3
How to set up and configure a Linux GRE tunnel
This guide will walk through the setup and configuration of a GRE tunnel between two Linux hosts. The two Linux hosts are running Ubuntu 22.04 LTS.
What is a GRE tunnel in networking?
GRE (Generic Routing Encapsulation) tunnels encapsulate network packets inside new network packets. A virtual link is established between two hosts, allowing the hosts to communicate as if they were directly connected. The Cisco-developed tunneling protocol can encapsulate most protocol packet types.
Is a GRE tunnel encrypted?
Though a GRE tunnel functions similarly to a VPN, packets traveling inside a GRE tunnel are not encrypted but are instead encapsulated inside a GRE header. You must configure IPSec separately if you want to maintain data confidentiality.
How to set up and configure a GRE tunnel
Setting up a GRE tunnel naturally requires work on both hosts. You will need to create a tunnel interface on each, set up firewall rules, and create routing tables. For clarity, we'll name one host "Host A" and the other "Host B".
GRE tunnel setup on Host A
Enabling IP forwarding
The first step is to enable IP port forwarding on our host. Without this the GRE tunnel will not work. This is possible with a single command:
Creating the GRE tunnel interface
Now we can create the GRE tunnel interface from Host A to Host B:
Naturally, you should replace <Host_B_IP> with the IP address of your target server and <Host_A_IP> with the IP address of the machine you are currently connected to.
Next, we need to assign an IP address to the GRE interface on our host:
You should replace <HOST_A_PRIV_IP_GRE> with an unused private IP, for example:
Now it's a simple matter of activating the GRE interface with the following command:
Setting up a firewall rule for source NAT
We'll now add a firewall rule to perform source NAT. This will translate the source IP address of packets leaving our GRE interface into public routable addresses:
EXAMPLE:
Creating routing table rules for the GRE tunnel interface
Finally, we can add a custom routing table for the GRE tunnel that will route traffic from the GRE tunnel's source IP through the GRE table:
EXAMPLE:
GRE tunnel setup on Host B
For host B, the setup is the same, except of course that we must use flip the IP addresses and use a different private IP.
Enabling IP forwarding
We can set up IP forwarding on Host B with the same command as Host A.
Creating the GRE tunnel interface
Now we can create the GRE tunnel interface from Host B to Host A:
You should replace <Host_A_IP> with the IP address of your first server and <Host_B_IP> with the IP address of the machine you are currently connected to.
Next, we need to assign an IP address to the GRE interface on our host:
You should replace <HOST_B_PRIV_IP_GRE> with an unused private IP, for example:
Now it's a simple matter of activating the GRE interface with the following command:
Setting up a firewall rule for source NAT
We'll now add a firewall rule to perform source NAT. This will translate the source IP address of packets leaving our GRE interface into public routable addresses:
EXAMPLE:
Creating routing table rules for the GRE tunnel interface
Finally, we can add a custom routing table for the GRE tunnel that will route traffic from the GRE tunnel's source IP through the GRE table:
EXAMPLE:
That's it! Your GRE tunnel should now be working. Remember, do not send any sensitive data via the tunnel without first setting up IPSec.
What is a GRE tunnel in networking?
GRE (Generic Routing Encapsulation) tunnels encapsulate network packets inside new network packets. A virtual link is established between two hosts, allowing the hosts to communicate as if they were directly connected. The Cisco-developed tunneling protocol can encapsulate most protocol packet types.
Is a GRE tunnel encrypted?
Though a GRE tunnel functions similarly to a VPN, packets traveling inside a GRE tunnel are not encrypted but are instead encapsulated inside a GRE header. You must configure IPSec separately if you want to maintain data confidentiality.
How to set up and configure a GRE tunnel
Setting up a GRE tunnel naturally requires work on both hosts. You will need to create a tunnel interface on each, set up firewall rules, and create routing tables. For clarity, we'll name one host "Host A" and the other "Host B".
GRE tunnel setup on Host A
Enabling IP forwarding
The first step is to enable IP port forwarding on our host. Without this the GRE tunnel will not work. This is possible with a single command:
sysctl -w net.ipv4.ip_forward=1Creating the GRE tunnel interface
Now we can create the GRE tunnel interface from Host A to Host B:
ip tunnel add gre1 mode gre remote <HOST_B_IP> local <HOST_A_IP> ttl 25Naturally, you should replace <Host_B_IP> with the IP address of your target server and <Host_A_IP> with the IP address of the machine you are currently connected to.
Next, we need to assign an IP address to the GRE interface on our host:
ip addr add <HOST_A_PRIV_IP_GRE>/30 dev gre1You should replace <HOST_A_PRIV_IP_GRE> with an unused private IP, for example:
ip addr add 10.0.0.1/30 dev gre1Now it's a simple matter of activating the GRE interface with the following command:
ip link set dev gre1 upSetting up a firewall rule for source NAT
We'll now add a firewall rule to perform source NAT. This will translate the source IP address of packets leaving our GRE interface into public routable addresses:
iptables -t nat -A POSTROUTING -s <HOST_B_PRIV_IP_GRE> ! -o gre+ -j SNAT --to-source <HOST_A_IP>iptables -t nat -A POSTROUTING -s 10.0.0.2 ! -o gre+ -j SNAT --to-source 1.1.1.1Creating routing table rules for the GRE tunnel interface
Finally, we can add a custom routing table for the GRE tunnel that will route traffic from the GRE tunnel's source IP through the GRE table:
echo '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from <HOST_A_PRIV_IP_GRE>/32 table GRE
ip route add default via <HOST_B_PRIV_IP_GRE> table GREecho '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.1/32 table GRE
ip route add default via 10.0.0.2 table GREGRE tunnel setup on Host B
For host B, the setup is the same, except of course that we must use flip the IP addresses and use a different private IP.
Enabling IP forwarding
We can set up IP forwarding on Host B with the same command as Host A.
sysctl -w net.ipv4.ip_forward=1Creating the GRE tunnel interface
Now we can create the GRE tunnel interface from Host B to Host A:
ip tunnel add gre1 mode gre remote <HOST_A_IP> local <HOST_B_IP> ttl 225Next, we need to assign an IP address to the GRE interface on our host:
ip addr add <HOST_B_PRIV_IP_GRE>/30 dev gre1ip addr add 10.0.0.2/30 dev gre1ip link set dev gre1 upWe'll now add a firewall rule to perform source NAT. This will translate the source IP address of packets leaving our GRE interface into public routable addresses:
iptables -t nat -A POSTROUTING -s <HOST_B_PRIV_IP_GRE> ! -o gre+ -j SNAT --to-source <HOST_B_IP>iptables -t nat -A POSTROUTING -s 10.0.0.1 ! -o gre+ -j SNAT --to-source 2.2.2.2Creating routing table rules for the GRE tunnel interface
Finally, we can add a custom routing table for the GRE tunnel that will route traffic from the GRE tunnel's source IP through the GRE table:
echo '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from <HOST_B_PRIV_IP_GRE>/32 table GRE
ip route add default via <HOST_A_PRIV_IP_GRE> table GREecho '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.2/32 table GRE
ip route add default via 10.0.0.1 table GREThat's it! Your GRE tunnel should now be working. Remember, do not send any sensitive data via the tunnel without first setting up IPSec.
Auf Facebook teilen
Auf Twitter teilen
Auf Reddit teilen
Auf Linkedin teilenBitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben
Kommentar vom Moderator colinardo am 19.04.2024 um 14:28:28 Uhr
Please stop adding commercial links with no relation to your post, advertising in user contributions is prohibited by our board rules! Thank you for your understanding.
##closed##
##closed##
Content-ID: 33388631356
Url: https://administrator.de/en/how-to-set-up-and-configure-a-linux-gre-tunnel-33388631356.html
Ausgedruckt am: 21.01.2025 um 23:01 Uhr
3 Kommentare
Neuester Kommentar
Nice tutorial but it would be much easier for all readers if you highlight the Linux commands either in boldface or use the code tags.
The other bad thing is the useless and unnecessary masquerading inside the tunnel. This is an also unnecessary waste of performance if you tunnel internal ip networks over the GRE tunnel. Other than that in modern Debian based Linux distros the firewall default is nftables and not anymore the old depricated iptables.
One other important thing readers should be aware of and which this tutorial correctly mentions is the fact that GRE is not encrypted. So in case the GRE tunnel is send over public networks its highly recommended to use a Stongswan setup with transport encryption. See for example other GRE tutorials HERE and HERE for transportation encryption with IPsec.
Away from that...well done!
The other bad thing is the useless and unnecessary masquerading inside the tunnel. This is an also unnecessary waste of performance if you tunnel internal ip networks over the GRE tunnel. Other than that in modern Debian based Linux distros the firewall default is nftables and not anymore the old depricated iptables.
One other important thing readers should be aware of and which this tutorial correctly mentions is the fact that GRE is not encrypted. So in case the GRE tunnel is send over public networks its highly recommended to use a Stongswan setup with transport encryption. See for example other GRE tutorials HERE and HERE for transportation encryption with IPsec.
Away from that...well done!
Thanks , codes added
You should also move the uploaded image under "Article image" (3rd button after the "edit"). That places the nice image as the articel image and not uselessly at the end. 
