How to Configure a GRE Tunnel on FreeBSD Operating System

This article provides a step-by-step guide on how to configure a GRE tunnel on a FreeBSD operating system.

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol (IP) network. GRE tunnels are commonly used to build a virtual private network (VPN) between two endpoints across an untrusted network, such as the internet. GRE itself only encapsulates packets; it does not encrypt or authenticate them, so traffic that needs confidentiality or integrity should also be protected with IPsec or a similar layer. FreeBSD, a powerful and versatile Unix-like operating system, provides robust support for GRE tunneling, making it an excellent choice for setting up such configurations.

In this article, we will walk through the process of configuring a GRE tunnel on a FreeBSD operating system. We will cover the necessary steps, from preparing the system to verifying the tunnel’s functionality. This guide assumes a basic understanding of FreeBSD, networking concepts, and command-line operations.

Prerequisites

Before diving into the configuration, ensure that you have the following:

  1. Two FreeBSD Systems: You will need two FreeBSD machines to act as the endpoints of the GRE tunnel. These can be physical machines or virtual machines.
  2. Root Access: You will need root or superuser access on both systems to configure network interfaces and routing.
  3. Static IP Addresses: Both systems should have static IP addresses assigned to their network interfaces. This ensures that the tunnel endpoints remain consistent.
  4. Basic Networking Knowledge: Familiarity with IP addressing, subnetting, and routing is essential.

Step 1: Update the FreeBSD System

Before starting the configuration, it is a good practice to ensure that your FreeBSD system is up to date. Run the following commands to update the system and its packages:

freebsd-update fetch
freebsd-update install
pkg update
pkg upgrade

Step 2: Load the GRE Kernel Module

FreeBSD includes support for GRE tunneling through the if_gre kernel module. To use GRE, you need to load this module. You can load it manually or ensure it loads at boot time.

To load the if_gre module manually, run:

kldload if_gre

To ensure the module loads automatically at boot, add the following line to /boot/loader.conf:

if_gre_load="YES"

Step 3: Configure the GRE Tunnel

Now that the if_gre module is loaded, you can proceed to configure the GRE tunnel. We will create a GRE tunnel interface on both FreeBSD systems and configure them to communicate with each other.

On the First FreeBSD System (Endpoint A)

  1. Create the GRE Tunnel Interface:

    Use the ifconfig command to create a GRE tunnel interface. Replace gre0 with the desired interface name, 192.0.2.1 with the public IP address of Endpoint A, and 203.0.113.1 with the public IP address of Endpoint B.

    ifconfig gre0 create
    ifconfig gre0 tunnel 192.0.2.1 203.0.113.1
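    ifconfig gre0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252

    Here, 10.0.0.1 is the private IP address assigned to the GRE tunnel interface on Endpoint A, and 10.0.0.2 is the address of its peer, Endpoint B. gre0 is a point-to-point interface, so ifconfig is given the local and peer addresses as a pair. The 255.255.255.252 (/30) netmask ensures that only two IP addresses are available, one for each endpoint.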

  2. Bring the Interface Up:

    Bring the GRE interface up:

    ifconfig gre0 up
    
  3. Add a Route:

    Add a route to direct traffic destined for the remote private network through the GRE tunnel. Replace 10.0.0.2 with the private IP address of Endpoint B and 192.168.1.0/24 with the subnet of the remote private network.

    route add -net 192.168.1.0/24 10.0.0.2
    

On the Second FreeBSD System (Endpoint B)

  1. Create the GRE Tunnel Interface:

    Similarly, create the GRE tunnel interface on Endpoint B. Replace gre0 with the desired interface name, 203.0.113.1 with the public IP address of Endpoint B, and 192.0.2.1 with the public IP address of Endpoint A.

    ifconfig gre0 create
    ifconfig gre0 tunnel 203.0.113.1 192.0.2.1
    ifconfig gre0 inet 10.0.0.2 10.0.0.1 netmask 255.255.255.252

    Here, 10.0.0.2 is the private IP address assigned to the GRE tunnel interface on Endpoint B, and 10.0.0.1 is the address of its peer, Endpoint A.

  2. Bring the Interface Up:

    Bring the GRE interface up:

    ifconfig gre0 up
    
  3. Add a Route:

    Add a route to direct traffic destined for the remote private network through the GRE tunnel. Replace 10.0.0.1 with the private IP address of Endpoint A and 192.168.0.0/24 with the subnet of the remote private network.

    route add -net 192.168.0.0/24 10.0.0.1
    

Step 4: Configure Persistent Settings

To ensure that the GRE tunnel configuration persists across reboots, you need to add the configuration to the /etc/rc.conf file on both systems.

On Endpoint A

Add the following lines to /etc/rc.conf:

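cloned_interfaces="gre0"
# Inner addresses (local, then peer) and outer tunnel endpoints go in one ifconfig_gre0 line
ifconfig_gre0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252 tunnel 192.0.2.1 203.0.113.1 up"
static_routes="gre_route"
route_gre_route="-net 192.168.1.0/24 10.0.0.2"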

On Endpoint B

Add the following lines to /etc/rc.conf:

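cloned_interfaces="gre0"
# Inner addresses (local, then peer) and outer tunnel endpoints go in one ifconfig_gre0 line
ifconfig_gre0="inet 10.0.0.2 10.0.0.1 netmask 255.255.255.252 tunnel 203.0.113.1 192.0.2.1 up"
static_routes="gre_route"
route_gre_route="-net 192.168.0.0/24 10.0.0.1"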

Step 5: Test the GRE Tunnel

With the GRE tunnel configured on both endpoints, it’s time to test the connection.

  1. Ping the Remote Endpoint:

    From Endpoint A, ping the private IP address of Endpoint B:

    ping 10.0.0.2
    

    From Endpoint B, ping the private IP address of Endpoint A:

    ping 10.0.0.1
    

    If the tunnel is functioning correctly, you should receive replies to the ping requests.

  2. Test Connectivity to Remote Networks:

    From Endpoint A, try to ping a host on the remote private network (e.g., 192.168.1.10):

    ping 192.168.1.10
    

    From Endpoint B, try to ping a host on the remote private network (e.g., 192.168.0.10):

    ping 192.168.0.10
    

    Successful pings indicate that the GRE tunnel is correctly routing traffic between the two private networks.

Step 6: Troubleshooting

If the GRE tunnel is not functioning as expected, consider the following troubleshooting steps:

  1. Check Interface Configuration:

    Verify that the GRE tunnel interfaces are correctly configured and up:

    ifconfig gre0
    
  2. Check Routing Tables:

    Ensure that the routes are correctly added to the routing table:

    netstat -rn
    
  3. Check Firewall Rules:

    Ensure that any firewalls on the systems are not blocking GRE traffic (IP protocol 47) or the encapsulated traffic. You may need to add rules to allow GRE and the relevant traffic. Limit the GRE rule to the peer's public address rather than allowing protocol 47 from any source.

  4. Check Logs:

    Review system logs for any errors or warnings related to the GRE tunnel:

    dmesg | grep gre
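
The interface check in item 1 can be scripted. The following is an added example, not part of the original article: it parses ifconfig gre0 output and compares it with the addresses used in this guide. The function name check_gre and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# check_gre IFCONFIG_OUTPUT OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_PEER
# Prints one line per problem and returns the number of problems (0 = OK).
# check_gre is a name made up for this example.
check_gre() {
    out=$1 problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # Interface flags sit inside <...> on the first line.
    flags=$(printf '%s\n' "$out" | sed -n '1s/.*<\(.*\)>.*/\1/p')
    case ",$flags," in *,UP,*) ;; *) fail "interface is not UP" ;; esac
    case ",$flags," in *,RUNNING,*) ;; *) fail "interface is not RUNNING" ;; esac

    # Outer (public) endpoints: "tunnel inet LOCAL --> REMOTE"
    tun=$(printf '%s\n' "$out" | awk '$1 == "tunnel" && $2 == "inet" { print $3, $5 }')
    [ "$tun" = "$2 $3" ] || fail "tunnel endpoints are '$tun', expected '$2 $3'"

    # Inner (private) addresses: "inet LOCAL --> PEER netmask ..."
    inner=$(printf '%s\n' "$out" | awk '$1 == "inet" && $3 == "-->" { print $2, $4 }')
    [ "$inner" = "$4 $5" ] || fail "inner addresses are '$inner', expected '$4 $5'"

    return "$problems"
}

# Constructed sample: Endpoint A configured as in Step 3.
SAMPLE_A='gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1476
        tunnel inet 192.0.2.1 --> 203.0.113.1
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xfffffffc'

# Constructed sample: Endpoint B left down, with Endpoint A's tunnel line
# pasted in without swapping the two public addresses.
SAMPLE_B_BAD='gre0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1476
        tunnel inet 192.0.2.1 --> 203.0.113.1
        inet 10.0.0.2 --> 10.0.0.1 netmask 0xfffffffc'

check_gre "$SAMPLE_A" 192.0.2.1 203.0.113.1 10.0.0.1 10.0.0.2 &&
    echo "endpoint A: OK"
check_gre "$SAMPLE_B_BAD" 203.0.113.1 192.0.2.1 10.0.0.2 10.0.0.1 ||
    echo "endpoint B: $? problem(s)"
```

On a live endpoint, pass "$(ifconfig gre0)" as the first argument instead of a sample.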
    

Conclusion

Configuring a GRE tunnel on FreeBSD is a straightforward process that involves loading the if_gre kernel module, creating and configuring the GRE tunnel interface, and setting up the necessary routes. By following the steps outlined in this article, you can establish a reliable GRE tunnel between two FreeBSD systems and route traffic between their private networks over an untrusted network. Because GRE does not encrypt or authenticate packets, protect the tunnel with IPsec or a similar layer if the traffic requires confidentiality or integrity.

GRE tunnels are a powerful tool for connecting disparate networks, and combined with an encryption layer such as IPsec they can form a virtual private network. With FreeBSD’s robust networking capabilities, you can leverage GRE tunnels to build scalable and efficient network infrastructures. Whether you’re connecting remote offices or experimenting with network configurations, FreeBSD provides the flexibility and performance needed to meet your requirements.