Score:1

Server

Is it safe to use a Linux GRE tunnel with remote IP 0.0.0.0?

KlausD

8/21/24, 7:59 PM

I have plenty of remote servers that have GRE tunnels to a single central server. Tunnel traffic is only from the remote servers to the central server.

So for 50 remote servers, I usually have 50 GRE tunnels on my central server, specifying the respective remote server IP address in the tunnel setup:

ip tunnel add greXX mode gre remote <remote-IP-XX> local <local-IP> ttl 255

I wondered if I could use a single GRE tunnel interface to receive the traffic from all remote servers and tried to specify 0.0.0.0 as remote IP address:

ip tunnel add greXX mode gre remote 0.0.0.0 local <local-IP> ttl 255

Frankly, it works, but I have not found any documentation of this feature.

Hence, is it safe to use this hack, or are there any limitations I have not found yet?

1 + 2

linux-networking

gre

Esa Jokinen

8/21/24, 9:00 PM

GRE does not have encryption nor authentication. Would you consider that safe enough?

KlausD

8/21/24, 9:41 PM

I use iptables to accept GRE packets only from my remote servers. Anyway, even with 50 tunnels GRE would be unencrypted and without authentication, which would be totally fine for my application.

Score:1

Server

Nikita Kipriyanov

8/22/24, 4:04 AM

Yes. In various cases this is desired, for example, this is how Cisco DMVPN works.

This is often called mGRE (multipoint GRE).

You also need to add peers manually with ip neigh add or automatically with openNHRP on Linux (which creates a VPN compartible with DMVPN phase 2 if I am not mistaken). Else communication will not work.

Example setup

NODE1:

ip tunnel add mgre0 mode gre ttl 64 local 192.0.2.1
ip addr add 10.0.0.1/24 dev mgre0
ip neigh add 10.0.0.2 lladdr 198.51.100.1 dev mgre0 
ip neigh add 10.0.0.3 lladdr 203.0.113.1 dev mgre0

NODE2:

ip tunnel add mgre0 mode gre ttl 64 local 198.51.100.1
ip addr add 10.0.0.2/24 dev mgre0
ip neigh add 10.0.0.1 lladdr 192.0.2.1 dev mgre0 
ip neigh add 10.0.0.3 lladdr 203.0.113.1 dev mgre0

NODE3:

ip tunnel add mgre0 mode gre ttl 64 local 203.0.113.1 
ip addr add 10.0.0.3/24 dev mgre0
ip neigh add 10.0.0.1 lladdr 192.0.2.1 dev mgre0 
ip neigh add 10.0.0.2 lladdr 198.51.100.1 dev mgre0

and so on.

Things to notice:

ip neigh command adds a neighbour, and "lladdr" stands for link-level address, so it maps peers network-level address to a link-level address. In case of IPv4 over Ethernet, peer addresses are IPv4, while "lladdr" would be a MAC address and you'll end up with ARP-less static Ethernet. ARP makes this process automatic. In case of GRE which runs IPv4 over IPv4, both peer addresses and "link-level" (lower OSI layer) addresses happen to be IPv4. NHRP, a next hop resolution protocol, is an internet protocol that in this setup takes the role of the ARP protocol.

Final words

Don't attempt to gain "efficiency" by eliminating encryption and authentication, even if you think "for your application it is totally fine". That will strike back, sooner or later, in the most nasty way you don't even expect now. Encryption is so cheap today so gains would be not noticeable (I measured it other day; that not very fast system was able to encrypt 12 GB/s, enough to saturate 100 gigabit link). You should protect it with IPSec; that will also give you a benefit of allowing some nodes to exist behind NAT (it will make use of IPSec's NAT-T encapsulation, but for that you'll need to implement openNHRP).

While the way to make a multipoint tunnel I suggested above works, it is much more cumbersome to setup in Linux than tinc or WireGuard which build similar full-mesh VPNs much more easily. It is reasonable to use mGRE for openNHRP (Cisco DMVPN interoperability) only.

+ 1

KlausD

8/23/24, 5:32 AM

Thanks. I was not aware of "multipoint GRE". Now as I now how such a setup is called I can find my way.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is it safe to use a Linux GRE tunnel with remote IP 0.0.0.0?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.