How to Set Up Windows Server 2019 GRE Tunnelling
Generic Routing Encapsulation (GRE) is a lightweight tunnelling protocol that encapsulates a wide variety of network layer protocols within virtual point-to-point links. Windows Server 2019 supports GRE tunnelling through the RAS Gateway, enabling L3 connectivity between tenant virtual networks and external physical networks without the overhead of IPsec or IKE. This guide covers planning, deployment, and verification of GRE tunnels on Windows Server 2019.
Understanding GRE Tunnelling in Windows Server 2019
GRE tunnels in Windows Server 2019 are implemented as part of the RAS Gateway feature. Unlike IKEv2 site-to-site VPNs, GRE tunnels do not provide encryption by default. They are typically used in SDN environments where the underlying network already provides security, or where high-throughput L3 routing between networks is needed without IPsec overhead. GRE tunnels operate at layer 3 and can carry IPv4 or IPv6 packets.
Installing Required Components
GRE tunnelling requires the Remote Access role with the RAS Gateway feature. Install it in multi-tenant mode for SDN environments or in standard VPN mode for simpler deployments:
Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools
Install-RemoteAccess -MultiTenancy
Confirm the installation state:
Get-WindowsFeature RemoteAccess | Select Name, InstallState
Get-RemoteAccess
Creating a GRE Tunnel Interface
GRE tunnels are created as S2S (site-to-site) VPN interfaces with the GRE protocol selected through the -GreTunnel switch. Each tunnel requires a source IP (the local gateway external IP) and a destination IP (the remote endpoint). Create a GRE tunnel for a tenant named Fabrikam, replacing the <local-gateway-external-IP> placeholder with the gateway's own external address:
Add-VpnS2SInterface `
    -Name "Fabrikam_GRE_Tunnel" `
    -GreTunnel `
    -SourceIpAddress "<local-gateway-external-IP>" `
    -Destination "198.51.100.20" `
    -GreKey 12345 `
    -IPv4Subnet "10.50.0.0/24:100" `
    -RoutingDomain "Fabrikam" `
    -PassThru
The GreKey parameter is a 32-bit integer used to differentiate multiple GRE tunnels between the same endpoints. Both sides of the tunnel must use the same key value.
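The key is a tunnel identifier that travels unencrypted in the GRE header, so it separates tunnels but is not a secret. The following added example (not part of the original guide) decodes a header laid out per RFC 2784 / RFC 2890; the function name `ConvertFrom-GreHeader` and the sample bytes are constructed for illustration, and the gateway is assumed to follow the standard layout.

```powershell
# Added example: decode a GRE header (RFC 2784 / RFC 2890 layout) from raw bytes.
function ConvertFrom-GreHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 4) { throw "GRE header needs at least 4 bytes" }

    $hasChecksum = [bool]($Bytes[0] -band 0x80)   # C bit
    $hasKey      = [bool]($Bytes[0] -band 0x20)   # K bit
    $hasSequence = [bool]($Bytes[0] -band 0x10)   # S bit
    $protocol    = (([int]$Bytes[2]) -shl 8) -bor ([int]$Bytes[3])

    $offset = 4
    if ($hasChecksum) { $offset += 4 }            # checksum + reserved field

    $key = $null
    if ($hasKey) {
        if ($Bytes.Length -lt ($offset + 4)) { throw "Truncated GRE key field" }
        # Big-endian 32-bit key; shift as [long] so the top bit cannot overflow
        $key = [uint32]((([long]$Bytes[$offset])     -shl 24) -bor
                        (([long]$Bytes[$offset + 1]) -shl 16) -bor
                        (([long]$Bytes[$offset + 2]) -shl 8)  -bor
                         ([long]$Bytes[$offset + 3]))
        $offset += 4
    }
    if ($hasSequence) { $offset += 4 }            # sequence number
    if ($Bytes.Length -lt $offset) { throw "Truncated GRE header" }

    [pscustomobject]@{
        Key           = $key                      # readable by anyone on the path
        ProtocolType  = '0x{0:X4}' -f $protocol   # 0x0800 = IPv4, 0x86DD = IPv6
        PayloadOffset = $offset                   # inner packet starts here, in clear
    }
}

# Constructed sample: K bit set, protocol type 0x0800 (IPv4), key 12345 (0x00003039),
# followed by the first byte of an inner IPv4 header (0x45).
[byte[]]$sample = 0x20,0x00, 0x08,0x00, 0x00,0x00,0x30,0x39, 0x45
ConvertFrom-GreHeader -Bytes $sample
```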
Connecting the GRE Tunnel
After creating the tunnel interface, establish the connection:
Connect-VpnS2SInterface -Name "Fabrikam_GRE_Tunnel"
Verify the tunnel state:
Get-VpnS2SInterface -Name "Fabrikam_GRE_Tunnel" | Select Name, ConnectionState, Protocol, Destination
The connection state should show as “Connected” once the remote endpoint is also configured and reachable.
Configuring Static Routes Through the GRE Tunnel
Once the tunnel is established, configure static routes to direct traffic through it. In a standard routing configuration, add a route pointing to the remote network via the GRE tunnel interface:
Set-VpnS2SInterface `
    -Name "Fabrikam_GRE_Tunnel" `
    -IPv4Subnet "172.20.0.0/16:10","10.200.0.0/8:20"
Verify the routes appear in the routing table:
Get-NetRoute | Where-Object {$_.RouteMetric -le 100 -and $_.DestinationPrefix -like "172.*"} | Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAlias
Using BGP Over GRE
A common deployment pattern is to run BGP over GRE tunnels to provide dynamic routing. After the tunnel is established, configure BGP to use the tunnel interface as the peering interface. First create the BGP router for the routing domain:
Add-BgpRouter `
    -RoutingDomain "Fabrikam" `
    -BgpIdentifier "10.50.0.1" `
    -LocalASN 65010
Then add a BGP peer whose peering IP is the remote end of the GRE tunnel:
Add-BgpPeer `
    -RoutingDomain "Fabrikam" `
    -Name "Fabrikam_Remote" `
    -LocalIPAddress "10.50.0.1" `
    -PeerIPAddress "10.50.0.2" `
    -LocalASN 65010 `
    -PeerASN 65020
Configuring Multiple GRE Tunnels
For environments with multiple branch offices or tenants, multiple GRE tunnels can be created. Each tunnel uses a unique GRE key and destination IP. Add a second tunnel for a different tenant:
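# Replace <local-gateway-external-IP> with this gateway's external address.
Add-VpnS2SInterface `
    -Name "Contoso_GRE_Tunnel" `
    -GreTunnel `
    -SourceIpAddress "<local-gateway-external-IP>" `
    -Destination "203.0.113.30" `
    -GreKey 67890 `
    -IPv4Subnet "10.60.0.0/24:100" `
    -RoutingDomain "Contoso" `
    -PassThru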
Connect-VpnS2SInterface -Name "Contoso_GRE_Tunnel"
List all VPN/GRE interfaces to confirm both tunnels are active:
Get-VpnS2SInterface | Select Name, Protocol, Destination, ConnectionState, GreKey
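As the number of tunnels grows, a quick consistency check catches key collisions and dead tunnels. The following is an added example, not part of the original guide: `Test-GreTunnelPlan` is a hypothetical helper, the third sample row (`Branch2_GRE_Tunnel`) is constructed to show a collision, and the property names are the ones selected in the command above.

```powershell
# Added example: flag GRE interfaces that share a Destination/GreKey pair,
# carry a key outside the 32-bit range, or are not connected.
function Test-GreTunnelPlan {
    param([Parameter(Mandatory)][object[]]$Interface)

    # Same endpoint and same key: the remote side cannot tell the tunnels apart.
    $Interface |
        Group-Object -Property { '{0} key={1}' -f (@($_.Destination) -join ','), $_.GreKey } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Issue   = 'Duplicate Destination/GreKey'
                Tunnels = ($_.Group.Name -join ', ')
                Detail  = $_.Name
            }
        }

    foreach ($i in $Interface) {
        $key = [long]$i.GreKey
        if ($key -lt 0 -or $key -gt 4294967295) {
            [pscustomobject]@{ Issue = 'GreKey outside 32-bit range'
                               Tunnels = $i.Name; Detail = "key=$key" }
        }
        if ($i.ConnectionState -ne 'Connected') {
            [pscustomobject]@{ Issue = 'Tunnel not connected'
                               Tunnels = $i.Name; Detail = "state=$($i.ConnectionState)" }
        }
    }
}

# Constructed sample rows shaped like Get-VpnS2SInterface output.
$sample = @(
    [pscustomobject]@{ Name = 'Fabrikam_GRE_Tunnel'; Destination = '198.51.100.20'
                       GreKey = 12345; ConnectionState = 'Connected' }
    [pscustomobject]@{ Name = 'Contoso_GRE_Tunnel';  Destination = '203.0.113.30'
                       GreKey = 67890; ConnectionState = 'Connected' }
    [pscustomobject]@{ Name = 'Branch2_GRE_Tunnel';  Destination = '198.51.100.20'
                       GreKey = 12345; ConnectionState = 'Disconnected' }
)
Test-GreTunnelPlan -Interface $sample | Format-Table -AutoSize

# On a live gateway: Test-GreTunnelPlan -Interface (Get-VpnS2SInterface)
```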
Firewall Configuration for GRE
GRE uses IP protocol number 47 (not a TCP/UDP port). Windows Firewall must allow inbound and outbound GRE traffic. Create the necessary firewall rules:
New-NetFirewallRule `
    -DisplayName "Allow GRE Inbound" `
    -Direction Inbound `
    -Protocol 47 `
    -Action Allow `
    -Profile Any
New-NetFirewallRule `
    -DisplayName "Allow GRE Outbound" `
    -Direction Outbound `
    -Protocol 47 `
    -Action Allow `
    -Profile Any
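The rules above accept protocol 47 from and to any address. Because GRE itself carries no encryption or authentication, a tighter variant limits the rules to the configured tunnel peers and then audits what is in place. This is an added example, not part of the original guide; the peer list reuses the -Destination values from this page and the rule display names are chosen here.

```powershell
# Added example: restrict GRE (IP protocol 47) to the tunnel peers used on this page.
$GrePeers = "198.51.100.20", "203.0.113.30"   # Fabrikam and Contoso tunnel destinations

foreach ($direction in "Inbound", "Outbound") {
    New-NetFirewallRule `
        -DisplayName "Allow GRE $direction (tunnel peers only)" `
        -Direction $direction `
        -Protocol 47 `
        -RemoteAddress $GrePeers `
        -Action Allow `
        -Profile Any
}

# Audit: list the GRE allow rules and flag any that still match every remote address.
Get-NetFirewallRule -DisplayName "Allow GRE*" | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Direction     = $_.Direction
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        RemoteAddress = ($addr.RemoteAddress -join ', ')
        Unrestricted  = ($addr.RemoteAddress -contains 'Any')
    }
} | Format-Table -AutoSize
```

Allow rules are additive, so the scoped rules only narrow exposure once any rule reported as Unrestricted has been disabled or removed.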
Monitoring GRE Tunnel Performance
Monitor the GRE tunnel statistics and connection state using these commands:
Get-RemoteAccessConnectionStatistics
Get-VpnS2SInterface -Name "Fabrikam_GRE_Tunnel" | Format-List *
Test end-to-end connectivity through the tunnel to a host on the remote network:
Test-NetConnection -ComputerName "172.20.1.1" -InformationLevel Detailed
Troubleshooting GRE Tunnels
If the tunnel fails to connect, check that IP protocol 47 is permitted through any intermediate firewalls. Verify the remote endpoint is reachable:
Test-NetConnection -ComputerName "198.51.100.20" -InformationLevel Detailed
Review Remote Access event logs for GRE-specific errors:
Get-WinEvent -LogName "Microsoft-Windows-RemoteAccess-Router/Operational" -MaxEvents 50 | Format-List TimeCreated, Id, Message
GRE tunnelling on Windows Server 2019 is a lightweight and flexible solution for inter-network routing in SDN and multi-tenant environments. When combined with BGP for dynamic routing, it provides a robust fabric for connecting tenant workloads to physical infrastructure without the complexity of full IPsec configuration.