Use the following instructions to set up the GRE (Generic Routing Encapsulation) tunnel using Gcore infrastructure.

Configure a GRE tunnel on Cisco routers

These configuration steps are specific to Cisco routers. For information on configuring GRE tunnels and BGP sessions on other devices, refer to the respective documentation provided by the manufacturer.

Step 1. Check network availability between routers

Both routers in a tunnel must have routable interfaces connected to the internet, and their routes must be mutually visible and reachable. To verify the connectivity, run either of the following commands on a router platform:

show ip route

or

show route

These commands will display the routing table of the router, showing the IP addresses of their interfaces that will be used as tunnel sources.

Step 2. Configure a tunnel

Follow these steps and use the configuration snippets below as a guideline.

1. Set the tunnel ID:

interface Tunnel10

2. Set the tunnel IP address and subnet mask:

ip address 10.20.30.1 255.255.255.0

3. Specify the source and destination IP addresses.

tunnel source 40.0.0.1

tunnel destination 50.0.0.1

The user on the other end of the tunnel sets the similar configuration:

interface Tunnel 10

      ip address 10.20.30.2 255.255.255.0

      tunnel source 50.0.0.1

      tunnel destination 40.0.0.1

When you configure both ends of the tunnel with matching parameters, the GRE tunnel between two routers will be established.

Step 3. Set the MTU and MSS limits

Tunneling adds an extra header to the original IP packet, resulting in overhead. If you don’t adjust MTU and MSS limits, it may lead to packet delivery issues. Set the following MTU and MSS limits:

interface Tunnel10

  ip mtu 1476

  ip tcp adjust-mss 1436

Step 4. Configure BGP

Open a BGP peering session, configure your BGP neighbor by specifying their IP address and number of remote AS, set BGP policies that will determine the best path for routing, and advertise network prefixes.

For example, imagine Side A (AS 10) and Side B (AS 20) on the two ends of the tunnel. Side A provides DDoS Protection, so it accepts specific routes from clients, denies the default for the routing security purposes, and does not advertise anything. On the other hand, Side B advertises only its own routes.

Let’s start with the Side A configuration.

1. Define the neighbor routes:

ip prefix DEFAULT_ROUTE seq permit 5 0.0.0.0/0



ip prefix CLIENT_ROUTES seq 5 permit 50.50.1.0/24

ip prefix CLIENT_ROUTES seq 10 permit 50.50.2.0/24

Prefix-list lines are responsible for defining routes.

2. Define the inbound route policy:

route-map SIDE_A_POLICY_INBOUND deny 10

  match ip address prefix-list DEFAULT_ROUTE

route-map SIDE_A_POLICY_INBOUND permit 20

  match ip address prefix-list CLIENT_ROUTES

The SIDE_A_POLICY_INBOUND route policy processes incoming routes. The first line denies the default route, while the second line permits the client routes.

3. Define the outbound route policy:

route-map SIDE_A_POLICY_OUTBOUND deny 10

The SIDE_A_POLICY_OUTBOUND route policy denies all routes coming out of the router.

The route policy configuration on Side B will be similar:

ip prefix DEFAULT_ROUTE seq permit 5 0.0.0.0/0



ip prefix CLIENT_ROUTES seq 5 permit 50.50.1.0/24

ip prefix CLIENT_ROUTES seq 10 permit 50.50.2.0/24



route-map SIDE_B_POLICY_OUTBOUND deny 10

  match ip address prefix-list DEFAULT_ROUTE

route-map SIDE_B_POLICY_OUTBOUND permit 20

  match ip address prefix-list CLIENT_ROUTES



route-map SIDE_B_POLICY_INBOUND deny 10

The SIDE_B_POLICY_INBOUND and SIDE_B_POLICY_OUTBOUND route policies describe the routes coming in and going out of the Side B’s router, respectively. Side B doesn’t accept any routes from Side A, and advertises its own routes to Side A without the default route.

The BGP configuration on both ends of the GRE tunnel should be as follows:

Side A:

router bgp 10

  neighbor 10.20.30.2 remote-as 20

  neighbor 10.20.30.2 description SIDE_B_ROUTER

  neighbor 10.20.30.2 route-map SIDE_A_POLICY_INBOUND in

  neighbor 10.20.30.2 route-map SIDE_A_POLICY_OUTBOUND out

Side B:

router bgp 20

  neighbor 10.20.30.1 remote-as 10

  neighbor 10.20.30.1 description SIDE_A_ROUTER

  neighbor 10.20.30.1 route-map SIDE_B_POLICY_INBOUND in

  neighbor 10.20.30.1 route-map SIDE_B_POLICY_OUTBOUND out

The configuration lines provided above enable you to establish BGP sessions with Gcore over GRE tunnels to protect your applications and servers from DDoS attacks and other types of malicious traffic.

Set a GRE tunnel on Ubuntu

Establish a tunnel on Linux-based servers functioning as endpoints in your network.

Step 1. Install required tools

Install the iproute2 package for managing GRE tunnels:

sudo apt update 

sudo apt install iproute2

Step 2. Configure the GRE tunnel

Configure the tunnel on the first endpoint with the example address 40.0.0.1:

1. Create the GRE tunnel:

sudo ip tunnel add gre1 mode gre local 40.0.0.1 remote 50.0.0.1 ttl 255

Replace 40.0.0.1 with this system’s public IP and 50.0.0.1 with the remote system’s public IP.

2. Assign an IP address to the tunnel interface: sudo ip addr add 10.20.30.1/24 dev gre1.

3. Bring up the GRE interface: sudo ip link set gre1 up.

Configure the tunnel on the second endpoint with the example address 50.0.0.1:

1. Create the GRE tunnel:

sudo ip tunnel add gre1 mode gre local 50.0.0.1 remote 40.0.0.1 ttl 255 

2. Assign an IP address to the tunnel interface: sudo ip addr add 10.20.30.2/24 dev gre1.

3. Bring up the GRE interface: sudo ip link set gre1 up.

Step 3. Enable IP forwarding

If the GRE tunnel is being used for routing, ensure that IP forwarding is enabled on both endpoints. Run the following command:

sudo sysctl -w net.ipv4.ip_forward=1 

To make this setting persistent, add the following to the configuration file /etc/sysctl.conf: net.ipv4.ip_forward=1.

Apply the changes by running sudo sysctl -p.

Step 4. Adjust MTU and MSS settings

To handle the additional GRE header, set the MTU and MSS limits on both endpoints:

sudo ip link set gre1 mtu 1476 

sudo iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 

Step 5. Verify tunnel connectivity

On each endpoint, test the connectivity by pinging the opposite end of the GRE tunnel:

ping 10.20.30.2 # From endpoint 40.0.0.1 

ping 10.20.30.1 # From endpoint 50.0.0.1

Step 6. Configure routing (optional)

If you need to route specific traffic through the GRE tunnel, add routing rules. For example:

sudo ip route add <destination-network> via 10.20.30.2 dev gre1

Step 7. Make the configuration persistent

To make the GRE tunnel configuration persistent across reboots, add the setup commands to /etc/network/interfaces or use systemd service files.

To update the setup in /etc/network/interfaces, add the following information to the file:

auto gre1 

iface gre1 inet static 

    address 10.20.30.1 

    netmask 255.255.255.0 

    mtu 1476 

    pre-up ip tunnel add gre1 mode gre local 40.0.0.1 remote 50.0.0.1 ttl 255 

    post-down ip tunnel del gre1 

Alternatively, create a custom systemd service to set up the tunnel at boot.