Struggling with a reverse proxy

So, I've been setting up something to allow me to use nginx, OpenVPN, and an EC2 to have a remote proxy, mostly for the sake of hiding my actual IP address and security. The setup is as so: user -> [internet] -> AWS EC2 -> [OpenVPN] -> on_premises. The setup I expect to work is basically allowing inbound/outbound on 25565 and additionally OpenVPN's required ports. (The issue is the proxy doesn't work unless the IP address is EXPLICITLY stated in the Network ACL of the VPC bound to the EC2, for some unknown reason.) Basically at this point, I'm very prepared to rip everything out and start from scratch due to how long this is taking to get working, so, any solutions or alternative ways to host with a reverse proxy in place?
71 Replies
Error110 (2mo ago)
am I crazy or couldn't u just do a GRE tunnel if you have 2 machines
Error110 (2mo ago)
BitLaunch News and Guides
How to set up and configure a GRE tunnel
This guide will walk through the setup and configuration of a GRE tunnel between two Linux hosts. The two Linux hosts are running Ubuntu 22.04 LTS.
Error110 (2mo ago)
unless I'm missing something, I'm not the best when it comes to networking, but you could just GRE or run the proxy on the AWS VPS then link the servers to the main. I think there's an image of a setup like this, 1s
Error110 (2mo ago)
[image attachment, no description]
Error110 (2mo ago)
this is a proxy example, ofc the Oracle part can be an AWS machine if u wish
Upioti (2mo ago)
If he's home hosting, which by the setup I'm guessing he 100% is, this won't be possible as residential IPs are behind NAT and not dedicated, he won't receive GRE packets. Also why are you using AWS for the reverse? When there are like 2913883 better choices
DODECA (OP, 2mo ago)
Correctamundo. Also, eh? I dunno, just seemed like the easiest to set up, and I had someone helping me along with things. I kinda already got the OpenVPN part so it was just forwarding the traffic that had to be done
Error110 (2mo ago)
ahh, mb. I mean he can still do the proxy option
DODECA (OP, 2mo ago)
I mean this is effectively what I'm doing. My major issue is, the EC2 just refuses to let anyone else connect, so swapping the setup out wouldn't quite work if the server remains unreachable
Error110 (2mo ago)
ah
DODECA (OP, 2mo ago)
I've already set up network ACLs and so on and so forth to allow connections, SGs seem fine, had someone else look at it, everything looks good
Upioti (2mo ago)
Also why are you forwarding through OpenVPN? But like, why Amazon? AWS is expensive as shit. If the point was saving yourself the $25 bucks for TCPShield it won't really work for that
DODECA (OP, 2mo ago)
Just seemed easy? And I mean, if the connection succeeds is it really like, an issue? And I'm running under AWS free tier
Upioti (2mo ago)
Idk man, I used AWS free tier once for some experimentation then got an invoice for $70 worth of bandwidth costs
DODECA (OP, 2mo ago)
I didn't really know something like that existed, everything or most places suggested just running something similar to what I'm doing, so OpenVPN and nginx seemed to make sense, my IP itself is never directly revealed anywhere
Upioti (2mo ago)
Where did you even ask? They don't know about the existence of reverse proxy services 😭 For a low price you have the reverse setup with anycast and near perfect uptime figured out, in addition to actually doing something against DDoS attacks. OpenVPN and nginx.... both are just not... Is there any reason you can't point directly to your home IP? OpenVPN is gonna cause a massive performance hit
DODECA (OP, 2mo ago)
I mean, if I can save myself the trouble of just having my IP sit in a home record, I'm gonna do that. I know in the long run, if anything were to happen
Upioti (2mo ago)
Just obfuscate the DDNS
DODECA (OP, 2mo ago)
The lack of my IP being on the internet is not going to change something, but it at least lightens the load on my head
Upioti (2mo ago)
Or you can code a script to update the reverse backend every time your IP changes without the need for DDNS. So what exactly is the goal here? Just hiding your IP? DDoS protection?
DODECA (OP, 2mo ago)
The general goal is yeah, the first part, hiding my IP and any additional security I can grant myself beyond "don't open up 15 ports you don't need"
Upioti (2mo ago)
Did you try playit?
DODECA (OP, 2mo ago)
I was mostly avoiding it since I don't plan to exclusively use the reverse proxy for just Minecraft, or just a single server
Upioti (2mo ago)
I'm pretty sure playit supports any TCP/UDP application
DODECA (OP, 2mo ago)
If I'm gonna go from paying a server host 27 bucks a month to paying a service 30 bucks a month, it kinda defeats the point in my head (even if AWS is more expensive, if it runs under that 27 bucks, what do I care)
Upioti (2mo ago)
Playit is free??
DODECA (OP, 2mo ago)
Playit lists they have a limit of 4 ports, and I've got a lot more I'm planning to host in house. Misread, 3 bucks, not 30, so fair
Upioti (2mo ago)
Then do yourself a favor and at least upgrade to HAProxy and WireGuard. Ah, I miss the days when hosting was 30 bucks
DODECA (OP, 2mo ago)
I mean okay, as far as I'm getting, just scrap out the EC2, replace it with a proxy service (such as playit.gg), ?????, profit. Granted afais playit doesn't have an Ubuntu binary but, w/e
Upioti (2mo ago)
Is it for friends? You planning on hosting a public server? And I'm pretty sure they do have that or something similar because I know hosts that use them
DODECA (OP, 2mo ago)
mostly for friends, but at the same time I plan to host some other things, so a proxy service that just does whatever's needed is best. As for the Ubuntu binary, that's hashed, just using the raw binary seemed to handle it
Upioti (2mo ago)
I mean as long as you do nothing production then playit should be just fine
DODECA (OP, 2mo ago)
I mean that's kinda the end goal? Like sure, I'm not running anything I'm making money off of, but in the scope of things, being limited to exclusively TCP/UDP traffic is kinda ech, but I'll deal I guess
Upioti (2mo ago)
wdym ech, the internet consists of TCP/UDP
DODECA (OP, 2mo ago)
Coming back to this after a bit of reading, setting stuff up, and just fiddling with things, I'm unsure if I can even go with playit. Mostly due to their dedicated IPs being out of stock, and really wanting/needing the additional ports. Sure, I can just run absolutely everything for one server on a single port, which is oddly enough also their recommended way of doing things, but to me it just doesn't seem smart
Upioti (2mo ago)
I mean, everything else is pretty much paid so
DODECA (OP, 2mo ago)
I mean, I'm not chasing free, just not overly expensive, as long as it beats $330/yr I'm cool. Playit did beat that, but it lacks dedicated IPs and like, actual control over ports
Upioti (2mo ago)
You want an entire dedicated IP for <$30/m?
DODECA (OP, 2mo ago)
Even assuming PebbleHost is getting some crazy deal with bulk allocations of IP addresses, they do that for 30 a month
Upioti (2mo ago)
assigning one IP from your /24 block to a Minecraft server is very different from tunneling an entire IP
DODECA (OP, 2mo ago)
Yes - I very much know and get that, I'm grossly simplifying for the sake of just trying to get the point across of - I don't think playit actually has all the features I'd be looking for. Admittedly this wouldn't be an issue if I saw support for some form of DDNS, but I don't see that or a way to set that up? (And even then, I'd run out of tunnels)
Upioti (2mo ago)
hmmm, probably just get a VPS that allows tunneling and set up WireGuard. Vultr is fine ig, has a few locs. I have a friend that runs an entire gameserver host behind a Vultr WireGuard tunnel lol, not that I recommend it, but tbf his location is pretty fucked up for networking so that's basically the only choice if he wants to sell at $1/gb
DODECA (OP, 2mo ago)
I mean I'm gonna be really real with you, that puts me right back where I started. I'll check out Vultr though, since AWS was slowly forecasting me to eat up a ton of resources - which, I shouldn't entirely believe what they say, but erring on the side of caution
Upioti (2mo ago)
nono, AWS is expensive asf. Vultr / DigitalOcean / Oracle. Which location are you in? @DODECA
DODECA (OP, 2mo ago)
Oregon, US. So really anywhere that has a US-West server. Granted OVHcloud is like UNIRONICALLY 4 hours away from me
Upioti (2mo ago)
then just get an OVH VPS. I'd recommend off a reseller though so you could get the 10G bonus, you get some basic DDoS protection
DODECA (OP, 2mo ago)
so, assuming, I'd basically re-setup everything I previously had with a different VPS provider (so, OVHcloud), drop nginx(?), and replace the OpenVPN tunnel with WireGuard
Upioti (2mo ago)
Yes. Idk about you but OpenVPN gives me like 50-200mbps. Once you are within a VPN network I'm pretty sure you can just iptables forward traffic to the local VPN IP assigned to your backend server
Snow Kit (2mo ago)
Yeah, like Upioti said, it's definitely possible to use iptables to forward/NAT inbound connections to a service behind a VPN, however, you might need to ensure outbound traffic returns through the VPN. You can also just run Velocity on the VPS, which is lightweight enough to not cause performance issues, but is designed for Minecraft, so the player's IP shows up correctly to the backend server
Upioti (2mo ago)
The issue is he can't port forward I think? Or am I confusing?
Snow Kit (2mo ago)
Velocity over a VPN
Upioti (2mo ago)
Ah, I mean sure ¯\_(ツ)_/¯ But the VPN server will probably be 1GB RAM, 1 vCore. While it could be enough for Velocity, why not just run it on the backend server?
Snow Kit (2mo ago)
because Velocity itself is a reverse proxy. If he wants a simple reverse proxy to run on a VPS for a Minecraft server, then Velocity fits the bill
Upioti (2mo ago)
yes, but he's setting up a VPN anyways, why not just forward and take advantage of more resources on the backend host
Snow Kit (2mo ago)
yeah, Velocity solves the reverse proxy/forwarding part
Upioti (2mo ago)
# On the VPS: rewrite the destination of inbound TCP 25565 to the backend's VPN address
iptables -t nat -A PREROUTING -p tcp -d 69.69.69.69 --dport 25565 -j DNAT --to-destination 10.0.0.2:25565
# Masquerade the forwarded flow so replies from 10.0.0.2 come back through the VPS
# (also needs net.ipv4.ip_forward=1 and a FORWARD rule that permits the flow)
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.2 --dport 25565 -j MASQUERADE
¯\_(ツ)_/¯
Snow Kit (2mo ago)
okay, but how does the backend send data back to the server? Set the VPN as the default gateway? DNAT only works if you're using the machine running the NAT as your default gateway
Upioti (2mo ago)
I mean you should probably bind Velocity to the VPN IP
Snow Kit (2mo ago)
and source NAT will break the IP addresses of clients
Upioti (2mo ago)
Idk, I'm not sure, I have a friend that runs a host through a WireGuard tunnel so there's a way to not break them
Snow Kit (2mo ago)
anyways, I 100% agree that you can NAT on the VPS server running a VPN, but if the user will never run into a performance bottleneck and there's a tool designed for proxying Minecraft connections to a backend server, why not use it?
Aerospace911 (2mo ago)
are you still having this problem?
SilentBot (2mo ago)
Nginx streams w/ proxy-protocol support is still probably the "easier" way of doing it to get source IPs still working. As said, raw iptables isn't enough, as you lose the src address (IP bans, plugins which use IPs, e.g. alt checks). Velocity is more resource intensive as it's at the application protocol level. Though that can be seen as beneficial if you want to ensure a connection is authenticated against Mojang before ever reaching the backend, and you can run your VPN ban proxy plugins, etc. and prevent all that traffic reaching the backend, whereas nginx streams would just pass that right through
DODECA (OP, 2mo ago)
Yeah, that's one thing I'll be careful to actually ensure occurs. No, not quite, since I've just binned it all. Working this week so it'll be a bit before I actually hop back on to get things working, but I'll tackle it just using WireGuard n iptables/ufw. Additionally, as much as I know just running Velocity would be useful, this isn't for the sake of exclusively the Minecraft server, other things are running through this reverse proxy. If I just needed Minecraft and exclusively Minecraft proxied? I already have a Velocity instance running (but, since I realized I'd need a lot more, I tore that down for the time being - additionally because one (Minecraft) server would lock up, and lock up both the proxy and the other two)
Aerospace911 (2mo ago)
I'm using an nginx proxy paired with Tailscale. Here's my nginx config:
stream {
    server {
        # Port number the reverse proxy is listening on for Minecraft Java E>
        listen 25565;
        # The original Minecraft server address for Java Edition
        proxy_pass minecraftserver01:25565;
        proxy_protocol on;
    }
}
DODECA (OP, 2mo ago)
Yeah that's more or less my exact config I had set up
Aerospace911 (2mo ago)
what was your issue?
DODECA (OP, 2mo ago)
The issue came with the EC2 being unable to communicate with anyone not having their IP explicitly allowed in the ACL or SG
Aerospace911 (2mo ago)
you should use Oracle, they have free VMs
DODECA (OP, 2mo ago)
yeah, I'm now sorta learning that, but when I redo this I'll be using OVHcloud since they're just in my state. The rule was configured for custom TCP - (insert port) - 0.0.0.0/0 - allow, and same for the SG
SilentBot (5w ago)
You'd need to allow it through the security group, the network access control list, and the VM's firewall (if one is configured) on EC2