@oddmario
Last active August 10, 2024 08:09

Revisions

  1. oddmario revised this gist Aug 10, 2024. 1 changed file with 2 additions and 7 deletions.
    9 changes: 2 additions & 7 deletions GRE_TUNNELS.md
    Original file line number Diff line number Diff line change
    @@ -1,12 +1,7 @@
    # UPDATE

    I eventually had to move to WireGuard instead of GRE tunnels.

    Main reasoning for that is because of how, so randomly, the GRE tunnels kept dying on my network (mainly because Linux doesn't have a keepalive implementation for them).

    I found WireGuard to be more mature when it comes to this setup specifically.

    You can find an updated guide, which achieves the exact same purpose as this one (but using WireGuard), here -> https://github.com/oddmario/WireGuard-setup-guide
    - Moved to https://github.com/oddmario/GRE-setup-guide
    - Or alternatively, a similar WireGuard guide is available at https://github.com/oddmario/WireGuard-setup-guide

    # Setup a GRE tunnel between two Linux servers

  2. oddmario revised this gist Aug 8, 2024. 1 changed file with 10 additions and 0 deletions.
    10 changes: 10 additions & 0 deletions GRE_TUNNELS.md
    @@ -1,3 +1,13 @@
    # UPDATE

    I eventually had to move to WireGuard instead of GRE tunnels.

    Main reasoning for that is because of how, so randomly, the GRE tunnels kept dying on my network (mainly because Linux doesn't have a keepalive implementation for them).

    I found WireGuard to be more mature when it comes to this setup specifically.

    You can find an updated guide, which achieves the exact same purpose as this one (but using WireGuard), here -> https://github.com/oddmario/WireGuard-setup-guide

    # Setup a GRE tunnel between two Linux servers

    TL;DR network engineering is hard 🫠
  3. oddmario revised this gist Aug 7, 2024. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions GRE_TUNNELS.md
    @@ -14,17 +14,17 @@ It is the "backend server" or the destination server. i.e. the server which we a
    - Setting up a GRE tunnel to link between two Linux servers (server A and server B)
    - Setting up the proper routing to make server A forward all the traffic to & from server B through the tunnel.

    If you would like to use WireGuard (or even OpenVPN) instead of a GRE tunnel to link between the two servers, you can absolutely give that a go!

    Generally, we just need a way to link between the two servers (either GRE, WireGuard or even OpenVPN). Then the rest of the commands to setup the routing through iproute2 and iptables should be similar.

    ## Requirements
    Server A needs to have a primary public IP address that we are going to use as the peer address for our GRE tunnels.

    And you CAN NOT use the primary IP address of server A as a GRE tunnel since it will be the IP used by server B to connect to server A.

    So in order to start GRE tunneling, you need additional IPs linked to server A by the provider of it.

    If you would like to use WireGuard (or even OpenVPN) instead of a GRE tunnel to link between the two servers, you can absolutely give that a go!

    Generally, we just need a way to link between the two servers (either GRE, WireGuard or even OpenVPN). Then the rest of the commands to setup the routing through iproute2 and iptables should be similar.

    -----

    ### `makeGRE.sh` on Server A
  4. oddmario revised this gist Aug 7, 2024. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions GRE_TUNNELS.md
    @@ -15,9 +15,9 @@ It is the "backend server" or the destination server. i.e. the server which we a
    - Setting up the proper routing to make server A forward all the traffic to & from server B through the tunnel.

    ## Requirements
    Server A needs to have one primary public IP address that we are going to use as the peer address for our GRE tunnels.
    Server A needs to have a primary public IP address that we are going to use as the peer address for our GRE tunnels.

    You CAN NOT use the primary IP address of server A as a GRE tunnel since it will be the IP used by server B to connect to server A.
    And you CAN NOT use the primary IP address of server A as a GRE tunnel since it will be the IP used by server B to connect to server A.

    So in order to start GRE tunneling, you need additional IPs linked to server A by the provider of it.

  5. oddmario revised this gist Aug 7, 2024. 1 changed file with 12 additions and 5 deletions.
    17 changes: 12 additions & 5 deletions GRE_TUNNELS.md
    @@ -14,6 +14,13 @@ It is the "backend server" or the destination server. i.e. the server which we a
    - Setting up a GRE tunnel to link between two Linux servers (server A and server B)
    - Setting up the proper routing to make server A forward all the traffic to & from server B through the tunnel.

    ## Requirements
    Server A needs to have one primary public IP address that we are going to use as the peer address for our GRE tunnels.

    You CAN NOT use the primary IP address of server A as a GRE tunnel since it will be the IP used by server B to connect to server A.

    So in order to start GRE tunneling, you need additional IPs linked to server A by the provider of it.

    If you would like to use WireGuard (or even OpenVPN) instead of a GRE tunnel to link between the two servers, you can absolutely give that a go!

    Generally, we just need a way to link between the two servers (either GRE, WireGuard or even OpenVPN). Then the rest of the commands to setup the routing through iproute2 and iptables should be similar.
    @@ -31,7 +38,7 @@ Generally, we just need a way to link between the two servers (either GRE, WireG
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # This cannot be the same value of GRE_VPS_MAIN_IP. check the requirements at the top of the guide for more information
    BACKEND_IP="[backend server public ip address here]"
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
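    Review bot: the reworded comment on `GRE_VPS_IP` says it cannot have the same value as `GRE_VPS_MAIN_IP`, but nothing in the variables block enforces that, so a configuration written under the older "set this to the same value" instruction still runs and only fails later. Add a check right after the variables that prints a message and exits when the two values are equal, and apply it to every script that carries this pair of variables.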
    @@ -147,7 +154,7 @@ net.ipv6.route.flush = 1
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # This cannot be the same value of GRE_VPS_MAIN_IP. check the requirements at the top of the guide for more information
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    @@ -201,7 +208,7 @@ ethtool -K $GRE_TUNNEL_INTERFACE_NAME gro off gso off tso off
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # This cannot be the same value of GRE_VPS_MAIN_IP. check the requirements at the top of the guide for more information
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    @@ -376,7 +383,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # This cannot be the same value of GRE_VPS_MAIN_IP. check the requirements at the top of the guide for more information
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    @@ -440,7 +447,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # This cannot be the same value of GRE_VPS_MAIN_IP. check the requirements at the top of the guide for more information
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
  6. oddmario revised this gist Aug 7, 2024. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions GRE_TUNNELS.md
    @@ -182,8 +182,8 @@ ip route add default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME
    iptables -o $GRE_TUNNEL_INTERFACE_NAME -t nat -I POSTROUTING -j SNAT --to-source $GRE_VPS_IP
    # dns servers are required otherwise all dns resolutions will fail
    echo 'nameserver 4.2.2.1' > /etc/resolv.conf
    echo 'nameserver 4.2.2.2' >> /etc/resolv.conf
    echo 'nameserver 1.1.1.1' > /etc/resolv.conf
    echo 'nameserver 1.0.0.1' >> /etc/resolv.conf
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
    ip link set $GRE_TUNNEL_INTERFACE_NAME txqueuelen 15000
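    Review bot: the first `echo` in this hunk writes with `>`, so whatever resolver configuration `/etc/resolv.conf` held is discarded each time the script runs, and swapping 4.2.2.1/4.2.2.2 for 1.1.1.1/1.0.0.1 does not change that. Save the existing file before overwriting it so the teardown script can put it back, and mention in the comment that a network manager which owns the file may rewrite it later.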
    @@ -415,8 +415,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    iptables -o $GRE_TUNNEL_INTERFACE_NAME -t nat -I POSTROUTING -j SNAT --to-source $GRE_VPS_IP
    # dns servers are required otherwise all dns resolutions will fail
    echo 'nameserver 4.2.2.1' > /etc/resolv.conf
    echo 'nameserver 4.2.2.2' >> /etc/resolv.conf
    echo 'nameserver 1.1.1.1' > /etc/resolv.conf
    echo 'nameserver 1.0.0.1' >> /etc/resolv.conf
    # finally cut over our routing
    # NOTE: this will cut all access to your original BACKEND IP!
  7. oddmario revised this gist Aug 7, 2024. 1 changed file with 4 additions and 74 deletions.
    78 changes: 4 additions & 74 deletions GRE_TUNNELS.md
    @@ -273,7 +273,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
    **On both** the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
    Then edit this configurable part on the new scripts:
    ```
    @@ -363,79 +363,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    You will need to use these scripts instead of the ones that were shown initially at the top of this whole guide [they are the same scripts with just a few additional commands]:
    makeGRE.sh on Server A (the GRE VPS):
    ```
    #!/bin/bash
    # This script is placed on the GRE VPS
    #
    # Variables
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    BACKEND_IP="[backend server public ip address here]"
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_KEY="1"
    # ----------------------------------
    sysctl -p
    systemctl stop firewalld
    systemctl disable firewalld
    modprobe tcp_bbr
    tc qdisc replace dev $GRE_VPS_IP_MAIN_INTERFACE root fq
    ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_MAIN_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip route add $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
    ip link set $GRE_TUNNEL_INTERFACE_NAME txqueuelen 15000
    ethtool -K $GRE_TUNNEL_INTERFACE_NAME gro off gso off tso off
    ethtool -K $GRE_VPS_IP_MAIN_INTERFACE gro off gso off tso off
    ```
    delGRE.sh on Server A (the GRE VPS):
    ```
    #!/bin/bash
    # This script is placed on the GRE VPS
    #
    # Variables
    #
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    # ----------------------------------
    ip route del $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP
    ip addr del $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME down
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    You will need to use these scripts **on server B [the backend server]** instead of the ones that were shown initially at the top of this whole guide [they are the same scripts with just a few additional commands]:
    makeGRE.sh on Server B (the backend server):
    ```
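    Review bot: the sentence kept at the end of this hunk says the server B scripts are "the same scripts with just a few additional commands" without naming those commands, so a reader has to compare the two versions by hand. List the additional lines next to that sentence, since after this change the server B pair is the only place where the step 8 setup differs from the scripts at the top of the guide.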
    @@ -538,6 +466,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME down
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    As for the scripts of server A [the GRE VPS], leave them unchanged.
    9. Reboot the GRE VPS (and preferably but not necessarily the backend server[s] too) after setting up or modifying any GRE tunnels to ensure that no unneeded leftovers are there. This really makes a difference most of the time.
  8. oddmario revised this gist Aug 7, 2024. 1 changed file with 0 additions and 4 deletions.
    4 changes: 0 additions & 4 deletions GRE_TUNNELS.md
    @@ -157,8 +157,6 @@ GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    GRE_TUNNEL_KEY="1"
    BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    modprobe ip_gre
    @@ -210,8 +208,6 @@ GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    iptables -t nat -D POSTROUTING -o $GRE_TUNNEL_INTERFACE_NAME -j SNAT --to-source $GRE_VPS_IP
  9. oddmario revised this gist Aug 7, 2024. 1 changed file with 0 additions and 6 deletions.
    6 changes: 0 additions & 6 deletions GRE_TUNNELS.md
    @@ -161,8 +161,6 @@ BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    modprobe ip_gre
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    @@ -216,8 +214,6 @@ BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    iptables -t nat -D POSTROUTING -o $GRE_TUNNEL_INTERFACE_NAME -j SNAT --to-source $GRE_VPS_IP
    ip rule del from $GRE_VPS_IP lookup $GRE_TUNNEL_RTTABLES_NAME
    @@ -286,7 +282,6 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    Then edit this configurable part on the new scripts:
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    @@ -298,7 +293,6 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre2"
    GRE_TUNNEL_GATEWAY_IP="192.168.169.0" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_GREVPS_IP="192.168.169.1" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_BACKEND_IP="192.168.169.2" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_RTTABLES_ID="200"
  10. oddmario revised this gist Aug 7, 2024. 1 changed file with 43 additions and 40 deletions.
    83 changes: 43 additions & 40 deletions GRE_TUNNELS.md
    @@ -36,7 +36,6 @@ BACKEND_IP="[backend server public ip address here]"
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_KEY="1"
    @@ -51,18 +50,17 @@ tc qdisc replace dev $GRE_VPS_IP_MAIN_INTERFACE root fq
    ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_MAIN_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source $GRE_VPS_IP
    iptables -t nat -A PREROUTING -d $GRE_VPS_IP -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -A FORWARD -d $GRE_TUNNEL_BACKEND_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s $GRE_TUNNEL_BACKEND_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip route add $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
    ip link set $GRE_TUNNEL_INTERFACE_NAME txqueuelen 15000
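    Review bot: `iptables -F` followed by `iptables -P FORWARD ACCEPT` at the top of this hunk leaves server A with an empty filter table and a forward policy that passes traffic between all interfaces, not only between `$GRE_VPS_IP_MAIN_INTERFACE` and `$GRE_TUNNEL_INTERFACE_NAME`. Suggest keeping the FORWARD policy restrictive and adding explicit accept rules for traffic to and from `$GRE_VPS_IP` over the tunnel, and removing only the rules this script created so that a rerun does not wipe unrelated ones.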
    @@ -83,20 +81,15 @@ ethtool -K $GRE_VPS_IP_MAIN_INTERFACE gro off gso off tso off
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    # ----------------------------------
    ip route del $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP
    ip addr del $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME down
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source $GRE_VPS_IP
    iptables -t nat -D PREROUTING -d $GRE_VPS_IP -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -D FORWARD -d $GRE_TUNNEL_BACKEND_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -D FORWARD -s $GRE_TUNNEL_BACKEND_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ```

    ### `/etc/sysctl.conf` on Server A
    @@ -158,15 +151,18 @@ GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to for
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    GRE_TUNNEL_KEY="1"
    BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    modprobe ip_gre
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    @@ -179,12 +175,20 @@ then
    fi
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_MAIN_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    ip rule add from $GRE_TUNNEL_GATEWAY_IP/30 table $GRE_TUNNEL_RTTABLES_NAME
    ip addr add $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip addr add $GRE_VPS_IP/32 dev $GRE_TUNNEL_INTERFACE_NAME
    ip rule add from $GRE_VPS_IP lookup $GRE_TUNNEL_RTTABLES_NAME
    ip route add default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME
    iptables -o $GRE_TUNNEL_INTERFACE_NAME -t nat -I POSTROUTING -j SNAT --to-source $GRE_VPS_IP
    # dns servers are required otherwise all dns resolutions will fail
    echo 'nameserver 4.2.2.1' > /etc/resolv.conf
    echo 'nameserver 4.2.2.2' >> /etc/resolv.conf
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
    ip link set $GRE_TUNNEL_INTERFACE_NAME txqueuelen 15000
    ethtool -K $GRE_TUNNEL_INTERFACE_NAME gro off gso off tso off
    @@ -200,16 +204,25 @@ ethtool -K $GRE_TUNNEL_INTERFACE_NAME gro off gso off tso off
    # Variables
    #
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    ip rule del from $GRE_TUNNEL_GATEWAY_IP/30 table $GRE_TUNNEL_RTTABLES_NAME
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    iptables -t nat -D POSTROUTING -o $GRE_TUNNEL_INTERFACE_NAME -j SNAT --to-source $GRE_VPS_IP
    ip rule del from $GRE_VPS_IP lookup $GRE_TUNNEL_RTTABLES_NAME
    ip route del default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME
    ip addr del $GRE_VPS_IP/32 dev $GRE_TUNNEL_INTERFACE_NAME
    ip addr del $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME down
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    @@ -248,27 +261,24 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    5. ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    5. ⚠️ Make sure that NO additional IP addresses are linked to the operating system of the GRE VPS. Just keep the main IP address linked and that's it. **Yes the GRE tunnels will magically make use of the additional IPs work even when they are not linked to the OS of the GRE VPS.**
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    To make sure of this, you can use `ip a` to ensure that the main interface (e.g. `eth0`) has ONLY the main IP address of the GRE VPS linked to it.
    In case there are multiple IPs linked (for example as `eth0:1`, `eth0:2`, etc [or even on network interfaces with different names such as `eth1`]), you need to remove them first before attempting to setup **ANY** GRE tunnels.
    On AlmaLinux, the configuration files of any additional IPs are mostly found at `/etc/sysconfig/network-scripts/`
    So for example if you have `eth0:1` and `eth0:2` configured, you can remove them using:
    ```
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:1
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:2
    ```
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnel (or all of your tunnels if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh` [make sure to do the same for all your GRE tunnels if you have multiple scripts].
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
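    Review bot: the two `rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:N` lines delete the alias configs with no copy kept, and `-r` is not needed for regular files; moving the files to a backup directory would let a reader undo the step. The reworded note 5 also says the tunnels "magically" make the additional IPs work; naming the mechanism, the `proxy_arp=1` sysctl and the `$GRE_VPS_IP/32` route that makeGRE.sh sets on server A in this same revision, would explain the requirement instead of asking readers to take it on trust.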
    @@ -363,14 +373,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above. If you don't ignore it, you may end up with:
    - No outgoing internet connectivity on the backend server
    - The GRE tunnel may work for some time then will die randomly after some time
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Then you will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    You will need to use these scripts instead of the ones that were shown initially at the top of this whole guide [they are the same scripts with just a few additional commands]:
    makeGRE.sh on Server A (the GRE VPS):
    ```
  11. oddmario revised this gist Aug 7, 2024. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions GRE_TUNNELS.md
    @@ -364,8 +364,9 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above. If you don't ignore it, you may end up with:
    * No outgoing internet connectivity on the backend server
    * The GRE tunnel may work for some time then will die randomly after some time
    - No outgoing internet connectivity on the backend server
    - The GRE tunnel may work for some time then will die randomly after some time
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
  12. oddmario revised this gist Aug 7, 2024. 1 changed file with 11 additions and 1 deletion.
    12 changes: 11 additions & 1 deletion GRE_TUNNELS.md
    @@ -10,6 +10,14 @@ One recommended provider for Server A is BuyVM.net [especially with their DDoS p
    ## Server B
    It is the "backend server" or the destination server. i.e. the server which we are trying to hide/protect the IP address of.

    ## This guide covers
    - Setting up a GRE tunnel to link between two Linux servers (server A and server B)
    - Setting up the proper routing to make server A forward all the traffic to & from server B through the tunnel.

    If you would like to use WireGuard (or even OpenVPN) instead of a GRE tunnel to link between the two servers, you can absolutely give that a go!

    Generally, we just need a way to link between the two servers (either GRE, WireGuard or even OpenVPN). Then the rest of the commands to setup the routing through iproute2 and iptables should be similar.

    -----

    ### `makeGRE.sh` on Server A
    @@ -355,7 +363,9 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above.
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above. If you don't ignore it, you may end up with:
    * No outgoing internet connectivity on the backend server
    * The GRE tunnel may work for some time then will die randomly after some time
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
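Review bot: the new warning in note 8 lists two symptoms but gives no way to confirm the cause, and the step that follows restarts networking without the follow-up that note 5 gives. Add a check such as running `ip a` on the GRE VPS to confirm the IP is no longer on the main interface, and repeat the instruction to re-run `./delGRE.sh && ./makeGRE.sh` for any tunnel that was already up before the restart. The second bullet can also lose its repeated "some time".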
  13. oddmario revised this gist Aug 6, 2024. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions GRE_TUNNELS.md
    @@ -43,6 +43,7 @@ tc qdisc replace dev $GRE_VPS_IP_MAIN_INTERFACE root fq
    ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
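Review bot: the comment added above `sysctl -w net.ipv4.conf.default.accept_local=1` is only a link, so someone reading the script cannot tell why the setting is there, and the reason is lost if the forum post goes away. Put the reason in the comment itself (`accept_local` lets the kernel accept incoming packets whose source address is one of the host's own addresses; the linked thread, going by its URL, is about interface keepalives) and keep the URL as a reference. The same applies to the other three scripts touched in this revision.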
    @@ -160,6 +161,7 @@ GRE_TUNNEL_KEY="1"
    modprobe ip_gre
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    @@ -391,6 +393,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    iptables -F
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    @@ -459,6 +462,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    modprobe ip_gre
    # https://www.linuxquestions.org/questions/linux-networking-3/how-to-turn-on-keepalive-on-linux-interface-4175541981/#post6320771
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
  14. oddmario revised this gist Aug 6, 2024. 1 changed file with 10 additions and 0 deletions.
    10 changes: 10 additions & 0 deletions GRE_TUNNELS.md
    @@ -43,6 +43,8 @@ tc qdisc replace dev $GRE_VPS_IP_MAIN_INTERFACE root fq
    ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_MAIN_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
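Review bot: `accept_local=1` is written to `conf.default` and `conf.all` before `ip tunnel add` runs, so it applies host-wide, including the main interface, rather than only to `$GRE_TUNNEL_INTERFACE_NAME`. The setting relaxes the kernel's rejection of incoming packets that claim one of the host's own addresses as their source. If only the tunnel needs it, set `net.ipv4.conf.$GRE_TUNNEL_INTERFACE_NAME.accept_local=1` after the `ip tunnel add` line instead, and say in a comment why it is needed.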
    @@ -158,6 +160,9 @@ GRE_TUNNEL_KEY="1"
    modprobe ip_gre
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    if ! grep -Fxq "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" /etc/iproute2/rt_tables
    then
    echo "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" >> /etc/iproute2/rt_tables
    @@ -386,6 +391,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    iptables -F
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_MAIN_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
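Review bot: the combination around the new `accept_local` lines is too permissive for an internet-facing host. At this point the script has run `iptables -F` and `iptables -P FORWARD ACCEPT`, enabled `proxy_arp` on the main interface, and now accepts locally-sourced packets on every interface. Replace the blanket FORWARD policy with rules that only allow traffic between `$GRE_VPS_IP_MAIN_INTERFACE` and `$GRE_TUNNEL_INTERFACE_NAME`, and document that `iptables -F` removes any filter rules the operator already had in place.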
    @@ -451,6 +458,9 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    modprobe ip_gre
    sysctl -w net.ipv4.conf.default.accept_local=1
    sysctl -w net.ipv4.conf.all.accept_local=1
    if ! grep -Fxq "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" /etc/iproute2/rt_tables
    then
  15. oddmario revised this gist Aug 6, 2024. 1 changed file with 20 additions and 13 deletions.
    33 changes: 20 additions & 13 deletions GRE_TUNNELS.md
    @@ -233,24 +233,27 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    5. ⚠️ Make sure that NO additional IP addresses are linked to the operating system of the GRE VPS. Just keep the main IP address linked and that's it. **Yes the GRE tunnels will magically make use of the additional IPs work even when they are not linked to the OS of the GRE VPS.**
    5. ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    To make sure of this, you can use `ip a` to ensure that the main interface (e.g. `eth0`) has ONLY the main IP address of the GRE VPS linked to it.
    In case there are multiple IPs linked (for example as `eth0:1`, `eth0:2`, etc [or even on network interfaces with different names such as `eth1`]), you need to remove them first before attempting to setup **ANY** GRE tunnels.
    On AlmaLinux, the configuration files of any additional IPs are mostly found at `/etc/sysconfig/network-scripts/`
    So for example if you have `eth0:1` and `eth0:2` configured, you can remove them using:
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    ```
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:1
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:2
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    ```
    Then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnel (or all of your tunnels if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh` [make sure to do the same for all your GRE tunnels if you have multiple scripts].
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
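Review bot: the restart one-liner in note 5, `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`, takes all networking down in the middle of an `&&` chain. When it is typed into an SSH session, a hang-up or a non-zero exit from `nmcli networking off` means `nmcli networking on` never runs and the GRE VPS stays unreachable. Tell readers to run it from the provider's console or inside `tmux` or `nohup`, and join the last two commands with `;` so networking is turned back on regardless of the exit status.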
    @@ -345,7 +348,11 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    You will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above.
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Then you will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    makeGRE.sh on Server A (the GRE VPS):
    ```
  16. oddmario revised this gist Aug 6, 2024. 1 changed file with 15 additions and 20 deletions.
    35 changes: 15 additions & 20 deletions GRE_TUNNELS.md
    @@ -233,27 +233,24 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    5. ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    5. ⚠️ Make sure that NO additional IP addresses are linked to the operating system of the GRE VPS. Just keep the main IP address linked and that's it. **Yes the GRE tunnels will magically make use of the additional IPs work even when they are not linked to the OS of the GRE VPS.**
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    To make sure of this, you can use `ip a` to ensure that the main interface (e.g. `eth0`) has ONLY the main IP address of the GRE VPS linked to it.
    In case there are multiple IPs linked (for example as `eth0:1`, `eth0:2`, etc [or even on network interfaces with different names such as `eth1`]), you need to remove them first before attempting to setup **ANY** GRE tunnels.
    On AlmaLinux, the configuration files of any additional IPs are mostly found at `/etc/sysconfig/network-scripts/`
    So for example if you have `eth0:1` and `eth0:2` configured, you can remove them using:
    ```
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:1
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:2
    ```
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnel (or all of your tunnels if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh` [make sure to do the same for all your GRE tunnels if you have multiple scripts].
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
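Review bot: note 5 now says the opposite of what it said one revision earlier ("make sure they are linked to the operating system" versus "NO additional IP addresses are linked"), and the bolded sentence says unlinked IPs "magically" work without giving the reason. State the mechanism or the condition under which each instruction holds, so the note does not need to flip again. In the removal example, `rm -rf` is more than a single config file needs; `rm -f` avoids a recursive delete if the path is mistyped.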
    @@ -348,11 +345,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above.
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Then you will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    You will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    makeGRE.sh on Server A (the GRE VPS):
    ```
    @@ -521,6 +514,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    9. Reboot the GRE VPS (and preferably but not necessarily the backend server[s] too) after setting up or modifying any GRE tunnels to ensure that no unneeded leftovers are there. This really makes a difference most of the time.
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP (or more) from them
    Make sure that the main IP address of your BuyVM VPS is the normal non-DDoS protected IP address. You can set the main IP address through the BuyVM Stallion panel.
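Review bot: the new note 9 recommends a reboot but does not say what happens to the tunnels afterwards. Everything the scripts set up with `ip tunnel add`, `ip route` and `sysctl -w` is runtime state that does not survive a reboot, so the note should say that `makeGRE.sh` has to run again after the reboot, or point to wherever the guide explains starting it at boot. "Unneeded leftovers" would also be clearer if it named what is meant, for example stale routes, rules or tunnel interfaces.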
  17. oddmario revised this gist Aug 6, 2024. 1 changed file with 20 additions and 13 deletions.
    33 changes: 20 additions & 13 deletions GRE_TUNNELS.md
    @@ -233,24 +233,27 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    5. ⚠️ Make sure that NO additional IP addresses are linked to the operating system of the GRE VPS. Just keep the main IP address linked and that's it. **Yes the GRE tunnels will magically make use of the additional IPs work even when they are not linked to the OS of the GRE VPS.**
    5. ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    To make sure of this, you can use `ip a` to ensure that the main interface (e.g. `eth0`) has ONLY the main IP address of the GRE VPS linked to it.
    In case there are multiple IPs linked (for example as `eth0:1`, `eth0:2`, etc [or even on network interfaces with different names such as `eth1`]), you need to remove them first before attempting to setup **ANY** GRE tunnels.
    On AlmaLinux, the configuration files of any additional IPs are mostly found at `/etc/sysconfig/network-scripts/`
    So for example if you have `eth0:1` and `eth0:2` configured, you can remove them using:
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    ```
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:1
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:2
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    ```
    Then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnel (or all of your tunnels if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh` [make sure to do the same for all your GRE tunnels if you have multiple scripts].
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
    @@ -345,7 +348,11 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    You will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above.
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    Then you will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    makeGRE.sh on Server A (the GRE VPS):
    ```
  18. oddmario revised this gist Aug 6, 2024. 1 changed file with 15 additions and 56 deletions.
    71 changes: 15 additions & 56 deletions GRE_TUNNELS.md
    @@ -233,27 +233,24 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    5. ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    5. ⚠️ Make sure that NO additional IP addresses are linked to the operating system of the GRE VPS. Just keep the main IP address linked and that's it. **Yes the GRE tunnels will magically make use of the additional IPs work even when they are not linked to the OS of the GRE VPS.**
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    To make sure of this, you can use `ip a` to ensure that the main interface (e.g. `eth0`) has ONLY the main IP address of the GRE VPS linked to it.
    In case there are multiple IPs linked (for example as `eth0:1`, `eth0:2`, etc [or even on network interfaces with different names such as `eth1`]), you need to remove them first before attempting to setup **ANY** GRE tunnels.
    On AlmaLinux, the configuration files of any additional IPs are mostly found at `/etc/sysconfig/network-scripts/`
    So for example if you have `eth0:1` and `eth0:2` configured, you can remove them using:
    ```
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:1
    rm -rf /etc/sysconfig/network-scripts/ifcfg-eth0:2
    ```
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    Then restart the networking service using `systemctl restart NetworkManager.service && sleep 5 && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnel (or all of your tunnels if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh` [make sure to do the same for all your GRE tunnels if you have multiple scripts].
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
    @@ -348,11 +345,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above.
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    Then you will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    You will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    makeGRE.sh on Server A (the GRE VPS):
    ```
    @@ -522,44 +515,10 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP (or more) from them
    In the `makeGRE.sh` file of Server A (the GRE VPS), replace:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ```
    with:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local [the main non-DDoS protected public IP address of the BuyVM VPS here] remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ```
    And in the `makeGRE.sh` file of Server B (the backend server), replace:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255 key $GRE_TUNNEL_KEY
    ```
    with:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the main non-DDoS protected public IP address of the BuyVM VPS here] ttl 255 key $GRE_TUNNEL_KEY
    ```
    and leave the rest of the `$GRE_VPS_IP` values in the scripts unchanged [the changes just need to be applied to the `ip tunnel add` commands].
    ⚠️ **But** if you followed note no. 8 above, you will also need to replace this part in the `makeGRE.sh` file of Server B (the backend server):
    ```
    ip route add $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    with:
    ```
    ip route add [the main non-DDoS protected public IP address of the BuyVM VPS here] via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    and in the `delGRE.sh` file of Server B (the backend server), replace:
    ```
    ip route del $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    with:
    ```
    ip route del [the main non-DDoS protected public IP address of the BuyVM VPS here] via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    Make sure that the main IP address of your BuyVM VPS is the normal non-DDoS protected IP address. You can set the main IP address through the BuyVM Stallion panel.
    ⚠️ If you have multiple `makeGRE` and `delGRE` scripts, make sure to apply the same to ALL of them.
    Also make sure to use that same normal non-DDoS protected IP address as the value of the `GRE_VPS_MAIN_IP` variable in the scripts.
    The main reason we do this is to avoid getting the IP address of our backend server from getting blocked by the BuyVM (Path.net) DDoS protection.
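Review bot: the shortened BuyVM section says what to put in `GRE_VPS_MAIN_IP` but no longer says what `GRE_VPS_IP` should hold in this case. The removed text made clear that the other `$GRE_VPS_IP` values stay unchanged, so add a sentence saying that `GRE_VPS_IP` remains the address being forwarded to the backend and only the tunnel endpoint uses the non-protected main IP. The closing sentence also needs a grammar fix: "to avoid getting the IP address of our backend server blocked by".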
  19. oddmario revised this gist Aug 6, 2024. 1 changed file with 18 additions and 13 deletions.
    31 changes: 18 additions & 13 deletions GRE_TUNNELS.md
    @@ -22,7 +22,8 @@ It is the "backend server" or the destination server. i.e. the server which we a
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    BACKEND_IP="[backend server public ip address here]"
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
    @@ -43,7 +44,7 @@ ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_MAIN_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
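Review bot: `$GRE_VPS_MAIN_IP` and `$BACKEND_IP` are expanded unquoted in the `ip tunnel add` line, and the placeholder values assigned in the variables block contain spaces and brackets. If the script is run with a placeholder left in place, `ip` receives several stray words, and the `iptables -F` above it has already run by then. Quote the expansions and add a check near the top that exits when any of these variables is empty or still starts with `[`.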
    @@ -68,7 +69,7 @@ ethtool -K $GRE_VPS_IP_MAIN_INTERFACE gro off gso off tso off
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    @@ -141,7 +142,8 @@ net.ipv6.route.flush = 1
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    @@ -161,7 +163,7 @@ then
    echo "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" >> /etc/iproute2/rt_tables
    fi
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255 key $GRE_TUNNEL_KEY
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_MAIN_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    @@ -362,7 +364,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    BACKEND_IP="[backend server public ip address here]"
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
    @@ -384,7 +387,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_MAIN_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    @@ -406,7 +409,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    @@ -430,7 +433,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    @@ -453,7 +457,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    echo "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" >> /etc/iproute2/rt_tables
    fi
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255 key $GRE_TUNNEL_KEY
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_MAIN_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    ip addr add $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    @@ -471,7 +475,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    # finally cut over our routing
    # NOTE: this will cut all access to your original BACKEND IP!
    ip route add $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ip route add $GRE_VPS_MAIN_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ip route replace default via $GRE_TUNNEL_GREVPS_IP
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
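Review bot: the cut-over has no guard. The host route to `$GRE_VPS_MAIN_IP` is the only thing keeping the tunnel's outer packets off the tunnel once `ip route replace default via $GRE_TUNNEL_GREVPS_IP` runs, yet nothing in the visible lines checks that `$GATEWAY_IP` is non-empty or that `ip route add` succeeded. Add `[ -n "$GATEWAY_IP" ] || exit 1` before the cut-over and `|| exit 1` on the `ip route add` line, so a failed gateway lookup cannot leave the backend with a default route that points into its own tunnel.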
    @@ -489,7 +493,8 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_VPS_MAIN_IP="[the main public ip address of the gre vps here]"
    GRE_VPS_IP="[the public ip address of the gre vps that you are attempting to forward to the backend server]" # Set this to the same value of GRE_VPS_MAIN_IP if you have only one IP address on your GRE VPS and it's the IP that you are attempting to setup a GRE tunnel for
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
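    Review bot: `GRE_VPS_MAIN_IP` and `GRE_VPS_IP` are now typed by hand in both the make and del scripts of the backend server, and the del script can only remove the host route if its `GRE_VPS_MAIN_IP` matches what the make script used. Consider moving the variables block into one file that both scripts `source`, so a tunnel is always torn down with the values it was created with. The explanation in the trailing comment on `GRE_VPS_IP` would also read better as its own comment line above the variable.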
    @@ -505,7 +510,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    iptables -t nat -D POSTROUTING -o $GRE_TUNNEL_INTERFACE_NAME -j SNAT --to-source $GRE_VPS_IP
    ip route del default
    ip route del $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ip route del $GRE_VPS_MAIN_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ip route replace default via $GATEWAY_IP
    ip rule del from $GRE_VPS_IP lookup $GRE_TUNNEL_RTTABLES_NAME
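    Review bot: `ip route del default` runs two commands before `ip route replace default via $GATEWAY_IP`, so the server has no default route in between, and it stays that way if `$GATEWAY_IP` is empty or the script is interrupted. `ip route replace` already overwrites the existing default, so the `ip route del default` line can be dropped, and the script should exit early when `$GATEWAY_IP` is empty instead of running the remaining route commands.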
  20. oddmario revised this gist Aug 6, 2024. 1 changed file with 0 additions and 4 deletions.
    4 changes: 0 additions & 4 deletions GRE_TUNNELS.md
    @@ -367,7 +367,6 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_KEY="1"
    @@ -410,7 +409,6 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    @@ -436,7 +434,6 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    @@ -495,7 +492,6 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
  21. oddmario revised this gist Aug 6, 2024. 1 changed file with 7 additions and 11 deletions.
    18 changes: 7 additions & 11 deletions GRE_TUNNELS.md
    @@ -254,11 +254,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), copy makeGRE.sh and delGRE.sh so we can create new GRE setup scripts:
    ```
    cp makeGRE.sh makeGRE-2.sh
    cp delGRE.sh delGRE-2.sh
    ```
    On both the GRE VPS (Server A) and the backend server (Server B), create new `makeGRE-2.sh` and `delGRE-2.sh` files so we can create new GRE setup scripts. The content of the files should be the same scripts that are at the top of this guide.
    Then edit this configurable part on the new scripts:
    ```
    @@ -283,7 +279,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GRE_TUNNEL_KEY="2"
    ```
    then modify `GRE_VPS_IP` and `BACKEND_IP` to be the additional public IP of the GRE VPS and the IP of the new backend server respectively.
    then modify `GRE_VPS_IP` and `BACKEND_IP` to be the additional public IP of the GRE VPS and the IP of the new (or the same) backend server respectively.
    ⚠️ **Also, super importantly,** make sure that the `iptables -F` line on the `makeGRE.sh` script of the GRE VPS is executed only once by ONLY ONE script. Otherwise the script of each GRE tunnel will keep clearing the iptables rules as they are executed, resulting in an unwanted behaviour.
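    Review bot: the "`iptables -F` must run only once" rule is enforced only by this warning, while the rewritten note 6 now tells readers to create `makeGRE-2.sh` from the scripts at the top of the guide, which contain that line. A reader who copies the script verbatim flushes the rules of the first tunnel when the second one starts. Suggest taking `iptables -F` out of the per-tunnel script altogether and running it once from the wrapper that starts all tunnels, or saying explicitly here that the line must be deleted from every copy.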
    @@ -340,7 +336,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    /root/delGRE.sh
    ```
    Notice how `deinitGRE` is in the inversed order of `initGRE` (the last executed `makeGRE` script is the first executed `delGRE` script).
    ⚠️ Notice how `deinitGRE` is in the inversed order of `initGRE` (the last executed `makeGRE` script is the first executed `delGRE` script).
    Then edit `/etc/systemd/system/gre.service` to execute the newly created managing scripts instead:
    ```
    @@ -350,7 +346,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    For this setup specifically, you need to ignore note number 5 that we stated above.
    ⚠️ For this setup specifically, you need to ignore note number 5 that we stated above.
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    @@ -524,7 +520,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP from them
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP (or more) from them
    In the `makeGRE.sh` file of Server A (the GRE VPS), replace:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    @@ -545,7 +541,7 @@ ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the
    and leave the rest of the `$GRE_VPS_IP` values in the scripts unchanged [the changes just need to be applied to the `ip tunnel add` commands].
    ⚠️ **Also** if you followed note number 8 above, you will need to replace this part in the `makeGRE.sh` file of Server B (the backend server):
    ⚠️ **But** if you followed note no. 8 above, you will also need to replace this part in the `makeGRE.sh` file of Server B (the backend server):
    ```
    ip route add $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    @@ -562,7 +558,7 @@ with:
    ip route del [the main non-DDoS protected public IP address of the BuyVM VPS here] via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    ⚠️ If you have multiple `makeGRE` and `delGRE` scripts [either for multiple GRE tunnels linking to different backend servers, or for linking to the same backend server], make sure to apply the same to ALL of them.
    ⚠️ If you have multiple `makeGRE` and `delGRE` scripts, make sure to apply the same to ALL of them.
    The main reason we do this is to avoid getting the IP address of our backend server from getting blocked by the BuyVM (Path.net) DDoS protection.
  22. oddmario revised this gist Aug 6, 2024. 1 changed file with 1 addition and 3 deletions.
    4 changes: 1 addition & 3 deletions GRE_TUNNELS.md
    @@ -387,9 +387,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    modprobe ip_gre
    iptables -F
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.eth0.proxy_arp=1
    sysctl -w net.ipv4.conf.default.proxy_arp=1
    sysctl -w net.ipv4.conf.all.proxy_arp=1
    sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
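    Review bot: in `sysctl -w net.ipv4.conf.$GRE_VPS_IP_MAIN_INTERFACE.proxy_arp=1` the interface name is spliced into a dot-separated key, so a name that itself contains a dot (a VLAN interface such as `eth0.100`) produces a key sysctl cannot resolve. Using the slash form, `net/ipv4/conf/$GRE_VPS_IP_MAIN_INTERFACE/proxy_arp`, avoids that. Limiting proxy ARP to the one interface instead of `default` and `all` is a good narrowing; the commit would benefit from a line in the guide saying why it is needed for this setup.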
  23. oddmario revised this gist Aug 6, 2024. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions GRE_TUNNELS.md
    @@ -248,7 +248,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnels (or all of them if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh`, and do the same for all your GRE tunnels if you have multiple scripts.
    ⚠️ **NOTE:** You must restart your GRE tunnel (or all of your tunnels if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh` [make sure to do the same for all your GRE tunnels if you have multiple scripts].
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    @@ -547,7 +547,7 @@ ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the
    and leave the rest of the `$GRE_VPS_IP` values in the scripts unchanged [the changes just need to be applied to the `ip tunnel add` commands].
    ⚠️ **Also** if you followed note number 8 above, you also need to replace this part in the `makeGRE.sh` file of Server B (the backend server):
    ⚠️ **Also** if you followed note number 8 above, you will need to replace this part in the `makeGRE.sh` file of Server B (the backend server):
    ```
    ip route add $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
  24. oddmario revised this gist Aug 6, 2024. 1 changed file with 205 additions and 8 deletions.
    213 changes: 205 additions & 8 deletions GRE_TUNNELS.md
    @@ -202,9 +202,9 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME

    ## Notes

    > 📌 each individual note is prefixed with a white dot (even if this is handled by your browser). any uncoloured dots are sub-points of a note.
    > 📌 each individual note is prefixed with a number. any dotted points are sub-points of a note.
    - On the GRE VPS:
    1. On the GRE VPS:
    * It is recommended to use AlmaLinux
    * Make sure the system is up to date (dnf update)
    * Disable SELinux permanently
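    Review bot: the context line `* Disable SELinux permanently` under note 1 is carried over without any reason given, and nothing in the visible scripts shows which step SELinux blocks. While the notes are being renumbered, either name the denial that makes this necessary or drop the recommendation, since it removes a system-wide control on an internet-facing VPS for the sake of a tunnel that is configured entirely with `ip`, `tc` and `iptables`.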
    @@ -221,17 +221,17 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    * Reboot the VPS after updating the system & disabling SELinux
    - A bad provider for the GRE tunnel will cause packet loss.
    2. A bad provider for the GRE tunnel will cause packet loss.
    An example of that is Aeza.net. See https://lowendtalk.com/discussion/192513/aeza-sweden-and-probably-other-locations-network-issues
    - Setting the incorrect MTU for the gre1 interface will cause packet loss.
    3. Setting the incorrect MTU for the gre1 interface will cause packet loss.
    It is recommended to always keep the default MTU values set by the provider and Linux.
    - If you are facing issues after setting the GRE tunnel up, try disabling the firewall (ufw/firewalld) on the destination (backend) server [if it's enabled].
    4. If you are facing issues after setting the GRE tunnel up, try disabling the firewall (ufw/firewalld) on the destination (backend) server [if it's enabled].
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    - ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    5. ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    @@ -247,10 +247,12 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    ⚠️ **NOTE:** You must restart your GRE tunnels (or all of them if you have multiple) after restarting the networking. This can be done by `./delGRE.sh && ./makeGRE.sh`, and do the same for all your GRE tunnels if you have multiple scripts.
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    - If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or for **the same backend server**, you can create multiple GRE tunnels.
    6. If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or to **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), copy makeGRE.sh and delGRE.sh so we can create new GRE setup scripts:
    ```
    @@ -296,7 +298,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    You can do the same for as many additional IP addresses as you want. Just create `makeGRE-3.sh` and `delGRE-3.sh`, and change the `192.168.169` part to something else like `192.168.179`
    - To make the GRE tunnel(s) persistent, create a file at `/etc/systemd/system/gre.service` with the following content:
    7. To make the GRE tunnel(s) persistent, create a file at `/etc/systemd/system/gre.service` with the following content:
    ```
    [Unit]
    @@ -345,6 +347,184 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ExecStart=/root/initGRE.sh
    ExecStop=/root/deinitGRE.sh
    ```
    8. If you want to make one of the GRE VPS IPs act like the primary IP of the backend server (i.e. all the internet requests on the backend server will see the GRE VPS IP as the public IP of the backend server):
    For this setup specifically, you need to ignore note number 5 that we stated above.
    So first of all, make sure that the GRE VPS IP that you want to use as the backend server IP is not configured on the operating system of the GRE VPS. **If it is configured,** make sure to delete its config file (for example `/etc/sysconfig/network-scripts/ifcfg-eth0:1`) then restart the networking service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    Then you will need to use these scripts instead of the ones that were shown initially at the top of this whole guide:
    makeGRE.sh on Server A (the GRE VPS):
    ```
    #!/bin/bash
    # This script is placed on the GRE VPS
    #
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    BACKEND_IP="[backend server public ip address here]"
    GRE_VPS_IP_MAIN_INTERFACE="eth0"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_KEY="1"
    # ----------------------------------
    sysctl -p
    systemctl stop firewalld
    systemctl disable firewalld
    modprobe tcp_bbr
    tc qdisc replace dev $GRE_VPS_IP_MAIN_INTERFACE root fq
    ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    iptables -P FORWARD ACCEPT
    sysctl -w net.ipv4.conf.eth0.proxy_arp=1
    sysctl -w net.ipv4.conf.default.proxy_arp=1
    sysctl -w net.ipv4.conf.all.proxy_arp=1
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip route add $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
    ip link set $GRE_TUNNEL_INTERFACE_NAME txqueuelen 15000
    ethtool -K $GRE_TUNNEL_INTERFACE_NAME gro off gso off tso off
    ethtool -K $GRE_VPS_IP_MAIN_INTERFACE gro off gso off tso off
    ```
    delGRE.sh on Server A (the GRE VPS):
    ```
    #!/bin/bash
    # This script is placed on the GRE VPS
    #
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    # ----------------------------------
    ip route del $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP
    ip addr del $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME down
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    makeGRE.sh on Server B (the backend server):
    ```
    #!/bin/bash
    # This script is placed on the backend server
    #
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    BACKEND_IP="[backend server public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    GRE_TUNNEL_KEY="1"
    BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    modprobe ip_gre
    if ! grep -Fxq "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" /etc/iproute2/rt_tables
    then
    echo "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" >> /etc/iproute2/rt_tables
    fi
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255 key $GRE_TUNNEL_KEY
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    ip addr add $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip addr add $GRE_VPS_IP/32 dev $GRE_TUNNEL_INTERFACE_NAME
    ip rule add from $GRE_VPS_IP lookup $GRE_TUNNEL_RTTABLES_NAME
    ip route add default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME
    iptables -o $GRE_TUNNEL_INTERFACE_NAME -t nat -I POSTROUTING -j SNAT --to-source $GRE_VPS_IP
    # dns servers are required otherwise all dns resolutions will fail
    echo 'nameserver 4.2.2.1' > /etc/resolv.conf
    echo 'nameserver 4.2.2.2' >> /etc/resolv.conf
    # finally cut over our routing
    # NOTE: this will cut all access to your original BACKEND IP!
    ip route add $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ip route replace default via $GRE_TUNNEL_GREVPS_IP
    tc qdisc replace dev $GRE_TUNNEL_INTERFACE_NAME root fq
    ip link set $GRE_TUNNEL_INTERFACE_NAME txqueuelen 15000
    ethtool -K $GRE_TUNNEL_INTERFACE_NAME gro off gso off tso off
    ```
    delGRE.sh on Server B (the backend server):
    ```
    #!/bin/bash
    # This script is placed on the backend server
    #
    # Variables
    #
    GRE_VPS_IP="[gre vps public ip address here]"
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    BACKEND_SERVER_MAIN_INTERFACE_NAME="eth0"
    # ----------------------------------
    GATEWAY_IP=$(ip route show dev $BACKEND_SERVER_MAIN_INTERFACE_NAME | grep default | awk '{print $3}' | awk 'NR==1{print; exit}')
    iptables -t nat -D POSTROUTING -o $GRE_TUNNEL_INTERFACE_NAME -j SNAT --to-source $GRE_VPS_IP
    ip route del default
    ip route del $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ip route replace default via $GATEWAY_IP
    ip rule del from $GRE_VPS_IP lookup $GRE_TUNNEL_RTTABLES_NAME
    ip route del default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME
    ip addr del $GRE_VPS_IP/32 dev $GRE_TUNNEL_INTERFACE_NAME
    ip addr del $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME down
    ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ```
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP from them
    In the `makeGRE.sh` file of Server A (the GRE VPS), replace:
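    Review bot: the new `makeGRE.sh` for Server A runs `systemctl stop firewalld`, `systemctl disable firewalld`, `iptables -F` and `iptables -P FORWARD ACCEPT`, and then routes everything addressed to `$GRE_VPS_IP` to the backend with `ip route add $GRE_VPS_IP/32 via $GRE_TUNNEL_BACKEND_IP`. That leaves the GRE VPS with no packet filtering and forwards every port of that IP to the backend, which is worth stating in note 8 so readers know the backend's own firewall becomes the only filter. Suggest at least limiting the FORWARD rules to `$GRE_TUNNEL_INTERFACE_NAME` and accepting GRE only from `$BACKEND_IP`. Separately, `makeGRE.sh` on Server B overwrites `/etc/resolv.conf` with two hard-coded resolvers and `delGRE.sh` never restores it; the guide should say so or keep a backup of the original file.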
    @@ -367,6 +547,23 @@ ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the
    and leave the rest of the `$GRE_VPS_IP` values in the scripts unchanged [the changes just need to be applied to the `ip tunnel add` commands].
    ⚠️ **Also** if you followed note number 8 above, you also need to replace this part in the `makeGRE.sh` file of Server B (the backend server):
    ```
    ip route add $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    with:
    ```
    ip route add [the main non-DDoS protected public IP address of the BuyVM VPS here] via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    and in the `delGRE.sh` file of Server B (the backend server), replace:
    ```
    ip route del $GRE_VPS_IP via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    with:
    ```
    ip route del [the main non-DDoS protected public IP address of the BuyVM VPS here] via $GATEWAY_IP dev $BACKEND_SERVER_MAIN_INTERFACE_NAME onlink
    ```
    ⚠️ If you have multiple `makeGRE` and `delGRE` scripts [either for multiple GRE tunnels linking to different backend servers, or for linking to the same backend server], make sure to apply the same to ALL of them.
    The main reason we do this is to avoid getting the IP address of our backend server from getting blocked by the BuyVM (Path.net) DDoS protection.
  25. oddmario revised this gist Aug 6, 2024. 1 changed file with 13 additions and 87 deletions.
    100 changes: 13 additions & 87 deletions GRE_TUNNELS.md
    @@ -30,6 +30,7 @@ GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_KEY="1"
    # ----------------------------------
    @@ -42,7 +43,7 @@ ip link set $GRE_VPS_IP_MAIN_INTERFACE txqueuelen 15000
    modprobe ip_gre
    iptables -F
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_GREVPS_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
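    Review bot: `key $GRE_TUNNEL_KEY` on the `ip tunnel add` line is only a tunnel identifier carried in clear in the GRE header, and the values used here (`1`, `2`) make that plain, but the guide never says so. Readers may take "key" to mean the tunnel is authenticated or encrypted; it is neither. Suggest one sentence in the guide stating that the key exists to tell several tunnels between the same endpoints apart, and that traffic inside the tunnel is unencrypted.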
    @@ -149,6 +150,7 @@ GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    GRE_TUNNEL_KEY="1"
    # ----------------------------------
    @@ -159,7 +161,7 @@ then
    echo "$GRE_TUNNEL_RTTABLES_ID $GRE_TUNNEL_RTTABLES_NAME" >> /etc/iproute2/rt_tables
    fi
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255 key $GRE_TUNNEL_KEY
    ip addr add $GRE_TUNNEL_BACKEND_IP/30 dev $GRE_TUNNEL_INTERFACE_NAME
    ip link set $GRE_TUNNEL_INTERFACE_NAME up
    @@ -244,11 +246,11 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    PROXY_METHOD=none
    ```
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service`
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on`
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    - If you have multiple IP addresses on the GRE VPS and you would like to use them for **multiple different backend servers**, you can create multiple GRE tunnels.
    - If you have multiple IP addresses on the GRE VPS and you would like to use them to forward either to **multiple different backend servers** or for **the same backend server**, you can create multiple GRE tunnels.
    On both the GRE VPS (Server A) and the backend server (Server B), copy makeGRE.sh and delGRE.sh so we can create new GRE setup scripts:
    ```
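    Review bot: the new restart command `systemctl restart NetworkManager.service && nmcli networking off && nmcli networking on` takes every NetworkManager-managed interface down, including the one an SSH session arrives on. Because the steps are chained with `&&`, a failure or a dropped session after `nmcli networking off` leaves the VPS unreachable. The guide should tell readers to run this from the provider console or inside `tmux`/`nohup`, and explain why the plain `systemctl restart` was not enough.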
    @@ -264,6 +266,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    GRE_TUNNEL_KEY="1"
    ```
    to be:
    @@ -275,91 +278,14 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    GRE_TUNNEL_BACKEND_IP="192.168.169.2" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_RTTABLES_ID="200"
    GRE_TUNNEL_RTTABLES_NAME="GRE2"
    GRE_TUNNEL_KEY="2"
    ```
    then modify `GRE_VPS_IP` and `BACKEND_IP` to be the additional public IP of the GRE VPS and the IP of the new backend server respectively.
    ⚠️ **Also, super importantly,** make sure that the `iptables -F` line on the `makeGRE.sh` script of the GRE VPS is executed only once by ONLY ONE script. Otherwise the script of each GRE tunnel will keep clearing the iptables rules as they are executed, resulting in an unwanted behaviour.
    - **However** if you have multiple IP addresses on the GRE VPS and you would like to make them forward to the **same backend server**, you have two options:
    ### Option 1: Make your backend server see a single `GRE_TUNNEL_BACKEND_IP` (e.g. 192.168.168.2) and a single `GRE_TUNNEL_GREVPS_IP` (e.g. 192.168.168.1) for all the additional IPs:
    Add this below the `iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source $GRE_VPS_IP` and `iptables -t nat -A PREROUTING -d $GRE_VPS_IP -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP` lines in the `makeGRE.sh` script of the GRE VPS:
    ```
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [second additional ip]
    iptables -t nat -A PREROUTING -d [second additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [third additional ip]
    iptables -t nat -A PREROUTING -d [third additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    etc...
    ```
    And make sure to add the same to the `delGRE.sh` script of the GRE VPS, but replace the `-A` argument with `-D` to undo the iptables commands. For example:
    ```
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [second additional ip]
    iptables -t nat -D PREROUTING -d [second additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [third additional ip]
    iptables -t nat -D PREROUTING -d [third additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    etc...
    ```
    Thanks to @vsys_host at https://lowendtalk.com/discussion/comment/3997677/#Comment_3997677 for this idea :)
    ### Option 2: Make your backend server see a different `GRE_TUNNEL_BACKEND_IP` (e.g. 192.168.169.2) and `GRE_TUNNEL_GREVPS_IP` (e.g. 192.168.169.1) for each additional IP. [this is more recommended than the above approach]:
    On both the GRE VPS (Server A) and the backend server (Server B), copy makeGRE.sh and delGRE.sh so we can create new GRE setup scripts (but we still will use the same GRE tunnel `gre1`):
    ```
    cp makeGRE.sh makeGRE-2.sh
    cp delGRE.sh delGRE-2.sh
    ```
    On the makeGRE-2.sh of the backend server:
    - Change `GRE_VPS_IP` to the additional IP address.
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME`, `GRE_TUNNEL_RTTABLES_ID`, `GRE_TUNNEL_RTTABLES_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `ip tunnel add...` line
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME up` line
    - Comment or remove the `ip route add default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME` line
    On the delGRE-2.sh of the backend server:
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME`, `GRE_TUNNEL_RTTABLES_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `ip route del default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME` line
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME down` line
    - Comment or remove the `ip tunnel del $GRE_TUNNEL_INTERFACE_NAME` line
    On the makeGRE-2.sh of the GRE VPS:
    - Change `GRE_VPS_IP` to the additional IP address.
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `iptables -F` line to avoid clearing the iptables rules that were/are set by the `makeGRE.sh` script
    - Comment or remove the `ip tunnel add...` line
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME up` line
    On the delGRE-2.sh of the GRE VPS:
    - Change `GRE_VPS_IP` to the additional IP address.
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME down` line
    - Comment or remove the `ip tunnel del $GRE_TUNNEL_INTERFACE_NAME` line
    Now running `makeGRE-2.sh` on both the backend and the GRE VPS should set this up properly [make sure `makeGRE.sh` was run first because it's the script that creates the `gre1` tunnel that `makeGRE-2.sh` links an additional IP to].
    Now running `makeGRE-2.sh` on both the backend and the GRE VPS should set this up properly [make sure `makeGRE.sh` was run first because it has the `iptables -F` command which clears any unwanted iptables leftovers].
    Accessing the additional IP of the GRE VPS should forward the traffic to the same backend server that we set the main GRE tunnel up for. To confirm the setup, run this on the backend server:
    ```
    @@ -423,20 +349,20 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP from them
    In the `makeGRE.sh` file of Server A (the GRE VPS), replace:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ```
    with:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local [the main non-DDoS protected public IP address of the BuyVM VPS here] remote $BACKEND_IP ttl 255
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local [the main non-DDoS protected public IP address of the BuyVM VPS here] remote $BACKEND_IP ttl 255 key $GRE_TUNNEL_KEY
    ```
    And in the `makeGRE.sh` file of Server B (the backend server), replace:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote $GRE_VPS_IP ttl 255 key $GRE_TUNNEL_KEY
    ```
    with:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the main non-DDoS protected public IP address of the BuyVM VPS here] ttl 255
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the main non-DDoS protected public IP address of the BuyVM VPS here] ttl 255 key $GRE_TUNNEL_KEY
    ```
    and leave the rest of the `$GRE_VPS_IP` values in the scripts unchanged [the changes just need to be applied to the `ip tunnel add` commands].
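    Review bot: `$GRE_TUNNEL_KEY` is added to all four `ip tunnel add` lines in this hunk, but nothing in the visible text says where it is defined or that both ends must use the same value; with mismatched keys the packets from one side are not accepted by the tunnel on the other. Suggest a sentence next to the BuyVM replacement stating that. It is also worth noting that a GRE key is a cleartext 32-bit identifier in the GRE header used to tell tunnels apart, so it should not be described or treated as authentication.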
  26. oddmario revised this gist Aug 5, 2024. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions GRE_TUNNELS.md
    @@ -359,9 +359,9 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME down` line
    - Comment or remove the `ip tunnel del $GRE_TUNNEL_INTERFACE_NAME` line
    Now running `makeGRE-2.sh` on both the backend and the GRE VPS should set this up properly. Accessing the additional IP of the GRE VPS should forward the traffic to the same backend server that we set the main GRE tunnel up for.
    To confirm the setup, run this on the backend server:
    Now running `makeGRE-2.sh` on both the backend and the GRE VPS should set this up properly [make sure `makeGRE.sh` was run first because it's the script that creates the `gre1` tunnel that `makeGRE-2.sh` links an additional IP to].
    Accessing the additional IP of the GRE VPS should forward the traffic to the same backend server that we set the main GRE tunnel up for. To confirm the setup, run this on the backend server:
    ```
    curl --interface 192.168.168.2 https://icanhazip.com
    curl --interface 192.168.169.2 https://icanhazip.com
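    Review bot: the prerequisite added in brackets hard-codes `gre1`, while the scripts take the name from `$GRE_TUNNEL_INTERFACE_NAME`; refer to the variable so the sentence stays correct when the name is changed. Since the ordering is only documented, consider also having `makeGRE-2.sh` exit early when the interface is missing (for example by testing `ip link show $GRE_TUNNEL_INTERFACE_NAME`) rather than continuing against a tunnel that does not exist.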
  27. oddmario revised this gist Aug 5, 2024. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion GRE_TUNNELS.md
    @@ -283,7 +283,7 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    - **However** if you have multiple IP addresses on the GRE VPS and you would like to make them forward to the **same backend server**, you have two options:
    ### Option 1: Make your backend server see a single `GRE_TUNNEL_BACKEND_IP` (e.g. 192.168.168.2) and a single `GRE_TUNNEL_GREVPS_IP` (e.g. 192.168.168.1):
    ### Option 1: Make your backend server see a single `GRE_TUNNEL_BACKEND_IP` (e.g. 192.168.168.2) and a single `GRE_TUNNEL_GREVPS_IP` (e.g. 192.168.168.1) for all the additional IPs:
    Add this below the `iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source $GRE_VPS_IP` and `iptables -t nat -A PREROUTING -d $GRE_VPS_IP -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP` lines in the `makeGRE.sh` script of the GRE VPS:
    ```
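    Review bot: the Option 1 heading now carries the whole explanation and is hard to scan. Suggest a short heading with a sentence below it stating the consequence: every additional IP is DNATed to the same `$GRE_TUNNEL_BACKEND_IP`, so the backend cannot tell from the destination address which public IP a connection arrived on.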
  28. oddmario revised this gist Aug 5, 2024. 1 changed file with 7 additions and 1 deletion.
    8 changes: 7 additions & 1 deletion GRE_TUNNELS.md
    @@ -250,7 +250,13 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    - If you have multiple IP addresses on the GRE VPS and you would like to use them for **multiple different backend servers**, you can create multiple GRE tunnels.
    This can be done by editing this configurable part:
    On both the GRE VPS (Server A) and the backend server (Server B), copy makeGRE.sh and delGRE.sh so we can create new GRE setup scripts:
    ```
    cp makeGRE.sh makeGRE-2.sh
    cp delGRE.sh delGRE-2.sh
    ```
    Then edit this configurable part on the new scripts:
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
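    Review bot: the copies made by `cp makeGRE.sh makeGRE-2.sh` inherit every line of the original, so the new scripts start out with the same interface name, addresses and routing table as the first tunnel. Say explicitly that all of the values in the configurable block must be changed before `makeGRE-2.sh` is run, otherwise the copy collides with the existing `gre1` setup. The `cp` lines also assume the current directory is the one holding the scripts, which is worth stating.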
  29. oddmario revised this gist Aug 5, 2024. 1 changed file with 22 additions and 4 deletions.
    26 changes: 22 additions & 4 deletions GRE_TUNNELS.md
    @@ -388,13 +388,31 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    - make the GRE tunnel(s) automatically get created on the system boot.
    - make the management of the GRE tunnel(s) easier. just use `systemctl stop gre.service` to delete the tunnel(s), and the same for `start`.
    Note that if you have multiple GRE tunnels setup by multiple scripts, you can add them in the `ExecStart` and `ExecStop` parts like this [as an example]:
    Note that if you have multiple GRE tunnels setup by multiple scripts, it is better to create two scripts called `initGRE.sh` and `deinitGRE.sh`
    initGRE.sh:
    ```
    ExecStart=/root/makeGRE.sh && /root/makeGRE-2.sh
    ExecStop=/root/delGRE-2.sh && /root/delGRE.sh
    #!/bin/bash
    /root/makeGRE.sh
    /root/makeGRE-2.sh
    ```
    Notice how `ExecStop` is in an inversed order (the last executed `makeGRE` script is the first executed `delGRE` script).
    deinitGRE.sh:
    ```
    #!/bin/bash
    /root/delGRE-2.sh
    /root/delGRE.sh
    ```
    Notice how `deinitGRE` is in the inversed order of `initGRE` (the last executed `makeGRE` script is the first executed `delGRE` script).
    Then edit `/etc/systemd/system/gre.service` to execute the newly created managing scripts instead:
    ```
    ExecStart=/root/initGRE.sh
    ExecStop=/root/deinitGRE.sh
    ```
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP from them
    In the `makeGRE.sh` file of Server A (the GRE VPS), replace:
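    Review bot: `initGRE.sh` and `deinitGRE.sh` have no error handling, so if `/root/makeGRE.sh` fails the second script still runs and the unit's result reflects only the last command. Add `set -e` after the shebang in both wrappers (or chain the calls with `&&` inside the script), and mention that the new files must be executable (`chmod +x`) for `ExecStart=/root/initGRE.sh` to work.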
  30. oddmario revised this gist Aug 5, 2024. 1 changed file with 154 additions and 81 deletions.
    235 changes: 154 additions & 81 deletions GRE_TUNNELS.md
    @@ -199,6 +199,9 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    -----

    ## Notes

    > 📌 each individual note is prefixed with a white dot (even if this is handled by your browser). any uncoloured dots are sub-points of a note.
    - On the GRE VPS:
    * It is recommended to use AlmaLinux
    * Make sure the system is up to date (dnf update)
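    Review bot: the legend added under `## Notes` depends on how the reader's browser draws list bullets ("white dot" versus "uncoloured dots"), which does not hold in raw Markdown or in other renderers. Suggest numbering the notes or giving each one its own heading instead of describing bullet shapes.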
    @@ -217,115 +220,183 @@ ip tunnel del $GRE_TUNNEL_INTERFACE_NAME
    * Reboot the VPS after updating the system & disabling SELinux
    - A bad provider for the GRE tunnel will cause packet loss.
    An example of that is Aeza.net. See https://lowendtalk.com/discussion/192513/aeza-sweden-and-probably-other-locations-network-issues
    An example of that is Aeza.net. See https://lowendtalk.com/discussion/192513/aeza-sweden-and-probably-other-locations-network-issues
    - Setting the incorrect MTU for the gre1 interface will cause packet loss.
    It is recommended to always keep the default MTU values set by the provider and Linux.
    It is recommended to always keep the default MTU values set by the provider and Linux.
    - If you are facing issues after setting the GRE tunnel up, try disabling the firewall (ufw/firewalld) on the destination (backend) server [if it's enabled].
    * If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    - If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    If this solves the problem but you would like to keep your firewall enabled, make sure the public IP address(es) of the GRE VPS and the private IP address(es) of the GRE VPS on the GRE tunnel (e.g. 192.168.168.1) are trusted on the firewall of the backend server.
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    ```
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    ```
    - ⚠️ If you have multiple IP addresses on your GRE VPS, make sure they are linked to the operating system first before attempting to involve them in a GRE tunnel! **This is super important! you can't start magically using an IP address when the operating system does not know about it.**
    For example, if your GRE VPS has the public IP address `a.b.c.d` as the main IP, and it also has `e.f.g.h` as an additional IP. Make sure the latter is configured on the GRE VPS system.
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service`
    On AlmaLinux this can be done by creating `/etc/sysconfig/network-scripts/ifcfg-eth0:1` and placing the following in it:
    ```
    DEVICE=eth0:1
    IPADDR=e.f.g.h
    NETMASK=[netmask here]
    GATEWAY=[gateway here]
    BOOTPROTO=none
    IPV4_FAILURE_FATAL=no
    PROXY_METHOD=none
    ```
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    Make sure to replace everything with their proper values then restart the network service using `systemctl restart NetworkManager.service`
    You can absolutely do the same for all the IP addresses you would like to link. Just replace the `eth0:1` with `eth0:2`, etc.
    - If you have multiple IP addresses on the GRE VPS and you would like to use them for **multiple different backend servers**, you can create multiple GRE tunnels.
    This can be done by editing this configurable part:
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    ```
    This can be done by editing this configurable part:
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre1"
    GRE_TUNNEL_GATEWAY_IP="192.168.168.0"
    GRE_TUNNEL_GREVPS_IP="192.168.168.1"
    GRE_TUNNEL_BACKEND_IP="192.168.168.2"
    GRE_TUNNEL_RTTABLES_ID="100"
    GRE_TUNNEL_RTTABLES_NAME="GRE"
    ```
    to be:
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre2"
    GRE_TUNNEL_GATEWAY_IP="192.168.169.0" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_GREVPS_IP="192.168.169.1" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_BACKEND_IP="192.168.169.2" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_RTTABLES_ID="200"
    GRE_TUNNEL_RTTABLES_NAME="GRE2"
    ```
    to be:
    then modify `GRE_VPS_IP` and `BACKEND_IP` to be the additional public IP of the GRE VPS and the IP of the new backend server respectively.
    ```
    GRE_TUNNEL_INTERFACE_NAME="gre2"
    GRE_TUNNEL_GATEWAY_IP="192.168.169.0" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_GREVPS_IP="192.168.169.1" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_BACKEND_IP="192.168.169.2" # NOTE: uses 169 instead of 168
    GRE_TUNNEL_RTTABLES_ID="200"
    GRE_TUNNEL_RTTABLES_NAME="GRE2"
    ```
    ⚠️ **Also, super importantly,** make sure that the `iptables -F` line on the `makeGRE.sh` script of the GRE VPS is executed only once by ONLY ONE script. Otherwise the script of each GRE tunnel will keep clearing the iptables rules as they are executed, resulting in an unwanted behaviour.
    then modify `GRE_VPS_IP` and `BACKEND_IP` to be the additional public IP of the GRE VPS and the IP of the new backend server respectively.
    - **However** if you have multiple IP addresses on the GRE VPS and you would like to make them forward to the **same backend server**, you have two options:
    **Also, super importantly,** make sure that the `iptables -F` line on the `makeGRE.sh` script of the GRE VPS is executed only once by ONLY ONE script. Otherwise the script of each GRE tunnel will keep clearing the iptables rules as they are executed, resulting in an unwanted behaviour.
    ### Option 1: Make your backend server see a single `GRE_TUNNEL_BACKEND_IP` (e.g. 192.168.168.2) and a single `GRE_TUNNEL_GREVPS_IP` (e.g. 192.168.168.1):
    - **However** if you have multiple IP addresses on the GRE VPS and you would like to make them forward to the **same backend server**,
    Add this below the `iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source $GRE_VPS_IP` and `iptables -t nat -A PREROUTING -d $GRE_VPS_IP -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP` lines in the `makeGRE.sh` script of the GRE VPS:
    ```
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [second additional ip]
    iptables -t nat -A PREROUTING -d [second additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    add this below the `iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source $GRE_VPS_IP` and `iptables -t nat -A PREROUTING -d $GRE_VPS_IP -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP` lines in the `makeGRE.sh` script of the GRE VPS:
    ```
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [second additional ip]
    iptables -t nat -A PREROUTING -d [second additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [third additional ip]
    iptables -t nat -A PREROUTING -d [third additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -t nat -A POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [third additional ip]
    iptables -t nat -A PREROUTING -d [third additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    etc...
    ```
    etc...
    ```
    And make sure to add the same to the `delGRE.sh` script of the GRE VPS, but replace the `-A` argument with `-D` to undo the iptables commands. For example:
    ```
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [second additional ip]
    iptables -t nat -D PREROUTING -d [second additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    And make sure to add the same to the `delGRE.sh` script of the GRE VPS, but replace the `-A` argument with `-D` to undo the iptables commands. For example:
    ```
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [second additional ip]
    iptables -t nat -D PREROUTING -d [second additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [third additional ip]
    iptables -t nat -D PREROUTING -d [third additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    iptables -t nat -D POSTROUTING -s $GRE_TUNNEL_GATEWAY_IP/30 ! -o gre+ -j SNAT --to-source [third additional ip]
    iptables -t nat -D PREROUTING -d [third additional ip] -j DNAT --to-destination $GRE_TUNNEL_BACKEND_IP
    etc...
    ```
    etc...
    ```
    Thanks to @vsys_host at https://lowendtalk.com/discussion/comment/3997677/#Comment_3997677 for this idea :)
    Thanks to @vsys_host at https://lowendtalk.com/discussion/comment/3997677/#Comment_3997677 for this idea :)
    ### Option 2: Make your backend server see a different `GRE_TUNNEL_BACKEND_IP` (e.g. 192.168.169.2) and `GRE_TUNNEL_GREVPS_IP` (e.g. 192.168.169.1) for each additional IP. [this is more recommended than the above approach]:
    - To make the GRE tunnel(s) persistent, create a file at `/etc/systemd/system/gre.service` with the following content:
    ```
    [Unit]
    Description=GREInitService
    After=network.target

    [Service]
    Type=oneshot
    ExecStart=/root/makeGRE.sh
    ExecStop=/root/delGRE.sh
    User=root
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
    ```
    On both the GRE VPS (Server A) and the backend server (Server B), copy makeGRE.sh and delGRE.sh so we can create new GRE setup scripts (but we still will use the same GRE tunnel `gre1`):
    ```
    cp makeGRE.sh makeGRE-2.sh
    cp delGRE.sh delGRE-2.sh
    ```
    Then run `systemctl daemon-reload`, `systemctl enable gre.service`.
    On the makeGRE-2.sh of the backend server:
    This will:
    * make the GRE tunnel(s) automatically get created on the system boot.
    * make the management of the GRE tunnel(s) easier. just use `systemctl stop gre.service` to delete the tunnel(s), and the same for `start`.
    - Change `GRE_VPS_IP` to the additional IP address.
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME`, `GRE_TUNNEL_RTTABLES_ID`, `GRE_TUNNEL_RTTABLES_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `ip tunnel add...` line
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME up` line
    - Comment or remove the `ip route add default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME` line
    Note that if you have multiple GRE tunnels setup by multiple scripts, you can add them in the `ExecStart` and `ExecStop` parts like this [as an example]:
    ```
    ExecStart=/root/makeGRE.sh && /root/makeGRE-2.sh
    ExecStop=/root/delGRE.sh && /root/delGRE-2.sh
    ```
    On the delGRE-2.sh of the backend server:
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME`, `GRE_TUNNEL_RTTABLES_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `ip route del default via $GRE_TUNNEL_GREVPS_IP table $GRE_TUNNEL_RTTABLES_NAME` line
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME down` line
    - Comment or remove the `ip tunnel del $GRE_TUNNEL_INTERFACE_NAME` line
    On the makeGRE-2.sh of the GRE VPS:
    ## An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP from them
    - Change `GRE_VPS_IP` to the additional IP address.
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `iptables -F` line to avoid clearing the iptables rules that were/are set by the `makeGRE.sh` script
    - Comment or remove the `ip tunnel add...` line
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME up` line
    On the delGRE-2.sh of the GRE VPS:
    - Change `GRE_VPS_IP` to the additional IP address.
    - Change `GRE_TUNNEL_GATEWAY_IP` to `192.168.169.0` instead of `...168.0`
    - Change `GRE_TUNNEL_GREVPS_IP` to `192.168.169.1` instead of `...168.1`
    - Change `GRE_TUNNEL_BACKEND_IP` to `192.168.169.2` instead of `...168.2`
    - Keep `GRE_TUNNEL_INTERFACE_NAME` and the rest of the variables unchanged since we are not setting up a new GRE tunnel.
    - Comment or remove the `ip link set $GRE_TUNNEL_INTERFACE_NAME down` line
    - Comment or remove the `ip tunnel del $GRE_TUNNEL_INTERFACE_NAME` line
    Now running `makeGRE-2.sh` on both the backend and the GRE VPS should set this up properly. Accessing the additional IP of the GRE VPS should forward the traffic to the same backend server that we set the main GRE tunnel up for.
    To confirm the setup, run this on the backend server:
    ```
    curl --interface 192.168.168.2 https://icanhazip.com
    curl --interface 192.168.169.2 https://icanhazip.com
    ```
    the first command should output the first IP address that we initially set up for the GRE tunnel. and the second command should output the additional IP address that we have just linked to the GRE tunnel.
    You can do the same for as many additional IP addresses as you want. Just create `makeGRE-3.sh` and `delGRE-3.sh`, and change the `192.168.169` part to something else like `192.168.179`
    - To make the GRE tunnel(s) persistent, create a file at `/etc/systemd/system/gre.service` with the following content:
    ```
    [Unit]
    Description=GREInitService
    After=network.target
    [Service]
    Type=oneshot
    ExecStart=/root/makeGRE.sh
    ExecStop=/root/delGRE.sh
    User=root
    RemainAfterExit=yes
    [Install]
    WantedBy=multi-user.target
    ```
    Then run `systemctl daemon-reload`, `systemctl enable gre.service`.
    This will:
    - make the GRE tunnel(s) automatically get created on the system boot.
    - make the management of the GRE tunnel(s) easier. just use `systemctl stop gre.service` to delete the tunnel(s), and the same for `start`.
    Note that if you have multiple GRE tunnels setup by multiple scripts, you can add them in the `ExecStart` and `ExecStop` parts like this [as an example]:
    ```
    ExecStart=/root/makeGRE.sh && /root/makeGRE-2.sh
    ExecStop=/root/delGRE-2.sh && /root/delGRE.sh
    ```
    Notice how `ExecStop` is in an inversed order (the last executed `makeGRE` script is the first executed `delGRE` script).
    ## ⚠️ An important note if you are using BuyVM as your GRE VPS + a DDoS protected IP from them
    In the `makeGRE.sh` file of Server A (the GRE VPS), replace:
    ```
    ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $GRE_VPS_IP remote $BACKEND_IP ttl 255
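    Review bot: in the `gre.service` text, `ExecStart=/root/makeGRE.sh && /root/makeGRE-2.sh` and the matching `ExecStop` line will not chain the scripts, because systemd does not run these lines through a shell; `&&` and the second path are passed to the first script as arguments. Use one wrapper script, or separate `ExecStart=` lines, which `Type=oneshot` permits. Separately, in Option 1 the extra `POSTROUTING ... -j SNAT --to-source [second additional ip]` rules have the same match as the original rule, so the first rule always wins and the added SNAT lines never apply; only the `PREROUTING ... -j DNAT` lines for each additional IP take effect.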
    @@ -346,6 +417,8 @@ ip tunnel add $GRE_TUNNEL_INTERFACE_NAME mode gre local $BACKEND_IP remote [the
    and leave the rest of the `$GRE_VPS_IP` values in the scripts unchanged [the changes just need to be applied to the `ip tunnel add` commands].
    ⚠️ If you have multiple `makeGRE` and `delGRE` scripts [either for multiple GRE tunnels linking to different backend servers, or for linking to the same backend server], make sure to apply the same to ALL of them.
    The main reason we do this is to avoid getting the IP address of our backend server from getting blocked by the BuyVM (Path.net) DDoS protection.
    > From https://wiki.buyvm.net/doku.php/gre_tunnel: