GRE Tunnel original client IP

Hi,

At first: sorry if I am misunderstanding what a GRE tunnel does. I managed to successfully set it up. The connection is working fine. I opened a webserver port with iptables.

However, when I do a REMOTE_ADDR with PHP, I get to see the IP address of the tunnel (192.168.168.xx), not the IP address of the client (in this case, my IP). Let’s say I want to have the same thing as what X-Real-IP or X-Forwarded-For would do with a reverse proxy. Is this possible with a GRE Tunnel, or am I misunderstanding the concept?

Why not use a reverse proxy? Because the content is on a different server, which has some latency. It causes a slow website, so I’d rather serve it at once, if possible.

Comments

  • hzr Member, Moderator

    GRE forwards at a different layer.

    A reverse proxy with bytes cached/buffered set to 0 accomplishes what you are asking for.

    Thanked by 1 DennisdeWit
  • DennisdeWit Member
    edited July 27

    @hzr said:
    GRE forwards at a different layer.

    A reverse proxy with bytes cached/buffered set to 0 accomplishes what you are asking for.

    Interesting! I should definitely try that, as I had my Nginx configured successfully already. It was just unbearably slow.

    Edit: it works! Thanks!
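
What hzr's suggestion looks like in practice, as an added example that is not part of the thread or of DennisdeWit's actual config: an Nginx reverse proxy on the VPS with response buffering disabled, so bytes are streamed to the client as they arrive from the origin instead of being held until the response is complete, and with the headers the origin needs to recover the real client address. The origin address (192.168.168.2:80 over the tunnel) and the hostname are assumptions.

```nginx
# Added example, not from the thread. Runs on the VPS that terminates the
# GRE tunnel; the origin web server is assumed to be 192.168.168.2 on the tunnel.
server {
    listen 80;
    server_name example.com;   # placeholder hostname

    location / {
        proxy_pass http://192.168.168.2:80;
        proxy_http_version 1.1;

        # the "bytes cached/buffered set to 0" part: stream the origin's
        # response straight through instead of buffering it in the proxy
        proxy_buffering off;
        proxy_request_buffering off;

        # what the origin needs to see the real client instead of the proxy
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the origin, the value in X-Real-IP is only trustworthy when the request actually came from the proxy: anyone who can reach the origin directly can send that header with any value. If the origin is also Nginx, the realip module does this check for you (`set_real_ip_from 192.168.168.1;` for the proxy's tunnel address, then `real_ip_header X-Real-IP;`), and PHP then sees the client address in REMOTE_ADDR. If PHP reads the header itself, it should do so only when REMOTE_ADDR equals the proxy's address.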

  • lebuser Member

    @DennisdeWit said: However, when I do a REMOTE_ADDR with PHP, I get to see the IP address of the tunnel (192.168.168.xx), not the IP address of the client (in this case, my IP)

    When you use GRE or other tunnel protocols, the packets that are tunneled are usually unchanged. If the source address is changed, it may be because you are applying SNAT to the packet.

  • @lebuser said:

    @DennisdeWit said: However, when I do a REMOTE_ADDR with PHP, I get to see the IP address of the tunnel (192.168.168.xx), not the IP address of the client (in this case, my IP)

    When you use GRE or other tunnel protocols, the packets that are tunneled are usually unchanged. If the source address is changed, it may be because you are applying SNAT to the packet.

    So what would be the correct command to do it, then? :)

  • lebuser Member

    @DennisdeWit said:

    So what would be the correct command to do it, then? :)

    To avoid SNAT/masquerade to an interface, you can insert an ACCEPT rule first in the POSTROUTING chain on the VPS. That way packets sent out via the GRE tunnel aren't affected by SNAT/masquerade rules later in the POSTROUTING chain.

    iptables -t nat -I POSTROUTING 1 -o gre1 -j ACCEPT
    

    Since the source address isn't changed, the other end of the tunnel will need to use policy routing which sends all packets from the web server to the GRE tunnel.
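
Both halves of lebuser's advice together, as an added example that is not code from the thread: the VPS side (the POSTROUTING ACCEPT placed before any masquerade rule, plus DNAT of 80/443 into the tunnel) and the web-server side (a policy-routing rule so replies sourced from the tunnel address go back through the tunnel rather than out the server's own uplink). It also covers the SNAT point from lebuser's earlier post: only the destination is rewritten, so the web server sees the original client address. All interface names and addresses are constructed assumptions, and by default the script only prints the commands (DRY_RUN=0 applies them).

```shell
#!/bin/sh
# Added example (not from the thread). Addresses, interface names and the
# routing table number are constructed assumptions; adjust to your tunnel.
# Default is a dry run that prints the commands; set DRY_RUN=0 to apply.

PUBLIC_IF="eth0"             # VPS interface that receives client traffic
GRE_IF="gre1"                # GRE tunnel interface (same name on both ends)
VPS_GRE_IP="192.168.168.1"   # tunnel address of the VPS
WEB_GRE_IP="192.168.168.2"   # tunnel address of the web server
ROUTE_TABLE="100"            # policy-routing table used on the web server

# Print a command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "0" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# VPS: forward 80/443 into the tunnel without rewriting the client's source.
vps_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Inserted at position 1 so it is matched before any MASQUERADE/SNAT rule
  # an existing firewall setup has appended to POSTROUTING.
  run iptables -t nat -I POSTROUTING 1 -o "$GRE_IF" -j ACCEPT
  # Only the destination is rewritten, so REMOTE_ADDR on the web server
  # stays the real client address.
  run iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_GRE_IP:80"
  run iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport 443 -j DNAT --to-destination "$WEB_GRE_IP:443"
  # Let only the forwarded ports and their replies through FORWARD.
  run iptables -A FORWARD -i "$PUBLIC_IF" -o "$GRE_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
  run iptables -A FORWARD -i "$GRE_IF" -o "$PUBLIC_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Web server: replies come from the tunnel address, so they must go back
# through the tunnel; via the default route they would leave the server's
# own uplink with a private source address and never reach the client.
webserver_rules() {
  run ip route add default via "$VPS_GRE_IP" dev "$GRE_IF" table "$ROUTE_TABLE"
  run ip rule add from "$WEB_GRE_IP" lookup "$ROUTE_TABLE"
  # Strict reverse-path filtering would drop packets that arrive on the
  # tunnel from public source addresses; loose mode (2) keeps a sanity
  # check but accepts them.
  run sysctl -w "net.ipv4.conf.$GRE_IF.rp_filter=2"
}

case "${1:-show}" in
  vps)  vps_rules ;;
  web)  webserver_rules ;;
  show) DRY_RUN=1; vps_rules; webserver_rules ;;
esac
```

Run `sh script.sh` to see both rule sets, `DRY_RUN=0 sh script.sh vps` on the VPS and `DRY_RUN=0 sh script.sh web` on the web server to apply them. The FORWARD rules matter on hosts whose FORWARD policy is DROP; the rp_filter setting matters because the policy rule only covers packets *from* the tunnel address, so the kernel's reverse-path lookup for a public client address still points at the uplink.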

  • Would this be correct? @lebuser

    # VPS (tunnel endpoint) side
    OLD_IP=123.PUBLIC.IP      # public IP of the VPS
    NEW_IP=192.168.168.1      # tunnel address of the web server
    
    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # exempt packets leaving via the tunnel from later SNAT/MASQUERADE rules
    iptables -t nat -I POSTROUTING 1 -o gre1 -j ACCEPT
    # redirect the traffic on port 80
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $NEW_IP:80
    # rewrites the source to the VPS public IP; not reached for packets that
    # go out via gre1, because the ACCEPT rule above ends nat processing for them
    iptables -t nat -A POSTROUTING -p tcp -d $NEW_IP --dport 80 -j SNAT --to-source $OLD_IP
    
    # redirect the traffic on port 443 (SSL)
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $NEW_IP:443
    iptables -t nat -A POSTROUTING -p tcp -d $NEW_IP --dport 443 -j SNAT --to-source $OLD_IP
    