Connect KVM host over GRE
Hi Folks,
As you may know, libvirt virtual network switches operate in NAT mode by default (IP masquerading rather than SNAT or DNAT). In this mode, virtual guests can communicate with the outside world, but computers external to the host can't initiate communications to the guests inside. One solution is to create a virtual switch in routed mode. There is one more option that does not change the underlying virtual switch's operating mode: creating a GRE tunnel between the hosts.
What is GRE?
GRE (Generic Routing Encapsulation) is a communication protocol that provides virtual point-to-point communication. It is a very simple and effective method of transporting data over a public network. You can use a GRE tunnel in some of the cases below.
- Use of multiple protocols over a single-protocol backbone
- Providing workarounds for networks with limited hops
- Connection of non-contiguous subnetworks
- Being less resource demanding than its alternatives (e.g. IPsec VPN)
Reference: https://www.incapsula.com/blog/what-is-gre-tunnel.html
Example of GRE encapsulation
Reference: https://www.incapsula.com/blog/what-is-gre-tunnel.html
I have created a GRE tunnel to connect to some of the KVM guests from the external host. Figure-2 shows what my topology looks like.
Figure-2 Connecting KVM guests over GRE Tunnel
I have two physical hosts, running the Mint and Ubuntu GNU/Linux distributions. KVM is running on the Ubuntu host.
GRE Tunnel configuration on GNU/Linux hosts
Before creating a GRE tunnel, we need to load the ip_gre module on both GNU/Linux hosts.
$ sudo modprobe ip_gre    # on the first node
$ sudo modprobe ip_gre    # on the second node
Configuring the physical interface on both nodes.
$ sudo ip addr add 100.100.100.1/24 dev enp0s31f6    # on the first node
$ sudo ip addr add 100.100.100.2/24 dev enp2s0       # on the second node
Configuring GRE Tunnel (On the first node)
$ sudo ip tunnel add tun0 mode gre remote 100.100.100.2 local 100.100.100.1 ttl 255
$ sudo ip link set tun0 up
$ sudo ip addr add 10.0.0.10/24 dev tun0
$ sudo ip route add 10.0.0.0/24 dev tun0
$ sudo ip route add 192.168.122.0/24 dev tun0
Configuring GRE Tunnel (On the Second Node)
$ sudo ip tunnel add tun0 mode gre remote 100.100.100.1 local 100.100.100.2 ttl 255
$ sudo ip link set tun0 up
$ sudo ip addr add 10.0.0.20/24 dev tun0
$ sudo ip route add 10.0.0.0/24 dev tun0
Because the GRE protocol adds an additional 24 bytes of header, it is highly recommended to set the MTU. The recommended MTU value is 1400.
Also do not forget to check iptables rules on both hosts.
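The MTU and iptables steps above are given without commands. The sketch below is an added example, not part of the original post: it prints (or, with DRY_RUN=0, runs) one way to do both. The addresses and tun0 are the post's; the gre_harden helper, the virbr0 bridge name and the rule positions are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Addresses and tun0 are the
# post's; virbr0 (libvirt's default bridge name) and the rule placement
# are assumptions. DRY_RUN=1 (the default) prints instead of executing.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

valid_ipv4() {  # dotted quad with every octet in 0-255
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gre_harden PEER_IP TUN_DEV [GUEST_NET [BRIDGE]]
gre_harden() {
    peer=$1 tun=$2 guest_net=${3:-} bridge=${4:-virbr0}
    valid_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    # GRE adds 24 bytes of header; 1400 is the MTU the post recommends.
    run ip link set dev "$tun" mtu 1400
    # GRE is IP protocol 47 and has no authentication of its own, so accept
    # it only from the configured peer and drop it from every other source.
    run iptables -I INPUT 1 -p 47 -s "$peer" -j ACCEPT
    run iptables -I INPUT 2 -p 47 -j DROP
    [ -n "$guest_net" ] || return 0
    valid_ipv4 "${guest_net%/*}" || { echo "bad guest network: $guest_net" >&2; return 1; }
    # KVM host only: in NAT mode outside hosts cannot initiate connections to
    # the guests, so admit tunnel traffic explicitly, and only from the tunnel.
    run iptables -I FORWARD 1 -i "$tun" -o "$bridge" -d "$guest_net" -j ACCEPT
}

# First node: the peer is 100.100.100.2 and there are no guests behind it.
gre_harden 100.100.100.2 tun0
# Second node (KVM host): the peer is 100.100.100.1, guests on 192.168.122.0/24.
gre_harden 100.100.100.1 tun0 192.168.122.0/24
```

Review the printed commands against the existing rule set (iptables -S) before running with DRY_RUN=0 as root.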
Experiment:
Once the configuration was complete, I successfully pinged the KVM guest (192.168.122.35) and transferred a file over SSH (scp). You can download the Wireshark pcap file here.