Setting Up a GRE Tunnel with a BerryByte DDoS-Protected Virtual Server
A GRE (Generic Routing Encapsulation) tunnel is a type of virtual private network (VPN) that allows you to connect two networks together over an existing network, such as the internet. This can be useful for creating a private connection between two servers, bypassing network restrictions, or using our powerful network and its DDoS mitigation to protect your servers from DDoS attacks. GRE only encapsulates packets and does not encrypt or authenticate them, so run IPsec or TLS over the tunnel if the traffic needs confidentiality. All sorts of traffic can be forwarded with a tunnel, so there is no limitation on what you can protect with our powerful network.
Have an unprotected physical server from another provider? Simply deploy a GRE tunnel between it and one of our protected servers, and voila! You now have a DDoS-protected server!
This guide will show you how to set up a GRE tunnel between a virtual private server (VPS) and a remote server. 104.167.215.164 will be the source server and 142.250.217.142 is the destination server.
In this case, the source server is the machine that is receiving incoming traffic, and the destination server is the machine to which the traffic is being forwarded.
The iptables commands forward incoming traffic from the source server to the destination server by adding NAT rules to the kernel's packet filter (netfilter). When a packet arrives at the source server, a DNAT rule rewrites its destination address before the kernel makes its routing decision, so the kernel looks up the new address in the routing table and sends the packet through the tunnel. In this way, certain incoming traffic is forwarded to a different destination than the one specified in the packet's header.
Prerequisites
Before setting up a GRE tunnel, you will need to ensure that the following requirements are met:
- You have root access to both servers and have static IP addresses assigned to them.
- Both servers have a working installation of Linux, with the iproute2 package installed.
- A BerryByte DDoS-Protected Virtual Server ($8/mo+)
(Although Windows can be used, we'll only be covering how to install with a Linux-based system.)
Setting Up the Tunnel
It's fairly simple to set up a GRE tunnel, but there are a few steps that need to be followed:
- On the source server (104.167.215.164), enable IP forwarding and create a new interface for the tunnel using the ip command:
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
ip tunnel add gre1 mode gre remote 142.250.217.142 local 104.167.215.164 ttl 255
- Bring the interface up using the following command:
ip link set gre1 up
- Add an IP address to the interface:
ip addr add 10.0.0.1/30 dev gre1
- On the destination server (142.250.217.142), repeat steps 1 to 3, using the same commands, but with the IP addresses reversed. For example:
ip tunnel add gre1 mode gre remote 104.167.215.164 local 142.250.217.142 ttl 255
ip addr add 10.0.0.2/30 dev gre1
ip link set gre1 up
- Test the connection:
# On the source server:
ping 10.0.0.2
# On the destination server:
ping 10.0.0.1
If the ping is successful, the tunnel is working correctly!
Configuring Routing
To allow traffic to flow through the tunnel, you will need to configure routing on both servers.
On the source server, add a route to the destination network:
ip route add 142.250.217.0/30 dev gre1
On the destination server (142.250.217.142), add a route to the source network to ensure data goes in and out through the tunnel:
echo '100 BERRYBYTE' >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.0/30 table BERRYBYTE
ip route add default via 10.0.0.1 table BERRYBYTE
On the source server, we need to configure NAT, which translates the source IP address of the packets to the public IP address of the server. This is done using the following command:
iptables -t nat -A POSTROUTING -s 10.0.0.0/30 ! -o gre+ -j SNAT --to-source 104.167.215.164
Test the outbound connection, which should show the public IP address of the source server:
# On the source server:
curl ipinfo.io
Port forwarding
To forward traffic from all ports, you can use the following commands. Because the first rule matches every new connection to 104.167.215.164, it also redirects connections to services on the source server itself, such as SSH, so make sure you have another way to manage the server before applying it:
iptables -t nat -A PREROUTING -d 104.167.215.164 -j DNAT --to-destination 10.0.0.2
iptables -A FORWARD -d 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
To forward traffic from a specific port, you can use the following command:
iptables -t nat -A PREROUTING -d 104.167.215.164 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
If the connection is successful, the tunnel and routing are configured correctly.
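One way to check the resulting rule set on the source server, as an added example that is not part of the original guide: the function reads iptables-save output, flags any DNAT rule toward the tunnel peer that has no port match, and confirms the SNAT rule is present. The function names and the sample rule dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the NAT rules this guide installs on the source server.
# Constructed sample of `iptables-save -t nat` output (not captured from a real host).
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 104.167.215.164/32 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 104.167.215.164/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -s 10.0.0.0/30 ! -o gre+ -j SNAT --to-source 104.167.215.164
COMMIT
EOF
}

# audit_nat PEER PUBLIC_IP: read iptables-save output on stdin and print findings.
#   CATCHALL  DNAT to PEER with no port match: redirects every new connection
#             to the public IP, including SSH to the source server itself.
#   SCOPED    DNAT to PEER limited by --dport/--dports.
#   SNAT-OK / SNAT-MISSING  whether tunnel traffic leaves with PUBLIC_IP.
# Exit status is 1 when a CATCHALL rule or a missing SNAT rule is found.
audit_nat() {
    awk -v peer="$1" -v pub="$2" '
        $1 != "-A" { next }
        {
            target = ""; dest = ""; src = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
                if ($i == "--to-source") src = $(i + 1)
                if ($i == "--dport" || $i == "--dports") scoped = 1
            }
            sub(/:.*/, "", dest)    # drop an optional :port suffix
        }
        $2 == "PREROUTING" && target == "DNAT" && dest == peer {
            if (scoped) print "SCOPED   " $0
            else { print "CATCHALL " $0; bad = 1 }
        }
        $2 == "POSTROUTING" && target == "SNAT" && src == pub { snat = 1 }
        END {
            print (snat ? "SNAT-OK" : "SNAT-MISSING")
            exit (bad || !snat)
        }'
}

# Demo on the constructed sample; on a live host pipe `iptables-save -t nat` instead.
sample_rules | audit_nat 10.0.0.2 104.167.215.164 || echo "audit: review the findings above"
```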
Saving the GRE tunnel configuration after reboot
Note that these changes will only persist until the next time the machine is rebooted. If you want to make the changes permanent, you can save the iptables rules by running:
# On the source server
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
You can then restore the rules on boot by adding the following line to your /etc/rc.local file:
iptables-restore < /etc/iptables/rules.v4
The /etc/rc.local file is a script that is executed once at boot time. By adding the iptables-restore command to this file, you can ensure that the traffic forwarding configuration is restored every time the source server is rebooted. The tunnel interface, its address and the routes are not part of the iptables rules, so the ip commands from the earlier sections have to be run again at boot as well.
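A boot script for the source server that re-creates the tunnel before restoring the saved rules, as an added example rather than BerryByte's own script. It reuses the addresses from this guide; the function names and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example: boot-time restore for the SOURCE server (e.g. called from /etc/rc.local).
# Values are the ones used in this guide; adjust them to your own servers.
SRC_IP=104.167.215.164      # public IP of the source server
DST_IP=142.250.217.142      # public IP of the destination server
TUN_IF=gre1
TUN_ADDR=10.0.0.1/30
RULES=/etc/iptables/rules.v4

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

restore_gre_source() {
    run sysctl -w net.ipv4.ip_forward=1
    # "ip tunnel add" fails when the interface already exists, so create it only if missing.
    if [ "${DRY_RUN:-0}" = 1 ] || ! ip link show "$TUN_IF" >/dev/null 2>&1; then
        run ip tunnel add "$TUN_IF" mode gre remote "$DST_IP" local "$SRC_IP" ttl 255
    fi
    # The "replace" variants can be re-run safely, unlike "add".
    run ip addr replace "$TUN_ADDR" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
    run ip route replace 142.250.217.0/30 dev "$TUN_IF"   # route from "Configuring Routing"
    # Load the saved NAT/forwarding rules last, once the tunnel exists.
    run sh -c "iptables-restore < $RULES"
}

# Default is a dry run that prints the plan; pass "apply" as root to execute it.
if [ "${1:-}" = apply ]; then DRY_RUN=0; else DRY_RUN=1; fi
restore_gre_source
```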
Conclusion
In this guide, we have shown you how to set up a GRE tunnel between two servers using the iproute2 package. With a GRE tunnel in place, you can connect two networks together over the internet, allowing you to forward traffic and utilize our powerful network and its DDoS mitigation.
If you experience issues with running GRE tunnels, you can ask for help on the BerryByte Discord Community Server!