Other guides Cheap and Easy DDoS protected VPN (GRE Tunnel)

Guides for any other game/matter

Cheap, easy DDoS protection, via GRE tunnel


Note: This works best for dedicated servers rented in companies like Hetzner, OVH, etc.. Use at home hosted servers is subject if your ISP allows GRE traffic, contact them beforehand.

Last year I was running a DDoS protection service, and I will unveil one of the cheapest ways to get reliable DDoS protection very easily.
For the purpose of this guide you will need a linux vps, at a provider that has decent DDoS protection, like Path.net or Cosmic Guard. I will be using EUGameHost as I've been using it for my PvP cluster recently, and it's yielded very good results for the price paid. Also we will configure the tunnel between this VPS and a Windows machine. It can also be configured in a Linux machine, you can search for some tutorials on the internet.
VPS is using debian.

Also, you will need a program to access the server via SSH, I will use PuTTy.
If you are in linux, or in Windows 11, you can use CLI based ssh.
Any VPS that has 2 cores or more should be valid, depends on how many people and traffic your servers use, however.

When you buy the VPS, you will have to download a private key, which is used instead of a password. Private keys are way better than a password in terms of security.
To use the private key to log in trough SSH with PuTTy, you will need to convert it to the putty format. When you installed Putty, it should have also installed a program called PuTTyGen, open it.

Important!
Many hosts put a "Deny all" rule by default, you will need to open ports in the firewall for SSH (22), and after finishing this guide you will also need to open ports for ARK server, and other software you run trough the VPN


Load the private key you downloaded, and click "Save Private Key". You can use a passphrase or not, I usually do not use it. Save the .ppk file somewhere, and remember where it is.

1715353894466.png


After converting the private key to Putty format, select your newly saved .ppk file in the following section
1715354124536.png

And fill in the user and the server ip like this, where XXX.XXX.XXX.XXX is your vps' ip:
1715354165291.png
You can save the default settings so you don't need to repeat these 2 steps every time.

Once you are ready to go, click "Open", it should open a console window.
When you are connected and, if you haven't, update and upgrade all of your packages using your package manager. For example, for apt you can put
Bash:
apt update && apt upgrade

Now, open your favourite text editor. I will use nano (if it says command is not found, execute apt install nano), and open a new .sh file. I will open gre.sh
Bash:
nano gre.sh

And paste this script:
Bash:
#!/bin/bash

# ./gre_tunnel.sh gre1 192.0.2.1 198.51.100.2 10.0.0.1 10.0.0.2 203.0.113.0

INTERFAZ=$1
IP_LOCAL=$2
IP_REMOTA=$3
IP_PRIVADA_LOCAL=$4
IP_PRIVADA_REMOTA=$5
IP_PUBLICA=$6

ip tunnel add $INTERFAZ mode gre remote $IP_REMOTA local $IP_LOCAL ttl 255
ip addr add $IP_PRIVADA_LOCAL peer $IP_PRIVADA_REMOTA dev $INTERFAZ
ip link set $INTERFAZ up

echo "net.ipv4.ip_forward = 1" | tee /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

iptables -t nat -A POSTROUTING -o $INTERFAZ -p tcp --dport 22 -j RETURN

iptables -t nat -A POSTROUTING -o $INTERFAZ -j MASQUERADE
iptables -A FORWARD -i $INTERFAZ -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_PUBLICA -j DNAT --to-destination $IP_PRIVADA_REMOTA
iptables -t nat -A POSTROUTING -s $IP_PRIVADA_REMOTA -j SNAT --to-source $IP_PUBLICA

This script will set up all the necessary rules and configurations to set up a basic GRE tunnel.
Now give it execution permission:
Bash:
chmod +x gre.sh

Then, we need some data to keep going:

  • VPS ip: Is the IP of the vps server we just bought. Let's assume it's 192.168.1.2
  • Dedicated Server IP: It's the original IP of the machine running the game servers. This IP should be kept secret, otherwise attacks can be easily done to this IP. Let's assume it's 192.168.1.10
  • Internal IPs for the VPS. If you just bought this VPS, and don't have any more GRE tunnels running, you can use 10.10.0.1 and 10.10.0.2 as I will show later. These will be the IPs where the GRE traffic will be routed back and forth
  • A unique name for the network interface. You will need to give the interface a name. I will call it "gre1" for this guide.
Once we have all the data, execute this command in the console:
Bash:
./gre.sh gre1 192.168.1.2 192.168.1.10 10.10.0.1 10.10.0.2 192.168.1.2
This command starts the GRE tunnel and now it's ready to be configured on our windows machine

On the Windows machine, download a copy of this open-source software: https://github.com/wow0000/GRE_Tunnel/releases/latest
Unzip it and create a new file, start.bat for example:

Bash:
@echo off
:start
.\GRETunnel.exe 192.168.1.10 19.168.1.2 10.10.0.2 10.10.0.1
timeout /t 5
goto start

Once you start that bat script, it should be working already if everything is correctly configured!
To test this, open a cmd window and try "ping 10.10.0.1". If you can ping 10.10.0.1 means the GRE tunnel is healthy.

To make the game servers go trough the GRE tunnel we just set up, you will have to set multihome IP in Ark. In ASM you can find the IP in this section:
1715355984251.png

For ASA, you can write in the launch args -multihome=10.10.0.2 and -ServerIP=192.168.1.2 (change this with your actual IPs from the VPS)

Now, this is different for each VPS provider, but you should open ports for your ark server ports. Game port, Query, Peer, Rcon, etc...
Also, when available, filters are super necessary!. Filters examine the network packets based on game/software type and discard the malicious packets allowing your server to continue operating without noticing any kind of attack. If you miss filters, you will likely get affected if someone sends a DDoS attack against you.

In my case, since I'm using EUGameHost, they have a nice firewall panel (you have to open a ticket in their discord to get access to it currently), but you can set up each game server with the presets for ARK: SE and ARK: SA:
1715356045576.png
This firewall presets will take care of everything for you, including firewall and filters.

Hope you find this guide interesting! Like if you liked!

© Pelayori. Unauthorized distribution of this work, or any derived versions, is strictly prohibited.
 

Attachments

  • 1715356042641.png
    1715356042641.png
    27.6 KB · Views: 12
Last edited:
Hi, Thank you for sharing that information!

I have a few questions:

  1. Does it work if my home server is under an open NAT? That is, I am under the public IP 203.x.x.37 in a local network 192.168.1.65 (IP of my network adapter).
  2. Is it necessary to add ARKS ports forwarding in the VPS (Debian 10) ?

I use Zap Hosting as VPS. I followed the tutorial to the letter, executed the script on Windows without errors, successfully pinged 100% of the packets to the local IP of the VPS server, but my ARK server does not appear in the list, and I can't access it directly by IP (using the VPS IP).

PS: I configured the multi-home in the private network where the GRE tunnel is (10.10.0.2) and windows firewall off.
In home networks it fully depends on the ISP and the router they give you. Some ISPs will allow GRE traffic while others might not. If your private IPs are giving ping it usually means it works.
GRE traffic doesn't need any ports are it doesn't run off any port so you shouldn't need to open any port in your local network, but you might need to do so on the VPS or the host's firewall because that's where the connections are going to arrive.

There are other options like wireguard but I haven't been able to set it up yet so I do not have much knowledge on that.
 
In home networks it fully depends on the ISP and the router they give you. Some ISPs will allow GRE traffic while others might not. If your private IPs are giving ping it usually means it works.
GRE traffic doesn't need any ports are it doesn't run off any port so you shouldn't need to open any port in your local network, but you might need to do so on the VPS or the host's firewall because that's where the connections are going to arrive.

There are other options like wireguard but I haven't been able to set it up yet so I do not have much knowledge on that.
Know why I would get API timeouts and problems connecting to steam cmd from ASM on ASE to download mods after installing a ddos protection? (cosmic guard)


All ARK server ports are open inbound rules
 
I use Zap Hosting as VPS. I followed the tutorial to the letter, executed the script on Windows without errors, successfully pinged 100% of the packets to the local IP of the VPS server, but my ARK server does not appear in the list, and I can't access it directly by IP (using the VPS IP).
All firewalls have inbound rules opened!
 
Back
Top