Difference between revisions of "Sample TLS Configuration"
Latest revision as of 13:06, 1 March 2020
To add TLS (secure connection) support to your game without changing your code base, while still having your server see the originating IP address, see below. (Normal SSL tunnels will show the IP of the proxy server). This has been tested on a fresh Debian stable install.
Credit to Paul Saindon from Iron Realms for writing this up.
1. Install Stunnel4
$ sudo apt-get install stunnel4
2. Create stunnel4 file /etc/stunnel/rapture.conf
(rapture is an example name; replace it with the name of your server engine.)
pid = /run/rapture-stunnel.pid

[rapture]
cert = /etc/stunnel/localhost.crt
key = /etc/stunnel/localhost.open.key
accept = 6003
connect = 127.0.0.1:6002
transparent = source
Note: In this example, 6003 is the port that accepts TLS connections and 6002 is the normal (plaintext) server port. Change accordingly. You must also replace the cert and key with your own cert/key.
3. Enable stunnel. Open the file /etc/default/stunnel4 and change
ENABLED=0
to
ENABLED=1
4. Start stunnel
$ sudo systemctl start stunnel4.service
5. Install ipset
$ sudo apt-get install ipset
6. Create ipset to use
$ sudo ipset create stunneled hash:ip,port -exist timeout 300
7. Configure IPTables
$ sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 6003 -j SET --add-set stunneled src,srcport
$ sudo iptables -t mangle -N DIVERT
$ sudo iptables -t mangle -A OUTPUT -p tcp -m set --match-set stunneled dst,dstport -m tcp --sport 6002 -j DIVERT
$ sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1
$ sudo iptables -t mangle -A DIVERT -j ACCEPT
8. Add routing rule
$ sudo ip rule add fwmark 1 lookup 100
$ sudo ip route add local 0.0.0.0/0 dev lo table 100
9. Disable RP Filter for lo
$ sudo sh -c "echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter"
10. Turn on route_localnet (depends on OS)
$ sudo sysctl -w net.ipv4.conf.default.route_localnet=1
$ sudo sysctl -w net.ipv4.conf.all.route_localnet=1
Note: These rules are not permanent by default. Test and then use your preferred method to restore on reboot.
Note: Based on the above, Tamarindo's implementation deployed on AWS (Amazon Linux 2) is at https://github.com/age-of-elements/age-of-elements#encrypt-data-in-transit
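Since the rules above do not survive a reboot, one way to restore them is a script that re-applies steps 6 to 10 idempotently. The script below is an added example, not part of the original write-up or of Iron Realms' or Tamarindo's setup; the port and set name variables are assumptions and must match your stunnel configuration.

```shell
#!/bin/sh
# Idempotent restore of the stunnel transparent-proxy rules (added example).
# ACCEPT_PORT/CONNECT_PORT/SET_NAME are assumed defaults; adjust to your config.
set -eu

ACCEPT_PORT="${ACCEPT_PORT:-6003}"    # TLS port stunnel listens on
CONNECT_PORT="${CONNECT_PORT:-6002}"  # plaintext port the game server listens on
SET_NAME="${SET_NAME:-stunneled}"
MARK=1
TABLE=100

# Emit the mangle-table rules, one per line, for the given ports and set.
# Pure function so the rule list can be inspected or tested without root.
mangle_rules() {
    accept="$1"; connect="$2"; set="$3"
    echo "PREROUTING -p tcp -m tcp --dport $accept -j SET --add-set $set src,srcport"
    echo "OUTPUT -p tcp -m set --match-set $set dst,dstport -m tcp --sport $connect -j DIVERT"
    echo "DIVERT -j MARK --set-mark $MARK"
    echo "DIVERT -j ACCEPT"
}

# Append a mangle rule only when an identical one is not already present
# (iptables -C exits non-zero if the rule is missing).
ensure_rule() {
    # shellcheck disable=SC2086  # word-splitting the rule string is intended
    iptables -t mangle -C $1 2>/dev/null || iptables -t mangle -A $1
}

apply_all() {
    # -exist makes ipset create a no-op if the set is already there.
    ipset create "$SET_NAME" hash:ip,port -exist timeout 300
    iptables -t mangle -N DIVERT 2>/dev/null || true   # chain may already exist
    mangle_rules "$ACCEPT_PORT" "$CONNECT_PORT" "$SET_NAME" | while read -r rule; do
        ensure_rule "$rule"
    done
    # ip rule has no -C equivalent; ip rule show prints the mark in hex.
    ip rule show | grep -q "fwmark $(printf '0x%x' "$MARK") lookup $TABLE" \
        || ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route replace local 0.0.0.0/0 dev lo table "$TABLE"
    sysctl -q -w net.ipv4.conf.lo.rp_filter=0
    sysctl -q -w net.ipv4.conf.default.route_localnet=1
    sysctl -q -w net.ipv4.conf.all.route_localnet=1
}

# Only touch the system when invoked as "apply" (as root); otherwise the file
# just defines the functions, e.g. for inspection with: sh restore.sh show
case "${1:-}" in
    apply) apply_all ;;
    show)  mangle_rules "$ACCEPT_PORT" "$CONNECT_PORT" "$SET_NAME" ;;
esac
```

Run it as root from your boot mechanism of choice (a systemd unit, rc.local, or a cron @reboot entry) with the argument apply.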