Set a GRE tunnel with Gcore
Use the following instructions to set up the GRE (Generic Routing Encapsulation) tunnel using Gcore infrastructure.
Configure a GRE tunnel on Cisco routers
These configuration steps are specific to Cisco routers. For information on configuring GRE tunnels and BGP sessions on other devices, refer to the respective documentation provided by the manufacturer.
Step 1. Check network availability between routers
Both routers in a tunnel must have routable interfaces connected to the internet, and their routes must be mutually visible and reachable. To verify the connectivity, run either of the following commands on a router platform:
show ip routeor
show routeThese commands will display the routing table of the router, showing the IP addresses of their interfaces that will be used as tunnel sources.
Step 2. Configure a tunnel
Follow these steps and use the configuration snippets below as a guideline.
1. Set the tunnel ID:
interface Tunnel102. Set the tunnel IP address and subnet mask:
ip address 10.20.30.1 255.255.255.03. Specify the source and destination IP addresses.
tunnel source 40.0.0.1
tunnel destination 50.0.0.1The user on the other end of the tunnel sets the similar configuration:
interface Tunnel 10
ip address 10.20.30.2 255.255.255.0
tunnel source 50.0.0.1
tunnel destination 40.0.0.1When you configure both ends of the tunnel with matching parameters, the GRE tunnel between two routers will be established.
Step 3. Set the MTU and MSS limits
Tunneling adds an extra header to the original IP packet, resulting in overhead. If you don’t adjust MTU and MSS limits, it may lead to packet delivery issues. Set the following MTU and MSS limits:
interface Tunnel10
ip mtu 1476
ip tcp adjust-mss 1436The standard MTU size allowed on the internet is 1500 bytes. When using GRE, typically an additional 24 bytes are added to the packet, consisting of 20 bytes of additional an outer IP header and 4 bytes of GRE itself. This means we must reduce the maximum allowed packet size over our GRE tunnel to 1476 bytes. Since we do not use any encryption in our example, no more headers are considered. If there was encryption, there would be 4 more bytes, but this is out of the scope of this article.
For TCP, the maximum segment size (MSS) value is 40 bytes less than the MTU size, as the TCP header is 40 bytes. Thus, the MSS value must be explicitly specified in the configuration. In our case, the MSS value must be 1436 bytes (1476 [the GRE MTU size] - 40 = 1436).
Step 4. Configure BGP
Open a BGP peering session, configure your BGP neighbor by specifying their IP address and number of remote AS, set BGP policies that will determine the best path for routing, and advertise network prefixes.
For example, imagine Side A (AS 10) and Side B (AS 20) on the two ends of the tunnel. Side A provides DDoS Protection, so it accepts specific routes from clients, denies the default for the routing security purposes, and does not advertise anything. On the other hand, Side B advertises only its own routes.
Let’s start with the Side A configuration.
1. Define the neighbor routes:
ip prefix DEFAULT_ROUTE seq permit 5 0.0.0.0/0
ip prefix CLIENT_ROUTES seq 5 permit 50.50.1.0/24
ip prefix CLIENT_ROUTES seq 10 permit 50.50.2.0/24Prefix-list lines are responsible for defining routes.
2. Define the inbound route policy:
route-map SIDE_A_POLICY_INBOUND deny 10
match ip address prefix-list DEFAULT_ROUTE
route-map SIDE_A_POLICY_INBOUND permit 20
match ip address prefix-list CLIENT_ROUTESThe SIDE_A_POLICY_INBOUND route policy processes incoming routes. The first line denies the default route, while the second line permits the client routes.
3. Define the outbound route policy:
route-map SIDE_A_POLICY_OUTBOUND deny 10The SIDE_A_POLICY_OUTBOUND route policy denies all routes coming out of the router.
The route policy configuration on Side B will be similar:
ip prefix DEFAULT_ROUTE seq permit 5 0.0.0.0/0
ip prefix CLIENT_ROUTES seq 5 permit 50.50.1.0/24
ip prefix CLIENT_ROUTES seq 10 permit 50.50.2.0/24
route-map SIDE_B_POLICY_OUTBOUND deny 10
match ip address prefix-list DEFAULT_ROUTE
route-map SIDE_B_POLICY_OUTBOUND permit 20
match ip address prefix-list CLIENT_ROUTES
route-map SIDE_B_POLICY_INBOUND deny 10The SIDE_B_POLICY_INBOUND and SIDE_B_POLICY_OUTBOUND route policies describe the routes coming in and going out of the Side B’s router, respectively. Side B doesn’t accept any routes from Side A, and advertises its own routes to Side A without the default route.
The BGP configuration on both ends of the GRE tunnel should be as follows:
Side A:
router bgp 10
neighbor 10.20.30.2 remote-as 20
neighbor 10.20.30.2 description SIDE_B_ROUTER
neighbor 10.20.30.2 route-map SIDE_A_POLICY_INBOUND in
neighbor 10.20.30.2 route-map SIDE_A_POLICY_OUTBOUND outSide B:
router bgp 20
neighbor 10.20.30.1 remote-as 10
neighbor 10.20.30.1 description SIDE_A_ROUTER
neighbor 10.20.30.1 route-map SIDE_B_POLICY_INBOUND in
neighbor 10.20.30.1 route-map SIDE_B_POLICY_OUTBOUND outThe configuration lines provided above enable you to establish BGP sessions with Gcore over GRE tunnels to protect your applications and servers from DDoS attacks and other types of malicious traffic.
Set a GRE tunnel on Ubuntu
Establish a tunnel on Linux-based servers functioning as endpoints in your network.
Step 1. Install required tools
Install the iproute2 package for managing GRE tunnels:
sudo apt update
sudo apt install iproute2Step 2. Configure the GRE tunnel
Configure the tunnel on the first endpoint with the example address 40.0.0.1:
1. Create the GRE tunnel:
sudo ip tunnel add gre1 mode gre local 40.0.0.1 remote 50.0.0.1 ttl 255Replace 40.0.0.1 with this system's public IP and 50.0.0.1 with the remote system's public IP.
2. Assign an IP address to the tunnel interface: sudo ip addr add 10.20.30.1/24 dev gre1.
3. Bring up the GRE interface: sudo ip link set gre1 up.
Configure the tunnel on the second endpoint with the example address 50.0.0.1:
1. Create the GRE tunnel:
sudo ip tunnel add gre1 mode gre local 50.0.0.1 remote 40.0.0.1 ttl 255 2. Assign an IP address to the tunnel interface: sudo ip addr add 10.20.30.2/24 dev gre1.
3. Bring up the GRE interface: sudo ip link set gre1 up.
Step 3. Enable IP forwarding
If the GRE tunnel is being used for routing, ensure that IP forwarding is enabled on both endpoints. Run the following command:
sudo sysctl -w net.ipv4.ip_forward=1 To make this setting persistent, add the following to the configuration file /etc/sysctl.conf: net.ipv4.ip_forward=1.
Apply the changes by running sudo sysctl -p.
Step 4. Adjust MTU and MSS settings
To handle the additional GRE header, set the MTU and MSS limits on both endpoints:
sudo ip link set gre1 mtu 1476
sudo iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu Step 5. Verify tunnel connectivity
On each endpoint, test the connectivity by pinging the opposite end of the GRE tunnel:
ping 10.20.30.2 # From endpoint 40.0.0.1
ping 10.20.30.1 # From endpoint 50.0.0.1Step 6. Configure routing (optional)
If you need to route specific traffic through the GRE tunnel, add routing rules. For example:
sudo ip route add <destination-network> via 10.20.30.2 dev gre1Step 7. Make the configuration persistent
To make the GRE tunnel configuration persistent across reboots, add the setup commands to /etc/network/interfaces or use systemd service files.
To update the setup in /etc/network/interfaces, add the following information to the file:
auto gre1
iface gre1 inet static
address 10.20.30.1
netmask 255.255.255.0
mtu 1476
pre-up ip tunnel add gre1 mode gre local 40.0.0.1 remote 50.0.0.1 ttl 255
post-down ip tunnel del gre1 Alternatively, create a custom systemd service to set up the tunnel at boot.
Was this article helpful?
Not a Gcore user yet?
Explore our DDoS protection for servers