Setting up GRE Tunnels on Debian ๐Ÿš‡

Ronald BartelsRonald Bartels
2 min read

To set up a GRE tunnel on Debian between two endpoints (102.219.109.8 and 102.222.161.20) using tunnel IPs 100.64.0.1/30 and 100.64.0.2/30, follow these steps.


โœ… Step-by-Step GRE Tunnel Setup on Debian

๐Ÿ–ฅ๏ธ Assumptions:

HostPublic IPTunnel IP
Host A102.219.109.8100.64.0.1/30
Host B102.222.161.20100.64.0.2/30

Youโ€™ll need to do the following steps on both hosts, changing local/remote accordingly.


๐Ÿ”ง 1. Create the GRE tunnel

On Host A (102.219.109.8)

ip tunnel add gre1 mode gre local 102.219.109.8 remote 102.222.161.20 ttl 255
ip addr add 100.64.0.1/30 dev gre1
ip link set gre1 up

On Host B (102.222.161.20)

ip tunnel add gre1 mode gre local 102.222.161.20 remote 102.219.109.8 ttl 255
ip addr add 100.64.0.2/30 dev gre1
ip link set gre1 up

๐Ÿ” 2. Test the Tunnel

From Host A, ping Host B:

ping 100.64.0.2

From Host B, ping Host A:

ping 100.64.0.1

๐Ÿ’พ 3. Make it Persistent (Optional)

If you want to make the tunnel persistent across reboots, you can:

Option A: Use a systemd unit or init script

(not ideal unless scripted manually)

Option B: Use /etc/network/interfaces (legacy method)

Edit /etc/network/interfaces on Host A:

auto gre1
iface gre1 inet static
    address 100.64.0.1
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre local 102.219.109.8 remote 102.222.161.20 ttl 255
    up ip link set gre1 up
    down ip link set gre1 down
    post-down ip tunnel del gre1

Edit /etc/network/interfaces on Host B:

auto gre1
iface gre1 inet static
    address 100.64.0.2
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre local 102.222.161.20 remote 102.219.109.8 ttl 255
    up ip link set gre1 up
    down ip link set gre1 down
    post-down ip tunnel del gre1

Then restart networking:

sudo systemctl restart networking

๐Ÿ“Œ Notes

  • Ensure GRE (IP protocol 47) is allowed through any firewall (iptables, nftables, cloud firewall, etc.).

  • No NAT should be applied to the tunnel unless explicitly required.

  • GRE doesn't encrypt traffic โ€” it's purely encapsulation.

17
Subscribe to my newsletter

Read articles from Ronald Bartels directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Ronald Bartels
Ronald Bartels

Driving SD-WAN Adoption in South Africa