GRE Tunnel original client IP

Hi,

At first: sorry if I am misunderstanding what a GRE tunnel does. I managed to successfully set it up. The connection is working fine. I opened a webserver port with iptables.

However, when I do a REMOTE_ADDR with PHP, I get to see the IP address of the tunnel (192.168.168.xx), not the IP address of the client (in this case, my IP). Let’s say I want to have the same thing as what X-Real-IP or X-Forwarded-For would do with a reverse proxy. Is this possible with a GRE tunnel, or am I misunderstanding the concept?

Why not use a reverse proxy? Because the content is on a different server, which has some latency. It causes a slow website, so I’d rather serve it at once, if possible.

Comments

  • hzr Member

    GRE forwards at a different layer.

    A reverse proxy with bytes cached/buffered set to 0 accomplishes what you are asking for.

  • DennisdeWit Member
    edited July 2020

    @hzr said:
    GRE forwards at a different layer.

    A reverse proxy with bytes cached/buffered set to 0 accomplishes what you are asking for.

    Interesting! I should definitely try that, as I had my Nginx configured successfully already. It was just unbearably slow.

    Edit: it works! Thanks!

  • lebuser Member

    @DennisdeWit said: However, when I do a REMOTE_ADDR with PHP, I get to see the IP address of the tunnel (192.168.168.xx), not the IP address of the client (in this case, my IP)

    When you use GRE or other tunnel protocols the packets that are tunneled usually are unchanged. If the source address is changed it may be because you are applying SNAT to the packet.

  • @lebuser said:

    @DennisdeWit said: However, when I do a REMOTE_ADDR with PHP, I get to see the IP address of the tunnel (192.168.168.xx), not the IP address of the client (in this case, my IP)

    When you use GRE or other tunnel protocols the packets that are tunneled usually are unchanged. If the source address is changed it may be because you are applying SNAT to the packet.

    So what would be the correct command to do it, then? :)

  • lebuser Member

    @DennisdeWit said:

    So what would be the correct command to do it, then? :)

    To avoid SNAT/masquerade to an interface you can insert an ACCEPT rule first in the POSTROUTING chain on the VPS. That way packets sent out via the gre tunnel aren't affected by SNAT/masquerade rules later in the POSTROUTING chain.

    iptables -t nat -I POSTROUTING 1 -o gre1 -j ACCEPT
    

    Since the source address isn't changed the other end of the tunnel will need to use policy routing which sends all packets from the web server to the gre tunnel.
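As an added example (my own script, not lebuser's or anything from this thread), here are both halves of that setup scripted together: the VPS side with the ACCEPT inserted at the top of nat POSTROUTING plus DNAT only, and the web-server side with the policy-routing rule that sends replies back into the tunnel. All addresses (203.0.113.10 as the VPS public IP, 192.168.168.1 and 192.168.168.2 as the two tunnel ends), the interface name gre1 and routing table 100 are constructed placeholders. It prints the commands by default and only executes them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread. It scripts the two halves of the
# setup described above: on the VPS, an ACCEPT at the top of POSTROUTING so
# the client's source address is never masqueraded, plus DNAT only; on the
# web server, a policy-routing rule so replies go back through the tunnel.
# All addresses, the interface name "gre1" and table number 100 are
# constructed placeholders (203.0.113.10 = VPS public IP, 192.168.168.1 = VPS
# tunnel end, 192.168.168.2 = web server tunnel end).
#
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (root needed).

# run CMD ARGS...: print the command line in dry-run mode, else execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vps_nat_rules PUBLIC_IP BACKEND_TUNNEL_IP GRE_IF
# Rule order is the whole point: the ACCEPT is inserted at position 1 of the
# nat POSTROUTING chain, so a MASQUERADE/SNAT rule appended later can never
# rewrite packets leaving through the tunnel. Only DNAT is applied; an SNAT
# back to the public IP would make the backend see the VPS again.
vps_nat_rules() {
    public_ip=$1; backend_ip=$2; gre_if=$3
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -I POSTROUTING 1 -o "$gre_if" -j ACCEPT
    for port in 80 443; do
        run iptables -t nat -A PREROUTING -d "$public_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$backend_ip:$port"
    done
    # The filter table must also let the forwarded flows through, both ways.
    run iptables -A FORWARD -o "$gre_if" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$gre_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# webserver_policy_routing BACKEND_TUNNEL_IP VPS_TUNNEL_IP GRE_IF TABLE
# The web server now sees real Internet source addresses, so without this its
# replies would leave via its own default route and bypass the tunnel; the VPS
# conntrack entry would then never see the return half and the TCP handshake
# would fail. Everything sourced from the tunnel address is routed back into it.
webserver_policy_routing() {
    backend_ip=$1; vps_ip=$2; gre_if=$3; table=$4
    run ip route add default via "$vps_ip" dev "$gre_if" table "$table"
    run ip rule add from "$backend_ip" table "$table" priority 100
    # Strict reverse-path filtering drops a packet whose source (the real
    # client) is not reachable back through the interface it arrived on;
    # loose mode (2) keeps the spoofing check but tolerates the asymmetric path.
    run sysctl -w "net.ipv4.conf.$gre_if.rp_filter=2"
}

# show_state: what to inspect when the backend still logs 192.168.168.x.
# If an SNAT/MASQUERADE line sits above the ACCEPT, the order is wrong.
show_state() {
    run iptables -t nat -L POSTROUTING -n -v --line-numbers
    run ip rule show
}

# Example invocation (dry run), kept out of the way when the file is sourced.
if [ "${1:-}" = "plan" ]; then
    echo "# --- VPS ---";        vps_nat_rules 203.0.113.10 192.168.168.2 gre1
    echo "# --- web server ---"; webserver_policy_routing 192.168.168.2 192.168.168.1 gre1 100
    show_state
fi
```

Run it as `sh gre-nat.sh plan` to see the command list, and `DRY_RUN=0 sh gre-nat.sh plan` on each box to apply its half. The rules are not persistent and not idempotent, so put them in whatever your distro uses for boot-time firewall rules rather than re-running the script.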

  • Would this be correct? @lebuser

    # public IP of the VPS (placeholder) and tunnel address of the web server
    OLD_IP=123.PUBLIC.IP
    NEW_IP=192.168.168.1
    
    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # skip SNAT/masquerade for anything leaving via the GRE tunnel
    iptables -t nat -I POSTROUTING 1 -o gre1 -j ACCEPT
    # redirect the traffic on port 80
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $NEW_IP:80
    iptables -t nat -A POSTROUTING -p tcp -d $NEW_IP --dport 80 -j SNAT --to-source $OLD_IP
    
    # redirect the traffic on port 443 (SSL)
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $NEW_IP:443
    iptables -t nat -A POSTROUTING -p tcp -d $NEW_IP --dport 443 -j SNAT --to-source $OLD_IP
    
  • upme88 Member

    Did you manage to make it work? If yes, I would love to know how.

  • Lu5ck Member

    @upme88 said:
    Did you manage to make it work? If yes, I would love to know how.

    Don't bump old threads, and if you need point to point, use WireGuard instead.
