Tools required: Linux, iptables (medium knowledge of both is assumed)
Why?
Unfortunately some ISPs (Internet Service Providers) do not delegate a public IP address to every customer. In these situations an ISP will typically rely on Carrier Grade NAT (CGNAT) to place multiple customers behind one public IP that the customer has no control over. This has the advantage for the ISP of needing less public address space, but it typically comes at the cost of the customer being unable to host public services, or having other NAT (Network Address Translation) problems.
ISPs get away with this because many customers never need a public IP, but those who game will often feel the pain: Peer-to-Peer (P2P) online play breaks or game hosting does not work.
There are some ways to get around this for dedicated server hosting. Personally I would recommend looking into SD-WAN (Software Defined WAN) style services such as:
Services like the above provide a way to expose services without needing a public IP address from the ISP, and they typically give the user some access control as well.
The hard way
Why do something the easy way? For a few bucks a month, a low powered VPS (Virtual Private Server) can be purchased from the likes of OVH or DigitalOcean.
We can use the public address the VPS provides as a front for internet-facing services. As these VPSs are typically low powered, the game service is not hosted on the VPS itself but on another machine, such as your gaming rig.
This post is not intended to describe every step of the journey, but it does describe a method I used that works well.
On the machine actually hosting the game, we need some way for it to talk to the VPS. I recommend OpenVPN for this, as there is a fantastic installer script that sets up the server on your VPS.
After running that, I will assume your VPS / Game Server setup looks something like the following:
                   -------                    ---------------
<-- INTERNET --> |  VPS  | <-- OPEN VPN --> |  GAME SERVER  |
                   -------                    ---------------
For this article, we'll also assume:
- that your private OpenVPN has a subnet of 192.168.192.0/24
- a gateway on the VPS of 192.168.192.1
- your Game Server is connected to OpenVPN with an IP of 192.168.192.10
- we're hosting a Minecraft server on UDP port 19132
For the VPS to front traffic and hand it to your Game Server, two things have to happen on the VPS: inbound packets for the public address must have their destination rewritten to 192.168.192.10 (a DNAT rule in the nat table's PREROUTING chain, with IP forwarding enabled via net.ipv4.ip_forward=1), and the packets leaving over OpenVPN must be given a source address that the Game Server can reply to. The rule below handles the second part:
iptables -t nat -I POSTROUTING 1 -o tun0 -d 192.168.192.10 -p udp --dport 19132 -j SNAT --to-source 192.168.192.1
This tells iptables to:
- alter the nat table and insert the rule at position 1 of POSTROUTING, so it is evaluated before any rule already in that chain (the OpenVPN installer may have added some)
- match UDP traffic to port 19132 that leaves the network interface tun0 (our OpenVPN interface) for destination 192.168.192.10. Note that -d is a match, not a rewrite; the destination was already rewritten by the inbound DNAT rule
- when traffic matches, rewrite the source IP address to 192.168.192.1. This makes the Game Server send its replies to the VPS's VPN address, so return traffic goes back over OpenVPN instead of out through the Game Server's own (CGNAT) default route. The trade-off is that the Game Server sees every player as 192.168.192.1, so per-player IP bans or IP-based logging on the game side will not work.
Technically this is all you need to use the public IP of your VPS and send traffic to your game server. However, I recommend some additional security by limiting which IP addresses can reach this game server.
Conceptually, we are forwarding traffic from one interface (our publicly exposed one) to the OpenVPN interface. Besides the nat table's POSTROUTING chain, iptables has a FORWARD chain in the filter table, and the order in which a forwarded packet passes through them is: nat PREROUTING (DNAT), then the routing decision, then filter FORWARD, then nat POSTROUTING (SNAT). So by the time FORWARD sees the packet its destination is already 192.168.192.10, and a DROP there happens before any SNAT. Let's use the FORWARD chain to accept traffic from allowed source IPs and then drop everything else:
iptables -A FORWARD -s 198.51.100.17,203.0.113.42 -i eth0 -p udp --dport 19132 -j ACCEPT # control access by source IP (placeholder addresses from the RFC 5737 documentation ranges; substitute your players' real IPs)
iptables -A FORWARD -i eth0 -p udp --dport 19132 -j DROP
Two caveats: -A appends, so if the OpenVPN installer already put an ACCEPT rule in FORWARD these two will sit behind it and never match (use -I with a position, or check with iptables -L FORWARD -n -v --line-numbers); and the DROP only covers UDP 19132, so the chain's default policy still decides what else can be forwarded between eth0 and tun0.
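The whole procedure above, collected into one script as an added example (this is not the post's own script). It assumes the addresses from the article (192.168.192.0/24, gateway 192.168.192.1, game server 192.168.192.10, UDP 19132), interface names eth0 and tun0, and two placeholder player IPs from the RFC 5737 documentation ranges; all of these are overridable through environment variables. By default it only prints the commands (DRY_RUN=1) so the rule set can be reviewed before it is applied as root with DRY_RUN=0. It inserts every rule at the top of its chain so the drop cannot be bypassed by an earlier ACCEPT, and it adds the conntrack rule the article's two FORWARD rules rely on implicitly when the chain's default policy is DROP.

```shell
#!/bin/sh
# Added example: full VPS-side rule set for fronting a game server over OpenVPN.
# Every value below is an assumption taken from the article or a placeholder.
PUB_IF="${PUB_IF:-eth0}"                 # VPS public interface
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN interface on the VPS
VPN_GW="${VPN_GW:-192.168.192.1}"        # VPS address inside the VPN
GAME_IP="${GAME_IP:-192.168.192.10}"     # Game Server address inside the VPN
GAME_PORT="${GAME_PORT:-19132}"
GAME_PROTO="${GAME_PROTO:-udp}"
# Allowed player source IPs: placeholders (RFC 5737 documentation ranges), not real players
ALLOWED="${ALLOWED:-198.51.100.17,203.0.113.42}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = apply them (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

game_forward_rules() {
    # 1. The kernel must be willing to route between eth0 and tun0 at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. nat/PREROUTING runs first: rewrite the VPS public address to the game server.
    run iptables -t nat -I PREROUTING 1 -i "$PUB_IF" -p "$GAME_PROTO" --dport "$GAME_PORT" \
        -j DNAT --to-destination "$GAME_IP"

    # 3. nat/POSTROUTING runs last: packets leaving over tun0 for the game server get the
    #    VPN gateway as source, so the game server's replies come back over OpenVPN.
    run iptables -t nat -I POSTROUTING 1 -o "$VPN_IF" -d "$GAME_IP" -p "$GAME_PROTO" --dport "$GAME_PORT" \
        -j SNAT --to-source "$VPN_GW"

    # 4. filter/FORWARD sits between the two, so it already sees dst=GAME_IP.
    #    Positions 1,2,3 keep the order: return traffic, allow-list, then drop the rest for this port.
    run iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD 2 -s "$ALLOWED" -i "$PUB_IF" -p "$GAME_PROTO" --dport "$GAME_PORT" \
        -d "$GAME_IP" -j ACCEPT
    run iptables -I FORWARD 3 -i "$PUB_IF" -p "$GAME_PROTO" --dport "$GAME_PORT" \
        -d "$GAME_IP" -j DROP
}

# With DRY_RUN=1 (the default) this only prints the rules; nothing touches the firewall.
game_forward_rules
```

After applying for real, confirm the rules are hit with iptables -t nat -L -n -v --line-numbers and iptables -L FORWARD -n -v --line-numbers while a player connects: the DNAT, SNAT and ACCEPT counters should increase, and an unlisted source should only move the DROP counter. Remember that the DROP rule is port-specific; set the FORWARD chain's default policy to DROP if you do not want anything else forwarded between eth0 and tun0.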
Wrapping up
If you're going for this method, the chances are you have good networking knowledge and Linux-fu. You should be taking additional steps to secure your server and your iptables configuration.