
How to set up a GRE tunnel in CentOS 7 Linux
In today's article, we show how to set up a GRE tunnel in CentOS 7 Linux.
As you may know, GRE stands for Generic Routing Encapsulation. It was created by Cisco and is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point or point-to-multipoint links over an Internet Protocol network.
Here is our environment:
OS: CentOS 7 Linux on VMware
Firewall: CSF
SELinux: enforcing
Endpoint A:
local/internal IP: 10.10.10.1
public IP: 192.168.2.128
Endpoint B:
local/internal IP: 10.10.10.2
public IP: 192.168.2.129
1- Prerequisites
To set up a GRE tunnel and let Linux handle it, the related kernel module needs to be loaded. Load it by running:
# modprobe ip_gre
Then check that it loaded correctly:
# lsmod | grep ip_gre
To load this module automatically on startup, create a file named tun.conf under /etc/modules-load.d containing the module name. The following command does that:
# echo ip_gre >> /etc/modules-load.d/tun.conf
2- Setup tunnel
To set up the tunnel, we must create an interface on each endpoint. Run this command on endpoint A:
# vim /etc/sysconfig/network-scripts/ifcfg-tun0
and put these lines in it:
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.2
PEER_OUTER_IPADDR=192.168.2.129
MY_INNER_IPADDR=10.10.10.1
Then create an interface on endpoint B:
# vim /etc/sysconfig/network-scripts/ifcfg-tun0
and put these lines in it:
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.1
PEER_OUTER_IPADDR=192.168.2.128
MY_INNER_IPADDR=10.10.10.2
Now bring up the two tunnel interfaces by running this command on both endpoint A and endpoint B:
# ifup tun0
3- Configure firewall
Here we use CSF as our firewall. To allow GRE traffic to pass between these endpoints, we just need to whitelist both endpoints' IPs.
So add the public IP of endpoint B to endpoint A and vice versa. On endpoint A:
# echo 10.10.10.2 >> /etc/csf/csf.allow
We should also allow GRE traffic. Run this command:
# vim /etc/csf/csfpre.sh
Then put these lines in it:
#!/bin/bash
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
Then reload CSF:
# csf -r
And on endpoint B:
# echo 10.10.10.1 >> /etc/csf/csf.allow
Again, we should allow GRE traffic. Run this command:
# vim /etc/csf/csfpre.sh
Then put these lines in it:
#!/bin/bash
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
Then reload CSF:
# csf -r
If you use firewalld as your CentOS 7 firewall, run these commands to allow GRE traffic.
On endpoint A:
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --reload
And on endpoint B:
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --reload
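The GRE rules in this section accept protocol gre from any source, and GRE itself provides no authentication or encryption, so scoping the rules to the peer's outer address limits who can send packets into the tunnel. The script below is an added example, not part of the original article: it reads an ifcfg tunnel file and prints peer-scoped rules for review instead of applying them. The helper names ifcfg_get, is_ipv4 and gre_peer_rules are hypothetical, and the sample file is constructed from the article's endpoint A values.

```shell
#!/bin/bash
# Added example: print GRE firewall rules scoped to the tunnel peer.

# Read one KEY=VALUE setting without sourcing the file, since sourcing
# would execute any shell code placed in it.
ifcfg_get() {   # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' \r"
}

# Succeed only for a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated address on dots
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print iptables rules that accept GRE only from/to PEER_OUTER_IPADDR.
gre_peer_rules() {   # $1 = path to an ifcfg tunnel file
    tun_type=$(ifcfg_get "$1" TYPE)
    peer=$(ifcfg_get "$1" PEER_OUTER_IPADDR)
    [ "$tun_type" = "GRE" ] || { echo "not a GRE tunnel: $1" >&2; return 1; }
    is_ipv4 "$peer" || { echo "bad PEER_OUTER_IPADDR in $1" >&2; return 1; }
    echo "iptables -A INPUT -p gre -s $peer -j ACCEPT"
    echo "iptables -A OUTPUT -p gre -d $peer -j ACCEPT"
}

# Constructed sample: endpoint A's ifcfg-tun0 with the article's values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.2
PEER_OUTER_IPADDR=192.168.2.129
MY_INNER_IPADDR=10.10.10.1
EOF
gre_peer_rules "$sample"
rm -f "$sample"
```

The printed lines can take the place of the two unscoped rules in /etc/csf/csfpre.sh on that endpoint.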
4- Test connectivity
Now it’s time to test connectivity. On endpoint A:
# ping 10.10.10.2
and on endpoint B:
# ping 10.10.10.1
If the pings get replies, the GRE tunnel is working properly. If not, first disable the firewall and test again; if the problem persists, investigate your routing table to see where packets destined for the tunnel are going.
5- Remove tunnel
If at any time you decide to remove the tunnel, just bring down the tunnel interface and remove the related file on both endpoints:
# ifdown tun0
# rm -rf /etc/sysconfig/network-scripts/ifcfg-tun0
# service network restart
Dear Hector,
How can I share endpoint A internet to endpoint B on this tunnel?
Thank you in advance
Dear abdali, what’s your overall goal, and do both of your servers have internet access?