Pufferfish Host provides excellent DDoS protection, but you may want to tunnel traffic from Pufferfish Host to some other hosting platform or service. In this guide, we will show you how to accomplish this using a GRE tunnel.
VPS Specifications
In order to establish a GRE tunnel, your VPS will need two IP addresses assigned. This can be configured on the order page. If you have already ordered a VPS, please contact support to get a second IP address assigned. We recommend installing Debian on your VPS for this purpose, but any other Linux operating system should work fine (some parts of this guide may not work perfectly though). Windows also supports a setup like this, but we do not recommend using Windows.
Pufferfish Host Tunnel Setup
Run the following commands on your Pufferfish Host VPS to configure a GRE tunnel:
# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
Next, edit the /etc/network/interfaces file on your Pufferfish Host server, adding the following lines to the bottom. Here, OTHER_IP_ADDRESS represents the IP address of the remote server, PUFFERFISH_HOST_IP_1 represents your first Pufferfish Host IP address, and PUFFERFISH_HOST_IP_2 represents your second Pufferfish Host IP address:
auto gre1
iface gre1 inet static
address 192.168.200.1/30
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote OTHER_IP_ADDRESS local PUFFERFISH_HOST_IP_1
post-up iptables -t nat -A POSTROUTING -s 192.168.200.0/30 ! -o gre+ -j SNAT --to-source PUFFERFISH_HOST_IP_2
post-up iptables -t nat -A PREROUTING -d PUFFERFISH_HOST_IP_2 -j DNAT --to-destination 192.168.200.2
post-up iptables -A FORWARD -d 192.168.200.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
post-down ip tunnel del gre1
Run ifup gre1 to apply the changes. At this point, all traffic inbound to your second Pufferfish Host IP address will be forwarded to your remote server via the GRE tunnel.
Remote Server Tunnel Setup
On your remote server, first run the following command to create a new routing table. This routing table will be used to send return traffic through the GRE tunnel:
echo '100 PUFFHOST' >> /etc/iproute2/rt_tables
Next, edit the /etc/network/interfaces file, adding the following lines to the bottom. As in the previous step, OTHER_IP_ADDRESS represents the IP address of the remote server, and PUFFERFISH_HOST_IP_1 represents your first Pufferfish Host IP address:
auto gre1
iface gre1 inet static
address 192.168.200.2/30
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote PUFFERFISH_HOST_IP_1 local OTHER_IP_ADDRESS
post-up ip rule add from 192.168.200.0/30 table PUFFHOST
post-up ip route add default via 192.168.200.1 table PUFFHOST
post-down ip tunnel del gre1
Run ifup gre1 to apply the changes.
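Before pasting either stanza into /etc/network/interfaces, it is worth checking that no placeholder was left unsubstituted and that the two ends actually mirror each other (each side's "remote" must be the other side's "local"); a tunnel with mismatched endpoints comes up cleanly but never passes traffic. The following POSIX shell script is an added example, not part of the Pufferfish Host guide: it renders both stanzas from the real addresses and validates them before anything touches disk. The function names and the RFC 5737 documentation addresses used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Pufferfish Host guide.
# Renders the two gre1 stanzas from the real addresses and checks them
# for consistency before they are pasted into /etc/network/interfaces.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255,
# so that an unsubstituted placeholder such as OTHER_IP_ADDRESS is rejected.
validate_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      '' | *[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Stanza for the Pufferfish Host VPS.
# $1 = PUFFERFISH_HOST_IP_1, $2 = PUFFERFISH_HOST_IP_2, $3 = OTHER_IP_ADDRESS.
render_host_stanza() {
  cat <<EOF
auto gre1
iface gre1 inet static
    address 192.168.200.1/30
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre remote $3 local $1
    post-up iptables -t nat -A POSTROUTING -s 192.168.200.0/30 ! -o gre+ -j SNAT --to-source $2
    post-up iptables -t nat -A PREROUTING -d $2 -j DNAT --to-destination 192.168.200.2
    post-up iptables -A FORWARD -d 192.168.200.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    post-down ip tunnel del gre1
EOF
}

# Stanza for the remote server. $1 = PUFFERFISH_HOST_IP_1, $2 = OTHER_IP_ADDRESS.
render_remote_stanza() {
  cat <<EOF
auto gre1
iface gre1 inet static
    address 192.168.200.2/30
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre remote $1 local $2
    post-up ip rule add from 192.168.200.0/30 table PUFFHOST
    post-up ip route add default via 192.168.200.1 table PUFFHOST
    post-down ip tunnel del gre1
EOF
}

# Read a stanza on stdin and print "REMOTE LOCAL" taken from its "ip tunnel add" line.
tunnel_endpoints() {
  sed -n 's/.*ip tunnel add gre1 mode gre remote \([^ ]*\) local \([^ ]*\).*/\1 \2/p'
}

# $1 = Pufferfish Host side stanza text, $2 = remote side stanza text.
# Succeeds only if all four endpoint addresses are valid IPv4 and each side's
# "remote" is the other side's "local".
check_pair() {
  host_ep=$(printf '%s\n' "$1" | tunnel_endpoints)
  remote_ep=$(printf '%s\n' "$2" | tunnel_endpoints)
  h_remote=${host_ep%% *};   h_local=${host_ep#* }
  r_remote=${remote_ep%% *}; r_local=${remote_ep#* }
  for ip in "$h_remote" "$h_local" "$r_remote" "$r_local"; do
    validate_ipv4 "$ip" || { echo "bad or unsubstituted address: '$ip'" >&2; return 1; }
  done
  [ "$h_remote" != "$h_local" ] || { echo "both ends use the same address" >&2; return 1; }
  [ "$h_remote" = "$r_local" ] && [ "$h_local" = "$r_remote" ] ||
    { echo "endpoints do not mirror: host remote=$h_remote local=$h_local, remote remote=$r_remote local=$r_local" >&2; return 1; }
}

# Demo with constructed RFC 5737 documentation addresses; nothing is written to disk.
host_cfg=$(render_host_stanza 203.0.113.10 203.0.113.11 198.51.100.20)
remote_cfg=$(render_remote_stanza 203.0.113.10 198.51.100.20)
if check_pair "$host_cfg" "$remote_cfg"; then
  printf '%s\n\n%s\n' "$host_cfg" "$remote_cfg"
fi
```

To use it on a real deployment, replace the three demo addresses with your own and copy each printed stanza to the matching server; if check_pair prints an error instead, fix the addresses before running ifup gre1 on either side.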
Test the GRE tunnel
Now, we will test that the servers are reachable via the GRE tunnel. Run ping 192.168.200.2 from your Pufferfish Host VPS. You should get responses back; these pings are coming through the GRE tunnel. Although this is a redundant test, you may also want to test pinging from the other side: ping 192.168.200.1 from your remote server.
You may also want to verify that traffic is being properly forwarded externally by running the following command on your remote server:
curl icanhazip.com --interface PUFFERFISH_HOST_IP_2
If all is working, you should see your second Pufferfish Host IP.
Docker/Pterodactyl – Default Route
Docker doesn't "play nice" with this setup due to the extra container networking interfaces it configures. In order to make Docker work, we will need to set up a default route through the GRE tunnel.
First, you will need to determine your current default gateway and interface:
ip route show default 0.0.0.0/0 | awk '{print $3}' # Shows default gateway
ip -br addr show | grep OTHER_IP_ADDRESS | awk '{print $1}' # Shows default interface
Next, run the following commands to establish a default route. Note that this will drop your current SSH connection.
ip route add PUFFERFISH_HOST_IP_1 via YOUR_DEFAULT_GATEWAY dev YOUR_INTERFACE onlink
ip route replace default via 192.168.200.1 src PUFFERFISH_HOST_IP_2
At this point, reconnect over SSH using the PUFFERFISH_HOST_IP_2 address. If this doesn't work, restart your machine to revert the change. If this does work, you can make the change permanent by adding the following lines to the /etc/network/interfaces file under the gre1 interface, then restart your remote server:
post-up ip route add PUFFERFISH_HOST_IP_1 via YOUR_DEFAULT_GATEWAY dev YOUR_INTERFACE onlink
post-up ip route replace default via 192.168.200.1 src PUFFERFISH_HOST_IP_2
This will force all traffic to be routed through the GRE tunnel, and the machine's "new" primary IP address will change to the second Pufferfish Host IP address.
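Because the two route commands above drop your SSH session, a typo in the gateway or interface name leaves the server unreachable until it is rebooted. The following POSIX shell script is an added example, not part of the Pufferfish Host guide: it wraps the same two commands with a detached watchdog that puts the original default route back after a timeout unless you confirm, from your new session, that the change worked. The confirm-file path, the function names and the addresses in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not part of the Pufferfish Host guide: switch the default
# route into the tunnel with an automatic rollback, so that a mistake in the
# gateway or interface does not lock you out of the remote server.
# CONFIRM_FILE is a constructed name; override it in the environment if needed.
CONFIRM_FILE=${CONFIRM_FILE:-/run/gre-default-route.ok}

# Print "GATEWAY INTERFACE" for the current IPv4 default route.
current_default() {
  ip -4 route show default |
    awk '{ for (i = 1; i <= NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") dev = $(i + 1) } print gw, dev; exit }'
}

# Commands that move the default route into the tunnel (the guide's two commands).
# $1 = PUFFERFISH_HOST_IP_1, $2 = PUFFERFISH_HOST_IP_2, $3 = default gateway, $4 = interface.
apply_commands() {
  printf 'ip route add %s via %s dev %s onlink\n' "$1" "$3" "$4"
  printf 'ip route replace default via 192.168.200.1 src %s\n' "$2"
}

# Commands that restore the original default route and drop the host route again.
revert_commands() {
  printf 'ip route replace default via %s dev %s\n' "$3" "$4"
  printf 'ip route del %s via %s dev %s onlink\n' "$1" "$3" "$4"
}

# Apply the change, then revert it after $5 seconds (default 120) unless
# CONFIRM_FILE exists. Once you are logged back in via PUFFERFISH_HOST_IP_2,
# run "touch $CONFIRM_FILE" to keep the new route; otherwise the watchdog
# restores the old one and you can reconnect via OTHER_IP_ADDRESS.
safe_apply() {
  timeout=${5:-120}
  revert_script=$(mktemp) || return 1
  revert_commands "$1" "$2" "$3" "$4" > "$revert_script"
  rm -f "$CONFIRM_FILE"
  # The watchdog is started first and detached with nohup so it survives the
  # SSH session dying half-way through the apply step.
  nohup sh -c "sleep $timeout; [ -e '$CONFIRM_FILE' ] || sh -e '$revert_script'; rm -f '$revert_script'" >/dev/null 2>&1 &
  apply_commands "$1" "$2" "$3" "$4" | sh -e
}

# Dry run with constructed values: show what would be executed, change nothing.
echo "# would apply:"
apply_commands 203.0.113.10 203.0.113.11 198.51.100.1 eth0
echo "# would revert with:"
revert_commands 203.0.113.10 203.0.113.11 198.51.100.1 eth0
```

On the remote server you would call `safe_apply PUFFERFISH_HOST_IP_1 PUFFERFISH_HOST_IP_2 $(current_default)` with your real addresses, reconnect to the second Pufferfish Host IP, and create the confirm file within the timeout; only after that succeeds is it worth making the change permanent in /etc/network/interfaces.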
Troubleshooting
Sometimes, MTU issues can pop up because the GRE tunnel adds 24 extra bytes of headers to every packet. If you're seeing TCP connections stall or UDP packets dropped, this is likely the cause. If this happens, decrease the MTU on your gre1 interface. You may also need to apply MSS clamping using the following command:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre1 -j TCPMSS --set-mss 1400
We recommend adding this command to your /etc/network/interfaces file so that it applies on boot. If you need additional assistance with this, please contact support and we can help you out.
Your other provider may also be filtering GRE traffic. If this happens, you may have to contact their support, check their firewall rules (try adding a rule to explicitly allow GRE), or use an IPIP tunnel instead. If your GRE tunnel works, but fails for larger bandwidth uploads or downloads, then DDoS mitigation may be kicking in, either on our end or on the other provider. If this happens, please contact support so we can adjust the filtering rules for you.
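Rather than guessing an MTU, the sizes can be derived from the MTU of the underlying link: GRE removes 24 bytes, a TCP segment needs 40 bytes of IP and TCP headers, and an ICMP echo needs 28. The following POSIX shell script is an added example, not part of the Pufferfish Host guide: it computes the gre1 MTU and matching MSS clamp and prints Don't Fragment ping probes that confirm the result end to end. On a 1500-byte link it yields an MTU of 1476 and an MSS of 1436, so the guide's 1400 is a deliberately conservative value that also leaves room for an outer path narrower than 1500. The function names are constructed; OTHER_IP_ADDRESS and 192.168.200.2 are the guide's own.

```shell
#!/bin/sh
# Added example, not part of the Pufferfish Host guide: derive the gre1 MTU and
# the TCP MSS clamp from the MTU of the underlying link, and print ping probes
# that confirm the sizes end to end. Header sizes are protocol constants:
GRE_OVERHEAD=24      # 20-byte outer IPv4 header + 4-byte GRE header
TCP_IP_HEADERS=40    # 20-byte IPv4 header + 20-byte TCP header (no options)
ICMP_IP_HEADERS=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Largest inner packet that still fits one outer packet. $1 = outer link MTU.
gre_mtu() { echo $(( $1 - GRE_OVERHEAD )); }

# Largest TCP payload that fits an interface MTU. $1 = MTU of gre1.
tcp_mss() { echo $(( $1 - TCP_IP_HEADERS )); }

# "ping -s" payload that makes an echo request exactly MTU bytes long. $1 = MTU.
ping_payload() { echo $(( $1 - ICMP_IP_HEADERS )); }

# Print a probe that sends Don't Fragment echo requests of exactly $1 bytes to $2
# ("-M do" is the Linux iputils option that sets the DF bit).
probe_command() {
  printf 'ping -M do -c 3 -s %s %s\n' "$(ping_payload "$1")" "$2"
}

# Print the full tuning recipe. $1 = outer link MTU, $2 = the other tunnel
# endpoint's public address, $3 = the peer address inside the tunnel.
tune_commands() {
  mtu=$(gre_mtu "$1")
  mss=$(tcp_mss "$mtu")
  echo "# 1. confirm the underlying path really carries $1-byte packets unfragmented:"
  probe_command "$1" "$2"
  echo "# 2. size the tunnel interface and clamp TCP MSS to match:"
  printf 'ip link set dev gre1 mtu %s\n' "$mtu"
  printf 'iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre1 -j TCPMSS --set-mss %s\n' "$mss"
  echo "# 3. an echo request filling the tunnel MTU must pass; one byte more must be refused locally as 'message too long':"
  probe_command "$mtu" "$3"
  probe_command "$(( mtu + 1 ))" "$3"
}

# Demo for a standard 1500-byte link, as run on the Pufferfish Host side.
tune_commands 1500 OTHER_IP_ADDRESS 192.168.200.2
```

If step 1 fails with a "message too long" or the replies stop, lower the first argument (1492 for PPPoE uplinks is a common case) and rerun; everything downstream is recomputed from it. The MSS clamp line is the guide's rule with the computed value substituted, so it can go into /etc/network/interfaces the same way.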