Hello everyone :D
I’m looking to host some gaming servers to play with my friends (minecraft, enshrouded, and others), and some apps (paperless-ng, jellyfin, seafile, etc.). Each game server must be accessible from the Internet, but only certain applications will be accessible (jellyfin, etc.)
I don’t want to open any ports on my router or share my public IP. I already have a domain name, and I’m thinking of using some VPS to host a reverse proxy with tailscale or netbird.
For the VPS, I’m thinking of using OVH with unlimited bandwidth. I already have the domain name here, and I live in France where the servers are.
A few questions :
- Is this a good idea ? Any better solution is welcome.
- I don’t really know how I’m going to redirect subdomains to use the correct reverse proxy. Local DNS on the VPS ?
- Tailscale or Netbird ? (I actually don’t have any idea)
- Won’t using Tailscale or Netbird like this cause performance losses on game servers ?
Reverse proxy :
Using a VPN (like Tailscale or Netbird) will make setup very easy, but probably a bit slower, because they probably connect through the VPN service’s infrastructure.
My recommended approach would be to use a directly connected VPN, like OpenVPN, that just has two nodes on it – your VPS, and your home server. This will bypass the potentially slow infrastructure of a commercial VPN service. Then, use iptables rules to have the VPS forward the relevant connections (TCP port 80/443 for the web apps, TCP/UDP port 25565 for Minecraft, etc.) to the home server’s OpenVPN IP address.
My second recommended approach would be to use a program like openbsd-inetd on your VPS to forward all relevant connections to your real IP address. Then, open those ports on your home connection, but only for the VPS’s IP address. If some random person tries to portscan you, they will see closed ports.
Just chiming in about Tailscale.
The initial connection uses their server just to reach / connect to the other peer. After that, the peers are connected directly and all communication is direct.
That’s a good news.
I’m going to try your first approach, which seems to be what I want.
The second one looks tempting, but the first one seems to be more secure, I think.