Public Facing (Sort Of) Game Server! ISP Defeated!
Proxmox Dashboard Showing Active Network Activity on Minecraft Server!

Public Facing Services (On a Budget?)

ISP Issues:

I live in a rural area, a very rural area. As a result, getting proper broadband services, or many other basic utilities, can be more than a hassle. However, having to work around these networking limitations has been a catalyst for learning and development! One of the largest impediments to my desire to kit out a real live-service homelab has been my ISP. Without naming names, my ISP utilizes a fixed-point-wireless mesh network to deliver broadband via roof-mounted antenna. As you can imagine, with a 2x2 low-gain array miles away from the nearest tower, service is patchy...and slow. This however has not been the biggest enemy; after all, you can still host web-servers and services on a patchy connection, just don't rely on it to pay your bills! No, in fact my greatest hindrance has been a particular quirk of my ISP's routing configuration.

Facing The Double NAT Issue:

As it turns out, contrary to many other ISPs, my, and my neighbors', roof-mounted antennas are not just antennas, they are routers. In fact, they appear to be interior routers that form a private network that exists over top of my home network. I learned of this when I was configuring my home router and continuously was provided a WAN address of 192.168.x.x (and no I am not afraid to give this out!). After some digging, I hunted down my actual public IP address and it seems to be shared with other homes on the block, then routed internally. This does not present a problem for generalist use, but it does present a huge problem for hosting services in a home lab! With Layer 3 networking out of my control, and no way to route public facing traffic, I was afraid I was stuck. Fortunately, though, software came to the rescue!

Layer 7 VPN Networking:

While it was true that I had no access to my actual "edge" routing appliance, I was not dead-in-the-water yet! After some research, I found a free and (mostly) Open-Source alternative to traditional public-facing services. Enter ZeroTier, the solution to my problems. I'll hop on the bandwagon and let ChatGPT define ZeroTier here:

  • ZeroTier is a software-defined networking service that provides virtual private network (VPN) functionality. It allows devices to connect to a virtual network, regardless of their physical location, by creating a software-based network overlay on top of existing networks or the internet. ZeroTier uses peer-to-peer technology to create a distributed network that can be easily scaled and secured. It is designed to be user-friendly and easily configurable, making it a popular choice for remote teams, gamers, and IoT devices. ZeroTier also provides features such as network segmentation, virtual LANs (VLANs), and application-specific routing.

One thing not mentioned by ChatGPT here, that is crucially important to MY situation, is that ZeroTier is largely based around an agent software that lives on each endpoint in the virtual network. By downloading this agent, the virtual network software takes care of routing through the internet! With this software, I was ready to finally start hosting something basic that I had always wanted to try out! A Minecraft Gaming Server!

Minecraft Server As a Proof Of Concept:

While not playing nearly as many video games as I used to, Minecraft has always held a special place in my heart! It also happens to be a fantastic testing ground for public-facing service hosting since it publishes its network requirements and server-jar for free!

Creating The Server:

Here is where I will have to ask for some internet-grace! I have learned a lot, even from the few days ago when I stood up this server. The configuration that I created here is not the best or most efficient. BUT IT WORKS! Let's start with a picture:

ScreenShot of htop and systemctl status minecraft

In a nutshell, I did the following: Virtualized a minimal installation of Ubuntu LTS Jammy-Jellyfish; Updated all repositories; Installed jre-17; Installed the server.jar; Forklifted an existing world-file from my wife's laptop (her favorite!); Applied some light alterations to the server config. file; Launched the Java Virtual Machine instance and ran Minecraft! All things considered, it wasn't very complex. The issues came with troubleshooting versioning and swap memory issues on the virtual machine within Proxmox. After I confirmed that the world was working and that users within my LAN could access it from their clients via IP address, I got to work on the titular part of the story, the public face!

ZeroTier:

This part was...easy! I created a free account on ZeroTier's website and created my own virtual subnet. With a free subscription I can have up to 100 member devices/users within my private network! From there, I installed the agent software to the server with the command line and was given a pair of keys, one to identify my network and one to identify my node. By handing out this key (publicly or privately) I can allow anyone with the ZeroTier agent to exist on a virtual network with my Minecraft Virtual Server! After a quick test, it worked! Friends of mine miles away were able to safely and securely connect to my home server!

What I Did Well:

Inadvertently, this setup ended up forcing a lot of good practice from a cybersecurity standpoint! By using a cloud virtual network, I bypass the need to forward any ports on my own firewall infrastructure. Instead, traffic is only allowed to flow between authorized nodes running the agent software. This effectively gives opted-in devices two TCP/IP identities and allows me to manage them from both within, and outside of, my network. Secondly, by using a virtual machine on enterprise hardware, I am able to snapshot and regularly back up my guests. This means that I have extremely high uptime and significant failover tolerance. I also, as you can see in the screenshot above, configured the Java virtual machine / server.jar to launch as a systemd daemon on reboot. This does two things: It allows me to manage "Minecraft" as I would any other system service through scripts and the built-in systemctl command set; but it also makes certain that, in the event of a failure, the Minecraft service will gracefully shut down and start when my VM launches again.

What I Should Have Done Better:

A few things come to mind when I consider what I should have done better with this project. One thing stands out first; I should have created a separate user within Ubuntu-Linux to host the files and run the daemon. Running server services as your home user is considered bad practice and increases the amount of damage an attacker could cause if they breached my system. Proper Linux Administration would demand parsed out permissions and user structures to manage each service. Another thing that is far more obvious to you more seasoned Linux Admins is the fact that I am hosting a server on a desktop instance of Ubuntu. This is a bad choice for multiple reasons. For one, it is highly inefficient and leads to valuable resources being eaten away by my desktop environment and display server. For another, it is less secure. With multiple TCP/IP services open on the same machine, that really only serves one purpose, I have way more doors into my system than are actually necessary to perform the task. This violates the Unix design philosophy, AND basic tenets of server administration. The reason I did this was one of simple lack of command-line experience. Without a graphical web-browser, I was unaware of how best to download and install the ZeroTier agent and Server.jar for my project. Perhaps a future article when I more totally grasp the command line!
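As an added example (not the author's unit file or commands), here is the weak setup described above beside a hardened counterpart, with a small checker that reports what separates them. The account name `minecraft`, the path `/srv/minecraft`, the user `alice` and both unit texts are assumptions constructed for illustration; the sandboxing directives are standard systemd options and go beyond the dedicated-user fix the article names.

```shell
#!/usr/bin/env bash
# Dedicated account (run once as root; account name and path are assumptions):
#   useradd --system --home-dir /srv/minecraft --shell /usr/sbin/nologin minecraft

# Constructed [Service] section: a login user runs the server from its home directory.
WEAK_UNIT='[Service]
User=alice
WorkingDirectory=/home/alice/minecraft
ExecStart=/usr/bin/java -jar server.jar nogui
Restart=on-failure'

# Constructed hardened counterpart: service account, data outside /home, sandboxing on.
HARDENED_UNIT='[Service]
User=minecraft
Group=minecraft
WorkingDirectory=/srv/minecraft
ExecStart=/usr/bin/java -jar server.jar nogui
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/srv/minecraft'

# Reads unit text on stdin and prints one finding per line (nothing if clean).
audit_unit() {
  awk -F= '
    /^\[/ { section = $0; next }
    section == "[Service]" && NF >= 2 { v[$1] = substr($0, length($1) + 2) }
    END {
      if (!("User" in v) || v["User"] == "root") print "runs-as-root"
      if (v["WorkingDirectory"] ~ /^\/home\//) print "files-under-home"
      if (v["NoNewPrivileges"] !~ /^(yes|true|on|1)$/) print "can-gain-privileges"
      if (v["ProtectSystem"] !~ /^(strict|full)$/) print "system-dirs-writable"
      if (v["ProtectHome"] !~ /^(yes|true|on|1|read-only|tmpfs)$/) print "home-dirs-visible"
    }'
}

# Demo on the weak sample; a unit on disk can be piped in the same way.
printf '%s\n' "$WEAK_UNIT" | audit_unit
```

With `ProtectHome=yes` the service cannot see `/home` at all, which is why the hardened unit keeps the world and `server.jar` under a directory the service account owns.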

Conclusion:

Is this "public facing" in the purest sense of the term? No. In fact, I am not sure that this ISP configuration would even allow me to perform such a thing. However, is it "public facing enough?" Yes! By publicizing the ZeroTier network keys I am, theoretically, allowed to have as many players (up to 100 on a free account) interacting with my service as my hardware will allow! For all intents and purposes, this is as public facing as I will get at the moment! Unfortunately, though, this does not stop players on my server from experiencing laggy gameplay! Not sure I can fix that one...


Thank you for reading!

(For more information and discussion join the Discord server linked in my description!)

Tyler Sell
