Connecting LXC hosts with GRE tunnels

A GRE tunnel is a simple point-to-point IP tunnel connecting two public IPs and networks, but it is not encrypted. For private networks across the public Internet, encryption is often standard, but if your traffic does not have high security requirements or you are working on local networks, a GRE tunnel is a simple solution that just works.

To build secure encrypted connections please visit the IPSEC and Tinc guides.

This guide presumes you have gone through the basic LXC networking guide and are familiar with LXC and VM networking basics.

Setting it up
Connecting 2 LXC hosts with a GRE tunnel will enable your LXC containers to access each other. LXC containers will be using their default NAT bridge lxcbr0.

We are going to change the subnet provided by lxcbr0 on one side, which is normally 10.0.3.0/24, to 10.0.4.0/24 so there is no clash of IPs on either side and we can route both ways.

So here is the network map. We are going to call our GRE tunnel 'neta' on Host A and 'netb' on Host B (you can call them anything you want; the commands below use gre1 and gre2).

Host A has public IP 1.2.3.4
Host B has public IP 2.3.4.5
Containers in Host A are on subnet 10.0.4.0/24 via default lxcbr0 NAT bridge
Containers in Host B are on subnet 10.0.3.0/24 via default lxcbr0 NAT bridge

Change the subnet on Host A
To change the default lxc-net subnet range, edit the /etc/init.d/lxc-net script or, if you are on Ubuntu, edit the /etc/default/lxc-net file. Change the subnet entries from 10.0.3.0/24 to 10.0.4.0/24.

Create the GRE tunnel on Host A and B
First load the GRE module on both hosts
modprobe ip_gre

On Host A

ip tunnel add gre1 mode gre remote 2.3.4.5 local 1.2.3.4 ttl 255
ip link set gre1 up
ip addr add 10.0.4.254 dev gre1
ip route add 10.0.3.0/24 dev gre1

On Host B

ip tunnel add gre2 mode gre remote 1.2.3.4 local 2.3.4.5 ttl 255
ip link set gre2 up
ip addr add 10.0.3.254 dev gre2
ip route add 10.0.4.0/24 dev gre2

Congratulations! Your spanking new GRE tunnel is up and your containers on both sides can ping each other. If you run a traceroute, you will notice that the IP address we added to the tunnel on each side (10.0.3.254 or 10.0.4.254) is being used as the gateway to reach the other side. This link IP is arbitrary; you can use anything, 10.0.0.1 and 10.0.0.2 for instance.
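
The two-host setup above as an added example (not part of the original guide): a shell function that prints, without running, the commands for one end of the tunnel and refuses if the container subnets clash. The three iptables rules are an assumption beyond the guide: since the tunnel is unencrypted, they accept GRE (IP protocol 47) only from the peer's public IP and drop tunnelled traffic whose source is outside the peer's container subnet.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for one end of the tunnel.

# net24 A.B.C.D/24 -> "A.B.C"; fails for anything that is not a /24
net24() {
    case "$1" in
        *.*.*.*/24) echo "${1%.*}" ;;
        *) return 1 ;;
    esac
}

# gre_plan DEV LOCAL_PUBLIC_IP REMOTE_PUBLIC_IP LOCAL_SUBNET REMOTE_SUBNET
gre_plan() {
    dev=$1 local_ip=$2 remote_ip=$3 lsub=$4 rsub=$5
    lnet=$(net24 "$lsub") && rnet=$(net24 "$rsub") || {
        echo "container subnets must be /24" >&2; return 2; }
    # Both sides default to 10.0.3.0/24; routing both ways needs distinct subnets.
    if [ "$lnet" = "$rnet" ]; then
        echo "subnet clash: $lsub on both hosts" >&2; return 3
    fi
    # The tunnel commands follow the guide (link IP = local subnet .254).
    # Assumption, not in the guide: the iptables rules accept GRE (protocol 47)
    # only from the peer and drop inner traffic not sourced from its subnet.
    cat <<EOF
modprobe ip_gre
ip tunnel add $dev mode gre remote $remote_ip local $local_ip ttl 255
ip link set $dev up
ip addr add ${lnet}.254 dev $dev
ip route add $rsub dev $dev
iptables -A INPUT -p 47 -s $remote_ip -d $local_ip -j ACCEPT
iptables -A INPUT -p 47 -j DROP
iptables -A FORWARD -i $dev ! -s $rsub -j DROP
EOF
}

# Host A from the guide's network map
gre_plan gre1 1.2.3.4 2.3.4.5 10.0.4.0/24 10.0.3.0/24
```

Review the printed commands before running them as root on each host; iptables -A appends, so check where the rules land relative to your existing ones.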

You can easily extend this beyond 2 hosts with multiple GRE tunnels to connect all your hosts and containers. Give each of the GRE endpoints an IP in the /16 range. In this case your routing rules will change from a /24 to a /16, to something like this:

ip addr add 10.0.0.254/16 dev gre1

ip route add 10.0.0.0/16 dev gre2

To remove the tunnel

ip link set gre1 down
ip tunnel del gre1

More from the Flockport LXC networking series

Connect LXC hosts with IPSEC VPNs

Connect LXC containers across hosts with IPSEC VPNs

Connect LXC hosts with Tinc VPNs

Connect LXC containers across hosts with Tinc VPNs

LXC networking deep dive - Extending layer 2 across hosts

Connect containers across hosts with VXLAN
