# Setting up GRE Tunnels on Debian 🚇

To set up a **GRE tunnel on Debian** between two endpoints (`102.219.109.8` and `102.222.161.20`) using tunnel IPs `100.64.0.1/30` and `100.64.0.2/30`, follow these steps.

---

## ✅ Step-by-Step GRE Tunnel Setup on Debian

### 🖥️ Assumptions:

| Host | Public IP | Tunnel IP |
| --- | --- | --- |
| **Host A** | `102.219.109.8` | `100.64.0.1/30` |
| **Host B** | `102.222.161.20` | `100.64.0.2/30` |

Run the following steps **on both hosts** as root (or with `sudo`), swapping the `local` and `remote` addresses accordingly.

---

## 🔧 1. Create the GRE tunnel

### On **Host A** (`102.219.109.8`)

```plaintext
ip tunnel add gre1 mode gre local 102.219.109.8 remote 102.222.161.20 ttl 255
ip addr add 100.64.0.1/30 dev gre1
ip link set gre1 up
```

### On **Host B** (`102.222.161.20`)

```plaintext
ip tunnel add gre1 mode gre local 102.222.161.20 remote 102.219.109.8 ttl 255
ip addr add 100.64.0.2/30 dev gre1
ip link set gre1 up
```

---

## 🔁 2. Test the Tunnel

From **Host A**, ping Host B:

```plaintext
ping 100.64.0.2
```

From **Host B**, ping Host A:

```plaintext
ping 100.64.0.1
```

---

## 💾 3. Make it Persistent (Optional)

If you want to make the tunnel persistent across reboots, you can:

### Option A: Use a systemd unit or init script

(not ideal unless scripted manually)

### Option B: Use `/etc/network/interfaces` (legacy method)

Edit `/etc/network/interfaces` on **Host A**:

```plaintext
auto gre1
iface gre1 inet static
    address 100.64.0.1
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre local 102.219.109.8 remote 102.222.161.20 ttl 255
    up ip link set gre1 up
    down ip link set gre1 down
    post-down ip tunnel del gre1
```

Edit `/etc/network/interfaces` on **Host B**:

```plaintext
auto gre1
iface gre1 inet static
    address 100.64.0.2
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre local 102.222.161.20 remote 102.219.109.8 ttl 255
    up ip link set gre1 up
    down ip link set gre1 down
    post-down ip tunnel del gre1
```

Then restart networking:

```plaintext
sudo systemctl restart networking
```

---

## 📌 Notes

* Ensure GRE (IP protocol 47) is allowed through any firewall (iptables, nftables, cloud firewall, etc.).
* No NAT should be applied to the tunnel unless explicitly required.
* GRE doesn't encrypt traffic; it's purely encapsulation.
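
Added example (not part of the original guide): a POSIX shell helper that prints, without executing, iptables rules that allow GRE (IP protocol 47) only from the tunnel peer instead of from any source. The function names are hypothetical, and appending to the `INPUT` chain assumes no earlier rule already accepts this traffic.

```sh
#!/bin/sh
# Added example, not from the original guide. Prints iptables rules; it does
# not run them. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gre_firewall_rules LOCAL REMOTE: rules for the host whose public IP is LOCAL.
gre_firewall_rules() {
    local_ip=$1
    remote_ip=$2
    if ! is_ipv4 "$local_ip" || ! is_ipv4 "$remote_ip"; then
        echo "error: both arguments must be IPv4 addresses" >&2
        return 2
    fi
    if [ "$local_ip" = "$remote_ip" ]; then
        echo "error: local and remote endpoints must differ" >&2
        return 2
    fi
    # GRE itself does not authenticate the sender, so accept it only from the peer.
    echo "iptables -A INPUT -p 47 -s $remote_ip -d $local_ip -j ACCEPT"
    # Drop GRE arriving from any other source.
    echo "iptables -A INPUT -p 47 -j DROP"
}

# Endpoints from the table in this guide.
echo "# Host A"
gre_firewall_rules 102.219.109.8 102.222.161.20
echo "# Host B"
gre_firewall_rules 102.222.161.20 102.219.109.8
```

Review the printed rules, then run them as root on the matching host; the ACCEPT rule must come before the DROP rule.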
    

