How to Set Up a Secure Minecraft Server Using Zero Trust Networking

Minecraft, the beloved sandbox game, often sparks a desire in young players (and adults alike) to create their own private worlds. Hosting a Minecraft server allows you and your friends to explore, build, and adventure together in a persistent, customized environment. Imagine crafting elaborate castles or delving into uncharted caves with your close-knit group, all within your personal digital playground.

However, the path to setting up a Minecraft server can sometimes lead to unintended security risks. Take the experience of a tech-savvy parent whose son, eager to play with friends remotely, inadvertently created a potential vulnerability in their home network. By using a VPN to invite friends, the son unknowingly opened a door that could have exposed the entire home network, not just the game server.

[Image: Concerned parent’s reaction to son’s VPN server setup.]

This scenario highlights a common challenge: how do you enable friends to join your Minecraft server without compromising your home network’s security? Traditional methods like port forwarding or VPNs can introduce risks. Port forwarding exposes your server directly to the internet, making it potentially vulnerable to attacks. VPNs, while more secure, can grant users access to your entire network, which might be more access than you intend to give.

The solution? A Zero Trust Network. This approach to networking operates on the principle of “never trust, always verify.” Instead of granting broad network access, Zero Trust allows you to create secure, segmented access, ensuring that users can only reach the specific resources they need – in this case, your Minecraft server – and nothing else.

This guide will walk you through setting up a secure Minecraft server using a Zero Trust Network powered by OpenZiti. This method ensures your friends can join your Minecraft world safely, without compromising your network’s integrity.

Understanding the Need for Zero Trust for Minecraft Servers

Before diving into the setup, let’s understand why a Zero Trust approach is particularly beneficial for hosting a Minecraft server at home.

Traditional Network Risks:

  • Port Forwarding: Directly exposing your Minecraft server port to the internet makes it discoverable and potentially vulnerable to anyone scanning for open ports. This can lead to unwanted intrusions or even denial-of-service attacks.
  • VPNs: While VPNs offer a layer of security, they often grant users access to a broader range of your network than necessary. If a malicious actor were to compromise a friend’s VPN access, they could potentially gain access to other devices and services on your home network.

The Zero Trust Advantage:

  • Micro-segmentation: Zero Trust networks create isolated segments, ensuring that access is granted only to the Minecraft server and nothing else on your network.
  • Least Privilege Access: Users are granted the minimum level of access required to play Minecraft and nothing more.
  • Secure Remote Access: Friends can connect to your server from anywhere in the world without requiring them to be on your local network or exposing your entire network.

With Zero Trust, you can confidently invite friends to your Minecraft server, knowing that your home network remains secure and protected.

Getting Started: Prerequisites

To set up your secure Minecraft server using OpenZiti, you’ll need the following:

  1. A Virtual Private Server (VPS): While technically you can host the OpenZiti network on your local machine, using a VPS is highly recommended for security and accessibility. A VPS provides a public endpoint for your Zero Trust network, so your home network never needs an open inbound port. This guide uses the Oracle Cloud Infrastructure (OCI) Free Tier, which is sufficient for this purpose. You can sign up for a free account and follow this guide to set up your VPS.
  2. A Computer to Host Your Minecraft Server: This will be your home computer or a dedicated server in your home network where you will run the Minecraft server software.
  3. Client Devices: The computers your friends will use to connect to your Minecraft server.
  4. OpenZiti Desktop Edge Client: You’ll need to install the OpenZiti Desktop Edge client on both your server host machine and your friends’ client devices. You can download the appropriate client for your operating system here:

Step-by-Step Guide: Configuring Your Zero Trust Minecraft Server

This guide assumes you have a VPS set up with OpenZiti as outlined in the prerequisites. Let’s proceed with configuring your Zero Trust network for Minecraft.

Step 1: Define Configuration Variables

To simplify the configuration process, we’ll define a few variables that you can customize to match your setup. Open your terminal or command prompt on your VPS and set these variables:

export DEVICE_NAME="my.minecraft.server"
export MY_NAME="my.name.here"
export PORT=25565

  • DEVICE_NAME: Choose a unique name for your Minecraft server device within your Zero Trust network. This name will also be used as part of the server address your friends will use to connect.
  • MY_NAME: Choose a name to identify yourself as the administrator or host.
  • PORT: This is the port your Minecraft server will use. The default Minecraft port is 25565, but you can change it if needed.

[Image: Example of setting configuration variables in the terminal.]

Step 2: Create Identities

Identities represent devices and users within your Zero Trust network; each one is backed by a certificate that is issued when the identity is enrolled. We need to create identities for:

  • Your Minecraft Server Host: This identity will represent the computer hosting your Minecraft server.
  • Yourself (Administrator): This identity will represent you and grant you administrative access.
  • Your Friends (Players): You will create identities for each friend you want to invite to your server.

Create Identity for the Minecraft Server Host:

Run the following command in your VPS terminal:

ziti edge create identity device ${DEVICE_NAME} -o ${DEVICE_NAME}.jwt -a "${DEVICE_NAME}.hosts"

This command does the following:

  • ziti edge create identity device: Creates a new device identity.
  • ${DEVICE_NAME}: Uses the DEVICE_NAME variable you defined earlier for the identity name.
  • -o ${DEVICE_NAME}.jwt: Exports the enrollment token (JWT file) to a file named ${DEVICE_NAME}.jwt. Keep this file safe; you’ll need it to enroll your server host device.
  • -a "${DEVICE_NAME}.hosts": Assigns the attribute ${DEVICE_NAME}.hosts to this identity. We’ll use this attribute later for authorization policies.

Create Identity for Yourself (Administrator):

Run the following command:

ziti edge create identity user ${MY_NAME} -o ${MY_NAME}.jwt -a "${DEVICE_NAME}.clients"

This command is similar to the previous one, but it creates a user identity for yourself and assigns the attribute ${DEVICE_NAME}.clients. You will use this identity to connect to your server for testing.

[Image: Example output after creating device and user identities.]

You should now have two new .jwt files in your VPS working directory: ${DEVICE_NAME}.jwt and ${MY_NAME}.jwt. These files are your enrollment tokens.

[Image: Example of JWT enrollment token files generated.]

Step 3: Create a Service and Configurations

In OpenZiti, a Service represents the application or resource you want to secure – in this case, your Minecraft server. Configurations define how the Zero Trust network connects to your server.

Create Service Configurations:

Run these commands in your VPS terminal:

ziti edge create config ${DEVICE_NAME}.hostv1 host.v1 '{"protocol":"tcp", "address":"localhost","port":'${PORT}'}'
ziti edge create config ${DEVICE_NAME}.interceptv1 intercept.v1 '{"protocols":["tcp"],"addresses":["'${DEVICE_NAME}'.ziti"], "portRanges":[{"low":'${PORT}', "high":'${PORT}'}]}'

  • The first command creates a host.v1 configuration named ${DEVICE_NAME}.hostv1. This configuration tells the Ziti tunneler on your server host where to forward incoming connections: to your Minecraft server listening on localhost on the specified PORT.
  • The second command creates an intercept.v1 configuration named ${DEVICE_NAME}.interceptv1. This configuration defines how clients will connect to the service. It specifies that clients will connect to the address ${DEVICE_NAME}.ziti on the same PORT.

Create the Service:

Now, create the service and associate it with the configurations you just created:

ziti edge create service ${DEVICE_NAME} --configs "${DEVICE_NAME}.hostv1,${DEVICE_NAME}.interceptv1"

This command creates a service named ${DEVICE_NAME} and links it to the host and intercept configurations.

[Image: Example output after creating the service.]

Step 4: Create Service Policies

Service Policies define who is authorized to access the service. We need to create two policies:

  • Bind Policy: Authorizes the Minecraft server host identity to “bind” or host the service.
  • Dial Policy: Authorizes client identities (you and your friends) to “dial” or connect to the service.

Create Bind Service Policy:

ziti edge create service-policy "${DEVICE_NAME}.bind" Bind --service-roles "@${DEVICE_NAME}" --identity-roles "#${DEVICE_NAME}.hosts"

This command creates a Bind policy named ${DEVICE_NAME}.bind that:

  • Bind: Specifies the action being authorized (hosting the service).
  • --service-roles "@${DEVICE_NAME}": Applies to the service with the name ${DEVICE_NAME}.
  • --identity-roles "#${DEVICE_NAME}.hosts": Authorizes identities with the attribute ${DEVICE_NAME}.hosts (which we assigned to your server host identity).

Create Dial Service Policy:

ziti edge create service-policy "${DEVICE_NAME}.dial" Dial --service-roles "@${DEVICE_NAME}" --identity-roles "#${DEVICE_NAME}.clients"

This command creates a Dial policy named ${DEVICE_NAME}.dial that:

  • Dial: Specifies the action being authorized (connecting to the service).
  • --service-roles "@${DEVICE_NAME}": Applies to the service with the name ${DEVICE_NAME}.
  • --identity-roles "#${DEVICE_NAME}.clients": Authorizes identities with the attribute ${DEVICE_NAME}.clients (which we assigned to your user identity and will assign to your friends’ identities).

[Image: Example output after creating bind and dial service policies.]
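The commands from Steps 1 through 4 splice shell variables straight into JSON, which is easy to get wrong. The helper below is an added example, not part of the original post: it validates DEVICE_NAME and PORT before anything is created, builds the host.v1 and intercept.v1 JSON with printf, and keeps Bind and Dial scoped to the two attributes. It assumes the ziti CLI is on PATH and already logged in to your controller; ZITI_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added helper, not from the original post: wraps the Step 1-4 commands with
# input validation and correct JSON quoting. Assumes the ziti CLI is on PATH
# and logged in to your controller; set ZITI_DRY_RUN=1 to print instead of run.

# The name is spliced into JSON and becomes the ${DEVICE_NAME}.ziti address,
# so allow only letters, digits, dots and hyphens.
mc_validate_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# A TCP port must be all digits and within 1..65535 (Minecraft default 25565).
mc_validate_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# host.v1: where the tunneler on the server host forwards dialed traffic.
mc_host_config() {
  printf '{"protocol":"tcp","address":"localhost","port":%s}' "$1"
}

# intercept.v1: the name and single port players dial; nothing else is exposed.
mc_intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s.ziti"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$1" "$2" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${ZITI_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Identities, configs, service and the two least-privilege policies.
# Bind is tied to the .hosts attribute, Dial to .clients; never use "#all".
mc_setup() {
  dev="$1"; me="$2"; port="$3"
  mc_validate_name "$dev" && mc_validate_name "$me" && mc_validate_port "$port" || return 1
  run ziti edge create identity device "$dev" -o "$dev.jwt" -a "$dev.hosts"
  run ziti edge create identity user "$me" -o "$me.jwt" -a "$dev.clients"
  run ziti edge create config "$dev.hostv1" host.v1 "$(mc_host_config "$port")"
  run ziti edge create config "$dev.interceptv1" intercept.v1 "$(mc_intercept_config "$dev" "$port")"
  run ziti edge create service "$dev" --configs "$dev.hostv1,$dev.interceptv1"
  run ziti edge create service-policy "$dev.bind" Bind --service-roles "@$dev" --identity-roles "#$dev.hosts"
  run ziti edge create service-policy "$dev.dial" Dial --service-roles "@$dev" --identity-roles "#$dev.clients"
}

# Usage: ZITI_DRY_RUN=1 mc_setup my.minecraft.server my.name.here 25565
```

Review the dry-run output first; once it matches the commands in Steps 2 through 4, rerun without ZITI_DRY_RUN to apply it.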

Step 5: Enroll Identities using Ziti Desktop Edge

Now, you need to enroll the identities you created using the JWT files.

Enroll the Minecraft Server Host Device:

  1. Transfer the ${DEVICE_NAME}.jwt file from your VPS to your Minecraft server host machine. You can use scp, rsync, or any file transfer method you prefer.
  2. Install Ziti Desktop Edge on your Minecraft server host machine if you haven’t already.
  3. Open Ziti Desktop Edge and click the “+” button to “Add Identity”.
  4. Select the ${DEVICE_NAME}.jwt file you transferred.
  5. Click “Enroll”. The identity should now be enrolled and connected.

Enroll Your Client Device (and Friends’ Devices):

  1. Transfer the ${MY_NAME}.jwt file (and JWT files you create for your friends) to your client device(s).
  2. Install Ziti Desktop Edge on your client device(s).
  3. Open Ziti Desktop Edge and click the “+” button to “Add Identity”.
  4. Select the JWT file you transferred.
  5. Click “Enroll”. The identity should now be enrolled and connected.

Step 6: Test Your Secure Minecraft Server

With all configurations in place and identities enrolled, it’s time to test your secure Minecraft server.

  1. Start your Minecraft server on your server host machine as you normally would. Ensure it’s running on the port you specified in the PORT variable (default 25565).
  2. On your client machine, open Minecraft and go to Multiplayer.
  3. Click “Add Server”.
  4. In the “Server Address” field, enter ${DEVICE_NAME}.ziti. For example, if you used my.minecraft.server for DEVICE_NAME, enter my.minecraft.server.ziti.
  5. Click “Done”.

You should see your server appear in the server list with a green connection indicator.

[Image: Entering the Zero Trust Minecraft server address in the Minecraft client.]

Select your server and click “Join Server”. You should be able to connect and play on your securely hosted Minecraft server!

[Image: Minecraft server showing as online in the multiplayer server list.]

[Image: Successful connection to the secure Minecraft server.]

Inviting Friends

To invite friends, you need to create user identities for them and provide them with their enrollment tokens.

  1. Create a User Identity for Each Friend:
    Run the following command in your VPS terminal for each friend, replacing friend1.name with their desired name:

    ziti edge create identity user friend1.name -o friend1.name.jwt -a "${DEVICE_NAME}.clients"

  2. Securely Share the JWT File: Send the generated friend1.name.jwt file to your friend using a secure method (e.g., password-protected zip file, secure file sharing service). The JWT is a one-time enrollment token: whoever enrolls it first owns that identity, so treat it like a password until your friend confirms they have enrolled.

  3. Instruct Your Friends to Enroll: Guide your friends to install Ziti Desktop Edge and enroll their identities using the JWT file you provided, following the same enrollment steps as you did for your client device.

Once enrolled, your friends can connect to your Minecraft server using the ${DEVICE_NAME}.ziti address, just like you did.

Conclusion: Secure Minecraft Fun with Zero Trust

By following these steps, you’ve successfully set up a secure Minecraft server using a Zero Trust Network. Your friends can now join your private Minecraft world without compromising the security of your home network.

[Image: Network architecture with Zero Trust, securing Minecraft server access.]

Zero Trust networking offers a robust and granular approach to security, perfect for home server setups like Minecraft. You have fine-grained control over who can access your server and what they can access, minimizing your attack surface and maximizing your peace of mind. Enjoy your secure Minecraft adventures!
