Sample TLS Configuration - Revision history

Tamarindo: Linked to Tamarindo's stunnel implementation

2020-03-01T13:06:35Z

Linked to Tamarindo's stunnel implementation

Vadi at 03:27, 3 February 2019

2019-02-03T03:27:22Z

Vadi: Created page with "To add TLS (secure connection) support to your game without changing your code base, while still having your server see the originating IP address, see below. (Normal SSL tunn..."

2019-02-02T15:33:59Z

Created page with "To add TLS (secure connection) support to your game without changing your code base, while still having your server see the originating IP address, see below. (Normal SSL tunn..."

New page

To add TLS (secure connection) support to your game without changing your code base, while still having your server see the originating IP address, see below. (Normal SSL tunnels will show the IP of the proxy server). This has been tested on a fresh Debian stable install.

Credit to Paul Saindon from Iron Realms for writing this up.

1. Install Stunnel4

$ sudo apt-get install stunnel4

2. Create stunnel4 file <code>/etc/stunnel/rapture.conf</code> (rapture is an example, replace with any server engine.)

pid = /run/rapture-stunnel.pid
[rapture]
cert = /etc/stunnel/localhost.crt
key = /etc/stunnel/localhost.open.key
accept = 6003
connect = 127.0.0.1:6002
transparent = source

{{Note}} In this example, 6003 is the port for ssl requests and 6002 is the normal server port. Change accordingly. You must also replace the cert and key with your own cert/key.

3. Enable stunnel. Open file <code>/etc/default/stunnel4</code> and change

ENABLED=0
-- to --
ENABLED=1

4. Start stunnel

$ sudo systemctl start stunnel4.service

5. Install ipset

$ sudo apt-get install ipset

6. Create ipset to use

$ sudo ipset create stunneled hash:ip,port -exist timeout 300

7. Configure IPTables

$ sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 6003 -j SET --add-set stunneled src,srcport
$ sudo iptables -t mangle -N DIVERT
$ sudo iptables -t mangle -A OUTPUT -p tcp -m set --match-set stunneled dst,dstport -m tcp --sport 6002 -j DIVERT
$ sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1
$ sudo iptables -t mangle -A DIVERT -j ACCEPT

8. Add routing rule

$ sudo ip rule add fwmark 1 lookup 100
$ sudo ip route add local 0.0.0.0/0 dev lo table 100

9. Disable RP Filter for <code>lo</code>

$ sudo sh -c "echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter"

{{Note}} These rules are not permanent by default. Test and then use your preferred method to restore on reboot.

← Older revision		Revision as of 13:06, 1 March 2020
Line 62:		Line 62:

	{{Note}} These rules are not permanent by default. Test and then use your preferred method to restore on reboot.		{{Note}} These rules are not permanent by default. Test and then use your preferred method to restore on reboot.
		+
		+	{{Note}} Based on the above, [https://github.com/age-of-elements/age-of-elements#encrypt-data-in-transit here] is Tamarindo's implementation deployed on AWS - Amazon Linux 2.

← Older revision		Revision as of 03:27, 3 February 2019
Line 53:		Line 53:

	$ sudo sh -c "echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter"		$ sudo sh -c "echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter"
		+
		+	10. Turn on <code>route_localnet</code> (depends on OS)
		+
		+	sysctl -w net.ipv4.conf.default.route_localnet=1
		+	sysctl -w net.ipv4.conf.all.route_localnet=1
		+
		+

	{{Note}} These rules are not permanent by default. Test and then use your preferred method to restore on reboot.		{{Note}} These rules are not permanent by default. Test and then use your preferred method to restore on reboot.