Understand GRE and connect two houses

Hi,

Just a few days ago I found out about OpenWrt while looking for a way to solve my problem: how to connect devices from two houses as if they were in the same network?

To play with the networks and understand (hopefully) how things work, I'm using GNS3 and routers with OpenWrt 19.07.2.

I found a similar answer here (GRE tunneling between two OpenWrt routers). However, I still don't know how to set up GRE correctly (or I'm missing some very basic stuff - I'm a newbie).

Here is the topology


Router2-1 and Router2-2 are the houses; the part above them belongs to my ISP (houses are inside their network, will be able to ping each other, but I dunno what devices are on this part).

My final goal is to make PC2, PC3, PC4 see each other as if being in the same network.

However, as the first stage, I would like to connect Router2-1 and Router2-2 through a GRE tunnel and validate if they can speak to each other.

Router2-1
/etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '10.10.21.2'
        option netmask '255.255.255.0'
        option gateway '10.10.21.1'
        list dns '10.10.21.1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'gt'
        option proto 'gre'
        option peeraddr '10.10.22.2'
        option ipaddr '10.10.21.2'
        option tunlink 'wan'

/etc/config/firewall

config rule
        option src 'wan'
        option name 'Allow-GRE'
        option family 'ipv4'
        option target 'ACCEPT'
        option proto 'gre'

Router2-2
/etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.3.2'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '10.10.22.2'
        option gateway '10.10.22.1'
        option netmask '255.255.255.0'
        list dns '10.10.22.1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'gt'
        option proto 'gre'
        option peeraddr '10.10.21.2'
        option ipaddr '10.10.22.2'
        option tunlink 'wan'

/etc/config/firewall

config rule
        option name Allow-GRE
        option src 'wan'
        option family 'ipv4'
        option target 'ACCEPT'
        option proto 'gre'

When I try from Router2-2

root@OpenWrt:/# traceroute 10.10.21.2
traceroute to 10.10.21.2 (10.10.21.2), 30 hops max, 46 byte packets
 1  10.10.22.1 (10.10.22.1)  0.430 ms  0.297 ms  0.343 ms
 2  10.10.21.2 (10.10.21.2)  0.735 ms  0.610 ms  0.644 ms

If the tunnel is set up correctly, I would expect that only 10.10.21.2 is on the list.

My current questions are:
1. Is my understanding of the traceroute output correct?
2. What is missing in (or wrong with) these configs?

You have not created interfaces on top of the gre tunnel.
See the mygre_static here.

1 Like

Thank you @trendy for the reply. Your advice did the job 🙂 (I thought I tried this before, probably I did sth else wrong)

Right now I can see the correct output (Router2-1 is 10.0.0.212, Router2-2 is 10.0.0.222) 🎉

root@OpenWrt:/# traceroute 10.10.22.2
traceroute to 10.10.22.2 (10.10.22.2), 30 hops max, 46 byte packets
 1  10.10.21.1 (10.10.21.1)  0.410 ms  0.465 ms  0.366 ms
 2  10.10.22.2 (10.10.22.2)  0.812 ms  0.687 ms  0.659 ms
root@OpenWrt:/# traceroute 10.0.0.222
traceroute to 10.0.0.222 (10.0.0.222), 30 hops max, 46 byte packets
 1  10.0.0.222 (10.0.0.222)  0.300 ms  0.793 ms  0.409 ms
root@OpenWrt:/# ping 10.0.0.222
PING 10.0.0.222 (10.0.0.222): 56 data bytes
64 bytes from 10.0.0.222: seq=0 ttl=64 time=2.496 ms
64 bytes from 10.0.0.222: seq=1 ttl=64 time=1.176 ms

Additional configs
Router2-1

config interface 'gt_static'
        option proto 'static'
        option ifname '@gt'
        option ipaddr '10.0.0.212'
        option netmask '255.255.255.0'

Router2-2

config interface 'gt_static'
        option proto 'static'
        option ifname '@gt'
        option ipaddr '10.0.0.222'
        option netmask '255.255.255.0'

Now, having the tunnel working, how can I connect PC2, PC3 and PC4 into a single network so that they can see each other? (Can I somehow take advantage of gretap? Is a VLAN necessary?)


I don't mind if they are in the same network as the routers (so both houses can construct a single network) or in a separate one (as the picture presents).
I only need PCs 2, 3, 4 to communicate with each other; devices from each house don't use the tunnel when accessing the Internet.

Then I would suggest leaving GRE and using WireGuard.

1 Like

Thank you @trendy for the reply. I'll try WireGuard at the beginning of next week as I'm away from my GNS3 simulator now.

Sorry for jumping in with a side quest: can you really use this sw to emulate any topology you like with realistic software behaviour? I assume the hw is possibly not so accurate (for example, the quirks of the switch on my 4040)

I don't know. The simulator gives me some environment to play with (I don't have the possibility to test a real configuration right now) and to get familiar with concepts and interfaces that I'll probably use. Therefore, I'm focused on getting knowledge before doing real stuff 🙂 (as real stuff will be harder to accomplish: if I make a mistake I'll need to move from one location to another, which will take at least 15 minutes).

1 Like

I've ended up with the configurations below (GNS3 simulator).

Router1
/etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 @gt'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '10.10.1.2'
        option netmask '255.255.255.0'
        option gateway '10.10.1.1'
        list dns '10.10.1.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'eN52dObMC1M+7gTdQwoy0+vbopS9METSKeVZas3i71o='
        option listen_port '51820'
        list addresses '192.168.100.1/24'

config wireguard_wg0 'wgclient'
        option public_key 'Q/22JOc/Wnj97WwT0tcUVBjP+oBrMeVxxxN00Pa1Xkk='
        option preshared_key 'g9fvBSHmElexqNoqoT74ONa/zmN8bV8T5+cMxEYWj+8='
        list allowed_ips '192.168.100.2/32'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'Router2'

config interface 'gt'
        option proto 'gretap'
        option peeraddr '192.168.100.2'
        option ipaddr '192.168.100.1'

/etc/config/firewall

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wg0'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Router2
/etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 @gt'
        option proto 'static'
        option ipaddr '192.168.1.100'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '10.10.2.2'
        option netmask '255.255.255.0'
        option gateway '10.10.2.1'
        list dns '10.10.2.1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'gENATB6ik8UJYvekkP9/AXqQp2tLAz1NBzKsWKMoVFI='
        list addresses '192.168.100.2/32'

config wireguard_wg0 'wgserver'
        option public_key 'J0QU8j4E8n6s6+nrZ5yYypUDLRwJXdX7T3aDWxANLmc='
        option preshared_key 'g9fvBSHmElexqNoqoT74ONa/zmN8bV8T5+cMxEYWj+8='
        option endpoint_host '10.10.1.2'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.100.1/32'

config interface 'gt'
        option proto 'gretap'
        option peeraddr '192.168.100.1'
        option ipaddr '192.168.100.2'

/etc/config/firewall

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan wan6 wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Do the above configs have some unnecessary entries or mistakes (or maybe sth is missing)?

2 Likes
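
The first configuration in this thread runs GRE directly between the routers' WAN addresses, where nothing encrypts or authenticates it, while the final one runs gretap between the WireGuard addresses. The script below is an added example (not code from the thread) that parses UCI network config and reports which case each gre/gretap interface is in; `audit_gre_tunnels` is a hypothetical helper name, the check is an IPv4-only heuristic based on `allowed_ips`, and the sample configs are abridged from the posts above.

```shell
#!/bin/sh
# Added example: classify every gre/gretap interface in UCI network config by
# whether its peer address is covered by a WireGuard peer's allowed_ips.

audit_gre_tunnels() {   # stdin: UCI network config; stdout: one line per tunnel
    awk '
    function unq(s) { gsub("[^A-Za-z0-9_.:/-]", "", s); return s }  # drop quotes
    function ip2n(ip,   o) {
        split(ip, o, ".")
        return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4]
    }
    function covered(ip,   i, p, size) {
        for (i = 1; i <= ncidr; i++) {
            split(cidr[i], p, "/")
            size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))   # addresses in the prefix
            if (int(ip2n(ip) / size) == int(ip2n(p[1]) / size)) return 1
        }
        return 0
    }
    $1 == "config"                     { type = $2; name = unq($3); next }
    $1 == "option" && $2 == "proto"    { proto[name] = unq($3) }
    $1 == "option" && $2 == "peeraddr" { peer[name] = unq($3) }
    $2 == "allowed_ips" && type ~ /^wireguard_/ { cidr[++ncidr] = unq($3) }
    END {
        for (n in peer) if (proto[n] ~ /^gre(tap)?$/)
            print n, proto[n], peer[n], (covered(peer[n]) ? "inside-wireguard" : "cleartext")
    }'
}

# Abridged from the first Router2-1 config in the thread (GRE over WAN).
GRE_OVER_WAN="config interface 'gt'
        option proto 'gre'
        option peeraddr '10.10.22.2'
        option tunlink 'wan'"

# Abridged from the final Router1 config (gretap between WireGuard addresses).
GRETAP_OVER_WG="config interface 'wg0'
        option proto 'wireguard'

config wireguard_wg0 'wgclient'
        list allowed_ips '192.168.100.2/32'

config interface 'gt'
        option proto 'gretap'
        option peeraddr '192.168.100.2'"

printf '%s\n' "$GRE_OVER_WAN"   | audit_gre_tunnels
printf '%s\n' "$GRETAP_OVER_WG" | audit_gre_tunnels
```

On a router the same function can read the live config with `audit_gre_tunnels < /etc/config/network`.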

In my humble opinion, everything looks fine.

2 Likes

Make sure to change your WireGuard keys though, as you've now pasted them to the public.

3 Likes
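
Following the advice above, an added example (not code from the thread) that masks `private_key` and `preshared_key` in UCI config before it is shared and replaces a private key that has already been exposed. The function names are hypothetical helpers, the sample keys are constructed placeholders, and `rotate_wg_private_key` assumes it runs on the router with `wg` and `uci` available.

```shell
#!/bin/sh
# Added example: mask WireGuard secrets before sharing UCI config, and replace
# a private key that was already exposed. Function names are hypothetical.

redact_uci_secrets() {          # stdin: UCI text; stdout: same text, secrets masked
    awk '
    $1 == "option" && ($2 == "private_key" || $2 == "preshared_key") {
        match($0, /^[ \t]*/)                     # keep the original indentation
        print substr($0, 1, RLENGTH) "option " $2 " \047REDACTED\047"
        next
    }
    { print }'
}

count_uci_secrets() {           # stdin: UCI text; stdout: number of unmasked secrets
    awk '$1 == "option" && ($2 == "private_key" || $2 == "preshared_key") &&
         $3 !~ /REDACTED/ { n++ }
         END { print n + 0 }'
}

rotate_wg_private_key() {       # run on the router itself; not called here
    iface=${1:-wg0}
    new_key=$(wg genkey)
    uci set "network.$iface.private_key=$new_key"
    uci commit network
    printf '%s\n' "$new_key" | wg pubkey   # new public_key for the peer's config
    # Afterwards: ifup "$iface", and replace preshared_key on both ends (wg genpsk).
}

# Constructed sample; the key values are placeholders, not real keys.
SAMPLE_CONFIG="config interface 'wg0'
        option proto 'wireguard'
        option private_key 'CONSTRUCTED-PRIVATE-KEY='
        option listen_port '51820'

config wireguard_wg0 'peer'
        option public_key 'CONSTRUCTED-PUBLIC-KEY='
        option preshared_key 'CONSTRUCTED-PSK='
        list allowed_ips '192.168.100.2/32'"

printf '%s\n' "$SAMPLE_CONFIG" | redact_uci_secrets
```

On the router, `redact_uci_secrets < /etc/config/network` produces text that is safe to paste; `public_key` is left in place because it is not a secret.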
