How to add a GRE tunnel with ip tunnel

Adding a GRE tunnel with ip tunnel add is useful when two Linux hosts need a simple routed path across an existing IPv4 network. It is a practical choice for lab links, lightweight overlays, or point-to-point routing between sites without bringing in a full VPN stack.

The ip tunnel command creates a kernel tunnel interface that encapsulates inner packets in GRE and sends them to the remote outer endpoint. After the interface exists, it can be brought up, assigned an inner address, and used by routes like any other point-to-point link.

Both peers need matching outer endpoints and compatible inner addressing before traffic can pass. GRE does not add encryption or authentication, and a locally created interface only proves that the local tunnel definition is valid.

Steps to add a GRE tunnel with ip tunnel:

Confirm that the chosen local outer address already exists on the host before using it in the tunnel definition.
```
$ ip -brief address show
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.0.2.10/24 2001:db8:1::10/64
```
The local value in ip tunnel add must already belong to another interface. The inner tunnel subnet is configured separately on the new GRE interface.
Create the GRE tunnel interface with the local and remote outer endpoint addresses.
```
$ sudo ip tunnel add gre1 mode gre local 192.0.2.10 remote 198.51.100.10
```
No output usually means the tunnel object was created.
Bring the GRE interface up so the kernel can use it.
```
$ sudo ip link set dev gre1 up
```
Assign an inner address to the tunnel interface if it will carry routed traffic.
```
$ sudo ip address add 10.0.0.1/30 dev gre1
```
Configure the matching peer address on the remote host, such as 10.0.0.2/30, before testing traffic across the tunnel.

Verify the tunnel parameters recorded by the kernel.

$ ip tunnel show gre1
gre1: gre/ip remote 198.51.100.10 local 192.0.2.10 ttl inherit

Verify that the GRE interface is up and carrying the inner address.
```
$ ip address show dev gre1
12: gre1@NONE: &lt;POINTOPOINT,NOARP,UP,LOWER_UP&gt; mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 192.0.2.10 peer 198.51.100.10
    inet 10.0.0.1/30 scope global gre1
       valid_lft forever preferred_lft forever
```
The important checks are the UP flag, the correct outer endpoint pair, and the expected inner address. Tunnel interfaces commonly show state UNKNOWN even when the local configuration is usable.

The interface can exist locally before the far side is configured. End-to-end traffic still needs the matching remote tunnel, routes, and any firewall allowance for GRE.
Recreate the tunnel through the host's persistent network configuration if it should survive a reboot.

ip tunnel add changes runtime state only.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.