Alpha Proxy Guide (kondrah/otclient multi-path proxy)

[Michael Orsino]

Kondrah Alpha Multi Proxy Solution

This guide is written by @Michael Orsino, with thanks and credit to @Alpha—full attribution at the end.
Difficulty level: Hard – This guide assumes knowledge of Linux, firewalls, C++, and Lua.
Reading time: Approx. 10 minutes

Due to the increased frequency of DDoS ransom attacks against our community over recent months, I decided to write this guide in hopes that it will help you protect your game and provide the best experience to your players.

What is this?
This guide explains how to implement the proxy system written by @Kondrah for OTClientv8. (Note: the client-side feature has also been ported to and released for OTClient Redemption by @Gesior.pl). This guide can be used for both OTCv8 & OTC Redemption.
The guide references an external repository containing the backend proxy application created by @Kondrah, with important bug fixes by Alpha that address a few key issues that were present in the original software.
If you currently run the version and configuration of this solution installed by @Gesior.pl, provided you understand what he has done, this guide can be used to simplify your infrastructure.
From here on out, I will be referring to this system as Alpha Proxy.

What does it do?
Using this proxy system allows the game client to establish and maintain connections with multiple forward proxy servers simultaneously and to send and receive game packets over the best two. With the full intended configuration outlined in this guide, the backend game server remains unknown to the public and therefore cannot be attacked directly. Additionally, players benefit from route redundancy by being connected to multiple forward proxy servers, reducing the risk of lag and disconnects. In many cases players will also benefit from latency-optimised routing to the game server thanks to the use of strategic forward proxy locations and providers.

Prerequisites

• A game server running on Linux (This guide will assume TFS1.4 & Ubuntu 24.04)
• A minimum of two other Linux servers to act as a forward proxies (technically, you could use windows for this, but... don't)
• An unknown/secret IP for your backend (the game server machine)
• Your web server must either be proxied (e.g. by cloudflare) and/or on a separate machine (so that your backend IP remains hidden at all times)
• Necessary ports opened in the firewalls of all servers. You can use whatever you like, but for this guide we will use the following:
  • Backend Game Server (Secret IP):
    • 7100 TCP (HAProxy listener for login)
    • 7200 TCP (HAProxy listener for status)
    • 7300 TCP (Alpha Proxy Listener)
    • For an extra (probably unnecessary) layer of security, restrict the above ports to only allow from each of your forward proxy IP addresses
  • Forward Proxy Servers:
    • 7100 TCP (HAProxy listener for login)
    • 7200 TCP (HAProxy listener for status)
    • 7300 TCP (HAProxy listener for game)

Note: If your server is already live and/or your IP is already public, you have two choices:

1. Prepare to migrate to a new server with a new IP (easy, no new knowledge required), or;
2. Buy a secondary IP address for your server if available (also easy, but will require some new knowledge to configure your machine to use both IP addresses. Your provider may provide a guide or use chatGPT for instructions).
   If you go down this path, you would configure the proxy system for the new IP address only, and once ready, to enable it, you would disable (deny all ipv4 on) the original IP address network edge firewall.

How many, with who, how much, and where
For this configuration to be at all worth implementing, you need at least 2 forward proxy servers, however, the typical recommendation is at least 5.
While technically the configuration can run with only 1, if you can only afford 1 then there is a far easier method than this, check out this thread instead: Proxy Tunnel Solution | With Client IP Passthrough

To keep things simple, I recommend you stick with large hosting providers that offer very affordable VPS hosting like OVH & Hetzner.
For those a little more advanced, you might also consider AWS, GCP, etc.
If you want to take things even further, feel free to send me a message.

You don't need to break the bank on these forward proxy servers. They will not use much power or bandwidth, so typically you want to get the cheapest VPS that the company offers. That might look something like 1vCore + 1 GB Ram for $5/m.

To get the most out of this configuration, you will want to geographically distribute your forward proxy servers with reference to your player base. Most importantly though, you will want at least 1 forward proxy server as close as possible to your backend game server.
My quick recommendations for forward proxy locations would be:

• Vint Hill, USA (OVH) and/or Beauharnois, CA (OVH)
• London, UK (OVH)
• Warsaw, PL (OVH)
• Falkenstein, DE (Hetzner) and/or Nuremberg, DE (Hetzner)
• Miami, USA (Gcore)

Lets get started!
1. TFS Source Changes
There are too many source changes to direct each individual edit in this post, so instead I have created a patch file for TFS1.4 (attached).
The changes are not particularly complicated, if you use a different version of TFS (or OTX, TVP, etc.), you should still be able to follow and make these changes manually.

With the source changes compiled successfully, you can update your config.lua as follows:

ip = "127.0.0.1" -- important, do not change
statusIP = "123.456.78.9" -- set this to your closest forward proxy server IP
bindOnlyGlobalAddress = true -- important, do not change
loginProtocolPort = 7171
gameProtocolPort = 7172
statusProtocolPort = 7171

2. Client Configuration
Assuming you have not already butchered your client_entergame module to force different IP's & ports, there isn't much you need to do to prepare the client.
Players will connect to the login server as normal, and the login server will pass all the necessary information to the client.
It is possible to 'hardcode' the forward proxy IP's into the client, and this is what many choose to do because it is 'easier', however, that was not the intended configuration and is not as flexible as sending the proxy list during login (which is what we will do, assuming you followed the TFS changes in section 1).

3. Forward Proxy Configuration
As the name suggests, this configuration is for each of your forward proxy servers.
$ sudo apt update
$ sudo apt-get update
$ sudo apt upgrade
$ sudo apt install haproxy
$ sudo vim /etc/haproxy/haproxy.cfg
Important: replace BACKENDIP with your actual backend IP!

Tip: Pressing gg -> wg while in vim will take you to the top of the file and then delete everything in the file, allowing you to paste immediately (typically right-click while in `i`nput mode). If your paste is auto indenting, press esc -> : -> set: paste and then try again.

global
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

defaults
        timeout connect 4s
        timeout client  50s
        timeout server  50s

# login connections
listen l1
        bind 0.0.0.0:7100
        mode tcp
        server srv1 BACKENDIP:7100 send-proxy-v2
# game connections
listen l2
        bind 0.0.0.0:7200
        mode tcp
        server srv2 BACKENDIP:7200 send-proxy-v2
# status connections
listen l3
        bind 0.0.0.0:7300
        mode tcp
        server srv3 BACKENDIP:7300 send-proxy-v2

$ sudo systemctl restart haproxy

4. Reverse Proxy Configuration
You will also configure an instance of HAProxy on your backend server to listen for and handle login + status server connections.
$ sudo apt install haproxy
$ sudo vim /etc/haproxy/haproxy.cfg

global
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

defaults
        timeout connect 4s
        timeout client  50s
        timeout server  50s

# login connections
listen l1
        bind 0.0.0.0:7100 accept-proxy
        mode tcp
        server srv1 127.0.0.1:7171 send-proxy-v2
# status connections
listen l2
        bind 0.0.0.0:7300 accept-proxy
        mode tcp
        server srv1 127.0.0.1:7171 send-proxy-v2

$ sudo systemctl restart haproxy

5. Alpha Proxy
This is the application that will listen for and handle each of the game connections proxied by your forward proxy servers, it is where most of the magic happens.

Compile the proxy application:
$ git clone [email protected]:thatmichaelguy/alpha-proxy.git
$ mkdir build && cd build
$ cmake ..
$ make

Create a systemd service file to ensure the Alpha Proxy is always running.
Ensure you update the following:

• ExecStart path to match that of your compiled Alpha Proxy binary
• WorkingDirectory path to match the Alpha Proxy binary directory
• User & Group fields if necessary
• The first param of the ExecStart binary is the listen port
• The second param of the ExecStart binary is the max connections per IP (4 proxies = 4 connections per IP per open client)

$ sudo vim /usr/lib/systemd/system/alpha-proxy.service

[Unit]
Description=Alpha Proxy
After=network.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/path/to/the/proxy/build/alpha-proxy 7200 20
WorkingDirectory=/path/to/the/proxy/build/
Restart=always
User=ubuntu
Group=ubuntu
LimitCORE=104857600
LimitNOFILE=50000

[Install]
WantedBy=default.target

$ sudo systemctl daemon-reload
$ sudo systemctl start alpha-proxy
$ sudo systemctl enable alpha-proxy

6. Database
The final step is to create a table in your database for your proxy servers - this is where the login server will read from. Adjust the INSERT query below to match the IP addresses of your forward proxy servers.
- The disabled column can be utilized to temporarily disable a proxy if desired.
- The priority column can be used to adjust how the client will pick proxy servers, you may want to use this if there are bandwidth limitations on some of your forward proxy servers

CREATE TABLE `proxies` (
  `id` int(11) NOT NULL,
  `host` tinytext NOT NULL,
  `port` smallint(5) UNSIGNED NOT NULL DEFAULT 0,
  `priority` smallint(5) UNSIGNED NOT NULL DEFAULT 0,
  `disabled` tinyint(3) UNSIGNED NOT NULL DEFAULT 0
);

ALTER TABLE `proxies`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT
  ADD PRIMARY KEY (`id`) USING BTREE,
  ADD KEY `disabled` (`disabled`) USING BTREE;
 
INSERT INTO `proxies` (`id`, `host`, `port`, `priority`, `disabled`) VALUES
(1, '123.456.78.9', 7200, 0, 0),
(2, '123.456.78.8', 7200, 0, 0),
(3, '123.456.78.7', 7200, 0, 0),
(4, '123.456.78.6', 7200, 0, 0),
(5, '123.456.78.5', 7200, 0, 0);

Otservlist compliance
Otservlist has been requiring that popular servers provide additional information to help maintain the integrity of player counts displayed in the server list. This isn't really a privacy concern, as no personal data is associated with lsof. This isn't the thread to discuss how you feel about it anyway, this is only where you learn how to comply with it.

Otservlist requests an output of the lsof command to assist in verifying that the amount of players you report as online is congruent with the amount of active connections, and that you are respecting the limit of 4 players reported as online per IP address.
When using multiple proxy servers in this configuration, you need to provide the requested lsof output from each proxy server, as well as from your backend game server.

I wrote a simple script that you can run at an interval with cron to fetch each output of the lsof command and dump it in a specified directory on your web server. The script also redacts your backend IP from the lsof.
You can optionally restrict access to this directory by IP or by password so that only otservlist can access it - chatGPT can probably help you achieve that.

1. To generate the lsof.log output at an interval on your forward proxy servers, set up a cronjob such as the following:
   * * * * * sudo lsof -nP -i :7300 > /tmp/lsof.log && md5sum /tmp/lsof.log > /tmp/lsof.md5
2. To generate the lsof.log output at an interval on your backend server, set up a cronjob such as the following (note that this command redacts your backend IP as long as you update it as necessary):
   * * * * * sudo lsof -nP -i :7300 | sed 's/123.456.78.9/BACKEND_IP/g' > /tmp/lsof.log && md5sum /tmp/lsof.log > /tmp/lsof.md5
3. To pull all of the files to your web server, you can use a script like below
   Note if you chose different forward proxy or alpha proxy listen ports, don't forget to update those ports in the above cronjobs so that the lsof output is correct:

#!/bin/bash

PASSWORD="password123" # to simplify things, we are using the same password for each forward proxy server. If you use SSH keys, you could modify this script to not require the sshpass utility

# Array of remote file (lsof.log) and local destination directory pairs
# Format: "user@host:/remote/path/to/file /local/path/to/destination"
FILES_TO_RETRIEVE=(
    "[email protected]:/tmp/lsof.log /var/www/lsof.comain.com/lsof-ovh01.log"
    "[email protected]:/tmp/lsof.md5 /var/www/lsof.comain.com/lsof-ovh01.md5"
)

for entry in "${FILES_TO_RETRIEVE[@]}"; do
    REMOTE_FILE=$(echo "$entry" | awk '{print $1}')
    LOCAL_PATH=$(echo "$entry" | awk '{print $2}')
    sshpass -p "$PASSWORD" scp "$REMOTE_FILE" "$LOCAL_PATH"
    if [[ $? -ne 0 ]]; then
        echo "Failed to retrieve $REMOTE_FILE"
    else
        echo "Successfully retrieved $REMOTE_FILE"
    fi
done

Website
If your website relies on status protocol for online status and/or count, you will need to update the IP/PORT it is using to suit your new configuration (note some websites pull this directly from a config.lua)

Credits

• @Kondrah: Developer of the backend proxy app, the otclient proxy feature, and the necessary TFS changes to bring it all together
• @Alpha: Bug fixes on the backend proxy app & taught me how to implement the system (the right way)
• @Gesior.pl: Porting the client proxy feature to OTClient Redemption (and putting in his own efforts to help people implement this system)
• @Michael Orsino: Writing this guide

Donations
If you found this guide useful and feel so inclined, you may direct any donations to Michael Orsino and/or Alpha

Footnotes

• Apparently this proxy system can also be used with real tibia clients, however, I am not at all familiar with this. Ref: feat: OTCv8 proxy system by @Gesior.pl · Pull Request #978 · mehah/otclient (https://github.com/mehah/otclient/pull/978#issuecomment-2509871565)
• There is a draft pull request to implement the game server changes into TFS. I haven't reviewed it, and the changes that I instruct here may differ from that PR. Ref: OTCv8 proxy + HAProxy by @Gesior.pl · Pull Request #4860 · otland/forgottenserver (https://github.com/otland/forgottenserver/pull/4860)

 

[Erikas Kontenis]

Super thank you

 

[mRefaat]

Thanks for the guide!

 

[Ciosny]

THANKS !!

 

[Addams]

Great contribution! As always. Thank you.

 

[gerber]

Thanks!

 

[Baxnie]

Nice post, a few questions:

1) How do you deal with CPU steal when using VPS with a single vCPU? I've tested VPS a few months ago, however every day 9pm the CPU steal increased a lot and affected my users. Probably due to another VPS user doing some heavy task. Tried finding for dedicated vCPUs however they are rare. So I'm sticking with dedicated server for that. A little bit overkill, but it's working.
2) How are you calculating ping for every route? It seemed that there are 3 active connections and you discard the worst one. feat: OTCv8 proxy system by gesior · Pull Request #978 · mehah/otclient (https://github.com/mehah/otclient/pull/978/files#diff-819b71a4468294870ff8674af9a35b55e2abd63f71314b66482b29411e72815fR395)
But when you reach 3 connections, isn't there a chance to never find the best connection? In my case i'm pinging every proxy and getting their ping to the backend server. This way I can calculate the real ping to the private server
3) Just to be sure, you are sending and receiving packets from all of the 3 connections at the same time, right? And the backend proxy gets the first packet and discard the other 2.
4) Plans on dealing with jitter? I'vent started tackling this one myself.

 

[azuusiek]

@Baxnie it should be question to the author of the code, not to the "fix" or tutorial creator

To topic: Calling it your creation, or even your name sounds disgusting xd
As for the code, there were some positive changes, but the software itself worked rather well and didn't have too many problems. It's still someone else's property. I wonder why someone didn't publish it for free before him.

 

[alejandro762]

Seems very nice, unfortunately linux computer doesn't exist here.

 

[Gallus]

Calling it "Alpha Proxy" instead "Kondrah Proxy" is awful but what can you expect from OTAcademy leechers, even administrators there are thieves

 

[Baxnie]

@Baxnie it should be question to the author of the code, not to the "fix" or tutorial creator

To topic: Calling it your creation, or even your name sounds disgusting xd
As for the code, there were some positive changes, but the software itself worked rather well and didn't have too many problems. It's still someone else's property. I wonder why someone didn't publish it for free before him.

I was actually hoping that people who understand a lot about the subject would eventually read this and discuss about it

 

[azuusiek]

I was actually hoping that people who understand a lot about the subject would eventually read this and discuss about it

Just take a look in Session::selectProxies(). It is connected with max m_maxConnections(in session is default = 3) proxies and can be refreshed if some proxy can be 20ms less than the worst ping

 

[Gesior.pl]

Description 'how it works' below is about OTCv8 proxy, not alpha proxy, but it must be similar system. Maybe some numbers are different ex. send packets thru 3 proxies instead of 2.

1) How do you deal with CPU steal when using VPS with a single vCPU?

You do not care. OTSes often have 5+ VPSes in different datacenters. As long as any of them works, players won't notice lags in game.
With 300 players online, CPU load on haproxy is below 50% on 4 EUR/month cloud server in Hetzner.
I described below how it changes proxy VPS to reduce ping.

2) How are you calculating ping for every route?

End to end. From 'client' to 'alpha proxy' app running on dedic with OTS, so it's real ping to OTS, not 'ping to VPS with haproxy'.

3) Just to be sure, you are sending and receiving packets from all of the 3 connections at the same time, right? And the backend proxy gets the first packet and discard the other 2.

You can add 2, 5 or 20 VPSes with haproxy. Client connects thru all of them and checks ping every second to all of them.
Each packet from client to server and from server to client is send thru 2 proxy connections with lowest ping. Proxies are changed to proxies with lowest ping every second - if there is noticeable difference in ping, there is some threshold to do not waste CPU/network on changing proxies all time to reduce ping by 2 ms.

Proxy server and client track received packet IDs and drop duplicates.

4) Plans on dealing with jitter? I'vent started tackling this one myself.

Packets are send thru 2 connections, if 1 of them jitter, it's not noticeable by player.

The final step is to create a table in your database for your proxy servers

Code to read list of proxy servers from OTS, when client logins to account works only in OTCv8 (+some more lines except these 2 places):

otclientv8/modules/client_entergame/entergame.lua at master · OTAcademy/otclientv8

Mirror of official OTClientV8. Contribute to OTAcademy/otclientv8 development by creating an account on GitHub.

github.com

otclientv8/modules/gamelib/protocollogin.lua at master · OTAcademy/otclientv8

Mirror of official OTClientV8. Contribute to OTAcademy/otclientv8 development by creating an account on GitHub.

github.com

I did not add these changes in OTC Mehah version.

This tutorial misses important step:
Edit init.lua of OTC to make it use proxy system from start, not after you login to account and get list of proxies.
Config should look like this:
1. Set OTS IP to 127.0.0.1, then proxy system in client will send all packets - including login to account - thru proxies:

Servers = {
  MyOtsName= "127.0.0.1:7171:1098"
}

2. List some/all proxies to use:

g_proxy.addProxy("p1.myworld.com", 7162, 0)
g_proxy.addProxy("p2.myworld.com", 7162, 0)
g_proxy.addProxy("p3.myworld.com", 7162, 0)
g_proxy.addProxy("p4.myworld.com", 7162, 0)
g_proxy.addProxy("p5.myworld.com", 7162, 0)

3rd parameter is 'ping offset', so you can add ex. '+50 ms' to some proxy server, which has paid transfer (ex. google cloud, AWS) to reduce it's usage by players, when server is not under DDoS.

You will also configure an instance of HAProxy on your backend server to listen for and handle login + status server connections.

You don't really have to. You can set OTS IP in config.lua to it's public IP, then haproxy on VPSes will connect directly to it. Just setup firewall to block connections to 7171 from other IPs than your proxy servers.

@Michael Orsino
I also absolutely does not get what you are doing with 7100 and 7200 ports. Port of connection (7171/7172) is passed inside OTCv8 proxy protocol. You just use any port ex. 7162 (by default) and all packets (login to account, login to game, play game etc.) are passed thru it. "OTCv8 proxy app" on server unpacks them and send to right port on machine with OTS.
With basic configuration haproxy should only proxy 7162 port to OTS machine 7162 (+7171 to 7171, if you want add server with status to otservlist).

 

[Baxnie]

Thanks for the detailed answer @Gesior.pl

I've been doing a different approach since my proxy system had the single purpose of defending against DDoS.
I had only 1 active connection and the second connection was just on hold waiting for the first one to fail. This was meant to save bandwidth, probably due to my system being developed 11 years ago and this was more of a thing back then.
By having 4$ VPS this becomes irrelevant.

Thanks for the estimate on CPU load with 300 players. It seems that my own proxy is not so far behind it.

Going to follow on this 2 active connections route. It solves 3 of my problems: jitter, reconnect time, and being able to use vps due to cpu steal

Giving a few suggestions:

• I'm using round-robin on my dns so it's easy to add/remove IPs without updating the client
• Add something to track to which datacenter the server belongs. Some games might need 2+ servers in the same datacenter to handle load, and if it goes down, probably all the servers in this datacenter will go down. When I'm choosing the 2nd connection, my goal is to always connect to a different datacenter
• Save the preferred proxy from last session. It's really likely that the best proxy yesterday is the best proxy today. So you'll have fewer reconnects and thus smaller loads on the proxies

 

[Alpha]

Calling it "Alpha Proxy" instead "Kondrah Proxy" is awful but what can you expect from OTAcademy leechers, even administrators there are thieves

FYI it wasn't my idea to change any name whatsoever and I gave no input on anything about the guide, Michael wrote it on his own.
For all I care he can call it Gallus Super Proxy 3000

 

[Acubens]

Excellent, without a doubt, this is a great contribution to the open tibia community.

 

[Gesior.pl]

I'm using round-robin on my dns so it's easy to add/remove IPs without updating the client

I recommend to use config with domains, not IPs. If your domain is already in CloudFlare, you can setup it to refresh IPs after 60 seconds:

g_proxy.addProxy("p1.myworld.com", 7162, 0)
g_proxy.addProxy("p2.myworld.com", 7162, 0)
g_proxy.addProxy("p3.myworld.com", 7162, 0)
g_proxy.addProxy("p4.myworld.com", 7162, 0)
g_proxy.addProxy("p5.myworld.com", 7162, 0)

EDIT:
I often add 10-20 subdomains in client with names p1-p20. Most of them are not assigned to any IP on DNS.
Domains that do not point to any IP are checked every few seconds by OTC proxy and if you assign it to some proxy IP, it will work without client restart.
So you can add/move proxy servers by using multiple subdomains listed in client - it works even on networks that use custom DNS cache times, that do not allow TTL set to 60 seconds (too low for some internet providers), as they often do not cache 'not assigned IP' answer from CF DNS. So your newly added IP will be detected in seconds.

Some games might need 2+ servers in the same datacenter to handle load

I always configure 8 proxy servers ("alpha server app") and 8 ports ex. 6501-6508 and pick random port in init.lua of OTC to balance CPU usage.
haproxy CPU usage is part of a problem, other problem is CPU usage of alpha server app that may increase ping, if you try to process all players using single app.

Save the preferred proxy from last session

It does not matter with that system. All proxies are pinged every second and they can change when player is online without any lag.

 

[fridai]

You deserve a medal for this.

 

[Michael Orsino]

@azuusiek & @Gallus
It's a fully credited fork. Renaming a fork whatever you like is completely acceptable, and often encouraged to avoid confusion, provided proper credit is given to the original authors.
You'd have a hard time reading this guide and not realizing who created the original application.
Also, I don't think the original app really had a name at all. We all just colloquially called it the "kondrah proxy" because he was the one that created it, and it wasn't clearly named anything else.

@Gesior.pl
Thanks for taking the time to answer some of the questions people have been asking.
I'll experiment with the method you described of setting the login server to localhost and injecting the proxies in init.lua.
I'm not a huge fan of having the proxies hardcoded like that, but if it works well for handling login connections through the proxy configuration too, I can definitely see the value in it.
Edit: Just a passing thought - maybe we can receive the "login proxy" list over http when the client is opened - that'd keep me happy haha