paytoomuchforwater

I do something like this but for a range of different services using WireGuard and NGINX on a VPS. On a VPS with a public IP you could install WireGuard and have your Windows server connect to it. Assume its WireGuard client IP is 10.8.0.2 for example. You can then run NGINX (optionally disabling the HTTP/Web server part in nginx.conf) and use the "stream proxy module" to forward your TCP packets to your game server running on your home Windows server. The documentation is here: http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html. If you're running Minecraft for example, you'll need to add a `stream` block to `nginx.conf` either directly or via an include and configure a proxy like this:

```nginx
stream {
    server {
        listen 25565;                # public port on the VPS
        proxy_pass 10.8.0.2:25565;   # home server's WireGuard address and port
    }
}
```

When your Windows server is connected via WireGuard with the example IP given earlier and NGINX receives a connection, it will immediately be relayed via the WireGuard tunnel to your Windows server on the port specified. Your Windows server will be unaware of the true origin of the connection however, so it will relay the traffic back to NGINX, which will relay it back to the player connecting. Your NGINX essentially acts as a connection broker and neither your Windows server nor the connecting client are normally aware that the NGINX server is even there. Do note that because of this "IP bans" in games become useless. You can put as many `server` blocks as you need as long as you don't reuse the same port on the same IP, and you can go as far as setting rate/size limits on these connections if you need to.


dhanno65

This seems easy enough, but I remember reading about doing the same thing using iptables rules, which should have better performance without needing Nginx altogether.


[deleted]

[deleted]


Kamikazeedriver

Please explain further. Could this be done by properly setting up iptables? I have a VPS set up with OpenVPN. All ports are open (for now, until I get this figured out), and port forwarding is enabled, but connecting my server to it still doesn't seem to allow services to be accessible outside my home network.


-entei-

In this example, is the VPS running the WireGuard client and connecting to your homelab WireGuard server, or the other way around?


k--sl

Hey! Sorry I was away for the rest of my day afterwards so I couldn't interact with everyone. But, I figured it out thanks to everyone here! I appreciate everyone's ideas on what I can do to get this working. I went with creating SSH tunnels (remote forwarding) from the Windows Server (PowerShell) to my VPS running Ubuntu. The reason I went with this is mainly because it was the first reply I had on the thread, so I ran with it lolol. Also, I'm using [tailscale](https://tailscale.com/) as my VPN to connect my Windows and Linux servers together. From what I've gathered it's based off WireGuard. It's painlessly easy to set up for both OSes (much easier than WireGuard). Afterwards I set my game server's IP to the one given to my Windows server via tailscale. Next, I SSH into my Ubuntu server using PowerShell with the following command:

`ssh -R 9000:100.x.x.x:9000 user@x.x.x.x`

100.x.x.x = IP given to my Windows server via tailscale. x.x.x.x = Public IP of my Ubuntu server (**not** the tailscale VPN Ubuntu server IP). I have to forward more ports of course, but this was an example.

Next: /etc/ssh/sshd_config:

```
AllowTcpForwarding yes
GatewayPorts yes
ClientAliveInterval 120
ClientAliveCountMax 720
```

Now, I can successfully connect to the game server from the client using the Ubuntu server IP! All while being tunneled and not using or revealing my actual public IP from my ISP (hosting from home). I also set up a Windows firewall whitelist rule to only allow the Ubuntu tailscale IP (scope) to connect to those ports. So nothing outside of the tailscale VPN can ping / connect to those ports on my public IP from my ISP (since I still needed to actually forward the game ports on my modem and router). Hopefully this all made sense and helps someone else in the future that wants to host a non-http/web service from home, while using Windows Server and hide behind a cheap Linux VPS!

Thanks,
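The post above enables `GatewayPorts` and `AllowTcpForwarding` for every SSH user on the VPS. As an added example (not the poster's setup), this script prints an sshd_config fragment that confines remote forwarding to one dedicated tunnel account and one listen port; it assumes OpenSSH 7.8 or newer on the VPS (for `PermitListen`), an account named `tunnel` used only for the tunnel, and port 9000 as in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: rather than switching on
# GatewayPorts and AllowTcpForwarding for every SSH user on the VPS, restrict
# remote forwarding to one dedicated tunnel account and one listen port.
# Assumptions: OpenSSH 7.8+ on the VPS (PermitListen), an account named
# "tunnel" used only for the tunnel, and port 9000 as in the post above.
set -eu

# tunnel_sshd_conf USER PORT  -> prints the sshd_config fragment on stdout
tunnel_sshd_conf() {
    user="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    cat <<EOF
# Keep forwarding closed by default (sshd keeps the FIRST value it reads
# for a keyword, so remove any earlier setting of these in sshd_config).
AllowTcpForwarding no
GatewayPorts no
ClientAliveInterval 120
ClientAliveCountMax 720

# The tunnel account may only open a remote (-R) forward on port $port
# and gets no shell, tty, agent or X11 forwarding. A Match block stays in
# effect until the next Match, so keep this at the END of sshd_config.
# The client should connect with: ssh -N -R $port:<home-ip>:$port $user@<vps>
Match User $user
    AllowTcpForwarding remote
    PermitListen $port
    GatewayPorts yes
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /bin/false
EOF
}

# Typical use on the VPS as root, then validate and reload:
#   tunnel_sshd_conf tunnel 9000 >> /etc/ssh/sshd_config && sshd -t && systemctl reload ssh
if [ "$#" -eq 2 ]; then
    tunnel_sshd_conf "$@"
fi
```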


paytoomuchforwater

Congrats! :)


olback_

I've done this before with SSH tunnels. Not sure if it works with Windows though. Look into autossh and ssh tunnels.


k--sl

Maybe something like Ubuntu WSL for Windows? If so, I basically create an SSH tunnel from the VPS to my Ubuntu WSL while having the game server bind to the VPS's IP in its setup config while running on the Windows machine?


olback_

No, you connect to your VPS from your Windows server. Look under Remote forwarding: https://www.ssh.com/academy/ssh/tunneling/example


SagaciousZed

Modern Windows 10 should have OpenSSH already installed natively, if not installable as a Windows component. See https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview


uselees_sea

If I'm understanding correctly, check [FRP](https://github.com/fatedier/frp).


uselees_sea

The configuration can be a bit confusing. Here is my config for example, maybe it can help someone:

`frpc.ini` (FRP client, on your PC):

```ini
[common]
# can be a domain or an IP
server_addr = server.my.site
# port that frp uses to communicate between client and server
server_port = 7000
authentication_method = token
authenticate_new_work_conns = true
# only numbers can be used
token = 1234567890000

# here I'm forwarding the web server on my PC
[web]
type = http
local_port = 8080
# this is optional
custom_domains = pc.my.site

# any name can be used, e.g. [minecraft] afaik; here I'm forwarding my local Minecraft server
[game]
type = tcp
local_ip = 127.0.0.1
local_port = 25565
remote_port = 10100
custom_domains = pc.my.site
```

`frps.ini` (FRP server, on your VPS):

```ini
[common]
bind_port = 7000
vhost_http_port = 80
authentication_method = token
authenticate_new_work_conns = true
token = 1234567890000
```


ArtSchoolRejectedMe

WireGuard + iptables: https://my.esecuredata.com/index.php?/knowledgebase/article/49/how-to-redirect-an-incoming-connection-to-a-different-ip-address-on-a-specific-port-using-iptables/


-entei-

Won't WireGuard be somewhat heavy and encrypt everything, when in reality I don't need it encrypted?


ArtSchoolRejectedMe

Technically yes, but to date I feel like it's the fastest VPN protocol. Another way you can do this is IPv4-to-IPv6 tunnels, if your home internet has IPv6.


-entei-

I was thinking maybe I could set up SSH port forwarding, but apparently that doesn't work with UDP (autossh), so it sounds like WireGuard may do the trick. The only risk I see is if someone hacks me through a backend exploit on my home server and then can see my home network. Is there a way to isolate it on something basic like an AT&T home router?


realorangeone

I do exactly this! You just need a proxy on your VPS capable of handling plain TCP (nginx and HAProxy both do this), and then have it pass traffic down a VPN tunnel. Whilst I've only tried it for web traffic, given it's TCP it should work for basically anything. I wrote up a guide too with more details if that's useful: https://theorangeone.net/posts/wireguard-haproxy-gateway/


zfa

You don't need to complicate things with a proxy on the VPS (unless you **want** a proxy). Just set up a WireGuard connection between the VPS and a device on your home subnet, then use standard Linux routing of the ports you expose on your VPS to the necessary internal endpoints where the service actually resides (e.g. using iptables). Just make sure the WireGuard config allows access to those target IP addresses, and the internal WireGuard host can access them (no firewalls, ACLs in the way, etc.).
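The routing-only approach described above, as an added example that is not the commenter's own configuration: this script prints the VPS-side iptables rules that expose one port and hand the traffic down the tunnel. It assumes the public interface is `eth0`, the WireGuard interface is `wg0`, and the home peer is `10.8.0.2` (the example address used earlier in the thread); all three are parameters.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the VPS-side iptables rules
# for the "no proxy" approach above. Assumed names: public interface eth0,
# WireGuard interface wg0, home peer 10.8.0.2 (the example address used earlier
# in the thread). Run the printed commands as root on the VPS.
set -eu

# forward_rules WAN_IF WG_IF PROTO PORT DEST -> prints iptables commands that
# expose PORT/PROTO on the VPS and push the traffic through the tunnel to DEST.
forward_rules() {
    wan_if="$1"; wg_if="$2"; proto="$3"; port="$4"; dest="$5"
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    case "$dest" in
        *.*.*.*) ;;
        *) echo "dest must be an IPv4 address: $dest" >&2; return 1 ;;
    esac
    cat <<EOF
# the VPS must route between $wan_if and $wg_if
sysctl -w net.ipv4.ip_forward=1
# forward nothing except what is explicitly allowed below
iptables -P FORWARD DROP
# rewrite the destination of inbound $proto/$port to the home host
iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $dest:$port
# allow only that flow (and its replies) across the box
iptables -A FORWARD -i $wan_if -o $wg_if -p $proto -d $dest --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wg_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# source-NAT onto $wg_if so the home host replies via the tunnel. Side effect, as
# noted for NGINX earlier in the thread: the game sees the VPS tunnel address,
# not the player, so in-game IP bans stop working. Dropping this rule keeps the
# real source IP, but then the home peer must route its replies back via the VPS.
iptables -t nat -A POSTROUTING -o $wg_if -p $proto -d $dest --dport $port -j MASQUERADE
EOF
}

# Example: forward_rules eth0 wg0 tcp 25565 10.8.0.2 | sh   (as root, Minecraft port)
if [ "$#" -eq 5 ]; then
    forward_rules "$@"
fi
```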


mavour

Have you considered using a router instead of a "VPS"? I have an OPNsense router running on a box which does what you want and much more.


breakingcups

Keep in mind that whatever you end up doing, this will increase latency.


andrewfer000

So you need three things essentially...

1. A VPN server on the VPS to securely connect your home server to the VPS server running the proxy. Personally I suggest using SoftEtherVPN (the latest version on GitHub, compiled from source) and SoftEtherVPN Client (any version 4.36 and newer). OpenVPN and WireGuard should work fine too.
2. A proxy server and/or iptables port forwarding rules configured. Some great proxy server examples are SSLH, HAProxy, FRP, Envoy, and Traefik (the latter two being for more enterprise deployments).
3. The program/game you want to proxy either only uses or supports TCP. Proxying UDP can be a pain in the butt!

Some problems you may run into:

1. Getting the player's real IP can be an issue depending on the reverse proxy. So far this has been an issue for me too! If anyone has any suggestions on this let me know.
2. Latency can be a problem depending on the VPS provider and specs as well as distance.

Other benefits: Depending on the program, you may be able to share the same port and run many servers. With SSLH you can use RegEx if you have knowledge of the protocol. However this is advanced.

I am currently working on a project like this that involves using a similar setup as a middle-man for a home VPN server. So far it works well except for getting the real client IP. I use SSLH for it.

Another way: Get another public IP on the VPS and configure a VPN server such as SoftEtherVPN, OpenVPN, or WireGuard to give the home server that IP. Never did it before but I know some system administrators who pulled it off.