Differences
This shows you the differences between two versions of the page.
gre_tunnel [2015/01/12 20:39] |
gre_tunnel [2021/05/03 12:22] (current) cubebuilder |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | This how-to tutorial was created by BuyVM. We offer affordable and reliable **[[https:// | ||
+ | {{buyvm_logo.png? | ||
+ | ====== Tutorial: GRE tunneling from your BuyVM DDoS Filtered VPS IP ====== | ||
+ | |||
+ | ==== What is a GRE tunnel? ==== | ||
+ | |||
+ | Much like a proxy, a GRE tunnel allows you to pass traffic from your BuyVM VPS including DDoS filtering to another remote destination. | ||
+ | |||
+ | GRE tunnels allow **all traffic** through, not just HTTP. With a GRE tunnel you can serve, and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.). | ||
+ | |||
+ | ==== What can your use a GRE tunnel for? ==== | ||
+ | |||
+ | GRE tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, | ||
+ | |||
+ | Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server. | ||
+ | |||
+ | **Note:** If you are tunneling to an OVH server, you most likely don't have GRE support in your kernel. You'll need to use a [[ipip_tunnel|IPIP tunnel]] instead. | ||
+ | |||
+ | ==== GRE Tunnel How-to Tutorial Begins Here ===== | ||
+ | |||
+ | Our how-to tutorial to setup a GRE tunnel between BuyVM DDoS filtered VPS IP and your remote server starts here. | ||
+ | |||
+ | Following the simple instructions below you should be able to create a GRE tunnel in under 20 minutes. | ||
+ | |||
+ | ===== Supported Operating Systems ==== | ||
+ | |||
+ | It is possible to use Windows to create, and forward your GRE tunnel. | ||
+ | |||
+ | In this document we'll only be covering a Linux GRE tunnel configuration. | ||
+ | |||
+ | This guide will work 100% on our KVM Slices. | ||
+ | |||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * iptables installed on your BuyVM VPS (included already in most cases) | ||
+ | * iproute2 (included with pretty much every recent Linux distribution) | ||
+ | * A kernel with GRE support (Linux includes this by default - ip_gre kernel module) | ||
+ | * A list of ports you need forwarded to your destination | ||
+ | * A BuyVM KVM Slice (starting as low as [[https:// | ||
+ | * A [[https:// | ||
+ | |||
+ | ===== Tunnel Setup ===== | ||
+ | |||
+ | First we need to set our tunnel up. | ||
+ | |||
+ | On your BuyVM VPS please execute the following commands: | ||
+ | |||
+ | < | ||
+ | echo ' | ||
+ | sysctl -p | ||
+ | iptunnel add gre1 mode gre local YOUR_UNFILTERED_IP remote DESTINATION_SERVER_IP ttl 255 | ||
+ | ip addr add 192.168.168.1/ | ||
+ | ip link set gre1 up | ||
+ | </ | ||
+ | |||
+ | On the remote server you wish to protect run the following: | ||
+ | |||
+ | < | ||
+ | iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote YOUR_UNFILTERED_IP ttl 255 | ||
+ | ip addr add 192.168.168.2/ | ||
+ | ip link set gre1 up | ||
+ | </ | ||
+ | |||
+ | You will always want to form your GRE with your **unfiltered** IP address for all GRE tunnels to make sure you don't run into any sort of MTU issues or trigger the DDOS protection. | ||
+ | |||
+ | Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2. | ||
+ | ===== Test your New GRE Tunnel with Ping ===== | ||
+ | |||
+ | On your BuyVM VPS, you should now be able to ping '' | ||
+ | |||
+ | For the sake of completeness, | ||
+ | |||
+ | ===== Setup Source Route Tables ===== | ||
+ | |||
+ | Source route entries are required to make sure data that came in via the GRE tunnel is sent back out the GRE tunnel. | ||
+ | |||
+ | Please execute the following commands on the **destination** server. | ||
+ | |||
+ | < | ||
+ | echo '100 BUYVM' >> / | ||
+ | ip rule add from 192.168.168.0/ | ||
+ | ip route add default via 192.168.168.1 table BUYVM | ||
+ | </ | ||
+ | |||
+ | **Please note that the echo command only needs to be ran once. The entry will be saved into / | ||
+ | |||
+ | ===== Initial NAT Entries to Move Data over GRE Tunnel ===== | ||
+ | |||
+ | NAT is used to pass data over our GRE and out the other end. | ||
+ | |||
+ | While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn' | ||
+ | |||
+ | On your BuyVM VPS run the following command: | ||
+ | < | ||
+ | iptables -t nat -A POSTROUTING -s 192.168.168.0/ | ||
+ | </ | ||
+ | |||
+ | ===== Test Outbound Connections ===== | ||
+ | |||
+ | On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly: | ||
+ | < | ||
+ | curl http:// | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | wget http:// | ||
+ | </ | ||
+ | |||
+ | The IP dumped should be your BuyVM filtered IP. | ||
+ | |||
+ | ===== Forwarding Ports Over your GRE Tunnel ===== | ||
+ | |||
+ | To make things easier, we'll forward all ports to the backend server. | ||
+ | |||
+ | Run the following commands on your BuyVM VPS: | ||
+ | |||
+ | < | ||
+ | iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 | ||
+ | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW, | ||
+ | </ | ||
+ | |||
+ | If you're wanting to get more specific, you could add: | ||
+ | |||
+ | < | ||
+ | -p tcp --dport 25565 | ||
+ | </ | ||
+ | |||
+ | If you just wanted to protect a minecraft server for instance. | ||
+ | |||
+ | The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly. | ||
+ | |||
+ | At this point you should be able to connect to '' | ||
+ | |||
+ | |||
+ | ===== Restarting your GRE Tunnel After Rebooting ===== | ||
+ | |||
+ | You can edit ''/ | ||
+ | |||
+ | Your distribution of choice (like Debian) may have hooks in ''/ | ||
+ | |||
+ | ===== GRE Configuration for Pterodactyl/ | ||
+ | Running Pterodactyl or Docker and want to protect your docker container? | ||
+ | |||
+ | [[gre_tunnel: |
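
Review bot: The "Forwarding Ports Over your GRE Tunnel" section DNATs every packet addressed to YOUR_FILTERED_IP to 192.168.168.2 with no protocol or port match, so anything the VPS itself serves on that address (SSH included) stops answering there, and every listening port on the backend is forwarded along with the one service being protected. I would make the port-restricted form the primary example and keep the catch-all as a clearly labelled shortcut. The `-p tcp --dport 25565` fragment is shown on its own without saying which rule it is appended to, so a complete rule would be clearer there. In "Setup Source Route Tables", `echo '100 BUYVM' >>` appends, so the bold note should say that running it a second time leaves a duplicate entry, and "ran" should be "run". Markup: the headings `==== GRE Tunnel How-to Tutorial Begins Here =====` and `===== Supported Operating Systems ====` have unequal numbers of `=` on each side, "What can your use a GRE tunnel for?" should read "you", "DDOS" is spelled "DDoS" everywhere else on the page, and a blank line is missing before the "Test your New GRE Tunnel with Ping" heading.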