GRE Tunneling OVH VPS as DDoS Shield for Hetzner Dedicated, But UDP Mitigation Issues
Hey everyone, I'm glad to be a part of this great community.
I just wanted to share my experience trying to use OVH DDoS Mitigation by using their VPS as protection for my Hetzner Dedicated Server.
Everything works great with TCP/GRE after lots of tries, but there is one major issue — of course — which is with UDP.
OVH Setup:
# OVH side: the tunnel endpoint that receives the protected traffic (remote = Hetzner, local = OVH)
ip tunnel add gre1 mode gre remote <Unprotected Server Public IP> local <Protected Server Public IP> ttl 255 key 123
ip link set gre1 up
ip addr add 10.0.0.1/30 dev gre1
# Forward packets between the public interface and the tunnel
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
# Rewrite everything arriving on ens3 to the Hetzner end of the tunnel (note: not scoped by -d or -p, so it applies to all inbound traffic)
iptables -t nat -A PREROUTING -i ens3 -j DNAT --to-destination 10.0.0.2
iptables -A FORWARD -i ens3 -o gre1 -j ACCEPT
iptables -A FORWARD -i gre1 -o ens3 -j ACCEPT
# MASQUERADE on gre1 makes the Hetzner side see 10.0.0.1 as source instead of the real client IP
iptables -t nat -A POSTROUTING -o gre1 -j MASQUERADE
# Outbound traffic from the Hetzner side leaves with the OVH public IP
iptables -t nat -A POSTROUTING -s 10.0.0.0/30 -o ens3 -j MASQUERADE
Hetzner Setup:
# Hetzner side: mirror of the OVH endpoint (remote = OVH, local = Hetzner, same key)
ip tunnel add gre1 mode gre remote <Protected Server Public IP> local <Unprotected Server Public IP> ttl 255 key 123
ip link set gre1 up
ip addr add 10.0.0.2/30 dev gre1
# Find the current default gateway; it is needed for the host route below
ip route | grep default
# Keep the OVH endpoint reachable via the real gateway BEFORE the default route is moved into the tunnel
sudo ip route add <Protected Server Public IP> via <Hetzner Default Gateway> dev enp41s0
sudo ip route replace default via 10.0.0.1 dev gre1
Everything works great until I run a UDP application and it gets DDoS attacked.
When that happens, OVH's scrubbing center starts working and drops any IP connected to the UDP application, and they get banned for around 30 seconds.
Even IPs connected through SSH get dropped if they are connected to that UDP application.
I tried every method I could think of to fix it, but no luck whatsoever.
Once DDoS Mitigation starts on the OVH server, everything goes totally stupid.
I even tried following the BuyVM method and still had the same issue:
https://wiki.buyvm.net/doku.php/gre_tunnel:docker
- WireGuard didn't work for me; the UDP port for WireGuard drops also.
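To keep the two ends of a setup like the one above from drifting apart, here is an added example (my own script, not from the thread, OVH, Hetzner or the BuyVM wiki) that generates the commands for either side from one set of variables, checks that the two "ip tunnel add" lines mirror each other, and only prints the result so it can be reviewed before being piped into sh on the matching host. All addresses are placeholders from the RFC 5737 test ranges; interface names, the GRE key and the 10.0.0.0/30 tunnel net are taken from the post. It departs from the post's rules in two places: the DNAT is scoped to TCP/UDP addressed to the protected IP so the GRE packets themselves are never rewritten, and there is no MASQUERADE on gre1, so the Hetzner host keeps seeing real client source addresses (replies still return through the tunnel because its default route points at 10.0.0.1). A TCP MSS clamp is added for the 24 bytes of GRE overhead.

```shell
#!/bin/sh
# Added example, not from the thread: builds both ends of the GRE tunnel from one set of
# variables. Dry run only: it prints commands, it does not apply them.
# All addresses are placeholders (RFC 5737 test ranges); interface names follow the post.
: "${PROTECTED_IP:=192.0.2.10}"       # placeholder: OVH VPS public IP (the DDoS-protected one)
: "${UNPROTECTED_IP:=198.51.100.20}"  # placeholder: Hetzner dedicated public IP
: "${HETZNER_GW:=198.51.100.1}"       # placeholder: Hetzner's real default gateway (ip route | grep default)
: "${OVH_IF:=ens3}"                   # public interface on the OVH VPS
: "${HETZNER_IF:=enp41s0}"            # public interface on the Hetzner box
: "${GRE_KEY:=123}"                   # GRE key; must match on both ends
TUN_NET="10.0.0.0/30"

# Tunnel-internal address of the far end, as seen from the side given in $1.
tunnel_peer() {
  case "$1" in
    protected)   echo 10.0.0.2 ;;
    unprotected) echo 10.0.0.1 ;;
    *) echo "usage: tunnel_peer protected|unprotected" >&2; return 1 ;;
  esac
}

# Print the setup commands for one end. $1 is "protected" (OVH) or "unprotected" (Hetzner).
gre_commands() {
  case "$1" in
    protected)
      cat <<EOF
ip tunnel add gre1 mode gre remote $UNPROTECTED_IP local $PROTECTED_IP ttl 255 key $GRE_KEY
ip link set gre1 up
ip addr add 10.0.0.1/30 dev gre1
sysctl -w net.ipv4.ip_forward=1
# DNAT only TCP/UDP addressed to the protected IP: the GRE packets (IP protocol 47)
# arriving on $OVH_IF are never rewritten and re-encapsulated
iptables -t nat -A PREROUTING -i $OVH_IF -d $PROTECTED_IP -p tcp -j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING -i $OVH_IF -d $PROTECTED_IP -p udp -j DNAT --to-destination 10.0.0.2
iptables -A FORWARD -i $OVH_IF -o gre1 -j ACCEPT
iptables -A FORWARD -i gre1 -o $OVH_IF -j ACCEPT
# Clamp TCP MSS: GRE adds 24 bytes, so full-size segments would otherwise be fragmented or dropped
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# No MASQUERADE on gre1: Hetzner's default route already returns replies through the tunnel,
# and the Hetzner host keeps seeing the real client source addresses
iptables -t nat -A POSTROUTING -s $TUN_NET -o $OVH_IF -j SNAT --to-source $PROTECTED_IP
EOF
      ;;
    unprotected)
      cat <<EOF
ip tunnel add gre1 mode gre remote $PROTECTED_IP local $UNPROTECTED_IP ttl 255 key $GRE_KEY
ip link set gre1 up
ip addr add 10.0.0.2/30 dev gre1
# Pin the route to the OVH endpoint via the real gateway BEFORE moving the default route,
# otherwise the encapsulated GRE packets would themselves be routed into gre1 and the tunnel fails
ip route add $PROTECTED_IP via $HETZNER_GW dev $HETZNER_IF
ip route replace default via 10.0.0.1 dev gre1
EOF
      ;;
    *) echo "usage: gre_commands protected|unprotected" >&2; return 1 ;;
  esac
}

# "remote local" pair parsed back out of the generated "ip tunnel add" line for side $1.
tunnel_endpoints() {
  gre_commands "$1" | awk '/^ip tunnel add/ {
    for (i = 1; i <= NF; i++) { if ($i == "remote") r = $(i+1); if ($i == "local") l = $(i+1) }
    print r, l }'
}

# Succeeds only when the two ends mirror each other: each side's remote is the other's local.
endpoints_mirror() {
  set -- $(tunnel_endpoints protected) $(tunnel_endpoints unprotected)
  [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# On a real host, after applying the commands: confirm the far end answers through the tunnel.
check_tunnel() {
  ping -c 3 -W 2 -I gre1 "$(tunnel_peer "$1")"
}

# Dry run: PROTECTED_IP=... UNPROTECTED_IP=... ./gre-setup.sh protected | less
case "${1:-}" in
  protected|unprotected) endpoints_mirror && gre_commands "$1" ;;
esac
```

Run it once per side with the real public IPs and gateway exported, read the output, and only then pipe it into sh on that host; `check_tunnel protected` (on OVH) or `check_tunnel unprotected` (on Hetzner) pings the far end over gre1 afterwards. Nothing here changes what OVH's scrubbing does with UDP during mitigation, which is the thread's actual problem; it only removes the self-inflicted ways a hand-typed pair of configs can break.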

Comments
GRE used to be a pretty common attack vector; it's possible that OVH detects your tunnel traffic as malicious during mitigation.
You can try whitelisting GRE traffic for the specific IP in their dashboard if you haven't already, but it's also possible that the firewall you have access to is "behind" another device filtering traffic closer to their edges.
Don't bother using OVH. If you get a UDP flood, they will just rate limit all UDP. This cannot be fixed even if you open a support ticket.
Many people tried that, it doesn't work.
GRE doesn't get dropped; it's just when connecting to UDP that it bans my IP. It's a part of their mitigation system, I guess. Their firewall gets ignored once DDoS mitigation starts; they move you to their scrubbing center, where you can't whitelist IPs or anything. You have zero control over it.
I think you are right. I'll stop trying; I spent too much time already trying to achieve an unachievable thing.
Thank you, I think you're right. I'll start making my own XDP firewall mitigation system and a small scrubbing center.
I made a typo. I meant that they just rate limit GRE when you are under attack, as they probably assume it's part of the attack. But yeah, the meaning is still the same.
Will point out that IPTables is on its way out and NFTables is now the one to use.
Looked at XDP Firewall and only has 634 stars on GitHub. Why not stick to Fail2ban or Crowdsec?
Also, do you know why you are being targeted so much for DDoS? Considered Cloudflare free tier?
@zeskar you can try using noez or novacloud instead of OVH and see how it goes. They are fairly cheap: noez is 2.5€/m and novacloud is 4.5€/m, and if you don't like them you can cancel anytime.
https://shop.novacloud-hosting.com/store/iptransit
https://noez.de/en/gre
Try tunneling with IPv6. IPv4 is filtered and 99% of protections will block or throttle it.