on my RP.

So my questions are:

Since all network-traffic is supposed to go through the vpn-interface (tun0), how is it possible that the eth0 "Sending"- and "Receiving"-traffic is always a little bit higher than the tun0 traffic in the respective category? Shouldn't it be the same? Is my system sending/receiving traffic outside of the vpn tunnel? The RP is sending 7.35 Mbps over tun0 and 8.27 Mbps over eth0. Where do the additional 0.92 Mbps come from?

What exactly is "lo" supposed to do? I mean I know that it is the localhost/loopback but what exactly is it doing i.e. why is there traffic or what is it sending/receiving?

The main reason why I'm asking this is, it would be really really bad if my system is leaking my real IP or any kind of traffic. I mean I set up lockdown-mode, kill switch, auto-connect and god knows what in my vpn-settings, so I'm kinda concerned where this additional traffic in eth0 is coming from.

Thanks for the help.

Answer 1

Since all network-traffic is supposed to go through the vpn-interface (tun0), how is it possible that the eth0 "Sending"- and "Receiving"-traffic is always a little bit higher than the tun0 traffic in the respective category? Shouldn't it be the same?

Mostly but not exactly. The VPN is a tunnel, which means it encapsulates IP packets inside new IP packets. There's always some overhead to tunneling – it varies depending on the tunnel protocol, but you can assume 2-4% (the additional VPN protocol header and the "outer" UDP and IP headers, plus occasional "control" packets such as re-keys). The difference should usually be less than what you're seeing, but never zero.

Is my system sending/receiving traffic outside of the vpn tunnel? The RP is sending 7.35 Mbps over tun0 and 8.27 Mbps over eth0. Where do the additional 0.92 Mbps come from?

The easiest way to find out would be to use a packet capture tool, such as Wireshark or tcpdump or tshark, which lets you literally look at the traffic. Point it at eth0, set it to filter out the VPN traffic (and SSH traffic if you're running it via SSH), look at what remains.

# tcpdump -n -i eth0 'not (port <vpn_port>)'

What exactly is "lo" supposed to do? I mean I know that it is the localhost/loopback but what exactly is it doing i.e. why is there traffic or what is it sending/receiving?

Loopback is frequently used for communications between local programs, e.g. DNS queries to a locally-running cache service (Ubuntu most likely has systemd-resolved running), or internal communications between a program's components. While there are often better ways to do it, TCP over loopback is a simple and cross-platform approach.

(For example, some game launchers such as Battle.net consist of separate GUI and "Agent" components – all work such as installations or updates isn't done by the GUI app directly; it's done by the background "agent" service that the GUI talks to via http://localhost:<randomport>.)

Again, it's easy to find out by pointing a packet capture tool at the lo interface.