DDoS protecting Windows | remote gre tunnel

I am trying to establish a GRE tunnel to my Windows Server 2019, which seems easy enough. Although things get a bit complicated, as I want my applications to bind to the IP on the other side of the tunnel.

My setup would look like this: Visitor -> Mikrotik router (10.10.10.10) --> GRE tunnel --> Server (20.20.20.20) + (10.10.10.10)

I am aware that it would require 3 IPs or so, as I need to route a /28 with the GRE tunnel.

I've seen a few companies do what I'm trying to accomplish, e.g. x4b.net, but their secret source is hidden in an exe program.

I have tested the setup using an OpenVPN tunnel as a TAP adapter and it is working. However, in regards to performance, this doesn't seem like an optimal solution.

An important note: I do not have access to a router in front of the server (client seen from the tunnel) so it needs to be configured on the server itself.

What I am trying to accomplish is similar to this: https://www.x4b.net/kb/WindowsIPIPTunnel

The solution on Linux is pretty well defined here: https://www.lowendtalk.com/discussion/156850/howto-tunnel-ddos-protected-ovh-ip-to-vms-in-other-datacenter

Comments

  • Hello,

    I think it'd be wise to set up an IPSEC/L2TP tunnel instead, which probably is a better solution for a Windows server, instead of GRE.

    You can also do that without the need for any additional software at all, it's all supported by Windows itself and it'll be picked up as a network interface.

    Regarding the OpenVPN Tunnel, I wouldn't see the reason why it's causing performance penalties? I can see that if you're using TCP, but with UDP it should not cause any issue at all, given that the server doesn't have crappy hardware!

  • Clouvider Member, Provider

    Mikrotik for DDoS protection? I don’t think this is a good idea.

    Clouvider Limited - Leading Hosting & Connectivity Partner || Dedicated Server Sale from £39/m - Our Latest LET Offer

    Cloud Web Hosting | SSD & SAS HA OnApp VPS | US, UK, NL & DE Dedicated Servers | Network Services | Colocation | Managed Services

  • We aren't using the Mikrotik for DDoS protection :) - it's just our router, which we create tunnels for remote protection from.
    I will have a look at the L2TP, although I think there were some issues which prevented us from using it. If I remember correctly, we had the problem that the server's application could not bind to the IP provided through the L2TP tunnel.

  • Clouvider Member, Provider

    What if the remote protection leaks?

  • Not to be a jerk or anything, but this topic was about a technical matter, not whether our infrastructure was ready for handling DDoS.

    But we announce our IP block to our scrubbing center, which then provides us with the data through two dedicated fiber connections.
    We then receive the data scrubbed, but in case there are some packages that aren't filtered, we simply correct our filter at the scrubbing center.
    We also have a Juniper DDoS appliance, which can send flowspec rules to the scrubbing center.

    So for our usage it's fine.
    Thanks for your concern.

  • SplitIce Member, Provider
    edited September 12

    As far as I know we are the only company who has taken the leap into developing an application for GRE on Windows. Given the cost of custom development and the general low margin of protection services it shouldn't be surprising.

    If you want to do GRE on Windows like we do without us you will need to develop your own application. It's not supported the way it is on Linux (in fact I don't think Windows natively supports any point-to-point networking options)

    IPSec+L2TP VPN does work on Windows, however it's a metric PITA to configure and can be unstable with Strongswan. It's the closest you will get natively however. We used to offer it, however the support costs and low popularity (largely due to limited compatibility and complexity) made it unavailable. It may be however the best solution available to you. It however behaves more like a VPN than a tunnel.

    X4B - DDoS Protection: Affordable Anycast DDoS mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer
  • Francisco Top Provider

    @SplitIce said: If you want to do GRE on Windows like we do without us you will need to develop your own application.

    Or use Windows 2019 which supposedly has GRE built in.

    Still, you're best off just buying a DDOS protected service and put Windows on that instead of tunneling.

    Francisco

    BuyVM - Free DirectAdmin, Softaculous, & Blesta! / Anycast Support! / Windows 2008, 2012, & 2016! / Unmetered Bandwidth!
    BuyShared - Shared & Reseller Hosting / cPanel + Softaculous + CloudLinux / Pure SSD! / Free Dedicated IP Address
  • SplitIce Member, Provider

    @Francisco said: Or use Windows 2019 which supposedly has GRE built in.

    FYI As far as I know it's very limited and not intended for use like this. There is very little documentation on it however. It seems largely for use with HyperV Virtual Switch and functions similarly to a VPN in that type of setup.

  • Thanks for the advice, SplitIce. We actually did reach out, but the salesperson we ran into was asking for a budget, and since we haven't really thought about a budget yet, we wrote that we were looking into options, and price wasn't really thought about yet.
    The topic was then shut down by the salesperson, as we didn't have a budget.

    We now had the chance to look into L2TP and test it with our remote servers, and it seems fine.
    It's using a few more resources than we wanted to, which is why we are still looking into GRE tunnels on Windows.

    We are in fact using Windows Server 2019 and I didn't know that they have implemented GRE support to some extent, but I will surely have a look at that to see if there are any opportunities.

    The reason we aren't able to use x4b is that we are using our own IP blocks, along with the fact that we already have a strong scrubbing partner, which we are happy with.

    Francisco, have you tried the GRE tunnel functionality on Windows 2019, and what are your thoughts, do you think it's worth looking into, for our use case?

  • Francisco Top Provider

    @Rakkey said: Francisco, have you tried the GRE tunnel functionality on Windows 2019, and what are your thoughts, do you think it's worth looking into, for our use case?

    Nope.

    Basically I tell people to just get a VPS from me w/ windows and they're happy enough.

    Some people use OpenVPN which works but is weird.

    Francisco

  • SplitIce Member, Provider

    @Rakkey said: The topic was then shut down by the salesperson, as we didn't have a budget.

    Without a budget there is no case for us to invest time developing you a custom application for your needs, licence you the software developed to date and support it. So yes, I, as the owner and lead developer, ended discussions with you when you made that clear.

    @Rakkey said: The reason we aren't able to use x4b is that we are using our own IP blocks

    Not sure why you think that's an issue; you need only contact us for a quote. That's been an option for us for either a pool for usage on ordered /32 services, small network services (multiple /27 - /25) or announced as a large network service (/24+).

    X4B - DDoS Protection: Affordable Anycast DDoS mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer