
How to Set Up GRE Tunnel Between OPNsense and Linux?

Generic Routing Encapsulation (GRE), developed by Cisco, is used to wrap network layer protocols in virtual point-to-point links over an Internet Protocol network. A GRE tunnel is deployed to carry OSI layer-3 protocols between devices over a connection that doesn't normally support these protocols. When a GRE interface is used, both peer routers that control access to the corporate network can run dynamic IP routing protocols to exchange routing updates over the tunnel and can carry IP multicast traffic. Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all supported IP routing protocols. GRE is often used to forward multicast traffic that can't otherwise be routed. However, this requires extra software like IGMP-proxy or PIMD, which aren't used as often on OPNsense.

GRE is often used as the default tunnel technology when Cisco solutions are used.

Through a virtual tunnel, GRE packets move directly between the two ends. When a packet passes through intermediate routers, they don't touch its payload; they only look at the outer IP packet. When the packet reaches the end of the GRE tunnel, the tunnel endpoint strips the outer header, examines the payload, and forwards the inner packet to its final destination.

GRE uses multiple protocols on top of a single protocol backbone. It is easier to set up than some other solutions, like VPN. You can use GRE to send protocols that the underlying network doesn't support, get around networks with a limited number of hops, connect subnets that aren't next to each other, and let VPNs work across wide area networks.


Figure 1. GRE Tunnel Topology Between OPNsense and Ubuntu Linux

In this tutorial, we will explain the GRE Tunnel configuration on the OPNsense 22.7.6 firewall and Ubuntu 20.04.3 LTS Linux. You can easily set up a GRE tunnel between your OPNsense node and Linux server by following the main steps given below:

  1. Create GRE Tunnel Interface on OPNsense
  2. Enable GRE Tunnel Interface on OPNsense
  3. Define a Firewall Rule To Allow Traffic on GRE Tunnel Interface
  4. Define a Firewall Rule To Allow GRE Protocol on WAN Interface
  5. Set Up GRE Tunnel on Linux

Each step will be explained in detail below.

1. Create GRE Tunnel Interface on OPNsense

To create a GRE interface on your OPNsense firewall you can follow these steps:

1.1. Navigate to the Interfaces > Other Types > GRE on your OPNsense web UI.

1.2. Click on the + Add button.


Figure 2. Adding GRE Interface on OPNsense

1.3. Select the Parent interface. This interface serves as the local address to be used for the GRE tunnel. In our example, we will select WAN.

1.4. Set the GRE remote address. It must be the peer address where encapsulated GRE packets will be sent. In our example, it is the Public IP address of the remote Ubuntu server, 22.22.22.22.

1.5. Set the GRE tunnel local address, such as 11.11.11.1. This IP address belongs to the Local GRE tunnel endpoint.

1.6. Set the GRE tunnel remote address, such as 11.11.11.2, and the subnet mask, like 30. This IP address belongs to the Remote GRE tunnel endpoint. The subnet is used to figure out which network is being tunneled.

1.7. Type a descriptive name in the Description field for your reference, such as MyGRE Tunnel.

1.8. Click Save to add the GRE interface.


Figure 3. Viewing the existing GRE Interface on OPNsense

1.9. For interface assignment on OPNsense, navigate to the Interfaces > Assignments. You will see the existing interfaces and your newly created GRE interface.


Figure 4. GRE Interface Assignment on OPNsense

1.10. Type a descriptive name in the Description field for your reference, such as MyGRE.

1.11. Click on the + Add button to complete the GRE interface assignment.

1.12. Click Save to save the interface settings.


Figure 5. Viewing Interface Assignment on OPNsense

2. Enable GRE Tunnel Interface on OPNsense

To activate your newly created GRE tunnel interface on OPNsense, you may follow the instructions given below:

2.1. Go to the Interfaces on OPNsense Web UI.

2.2. Select the newly created GRE tunnel interface, like MyGRE.

2.3. Click on the Enable Interface check box. This will open the Generic Configuration pane.


Figure 6. Enabling GRE Interface on OPNsense

2.4. You may select Block private networks and Block bogon networks options for security.

2.5. You may leave other options as default.


Figure 7. Setting GRE Interface Generic Configuration on OPNsense

2.6. Click Save to save the interface settings.

2.7. Click the Apply changes button to activate the settings.

2.8. To view the GRE interface status, go to Interfaces > Overview on OPNsense Web UI.

2.9. Select the newly created GRE interface, like MyGRE. You should see the Status is up as seen below.


Figure 8. Viewing GRE Interface Status on OPNsense

3. Define a Firewall Rule To Allow Traffic on GRE Tunnel Interface

You may define a firewall policy to allow traffic coming from the GRE tunnel interface by following the next instructions. We will allow all traffic on the GRE tunnel, but you may define more restrictive rules depending on your needs.

3.1. Navigate to the Firewall > Rules and select the GRE interface, like MyGRE.


Figure 9. Adding Firewall Rule on GRE Tunnel Interface

3.2. Click the + Add button to define a rule.


Figure 10. Adding any-to-any Firewall Rule on GRE Tunnel Interface

3.3. You may leave all options as default if you allow any-to-any traffic.

3.4. Select the Log packets that are handled by this rule option.

3.5. Type a descriptive name in the Description field for your reference, such as Allow GRE All Traffic


Figure 11. Enable Logging for Firewall Rule on GRE Tunnel Interface

3.6. Click Save to add the rule.

3.7. Click the Apply changes button to activate the settings.


Figure 12. Applying the Firewall Rule on GRE Tunnel Interface

4. Define a Firewall Rule To Allow GRE Protocol on WAN Interface

4.1. Navigate to the Firewall > Aliases page. You will notice there are 4 pre-defined aliases in the list by default.

4.2. Click on the "+" button at the right bottom of the pane.

4.3. Enter the Name of the alias, like Linux_GRE_Peer.

4.4. Select Host(s) in the Type dropdown menu.

4.5. Enter the Ubuntu Linux IP addresses, 22.22.22.22, in the Content field.

4.6. Type a Description that will assist you in understanding the purpose or details of the alias, like Ubuntu Linux GRE Peer


Figure 13. Defining the Alias for Ubuntu Linux Server on OPNsense

4.7. Click Save to add the aliases.

4.8. Click Apply to activate the settings.

4.9. Navigate to the Firewall > Rules and select the WAN interface.

4.10. Click the + Add button to define a rule.

4.11. Select GRE in the Protocol option.

4.12. Select Linux_GRE_Peer for the Source option.


Figure 14. Define a Firewall Rule To Allow GRE Protocol on WAN Interface-1

4.13. Select the Log packets that are handled by this rule option.

4.14. Type a descriptive name in the Description field for your reference, such as Allow GRE Protocol

4.15. You may leave other options as default

4.16. Click Save to add the rule.

4.17. Click the Apply changes button to activate the settings.


Figure 15. Define a Firewall Rule To Allow GRE Protocol on WAN Interface-2

Let's make the other side of the tunnel on the Ubuntu Linux server.

5. Set Up GRE Tunnel on Linux

You can easily set up a GRE tunnel between your Ubuntu Linux server and OPNsense node by following the steps below:

5.1. On Linux, you must have the ip_gre module loaded in your kernel in order to set up a GRE tunnel. To ensure that it's loaded, run the next commands:

sudo modprobe ip_gre
lsmod | grep gre

You should see the output similar to the given below:

ip_gre 28672 0
ip_tunnel 24576 1 ip_gre
gre 16384 1 ip_gre

If you see something else, it's possible that your kernel doesn't support GRE.

5.2. All of the major Linux distributions should already have iproute2 installed. If it isn't already installed, use the following command:

sudo apt install iptables iproute2

5.3. Check the iproute2 help hints to see how to write the syntax:

ip tunnel help

You should see the output similar to the given below:

Usage: ip tunnel { add | change | del | show | prl | 6rd } [ NAME ]
[ mode { ipip | gre | sit | isatap | vti } ] [ remote ADDR ] [ local ADDR ]
[ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
[ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]
[ 6rd-prefix ADDR ] [ 6rd-relay_prefix ADDR ] [ 6rd-reset ]
[ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ dev PHYS_DEV ]

Where: NAME := STRING
ADDR := { IP_ADDRESS | any }
TOS := { STRING | 00..ff | inherit | inherit/STRING | inherit/00..ff }
TTL := { 1..255 | inherit }
KEY := { DOTTED_QUAD | NUMBER }

5.4. To create the GRE tunnel device (with no key) on your Linux run the next command:

sudo ip tunnel add tun0 mode gre remote 33.33.33.33 local 22.22.22.22 dev ens18

Here you should change the parameters according to your settings:

  • 33.33.33.33 is the public IP address of the OPNsense WAN interface.
  • 22.22.22.22 is the public IP address of the Linux WAN interface.
  • ens18 is the WAN device name of the Linux.

5.5. To assign an IP address to the GRE tunnel interface run the following command:

sudo ip addr add 11.11.11.2/30 dev tun0

5.6. To bring the GRE interface up run the next command:

sudo ip link set tun0 up

5.7. To view the newly created GRE tunnel interface on Linux run the following command:

ip addr show

You should see the output similar to the given below:

[email protected]: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre 22.22.22.22 peer 33.33.33.33
inet 11.11.11.2/30 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::5efe:c0a8:1e/64 scope link
valid_lft forever preferred_lft forever

Or run the next command:

ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
tun0: gre/ip remote 33.33.33.33 local 22.22.22.22 dev ens18 ttl inherit

Since there is no handshake in GRE, it doesn't matter in which order you bring up the tunnel ends. It also means that the tunnel will always be in one of two states: DOWN or UNKNOWN. Because a GRE tunnel has no state, it can never really be UP on the Linux server.

Run the following command on Linux if you want to tear down the existing GRE tunnel:

sudo ip link set tun0 down
sudo ip tunnel del tun0
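The Linux-side procedure above (steps 5.1 to 5.7 plus the teardown) collected into a small POSIX shell script, as an added example that is not part of the original tutorial. It uses the tutorial's addresses and device names as defaults; the gre_firewall function, which restricts inbound GRE on the Linux WAN device to the OPNsense peer with iptables (mirroring section 4), and the RUN dry-run variable are additions of this example, not steps from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the Linux side of the GRE
# tunnel as reusable functions built from the tutorial's addresses. The
# gre_firewall function mirrors the OPNsense WAN rule from section 4 with
# iptables and is an addition of this example, not a step of the tutorial.
set -eu

GRE_DEV="${GRE_DEV:-tun0}"                # tunnel device name
PHYS_DEV="${PHYS_DEV:-ens18}"             # Linux WAN device
LOCAL_PUB="${LOCAL_PUB:-22.22.22.22}"     # Linux public IP
REMOTE_PUB="${REMOTE_PUB:-33.33.33.33}"   # OPNsense WAN public IP
TUN_ADDR="${TUN_ADDR:-11.11.11.2/30}"     # must equal the "GRE tunnel remote address" set on OPNsense
RUN="${RUN:-}"                            # set RUN=echo to print the commands instead of running them

gre_up() {
  $RUN modprobe ip_gre
  $RUN ip tunnel add "$GRE_DEV" mode gre remote "$REMOTE_PUB" local "$LOCAL_PUB" dev "$PHYS_DEV"
  $RUN ip addr add "$TUN_ADDR" dev "$GRE_DEV"
  $RUN ip link set "$GRE_DEV" up
}

gre_down() {
  $RUN ip link set "$GRE_DEV" down
  $RUN ip tunnel del "$GRE_DEV"
}

# Accept GRE (IP protocol 47) on the WAN device only from the OPNsense peer
# and drop GRE from any other source, the Linux counterpart of section 4.
gre_firewall() {
  $RUN iptables -A INPUT -i "$PHYS_DEV" -p gre -s "$REMOTE_PUB" -j ACCEPT
  $RUN iptables -A INPUT -i "$PHYS_DEV" -p gre -j DROP
}

# Check that the output of `ip tunnel show` (passed as $1) lists the tunnel
# device with the expected remote and local endpoints; returns 0 if it does.
gre_check() {
  printf '%s\n' "$1" | grep -qF "$GRE_DEV: gre/ip remote $REMOTE_PUB local $LOCAL_PUB "
}

# Typical use (as root): gre_up && gre_firewall && gre_check "$(ip tunnel show)"
```

Run with RUN=echo first to review the exact ip and iptables commands before executing them as root.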

What is the Difference Between GRE and IPsec VPN Tunnels?

GRE and VPN tunnels are both ways to connect remote networks virtually, but each has its own pros and cons. The biggest benefit of VPNs is that they give site-to-site traffic a safer way to communicate over the internet, which is a public network. When traffic is sent over a VPN tunnel, it is encrypted; when traffic is sent over a GRE tunnel, it is only encapsulated.

By using a VPN solution, a business can get all of the following benefits:

  • Cost savings: If you use a VPN over an existing Internet connection, you don't have to rent lines from a telecommunications service provider to build a wide area network (WAN). So, it costs less to set up a VPN than it does to set up a traditional leased-line WAN. A VPN solution, on the other hand, does require that each site or mobile user that wants to connect to the VPN has access to the Internet.
  • Encrypted traffic: VPNs can use a variety of encryption methods within the IPSec protocol framework to protect traffic between an organization and its remote locations or users. Secure Sockets Layer (SSL), which is the encryption standard used by many online retailers, bank Web sites, and other Internet-based businesses, is used by some VPN installations to encrypt data.
  • Easy network growth: Most VPN connections only need an Internet connection, a VPN gateway device, and in some cases, a software application. So, adding new locations and remote users to a VPN is usually cheaper and easier to set up than connecting a new location to a leased-line WAN.

But, VPN tunnels have some drawbacks. Traffic that is allowed to go through the tunnel must be listed on static access lists that are kept up to date. For bigger networks, this can be a long process. Discontinuous subnets require separate tunnels. Since VPNs don't make routable interfaces, you can't do some things on VPN tunnels that you could do on other interfaces. Also, VPNs don't let multicast traffic through, so you can't use dynamic routing protocols like RIP and OSPF across VPN.

GRE tunnels are used to connect two networks point-to-point, just like IPSec VPNs. Some of the advantages of GRE tunnels are as follows:

  • Data encapsulation: GRE tunnels wrap packets that use protocols that aren't compatible with an intermediary network (passenger protocols) in protocols that are (transport protocols). This makes it possible to send data across networks that could not be reached before. You could use a GRE tunnel, for example, to connect two AppleTalk networks through an IP-only network or to send IPv4 packets across an IPv6-only network.
  • Simplicity: By default, GRE tunnels don't have mechanisms for controlling flow or making sure they are safe. This lack of features makes it easier to set up. But you probably don't want to send unencrypted data over a public network. For security reasons, you can add the IPSec suite of protocols to GRE tunnels to protect your data. Also, GRE tunnels can send data from networks that don't connect to each other through a single tunnel, which VPNs can't do.
  • Multicast traffic forwarding: GRE tunnels can be used to forward multicast traffic, but a VPN cannot. Using a GRE tunnel makes it easy to send multicast traffic like advertisements sent by routing protocols between sites that are far apart.

But GRE tunnels are not secure since network traffic is not encrypted.

Both protocols add extra headers that make the packets bigger. This can cause packet fragmentation, which slows down the network. Modern operating systems use TCP Path Maximum Transmission Unit Discovery (PMTUD) to determine the largest usable packet size automatically. But User Datagram Protocol doesn't work with PMTUD. The other option is to set the MTU on the network by hand so that IP fragmentation happens outside the tunnel.

When organizations need safe IP tunneling, they should use IPsec VPN. They should use GRE when they need to tunnel multiple protocols or multicast without privacy.

Many organizations combine VPNs and GRE tunnels to get the security of VPN without the limitations VPNs have. This is how GRE over IPSec VPN tunnels are set up. This lets GRE tunnel traffic go through the VPN tunnel and creates only one IPSec association, no matter how many subnets need to cross. It also provides a way to propagate routing updates.

When GRE and IPsec tunnels are combined, costs increase. By configuring a GRE tunnel over an IPsec tunnel, organizations can safely tunnel packets that aren't IP or that are multicast. When both protocols are used together, however, the overhead of both sets of headers is added to every packet.

Criteria | GRE | IPsec
Stand For | Generic Routing Encapsulation | IP Security
Purpose | GRE is a protocol that wraps packets so that other protocols can be sent through IP networks. | The IP Security (IPsec) Protocol is a set of standards for making sure that information sent across IP networks is private, correct, and real.
Usage | GRE is used to send IP packets from one network to another without having any routers in between read them or treat them like IP packets. | IPsec ESP is used when IP packets need to be sent from one system to another while protecting them from being snooped on or changed.
Modes | Single mode - GRE Tunnel | Two Modes - Tunnel Mode and Transport Mode
Privacy, integrity and authenticity of information | Not Supported | Supported
Encapsulation | Encapsulation of Payload | Transport Mode - Only payload is protected. Tunnel Mode - Entire packet is encapsulated
Standard | GRE is defined in RFC 2784 standard | IPSEC ESP is defined in RFC 2406
Protocol & Port | GRE uses IP Protocol number 47 | IPsec uses ESP (IP protocol number 50) and AH (IP Protocol number 51). In addition, IPsec uses IKE for negotiations (UDP Port number 500).
IP Header | 4 Bytes additional IP Header | Additional bytes not used.
Multicast, Routing Protocol and Routed protocol support | Supported | Not Supported
Simplicity | Simpler and faster | Complex

Table 1. GRE Tunnel vs IPsec VPN Tunnel