Created on: 2021-08-22 17:50:45
Protecting a Windows server using a GRE or IPIP Tunnel

Introduction

Microsoft Windows does not natively support Generic Routing Encapsulation (GRE) or IP-in-IP (IPIP) tunnels. With the help of a userland client (which we send you after purchase) both can be emulated, so services running on Windows can be fully encapsulated: traffic reaches them through the tunnel with the original client source addresses intact. The client we provide configures the GRE or IP-in-IP (IPIP) tunnel automatically.

Notes: Windows Firewall will be enabled on the server, so make sure all of your services are whitelisted in it. All of our communication IPs will be sent to you so you can whitelist them in your server's firewall; the procedure is explained at the bottom of this page.

Tested on Windows 7, 8.1 and 10 and on Windows Server 2012 and later (requires Windows 7 / Windows Server 2008 R2 or later).
Supports both IP-in-IP and GRE tunnels.
Requires an Ethernet (IEEE 802.3) Internet connection.
The tunnel software supports multiple tunnels in a single instance. Running multiple instances of the tunnel software is not supported.

Steps

Please follow the steps below carefully.

Step 1

Download and install Npcap from the Npcap Downloads page. Npcap is a driver that captures packets from the network card before the operating system's network stack processes them. WinPcap can also be used. If you install Npcap, it must be installed in WinPcap API-compatible mode.

Step 2

During the Npcap/WinPcap installation you will be asked whether the driver should start at boot. Make sure the driver is configured to start automatically at boot, as shown in the picture below.

Step 3

Download and install OpenVPN's TUN/TAP driver. If you already have OpenVPN installed, the driver is already present.

Only the TUN/TAP driver needs to be installed; OpenVPN itself is not required. We recommend the latest version of the driver; the latest version we have tested is 9.24.2. From client version 4.0.0 (currently pre-release) Wintun can be used instead of the OpenVPN TUN/TAP driver: place wintun.dll in the same directory as the auto-setup executable we provide (which must also be its working directory) to activate it. The Wintun driver is theoretically faster but is currently highly experimental; we welcome feedback.

Step 4

When installing the TUN/TAP driver, choose to install the supplied utilities when asked. Make sure both the TAP adapter (driver) and the TAP utilities are selected, as shown below.

If prompted during setup, you must agree to trust the driver published by OpenVPN (OpenVPN is the developer of the TUN/TAP driver being installed).

Step 5

Restart your server to load/activate the PCAP and TUN/TAP drivers.

This is an important step; please do not skip it. Skipping it usually results in "adapter not found" or "adapter not supported" errors.

Step 6

Download the customized tunnel application we sent you onto your Windows server.

Step 7 (required)

Run the application as Administrator. On Windows 7 or later, right-click the executable and choose "Run as administrator"; if you are not logged in as an administrator, log in as one first. The application must be run again every time the server restarts, since the tunnel exists only while the client is running.
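The following is an added example and not part of the tunnel client we ship: it registers the client as a scheduled task that runs elevated at every boot, so Step 7 does not have to be repeated by hand after a restart. The path and task name are placeholders; point $ClientPath at the executable you were sent. Use it only once the client starts without prompting (a task running as SYSTEM has no console to answer questions such as the interface prompt in the NAT section), and note that the ScheduledTasks cmdlets need Windows 8 / Server 2012 or later (on Windows 7 use schtasks.exe).

```powershell
# Added example, not the provider's client: start the tunnel client elevated at boot.
$ClientPath = 'C:\Tunnel\tunnel-client.exe'   # placeholder: the executable you were sent
$TaskName   = 'eFlame GRE Tunnel'              # placeholder task name

if (-not (Test-Path -LiteralPath $ClientPath)) {
    throw "Tunnel client not found at $ClientPath"
}

# Run from the client's own directory: the Wintun option looks for wintun.dll in the working directory.
$action = New-ScheduledTaskAction -Execute $ClientPath `
                                  -WorkingDirectory (Split-Path -Parent $ClientPath)

# Boot trigger: the tunnel comes up before anyone logs in.
$trigger = New-ScheduledTaskTrigger -AtStartup

# SYSTEM with the highest run level gives the driver-level access the client needs
# without depending on an interactive Administrator logon.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Restart the client if it exits, and lift the default 3-day execution limit,
# which would otherwise kill a long-running tunnel client.
$settings = New-ScheduledTaskSettingsSet -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
$settings.ExecutionTimeLimit = 'PT0S'   # ISO 8601 zero duration = no limit

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# Start it now so the tunnel comes up without a reboot, then show the result.
Start-ScheduledTask -TaskName $TaskName
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

A LastTaskResult of 0 means the last start succeeded; 267009 (0x41301) means the task is still running, which is what you want for a tunnel client that stays resident.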

Conclusion & Testing

Your tunnel should now be online. You should be able to ping the EncapsulatedRemote address (the proxy IP from your tunnel details) from your Windows server: open CMD, type ping <proxy ip> and press Enter. You should get replies.
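The script below is an added example, not part of the provider's software: it checks that the prerequisites from Steps 1 to 5 are actually in place and then performs the ping test above, so a failed tunnel can be traced to the step that was skipped. The remote address is a placeholder to be replaced with your EncapsulatedRemote/proxy IP; the adapter names it searches for ("TAP-Windows" for tap-windows6 and "Wintun" for Wintun) are assumptions based on the drivers' usual names.

```powershell
# Added example: prerequisite and connectivity checks for the Windows tunnel setup.
# Run from an elevated PowerShell window.
$RemoteIP = '203.0.113.1'   # placeholder (RFC 5737 documentation range): use your proxy IP

$ok = $true
function Check([bool]$cond, [string]$msg) {
    if ($cond) { "[ OK ] $msg" } else { "[FAIL] $msg"; $script:ok = $false }
}

# Step 7: the client must run elevated, so check this session is elevated too.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Check $isAdmin 'PowerShell is running as Administrator'

# Steps 1-2: Npcap (driver service "npcap") or WinPcap ("npf") is installed and starts at boot.
$pcap = Get-CimInstance Win32_SystemDriver -Filter "Name='npcap' OR Name='npf'"
Check ($null -ne $pcap) 'Npcap or WinPcap driver service installed'
foreach ($d in $pcap) {
    Check ($d.StartMode -in 'Boot', 'System', 'Auto') "$($d.Name) starts automatically (StartMode=$($d.StartMode))"
    Check ($d.State -eq 'Running') "$($d.Name) is running (reboot after installing if not)"
}

# Steps 3-5: a TAP-Windows (tap-windows6) or Wintun adapter exists. Names are assumptions.
$tap = Get-CimInstance Win32_NetworkAdapter -Filter "Name LIKE 'TAP-Windows%' OR Name LIKE 'Wintun%'"
Check ($null -ne $tap) 'TAP-Windows or Wintun adapter present'

# Requirement: an Ethernet (802.3) uplink. AdapterTypeId 0 is "Ethernet 802.3".
$eth = Get-CimInstance Win32_NetworkAdapter -Filter "PhysicalAdapter=TRUE AND AdapterTypeId=0 AND NetEnabled=TRUE"
Check ($null -ne $eth) 'Connected physical Ethernet adapter found'

# Conclusion & Testing: the encapsulated remote should answer ICMP echo through the tunnel.
Check (Test-Connection -ComputerName $RemoteIP -Count 4 -Quiet) "Ping reply from $RemoteIP through the tunnel"

if (-not $ok) { Write-Warning 'One or more checks failed: revisit the matching step above.' }
```

The first failing line points at the step to repeat; a missing or stopped driver with everything else in place is almost always the skipped reboot from Step 5.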

Game Server

If your game server cannot bind to a specific interface, you may need a third-party utility to force it to do so (e.g. ForceBindIP).

We also recommend adding an ICMPv4 allow-all rule in "Windows Firewall with Advanced Security" so that we can ping your backend. The rule will look something like the screenshot below.

Customer Provided Notes:

Some customers have reported that for Windows Server 2012 R2 you need tap-windows-9.9.2_3

How to whitelist eFlame Networks communication IPs

Step 1

Go to Windows Firewall > Advanced Settings > Inbound Rules / Outbound Rules (do the process for both) > New Rule.

Step 2

The wizard asks what type of rule you want to create. Select Custom > All programs > Protocol type: Any > Local IP addresses: Any > Remote IP addresses: These IP addresses, and enter all of the communication IP addresses sent to you after purchase > Allow the connection > check all of Domain, Private and Public > give the rule any name you like > Finish.
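The same rules can be created without the wizard. The script below is an added example, not part of the provider's instructions; it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later; on Windows 7 use netsh advfirewall) to build the inbound and outbound whitelist rules from Steps 1 and 2 plus the ICMPv4 rule recommended above, and then prints what each rule actually allows. The addresses in $ProviderIPs are placeholders from the RFC 5737 documentation ranges; replace them with the communication IPs you were sent.

```powershell
# Added example: firewall whitelist for the provider's communication IPs, built with
# the NetSecurity module. Run from an elevated PowerShell window.
$ProviderIPs = @('192.0.2.10', '192.0.2.11', '198.51.100.0/24')   # placeholders: use the IPs you were sent
$RuleName    = 'Allow eFlame Networks communication IPs'

foreach ($dir in 'Inbound', 'Outbound') {
    $name = "$RuleName ($dir)"
    # Re-create rather than duplicate the rule if the script is run more than once.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Protocol Any covers the tunnel itself (IP protocol 47 for GRE, 4 for IP-in-IP) as well as
    # the provider's health checks; -Profile Any equals ticking Domain, Private and Public.
    New-NetFirewallRule -DisplayName $name -Direction $dir -Action Allow `
        -Program Any -Protocol Any -LocalAddress Any -RemoteAddress $ProviderIPs `
        -Profile Any | Out-Null
}

# ICMPv4 echo requests from anywhere, so the provider can ping the backend.
$icmpName = 'Allow ICMPv4 echo request'
Get-NetFirewallRule -DisplayName $icmpName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $icmpName -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -Profile Any | Out-Null

# Verify: show the remote addresses each whitelist rule really carries.
Get-NetFirewallRule -DisplayName "$RuleName*" | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-55} {1,-8} {2}' -f $_.DisplayName, $_.Direction, $addr
}
```

Keep the whitelist limited to the provider's addresses: the rule allows every protocol and port from those hosts, so widening -RemoteAddress to Any would expose every service on the server.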

NAT

If you are behind NAT, or the local address shown in our interface is not present on the server, our application will ask you to choose an interface and will bind to that interface's primary IP. It is your responsibility to ensure that the GRE (IP protocol 47) or IP-in-IP (IP protocol 4) traffic sent to the publicly routable address shown in the interface is delivered to your backend. Note that GRE and IP-in-IP have no port numbers, so ordinary TCP/UDP port forwarding cannot forward them. We cannot provide much assistance with these setups because each router / NAT device is different. You may, however, be able to place your backend server in the router's DMZ, which may forward the tunnel traffic to it.

NOTE: If you have set up this GRE tunnel for a FiveM server, add the following three lines to your server.cfg file, replacing the placeholder with your GRE (proxy) IP:

sv_forceIndirectListing "true"
sv_listingIpOverride "<your proxy ip>"
sv_proxyIPRanges "<your proxy ip>/32"