This is an old revision of the document!
Much like a proxy, a GRE tunnel allows you to pass traffic from your BuyVM VPS including DDoS filtering to another remote destination.
GRE tunnels allow all traffic through, not just HTTP.
GRE tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, large database driven applications, etc.).
Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to redirect traffic to your remote server.
Our how-to tutorial to setup a GRE tunnel between BuyVM DDoS filtered VPS IP and your remote server starts here.
Following the simple instructions below you should be able to create a GRE tunnel in under 20 minutes.
It is possible to use Windows to create, and forward your GRE tunnel. If you need to protect a Windows server please consider purchasing a KVM plan.
In this document we'll only be covering a Linux GRE tunnel configuration.
This guide will work 100% on both our KVM, and OpenVZ based plans.
First we need to set our tunnel up.
On your BuyVM VPS please execute the following commands:
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf sysctl -p iptunnel add gre1 mode gre local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255 ip addr add 192.168.168.1/30 dev gre1 ip link set gre1 up
On the remote server you wish to protect run the following:
iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote YOUR_FILTERED_IP ttl 255 ip addr add 192.168.168.2/30 dev gre1 ip link set gre1 up
Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2.
On your BuyVM VPS, you should now be able to ping
For the sake of completeness, test pinging
192.168.168.1 from your destination server.
Source route entries are required to make sure data that came in via the GRE tunnel is sent back out the GRE tunnel.
Please execute the following commands on the destination server.
echo '100 BUYVM' >> /etc/iproute2/rt_tables ip rule add from 192.168.168.0/30 table BUYVM ip route add default via 192.168.168.1 table BUYVM
Please note that the echo command only needs to be ran once. The entry will be saved into /etc/iproute2/rt_tables until you remove it manually.
NAT is used to pass data over our GRE and out the other end.
While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn't cover that.
On your BuyVM VPS run the following command:
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source YOUR_FILTERED_IP
On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly:
curl http://www.cpanel.net/showip.cgi --interface 192.168.168.2
wget http://www.cpanel.net/showip.cgi --bind-address=192.168.168.2 -q -O -
The IP dumped should be your BuyVM filtered IP.
A common use for filtered GRE tunnels is to protect gaming servers. In this example we'll use
port 25565 but you can change the port to fit your needs.
Please adjust, and run the following commands on your BuyVM VPS:
iptables -t nat -A PREROUTING -p tcp -d YOUR_FILTERED_IP --dport 25565 -j DNAT --to-destination 192.168.168.2:25565 iptables -A FORWARD -p tcp -d 192.168.168.2 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly.
At this point you should be able to connect to
YOUR_FILTERED_IP and the destination port with your application and get passed through the GRE tunnel without issue.
You can edit
/etc/rc.local with your favourite editor of choice (or WINSCP even) and place all the commands we just ran before the
exit 0 at the bottom.
Your distribution of choice (like Debian) may have hooks in
/etc/network/interfaces to bring your GRE tunnels up at boot time but that's outside the scope of this guide.