Struggling with a reverse proxy
So, I've been setting up something to allow me to use nginx, OpenVPN, and an EC2 instance to have a remote proxy, mostly for the sake of hiding my actual IP address and for security.
The setup is as so:
user -> [internet] -> AWS EC2 -> [OpenVPN] -> on_premises
The setup I expect to work is basically allowing inbound/outbound on 25565
and additionally OpenVPN's required ports.
(The issue is the proxy doesn't work unless the IP address is EXPLICITLY stated in the Network ACL of the VPC bound to the EC2, for some unknown reason)
Basically at this point, I'm very prepared to rip everything out and start from scratch due to how long this is taking to get working, so, any solutions or alternative ways to host with a reverse proxy in place?
am I crazy or couldn't you just do a GRE tunnel
if you have 2 machines
BitLaunch News and Guides
How to set up and configure a GRE tunnel
This guide will walk through the setup and configuration of a GRE tunnel between two Linux hosts. The two Linux hosts are running Ubuntu 22.04 LTS.
unless I'm missing something
I'm not the best when it comes to networking but you could just GRE or run the proxy on the AWS VPS
then link the servers to the main
I think there's an image of a setup like this, 1s

this is proxy example
ofc the Oracle part can be an AWS machine if you wish
If he's home hosting, which by the setup I'm guessing he 100% is, this won't be possible as residential IPs are behind NAT and not dedicated, he won't receive GRE packets
Also why are you using AWS for the reverse? When there are like 2913883 better choices
Correctamundo
Also, eh? I dunno, just seemed like the easiest to set up, and I had someone helping me along with things. I kinda already got the OpenVPN part so it was just forwarding the traffic that had to be done
ahh mbm
b
I mean he can still do the proxy option
I mean this is effectively what I'm doing
My major issue is, the EC2 just refuses to let anyone else connect, so swapping the setup out wouldn't quite work if the server remains unreachable
ah
I've already set up network ACLs and so on and so forth to allow connections, SGs seem fine, had someone else look at it, everything looks good
Also why are you forwarding through OpenVPN?
But like why amazon
AWS is expensive as shit
If the point was saving yourself the $25 for TCPShield it won't really work for that
Just seemed easy? And I mean, if the connection succeeds is it really like, an issue? And I'm running under the AWS free tier
Idk man, I used the AWS free tier once for some experimentation then got an invoice for $70 worth of bandwidth costs
I didn't really know something like that existed, everything or most places suggested just running something similar to what I'm doing, so OpenVPN and nginx seemed to make sense, my IP itself is never directly revealed anywhere
Where did you even ask they don't know about the existence of reverse proxy services 😭
For a low price you have the reverse setup with anycast and near perfect uptime figured out, in addition to actually doing something against ddos attacks
OpenVPN and Nginx.... both are just not...
Is there any reason you can't point directly to your home ip?
OpenVPN is gonna cause a massive performance hit
I mean, if I can save myself the trouble of just having my IP sit in a home record, I'm gonna do that
I know in the long run, if anything were to happen
Just obfuscate the ddns
The lack of my IP being on the internet is not going to change something, but it at least lightens the load on my head
Or you can code a script to update the reverse backend every time your IP changes without the need for DDNS
So what exactly is the goal here? Just hiding your ip? DDoS protection?
The general goal is yeah, the first part, hiding my IP and any additional security I can grant myself beyond "don't open up 15 ports you don't need"
Did you try playit?
I was mostly avoiding it since I don't plan to exclusively use the reverse proxy for just Minecraft, or just a single server
I'm pretty sure playit supports any TCP/UDP application
If I'm gonna go from paying a server host 27 bucks a month to paying a service 30 bucks a month, it kinda defeats the point in my head (even if AWS is more expensive, if it runs under that 27 bucks? what do I care)
Playit is free??
Playit lists they have a limit of 4 ports, and I've got a lot more I'm planning to host in house
misread, 3 bucks, not 30, so fair
Then do yourself a favor and at least upgrade to HAProxy and Wireguard
Ah i miss the days when hosting was 30 bucks
I mean okay, as far as I'm getting, just scrap out the EC2, replace it with a proxy service (such as playit.gg), ?????, profit
granted AFAIS playit doesn't have an Ubuntu binary but, w/e
Is it for friends? you planning on hosting a public server?
And I'm pretty sure they do have that or something similar because I know hosts that use them
mostly for friends, but at the same time, I plan to host some other things so, a proxy service that just does whatever's needed is best
as for the Ubuntu binary, that's hashed, just using the raw binary seemed to handle it
I mean as long as you do nothing production then playit should be just fine
I mean that's kinda the end goal? like sure, I'm not running anything I'm making money off of, but, in the scope of things, being limited to exclusively TCP/UDP traffic is kinda ech but, I'll deal I guess
wdym ech
the internet consists of TCP/UDP
coming back to this after a bit of reading, setting stuff up, and just fiddling with things, I'm unsure if I can even go with playit
Mostly due to their dedicatedIPs being out of stock, and really wanting/needing the additional ports
sure I can just run absolutely everything for one server on a single port
which is oddly enough also their recommended way of doing things but to me just, doesn’t seem smart
i mean, everything else is pretty much paid so
I mean, I'm not chasing free, just not overly expensive, as long as it beats $330/yr I'm cool
Playit did beat that, but it lacks dedicated IPs and like, actual control over ports
You want an entire dedicated ip for <$30/m?
Even assuming PebbleHost is getting some crazy deal with bulk allocations of IP addresses, they do that for 30 a month
assigning one ip from your /24 block to a minecraft server is very different from tunneling an entire IP
Yes - I very much know and get that, I'm grossly simplifying for the sake of just trying to get the point across of: I don't think playit actually has all the features I'd be looking for
Admittedly this wouldn't be an issue if I saw support for some form of DDNS but I don't see that or a way to set that up? (And even then, I'd run out of tunnels)
hmmm
probably just get a vps
that allows tunneling
and set up WireGuard
Vultr is fine ig, has a few locs
I have a friend that runs an entire game server host behind a Vultr WireGuard tunnel lol
not that I recommend it but tbf his location is pretty fucked up for networking so that's basically the only choice if he wants to sell at $1/GB
I mean I'm gonna be really real with you, that puts me right back where I started
I'll check out Vultr though since AWS was slowly forecasting me to eat up a ton of resources - which, I shouldn't entirely believe what they say but, erring on the side of caution
nono AWS is expensive asf
Vultr / DigitalOcean / Oracle
which location are you in? @DODECA
Oregon, US
So really anywhere that has a US-West server
Granted OVHCloud is like UNIRONICALLY 4 hours away from me
then just get an OVH VPS
I'd recommend off a reseller though so you could get 10G
bonus you get some basic DDoS protection
so, assuming I'd basically re-setup everything I previously had with a different VPS provider (so, OVHcloud), drop nginx(?), and replace the OpenVPN tunnel with WireGuard
Yes
idk about you but OpenVPN gives me like 50-200mbps
once you are within a VPN network I'm pretty sure you can just iptables forward traffic to the local VPN IP assigned to your backend server
Yeah, like Upioti said, it's definitely possible to use iptables to forward/NAT inbound connections to a service behind a VPN, however, you might need to ensure outbound traffic returns through the VPN
you can also just run Velocity on the VPS, which is lightweight enough to not cause performance issues, but is designed for Minecraft, so the player's IP shows up correctly to the backend server
The issue is he can't port forward
I think?
Or am I confusing?
Velocity over a VPN
Ah
i mean sure
¯\_(ツ)_/¯
But
the VPN server will probably be 1GB RAM 1 vCore, while it could be enough for Velocity why not just run it on the backend server?
because Velocity itself is a reverse proxy
if he wants a simple reverse proxy to run on a VPS for a Minecraft server, then Velocity fits the bill
yes but he's setting up a VPN anyways
why not just forward and take advantage of more resources on the backend host
yeah, Velocity solves the reverse proxy/forwarding part
# DNAT inbound 25565 on the VPS public IP to the backend's VPN-side address
iptables -t nat -A PREROUTING -p tcp -d 69.69.69.69 --dport 25565 -j DNAT --to-destination 10.0.0.2:25565
# rewrite the source so the backend replies back via the VPS (replaces the client IP)
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.2 --dport 25565 -j MASQUERADE
¯\_(ツ)_/¯
okay, but how does the backend send data back to the server? Set the VPN as the default gateway?
DNAT only works if you're using the machine running the NAT as your default gateway
I mean you should probably bind Velocity to the VPN IP
and source NAT will break the IP addresses of clients
Idk, I'm not sure, I have a friend that runs a host through a WireGuard tunnel so there's a way to not break them
anyways, I 100% agree that you can NAT on the VPS server running a VPN, but if the user will never run into a performance bottleneck and there's a tool designed for proxying Minecraft connections to a backend server, why not use it?
are you still having this problem?
nginx streams w/ proxy-protocol support is still probably the "easier" way of doing it to get source IPs still working
as said, raw iptables isn't enough, as you lose the src address (IP bans, plugins which use IPs, e.g. alt checks)
Velocity is more resource intensive as it's at the application protocol level
Though that can be seen as beneficial if you want to ensure a connection is authenticated against Mojang before ever reaching the backend
and you can run your VPN ban proxy plugins, etc. and prevent all that traffic reaching the backend
whereas nginx streams would just pass that right through
Yeah, that's one thing I'll be careful to actually ensure occurs
No not quite since I've just binned it all, working this week so it'll be a bit before I actually hop back on to get things working, but I'll tackle it just using WireGuard n iptables/ufw
Additionally, as much as I know just running Velocity would be useful, this isn't for the sake of exclusively the Minecraft server, other things are running through this reverse proxy. If I just needed Minecraft and exclusively Minecraft proxied? I already have a Velocity instance running (but, since I realized I'd need a lot more, I tore that down for the time being - additionally because one (Minecraft) server would lock up, and lock up both the proxy and the other two)
I'm using an nginx proxy paired with Tailscale
here's my nginx config
stream {
    server {
        # Port number the reverse proxy is listening on for Minecraft Java Edition
        listen 25565;
        # The original Minecraft server address for Java Edition
        proxy_pass minecraftserver01:25565;
        # Send the client's real source IP to the backend via PROXY protocol
        proxy_protocol on;
    }
}
Yeah that's more or less my exact config I had set up
what was your issue?
The issue came with the EC2 being unable to communicate with anyone not having their IP explicitly allowed in the ACL or SG
you should use Oracle, they have free VMs
yeah I'm now sorta learning that but, when I redo this I'll be using OVHcloud since they're just in my state
the rule was configured for custom TCP - (insert port) - 0.0.0.0/0 - allow, and the same for the SG
You'd need to allow it through the security group, the network access control list, and the VM's firewall (if one is configured) on EC2