How to Configure Windows Server 2016 GRE Tunnelling

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links. Windows Server 2016 supports GRE tunneling as part of its RAS Gateway feature set, making it particularly useful in Software Defined Networking (SDN) environments for connecting virtual networks to physical networks or for tenant-to-tenant connectivity across shared infrastructure.

GRE tunnels in Windows Server 2016 are stateless and lightweight, with no built-in encryption or authentication. They are typically used in conjunction with network virtualization policies that provide tenant isolation. Unlike IPsec, GRE adds no authentication overhead, which makes it faster, but any confidentiality or integrity protection the traffic needs must be provided at another layer.

In the Windows Server 2016 SDN context, GRE is one of three encapsulation methods supported by the RAS Gateway alongside IPsec and L3 routing. GRE tunnels are often used when a tenant needs to connect their virtual network (running on HNV) to a remote physical site over the datacenter fabric.

Prerequisites

To configure GRE tunneling, the following must be in place: Windows Server 2016 with the Remote Access role installed, the Routing component enabled, at least two network interfaces (internal and external), IP connectivity between the tunnel endpoints, and PowerShell with administrative privileges. In a full SDN deployment, Network Controller should also be available.

Step 1: Install the Remote Access Role

Install the Remote Access role and the Routing component:

Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

Configure RRAS for routing only (no VPN dial-in required for GRE-only setups):

Install-RemoteAccess -VpnType RoutingOnly

Verify that RRAS is running:

Get-Service RemoteAccess | Select-Object Status, Name

Step 2: Create a GRE Interface

Windows Server 2016 uses the VpnS2SInterface cmdlet to configure GRE tunnels as site-to-site VPN interfaces. Create a GRE interface specifying the remote tunnel endpoint and the local endpoint:

Add-VpnS2SInterface -Name "GRE-Tunnel1" -GreTunnel -Destination 203.0.113.100 -IPv4Subnet @("10.20.0.0/24:1") -SourceIpAddress 198.51.100.1

In this command, the -GreTunnel switch selects GRE encapsulation, Destination is the remote tunnel endpoint IP, SourceIpAddress is the local external IP, and IPv4Subnet specifies the remote network to route through the tunnel, followed by its metric after the colon.

Step 3: Set the GRE Key

GRE supports an optional 32-bit key field that can be used to distinguish between multiple tunnels sharing the same endpoints. Set the GRE key if required by the remote end:

Set-VpnS2SInterface -Name "GRE-Tunnel1" -GreKey 12345

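Both ends of the tunnel must use the same GRE key for the encapsulation to work. If the remote end does not use a key, omit this step. The key only identifies the tunnel: it is carried unencrypted in the GRE header and does not authenticate the peer.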

Step 4: Connect the GRE Tunnel

Bring the tunnel interface up to initiate the GRE session:

Connect-VpnS2SInterface -Name "GRE-Tunnel1"

Check the connection status:

Get-VpnS2SInterface -Name "GRE-Tunnel1"

The ConnectionState should show as “Connected” once the tunnel is established. If it shows “Disconnected”, verify IP reachability between endpoints and check firewall rules.

Step 5: Verify the Routing Table

Once the GRE tunnel is up, verify that routes are correctly installed for the remote network:

Get-NetRoute -AddressFamily IPv4 | Where-Object {$_.NextHop -ne "0.0.0.0"}

You should see a route for the remote subnet (10.20.0.0/24 in the example) pointing through the GRE tunnel interface.

Step 6: Add Static Routes via the GRE Tunnel

To route additional networks through the GRE tunnel, add static routes that use the tunnel interface and a next hop on the remote subnet:

New-NetRoute -DestinationPrefix "10.30.0.0/24" -InterfaceAlias "GRE-Tunnel1" -NextHop 10.20.0.1

Step 7: Configure Firewall Rules for GRE Traffic

GRE uses IP protocol number 47 (not TCP or UDP). Add a Windows Firewall rule to allow GRE traffic:

New-NetFirewallRule -DisplayName "Allow GRE" -Direction Inbound -Protocol 47 -Action Allow
New-NetFirewallRule -DisplayName "Allow GRE Outbound" -Direction Outbound -Protocol 47 -Action Allow
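
The two rules above allow protocol 47 to and from any address. The following added example (not part of the original article) replaces them with rules limited to the two tunnel endpoints from Step 2, then lists every enabled protocol-47 allow rule with its address scope. The rule names "GRE from peer" and "GRE to peer" are chosen here for illustration.

```powershell
# Added example. Addresses are the documentation values used in Step 2.
$LocalEndpoint  = '198.51.100.1'    # local external IP (SourceIpAddress)
$RemoteEndpoint = '203.0.113.100'   # remote tunnel endpoint (Destination)

# Remove the unscoped rules from Step 7 if they were already created.
Get-NetFirewallRule -DisplayName 'Allow GRE', 'Allow GRE Outbound' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Settings shared by both directions: GRE only, between the two endpoints only.
$scope = @{
    Protocol      = '47'
    Action        = 'Allow'
    LocalAddress  = $LocalEndpoint
    RemoteAddress = $RemoteEndpoint
}
New-NetFirewallRule @scope -DisplayName 'GRE from peer' -Direction Inbound  | Out-Null
New-NetFirewallRule @scope -DisplayName 'GRE to peer'   -Direction Outbound | Out-Null

# Audit: show every enabled allow rule for protocol 47 and flag any that
# still accept GRE from an arbitrary remote address.
Get-NetFirewallPortFilter -Protocol 47 |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            LocalAddress  = $addr.LocalAddress  -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Unscoped      = ($addr.RemoteAddress -contains 'Any')
        }
    } |
    Format-Table -AutoSize
```

Any row with Unscoped set to True is a rule that still admits GRE packets from sources other than the tunnel peer.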

Step 8: Test End-to-End Connectivity

Once the tunnel is up and routes are in place, test connectivity through the tunnel by pinging a host on the remote network:

Test-NetConnection -ComputerName 10.20.0.10 -InformationLevel Detailed

If the ping succeeds, the GRE tunnel is operating correctly. Use tracert to verify the path goes through the tunnel:

tracert 10.20.0.10
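
The checks from the steps above can be collected into one script. This is an added example, not part of the original article; the function name Test-GreTunnelHealth is hypothetical, and the tunnel name, prefix and probe host are the values used in Steps 2 to 8.

```powershell
# Added example. Values are the ones used in Steps 2-8 of this guide.
$TunnelName   = 'GRE-Tunnel1'
$RemotePrefix = '10.20.0.0/24'
$RemoteHost   = '10.20.0.10'

function Test-GreTunnelHealth {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$ProbeHost
    )

    # Helper so every check is reported in the same shape.
    function New-Result($Check, $Pass, $Detail) {
        [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }
    }

    # Step 1: RRAS must be running.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    New-Result 'RRAS service running' ($svc.Status -eq 'Running') $svc.Status

    # Step 4: the S2S interface must report Connected.
    $iface = Get-VpnS2SInterface -Name $Name -ErrorAction SilentlyContinue
    New-Result 'Interface connected' ($iface.ConnectionState -eq 'Connected') $iface.ConnectionState

    # Step 5: the remote prefix must be routed through the tunnel interface.
    $route = Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue |
        Where-Object InterfaceAlias -eq $Name
    New-Result 'Route via tunnel' ($null -ne $route) ($route.NextHop -join ',')

    # Step 7: at least one enabled inbound allow rule for IP protocol 47.
    $rules = Get-NetFirewallPortFilter -Protocol 47 -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound' }
    New-Result 'Inbound protocol 47 allowed' ($null -ne $rules) ($rules.DisplayName -join ',')

    # Step 8: a host on the remote network answers ICMP echo.
    $ping = Test-NetConnection -ComputerName $ProbeHost -WarningAction SilentlyContinue
    New-Result 'Remote host answers ping' $ping.PingSucceeded $ping.RemoteAddress
}

Test-GreTunnelHealth -Name $TunnelName -Prefix $RemotePrefix -ProbeHost $RemoteHost |
    Format-Table -AutoSize
```

The first row with Pass set to False points to the step to revisit; the script only checks the local host, so firewalls and NAT devices between the endpoints still have to be verified separately.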

Troubleshooting GRE Tunnels

If connectivity fails, check the following. Verify that protocol 47 is allowed through any external firewalls or NAT devices between the endpoints. Confirm that both sides have matching GRE key configurations. Check that the RRAS service is running and the interface shows Connected. Review the Event Viewer logs under System and Application for RRAS-related errors.

GRE tunneling in Windows Server 2016 provides a fast, flexible mechanism for network connectivity in SDN and multi-tenant environments.