Differences
This shows you the differences between two versions of the page.
— | gre_tunnel [2022/10/13 09:11] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | //[This how-to tutorial was created by EidolonHost. Please consider EidolonHost for your [[http:// | ||
+ | ====== Tutorial: GRE tunneling from your EidolonHost DDoS Filtered VPS IP ====== | ||
+ | |||
+ | ==== What is a GRE tunnel? ==== | ||
+ | |||
+ | Much like a proxy, a GRE tunnel allows you to pass traffic from your EidolonHost VPS including DDoS filtering to another remote destination. | ||
+ | |||
+ | GRE tunnels allow **all traffic** through, not just HTTP. With a GRE tunnel you can serve, and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.). | ||
+ | |||
+ | ==== What can you use a GRE tunnel for? ==== | ||
+ | |||
+ | GRE tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, | ||
+ | |||
+ | Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server. | ||
+ | |||
+ | **Note:** If you are tunneling to an OVH server, you most likely don't have GRE support in your kernel. You'll need to use a [[ipip_tunnel|IPIP tunnel]] instead. | ||
+ | |||
+ | ==== GRE Tunnel How-to Tutorial Begins Here ===== | ||
+ | |||
+ | Our how-to tutorial to setup a GRE tunnel between EidolonHost DDoS filtered VPS IP and your remote server starts here. | ||
+ | |||
+ | Following the simple instructions below you should be able to create a GRE tunnel in under 20 minutes. | ||
+ | |||
+ | ===== Supported Operating Systems ==== | ||
+ | |||
+ | It is possible to use Windows to create, and forward your GRE tunnel. | ||
+ | |||
+ | In this document we'll only be covering a Linux GRE tunnel configuration. | ||
+ | |||
+ | This guide will work 100% on both our KVM, and OpenVZ based plans. | ||
+ | |||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * iptables installed on your EidolonHost VPS (included already in most cases) | ||
+ | * iproute2 (included with pretty much every recent Linux distribution) | ||
+ | * A kernel with GRE support (Linux includes this by default - ip_gre kernel module) | ||
+ | * A list of ports you need forwarded to your destination | ||
+ | * A EidolonHost VPS (starting as low as $15/yr for our [[http:// | ||
+ | * A [[http:// | ||
+ | |||
+ | |||
+ | ===== Tunnel Setup ===== | ||
+ | |||
+ | First we need to set our tunnel up. | ||
+ | |||
+ | On your EidolonHost VPS please execute the following commands: | ||
+ | |||
+ | < | ||
+ | echo ' | ||
+ | sysctl -p | ||
+ | iptunnel add gre1 mode gre local YOUR_UNFILTERED_IP remote DESTINATION_SERVER_IP ttl 255 | ||
+ | ip addr add 192.168.168.1/ | ||
+ | ip link set gre1 up | ||
+ | </ | ||
+ | |||
+ | On the remote server you wish to protect run the following: | ||
+ | |||
+ | < | ||
+ | iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote YOUR_UNFILTERED_IP ttl 255 | ||
+ | ip addr add 192.168.168.2/ | ||
+ | ip link set gre1 up | ||
+ | </ | ||
+ | |||
+ | You will always want to form your GRE with your **unfiltered** IP address for all GRE tunnels to make sure you don't run into any sort of MTU issues or trigger the DDOS protection. | ||
+ | |||
+ | Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2. | ||
+ | ===== Test your New GRE Tunnel with Ping ===== | ||
+ | |||
+ | On your EidolonHost VPS, you should now be able to ping '' | ||
+ | |||
+ | For the sake of completeness, | ||
+ | |||
+ | ===== Setup Source Route Tables ===== | ||
+ | |||
+ | Source route entries are required to make sure data that came in via the GRE tunnel is sent back out the GRE tunnel. | ||
+ | |||
+ | Please execute the following commands on the **destination** server. | ||
+ | |||
+ | < | ||
+ | echo '100 EidolonHost' | ||
+ | ip rule add from 192.168.168.0/ | ||
+ | ip route add default via 192.168.168.1 table EidolonHost | ||
+ | </ | ||
+ | |||
+ | **Please note that the echo command only needs to be ran once. The entry will be saved into / | ||
+ | |||
+ | ===== Initial NAT Entries to Move Data over GRE Tunnel ===== | ||
+ | |||
+ | NAT is used to pass data over our GRE and out the other end. | ||
+ | |||
+ | While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn' | ||
+ | |||
+ | On your EidolonHost VPS run the following command: | ||
+ | < | ||
+ | iptables -t nat -A POSTROUTING -s 192.168.168.0/ | ||
+ | </ | ||
+ | |||
+ | ===== Test Outbound Connections ===== | ||
+ | |||
+ | On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly: | ||
+ | < | ||
+ | curl http:// | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | wget http:// | ||
+ | </ | ||
+ | |||
+ | The IP dumped should be your EidolonHost filtered IP. | ||
+ | |||
+ | ===== Forwarding Ports Over your GRE Tunnel ===== | ||
+ | |||
+ | To make things easier, we'll forward all ports to the backend server. | ||
+ | |||
+ | Run the following commands on your EidolonHost VPS: | ||
+ | |||
+ | < | ||
+ | iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 | ||
+ | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW, | ||
+ | </ | ||
+ | |||
+ | If you're wanting to get more specific, you could add: | ||
+ | |||
+ | < | ||
+ | -p tcp --dport 25565 | ||
+ | </ | ||
+ | |||
+ | If you just wanted to protect a minecraft server for instance. | ||
+ | |||
+ | The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly. | ||
+ | |||
+ | At this point you should be able to connect to '' | ||
+ | |||
+ | ===== Restarting your GRE Tunnel After Rebooting ===== | ||
+ | |||
+ | You can edit ''/ | ||
+ | |||
+ | Your distribution of choice (like Debian) may have hooks in ''/ |
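Review bot: In "Forwarding Ports Over your GRE Tunnel", the DNAT rule `iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2` has no protocol or port match, so every service listening on the destination server becomes reachable through the filtered IP, not only the one being protected. The prerequisites already ask for "A list of ports you need forwarded to your destination", so the port-restricted form (`-p tcp --dport 25565`, applied to both the PREROUTING and FORWARD rules) should be the primary example, with all-port forwarding shown as the exception and a sentence saying what it exposes. Two smaller points: the tunnel is created with `iptunnel` while the prerequisites name only iproute2 and the neighbouring commands use `ip`, so `ip tunnel add gre1 mode gre ...` would keep the commands consistent with the stated requirements; and the heading markers are unbalanced on `==== GRE Tunnel How-to Tutorial Begins Here =====` and `===== Supported Operating Systems ====`, which should open and close with the same number of `=` signs.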