DDoS protecting Windows | remote gre tunnel

I am trying to establish a GRE tunnel to my Windows Server 2019, which seems easy enough. Although things get a bit complicated, as I want my applications to bind to the IP on the other side of the tunnel.

My setup would look like this: Visitor -> Mikrotik router (10.10.10.10) --> GRE tunnel --> Server (20.20.20.20) + (10.10.10.10)

I am aware that it would require 3 IPs or so, as I need to route a /28 with the GRE tunnel.

I've seen a few companies do what I'm trying to accomplish, e.g. x4b.net, but their secret source is hidden in an exe program.

I have tested the setup using an OpenVPN tunnel as a TAP adapter and it is working. However, in regards to performance, this doesn't seem like an optimal solution.

An important note: I do not have access to a router in front of the server (client seen from the tunnel) so it needs to be configured on the server itself.

What I am trying to accomplish is similar to this: https://www.x4b.net/kb/WindowsIPIPTunnel

The solution on Linux is pretty well defined here: https://www.lowendtalk.com/discussion/156850/howto-tunnel-ddos-protected-ovh-ip-to-vms-in-other-datacenter

Comments

  • Hello,

    I think it'd be wise to set up an IPSEC/L2TP tunnel instead, which probably is a better solution for a Windows server, instead of GRE.

    You can also do that without the need for any additional software at all, it's all supported by Windows itself and it'll be picked up as a network interface.

    Regarding the OpenVPN Tunnel, I wouldn't see the reason why it's causing performance penalties? I can see that if you're using TCP, but with UDP it should not cause any issue at all, given that the server doesn't have crappy hardware!

  • Clouvider Member, Patron Provider

    Mikrotik for DDoS protection? I don’t think this is a good idea.

  • We aren't using the Mikrotik for DDoS protection :) - it's just our router, which we create tunnels for remote protection from.
    I will have a look at the L2TP, although I think there were some issues which prevented us from using it. If I remember correctly, we had the problem that the server's application could not bind to the IP provided through the L2TP tunnel.

  • Clouvider Member, Patron Provider

    What if the remote protection leaks?

  • Not to be a jerk or anything, but this topic was about a technical matter, not whether our infrastructure was ready for handling DDoS.

    But we announce our IP block to our scrubbing center, which then provides us with the data through two dedicated fiber connections.
    We then receive the data scrubbed, but in case there are some packages that aren't filtered, we simply correct our filter at the scrubbing center.
    We also have a Juniper DDoS appliance, which can send flowspec rules to the scrubbing center.

    So for our usage it's fine.
    Thanks for your concern.

  • SplitIce Member, Host Rep
    edited September 2020

    As far as I know we are the only company who has taken the leap into developing an application for GRE on Windows. Given the cost of custom development and the general low margin of protection services it shouldn't be surprising.

    If you want to do GRE on Windows like we do without us you will need to develop your own application. It's not supported the way it is on Linux (in fact I don't think Windows natively supports any point-to-point networking options).

    IPSec+L2TP VPN does work on Windows; however, it's a metric PITA to configure and can be unstable with Strongswan. It's the closest you will get natively however. We used to offer it, however the support costs and low popularity (largely due to limited compatibility and complexity) made it unavailable. It may be however the best solution available to you. It however behaves more like a VPN than a tunnel.

  • Francisco Top Host, Host Rep, Veteran

    @SplitIce said: If you want to do GRE on Windows like we do without us you will need to develop your own application.

    Or use Windows 2019 which supposedly has GRE built in.

    Still, you're best off just buying a DDoS protected service and putting Windows on that instead of tunneling.

    Francisco

  • SplitIce Member, Host Rep

    @Francisco said: Or use Windows 2019 which supposedly has GRE built in.

    FYI, as far as I know it's very limited and not intended for use like this. There is very little documentation on it however. It seems largely for use with Hyper-V Virtual Switch and functions similarly to a VPN in that type of setup.

  • Thanks for the advice splitice, we actually did reach out, but the sales person we ran into, was asking for a budget, and since we haven't really thought about a budget yet, we wrote that we were looking into options, and price wasn't really thought about yet.
    The topic was then shut down by the salesperson, as we didn't have a budget.

    We now had the chance to look into L2TP and test it with our remote servers, and it seems fine.
    It's using a few more resources than we wanted it to, which is why we are still looking into GRE tunnels on Windows.

    We are in fact using Windows Server 2019 and I didn't know that they have implemented GRE support to some extent, but I will surely have a look at that to see if there are any opportunities.

    The reason we aren't able to use x4b is that we are using our own IP blocks, along with the fact that we already have a strong scrubbing partner, which we are happy with.

    Francisco, have you tried the GRE tunnel functionality on Windows 2019, and what are your thoughts, do you think it's worth looking into, for our use case?

  • Francisco Top Host, Host Rep, Veteran

    @Rakkey said: Francisco, have you tried the GRE tunnel functionality on Windows 2019, and what are your thoughts, do you think it's worth looking into, for our use case?

    Nope.

    Basically I tell people to just get a VPS from me w/ windows and they're happy enough.

    Some people use OpenVPN which works but is weird.

    Francisco

  • SplitIce Member, Host Rep

    @Rakkey said: The topic was then shut down by the salesperson, as we didn't have a budget.

    Without a budget there is no case for us to invest time developing you a custom application for your needs, licence you the software developed to date and support it. So yes, I, as the owner and lead developer, ended discussions with you when you made that clear.

    @Rakkey said: The reason we aren't able to use x4b is that we are using our own IP blocks

    Not sure why you think that's an issue; you need only contact us for a quote. That's been an option for us for either a pool for usage on ordered /32 services, small network services (multiple /27 - /25) or announced as a large network service (/24+).
