Need help with Flex GRE IPs

Hello,

I’ve had a problem for a few days that I really can’t solve, I’ve tried on 3 different Hetzner dedicated (Proxmox), always the same problem

I use the script Server-Verstehen.de - Application Installieren - Noez

Of course, I’ve already tried the other tutorials available on the forum without success.

Here’s the problem in pictures:

The IP ping on the Proxmox when the CT is switched on:
https://who-asked.lol/vSFIfzP9Aq.png

Here are the configurations:
https://who-asked.lol/ksUpWgNu4z.png
https://who-asked.lol/3SIZxyNnAC.png

And the proof that even with this I get no response:

1 Like

I get redirected to a different domain and can not view your configuration.
So, i (and potentially others) can not help you with your configuration so far.

I personally dont like the Tutorial of Server-Verstehen.de, especially because (at least in ealier versions) it tries to create a greTAP interface (instead of an gretun), which is completly wrong in this scenario.

For troubleshouting purposes, it would be good to know, if you are using the hetzner firewall.
It supports gre and if activated, you have to allow incoming gre traffic from the noez server endpoint.

If the proxmox firewall is enabled, you have to allow incoming traffic there too. Outgoing traffic is allowed by default on proxmox servers.

Another useful piece of information would be the type of your ips. Did you ordered a subnet or multiple single ips. What do you want to do? Do you want to use these ips on the host? Do you want to nat them? Do you want to ROUTE the ips to virtual machines or containers?

My setup is the following:

  • The GRE-Tunnel gets terminated on the proxmox server.
  • ALL ips get routed to a bridge on the host. My Containers and vms are connected to that bridge.
  • I use my main IP address from hetzner as a gateway ip for my containers.
  • Since the mtu is reduced (by the gre tunnel) containers addapt the mtu by default. VMs must be configured.
  • Since my main IP is outside of the subnet (every /32 is outside of another /32), i can not specify the gateway during installations of vms (the installer restricts this). So i have to configure the connection afterwards. And packages like resolvconf must be installed afterwards too. Which leds me to the situation, that i always have to resolve deb.debian.org manually.

As you can see, every configuration has its advantages and disadvantages. And your exact scenario must be descriped.

1 Like

Hello @iamlouchou :slight_smile:
Thanks for using the tutorial i can you help with your problem:

  1. set the mtu 1476 on e.g. gre1 and vmbrX
  2. ip rule add from yourIPv4fromNoez/32 or /28, /29 etc. table 20
    Either the individual or subnet must be defined here.
  3. ip route add yourIPv4fromNoez/32 or /28, /29 etc. dev vmbrX
    vmbrX => your vmbr0,1,2 etc. bridge from linux to virtualise.
  4. to save IP addresses, simply take a „to“ simulated gateway address and convert it locally on your computer:
    e.g. ip addr add yourIPv4fromNoez/32 dev vmbrX
  5. ip route add default via internalGREclient/30 dev gre1 table 20

Here for the network configuration /etc/network/interfaces:
nano /etc/network/interfaces => and add the following:

auto vmbr1
iface vmbr1 inet static
address yourIPv4fromNoez/32
        bridge-ports none
        bridge-stp off
        bridge-fd 0
post-up /root/mygre.sh

now I’ll write a short post-up script for you:

#!/bin/bash
ip route add default via internalGREclient/30 dev gre1 table 20
ip rule add from yourIPv4fromNoez/32 table 20
# add more rules for more ipv4 from gre tunnel noez.de
ip route add yourIPv4fromNoez/32 dev vmbr1
# ... add more ips to the vmbr1 ...
ip link set vmbr1 mtu 1476
ip link set gre1 mtu 1476

and now save the file here: /root/mygre.sh :slight_smile:
Give Permissions: chmod 777 /root/mygre.sh

Final: Please use the speedtest.net speedtest:

apt-get install sudo -y
sudo apt-get install curl
curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh | sudo bash
sudo apt-get install speedtest

Then run a speedtest on your routed vm or lxc container:
speedtest

A list on the speedtest server pids for excellent testing:

speedtest -s 8040
for specified speedtest server :slight_smile:

The Server-Verstehen Tutorials a not correctly updated, this will be in the next few days :slight_smile:

1 Like

Hello :slight_smile:
Okay i see a minimal problem:
in the configuration /etc/network/interface:
add the address: 5.230.227.1/32
this is the „simulated“ gateway :slight_smile:

And please set the address 5.230.227.1 not in table 20
all antoher ip addresses can be routed via ip rule add from ip/32 table 20

Can you send me a screenshot of a ping via 192.168.4.1? :slight_smile:

The 192.168.4.1 is the internal gre gateway from noez.

Oh and set the gre connection in mygre.sh on line 2:

sudo ip link add gre1 type gre local HetznerIP remote NoezGREIP ttl 255
# paste here the /30 internal subnet from noez gre tunnel
sudo ip addr add 192.168.4.2/30 dev gre1
sudo ip link set gre1 up
1 Like

I’d just forgotten this:
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

for premanent saving :slight_smile:

1 Like

Thank you so much, you don’t know how much you’ve saved my life :slight_smile:

1 Like

No Problem :wink:
if there is still a problem i will help you to solve it :slight_smile:

1 Like

If I want to set up a second GRE tunnel from a VPS to my Hetzner server, how can I do this while keeping the FlexIPs tunnel?

Technically possible but noez.de requires different ipv4 or ipv6 addresses per gre tunnel. In any case, you could route several ipv6 addresses from the /64 to the main interface and specify them differently at noez.de.

e.g. 1000:1000:1001::1/64
for gre tunnel two: route 1000:1000:1001::2/64 to eth0 etc. :slight_smile:

But these are example addresses that only serve as examples.
You can find the ipv6 data in the hetzner overview.

ip addr add ipv6/128 dev main interface

with this command you can add a single ipv6 address from your /64 hetzner subnet to the main vps interface and order a new gre tunnel on it :wink:

Best regards Jan

Hello,

I’d like to make a second GRE IPV4 tunnel from a VPS I own to my dedicated Hetzner, while keeping the Noez tunnel.

How can I do it?

Same steps. Just use IPv6 for endpoint when ordering second GRE Tunnel.

Here’s how I made the second GRE tunnel, the trick is that the CT doesn’t ping

Configuration :

Configuration VPS :

(External media has been removed)

(External media has been removed)

Here’s how I made the second GRE tunnel, the trick is that the CT doesn’t ping

Configuration :


brave_kiPYF6UCGe

Configuration VPS :

I’m still working on this problem.

Up topic

Do you allow incoming gre-traffic on your vps (104.244.76.163)?

Do you allow forwarding traffic between your main interface and your gre2 interface on your vps (104.244.76.163)?

  • For UFW you can use the „ufw route allow“ command.
  • For iptables you can use the „iptables -A FORWARD -i [MAIN INTERFACE] -o [GRE INTERFACE] -j ACCEPT“ command. The second rule is exactly like the first one, except that -i and -o are swapped.

Do you allow routing on your vps (104.244.76.163)?
„net.ipv4.ip_forward“ must be activated on the vps too.