
So I've always been interested in tunneling over GRE but I had a question.

 

http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html

 

Here's the guide I saw.

 

Basically I just want to rent a server and have any traffic sent through it go to my router and have all of my outbound traffic go through the server first.

Is it really as simple as configuring those few lines of code on each end? It seems like there would be a lot more to it.

 

I also saw that they were doing it on IP addresses from a local network. If I were to do it, would I just use the external IP addresses of the server and my home network?

https://linustechtips.com/topic/821288-gre-tunneling/

I don't have any experience with GRE except as the layer underneath PPTP - but I do know that in terms of tunnels, it is one of the simplest. That's why other things like PPTP get built as layers on top of it. GRE is a Layer 4 protocol, it doesn't use UDP or TCP. So all you have with GRE is the IP address, nothing else.

 

Once you have the GRE connection set up between the server and router, you would configure your router to use that as the default gateway, with just a static rule for the GRE server's IP set to your normal ISP. Of course you can set up your ISP as a fallback default gateway. On the server, you could just set it up as a normal router, with whatever static routes are needed.

 

Those instructions tell you how to set it up if you have a linux system at each end - the basic concepts can be converted into whatever router and server you are actually going to use.

 

One thing to note is that I'm fairly certain GRE is connectionless - meaning that if the server is down, the router will keep trying to send all the packets to it blindly. Therefore you'll have to use ping or some other method to control the fallback default gateway route, depending on what test methods your router allows. And ditto for your server - it won't know if the router goes down just from the state of the GRE tunnel - although at that point I imagine it would be pretty obvious from the router's side that you no longer have internet.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10292455

2 minutes ago, brwainer said:

I don't have any experience with GRE except as the layer underneath PPTP - but I do know that in terms of tunnels, it is one of the simplest. That's why other things like PPTP get built as layers on top of it. GRE is a Layer 4 protocol, it doesn't use UDP or TCP. So all you have with GRE is the IP address, nothing else.

 

Once you have the GRE connection set up between the server and router, you would configure your router to use that as the default gateway, with just a static rule for the GRE server's IP set to your normal ISP. Of course you can set up your ISP as a fallback default gateway. On the server, you could just set it up as a normal router, with whatever static routes are needed.

 

Those instructions tell you how to set it up if you have an IOS router at each end - the basic concepts can be converted into whatever router and server you are actually going to use.

 

One thing to note is that I'm fairly certain GRE is connectionless - meaning that if the server is down, the router will keep trying to send all the packets to it blindly. Therefore you'll have to use ping or some other method to control the fallback default gateway route, depending on what test methods your router allows. And ditto for your server - it won't know if the router goes down just from the state of the GRE tunnel - although at that point I imagine it would be pretty obvious from the router's side that you no longer have internet.

So there's no port forwarding done or anything? My router will just forward and receive packets normally as long as I set the gateway to the server?

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10292462

21 minutes ago, Mornincupofhate said:

So there's no port forwarding done or anything? My router will just forward and receive packets normally as long as I set the gateway to the server?

You will probably need to open GRE (proto47 I believe) in the inbound firewall at both the router and server - note that this is *not* TCP port 47, or UDP port 47, or something else like that. But since both of your endpoints will have IP routing between them (they are both "on the internet"), and there is no intermediate NAT layer, there is no port forwarding to set up. Instead, on both the router and server, you have to set up Routing, which is the control of what IP packets should go out which interface in order to reach your destination.

 

Normally, a SOHO router will have the following routes (assuming 192.168.1.1/24 LAN, and 123.123.123.123/24 WAN IPs):

IP/subnet             Gateway
192.168.1.0/24        eth1
123.123.123.0/24      eth0
0.0.0.0/0             123.123.123.1

If you took the same router as above, and wanted all traffic to route through the server at 5.5.5.5/24 with a GRE-internal IP of 10.10.10.10/24, then the routing table would look like this:

IP/subnet             Gateway
192.168.1.0/24        eth1
123.123.123.0/24      eth0
5.5.5.5/32            123.123.123.1
10.10.10.0/24         gre1
0.0.0.0/0             10.10.10.10 (with possibly a rule that this becomes invalid if the server can't be pinged via the GRE-internal IP, or something like that)

And the server might look like (assuming the router's GRE-internal IP is 10.10.10.5/24):

IP/subnet             Gateway
5.5.5.0/24            eth0
0.0.0.0/0             5.5.5.1
10.10.10.0/24         gre1
123.123.123.123/32    10.10.10.5

 

So in this way, the router will send all internet traffic to the server's link-local IP over GRE, and the GRE tunnel itself is what gets sent through the ISP and such, encapsulating the other traffic. The server doesn't have to have this complicated setup since it is the endpoint where all traffic will exit the tunnel, so all it needs to know is that for the router's normal public IP, use the tunnel instead of sending it over the internet. With routing tables, the most precise match is used.

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10292508
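
The two routing tables from the post above, run through a longest-prefix-match lookup, as an added example that is not part of the original thread. 203.0.113.9 and 192.168.1.50 are constructed sample destinations and the function names are hypothetical; the last function asks whether a side reaches the tunnel's remote endpoint without going through gre1.

```python
import ipaddress

# Routing tables transcribed from the post above: (prefix, gateway-or-interface).
ROUTER = [
    ("192.168.1.0/24", "eth1"),
    ("123.123.123.0/24", "eth0"),
    ("5.5.5.5/32", "123.123.123.1"),   # outer GRE packets go via the ISP
    ("10.10.10.0/24", "gre1"),
    ("0.0.0.0/0", "10.10.10.10"),      # everything else enters the tunnel
]
SERVER = [
    ("5.5.5.0/24", "eth0"),
    ("0.0.0.0/0", "5.5.5.1"),
    ("10.10.10.0/24", "gre1"),
    ("123.123.123.123/32", "10.10.10.5"),
]

def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, hop = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), hop

def egress(routes, dst, max_hops=4):
    """Follow gateway addresses until an interface name is reached."""
    target = dst
    for _ in range(max_hops):
        hit = lookup(routes, target)
        if hit is None:
            return None
        try:
            ipaddress.ip_address(hit[1])   # next hop is a gateway address
            target = hit[1]
        except ValueError:
            return hit[1]                  # next hop is an interface
    raise RuntimeError("gateway chain never reaches an interface")

def endpoint_outside_tunnel(routes, remote, tunnel_if="gre1"):
    """True if the tunnel's remote endpoint is reached without the tunnel."""
    return egress(routes, remote) != tunnel_if

if __name__ == "__main__":
    for dst in ("203.0.113.9", "5.5.5.5", "192.168.1.50"):  # sample destinations
        print("router", dst, "->", egress(ROUTER, dst))
    print("server", "123.123.123.123", "->", egress(SERVER, "123.123.123.123"))
```

For the tables as posted, the router reaches 5.5.5.5 via eth0, while the server's lookup for 123.123.123.123 resolves to gre1.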

8 minutes ago, brwainer said:

You will probably need to open GRE (proto47 I believe) in the inbound firewall at both the router and server - note that this is *not* TCP port 47, or UDP port 47, or something else like that. But since both of your endpoints will have IP routing between them (they are both "on the internet"), and there is no intermediate NAT layer, there is no port forwarding to set up. Instead, on both the router and server, you have to set up Routing, which is the control of what IP packets should go out which interface in order to reach your destination.

Lol the websites make it look so much easier.

 

What if I did something like this:

Datacenter Server (GRE endpoint) --> Router --> Home Server (GRE endpoint)

And only configured GRE on the datacenter and home servers. Would it make things easier?

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10292541

10 hours ago, Mornincupofhate said:

Lol the websites make it look so much easier.

 

What if I did something like this:

Datacenter Server (GRE endpoint) --> Router --> Home Server (GRE endpoint)

And only configured GRE on the datacenter and home servers. Would it make things easier?

Depends on the definition of easier. Do you want only the home server's traffic to go through the GRE tunnel? In that case, you still need to tell it somehow "to get to the GRE server's IP, use this gateway, for everything else, use the GRE server itself" - which would mean creating a routing table on the home server that would look more or less the same as what I shared above for the router, minus the LAN subnet. If you wanted the home server to act as a proxy for other hosts, then congratulations, you just defined what a router is/does - any computer can be made into a router with the proper config, there are people out there who trust no one and set up their own routers starting from a standard Linux or other OS. And either way, you would have to forward GRE from the router to the home server, which might not be possible if you don't have a router that gives you full control over the firewall/NAT. Most SOHO routers have a "VPN Passthrough" option where they detect a PPTP or similar VPN being set up, and they automatically set up GRE forwarding to match - but since you are trying to create just a GRE tunnel, this type of passthrough would never work. And the same routers probably only let you set up forwarding for TCP and UDP ports - but GRE isn't TCP or UDP.

 

By the way, these routing configurations I shared before are going to be the same no matter what type of tunnel or VPN (VPN being a tunnel-based technology) is being used - the routing table doesn't care what a particular connection is.

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10293877

5 hours ago, brwainer said:

Depends on the definition of easier. Do you want only the home server's traffic to go through the GRE tunnel? In that case, you still need to tell it somehow "to get to the GRE server's IP, use this gateway, for everything else, use the GRE server itself" - which would mean creating a routing table on the home server that would look more or less the same as what I shared above for the router, minus the LAN subnet. If you wanted the home server to act as a proxy for other hosts, then congratulations, you just defined what a router is/does - any computer can be made into a router with the proper config, there are people out there who trust no one and set up their own routers starting from a standard Linux or other OS. And either way, you would have to forward GRE from the router to the home server, which might not be possible if you don't have a router that gives you full control over the firewall/NAT. Most SOHO routers have a "VPN Passthrough" option where they detect a PPTP or similar VPN being set up, and they automatically set up GRE forwarding to match - but since you are trying to create just a GRE tunnel, this type of passthrough would never work. And the same routers probably only let you set up forwarding for TCP and UDP ports - but GRE isn't TCP or UDP.

 

By the way, these routing configurations I shared before are going to be the same no matter what type of tunnel or VPN (VPN being a tunnel-based technology) is being used - the routing table doesn't care what a particular connection is.

Would I still need to set up a routing table if the server has its own unique external IP address?

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10295092

1 hour ago, Mornincupofhate said:

Would I still need to set up a routing table if the server has its own unique external IP address?

Yes - because in order to connect to the tunnel it has to use its normal gateway, versus all other traffic it has to use the tunnel. All VPNs, all tunnels, are like this. If you connect to a normal VPN service then the program that connects you sets up the changes automatically. But you are trying to do it manually, which means there are no shortcuts to the setup.

https://linustechtips.com/topic/821288-gre-tunneling/#findComment-10295360