Background

Some time ago, at the end of last year or so, I set up a Minecraft server at home. It’s public, in the sense that anyone can join, but it isn’t listed anywhere other than on its own small website. So, for now, it’s used by friends only.

But I thought, it would be nice to list the server somewhere on a big list, in the hope to get more players and build a community, right?

Except, I heard that small servers that get put on such lists tend to get DDoS’d just for fun or by the “competition”. I don’t know whether those rumors are true, but I didn’t want to risk it. Since my server runs at home, it would be my home network that got attacked. Considering the ongoing pandemic and working from home, having the home internet keep working is a must.

My initial thoughts

So, at first I thought I’d have two options:

  1. Either get some proper, dedicated hardware firewall, or
  2. Host the server at some big dedicated server provider that includes free DDoS protection.

The first one probably wouldn’t work: I have a home connection with limited bandwidth, so there’s only so much a firewall could do once the flood has already filled the link before reaching it… and any dedicated firewall that’s worth anything would probably cost too much to be worth it. The second option, too, can get pricey quickly (if I want something of similar power to the server I have at home).

The other solution I went for

So, I came up with another, third solution… I offloaded the network and firewall to “the cloud”! OK, bear with me, I really am still hosting the server at home… Let me explain!

I first looked for a big, reputable server provider that offers free DDoS protection for all their products, and found a tiny VPS for about 2-3 EUR (~US$3) per month.

So, what do I have now? A static IP address, and free DDoS protection… and a server at home. So, here’s where the fun begins:

I set up a Minecraft server proxy on that VPS. The advantage of using a proxy instead of the next step alone is that not only do I now have a static IP that people connect to (with free DDoS protection), but the server also always appears online as long as the VPS is online, which should be more than 99% of the time.

The next step was setting up a WireGuard tunnel (that’s a VPN) between that VPS and my home server.

So, what happens is this: players connect to the VPS/proxy seamlessly, as they would with any other server. The proxy does the handshake with the client and the account verification in the background (as if it were a server on its own), and if everything checks out, it connects to the backend (my home server) through WireGuard. Players don’t notice a thing, and there’s no lag either when playing.

While I could have just used WireGuard without a Minecraft proxy and forwarded everything to my home server, I decided it makes sense to offload some parts, and it should also improve the DDoS protection (otherwise, I guess, one could spam that port and have it all forwarded to my home connection, even if the packets are not legitimate, unless the provider’s DDoS firewall catches them). And since home networks are not as reliable as data center networks, I should get slightly better uptime towards outside observers. ;)
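As an added illustration (not my actual files), this is what the two WireGuard ends of the setup above could look like, plus the one line that keeps the Minecraft server listening only on the tunnel. The home side dials out to the VPS, so no port has to be forwarded at home; the tunnel addresses, file paths, port and key placeholders are assumptions.

```ini
# --- VPS side: /etc/wireguard/wg0.conf (assumed path) ---
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
# placeholder, generate with: wg genkey
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# the home server; no Endpoint here, because home initiates the tunnel
PublicKey = <HOME_PUBLIC_KEY>
# only the home server's tunnel address is routed into the tunnel
AllowedIPs = 10.0.0.2/32

# --- Home side: /etc/wireguard/wg0.conf (assumed path) ---
[Interface]
Address = 10.0.0.2/24
# no ListenPort: the home side only ever dials out
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
# the VPS; its static IP is the only thing the public ever sees
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# only traffic for the VPS goes through the tunnel, not the whole internet
AllowedIPs = 10.0.0.1/32
# keep the NAT mapping open so the VPS can reach home at any moment
PersistentKeepalive = 25

# --- Home side: server.properties of the Minecraft backend ---
# bind to the tunnel address only, so the backend is unreachable from
# the public internet and from the LAN; the proxy on the VPS points at
# 10.0.0.2:25565 as its backend
server-ip=10.0.0.2
server-port=25565
```

"Pulling the plug" is then just `wg-quick down wg0` on the home side, after which nothing on the VPS can reach the backend at all.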

Conclusion

So, my home network is protected from DDoS: my IP is never shown to the public, the proxy should only forward valid packets (or at least packets from clients that have authenticated with a valid Minecraft account), and the server/proxy itself should be protected from generic DDoS by the hoster’s firewall. I’m sure someone could find a way to bring down the proxy itself, depending on how the hoster’s firewall works, but it wouldn’t affect me. The backend isn’t publicly on the internet and can only be accessed through the tunnel. Worst-case scenario, I “pull the plug” on the tunnel. But I hope it wouldn’t get that far, considering the layers of protection. (:

And that is how I got Minecraft DDoS protection at home for cheap.

PS No, I don’t want you to test it. :D