Hats Network | LogoHats Network
Peering

Peering via Layer 3 Tunnel

Configure Layer 3 tunnel peering with AS203314 using WireGuard, GRE, or SIT/ip6gre protocols.

Layer 3 tunnels encapsulate IP packets at the network layer. This is the recommended approach for most peering scenarios due to lower overhead and better performance compared to Layer 2 tunneling.

Layer 3 Tunnel Overview

In all examples below, replace placeholder values with your actual configuration:

  • {name} — Tunnel interface name
  • {yourside ip} — Your public IP address
  • {ourside ip} — Our endpoint IP address
  • {yourside port} — Your source port (WireGuard)
  • {ourside port} — Our destination port (WireGuard)
  • {your tunnel ip cidr} — Your tunnel IP/subnet
  • {our public key} — Our WireGuard public key
  • {your private key} — Your WireGuard private key

WireGuard

WireGuard is a modern, lightweight VPN protocol that provides encrypted Layer 3 tunneling. It's our recommended choice for secure peering due to its simplicity and performance.

Create a WireGuard configuration file:

/etc/wireguard/{name}.conf
[Interface]
Address    = {your tunnel ip cidr}
ListenPort = {yourside port}
PrivateKey = {your private key}
# Disable WireGuard's built-in routing table management when using
# an external routing daemon (e.g. BIRD, FRR)
Table = off

[Peer]
PublicKey           = {our public key}
AllowedIPs          = 0.0.0.0/0, ::/0
Endpoint            = {ourside ip}:{ourside port}
PersistentKeepalive = 25
  1. Create the .netdev file:
/etc/systemd/network/10-{name}.netdev
[NetDev]
Name = {name}
Kind = wireguard

[WireGuard]
ListenPort = {yourside port}
PrivateKey = {your private key}

[WireGuardPeer]
PublicKey           = {our public key}
AllowedIPs          = 0.0.0.0/0, ::/0
Endpoint            = {ourside ip}:{ourside port}
PersistentKeepalive = 25
  1. Configure the tunnel IP address:
/etc/systemd/network/10-{name}.network
[Match]
Name = {name}

[Network]
Address = {your tunnel ip cidr}
  1. Apply the configuration:
systemctl restart systemd-networkd

Enable and start the WireGuard service (wg-quick only):

systemctl enable --now wg-quick@{name}

GRE Tunnel

GRE (Generic Routing Encapsulation) operates at Layer 3 and is suitable for routing IPv4/IPv6 traffic over an IPv4 underlay. It's simple, widely-supported, and has minimal overhead.

ip tunnel add {name} mode gre local {yourside ip} remote {ourside ip} ttl 255
ip addr add {your tunnel ip cidr} dev {name}
ip link set dev {name} up
  1. Create a Netplan configuration file:
/etc/netplan/10-{name}.yaml
network:
  version: 2
  tunnels:
    { name }:
      mode: gre
      local: { yourside ip }
      remote: { ourside ip }
      ttl: 255
      addresses:
        - { your tunnel ip cidr }
  1. Apply the configuration:
netplan apply
  1. Create the .netdev file:
/etc/systemd/network/10-{name}.netdev
[NetDev]
Name = {name}
Kind = gre

[Tunnel]
Local  = {yourside ip}
Remote = {ourside ip}
TTL    = 255
  1. Configure the tunnel IP address:
/etc/systemd/network/10-{name}.network
[Match]
Name = {name}

[Network]
Address = {your tunnel ip cidr}
  1. Apply the configuration:
systemctl restart systemd-networkd

SIT / ip6gre (IPv6 Tunneling)

SIT (Simple Internet Transition) tunnels IPv6 traffic over an IPv4 underlay and is commonly used for 6in4 connectivity.

ip6gre provides full GRE encapsulation for IPv6 and is preferred when you need GRE key support or multi-protocol capability.

# SIT: IPv6-in-IPv4
ip tunnel add {name} mode sit local {yourside ipv4} remote {ourside ipv4} ttl 255
ip addr add {your tunnel ipv6 cidr} dev {name}
ip link set dev {name} up
# ip6gre: GRE over IPv4 carrying IPv6
ip tunnel add {name} mode ip6gre local {yourside ipv4} remote {ourside ipv4} ttl 255
ip addr add {your tunnel ipv6 cidr} dev {name}
ip link set dev {name} up
  1. Create a Netplan configuration file:
/etc/netplan/10-{name}.yaml
network:
  version: 2
  tunnels:
    { name }:
      # Use 'sit' for 6in4, or 'ip6gre' for GRE-encapsulated IPv6
      mode: sit
      local: { yourside ipv4 }
      remote: { ourside ipv4 }
      ttl: 255
      addresses:
        - { your tunnel ipv6 cidr }
  1. Apply the configuration:
netplan apply
  1. Create the .netdev file:
/etc/systemd/network/10-{name}.netdev
[NetDev]
Name = {name}
# Kind = sit   (for 6in4)
# Kind = ip6gre (for GRE over IPv4 carrying IPv6)
Kind = sit

[Tunnel]
Local  = {yourside ipv4}
Remote = {ourside ipv4}
TTL    = 255
  1. Configure the tunnel IP address:
/etc/systemd/network/10-{name}.network
[Match]
Name = {name}

[Network]
Address = {your tunnel ipv6 cidr}
  1. Apply the configuration:
systemctl restart systemd-networkd

Protocol Comparison

ProtocolEncryptionIPv4IPv6OverheadNAT Traversal
WireGuardYes32 bytesGood (UDP)
GRENo28 bytesLimited
SITNoN/A20 bytesLimited
ip6greNoN/A28 bytesLimited

Protocol Selection Guide

  • WireGuard: Best for secure peering, supports both IPv4 and IPv6
  • GRE: Simple, widely-supported, good for IPv4 peering
  • SIT/ip6gre: Use when you only need IPv6 transport over IPv4

MTU Considerations

Layer 3 tunnels add overhead to each packet. Adjust your MTU accordingly:

ProtocolOverheadRecommended MTU
WireGuard32 bytes1468
GRE28 bytes1472
SIT20 bytes1480
ip6gre28 bytes1472

Example for WireGuard:

ip link set dev {name} mtu 1468

Next Steps

Once you have configured the tunnel:

  1. Verify connectivity using ping or traceroute
  2. Configure your BGP daemon (BIRD, FRR, etc.) to use the tunnel interface
  3. Contact us to finalize the peering session

After successfully setting up the tunnel, contact us to finalize the peering session with AS203314.

Peering via Layer 2 Tunnel

Configure Layer 2 tunnel peering with AS203314 using GRETAP or VxLAN protocols.

IP Transit Services

IP-Transit services from Hats Network Inc. (AS203314) across Asia and Europe. High-quality bandwidth with diverse upstream connectivity.

On this page

WireGuard
GRE Tunnel
SIT / ip6gre (IPv6 Tunneling)
Protocol Comparison
MTU Considerations
Next Steps