I am going to try my best to explain my issue; however, this is my first experience with self-hosting a game server behind an OpenVPN server and I'm not experienced in doing so.

Currently I am hosting a game server on a VPS (I'll call this GS VPS). I am also hosting an OpenVPN server on a separate VPS (I'll call this VPN VPS). I am using the VPN VPS as an entry point to GS VPS, as the GS VPS provider has no DDoS protection and a very strict don't-get-DDoSed ToS; the VPN VPS has DDoS protection and is half the bandwidth of the GS VPS.

My configuration is that I have an OpenVPN server hosted on VPN VPS and GS VPS is connected to it (so GS VPS is the client and VPN VPS is the host). I am forwarding traffic incoming to the VPN VPS using an iptables NAT:

    # Redirect the game port to the OpenVPN client (GS VPS) over the tunnel
    sudo iptables -t nat -A PREROUTING -p udp --dport <game server port> -j DNAT --to-destination <OpenVPN client local address>:<game server port>
    # Rewrite the source address of forwarded traffic to the VPN VPS's own address
    sudo iptables -t nat -A POSTROUTING -j MASQUERADE

Now to my issue. On the game server all incoming traffic registers as coming from the local IP address of the OpenVPN server tunnel. This is an issue, as being able to see players' IP addresses is crucial in moderating. So my question: is there any way to hide a game server behind a proxy while at the same time preserving the IP addresses of connecting clients on the game server?

I've tried to look up a solution online, however I am not getting any hits. Is this possible with OpenVPN or any other proxy software? I am using Ubuntu Server 20.04.

2 Answers


It's possible with all VPN software. The only reason you're not seeing your clients' IP addresses is because of that MASQUERADE rule right there. Its literal purpose is to make the router rewrite the source IP address with the router's own. So the first step is to remove it.

But you needed that rule for its side-effect: because the source addresses are rewritten, that makes your game server send responses back over the VPN, and not directly over the internet. So the second step is to configure your game server to route everything through the VPN.

There are two ways to implement the second part:

  • Simpler: Route everything through the VPN. This might be better in your case because it protects the server's real IP address more; it's basically what you would do if you were using a VPN for privacy.

    OpenVPN can configure this automatically with this option:

    redirect-gateway
    
  • More complex: Configure "policy routing". This makes only responses to your clients go through the VPN, but when the game server itself initiates a connection, that still goes directly to the internet.

Note: With "redirect-gateway", you won't be able to SSH directly to the game server from anywhere except from the VPN server.

  • That's done by your first rule (the DNAT one). Commented Dec 26, 2020 at 13:40
  • The gateway has to change on the game server, which I understand is the OpenVPN client. (Your config shows that you already push that option from the server, which should do the job fine, as long as the client has pull of course...) Commented Dec 26, 2020 at 13:58
  • Just pull alone would be enough to import all the options that the server is trying to push. (Without it, those 'push' options on the server are kinda useless...) But it's up to you whether you want the client to "pull" options from the server, or whether you want to directly add redirect-gateway on the client itself, it'll end up doing the same thing. Commented Dec 26, 2020 at 15:30
  • Though before doing this, maybe make sure that you have some kind of console access to the game server, in case SSH stops working. Most likely you won't be able to SSH directly, but you should still be able to SSH first to the VPN server, and from there to the game server's "VPN client local address". Commented Dec 26, 2020 at 15:33
  • @Alsors: It is possible, but then you need the "policy routing" method. This is better documented elsewhere, but it involves using ip rule (and optionally iptables "mark") to select a whole routing table based on various conditions. Note that you probably won't need complex port-based iptables stuff – it is usually enough to just have a single policy rule that checks the source IP address (ip rule add from <VPNip> ...) and that'll match all responses that the game server sends to your clients. Commented Dec 27, 2020 at 11:40
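The "policy routing" method the answer and the last comment describe, as an added example that is not part of the original answer or comments. It runs on the game-server VPS (the OpenVPN client) and assumes placeholder values: tunnel interface tun0, client tunnel address 10.8.0.2, routing table 100; it also assumes the MASQUERADE rule on the VPN VPS has been removed so that only the DNAT rule remains.

```shell
#!/bin/sh
# Added example (not from the answer): policy routing on the game-server VPS.
# Only packets whose source is the tunnel address, i.e. the game server's replies
# to players that arrived via the DNAT, are sent back through the VPN; the server's
# own outbound connections keep the normal default route via its public interface.
#
# Placeholder values: tun0, 10.8.0.2 (client tunnel IP), table 100 (adjust to your setup).
# Prerequisite on this host: do not accept a pushed redirect-gateway, otherwise
# everything is tunnelled anyway. In the OpenVPN client config this is:
#   pull-filter ignore "redirect-gateway"

# Print (default) or apply ("apply" as 4th argument, needs root) the routing commands.
vpn_policy_routing() {
    vpn_if="$1"
    vpn_ip="$2"
    table="$3"
    mode="${4:-print}"
    # 1) A dedicated table whose only route sends everything into the tunnel
    #    (tun is point-to-point, so no gateway address is needed).
    # 2) A rule: anything sourced from the tunnel address consults that table;
    #    this matches exactly the replies to players.
    # 3) Loose reverse-path filtering on the tunnel as a precaution: player
    #    packets enter tun0 with public source IPs that the main table associates
    #    with the public interface, which strict rp_filter could reject.
    cmds="ip route replace default dev $vpn_if table $table
ip rule add from $vpn_ip lookup $table priority 1000
sysctl -w net.ipv4.conf.$vpn_if.rp_filter=2"
    if [ "$mode" = "apply" ]; then
        printf '%s\n' "$cmds" | while IFS= read -r c; do
            echo "+ $c"
            $c || exit 1      # exits the pipeline subshell, so the function returns 1
        done
    else
        printf '%s\n' "$cmds"
    fi
}

# Commands to undo the above (same print/apply convention).
vpn_policy_routing_undo() {
    printf '%s\n' "ip rule del from $2 lookup $3" "ip route flush table $3" \
        | if [ "${4:-print}" = "apply" ]; then while IFS= read -r c; do $c; done; else cat; fi
}

# Usage: review first, then apply as root.
vpn_policy_routing tun0 10.8.0.2 100
# sudo sh -c '. ./policy-routing.sh; vpn_policy_routing tun0 10.8.0.2 100 apply'
```

To verify after applying, `ip rule show` should list `from 10.8.0.2 lookup 100` and `ip route show table 100` should show only `default dev tun0`; the game server will then log players' real addresses while its replies still leave via the VPN VPS.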
Here’s the structure I understood:

[image: network diagram]

Unless your Gaming VPS were to join the VPN directly (probably not happening?) this will not work for the following reasons:

  • Your VPN VPS is most likely prohibited from sending traffic with anything but its own IP address
  • Even if it could, …
    • this would result in the response not returning to the VPN VPS (only traffic to the VPS' IP address(es) would reach it)
    • it would be using addresses internal to the VPN

So basically to have any chance at all to implement this, you’d need a large enough IP pool you could then use to 1:1 NAT the VPN’s internal IP addresses to public IP addresses that would all point at your VPN VPS.

There is absolutely no way to use the clients’ original IP addresses in all this.

My suggestion is to simply use a different game hosting provider with DDoS protection.
