How to set up a GRE tunnel in CentOS 7 Linux

In today's article, we show how to set up a GRE tunnel in CentOS 7 Linux.

As you may know, GRE stands for Generic Routing Encapsulation. It is a tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocols inside virtual point-to-point or point-to-multipoint links over an Internet Protocol network.

Here is our environment:

OS: CentOS 7 Linux on VMware
Firewall: CSF
SELinux: enforcing

Endpoint A:
local/internal IP: 10.10.10.1
public IP: 192.168.2.128

Endpoint B:
local/internal IP: 10.10.10.2
public IP: 192.168.2.129

1- Prerequisites

To set up a GRE tunnel, the ip_gre kernel module must be loaded so that Linux can handle it. Load it by running:

# modprobe ip_gre

then check if it’s loaded correctly:

# lsmod | grep ip_gre

To load this module automatically at startup, create a file named tun.conf under /etc/modules-load.d containing the module name:

# echo ip_gre >> /etc/modules-load.d/tun.conf

2- Setup tunnel

To set up the tunnel, we must create an interface on each endpoint. On endpoint A, run this command:

# vim /etc/sysconfig/network-scripts/ifcfg-tun0

and put these lines in it:

DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.2
PEER_OUTER_IPADDR=192.168.2.129
MY_INNER_IPADDR=10.10.10.1

then create an interface on endpoint B:

# vim /etc/sysconfig/network-scripts/ifcfg-tun0

and also put these lines in it:

DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.1
PEER_OUTER_IPADDR=192.168.2.128
MY_INNER_IPADDR=10.10.10.2

Now bring up the two tunnel interfaces by running this command on both endpoints A and B:

# ifup tun0

3- Configure firewall

Here we use CSF as our firewall. To allow GRE traffic to pass between these endpoints, we just need to whitelist both endpoints' IPs.
So add the public IP of endpoint B on endpoint A and vice versa. On endpoint A:

# echo 10.10.10.2 >> /etc/csf/csf.allow

We should also allow GRE traffic. Run this command:

# vim /etc/csf/csfpre.sh

then put these lines in it:

#!/bin/bash
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT

then reload csf:

# csf -r

and on endpoint B:

# echo 10.10.10.1 >> /etc/csf/csf.allow

Again, we should allow GRE traffic. Run this command:

# vim /etc/csf/csfpre.sh

then put these lines in it:

#!/bin/bash
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT

then reload csf:

# csf -r

If you use firewalld as your CentOS 7 firewall, run these commands to allow GRE traffic.
On endpoint A:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --reload

and on endpoint B:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --reload
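
The csfpre.sh rules in this section accept GRE from any source address. As an added example (not part of the original article), the script below reads PEER_OUTER_IPADDR from an ifcfg-tun0 file and prints rules that accept GRE only to and from that peer. The function names ifcfg_get, is_ipv4 and gre_rules_from_ifcfg are hypothetical helpers.

```shell
#!/bin/bash
# Added example: print GRE firewall rules limited to the tunnel peer.
# ifcfg_get, is_ipv4 and gre_rules_from_ifcfg are hypothetical helper names.

# Read KEY=value from an ifcfg-style file without sourcing it (sourcing
# would execute the file); the last assignment wins, quotes are stripped.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'[:space:]"
}

# Succeed only for a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print iptables rules accepting GRE only to and from PEER_OUTER_IPADDR.
gre_rules_from_ifcfg() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    tun_type=$(ifcfg_get "$1" TYPE)
    peer=$(ifcfg_get "$1" PEER_OUTER_IPADDR)
    [ "$tun_type" = GRE ] || { echo "$1: TYPE is not GRE" >&2; return 1; }
    is_ipv4 "$peer" || { echo "$1: bad PEER_OUTER_IPADDR" >&2; return 1; }
    printf 'iptables -A INPUT -p gre -s %s -j ACCEPT\n' "$peer"
    printf 'iptables -A OUTPUT -p gre -d %s -j ACCEPT\n' "$peer"
}

# Constructed sample input: endpoint A's ifcfg-tun0 as given in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.2
PEER_OUTER_IPADDR=192.168.2.129
MY_INNER_IPADDR=10.10.10.1
EOF
gre_rules_from_ifcfg "$sample"
rm -f "$sample"
```

Written into /etc/csf/csfpre.sh in place of the two unrestricted rules, the printed lines limit GRE to the configured peer.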

4- Test connectivity

Now it’s time to test connectivity. On endpoint A:

# ping 10.10.10.2

and on endpoint B:

# ping 10.10.10.1

If the pings get replies, our GRE tunnel is working properly. If not, first disable the firewall and test again; if the problem persists, investigate your routing table to see where packets destined for the tunnel go.

5- Remove tunnel

At any time, if you decide to remove the tunnel, just bring down the tunnel interface and remove the related file on both endpoints:

# ifdown tun0
# rm -rf /etc/sysconfig/network-scripts/ifcfg-tun0
# service network restart