[HOWTO] Tunnel DDoS protected OVH IP to VM's in other datacenter - Page 2
Comments

  • jordynegen11jordynegen11 Member
    edited August 2019

    What happened here 🧐

    For the record, @LayerVPS: the post before your original post explained how to do this for a single IPv4 address.

    Thanked by 1banana_mcn
  • RxyzrRxyzr Member

    How do you do this with a /32 or /31? I want to test it with a /32 subnet. I have a vServer with 2x /32 IPs (DDoS protected) and a dedicated server with 12 IPs, but no protection. Can you help me?

  • afplaysafplays Member
    edited April 2020

    @Rxyzr said:
    How do you do this with a /32 or /31? I want to test it with a /32 subnet. I have a vServer with 2x /32 IPs (DDoS protected) and a dedicated server with 12 IPs, but no protection. Can you help me?

    Hello,
    Same here, using an OVH VPS SSD and 7 dedicated servers, each with 4/8 IPv4. If you know how to do it, please let me know, because OVH only allows /32 subnets on their VPSs and I need a lot of them to do this, since all my IPs are DDoSed all the time...

  • @afplays said:

    @Rxyzr said:
    How do you do this with a /32 or /31? I want to test it with a /32 subnet. I have a vServer with 2x /32 IPs (DDoS protected) and a dedicated server with 12 IPs, but no protection. Can you help me?

    Hello,
    Same here, using an OVH VPS SSD and 7 dedicated servers, each with 4/8 IPv4. If you know how to do it, please let me know, because OVH only allows /32 subnets on their VPSs and I need a lot of them to do this, since all my IPs are DDoSed all the time...

    This method will not work with a /32 subnet (1 IP). You need at least a /30 subnet.

  • afplaysafplays Member

    Hi,

    Thank you, but OVH VPS SSD only allow /32 :disappointed:
    Thank you anyways

  • doghouchdoghouch Member
    edited May 2020

    @jordynegen11 said:

    @afplays said:

    @Rxyzr said:
    How do you do this with a /32 or /31? I want to test it with a /32 subnet. I have a vServer with 2x /32 IPs (DDoS protected) and a dedicated server with 12 IPs, but no protection. Can you help me?

    Hello,
    Same here, using an OVH VPS SSD and 7 dedicated servers, each with 4/8 IPv4. If you know how to do it, please let me know, because OVH only allows /32 subnets on their VPSs and I need a lot of them to do this, since all my IPs are DDoSed all the time...

    This method will not work with a /32 subnet (1 IP). You need at least a /30 subnet.

    Are you sure that a /30 (2 useable addresses) subnet is needed to establish a GRE tunnel?

    Edit: Didn’t read — this tutorial is for subnets only, not single IPs (doh!)

  • RickBakkrRickBakkr Member, Patron Provider, LIR
    edited May 2020

    doghouch said: this tutorial is for subnets only, not single IPs (doh!)

    Single IPs can be routed over a GRE tunnel the exact same way. Requires some 'hacking' to route it over your switch/bridge, as your gateway will be out of the used subnet - if there truly is a subnet at all. Might possibly need something nasty like proxy_arp to 'pull' the IP towards your VM at OVH, to be able to route it.

    Hacky: yes. Works without a (routed) subnet or wasting IPs on network/broadcast? Definitely.

  • RxyzrRxyzr Member

    @RickBakkr said:

    doghouch said: this tutorial is for subnets only, not single IPs (doh!)

    Single IPs can be routed over a GRE tunnel the exact same way. Requires some 'hacking' to route it over your switch/bridge, as your gateway will be out of the used subnet - if there truly is a subnet at all. Might possibly need something nasty like proxy_arp to 'pull' the IP towards your VM at OVH, to be able to route it.

    Hacky: yes. Works without a (routed) subnet or wasting IPs on network/broadcast? Definitely.

    Can you make a Tutorial? How to do this?

  • Could this be done with Windows as well?
    Isn't there a problem with the default gateway?

  • Do not forget to run this on both nodes:

    # sudo only covers echo, not the >> redirect, so append with tee instead
    echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p

  • AbdAbd Member, Patron Provider
    edited December 2020

    @jordynegen11 I think something needs to be done about the IP/MAC protection.
    OVH IPs are bound to a vMAC ID; can that cause an issue?
    (I mean for the IP we are going to use as gateway.)

  • jordynegen11jordynegen11 Member
    edited December 2020

    @WebHorizon said:
    @jordynegen11 I think something needs to be done about the IP/MAC protection.
    OVH IPs are bound to a vMAC ID; can that cause an issue?
    (I mean for the IP we are going to use as gateway.)

    You should not use OVH vMAC for this. It works fine without vMAC for me. Your iptables can also cause issues. Try to disable all firewalls first.

    Thanked by 1Abd
  • Hello,
    I tried this tutorial and I have problems.
    I can't ping outside of VM.

    IP SV1: x.158
    IP SV2: x.242
    IP /29: x.192/29
    Bridge: bridge0
    
    SV1:
    ip tunnel add gre1 mode gre remote x.242 local x.158 ttl 255
    ip link set gre1 up
    ip route add x.192/29 dev gre1
    
    SV2:
    ip tunnel add gre1 mode gre remote x.158 local x.242 ttl 255
    ip link set gre1 up
    ip rule add from x.192/29 table 666
    ip route add default dev gre1 table 666
    ip route add x.192/29 dev bridge0 table 666
    ip addr add x.193/29 dev bridge0
    
    SV 2 - /etc/sysconfig/network-scripts/ifcfg-bridge0
    DEVICE=bridge0
    TYPE=Bridge
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR="x.194"
    NETMASK="x.248"
    GATEWAY="x.193"
    
  • jordynegen11jordynegen11 Member
    edited June 2021

    @panthera666 said:

    Hello,
    I tried this tutorial and I have problems.
    I can't ping outside of VM.

    IP SV1: x.158
    IP SV2: x.242
    IP /29: x.192/29
    Bridge: bridge0
    
    SV1:
    ip tunnel add gre1 mode gre remote x.242 local x.158 ttl 255
    ip link set gre1 up
    ip route add x.192/29 dev gre1
    
    SV2:
    ip tunnel add gre1 mode gre remote x.158 local x.242 ttl 255
    ip link set gre1 up
    ip rule add from x.192/29 table 666
    ip route add default dev gre1 table 666
    ip route add x.192/29 dev bridge0 table 666
    ip addr add x.193/29 dev bridge0
    
    SV 2 - /etc/sysconfig/network-scripts/ifcfg-bridge0
    DEVICE=bridge0
    TYPE=Bridge
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR="x.194"
    NETMASK="x.248"
    GATEWAY="x.193"
    

    The bridge is acting as the gateway for your VPS, so it should be:

    SV 2 - /etc/sysconfig/network-scripts/ifcfg-bridge0
    DEVICE=bridge0
    TYPE=Bridge
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR="x.193"
    NETMASK="x.248"
    

    And then you can remove/not use this line:

    ip addr add x.193/29 dev bridge0

    Also don't forget to run these on both servers:

    # sudo only covers echo, not the >> redirect, so append with tee instead
    echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p

    If that's not working, check whether you can ping the x.193 address from server A. If not, there is something wrong with your GRE connection. Try disabling ufw, iptables or any other firewall.

    Thanked by 2Falzo panthera666
  • IxelIxel Member

    Hi,
    New to the forum and came across this useful tutorial on something I was aiming to do. I'm currently doing it in a rather roundabout way with multiple L2TP connections (one for each IP address, then some policy routing).

    I would like to use the GRE method, but there's one thing that's puzzling me. I have an OVH server with a public /24 allocated. For example, let's say it's 2.2.2.0/24. This goes via the second ethernet interface (eth1) as it's on OVH's vRack.

    Now, this is very likely a silly question so I apologise if it is but what I'm a little puzzled about is... I presume I still need to use an IP address from, and the gateway IP of, the /24 on eth1 (e.g. .253 IP, .254 gateway) in order for GRE to work from 'server 1' - the OVH side? If so then I presume it's also important that I make sure the GRE local IP is set to the IP address I've assigned to eth1 on 'server 1', not the IP address of eth0 on 'server 1'?

    Finally do I need to assign every IP address that belongs to the /24 to eth1 on 'server 1', or is that unnecessary? I've read a little about GRE but have to admit in practice I've never used it before.

    I tried following the tutorial, albeit with a slight change in that 'server 2' is essentially my Edgerouter (EdgeOS/VyOS). I can only guess I didn't set it up on the Edgerouter correctly, so later tonight I will be trying a virtual machine as 'server 2' to see if I have success.

    Thanks in advance. Hope what I said above isn't somewhat confusing.

  • LowHostingLowHosting Member, Host Rep
    edited August 2021

    @FHR said:

    @jordynegen11 said:
    Please be sure that you check your MTU settings. For us, it gave problems with https.

    Our perfect number was 1476.

    For Libvirt: You can simply add the option in the XML.

    If you're running CentOS: You first have to update QEMU and Libvirt manual or this option isn't available.

    Just do MSS clamping on edges.

    This "perfect number" can also be easily calculated, it's networking 101. Please don't blindly guess.

    A simple iptables rule can help to do that:

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    Obviously it must be done on both sides.

    Thanked by 1ehab
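    As an added example (editor's code, not from the thread, from OVH or from any of the posters above): the script below renders the corrected setup from jordynegen11's answer to panthera666 for both servers, and, for the MTU question, derives the tunnel MTU and the TCP MSS from the underlay MTU instead of finding them by trial. It assumes a plain GRE tunnel (no key, no checksum, so 24 bytes of overhead), IPv4 only, and clamps with an explicit `--set-mss` rather than the thread's `--clamp-mss-to-pmtu`; the addresses, the bridge name `bridge0` and table `666` are placeholders taken from documentation ranges and from the thread, not real OVH values. It also prints the one check a practitioner wants first: a DF-flagged ping that exactly fills the tunnel MTU must reach the bridge gateway, and one byte more must fail locally.

```shell
#!/bin/sh
# Added example, not code from the thread: renders the GRE + policy-routing
# commands for both ends of the setup discussed above and derives the tunnel
# MTU / TCP MSS from the underlay MTU. Addresses, bridge name and table
# number are placeholders (documentation ranges), not real OVH values.
set -eu

SERVER_A=${SERVER_A:-198.51.100.10}    # OVH host: the DDoS-protected endpoint
SERVER_B=${SERVER_B:-192.0.2.20}       # hypervisor in the other datacenter
BLOCK=${BLOCK:-203.0.113.192/29}       # routed block that must reach the VMs
BRIDGE=${BRIDGE:-bridge0}              # bridge the VMs hang off on server B
TABLE=${TABLE:-666}                    # policy-routing table, as in the thread
UNDERLAY_MTU=${UNDERLAY_MTU:-1500}     # MTU of the path between A and B

# --- address arithmetic (POSIX sh; only external tool is tr) ---------------
ip2int() { set -- $(echo "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }
prefixlen() { echo "${1#*/}"; }
block_network() {
    [ "$(prefixlen "$1")" -le 30 ] || { echo "need a /30 or larger block, got $1" >&2; return 1; }
    int2ip $(( $(ip2int "${1%/*}") & (4294967295 << (32 - $(prefixlen "$1"))) & 4294967295 ))
}
# The thread uses the first host address of the block as the VMs' gateway on
# the bridge; the VMs get everything between it and the broadcast address.
block_gateway()  { int2ip $(( $(ip2int "$(block_network "$1")") + 1 )); }
block_first_vm() { int2ip $(( $(ip2int "$(block_network "$1")") + 2 )); }
block_last_vm()  { int2ip $(( $(ip2int "$(block_network "$1")") + (1 << (32 - $(prefixlen "$1"))) - 2 )); }

# --- MTU / MSS: GRE adds a 20-byte outer IPv4 header and a 4-byte GRE header
# (no key, no checksum), so tunnel MTU = underlay MTU - 24 (1500 -> 1476, the
# number found by trial in the thread). TCP MSS = tunnel MTU - 40 bytes of
# IPv4 + TCP headers (1476 -> 1436). A keyed tunnel would need 4 bytes more.
gre_mtu() { echo $(( $1 - 24 )); }
tcp_mss() { echo $(( $1 - 40 )); }

render_server_a() {
    mtu=$(gre_mtu "$UNDERLAY_MTU")
    cat <<EOF
# --- server A ($SERVER_A, OVH side): push the whole block into the tunnel
sysctl -w net.ipv4.ip_forward=1
ip tunnel add gre1 mode gre remote $SERVER_B local $SERVER_A ttl 255
ip link set dev gre1 mtu $mtu
ip link set dev gre1 up
ip route replace $BLOCK dev gre1
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(tcp_mss "$mtu")
EOF
}

render_server_b() {
    mtu=$(gre_mtu "$UNDERLAY_MTU"); gw=$(block_gateway "$BLOCK"); len=$(prefixlen "$BLOCK")
    cat <<EOF
# --- server B ($SERVER_B, VM host): $BRIDGE owns $gw, VMs use $(block_first_vm "$BLOCK") .. $(block_last_vm "$BLOCK")
sysctl -w net.ipv4.ip_forward=1
ip tunnel add gre1 mode gre remote $SERVER_A local $SERVER_B ttl 255
ip link set dev gre1 mtu $mtu
ip link set dev gre1 up
ip addr replace $gw/$len dev $BRIDGE
ip rule add from $BLOCK table $TABLE
ip route replace $BLOCK dev $BRIDGE table $TABLE
ip route replace default dev gre1 table $TABLE
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(tcp_mss "$mtu")
EOF
}

# Sanity check, run on server A: a DF-flagged ping whose payload exactly
# fills the tunnel MTU (MTU - 20 IP - 8 ICMP) must reach the bridge gateway;
# one byte more must fail locally with "message too long". If the first one
# already fails, the tunnel or a firewall is the problem, not the MTU.
render_check() {
    mtu=$(gre_mtu "$UNDERLAY_MTU"); gw=$(block_gateway "$BLOCK")
    echo "ping -c 3 -M do -s $(( mtu - 28 )) $gw   # must succeed"
    echo "ping -c 3 -M do -s $(( mtu - 27 )) $gw   # must fail: message too long"
}

main() {
    case "$1" in
        render)  render_server_a; echo; render_server_b; echo; render_check ;;
        apply-a) render_server_a | sh -e ;;     # run as root on server A
        apply-b) render_server_b | sh -e ;;     # run as root on server B
        *) echo "usage: $0 [render|apply-a|apply-b]" >&2; return 2 ;;
    esac
}
main "${1:-render}"
```

    `sh gre-block.sh render` (hypothetical file name) prints both command sets plus the two pings; `apply-a` / `apply-b` run them as root on the respective host. The script deliberately leaves persistence to the tools already mentioned in the thread (sysctl.conf, the ifcfg file for the bridge), and it refuses anything smaller than a /30 because, as the posts above point out, the block needs a network address, a gateway on the bridge, at least one VM address and a broadcast address.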
  • jordynegen11jordynegen11 Member
    edited August 2021

    @Ixel said:
    Hi,
    New to the forum and came across this useful tutorial on something I was aiming to do. I'm currently doing it in a rather roundabout way with multiple L2TP connections (one for each IP address, then some policy routing).

    I would like to use the GRE method, but there's one thing that's puzzling me. I have an OVH server with a public /24 allocated. For example, let's say it's 2.2.2.0/24. This goes via the second ethernet interface (eth1) as it's on OVH's vRack.

    Now, this is very likely a silly question so I apologise if it is but what I'm a little puzzled about is... I presume I still need to use an IP address from, and the gateway IP of, the /24 on eth1 (e.g. .253 IP, .254 gateway) in order for GRE to work from 'server 1' - the OVH side? If so then I presume it's also important that I make sure the GRE local IP is set to the IP address I've assigned to eth1 on 'server 1', not the IP address of eth0 on 'server 1'?

    Finally do I need to assign every IP address that belongs to the /24 to eth1 on 'server 1', or is that unnecessary? I've read a little about GRE but have to admit in practice I've never used it before.

    I tried following the tutorial, albeit with a slight change in that 'server 2' is essentially my Edgerouter (EdgeOS/VyOS). I can only guess I didn't set it up on the Edgerouter correctly, so later tonight I will be trying a virtual machine as 'server 2' to see if I have success.

    Thanks in advance. Hope what I said above isn't somewhat confusing.

    You don't have to assign anything; you only have to create a route on the OVH server that redirects the traffic received for your /24 block to the GRE tunnel interface. On server B, the second IP address of your block is your gateway, and you should add that to a bridge just as explained in the tutorial.

    But in my situation the IP addresses are assigned to the OVH server (public NIC) and not to the vrack. I never got that to work.

    Thanked by 1Ixel
  • IxelIxel Member

    @jordynegen11 said:
    You don't have to assign anything; you only have to create a route on the OVH server that redirects the traffic received for your /24 block to the GRE tunnel interface. On server B, the second IP address of your block is your gateway, and you should add that to a bridge just as explained in the tutorial.

    But in my situation the IP addresses are assigned to the OVH server (public NIC) and not to the vrack. I never got that to work.

    Ah I see. That could be why I had trouble (I have the /24 block in a vrack). I will move the block away from the vrack and try again. Many thanks! :)

  • Hi,

    Is it possible to use an internal IP on the GRE tunnel and then route this to the bridge?
    Like 10.0.0.0/24, then we forward all traffic from the public IP to the internal IP.

    example on server A:
    public ip: 125.0.0.10/32
    internal ip: 10.0.0.10/32

    125.0.0.10 => 10.0.0.10 => node vm => vm

    so we can use /32 ip not /26 ip subnet.

  • @LightBlade said:
    Hi,

    Is it possible to use an internal IP on the GRE tunnel and then route this to the bridge?
    Like 10.0.0.0/24, then we forward all traffic from the public IP to the internal IP.

    example on server A:
    public ip: 125.0.0.10/32
    internal ip: 10.0.0.10/32

    125.0.0.10 => 10.0.0.10 => node vm => vm

    so we can use /32 ip not /26 ip subnet.

    Not using this tutorial. But if you find a way I would like to know!

  • @jordynegen11 said:

    @LightBlade said:
    Hi,

    Is it possible to use an internal IP on the GRE tunnel and then route this to the bridge?
    Like 10.0.0.0/24, then we forward all traffic from the public IP to the internal IP.

    example on server A:
    public ip: 125.0.0.10/32
    internal ip: 10.0.0.10/32

    125.0.0.10 => 10.0.0.10 => node vm => vm

    so we can use /32 ip not /26 ip subnet.

    Not using this tutorial. But if you find a way I would like to know!

    I'm also trying it, but an idea came up to combine a GRE tunnel + ARP.

    However, I still haven't had time to try to find this tutorial, maybe on a day off I'll try to study it again

  • IxelIxel Member

    Just an update to say it's working now, it's a lot better than the somewhat messy method I was using of having multiple L2TP connections each with its own IP address and then a bit of policy routing. Thanks very much!

    I did have some issues though with my Edgerouter. I was hoping that I could successfully configure all of this through the Edgerouter UI (via the config tree), for ease and persistence, but it appears to do something odd (adds a fwmark that's not mentioned if I just manually run the commands, which I believe is causing trouble). Manually running the commands listed in your tutorial (as server 2) on my Edgerouter via SSH, instead of using the config tree, worked fine though. I've added a script to the post-config.d folder which I hope will serve the purpose of persisting some of the commands between power cycles of the Edgerouter (which is rare).

    Although GRE offloading is enabled, it also seems that the CPU handles GRE traffic anyway (possibly due to using the ip rule?). I get about 350-400 megabits throughput though, which is still plenty enough for my needs. I have a UDM Pro which is currently unused, primarily because the firmware lacks some features that I'm hoping will come later on in the firmware's development, but I might get that out again and see if I can setup the GRE tunnel on it using the commands via SSH. The CPU on the UDM Pro is more powerful than my Edgerouter's CPU so should be able to push more throughput.

    Thanks once again.

    Thanked by 1jordynegen11
  • If anyone knows how to pull this off when the IPs are attached to an OVH vrack, feel free to show us your config :smile:

  • IxelIxel Member

    @jordynegen11 said:
    If anyone knows how to pull this off when the IPs are attached to an OVH vrack, feel free to show us your config :smile:

    When I have a little spare time I'll temporarily purchase something small like a /29 block and assign it to the vRack to see if I can figure out a way to get that to work. I assume OVH will allow this, as their website says up to 256 IP addresses per server, and I don't want to order a second server just to see if I can get this working via vRack in the end. With the correct ip rule(s) and route(s) it should surely be possible.

    I had a minor issue with my setup recently, but it turned out to be something simple that I overlooked. As my home connection goes via PPPoE, the MTU naturally needs to be lower for the GRE tunnel. My router did this automatically, however the OVH server wasn't aware of this so used a higher MTU. This caused some download issues until I lowered the OVH server's GRE tunnel MTU to match my Edgerouter's side. All good now.

  • IxelIxel Member
    edited August 2021

    I've recently upgraded from the EdgeRouter Pro 8 to a MikroTik CCR2004-16G-2S+. Setting it up was fairly easy, however I thought with that device I would've (and should've) got close to around 900Mbit on the downstream (on the GRE tunnel to my local network). I did a speed test on the OVH server and it confirmed nearly 1Gbit upstream. The CPU usage on the MikroTik is low, around 8% on 'fastpath' and 20% to 30% if I disable fastpath and enable QoS/shaping. Plenty of room for more processing on the CPU at least. I also did a direct transfer between my local network and the OVH server, not via a tunnel, and that achieved around 900Mbit~.

    I was wondering, has anyone been able to get a downstream better than 550Mbit~? I don't seem to be able to and am wondering if it's just GRE. I'm considering trying another tunnel like IPIP, if that's compatible with the way the policy routing is done.

    EDIT: I tried an IPIP tunnel, sadly the result was very slightly worse so I'm back on the GRE tunnel. Forgot to mention that I've rate limited the connection at the moment as the ping starts to rise by around +100ms~ as it goes beyond 400Mbit and higher.

  • It looks like it's probably something on OVH's network that's throttling GRE throughput, even with the 'ultimate' bandwidth upgrade. I had no issues with GRE throughput when I tried my MikroTik router with a local Cloud Hosted Router instance (RouterOS on a virtual machine basically). I don't imagine it's being caused by CentOS either. I will look into an alternative tunnel, if possible, or just artificially cap mine and use 'cake' QoS to keep the ping reasonable when the tunnel is under load.

  • @Ixel said:
    It looks like it's probably something on OVH's network that's throttling GRE throughput, even with the 'ultimate' bandwidth upgrade. I had no issues with GRE throughput when I tried my MikroTik router with a local Cloud Hosted Router instance (RouterOS on a virtual machine basically). I don't imagine it's being caused by CentOS either. I will look into an alternative tunnel, if possible, or just artificially cap mine and use 'cake' QoS to keep the ping reasonable when the tunnel is under load.

    You can try wireguard

  • jordynegen11jordynegen11 Member
    edited September 2021

    @Ixel said:
    I've recently upgraded from the EdgeRouter Pro 8 to a MikroTik CCR2004-16G-2S+. Setting it up was fairly easy, however I thought with that device I would've (and should've) got close to around 900Mbit on the downstream (on the GRE tunnel to my local network). I did a speed test on the OVH server and it confirmed nearly 1Gbit upstream. The CPU usage on the MikroTik is low, around 8% on 'fastpath' and 20% to 30% if I disable fastpath and enable QoS/shaping. Plenty of room for more processing on the CPU at least. I also did a direct transfer between my local network and the OVH server, not via a tunnel, and that achieved around 900Mbit~.

    I was wondering, has anyone been able to get a downstream better than 550Mbit~? I don't seem to be able to and am wondering if it's just GRE. I'm considering trying another tunnel like IPIP, if that's compatible with the way the policy routing is done.

    EDIT: I tried an IPIP tunnel, sadly the result was very slightly worse so I'm back on the GRE tunnel. Forgot to mention that I've rate limited the connection at the moment as the ping starts to rise by around +100ms~ as it goes beyond 400Mbit and higher.

    I have no issues with this between OVH and Hetzner.

    However, if you have an OVH server from their "GAME" line-up, GRE is limited to 500 Mbit. Just like they silently rate-limit their single-stream IPv6 traffic to 100 Mbit.

    You can try creating a ticket, but their support is so stupid (or pretends to be stupid) that they probably won't fix it. So if you have a "GAME" server, switch to INFRA.

  • IxelIxel Member
    edited September 2021

    @jordynegen11 said:

    @Ixel said:
    I've recently upgraded from the EdgeRouter Pro 8 to a MikroTik CCR2004-16G-2S+. Setting it up was fairly easy, however I thought with that device I would've (and should've) got close to around 900Mbit on the downstream (on the GRE tunnel to my local network). I did a speed test on the OVH server and it confirmed nearly 1Gbit upstream. The CPU usage on the MikroTik is low, around 8% on 'fastpath' and 20% to 30% if I disable fastpath and enable QoS/shaping. Plenty of room for more processing on the CPU at least. I also did a direct transfer between my local network and the OVH server, not via a tunnel, and that achieved around 900Mbit~.

    I was wondering, has anyone been able to get a downstream better than 550Mbit~? I don't seem to be able to and am wondering if it's just GRE. I'm considering trying another tunnel like IPIP, if that's compatible with the way the policy routing is done.

    EDIT: I tried an IPIP tunnel, sadly the result was very slightly worse so I'm back on the GRE tunnel. Forgot to mention that I've rate limited the connection at the moment as the ping starts to rise by around +100ms~ as it goes beyond 400Mbit and higher.

    I have no issues with this between OVH and Hetzner.

    However, if you have an OVH server from their "GAME" line-up, GRE is limited to 500 Mbit. Just like they silently rate-limit their single-stream IPv6 traffic to 100 Mbit.

    You can try creating a ticket, but their support is so stupid (or pretends to be stupid) that they probably won't fix it. So if you have a "GAME" server, switch to INFRA.

    I'll try Wireguard today and see what result I get. Just to make sure it's not how I configured RouterOS on my end I'll also see about setting up a virtual machine to make the connection and routing instead. Permanent mitigation is also disabled.

    I've got an INFRA-1 server, albeit not guaranteed bandwidth, but originally with GRE or IPIP it seemed to struggle depending on time of day to get beyond between 300-600 megabits from OVH to my network via GRE or IPIP. Could also be something happening on the route that the traffic takes between OVH and me and not necessarily an OVH problem, although a direct file transfer test I did (not via GRE or IPIP) wasn't appearing to struggle.

    I also have an OVH server with guaranteed bandwidth (ultimate), which takes away two hops, although similar problem. Neither server is from the GAME range. One is INFRA-1 and the other is STOR (something like 48TB of HDD storage if I recall, ideal for off-site backup, Usenet or other activities which may use a lot of storage space).

    I'm also experimenting with L2TP to see if that helps at all.

    If I need to open a ticket I'll contact the reseller of the STOR server instead, as they have a more effective way of getting help from OVH I've found. Fingers crossed it won't come to that though.

  • Just an update to say straight Wireguard didn't improve things sadly. Interestingly it looks like I've resolved the problem by going via another VPN provider (e.g. Mulvad on Wireguard in this case) to reach the OVH server (still via L2TP). I'm currently not experiencing the issue at the moment, fingers crossed it will stay this way.

    Either way, it looks like it's a problem somewhere on the route my ISP typically takes, where presumably going via Mulvad takes a slightly different route that's not as troublesome.
