How to Set Up Windows Server 2016 GRE Tunnel Interface
Generic Routing Encapsulation (GRE) is a tunnelling protocol that encapsulates a wide variety of network layer protocols inside virtual point-to-point links. Windows Server 2016 introduces native GRE tunnel support through the RAS Gateway, enabling organisations to create lightweight, stateless tunnels between gateway endpoints without the overhead of encryption. GRE tunnels are particularly useful in SDN environments where the network overlay already handles security, and performance is the priority.
This tutorial explains how to set up a GRE tunnel interface on Windows Server 2016, covering the role installation, tunnel creation, routing configuration, and operational verification.
When to Use GRE Tunnels
GRE tunnels are ideal in scenarios where you need to connect two network segments through an intermediate IP network without the overhead of IPsec encryption. Common use cases include connecting branch offices to a central SDN fabric, extending tenant networks across a datacenter interconnect, and providing a transport path for protocols that do not natively route across your WAN (such as multicast). Unlike IPsec tunnels, GRE does not provide encryption or authentication, so it should be deployed only where the underlying transport is trusted or where security is handled at another layer.
Prerequisites
Ensure the Remote Access role is installed on the server that will host the GRE tunnel endpoint. If not already installed:
Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools
Verify successful installation:
Get-WindowsFeature -Name RemoteAccess
Step 1 — Enable Multitenant Mode
GRE tunnels on Windows Server 2016 operate under the multitenant gateway mode. Enable it with:
Install-RemoteAccess -MultiTenancy
Confirm multitenant mode is active:
Get-RemoteAccess
Step 2 — Create a GRE Tunnel Interface
Add a GRE tunnel interface using the Add-VpnS2SInterface cmdlet with the GRE protocol type. Specify the local and remote tunnel endpoints:
Add-VpnS2SInterface `
-Name "GRE-Tunnel-Tenant1" `
-Protocol GRE `
-Destination "203.0.113.50" `
-IPv4Subnet "10.2.0.0/24:100" `
-GreKey 12345 `
-Persistent
The GreKey parameter is an optional 32-bit identifier used to distinguish multiple GRE tunnels between the same pair of endpoints. Configure the same key on both ends of the tunnel. The key only identifies the tunnel; like the rest of GRE, it provides no authentication.
Step 3 — Verify the Tunnel Interface
Confirm the tunnel was created and check its current status:
Get-VpnS2SInterface -Name "GRE-Tunnel-Tenant1"
The ConnectionState should show Connected once traffic flows through the tunnel. If it remains in a Disconnected state, verify that the remote endpoint is reachable and that GRE traffic (IP protocol 47) is permitted by any firewall or ACL between the two endpoints.
Step 4 — Configure Routing for the Tunnel
Add static routes to direct traffic for the remote network through the GRE tunnel interface:
Set-VpnS2SInterface `
-Name "GRE-Tunnel-Tenant1" `
-IPv4Subnet "10.2.0.0/24:100","10.3.0.0/24:200"
Alternatively, use the routing table directly to add a persistent route over the tunnel:
route add 10.2.0.0 mask 255.255.255.0 0.0.0.0 IF <InterfaceIndex> -p
Replace <InterfaceIndex> with the index of the GRE tunnel interface, which you can find with:
Get-NetAdapter | Where-Object { $_.Name -like "*GRE*" }
Step 5 — Enable BGP Over the GRE Tunnel
For dynamic routing, configure BGP to run over the GRE tunnel. First ensure the BGP router is initialised:
Add-BgpRouter -BgpIdentifier "192.168.1.1" -LocalASN 65100
Then add a BGP peer using the remote tunnel endpoint address:
Add-BgpPeer `
-Name "GRE-Peer-Tenant1" `
-LocalIPAddress "192.168.1.1" `
-PeerIPAddress "192.168.1.2" `
-PeerASN 65101 `
-OperationMode Mixed `
-PeeringMode Automatic
Step 6 — Test Connectivity Through the Tunnel
Once the tunnel is up and routing is configured, test connectivity to a host on the remote network through the tunnel:
Test-NetConnection -ComputerName "10.2.0.10" -TraceRoute
The trace route output should show the path going through the tunnel endpoint rather than the standard gateway.
Step 7 — View Tunnel Statistics
Monitor the GRE tunnel for packet counts and error rates:
Get-VpnS2SInterface -Name "GRE-Tunnel-Tenant1" | Select-Object *
Get-NetAdapterStatistics | Where-Object { $_.Name -like "*GRE*" }
Firewall Considerations
GRE operates at the IP layer using protocol number 47. Ensure that any Windows Firewall or physical firewall rules between the tunnel endpoints allow IP protocol 47. Unlike TCP/UDP-based tunnels, GRE does not use port numbers. On Windows Firewall, add a rule to allow the GRE protocol:
New-NetFirewallRule `
-DisplayName "Allow GRE Protocol" `
-Direction Inbound `
-Protocol 47 `
-Action Allow
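The rule above accepts IP protocol 47 from any source address, and GRE itself authenticates nothing, so it is worth checking that inbound GRE is limited to the tunnel peer. The following audit is an added example, not part of the original tutorial; the helper name Get-UnscopedGreRule is hypothetical, and the interface name and rule display name are the ones used on this page.

```powershell
# Added example: flag inbound allow rules that accept GRE (IP protocol 47)
# from anywhere other than the tunnel peer. Get-UnscopedGreRule is a
# hypothetical helper name, not a built-in cmdlet.
function Get-UnscopedGreRule {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedPeer
    )
    Get-NetFirewallPortFilter -Protocol 47 |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow'
        } |
        ForEach-Object {
            $rule = $_
            # RemoteAddress is 'Any' or a list of address strings.
            $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
            $extra = @($remote | Where-Object { $_ -notin $AllowedPeer })
            if ($extra.Count -gt 0) {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    RemoteAddress = $remote -join ', '
                    NotThePeer    = $extra -join ', '
                }
            }
        }
}

# Peer address comes from the tunnel definition created in Step 2.
$peer = @((Get-VpnS2SInterface -Name 'GRE-Tunnel-Tenant1').Destination)
$findings = @(Get-UnscopedGreRule -AllowedPeer $peer)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Narrow the rule from this section to the peer only:
    # Set-NetFirewallRule -DisplayName 'Allow GRE Protocol' -RemoteAddress $peer
} else {
    "Inbound GRE allow rules are limited to $($peer -join ', ')"
}
```

Run it in an elevated PowerShell session on the gateway. The comparison is a plain string match, so a rule scoped with a subnet or range that contains the peer is still listed for manual review.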
Conclusion
GRE tunnel interfaces on Windows Server 2016 provide a flexible, lightweight mechanism for creating network overlays and extending connectivity across IP networks. When combined with BGP for dynamic routing and deployed within an SDN architecture, GRE tunnels form an important part of the connectivity toolkit available to network administrators. By following the steps in this tutorial, you can establish reliable GRE tunnels between sites and integrate them into your existing routing and SDN infrastructure.