Build a GRE tunnel to break the wall

TL;DR: a GRE tunnel still works.

The GFW has improved over time, and it now seems able to do some in-depth detection on long-lived connections carrying unknown traffic across the country's internet border.

Say I have two VPSes, A and B: VPS A is within the wall and VPS B is in another country.

The configs are below. Enable IPv4 forwarding (the net.ipv4.ip_forward sysctl) as well; I won't mention it again.

On VPS A:

cat /etc/rc.local

(exec /home/feuvan/scripts/gre.sh)

gre.sh

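#!/bin/sh
# Create the GRE tunnel to VPS B and assign this end's tunnel address.
NAME=xxxx
REMOTE="<IP of VPS B>"   # replace with the IP of VPS B

ip tunnel add "$NAME" mode gre remote "$REMOTE"
ip addr add dev "$NAME" 10.18.20.1/24
ip link set dev "$NAME" up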

/etc/iptables/rules.v4, for iptables-persistent

# Generated by iptables-save v1.4.21 on Wed Oct  7 21:41:32 2015
*mangle
:PREROUTING ACCEPT [165069:36215370]
:INPUT ACCEPT [55774:15585668]
:FORWARD ACCEPT [109295:20629702]
:OUTPUT ACCEPT [64319:8616282]
:POSTROUTING ACCEPT [173614:29245984]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Oct  7 21:41:32 2015
# Generated by iptables-save v1.4.21 on Wed Oct  7 21:41:32 2015
*nat
:PREROUTING ACCEPT [30:1332]
:INPUT ACCEPT [30:1332]
:OUTPUT ACCEPT [19:1309]
:POSTROUTING ACCEPT [19:1309]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.18.20.2:8080
-A POSTROUTING -d 10.18.20.2/32 -p tcp -m tcp --dport 8080 -j SNAT --to-source 10.18.20.1
COMMIT
# Completed on Wed Oct  7 21:41:32 2015
# Generated by iptables-save v1.4.21 on Wed Oct  7 21:41:32 2015
*filter
:INPUT ACCEPT [484280:623851754]
:FORWARD ACCEPT [872982:650674202]
:OUTPUT ACCEPT [574608:63020814]
COMMIT
# Completed on Wed Oct  7 21:41:32 2015

On VPS B:

grep -e "^[^#]" 3proxy.cfg

nserver 8.8.8.8
nscache 65536
users SOMEBIGSECRET
daemon
log 3proxy.log D
logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 30
auth strong
deny * * 127.0.0.1,192.168.1.1
allow * * * * *
proxy -n -a -p8080

gre.sh

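#!/bin/sh
# Create the GRE tunnel to VPS A and assign this end's tunnel address.
NAME=xxxx
REMOTE="<IP of VPS A>"   # replace with the IP of VPS A

ip tunnel add "$NAME" mode gre remote "$REMOTE"
ip addr add dev "$NAME" 10.18.20.2/24
ip link set dev "$NAME" up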

So when a user hits port 8080 on VPS A, the traffic is passed through to VPS B via the GRE tunnel xxxx, which is still not affected by the GFW.

And the long-lived connection between your device and VPS A won’t be monitored by the GFW either.
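
A quick lint for VPS A's rules.v4, as an added example that is not part of the original post: it checks that every DNAT target has a matching SNAT rule (so replies return through the tunnel) and that the MSS clamp is present (GRE over IPv4 adds 24 bytes per packet). The function names and the trimmed sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump for the port forward described above.
# Assumes DNAT targets are written as ip:port and the SNAT rule names the
# destination with -d and --dport, as in the rules.v4 on this page.
audit_forward() {
    awk '
    /^\*/ { table = substr($0, 2) }   # track the current table (*mangle, *nat, ...)
    table == "mangle" && /-A FORWARD/ && /-j TCPMSS/ && /--clamp-mss-to-pmtu/ { clamp = 1 }
    table == "nat" && /-A PREROUTING/ && /-j DNAT/ {
        for (i = 1; i < NF; i++) if ($i == "--to-destination") dnat[$(i+1)] = 1
    }
    table == "nat" && /-A POSTROUTING/ && (/-j SNAT/ || /-j MASQUERADE/) {
        ip = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") { ip = $(i+1); sub(/\/32$/, "", ip) }
            if ($i == "--dport") port = $(i+1)
        }
        snat[ip ":" port] = 1
    }
    END {
        bad = 0
        # Without source NAT, VPS B answers via its default route, not the tunnel.
        for (t in dnat) if (!(t in snat)) { print "NO_SNAT " t; bad++ }
        # Without the clamp, full-size TCP segments exceed the tunnel MTU.
        if (!clamp) { print "NO_MSS_CLAMP"; bad++ }
        if (!bad) print "OK"
    }'
}

# Constructed sample: the rules from this page with counters and comments trimmed.
sample_rules() {
cat <<'EOF'
*mangle
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.18.20.2:8080
-A POSTROUTING -d 10.18.20.2/32 -p tcp -m tcp --dport 8080 -j SNAT --to-source 10.18.20.1
COMMIT
EOF
}

sample_rules | audit_forward                                  # complete rule set
sample_rules | grep -v -e SNAT -e TCPMSS | audit_forward      # both rules removed
```

On the real host, feed it the live rules with `audit_forward < /etc/iptables/rules.v4`.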

Enjoy.