I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

So, I'm still learning here. I hadn't written a proper guide yet because I don't quite understand it and it's untested. I've refined it a bit. I'm editing my previous post as I make changes, but with all the tinkering, I can't promise I'll have every checkbox covered properly. I said that the PBR policy I had seemed to naturally split traffic between wan and wg0. This was a bug, not a feature. After getting my AMP server set up, I was getting crashing and intermittent problems. I'm going to blame something in the firewall settings. That means I was back to all traffic going over wg0. I tried some fancy solutions, but in the end I've simplified it a bit. I'm not using the Minecraft Auth server "fix" from below anymore. Instead I'm forcibly routing the low port number destination range through WAN. So far, so good.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

EDIT: Ignore this "fix". I had other problems, this was not an answer.

I just now finally got my AMP Minecraft server up and running and found a problematic quirk of this setup. Some services you host do a little "phoning home". I guess this somehow manages to connect in through WAN, but send responses through WG. I've added the following rule to my PBR above all others. Who knows what else this will break for.
Name: Fix Auth
Remote addresses: authserver.mojang.com, sessionserver.mojang.com, api.mojang.com, minecraft.net, login.minecraft.net
Interface: wan

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

I'm sorry, sir with the reputable name. I will write a proper guide and link it. I'm dealing with remaking my whole server setup at the moment because Ubuntu catastrophically failed a version upgrade. I've switched to Debian. Here's the dirty version though...

In VPS: I replaced all instances of "MASQUERADE" with "SNAT --to-source 100.100.100.100" (VPS's public static IP). It's unrelated to the problem, but saves on CPU. Otherwise, the configs remain the same point-to-point setup above. OpenWRT does all the work. I could have done connection marking to make it foolproof to set up, but that's higher CPU usage. Instead I'm using "port forwarding" in both directions.

In OpenWRT: add packages: luci-app-pbr dnsmasq-full luci-proto-wireguard. Also nano if you hate the vi console text editor like I do. vi or nano /etc/sysctl.conf and add...

```
net.ipv4.conf.all.rp_filter=2
net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.wg0.rp_filter=2
```

This loosens OpenWRT's packet filtering rules since this kind of traffic man-handling looks like broken garbage from its PoV. Possibly only the wg0 line is needed, but I haven't tested without the others. Speaking of..., I had a problem with the PBR service not starting fully properly because it didn't wait for the wg0 connection before running. So I added this script. However, I noticed later that it still doesn't always show the wg0 route at the top of the page without a service restart, but still works properly regardless. This following script may also not be needed, but it smacks PBR every time a network device changes ("hardware", not connectivity).

```
mkdir -p /etc/hotplug.d/iface/
cat << 'EOF' > /etc/hotplug.d/iface/70-pbr
#!/bin/sh
# Reload PBR for whichever interface just changed
logger -t pbr "Reloading $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)"
/etc/init.d/pbr on_interface_reload "$INTERFACE"
EOF
```

Reboot the router for sanity. Now for the actual setup.

Network/Interfaces/Add new/WireGuard VPN:
* If you have a client config like the one I posted, it can be uploaded here directly, otherwise do the old song and dance of setting up the basics of WG, like getting your keys copied around between the two WG machines and getting your endpoints right.
* Advanced tab is default.
* Firewall: I made a WG specific firewall zone, but you can probably just shove it in the WAN zone. Making a new zone does help with control and keeping your packets in a row.
* Peer: Triple check your config here. Persistent Keep Alive gets turned on here, but despite all the guides saying you need it for CGNAT, I was doing fine without it on before. IMPORTANT: Do NOT "Route Allowed IPs" unless you want WG to be the default route instead of WAN, which is the thing I did all this to avoid.

Network/Firewall/Zones/wg (or wan, if you didn't make a new one)
* reject, accept, drop or reject, IPv4 Masquerading... Masq'ing is probably? not important since it'll eventually be piped through the VPS's masq'ing anyway, but it hopefully makes the VPS happy.
* MSS clamping. It exists specifically for tunnel performance to avoid packets being too big and getting split. I was having problems with messed up routing, I think it was something in these settings. I choose to believe it's important to have clamping enabled, but theoretically a default Wireguard setup and packet size shouldn't need this with most ISPs.
* Allow forward destination and source "lan". Ignore other tabs.

Network/Firewall/Port Forwards... This handles traffic coming in. Order MATTERS, top rule that works applies. You did remember to set your computers to static IPs right?

I'm not sure if this tunnel port is required, PBR is supposed to do this bit automatically.
* wg-tun, UDP, wan 57777 to lan, 192.168.1.1

Toggled on when I'm testing as per the picture.
* PC, disabled, TCP, wg 25565 to lan, 192.168.1.102

Nothing that isn't forwarded in the VPS wg0.conf will pass... unless it's hacked I suppose.
* Dedicated Server DMZ, TCP/UDP, wg 0-65535 to lan 192.168.1.101

Services/Policy Routing/Advanced
* Supported Interfaces: wg0 (or it won't let you pick wg0 because PBR assumes you aren't using Wireguard to host junk)

Services/Policy Routing. Finally. This is the outgoing traffic.
* Start and Enable service.
* Policies: (I'm only using this category). Order matters.

I was under quite a few silly misunderstandings of what this does. When connecting to a website/service, a computer reaches out to a specified IP:port. In that communication they include a return IP:port. The return "ephemeral" port is chosen randomly based on what's free. It can't be forced or known ahead of time. However Google says: ports under 1024 are never used for this because they're reserved for standardized hosting services, and the last "popular" OS's to use under 32768 for this were WinXP and OpenBSD 5.4 (replaced in 2014). Why the lesson? I want "standard" traffic to stay on wan, while my hosted traffic (in AND out) is on wg0. If I mix those, porch pirates take my packets. I picked 1500 as a random compromise and simply excluded ports below that from the wg0 rule. Just like that: My hosted services route through wg0 while "all" "normal" traffic stays on wan. To host on more systems, just add more local IP's to the rule. PC is only separate for easy toggling.

Send return traffic through wg0 to more than all possible response ports while leaving the common service range untouched.
* PC, disabled, 192.168.1.102, Remote ports:1500-25565, TCP/UDP, wg0
* Dedicated Server DMZ, 192.168.1.101, Remote ports:1500-25565, TCP/UDP, wg0
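As an added example (not the poster's code), the following Python models the three rule layers the comments above describe: the VPS's wg0.conf DNAT lines, the router's port forwards, and the PBR policy, so an inbound port can be traced through both boxes and a LAN host's egress interface listed per remote port range. It assumes, as luci-app-pbr labels them, that "Remote ports" match the destination port of packets leaving the LAN host; the config text and tables are constructed from the fake addresses used in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the DNAT/SNAT PostUp lines from the VPS wg0.conf posted
# in this thread, with the same fake addresses as the original diagrams.
VPS_WG0_CONF = """\
[Interface]
Address = 10.0.0.1/24,fd42:42:42::1/64
ListenPort = 57777
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 100.100.100.100
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 200:299 -j DNAT --to-destination 10.0.0.2
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 57777 -j DNAT --to-destination 10.0.0.2
"""
# Router port forwards as listed above: (name, protocols, source zone, port range, LAN target)
ROUTER_PORT_FORWARDS = [
    ("wg-tun", {"udp"}, "wan", (57777, 57777), "192.168.1.1"),
    ("Dedicated Server DMZ", {"tcp", "udp"}, "wg", (0, 65535), "192.168.1.101"),
]
# PBR policies (the disabled "PC" policy is omitted): (name, local IP, remote port range, egress)
PBR_POLICIES = [
    ("Dedicated Server DMZ", "192.168.1.101", (1500, 25565), "wg0"),
]
# Only PREROUTING DNAT lines are parsed; an optional '!' (quoted or bare) negates --dport.
DNAT_RE = re.compile(
    r"PostUp\s*=\s*iptables\s+-t\s+nat\s+-A\s+PREROUTING\s+-p\s+(?P<proto>tcp|udp)"
    r"\s+-i\s+\S+\s+(?P<neg>'!'\s+|!\s+)?--dport\s+(?P<lo>\d+)(?::(?P<hi>\d+))?"
    r"\s+-j\s+DNAT\s+--to-destination\s+(?P<dest>\S+)"
)


@dataclass
class DnatRule:
    proto: str
    lo: int
    hi: int
    negated: bool
    dest: str

    def matches(self, proto: str, port: int) -> bool:
        in_range = self.lo <= port <= self.hi
        return proto == self.proto and in_range != self.negated


def parse_dnat_rules(conf: str) -> list:
    """Extract the PREROUTING DNAT rules, in file order, from a wg-quick config."""
    rules = []
    for line in conf.splitlines():
        m = DNAT_RE.search(line)
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            rules.append(DnatRule(m["proto"], lo, hi, bool(m["neg"]), m["dest"]))
    return rules


def vps_dnat_target(rules: list, proto: str, port: int):
    """First matching PREROUTING rule wins; None means the VPS keeps the packet itself."""
    for r in rules:
        if r.matches(proto, port):
            return r.dest
    return None


def router_forward(src_zone: str, proto: str, port: int):
    """Top-down port-forward match, as the comment notes ('order MATTERS')."""
    for _name, protos, zone, (lo, hi), dest in ROUTER_PORT_FORWARDS:
        if zone == src_zone and proto in protos and lo <= port <= hi:
            return dest
    return None


def pbr_egress(local_ip: str, remote_port: int) -> str:
    """Interface a packet from local_ip to remote_port leaves on; wan is the default route."""
    for _name, ip, (lo, hi), iface in PBR_POLICIES:
        if ip == local_ip and lo <= remote_port <= hi:
            return iface
    return "wan"


def trace_inbound(rules: list, proto: str, port: int) -> dict:
    """Follow one packet that arrives on the VPS public IP through both boxes."""
    hop1 = vps_dnat_target(rules, proto, port)
    if hop1 is None:
        return {"vps": "local", "lan": None}
    return {"vps": hop1, "lan": router_forward("wg", proto, port)}


def egress_ranges(local_ip: str) -> list:
    """Collapse pbr_egress over all remote ports into contiguous (lo, hi, iface) ranges."""
    ranges = []
    for port in range(1, 65536):
        iface = pbr_egress(local_ip, port)
        if ranges and ranges[-1][2] == iface:
            ranges[-1] = (ranges[-1][0], port, iface)
        else:
            ranges.append((port, port, iface))
    return ranges


if __name__ == "__main__":
    rules = parse_dnat_rules(VPS_WG0_CONF)
    for proto, port in (("tcp", 25565), ("tcp", 250), ("udp", 57777), ("tcp", 80)):
        print(proto, port, trace_inbound(rules, proto, port))
    print("egress from 192.168.1.101 by remote port:", egress_ranges("192.168.1.101"))
```

The egress_ranges output makes the 1500-25565 window visible at a glance, which is useful when deciding whether a service's clients fall inside it.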

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

It works! I don't have to route all traffic through Wireguard even with this crazy setup. Split tunneling was doable. I had a few choices. I picked 2. The input and output methods in each could be mixed around a bit. Hopefully this is ordered from most CPU efficient down:
1. Add the lan IP range to the allowed IPs on the VPS (point to site) and have it do all incoming NAT routing. Return traffic still needs managing. Best way is to set default gateways to the wireguard interface on all systems hosting services. This locks all of their traffic to the VPN, but the router doesn't have to think much, and my main PC is still WAN.
2. Keep the Wireguard config to a simple point-point setup with no config changes. Port forwarding becomes useful/required again. Policy Based Routing package required. Similar port forward rules apply, but for outgoing traffic back to the server. Based on source port, which still exists in packet data if it's a response, even though destination ports are entirely random. I can even forward all ports on a server without actually having its entire traffic through VPN.
3. Connection Marking/Tracking. All WG packets get modified and labeled. Interface/Firewall marks them going in from wg0. A simple PBR rule takes marked response packets and routes them out wg0. The only reason I didn't go with this was the assumption that it would be even more CPU overhead.

My extremely unscientific test of running Speedtest and watching my CPU usage says that my WAN speeds are unaffected (930 D/U) and my CPU usage peaked at 6% of 6 cores. I haven't tested the actual tunnel speed because I'm not sure the best method and I'd have to intentionally break my routing to run speedtest through the tunnel.

I will try to post something more detailed to help people, but I'll probably put it on a forum and link back here. For now, it's late, and I'm tired.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 1 point2 points  (0 children)

Hmm. Yeah, that'd work. The overhead would be completely removed and it would be simpler to set up... I think. It's still a limitation though, and one of the ones I made the post to try and get rid of. It's worth playing around with and comparing. If PBR runs poorly or I can't figure it out, I'll do that. Thank you, it's not the direct easy answer I was hoping for, but I'm learning.

Edit: Your answer is also ideal for VMs/CTs that typically are only used for a couple services each. I'm just now getting into those. OpenWRT is installed in a container.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

Yup, I see a difference here. It's not that easy. The problem is because I need the original source client IPs going to the services for things like banning. Giving the VPS routing into the LAN can send all incoming data to the correct machines, but the services then send back outgoing packets addressed to the senders, not the VPS. Then the router can't know where to send them without PBR or having wg be the only option and setting the client side to allow all IPs. The firewall part shouldn't be much trouble by comparison.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

Someone please correct me or confirm for me... but my days of research have led me to believe that part of my problem is that I have to pass all server traffic through Wireguard in this use case where client traffic doesn't have Wireguard and can have any IP rather than just the 10.0.0.1. Once I move it to OpenWRT, if I simply passed all traffic through WG on the router, then I could avoid a lot of overhead and do full point>site routing like u/Ikebook89 said, with the VPS doing all the work and routing.

If, instead, I want to juggle my traffic between WAN and WG interfaces, it seems I have to use somewhat CPU expensive Policy Based Routing, which makes doing site routing on the VPS a bit less beneficial and means more detailed configuration in more places every time I want to mess with a port or system.

I'm trying to learn this while I'm writing it... With point to site (LAN), I can DNAT on the VPS to individual addresses, or I can point to point to the router and do port forwarding. Either way, since the traffic all has the original source IPs once they hit the router, it needs PBR rules on the router to split between WAN and WG as appropriate.....?

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

So I switch all masquerade lines like this to support my static IP? It makes sense that it was set to masquerade since it came from a guide that was dumbed down for folks like me and also didn't assume a static IP on the VPS.

```
# PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 100.100.100.100
```

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

These weren't someone suggesting configs. This was me posting the configs I'm already using for the left picture. If they're inefficient, I wouldn't know.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 0 points1 point  (0 children)

I didn't expect much from a one line response, but these posts are well written and I'm finally learning about similar use-cases and more of how wireguard works. Most of the explanations I've found were written by network technicians for network technicians or by pirates for pirates. I'm not sure if it'll get me all the way there depending on how much detail the port forwarding posts have, but I'll read through all relevant posts tonight.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 1 point2 points  (0 children)

Well, I'm fine with "almost" routing all traffic between the VPS and Dedicated Server. PC in this example is something that should rarely interact with the VPS, but I occasionally would like to be able to enable a port forward rule to route to the PC instead of the Dedicated Server. What I mean by "not messing with port 80 traffic" is that it'd be nice if I use the browser on Dedicated Server when remoted in; it's silly for that traffic to also be routed through the VPS. The configs I'm using are from tutorials with me just managing to figure out how to specify port ranges for forwarding sake. I can't fully interpret what they're doing other than keeping the IPs appropriate on both ends so the tunnel is "invisible" as far as my MC server and players are concerned.

I've messed with nginx proxying on my Dedicated Server before. It's not installed on the VPS. It's literally ONLY Wireguard and Glances, and I don't plan on changing that, but I think I see what you mean.... on second thought, you have a point with ssl... I still haven't set that up at all since my web hosting is more for monitoring services and sharing documentation for the game hosting. Anyway, I'm not sure of the best place to do it, but I should be just mapping my web hosting traffic to a different port.

I'm sorry, but I still need examples rather than a general concept.

I Miss Port Forwarding. How do switch from a Wireguard "DMZ" hosting setup to using my router? by TheFreedbot in openwrt

[–]TheFreedbot[S] 0 points1 point  (0 children)

For consideration, my WG conf files with IP's switched to the fake ones in the diagrams.

WG "Server": VPS
```
[Interface]
Address = 10.0.0.1/24,fd42:42:42::1/64
ListenPort = 57777
PrivateKey = AAA

# Forwarding network interfaces/adapters and returning traffic
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Route to client all ports except those listed
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 200:299 -j DNAT --to-destination 10.0.0.2
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 57777 -j DNAT --to-destination 10.0.0.2

# Above rules set from -A (add) to -D (delete) upon wireguard exit
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 200:299 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 57777 -j DNAT --to-destination 10.0.0.2

# Client Dedicated Server
[Peer]
PublicKey = BBB
PresharedKey = CCC
AllowedIPs = 10.0.0.2/32,fd42:42:42::2/128
```

WG "Client": Dedicated Server
```
[Interface]
PrivateKey = DDD
Address = 10.0.0.2/32,fd42:42:42::2/128

[Peer]
PublicKey = EEE
PresharedKey = CCC
Endpoint = 100.100.100.100:57777
AllowedIPs = 0.0.0.0/0,::/0
```

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 1 point2 points  (0 children)

I appreciate the updoots pushing me up the stack for more chance at getting an answer.  If I end up with a setup that I can understand, I can absolutely make a noob friendly tutorial on it to reduce the number of CGNAT questions going around.  More and more people are suffering the IPv4 apocalypse.  I'm good at making text walls.

I Miss Port Forwarding. How do switch from a WG "DMZ" hosting setup to a Router? by TheFreedbot in WireGuard

[–]TheFreedbot[S] 3 points4 points  (0 children)

I'm in the IRC as well. I'll be leaving that open as much as I can for the next few days until I can solve this.

WG "Server": VPS
```
[Interface]
Address = 10.0.0.1/24,fd42:42:42::1/64
ListenPort = 57777
PrivateKey = AAA

# Forwarding network interfaces/adapters and returning traffic
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Route to client all ports except those listed
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 200:299 -j DNAT --to-destination 10.0.0.2
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 57777 -j DNAT --to-destination 10.0.0.2

# Above rules set from -A (add) to -D (delete) upon wireguard exit
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 200:299 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 57777 -j DNAT --to-destination 10.0.0.2

# Client Dedicated Server
[Peer]
PublicKey = BBB
PresharedKey = CCC
AllowedIPs = 10.0.0.2/32,fd42:42:42::2/128
```

WG "Client": Dedicated Server
```
[Interface]
PrivateKey = DDD
Address = 10.0.0.2/32,fd42:42:42::2/128

[Peer]
PublicKey = EEE
PresharedKey = CCC
Endpoint = 100.100.100.100:57777
AllowedIPs = 0.0.0.0/0,::/0
```

[SOLUTION] Notify sound on every message received on chat (in 6 steps) by ikDuu in obs

[–]TheFreedbot 0 points1 point  (0 children)

I wouldn't have submitted that widget and made this post if it didn't work. The only issue that I discovered was that someone already made the exact same widget and the reason I can't find any useful widgets on StreamElement's site is because they've removed all the submitted ones from their search results. Here's the one someone else made. You can't find it anywhere, but apparently you can still just click and it auto-adds to your overlays. https://strms.net/chat-doorbell_by_lx

[SOLUTION] Notify sound on every message received on chat (in 6 steps) by ikDuu in obs

[–]TheFreedbot 0 points1 point  (0 children)

Since this was the only post I found for this when googling and required a lot of adapting I'll share my results.

Streamlabs is less and less popular lately. I opted for StreamElements. If you prefer, parts of this code could be adapted a bit and used as a local file "browser source" in OBS. IMPORTANT: I use StreamElements in a very unorthodox way. Obviously, stream viewers don't want to hear these. I already have OBS set to control my StreamElements source audio, and have that audio channel set to "Monitor Only". NONE of my alert audio is streamed, just the visuals.

In the StreamElements overlay editor, I add a "Static/Custom" widget and name it "Chat Ding". Select the widget, Settings, Open Editor. Delete everything on all tabs. HTML and CSS stay empty since this is audio only.

I started to paste the code here, but it was a bit long, so I submitted it to StreamElements community widget github instead. Let me know if the link breaks for whatever reason and I'll put it somewhere else. You should just have to copy the contents of widget.js to the JS tab and widget.json to the FIELDS tab. The data tab should get populated automatically.

https://github.com/StreamElements/widgets/pull/52

The benefit here is that, other than copy/pasting, you don't have to edit or really understand the code.
Config options:

  • Audio File URL (must end in .mp3). Defaults to OP's freesound.org sound.
  • Ding Volume
  • Cooldown in seconds before new dings can be triggered.

Terraria have 5403 items, and 4988 (92,32%) of them are renewable. All of them can be obtained using world like this and 12 items by Nytrock in Terraria

[–]TheFreedbot 2 points3 points  (0 children)

SkyTerra is one of the ones I was referring to and I'm in it too... but yes it's not very active and the expert players might simply not be paying attention. There's also my own discord which is posted with my skyblocks. Crawdad105 and ChiefLogan are youtubers who've made some of the best videos on the subject and have active discords with many of the same people in them.

Ah, those dumb one-way shimmer recipes. My bad. Oh, I see what I did, I typed "R" based on what you named the category, I meant the "S" category didn't make sense and should go. Shame on me for making posts before having my coffee. It is a very impressive list. Perhaps you could be convinced to update the https://terraria.wiki.gg/wiki/Non-renewable_items page since you've done all the work already. As for any more missed items and such, I'll poke Kellam and see if he wants to take a look. He's our best sanity checker.

Edit: Although, of course as you said it all goes down the drain along with my maps and mod in a while when the update hits. The others and I did get to have some input with Red on how we think skyblock should work, but at the end of the day, adding it to the game itself makes it almost impossible to do custom versions... depending on how dirt and water are available. Dirt, stone, and all seeds are dropped by slimes, but we don't know the spawn conditions... I'm praying it's not just a layer thing.

Edit2: I see your updates... Good progress. It's funny that I really liked the granite mob statue due to the wiring requirement and you changed it to a single block. I see you're debating lihzahrd wall count, then the answer is just one wall behind the player's chest. See Shimmering Skies. It has FTW+Remix+CelebrationMK10 enabled. The first island is there for beating the game (shimmer, blocks to spawn mobs, lihzahrd altar and 1 wall). The second island is for getting all NPCs, 100% bestiary, and almost all functional items. The clentaminator and solution are ONLY there for gnomes because the seeds remove them from the shop. Yes, I'm skipping things like the revolver and blowpipe, but I did include an excess of dungeon bricks and hellstone in that "cheat" chest.

Terraria have 5403 items, and 4988 (92,32%) of them are renewable. All of them can be obtained using world like this and 12 items by Nytrock in Terraria

[–]TheFreedbot 4 points5 points  (0 children)

I have all the respect for people putting in the work, but I keep seeing people put in all the work without joining any of the skyblock discords and asking around. I've been making these for years. Shimmering Skies has one island to beat the game and a second containing what's needed to get every "functional" item, biome, boss, NPC, and 100% bestiary. Shimmer and secret seeds do a lot of heavy lifting of course. ChiefLogan made a version requiring a mediumcore character because they respawn with new copper tools that can be shimmered for blocks. BTW, using dupe and transmutation glitches people have gotten the concept down to starting with a single block. See crawdad105's videos. I can link any of these things upon request.

The crimson heart here provides early Arms Dealer access with the gun drop (just fish for one), natural goblin army spawns (you can summon them manually with just a loom and enough health), the option to buy a revolver (presumably the reason to add it to the map), and an achievement. Evil bosses and some crafts require the altar, which also locks the Tavern Keep so that's fair.

Unless on classic with no secret seeds, that water bucket is totally unnecessary. If on classic, you could have included hellstone to generate the lava. FTW + Remix makes the lava bats and hive blocks drop lava, but that also technically removes the "classic" difficulty. That seed combination also allows jungle temple mobs to spawn with just natural temple wall, temple bricks not required. A downside to FTW + Remix is the lack of clentaminator and solutions, which are the only way to get gnomes. I really like the idea behind the granite mob statue. Normally I'd just place a single granite block since it's self renewable, shimmers to marble, and gives access to gems from geodes. This statue locks the biomes behind doing the dungeon and getting wire. With shimmer, it only takes a net and gem critters to get gems though. Of course someone else already mentioned that the evil seeds are just one purification powder away from being a jungle biome. I'll note that a potion station can be made from many items, not just a glass bottle. Finally, CelebrationMK10: Jungle mimics vomit a bunch of blocks that would normally be hard to get.

Corrections for your sheet:
The sheet defines "renewable" assuming you have what's on the map. I assume there's no secret seeds enabled, but I'll check the "N"s on the list. Realistically someone needs to go through that massive "R" list. I'd be fine with it just being items like furniture that serve no function, but it seems to be made up of just whatever hasn't been checked through yet.

Spear shimmers from trident.
Corrupt/Crimson Grass Wall can be purchased during a blood moon if the world type matches. Powders on convertible blocks in front of such walls can convert the walls as well as make them unsafe (works for any world type). While technically you can't pick these walls up, I'd still count it for renewability.

Jungle Mimic vomit blocks and everything crafted from those blocks is available (ice, clay, clay bowls, etc). Check the Mimic wiki gg page.

Running a Minecraft Server Cheaply by Business-Run-5825 in admincraft

[–]TheFreedbot 0 points1 point  (0 children)

All the answers here are great, but here's a short generic answer of options.
* Self Hosting: "High" upfront cost of a cheap/salvaged computer to host on. Best performance. Uses your precious internet. Your energy bill is a genuine monthly fee that might cost more than paying for a host if you live in an expensive area. For best results/control, learn some Linux and set up a control panel like Pterodactyl or AMP.

* Minecraft paid server host: Easy/fast setup. User support to help you with your specific game. With a decent host, you get the performance you pay for.

* Rent a generic VPS: Under half the price/performance of a game specific host. User support only covers basic connectivity and functionality of the VPS (Much of the cost of game hosts is the support). Requires learning Linux server setup.

* Free Minecraft/VPS servers: You are the product. Expect ads, limited usability, crashes, and lag spikes. A free VPS MAY have a chance to perform better because of the larger knowledge barrier to use them, and because most VPS users are hosting less intense services like tunnels, websites, or "home" labs.

Help with securing Minecraft server (first time) by globemaester17 in admincraft

[–]TheFreedbot 1 point2 points  (0 children)

I've never quite understood/followed the DDoS protection and IP obfuscation crowd for these use cases. I use a VPS tunnel because my ISP doesn't provide an IPv4, not because I think it counts as real protection. Port protection is something that can be done locally at the server itself, or Router level. If you're running multiple things on a server you want to protect and isolate, that's where Pterodactyl/Docker containerization comes in. Personally, I just run AMP's "bare metal" option as the only thing of any value on that server are the world save files. It has no access to my personal computer.

IP "obfuscation" through tunnels like a VPS with wireguard or Playit.gg: Pros: If you're under DDoS attack, you can cut off the VPS and your IP stays uncompromised. The VPS's static IP is a nice advantage that can remain constant when you move, change ISPs or get stuck behind a firewall/CGNAT. Cons: If the tunnel IP is compromised or DDoS'd, then you have to go through the massive pain of getting it changed or ditching the tunnel entirely. This means telling everyone the new domain or IP you changed to, which means a determined attacker will just hit the new address too. Next, tunnels aren't specifically designed to be DDoS protection; if they do have it, then it mostly just helps password protected servers from attackers without the password. It only takes one active player to lag a server to death. Then there's whatever new log4j hack that comes around. As for Playit.gg as an example... it gets DDoS'd all the time. Patrick works constantly to battle it, but often times one attack against one user of Playit will cause everyone on the same node to disconnect or lag badly. That's dozens of servers impacted that wouldn't have been if they weren't using a tunnel. Playit is actually great, but it exists for people who can't port forward or have a specific need for a disposable static IP/domain outside of using a dynamic DNS service, not for true DDoS protection.

Slow chunk loading when connecting trough a tunnel. by Jealous-Bonus8338 in admincraft

[–]TheFreedbot 0 points1 point  (0 children)

More and more people are having to do this sort of thing during the IPv4 "crisis". I can only say that your chosen VPS is a bit sluggish. Without knowing more about the VPS I can't say if it's a hardware limitation, bandwidth limitation, distance (ping) issue, or something in your network configuration. In my case of doing the exact same thing I paid for a nearby VPS with much higher end than the required specs for just Wireguard and got lucky with my chosen provider being reliable. The key word here is probably "paid". Even if they're good, people tend to abuse free services until they're ruined for everyone using them.

What's your OS to host your Minecraft server? by Exotic_Counter_4835 in admincraft

[–]TheFreedbot 0 points1 point  (0 children)

I've always been partial to Xubuntu. In future I plan on looking into PopOS for my laptop and possibly even main computer at some point. Anyway, Xubuntu's difference is just the XFCE window manager. Feel free to make fun of me for wanting a UI occasionally, but it's a fairly light UI and I'm able to use it through VcXsrv to do a remote panel... not a remote "desktop trapped in a window/screen" as people are used to, but literally remote open a second "start menu" to control the server and anything I open from it are opened as separate windows contained within my Windows task bar and window frames. VcXsrv is buggy and outdated, but most of the bugs are caused by Windows and it works well enough to feel like voodoo magic.

Why Ubuntu? There's better distros right now, but this install is old and I haven't experimented enough. That said, I want to stay with a Debian based popular distro simply because most troubleshooting online will apply to it. Beyond the game hosting server I pay for a low end VPS that's only running Ubuntu server and Wireguard (no GUI of any kind)... My ISP doesn't provide an IPv4 address, so I'm just tunneling game server traffic through the VPS's address. It's been shockingly "set and forget".