GRE Tunnel Setup Guide
This guide explains how to deploy a GRE tunnel between two Linux endpoints for stable L3 transport across public networks. It is written for infrastructure teams that need deterministic packet paths for private routing overlays, service segmentation, or controlled upstream steering.
Requirement
Before configuring this tunnel, you need an UltraVM VPS endpoint. Buy a VPS from UltraVM so that one side of the GRE tunnel can be provisioned inside the UltraVM network.
Topology Example
In this example, we use:
- Server A (UltraVM VPS): public IP 203.0.113.10
- Server B (remote server): public IP 198.51.100.20
- GRE tunnel IP on Server A: 10.10.10.1/30
- GRE tunnel IP on Server B: 10.10.10.2/30
Step 1: Enable IP Forwarding
Run on both servers:
sudo sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-gre.conf
sudo sysctl --system
This allows routed traffic to pass through the host when the GRE interface is used for forwarding.
Step 2: Create the GRE Interface
On Server A:
sudo ip tunnel add gre1 mode gre local 203.0.113.10 remote 198.51.100.20 ttl 255
sudo ip addr add 10.10.10.1/30 dev gre1
sudo ip link set gre1 up
On Server B:
sudo ip tunnel add gre1 mode gre local 198.51.100.20 remote 203.0.113.10 ttl 255
sudo ip addr add 10.10.10.2/30 dev gre1
sudo ip link set gre1 up
Step 3: Add Static Routes
If you need to route a subnet through the tunnel, add a static route for it that points at the GRE next hop.
Example on Server A (route remote private subnet via Server B):
sudo ip route add 172.16.20.0/24 via 10.10.10.2 dev gre1
Example on Server B:
sudo ip route add 172.16.10.0/24 via 10.10.10.1 dev gre1
Step 4: Firewall and Security Notes
GRE uses IP protocol 47, not TCP/UDP. Ensure perimeter filtering allows GRE between both public endpoints.
For iptables-based systems:
sudo iptables -A INPUT -p 47 -s 198.51.100.20 -d 203.0.113.10 -j ACCEPT
sudo iptables -A OUTPUT -p 47 -s 203.0.113.10 -d 198.51.100.20 -j ACCEPT
Adjust source and destination values on each server accordingly.
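The source restriction in the rules above matters because GRE itself provides no authentication or encryption. As an added example (not part of the original guide), this shell function reads IPv4 `iptables-save` output and flags any INPUT rule that accepts protocol 47 from a source other than the tunnel peer; the names audit_gre_rules and sample_rules and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit GRE (IP protocol 47) ACCEPT rules in iptables-save output.
# audit_gre_rules and sample_rules are hypothetical helper names.
# Live use: sudo iptables-save | audit_gre_rules 198.51.100.20

audit_gre_rules() {
    # $1 = public IP of the tunnel peer; rules are read from stdin.
    awk -v peer="$1" '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; src = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "-s") {
                    src = $(i + 1)
                    if ($(i - 1) == "!") src = "!" src   # negated source match
                }
            }
            # iptables-save prints the protocol as "gre" or as the number 47.
            if ((proto != "gre" && proto != "47") || target != "ACCEPT") next
            if (src == "") { print "OPEN: " $0; bad = 1 }
            else if (src != peer && src != (peer "/32")) { print "UNEXPECTED-SOURCE: " $0; bad = 1 }
            else { print "OK: " $0; ok = 1 }
        }
        END {
            if (!ok) { print "MISSING: no GRE ACCEPT rule restricted to " peer; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed iptables-save excerpt for Server A: one rule matching Step 4,
# plus a leftover rule that accepts GRE from any source.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.20/32 -d 203.0.113.10/32 -p gre -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_gre_rules 198.51.100.20 || echo "audit failed: review the flagged rules"
```

The function returns non-zero when any GRE ACCEPT rule is open or points at an unexpected source, so it can gate a deployment check. It inspects the source match only; rule ordering and the chain policy still need a manual look.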
Step 5: Validate Tunnel Health
Confirm interface and address state:
ip -d link show gre1
ip addr show gre1
Ping across tunnel endpoints:
ping -c 4 10.10.10.2
Then test routed subnet reachability to confirm forwarding and route policy are both active.
Step 6: Make Configuration Persistent
The GRE interface commands above change runtime state only and do not survive a reboot. Persist them with your network stack:
- systemd-networkd .netdev and .network units
- Netplan definitions (Ubuntu-based systems)
- Ifupdown scripts for Debian-style deployments
Persist route entries and firewall rules in the same lifecycle so reboots do not break transport.
Operational Recommendations
Monitor GRE packet loss and jitter in Monitoring Systems and validate path behavior with Routing Consistency and Low-Latency Routing. GRE adds encapsulation overhead, so MTU tuning and PMTUD validation should be included in rollout checks.