Is tunneling usually possible on most hosts by DEFAULT?

Discussion in 'Mail Chat' started by location, Oct 27, 2015.

  1. location

    location New Member

    If I buy a VPS or dedicated server at your average US host, and want to tunnel to another US host, will this normally be possible by default, or do they filter out that kind of traffic and you have to ask?

    Also, I did some searching and I see a lot of talk about tun/tap vs gre tunneling. Does anyone care to explain which is better and why?

    Thanks.
     
  2. SuperGenii

    SuperGenii www.DataMCP.com

    GRE is the standard in my opinion. If you get a dedicated server, most likely you will have tunneling capability, assuming the GRE and IPIP protocols are not being blocked by your service provider, which is unlikely but possible.

    I have come across VPS without module ip_gre installed. That makes it much more complicated. VPS providers can and do restrict you more than if you leased a dedicated server.

    SG
     
  3. docbrown

    docbrown Member

    Some hosts will not allow you to source route other IPs, so depending on your setup you could have some difficulties. You just have to try some out and see if they fit your needs.

    tun/tap and GRE are two different things. tun is a software/virtual network device that can be used by a tunnelling protocol like GRE.
     
  4. maileradmin

    maileradmin Mailer Forum Staff Member

    GRE is the "old way". Most VPS don't come with ip_gre, so using tun/tap is the best option nowadays, and it works on 99% of the servers. The thing is that not everyone knows exactly how to do it; luckily I figured it out lol. Also, with GRE you're forced to use the GRE protocol, which can be spotted and blocked; with tuntap you can use any port.
     
  5. nickphx

    nickphx VIP

    How is GRE the old way? It's just a simple encapsulation protocol.
    GRE doesn't use a port, it's a protocol. Protocol 47.
    tun is a device, tap is a device.
    tun moves layer 3.
    tap moves layer 2 + layer 3, so it can be used as a network bridge and send broadcast traffic.
    gre uses a tun device.
    gre encapsulates the layer 3 traffic and sends it over the tun device.

    I've yet to see gre filtered on a hosting network.
    I've seen egress filtering where only traffic from allowed IP addresses can leave the network.
    This would prevent you from tunneling in IPs from another provider and sending traffic from those IPs to the world, as the IPs would not be from the sourced network and would get dropped by the provider.

    I have seen SPI (stateful packet inspection) firewalls dropping traffic when the connection didn't originate from the network.
    IE:
    You tunnel a /27 from Bob's network to Steve's network.
    Steve's network doesn't have egress filtering, so you can send traffic claiming to be from Bob's IPs from Steve's network.
    Bob's ISP firewall didn't see the initial connection come through Bob's network so a stateful firewall would drop it.
    The ACK would never make it to Bob's server, so the ACK wouldn't be routed over the tunnel to Steve's network and the connection would time out.
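
The two provider-side checks named in the post above (GRE being IP protocol 47 rather than a port, and egress filtering on source address), as an added example that is not part of the original thread. The prefix `198.51.100.0/24`, the sample packets and all function names are constructed for illustration.

```python
import ipaddress
import struct

# IP protocol numbers for the encapsulations named in the thread.
TUNNEL_PROTOCOLS = {4: "IPIP", 47: "GRE"}

# Constructed example: prefixes a provider has assigned to its own customers.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = packet[0], packet[9]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return proto, src, dst


def egress_verdict(packet: bytes, allowed=ALLOWED_SOURCES):
    """Decide what a border filter would do with an outbound packet."""
    proto, src, _dst = parse_ipv4(packet)
    # Egress filtering: only sources from the provider's own prefixes may leave.
    if not any(src in net for net in allowed):
        return "drop: source not in assigned prefixes"
    # Encapsulation is identified by the protocol field, not by a port.
    if proto in TUNNEL_PROTOCOLS:
        return f"flag: {TUNNEL_PROTOCOLS[proto]} encapsulation (protocol {proto})"
    return "pass"


def build_header(proto: int, src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at 0) as test input."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


if __name__ == "__main__":
    samples = {
        "tcp from assigned IP": build_header(6, "198.51.100.10", "203.0.113.5"),
        "gre from assigned IP": build_header(47, "198.51.100.10", "203.0.113.5"),
        "tcp from foreign IP": build_header(6, "192.0.2.33", "203.0.113.5"),
    }
    for name, pkt in samples.items():
        print(f"{name}: {egress_verdict(pkt)}")
```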
     
  6. maileradmin

    maileradmin Mailer Forum Staff Member

    I said old way because it's what people used before the tuntap method was discovered. I don't call it by its name because it would reveal the how-to, which I don't want. I know the proper name...
    For clarity's sake, the tuntap method works on layer 4. With GRE you don't know the status of the tunnel; you have to ping. With tuntap you do; the app tells you.
    If I ran/worked at a hosting company I'd definitely block GRE traffic and other measures that only a few companies have started to do. It is easy to do: just create a rule for incoming and outgoing traffic for protocol 47. You don't need anything fancy; any router can do it. Their admins are just plain stupid or they just want to take money from mailers. With tuntap it is a bit more difficult: since it works on layer 4, you can't block it with a firewall filter.
     
  7. SuperGenii

    SuperGenii www.DataMCP.com

    Anyone tunnelling IPv6?
     
  8. maileradmin

    maileradmin Mailer Forum Staff Member

    Not yet, but totally doable. Have you seen any improvements in doing so?
     
