AWS Proxy
Note: These instructions focus on the AWS proxy server and do not cover setting up the Minecraft server itself. Note: After use, the AWS proxy was too laggy to provide any real value.
The advantage of using a free-tier AWS compute instance as a proxy is that the instance inherits the reliability and resilience of Amazon's cloud service. The instance is unlikely to go offline, and the AWS network protections can absorb DDoS and other attacks that would otherwise reach the home network.
Stages:
- Stage 1: Create an AWS Instance
- Stage 2: Create an Elastic IP for the instance
- Stage 3: Setup Dynamic IP for home server
- Stage 4: Setup AWS firewall for access
- Stage 5: SSH access to the AWS Instance
- Stage 6: Install and Configure Proxy
- Stage 7: Test the Configuration
Stage 1: Create an AWS Instance
- Sign up for an Amazon AWS Account
- Search for EC2 (Virtual Servers in the Cloud)
- Select Launch Instance
- Enter ec2 in the search bar and press enter.
- Select the Amazon Linux 2 AMI (HVM) - Free tier eligible (x86 version)
After this, the prompt will ask to create a key pair.
- Provide a Key pair name
- Download Key Pair (remember where you store this file; you need it for SSH access)
- Launch Instance
- Select View Instances
Stage 1: Complete. Instance Created
Stage 2: Create Elastic IP and assign it to the instance.
Assigning an Elastic IP means the instance will always have the same IP address. If using the Public IP address on the EC2 instance, any reboot of the server will assign a new IP. Elastic IP avoids this issue.
When creating an Elastic IP it must be associated with a running instance. If the Elastic IP exists and no instance is running against it, Amazon charges a small fee to maintain it. As of this writing, the Elastic IP is free while it is assigned to a running instance. We do this first so we do not have to reconfigure the proxy later.
- Leave the defaults on the Allocate Elastic IP address screen and select Allocate
- Select the Elastic IP that was created by checking the box, then in the Actions drop-down select Associate Elastic IP address
- On the Associate Elastic IP address page, select the instance you just created and its private IP. Then select the Associate button
- Return to Instances and your instance should reflect the Elastic IP address you just assigned.
The instance is now reachable at the Elastic IP address established in this step. It was previously reachable at the auto-assigned Public IP; that address is released once the Elastic IP is associated.
Stage 2 Complete: Elastic IP configured and assigned to instance
Stage 3: Setup Dynamic IP for home server
There are two parts to this, so that your home IP address will always be reachable by the proxy and by your gamers.
Part 1: DynamicDNS setup
Most home internet providers assign a dynamic IP address. To accommodate an IP change, we need to set up a DynamicDNS resolver service. I actually pay annually for NOIP service. For the IP address to be updated regularly, a client needs to be installed on the Linux server. It will periodically update the NOIP service so that your DNS entry resolves to your home. Do not use the NOIP software that they provide. It has historically been insecure. ddclient is a capable and secure client that supports NOIP. Here is my ddclient configuration on Ubuntu LTS:
> sudo cat /etc/ddclient.conf
# /etc/ddclient.conf
# Run as a daemon, checking for an address change every 30 seconds, logging to syslog
daemon=30
syslog=yes
cache=/tmp/ddclient.cache
pid=/var/run/ddclient.pid
wildcard=YES
protocol=noip
# Discover the public address via a web lookup (not a local interface) and update NOIP over HTTPS
use=web
ssl=yes
login=<your-email-login-for-noip>
password='<your-password-for-noip-in-single-quotes>'
# Last line: the host name this file updates
<the-fully-qualified-domain-you-created-in-noip>
Verify that NOIP is getting the correct address for your home IP.
Part 2: Port Forwarding
On your home router, port forwarding needs to be set up to point to the server you have installed in your home. If the router supports it, for added security, set the SOURCE address equal to the Elastic IP address you created. This means that even though the port forwarding sends all requests internally to your Minecraft server, the router only accepts requests that come from your proxy in AWS and blocks all other connections.
Stage 3: Complete. Dynamic DNS setup with daemon and firewall/port forwarding ready
Stage 4: Setup AWS firewall for access
Next, the AWS instance and its Elastic IP need to be opened up for access on port 25565, the default port used by Minecraft for gameplay.
From the Security Groups menu option, select the "launch-wizard-1" check box and from Actions select Edit inbound rules.
On the resulting screen, select Add rule and enter:
- Type: Custom TCP
- Port Range: 25565
- Source: Custom | 0.0.0.0/0
- Description (optional): Minecraft Proxy
Then SAVE RULE.
Stage 4: Complete. Server Ready to accept connections on port 25565
Stage 5: SSH access to the AWS Instance
The rest of this configuration needs to be performed by logging directly into the command line of the server instance in AWS. Using the SSH key file downloaded in stage 1, open your SSH client of choice. Since I use a Linux desktop, I will use the standard terminal.
- Access the Instance using your SSH key
> ssh -i <path-to>/<keyfile-downloaded>.pem ec2-user@<your-instance-name>
This should drop you right into the command line of your server.
Stage 5: Complete. SSH access to AWS server (that was a short step)
Stage 6: Install and Configure Proxy
- Install required packages
Next we need to install epel (Extra Packages for Enterprise Linux) and sslh (a port multiplexer).
- EPEL is needed to be able to install sslh.
- sslh is going to function as the proxy.
> sudo amazon-linux-extras install epel
> sudo yum install sslh
- Configure sslh
Other instructions refer to /etc/default/sslh. That file is no longer part of the configuration as of this writing. The file to edit is /etc/sslh.cfg. (Editing the file with your favorite Linux editor, vim or nano, is outside the scope of this guide.)
Here is a copy of my configuration with minor edits:
verbose: false;
foreground: true;
inetd: false;
numeric: false;
transparent: false;
timeout: 2;
pidfile: "/var/run/sslh.pid";
user: "sslh";
# listen host: the instance's private IP. protocols host: your external (NOIP) domain name.
listen:
(
{ host: "<internal-ip-of-instance>"; port: "25565"; }
);
protocols:
(
{ name: "anyprot"; host: "<noip-domain-for-your-house>"; port: "25565"; }
);
The listen address is the instance's internal (private) IP address, not the public Elastic IP address, since AWS routes traffic arriving at the Elastic IP to this internal address. The protocols host should be the domain name set up in NOIP (or another provider). Both ports, listen and protocol, should be 25565.
The pidfile entry is one I added; it may not be required.
- Enable and start sslh
We first need to enable the service so that it will start on system restart. After that, we start the server and check its status.
> sudo systemctl enable sslh
> sudo systemctl start sslh
> sudo systemctl status sslh
A successful status check shows the service as active (running) (screenshot omitted; IP addresses were redacted).
If you get an error message, it's likely a misconfiguration in the /etc/sslh.cfg file.
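As a check for that misconfiguration case, here is an added example (not from the page or the sslh project) that parses the subset of sslh.cfg syntax shown above and flags a setting missing its ';', a listen host that is not a private IP, and listen/protocol ports that differ from 25565. The sample config, the private IP 172.31.5.10 and the domain myhouse.example.net are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the layout shown above; the pidfile line lacks its ';'
SAMPLE_CFG = """\
timeout: 2;
pidfile: "/var/run/sslh.pid"
user: "sslh";
listen: ( { host: "172.31.5.10"; port: "25565"; } );
protocols: ( { name: "anyprot"; host: "myhouse.example.net"; port: "25565"; } );
"""

SETTING = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;{}()]+?)\s*;')  # key: value;
BLOCK = re.compile(r'(\w+)\s*:\s*\((.*?)\);', re.S)           # name: ( { ... } );

def parse_sslh_cfg(text):
    """Return (scalars, lists, problems) for the subset of syntax used above."""
    scalars, lists, problems = {}, {}, []
    for m in BLOCK.finditer(text):
        entries = re.findall(r'\{(.*?)\}', m.group(2), re.S)
        lists[m.group(1)] = [{k: v.strip('"') for k, v in SETTING.findall(e)}
                             for e in entries]
    for line in BLOCK.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()      # libconfig '#' comments
        if not line:
            continue
        m = SETTING.fullmatch(line)
        if m:
            scalars[m.group(1)] = m.group(2).strip('"')
        else:
            problems.append(f"setting malformed or missing ';': {line!r}")
    return scalars, lists, problems

def check_proxy_cfg(text, port="25565"):
    """Check the invariants stated above: private listen IP, both ports equal."""
    scalars, lists, problems = parse_sslh_cfg(text)
    for entry in lists.get("listen") or [{}]:
        host = entry.get("host", "")
        try:
            if not ipaddress.ip_address(host).is_private:
                problems.append(f"listen host {host} is public; use the private IP")
        except ValueError:
            problems.append(f"listen host {host!r} is not the instance's private IP")
        if entry.get("port") != port:
            problems.append(f"listen port {entry.get('port')!r} is not {port}")
    for entry in lists.get("protocols") or [{}]:
        if entry.get("port") != port:
            problems.append(f"protocol port {entry.get('port')!r} is not {port}")
    return problems
```

Run check_proxy_cfg on the contents of /etc/sslh.cfg before starting the service; an empty list means the layout matches what the text describes.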
Stage 6: Complete. Proxy configured and ready for connections
Stage 7: Test the Configuration
At this point...
- The AWS server is online and ready to accept connections.
- The proxy is ready to forward those requests to the home IP, which was made reachable by the DynamicDNS client.
- Your home router is configured to allow connections and forward them to your server
Launch Minecraft and under Multiplayer > Direct Connection use the AWS domain name shown in Instances.
Note: If you prefer something simpler than the AWS domain name (since you will likely give it to friends), I recommend creating a CNAME record in NOIP. This allows the simpler "noip name" to point to the Elastic IP domain name. Because this IP will never change, you will not need to install a DynamicDNS client on the AWS server to update the IP registration.
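To test the path from the internet through the proxy to your home server without launching the game, here is an added example (not from the page) that performs the Minecraft server list ping: a handshake packet with next state 1 (status) followed by a status request, over the same port 25565 that sslh forwards. It uses only the standard library; the host passed to server_status is assumed to be your AWS domain name from Instances.

```python
import json
import socket
import struct

def encode_varint(value):
    """Minecraft VarInt: 7 payload bits per byte, high bit set if more follow."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def decode_varint(read):
    """Decode a VarInt from read(n) -> bytes (works for sockets and buffers)."""
    result, shift = 0, 0
    while True:
        b = read(1)[0]
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result
        shift += 7
        if shift > 35:
            raise ValueError("VarInt longer than 5 bytes")

def packet(packet_id, payload=b""):
    body = encode_varint(packet_id) + payload        # VarInt(len) + VarInt(id) + payload
    return encode_varint(len(body)) + body

def handshake(host, port, protocol_version=47):
    """Handshake (id 0), next_state=1; a status query is answered for any version."""
    addr = host.encode()
    return packet(0, encode_varint(protocol_version) + encode_varint(len(addr))
                  + addr + struct.pack(">H", port) + encode_varint(1))

def server_status(host, port=25565, timeout=5):
    """Send handshake + status request; return the decoded status JSON."""
    with socket.create_connection((host, port), timeout) as sock:
        def read(n):                      # recv exactly n bytes
            buf = b""
            while len(buf) < n:
                chunk = sock.recv(n - len(buf))
                if not chunk:
                    raise ConnectionError("connection closed by proxy/server")
                buf += chunk
            return buf
        sock.sendall(handshake(host, port) + packet(0))   # packet(0) = status request
        decode_varint(read)                               # frame length
        if decode_varint(read) != 0:
            raise ValueError("unexpected packet id in status response")
        return json.loads(read(decode_varint(read)))
```

Call server_status("<your-aws-domain>") from a machine outside your home network; a JSON document with a "players" key means the whole chain (security group, sslh, NOIP name, router port forward) is working.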
Stage 7: Complete. Your Minecraft server is now protected through AWS services.
Security notes: By not publishing your home IP address for your Minecraft server, you reduce the amount of probing that might occur against your home IP. In addition, by allowing ONLY the AWS server as the source in your port forwarding rules for incoming connections, you block a lot of additional probing.
Note: The diagram that followed here (not reproduced) did not represent the actual routing of traffic, but rather the logical flow: Minecraft client to the AWS Elastic IP (sslh on port 25565), then to the NOIP domain name, then through the home router's port forward to the home Minecraft server.