Sample TLS Configuration
To add TLS (secure connection) support to your game without changing your code base, while still having your server see the originating IP address, see below. (Normal SSL tunnels will show the IP of the proxy server). This has been tested on a fresh Debian stable install.
Credit to Paul Saindon from Iron Realms for writing this up.
1. Install Stunnel4
$ sudo apt-get install stunnel4
2. Create stunnel4 file /etc/stunnel/rapture.conf
(rapture is an example, replace with any server engine.)
pid = /run/rapture-stunnel.pid [rapture] cert = /etc/stunnel/localhost.crt key = /etc/stunnel/localhost.open.key accept = 6003 connect = 127.0.0.1:6002 transparent = source
Note: In this example, 6003 is the port for ssl requests and 6002 is the normal server port. Change accordingly. You must also replace the cert and key with your own cert/key.
3. Enable stunnel. Open file /etc/default/stunnel4
and change
ENABLED=0 -- to -- ENABLED=1
4. Start stunnel
$ sudo systemctl start stunnel4.service
5. Install ipset
$ sudo apt-get install ipset
6. Create ipset to use
$ sudo ipset create stunneled hash:ip,port -exist timeout 300
7. Configure IPTables
$ sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 6003 -j SET --add-set stunneled src,srcport $ sudo iptables -t mangle -N DIVERT $ sudo iptables -t mangle -A OUTPUT -p tcp -m set --match-set stunneled dst,dstport -m tcp --sport 6002 -j DIVERT $ sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1 $ sudo iptables -t mangle -A DIVERT -j ACCEPT
8. Add routing rule
$ sudo ip rule add fwmark 1 lookup 100 $ sudo ip route add local 0.0.0.0/0 dev lo table 100
9. Disable RP Filter for lo
$ sudo sh -c "echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter"
Note: These rules are not permanent by default. Test and then use your preferred method to restore on reboot.