Most of the days through this week (spring break).
Later this afternoon I’ll be on. About 1.5 hrs from now. I’m on tango time (MST) btw.
I guess while I’m out getting my workout done, I suggest you read through my thread just so you have a working familiarity, so I’m not referencing it and you have no idea what I’m talking about.
I hated it when I went through it the first time too, because WireGuard was a little abstract for me. Just understanding that there’s not really one central key exchange is part of the process. It’s not a server/client VPN, it’s peer-to-peer.
What’s your discord handle and I will hit you up when I’m done
I am going to grab a shower and do some things. Message me on Discord. I’ll hear the ping.
Ok wd
Messing with Linode
Once we get your tunnel working, the NGINX reverse proxy is simple. We just TCP stream.
You will want to enable BBR on the nginx side (open a root terminal):

```shell
# enable BBR congestion control on the relay host
sysctl -w net.core.default_qdisc=fq
sysctl -w net.ipv4.tcp_congestion_control=bbr
sysctl -w net.ipv4.tcp_notsent_lowat=16384
# -w applies at runtime only; sysctl -p reloads /etc/sysctl.conf,
# so add the same three lines there to keep them across reboots
sysctl -p
```
Done
Now add a stream block to the main nginx.conf:

```nginx
stream {
    include /etc/nginx/tcp.d/*.conf;
}
```

That’s all we need there. We can make the actual config block in that folder.
So create the file /etc/nginx/tcp.d/00-minecraft.conf:

```nginx
# [YOUR_MINECRAFT_SERVER IP_INTERNAL/HOME] is the home server's address as
# reached from the Linode (over the WireGuard tunnel), with its server port
upstream [NAME] {
    server [YOUR_MINECRAFT_SERVER IP_INTERNAL/HOME]:[PORT_OF_SERV];
}

# the port the Linode listens on publicly; connections are proxied to the upstream
server {
    listen [PORT_OF_CHOICE];
    proxy_pass [NAME];
}
```

Test the config, then reload:

```shell
nginx -t          # syntax check
nginx -s reload   # apply the new stream config
```
If you already have a domain name via Namecheap or someone else, add an SRV record:
Name: _minecraft._tcp.[IP].tld
Priority: [0-65535]
Weight: [0-65535]
Port: [PORT]
Value: [IP]
Just open the port you want to use FIRST on both ends! You can also change the default port you want to listen on here without changing the port on the server side.
If you want an example of my stream block for DNS (similar): Infrastructure Series -- Recursive DNS and Adblocking DoT w/NGINX
@SgtAwesomesauce correct me if I’m wrong, but that’s all he should need, right? Nothing too special. No SSL needed on the stream. I’m assuming Minecraft handles it.
Cool, we got your tunnel working… excellent. See above.
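Once nginx -t passes and the relay is reloaded, a handshake-level check shows whether the stream really forwards Minecraft traffic end to end. Added example, not code from the thread: a minimal Minecraft Java Edition server-list ping in Python; the relay host and port are whatever you pass in, and protocol version 47 is an arbitrary choice since a status query accepts any version.

```python
# Added example (not the thread's code): minimal Minecraft Java Edition server-list
# ping, to check that the Linode's NGINX TCP stream really relays to the home server.
# Assumes the relay host/port you pass in; protocol version 47 is an arbitrary pick.
import json
import socket

def encode_varint(value: int) -> bytes:
    """Minecraft VarInt: 7 data bits per byte, high bit set on all but the last."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(out + bytes([value]))

def read_varint(sock: socket.socket) -> int:
    """Read one VarInt from a connected socket (at most 5 bytes)."""
    result, shift = 0, 0
    while shift < 35:
        b = sock.recv(1)
        if not b:
            raise ConnectionError("connection closed mid-VarInt")
        result |= (b[0] & 0x7F) << shift
        if not b[0] & 0x80:
            return result
        shift += 7
    raise ValueError("VarInt too long")

def frame(packet_id: int, payload: bytes) -> bytes:
    """Uncompressed packet: VarInt(length) + VarInt(id) + payload."""
    body = encode_varint(packet_id) + payload
    return encode_varint(len(body)) + body

def build_handshake(host: str, port: int, protocol_version: int = 47) -> bytes:
    """Handshake 0x00: protocol version, server address, port, next_state=1 (status)."""
    name = host.encode()
    return frame(0x00, encode_varint(protocol_version) + encode_varint(len(name)) + name
                 + port.to_bytes(2, "big") + encode_varint(1))

def status_ping(host: str, port: int = 25565, timeout: float = 5.0) -> dict:
    """Send handshake + status request (0x00), return the parsed status JSON."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake(host, port) + frame(0x00, b""))
        read_varint(s)                      # total packet length, not needed here
        if read_varint(s) != 0x00:
            raise ValueError("unexpected packet id in status response")
        want, data = read_varint(s), b""    # JSON string length, then its bytes
        while len(data) < want:
            chunk = s.recv(want - len(data))
            if not chunk:
                raise ConnectionError("connection closed mid-status")
            data += chunk
        return json.loads(data.decode())
```

Run status_ping against the Linode's public IP and listen port; a parsed status dict means the whole relay path, including the tunnel, is working.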
Yeah, looks good to me.
quote of the night
“all the fuckin tutorials online for wireguard are absolute shit” ~ @Argone
LOL
He’s not wrong.
Quick question: proxy_pass name, does that need to be something?
Yeah, it needs to be the name of your TCP socket.
Aka the same as what you named the upstream.
So say upstream minecraft {
Then when you write proxy_pass
It’s proxy_pass minecraft;
You define the socket port and IP in the upstream block.
Your proxy_pass takes the upstream socket’s name.
Does that make sense?
Ehhh, the one on the WireGuard site is good if you take a minute to think about it.
The issue is that it’s a very simple config that isn’t easy to grok until you’ve done it.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Lol
Assuming you’ve allowed it through all sides’ firewalls, connecting to your Linode on that port should TCP proxy stream to your Minecraft server at home. There’s a disadvantage: you can’t IP ban, so you can only user/account ban. The only IP connecting will show as your Linode. Which is fine.
So
Make it so
45.79.183.159:25565 we are in business!
Yes, now make an image of that and stop spending so much money on a TCP relay.
Think about it: all your Linode is doing is behaving as a relay. It’s not doing any chunk loading, it’s not doing anything of the sort. All it does is take the packet request and forward it, then forward the answer back to your Minecraft clients.
One gigabyte. There’s no reason to pay 20 dollars instead of 5.
Good luck. Glad it worked out for you.
You also have an added benefit here. If you don’t tie the server to a URL and you just tie it to an IP like you’re doing…
If someone tries to DDoS you, just turn down the Linode, request a new IP, turn the Linode back on.
Update your friends on the new IP. Done.
Additionally, if you do tie it to a URL, you can hand that out to people you trust and then keep the IP public. So when you change the IP you can change a DNS record, and assuming your attacker doesn’t know your URL, your friends will automatically receive the updated IP and you don’t need to talk to them about it; you can just change the publicly posted IP.
That’s not 100% foolproof, but it’s pretty good.
There are other methods such as rate limiting in NGINX, but you’ve got to keep in mind that that comes with its own fair share of headaches.
I hope that this gives you an appreciation for the level of automation that these hosting services do in order to host your Minecraft server not only on a URL but also to provide a rudimentary amount of DDoS protection.
P.S. Change the SSH port so you stop bots trying to brute force it.
P.S. Disable root login, make a user.
P.S. Disable the Cockpit web socket if it exists on the Linode.
P.S. Use public key auth for your SSH. Passwords are so 2020.
I think we’re adding unnecessary complexity here. Everyone who suggested running a little WireGuard tunnel on a Linode VPS is providing sound technical advice; however, I think you should focus on the underlying problem – who are you trying to keep out of your network?
If you still wanted to stand up an NGINX or HAproxy node in front of your server to act as a reverse proxy, that may be fine, but you should invest more time in securing your Minecraft server or whatever is open to the web. Only open the ports you absolutely need (19132?). Try securing your server with a robust firewall and Fail2ban: http://www.fail2ban.org/
Cloudflare offers a free-tier service that can also assist in protecting and securing your server, but it’s no replacement for investing the time to lock down your environment. YMMV, good luck with your project, sir.
If you want it public facing so any friend can access it, you could use BungeeCord, then use WireGuard to tunnel between local and the VPS, or open the port and add a plugin on the MC server to only allow users from the VPS static IP and local network to connect.
What I did was the NGINX reverse proxy approach; anyone can connect now. The plan is to have it be a public server.