Introduction to GRE

What is GRE anyway? It stands for Generic Routing Encapsulation — a protocol that operates as a means of connecting two servers, or sites, together. GRE tunnels often transport multiple layers of data and are multicast. This means that tunnels can encapsulate virtually any traffic across two points, and are fairly easy to configure.

One more thing to note is that there are other forms of site-site tunnels — a nonexhaustive list includes IPIP tunnels, GRETAP tunnels, and more.

Uses for GRE

While GRE tunnels can be used to transport video, website traffic (basically anything), they have a few notable uses:

  • Allowing for unsupported protocols to be transported across a network to a destination (example: allowing for IPv6 communication over a network that is IPv4-only)
  • DDoS protection (traffic is routed to and from a tunnel endpoint from a provider that can remove dirty traffic)
  • Creating a virtual link between two networks for routing (a router can be connected to a virtual network of other networks; this enables BGP communication among multiple networks without having a physical connection to each other, as seen in conventional internet exchange points (IXPs).)

How does GRE work

As mentioned previously, GRE tunnels encapsulate traffic; this means that tunnels do not care about the type of traffic you send over them. So long as the tunnels are configured properly*, traffic will traverse across the open Internet (tunnels do not encrypt traffic on their own; you are free to use encrypted tunneling through VPN software) in plain text.

What Is Generic Routing Encapsulation (GRE)? How Does It Work

Also, GRE tunnels are stateless. When you first configure a tunnel, it is analogous to using unregistered airmail. You load your packages on board (i.e. your packets/data), and send it off to your destination server. Unfortunately, the destination is never made aware of this “flight,” and will only know about the incoming data once it arrives at a given destination. However, you may ask: “How does the destination server know where to send a response?”

The answer is simple: all packets encapsulated through GRE will include both the destination and source, allowing both points to know where to send data back.

The stateless nature of GRE further raises issues: if you, for example, set your MTU (Maximum Transmission Unit) too high, and the destination is configured to not accept packets that large, you will receive no reply or response. The only way to know whether one point’s packets are reaching a destination is through a dump on the receiving server; this reduces overhead on transmissions, but increases the difficulty of debugging the specific issue being caused by the “cargo” on board the “plane.”

With that said, GRE tunneling is supported on many platforms. You will often find time built-in to enterprise routers, but they are available on virtually all Linux platforms with the ip_gre module (in software). The previously mentioned routers will tend to have hardware acceleration to reduce load, though — keep this in mind when setting up tunnels, as you may encounter problems with the overhead added by encapsulating data (there are an additional 24 bytes per GR-encapsulated packet).



A Distributed Denial of Service attack is a category of attacks that target multiple areas on a server.


Generic Routing Encapsulation.

Point-to-point Networks

Point-to-point networks are a pair of fixed "computers" that are connected to each other.