host1> ip route add default dev veth2.tun2

is sorta meaningless when the dev is one side of a veth pair, and this
side has no IP address (the other side inside the container has the IP
address).  But this:

host1> ip route add default via 10.1.1.2 dev veth2.tun2

has no meaning either since the root context knows nothing about
10.1.1.2 (cause its inside the container).

But if I add the magic "onlink" option the the command above, it
works. ÊIt says "pretend that the nexthop is directly attached to this
link, even if it does not match any interface prefix." I am not
entirely sure what actually happens to the packet to make it work. I
checked with tcpdump, and the ethernet src/dst address are the same
when heading down the veth, but look fine after that.