
GRE tunnel configuration

GRE

The GRE tunnel is one of the most basic tunnels, but it's not the simplest either. First of all, GRE works using port 47 in UDP, so if your router is behind a box or a NAT, be sure to redirect port 47 to it.

To configure your tunnel, see the example configurations given on your tunnel page.

Subnets

It's important not to forget to assign your subnets to the tunnel. To do so, go to the subnets page.

Once your subnet has been assigned, you need to configure it on the other side of the tunnel, depending on how you want to do it. There are 2 main ways of simply assigning the subnet:

Assign in LAN

Classic routing

In this scenario, we simply treat the subnet as a LAN, assign an IP for the gateway (router) and assign the LAN IPs to the machines. This is the recommended method.

NAT 1:1

NAT one to one

In this scenario, NAT rules are applied to the router to translate public IPs to private IPs, just as port forwarding would do, but with full IPs. Under Linux, for example, this could be done as follows:

# Don't forget to enable forwarding
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_forward=1

# Public 203.0.113.1 <-> private 192.168.0.5
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.5 -j SNAT --to-source 203.0.113.1
iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.1 -j DNAT --to-destination 192.168.0.5
# FORWARD is evaluated after DNAT and before SNAT, so match on the private address
iptables -A FORWARD -s 192.168.0.5 -j ACCEPT
iptables -A FORWARD -d 192.168.0.5 -j ACCEPT

# Public 203.0.113.2 <-> private 192.168.0.10
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.10 -j SNAT --to-source 203.0.113.2
iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.2 -j DNAT --to-destination 192.168.0.10
iptables -A FORWARD -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -d 192.168.0.10 -j ACCEPT
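
The rules above repeat the same four lines per address pair, which is where copy errors creep in. The following added example (not part of the original page) generates them from a list of pairs and refuses malformed or reused addresses; the function names and the `WAN_IF` variable are hypothetical, and the script only prints commands without applying them.

```shell
#!/bin/sh
# Added example: build the 1:1 NAT rules from "PUBLIC PRIVATE" pairs on stdin.
WAN_IF="${WAN_IF:-eth0}"   # assumption: same outside interface as the page

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the iptables commands, or prints nothing and returns 1 when a pair is
# malformed or an address appears twice (two hosts cannot share one public IP).
gen_nat_rules() {
    seen=" "; out=""
    while read -r pub priv extra || [ -n "$pub" ]; do
        case "$pub" in ""|\#*) continue ;; esac
        if [ -n "$extra" ] || [ "$pub" = "$priv" ] ||
           ! is_ipv4 "$pub" || ! is_ipv4 "$priv"; then
            echo "bad mapping: $pub $priv $extra" >&2; return 1
        fi
        case "$seen" in
            *" $pub "*|*" $priv "*)
                echo "address reused: $pub $priv" >&2; return 1 ;;
        esac
        seen="$seen$pub $priv "
        # The filter table sees packets after DNAT and before SNAT, so the
        # FORWARD rules match on the private address.
        out="${out}iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub
iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv
iptables -A FORWARD -s $priv -j ACCEPT
iptables -A FORWARD -d $priv -j ACCEPT
"
    done
    printf '%s' "$out"
}
```

Feed it one pair per line (for example `203.0.113.1 192.168.0.5`) and review the printed commands before running them as root.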

Under MikroTik it could be done like this:

# Outbound: rewrite the private source address to its public address
/ip firewall nat
add chain=srcnat src-address=192.168.0.5 action=src-nat to-addresses=203.0.113.1
add chain=srcnat src-address=192.168.0.10 action=src-nat to-addresses=203.0.113.2

# Inbound: match on the public destination address and rewrite it to the private one
/ip firewall nat
add chain=dstnat dst-address=203.0.113.1 action=dst-nat to-addresses=192.168.0.5
add chain=dstnat dst-address=203.0.113.2 action=dst-nat to-addresses=192.168.0.10

⚠ Be sure to assign the IPs you use to an interface on your router (ideally a local interface), otherwise NAT may not work.

Routing tables

Once you've configured your subnets, you may run into a problem: outgoing traffic isn't properly redirected to the tunnel (packets with the source IPs of your subnets try to exit via your box). To remedy this, you can make use of routing tables and routing rules, or VRFs. We'll explain the routing rule method here.

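Under Linux, one way of solving this problem would be:

# The table name GRE must first be declared in /etc/iproute2/rt_tables
# (for example a line "100 GRE"; the ID 100 is an arbitrary example)
ip route add default via 172.42.0.1 dev tunnel0 table GRE
ip rule add from 203.0.113.0/28 table GRE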

Under MikroTik it would look like this:

/routing/table/add name=GRE fib
/ip/route add dst-address=0.0.0.0/0 gateway=172.42.0.1 routing-table=GRE
/routing rule add action=lookup src-address=203.0.113.0/28 table=GRE