Return to

Linode protect home minecraft server ip? {solved}

Most of the days. through this week (spring break)

Later this afternoon I’ll be on. About 1.5 hrs from now. I’m tango time (MST) btw.

I guess why I’m out getting my workout done I suggest you read through my thread just so you have a working familiarity so I’m not like referencing it and you have no idea what I’m talking about.

I hate it when I went through it the first time too because wire guard was a little abstract for me. Just understanding that there’s not really one central key exchange is part of the process. It’s not a server client VPN it’s a peer-to-peer

What’s your discord handle and I will hit you up when I’m done

1 Like

I am going to grab a shower and do somethings. Message me on discord. Ill hear the ping.

1 Like

Ok wd

MEssing with linode

Once we get your tunnel working NGINX reverse proxy is simple. We just TCP stream

You will want to enable BBR on the nginx side: (open root terminal)
sysctl -w net.core.default_qdisc=fq

sysctl -w net.ipv4.tcp_congestion_control=bbr

sysctl -w net.ipv4.tcp_notsent_lowat=16384

sysctl -p


Now add a stream block to the main nginx.conf

stream {
include /etc/nginx/tcp.d/*.conf;

Thats all we need there. We can make the actual config block in that folder

SO create the file /etc/nginx/tcp.d/00-minecraft.conf

upstream [NAME] {
server {
listen [PORT_OF_CHOICE];
proxy_pass [NAME];

nginx -t


nginx -s reload

If you already have a domain name via name cheap or someone else. Add a SRV record

Name     _minecraft._tcp.[IP].tld
Priority [0-65535]
Weight   [0-65535]
Port     [PORT]
Value    [IP]

Just open the Port you want to use FIRST on both ends! You can also change the defualt port you want to listen on here without changing the port on the server side end

If you want an example of my stream block for DNS (similar): Infrastructure Series -- Recursive DNS and Adblocking DoT w/NGINX

@SgtAwesomesauce correct me if Im wrong but thats all he should need right? Nothing too special. No ssl needed on the stream. Im assuming minecraft handles it

1 Like

cool we got your tunnel working… excellent. see above

Yeah, looks good to me.

1 Like

quote of the night

“all the fuckin tutorials online for wireguard are absolute shit” ~ @Argone


hes not wrong

quick question, proxy_pass name does that need to be something?

1 Like

Yeah it needs to be the name of your tcp socket.

Aka the same as what you named upstream

So say upstream minecraft {

Then when you write proxy pass

It’s proxy_pass minecraft;

You define the socket port and IP in the upstream block.

Your proxy pass the upstream sockets name

Does that make sense?

ehhh the one on the wireguard site is good if you take a minute to think about it.

The issue is that it’s very simple config that isn’t easy to grok until you’ve done it.

1 Like

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful



Assuming you’ve allowed it through all sides firewalls. Connecting to your linode on that port should tcp proxy stream to your minecraft server at home. There’s a disadvantage you can’t IP ban so you can only user/account ban. The only IP connecting will show as your linode. Which is fine :wink:


Make it so we are in business!


Yes now make an image of that and stops spending so much money on a TCP relay

think about all your lynode is doing is behaving as a relay It’s not doing any chunk loading it’s not doing any of the sort All it does is take the packet request and forwards it then forwards the answer back to your Minecraft clients

one gigabyte there’s no reason to pay 20 dollars instead of 5

Good luck Glad it worked out for you

You also have an added benefit here. If you don’t tie the server to a URL and you just tie it to an IP like you’re doing…

If someone tries to DDOS you just turn down the lanode request a new IP turn the linode back on

Update your friends on the new IP done

Additionally if you do tie it to a URL. You can hand that out to people you trust and then keep the IP public. So when you change the IP you can change a DNS record and assuming your attacker doesn’t know your URL then your friends will automatically receive the updated IP and you don’t need to talk to them about it and you can just change the IP publicly posted :wink:

That’s not 100% foolproof but it’s pretty good

there are other methods such as rate limiting and engine x but you got to keep in mind that that comes with its own fair share of headaches

I hope that this gives you an appreciation for the level of automation that these hosting services do in order to host your Minecraft server not only on a URL but also to provide a rudimentary amounts of DDoS protection

P.S change the ssh port so you stop bots trying to brute force it
P.S disable root login, make a user
P.S disable cockpit web socket if it exists on the linode :wink:
P.S use public key auth for your ssh. Passwords are so 2020


I think we’re adding unnecessary complexity here. Everyone who suggested running a little Wireguard tunnel on a Linode VPS is providing sound technical advice, however I think you should focus on the underlying problem – who are you trying to keep out of your network?

If you still wanted to stand up an NGINX or HAproxy node in front of your server to act as a reverse proxy, that may be fine, but you should invest more time in securing your Minecraft server or whatever is open to the web. Only open the ports you absolutely need (19132?). Try securing your server with a robust firewall and Fail2ban:

Cloudflare offers free tier service that can also assist in protecting and securing your server, but it’s no replacement for investing the time to lock down your environment. YMMV, good luck with your project, sir.

1 Like

If you want it public facing so any friend can access it you could use Bungeecord, then use Wireguard to tunnel between local and the VPS, or open the port and add a plugin on the mc server to only allow users from the VPS static IP and local network to connect.

What i did was the nginx reverse proxy approach anyone can connect now. The plan is to have it a public server.

1 Like