Secure Your Blocky Kingdom: A Comprehensive Guide to Set Up Minecraft Server with Zero Trust

Minecraft, the boundless sandbox game, sparks creativity and adventure in millions, especially kids. The desire to create a personal multiplayer world is a natural progression for many young players. Imagine a realm where you and your friends collaborate, explore, and build without limits – that’s the allure of hosting your own Minecraft server.

However, the path to setting up a Minecraft server can quickly become technically complex, and sometimes even risky. Consider the story of a tech-savvy son who, in his enthusiasm, inadvertently created a security vulnerability by inviting friends directly into his home network to play Minecraft. Sharing access like this, while seemingly convenient, opens the door to potential security threats.

This article will guide you through setting up a Minecraft server with a robust security approach: Zero Trust Networking. We’ll leverage OpenZiti, a powerful open-source zero trust platform, to create a secure and controlled environment for your Minecraft world. This method not only lets you play with friends securely but also gives you granular control over who accesses your server and what they can access.

Figure 1: The surprised reaction to an insecure Minecraft server setup highlighting the need for secure solutions.

Why Zero Trust for Your Minecraft Server?

Traditional methods of allowing friends to join your Minecraft server often involve directly exposing your home network, which can be risky. Opening firewall ports or using VPNs can grant broader access than intended, potentially exposing other devices on your network.

Zero Trust operates on the principle of “never trust, always verify.” Instead of assuming everyone inside your network is safe, Zero Trust requires every user and device to be authenticated and authorized before granting access to specific resources – in this case, your Minecraft server.

With a Zero Trust approach using OpenZiti, you achieve:

  • Enhanced Security: External users gain access only to the Minecraft server and nothing else on your network. Lateral movement, a common tactic in cyberattacks, is effectively blocked.
  • Granular Control: You precisely control who can access your server and can easily revoke access at any time.
  • Flexibility: Invite friends from anywhere in the world to join your server securely, without compromising your home network.

Understanding the Network Landscape

Currently, without any specific configuration, your home network acts as a secure perimeter. Your Minecraft server, running on your local machine, is inaccessible from the outside internet due to your firewall.

Figure 2: Illustrating the default network setup where the firewall blocks external connections to the Minecraft server.

Our goal is to introduce a secure pathway using OpenZiti’s Zero Trust overlay network, allowing authorized players to connect to your Minecraft server without compromising your network’s overall security.

Getting Your Server Ready: Prerequisites

To set up your secure Minecraft server with OpenZiti, you’ll need the following:

  1. A Virtual Private Server (VPS): This acts as the central hub for your Zero Trust network. We recommend Oracle Cloud Infrastructure (OCI) Free Tier, which offers a free VPS suitable for this purpose. You can follow this guide to set up your free Oracle Cloud VPS. While technically you could host the OpenZiti network on your local machine, a VPS provides a necessary separation and avoids exposing your home network directly.
  2. OpenZiti Command Line Interface (CLI): You’ll use the Ziti CLI on your VPS to configure your Zero Trust network. The linked Oracle Cloud setup guide covers installing the Ziti CLI.
  3. Ziti Desktop Edge for your Devices: Players (including yourself) will need to install the Ziti Desktop Edge application on their computers to connect to the Zero Trust network and access the Minecraft server. Download the appropriate version for your operating system.
  4. A Running Minecraft Server: Ensure your Minecraft server is already set up and running on the machine you intend to host it from.

Streamlining Configuration with Variables

To simplify the configuration process, we’ll define a few environment variables. This allows you to copy and paste commands, easily adapting them to your specific setup. You can customize these values as you wish:

export DEVICE_NAME="my.minecraft.server"
export MY_NAME="my.name.here"
export PORT=25565

  • DEVICE_NAME: A unique name for your Minecraft server device within the Zero Trust network (e.g., “minecraft-server”, “my-mc-world”). This name will also be used as part of the server address players will use.
  • MY_NAME: A name to identify yourself as a user (e.g., “yourname”, “admin-user”).
  • PORT: The port your Minecraft server uses. The default Minecraft port is 25565.

Figure 3: Example environment variable settings for device name, user name, and port.

Remember to execute these export commands in your VPS terminal session before proceeding with the network configuration.

Configuring Your Zero Trust Network

With the prerequisites in place and variables defined, let’s configure your Zero Trust network step-by-step.

Step 1: Create Identities

Identities represent users and devices within the Zero Trust network. We need to create identities for:

  • The Host Device: The computer running your Minecraft server.
  • Your User Identity: Your personal identity to access the server.
  • Identities for Friends: (Later) For each friend you want to invite.

To view existing identities, use the command: ziti edge list identities

Figure 4: Example output of ziti edge list identities command before creating new identities.

Create Identity for the Host Device

This command creates a “device” identity for your Minecraft server host. The -o flag saves an enrollment token (.jwt file) which will be used to enroll the host device into the network. The -a flag assigns the attribute "${DEVICE_NAME}.hosts" to this identity, which will be used later in service policies.

ziti edge create identity device ${DEVICE_NAME} -o ${DEVICE_NAME}.jwt -a "${DEVICE_NAME}.hosts"

Create Identity for Yourself

This command creates a “user” identity for you. Similar to the device identity, it generates a .jwt file and assigns the attribute "${DEVICE_NAME}.clients".

ziti edge create identity user ${MY_NAME} -o ${MY_NAME}.jwt -a "${DEVICE_NAME}.clients"

Verify Identities and JWT Tokens

After running these commands, you should see two new identities listed when you run ziti edge list identities again.

Figure 5: Example output after creating host and user identities showing the newly added entries.

You’ll also find two new .jwt files in your current directory on the VPS. These tokens are crucial for enrolling devices and users into the Zero Trust network. Keep them secure and accessible.

Figure 6: File explorer showing the generated JWT tokens for host and user identities.

Step 2: Create Service and Configurations

In OpenZiti, a “service” represents the application or resource you want to secure – in our case, the Minecraft server. Service configurations define how the Zero Trust network connects to your Minecraft server.

To view existing services and configurations, use ziti edge list services and ziti edge list configs respectively. Initially, these lists will likely be empty.

Service Configurations

These commands create two configurations:

  • Host Configuration (${DEVICE_NAME}.hostv1): Defines how the OpenZiti network connects to your Minecraft server locally on the host machine. It specifies the protocol (tcp), address (localhost), and port (${PORT}).
  • Intercept Configuration (${DEVICE_NAME}.interceptv1): Defines how external users will access the service through the Zero Trust network. It specifies the protocols (tcp), the address users will use to connect (${DEVICE_NAME}.ziti), and the port range (${PORT}).

ziti edge create config ${DEVICE_NAME}.hostv1 host.v1 '{"protocol":"tcp", "address":"localhost","port":'${PORT}'}'
ziti edge create config ${DEVICE_NAME}.interceptv1 intercept.v1 '{"protocols":["tcp"],"addresses":["'${DEVICE_NAME}'.ziti"], "portRanges":[{"low":'${PORT}', "high":'${PORT}'}]}'

Service Creation

This command creates the Minecraft service, associating it with the configurations created in the previous step.

ziti edge create service ${DEVICE_NAME} --configs "${DEVICE_NAME}.hostv1,${DEVICE_NAME}.interceptv1"

Verify Service Creation

Running ziti edge list services will now show your newly created Minecraft service.

Figure 7: Example output of ziti edge list services showing the newly created Minecraft service.

Step 3: Create Service Policies

Service policies define who is authorized to access a service and what actions they are allowed to perform. We need to create two policies:

  • Bind Policy (${DEVICE_NAME}.bind): Allows the host device to “bind” to the service, meaning it can host and make the service available on the Zero Trust network.
  • Dial Policy (${DEVICE_NAME}.dial): Allows users with the correct attribute to “dial” or connect to the service (Minecraft server).

These policies use the attributes we assigned to the identities earlier ("${DEVICE_NAME}.hosts" and "${DEVICE_NAME}.clients") to control access. This attribute-based access control is a key feature of Zero Trust, making user management much easier.

ziti edge create service-policy "${DEVICE_NAME}.bind" Bind --service-roles "@${DEVICE_NAME}" --identity-roles "#${DEVICE_NAME}.hosts"
ziti edge create service-policy "${DEVICE_NAME}.dial" Dial --service-roles "@${DEVICE_NAME}" --identity-roles "#${DEVICE_NAME}.clients"

Verify Service Policies

Running ziti edge list service-policy will display the newly created service policies.

Figure 8: Example output of ziti edge list service-policy showing the bind and dial policies for the Minecraft service.
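
As an added example (not code from the article or from the OpenZiti project), here are Steps 1 to 3 collected into a small POSIX shell script that checks the three variables before the first object is created and builds the two config JSON documents with printf instead of splicing variables into a quoted literal. The article's one-liners work, but a stray quote in DEVICE_NAME breaks the JSON, an unset PORT produces "port":} and the device name also becomes the .ziti hostname players type, so it is restricted here to hostname-safe characters. ZITI_BIN, the mc_ function names and the validation rules are choices made for this example, not OpenZiti conventions.

```shell
#!/bin/sh
# Added example: Steps 1-3 of the article as validated shell functions.
# ZITI_BIN is a name introduced here; point it at "echo" for a dry run.
ZITI_BIN="${ZITI_BIN:-ziti}"

# Names end up in JSON, in ziti role attributes and in the DNS-style
# intercept address (<name>.ziti), so only allow letters, digits, '.' and '-',
# with no leading/trailing separator and a conservative length cap.
mc_valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|-*|*.|*-) return 1 ;;
  esac
  [ ${#1} -le 63 ]
}

# TCP ports are 1..65535; anything else would be pasted into the config unchecked.
mc_valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# host.v1: how the host device reaches the Minecraft process (loopback only).
mc_host_config_json() {
  printf '{"protocol":"tcp","address":"localhost","port":%s}' "$1"
}

# intercept.v1: the address and port players dial on the overlay.
mc_intercept_config_json() {
  printf '{"protocols":["tcp"],"addresses":["%s.ziti"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$1" "$2" "$2"
}

# Runs Steps 1-3 for DEVICE_NAME / MY_NAME / PORT, refusing to start if any
# value fails validation so the controller is never left half-provisioned.
mc_provision() {
  mc_valid_name "$DEVICE_NAME" || { echo "bad DEVICE_NAME: '$DEVICE_NAME'" >&2; return 2; }
  mc_valid_name "$MY_NAME"     || { echo "bad MY_NAME: '$MY_NAME'" >&2; return 2; }
  mc_valid_port "$PORT"        || { echo "bad PORT: '$PORT'" >&2; return 2; }
  umask 077   # the .jwt enrollment tokens are credentials; keep them owner-readable only
  "$ZITI_BIN" edge create identity device "$DEVICE_NAME" -o "$DEVICE_NAME.jwt" -a "$DEVICE_NAME.hosts" &&
  "$ZITI_BIN" edge create identity user "$MY_NAME" -o "$MY_NAME.jwt" -a "$DEVICE_NAME.clients" &&
  "$ZITI_BIN" edge create config "$DEVICE_NAME.hostv1" host.v1 "$(mc_host_config_json "$PORT")" &&
  "$ZITI_BIN" edge create config "$DEVICE_NAME.interceptv1" intercept.v1 \
      "$(mc_intercept_config_json "$DEVICE_NAME" "$PORT")" &&
  "$ZITI_BIN" edge create service "$DEVICE_NAME" --configs "$DEVICE_NAME.hostv1,$DEVICE_NAME.interceptv1" &&
  "$ZITI_BIN" edge create service-policy "$DEVICE_NAME.bind" Bind \
      --service-roles "@$DEVICE_NAME" --identity-roles "#$DEVICE_NAME.hosts" &&
  "$ZITI_BIN" edge create service-policy "$DEVICE_NAME.dial" Dial \
      --service-roles "@$DEVICE_NAME" --identity-roles "#$DEVICE_NAME.clients"
}
```

Source the file on the VPS after the export commands and call mc_provision; with ZITI_BIN=echo it prints the seven ziti commands it would run without touching the controller, which is a convenient way to review the generated JSON before committing to it.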

Step 4: Enroll Identities

Now it’s time to enroll your devices and user into the Zero Trust network using the .jwt tokens generated earlier.

Enroll the Host Device

  1. Locate the ${DEVICE_NAME}.jwt file. This is the enrollment token for your Minecraft server host.
  2. Install Ziti Desktop Edge on your Minecraft server host machine.
  3. Open Ziti Desktop Edge.
  4. Click the “+” button (“Add an Identity”).
  5. Navigate to and select the ${DEVICE_NAME}.jwt file.
  6. Click the “Enroll” button.

Once enrolled, the Ziti Desktop Edge application on your server host will establish a secure connection to the OpenZiti network, making your Minecraft server accessible through the Zero Trust overlay.

Enroll Your User Identity

  1. Locate the ${MY_NAME}.jwt file. This is your user enrollment token.
  2. Install Ziti Desktop Edge on your computer (the one you’ll use to play Minecraft).
  3. Open Ziti Desktop Edge.
  4. Click the “+” button (“Add an Identity”).
  5. Navigate to and select the ${MY_NAME}.jwt file.
  6. Click the “Enroll” button.

Enrolling your user identity allows your computer to connect to the Zero Trust network and access the Minecraft server.

The Secure Network in Action

With configurations and enrollments complete, your network now looks like this:

Figure 9: Illustrating the secure network setup with OpenZiti, allowing authorized access to the Minecraft server through the Zero Trust overlay.

External connections to your Minecraft server now flow through the secure OpenZiti overlay network, ensuring only authorized and authenticated users can access it, without exposing your entire home network.

Testing Your Secure Minecraft Server

Let’s test if everything is working correctly.

  1. Ensure your Minecraft server is running on the host machine.
  2. Make sure Ziti Desktop Edge is running on both your host machine and your client machine (the one you are playing from).
  3. Launch Minecraft on your client machine.
  4. Select “Multiplayer”.
  5. Click “Add Server”.
  6. In the “Server Address” field, enter: ${DEVICE_NAME}.ziti. For example, if your DEVICE_NAME was “my-mc-server”, enter my-mc-server.ziti.

Figure 10: Adding the Minecraft server in the game using the .ziti address.

If configured correctly, your server should appear online in the Minecraft multiplayer server list.

Figure 11: The Minecraft server list showing the server online and accessible via the Zero Trust network.

Join your server and enjoy secure Minecraft gameplay!

Figure 12 & 13: Screenshots from inside the securely hosted Minecraft server, demonstrating successful connection and gameplay.

Inviting Friends Securely

To invite friends, you’ll need to create a user identity for each of them, similar to how you created your own user identity. When creating their identity using the ziti edge create identity user command, ensure you include the attribute "${DEVICE_NAME}.clients" to grant them access to your Minecraft service.

Distribute their .jwt token securely (e.g., through a secure messaging app). They will then follow the same enrollment process using Ziti Desktop Edge to gain access to your server.

You retain full control and can revoke access at any time by deleting their identities or modifying service policies.
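
As an added example (not part of the article and not an OpenZiti tool), the invite and revoke workflow just described as three shell functions: mc_invite creates a friend's user identity with the ${DEVICE_NAME}.clients attribute and writes the token into a private directory, mc_revoke deletes the identity, and mc_list_players shows every identity that currently carries the attribute. The attribute string is computed from DEVICE_NAME rather than retyped, because that single value is what the dial policy keys on. ZITI_BIN, TOKEN_DIR and the mc_ names are introduced here; the script assumes a ziti CLI already logged in to your controller.

```shell
#!/bin/sh
# Added example: friend lifecycle helpers for the Minecraft service.
ZITI_BIN="${ZITI_BIN:-ziti}"
TOKEN_DIR="${TOKEN_DIR:-$HOME/mc-invites}"   # where freshly created .jwt files are written

# The role attribute the dial policy grants access to. This string alone decides
# whether a new identity can reach the server, so derive it, never retype it.
mc_clients_attr() { printf '%s.clients' "$DEVICE_NAME"; }

# Same rules as for the article's names: the value becomes an identity name.
mc_valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|-*|*.|*-) return 1 ;;
  esac
  [ ${#1} -le 63 ]
}

# Create a one-player identity for a friend. The token is a one-time enrollment
# credential: it is written 0600 in TOKEN_DIR, should be handed over through a
# private channel, and the local copy can be deleted once the friend has enrolled.
mc_invite() {
  _friend="$1"
  mc_valid_name "$_friend" || { echo "invalid friend name: '$_friend'" >&2; return 2; }
  umask 077
  mkdir -p "$TOKEN_DIR" || return 1
  "$ZITI_BIN" edge create identity user "$_friend" \
      -o "$TOKEN_DIR/$_friend.jwt" -a "$(mc_clients_attr)" || return 1
  [ -f "$TOKEN_DIR/$_friend.jwt" ] && chmod 600 "$TOKEN_DIR/$_friend.jwt"
  echo "token for $_friend: $TOKEN_DIR/$_friend.jwt"
}

# Revoke a friend: deleting the identity means it can no longer authenticate
# to the overlay, and an unused token for it stops being enrollable.
mc_revoke() {
  mc_valid_name "$1" || { echo "invalid friend name: '$1'" >&2; return 2; }
  "$ZITI_BIN" edge delete identity "$1"
}

# Audit: every identity that currently carries the clients attribute, i.e.
# everyone the dial policy lets connect. Uses the controller's filter language.
mc_list_players() {
  "$ZITI_BIN" edge list identities "anyOf(roleAttributes) = \"$(mc_clients_attr)\""
}
```

A quick mc_list_players after each invite or revoke confirms that the attribute set matches who you think can join; if a name appears there that you do not recognise, mc_revoke removes it immediately.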

Embrace Secure Minecraft Hosting

Setting up a Minecraft server with Zero Trust might seem a bit more involved initially, but the enhanced security and control it provides are well worth the effort. By leveraging OpenZiti, you create a safe and secure environment for your Minecraft adventures, protecting your home network while enjoying online multiplayer with friends. Explore the possibilities of secure and controlled access – your blocky kingdom will be safer than ever!
