This guide is written by @Michael Orsino, with thanks and credit to @Alpha—full attribution at the end.
Difficulty level: Hard – This guide assumes knowledge of Linux, firewalls, C++, and Lua.
Reading time: Approx. 10 minutes
Due to the increased frequency of DDoS ransom attacks against our community over recent months, I decided to write this guide in hopes that it will help you protect your game and provide the best experience to your players.
What is this?
This guide explains how to implement the proxy system written by @Kondrah for OTClientv8. (Note: the client-side feature has also been ported to and released for OTClient Redemption by @Gesior.pl). This guide can be used for both OTCv8 & OTC Redemption.
The guide references an external repository containing the backend proxy application created by @Kondrah, with important bug fixes by Alpha that address a few key issues that were present in the original software.
If you currently run the version and configuration of this solution installed by @Gesior.pl, provided you understand what he has done, this guide can be used to simplify your infrastructure.
From here on out, I will be referring to this system as Alpha Proxy.
What does it do?
Using this proxy system allows the game client to establish and maintain connections with multiple forward proxy servers simultaneously and to send and receive game packets over the best two. With the full intended configuration outlined in this guide, the backend game server remains unknown to the public and therefore cannot be attacked directly. Additionally, players benefit from route redundancy by being connected to multiple forward proxy servers, reducing the risk of lag and disconnects. In many cases players will also benefit from latency-optimised routing to the game server thanks to the use of strategic forward proxy locations and providers.
Prerequisites
- A game server running on Linux (This guide will assume TFS1.4 & Ubuntu 24.04)
- A minimum of two other Linux servers to act as a forward proxies (technically, you could use windows for this, but... don't)
- An unknown/secret IP for your backend (the game server machine)
- Your web server must either be proxied (e.g. by cloudflare) and/or on a separate machine (so that your backend IP remains hidden at all times)
- Necessary ports opened in the firewalls of all servers. You can use whatever you like, but for this guide we will use the following:
- Backend Game Server (Secret IP):
- 7100 TCP (HAProxy listener for login)
- 7200 TCP (HAProxy listener for status)
- 7300 TCP (Alpha Proxy Listener)
- For an extra (probably unnecessary) layer of security, restrict the above ports to only allow from each of your forward proxy IP addresses
- Forward Proxy Servers:
- 7100 TCP (HAProxy listener for login)
- 7200 TCP (HAProxy listener for status)
- 7300 TCP (HAProxy listener for game)
- Backend Game Server (Secret IP):
- Prepare to migrate to a new server with a new IP (easy, no new knowledge required), or;
- Buy a secondary IP address for your server if available (also easy, but will require some new knowledge to configure your machine to use both IP addresses. Your provider may provide a guide or use chatGPT for instructions).
If you go down this path, you would configure the proxy system for the new IP address only, and once ready, to enable it, you would disable (deny all ipv4 on) the original IP address network edge firewall.
For this configuration to be at all worth implementing, you need at least 2 forward proxy servers, however, the typical recommendation is at least 5.
While technically the configuration can run with only 1, if you can only afford 1 then there is a far easier method than this, check out this thread instead: Proxy Tunnel Solution | With Client IP Passthrough
To keep things simple, I recommend you stick with large hosting providers that offer very affordable VPS hosting like OVH & Hetzner.
For those a little more advanced, you might also consider AWS, GCP, etc.
If you want to take things even further, feel free to send me a message.
You don't need to break the bank on these forward proxy servers. They will not use much power or bandwidth, so typically you want to get the cheapest VPS that the company offers. That might look something like 1vCore + 1 GB Ram for $5/m.
To get the most out of this configuration, you will want to geographically distribute your forward proxy servers with reference to your player base. Most importantly though, you will want at least 1 forward proxy server as close as possible to your backend game server.
My quick recommendations for forward proxy locations would be:
- Vint Hill, USA (OVH) and/or Beauharnois, CA (OVH)
- London, UK (OVH)
- Warsaw, PL (OVH)
- Falkenstein, DE (Hetzner) and/or Nuremberg, DE (Hetzner)
- Miami, USA (Gcore)
1. TFS Source Changes
There are too many source changes to direct each individual edit in this post, so instead I have created a patch file for TFS1.4 (attached).
The changes are not particularly complicated, if you use a different version of TFS (or OTX, TVP, etc.), you should still be able to follow and make these changes manually.
With the source changes compiled successfully, you can update your config.lua as follows:
LUA:
ip = "127.0.0.1" -- important, do not change
statusIP = "123.456.78.9" -- set this to your closest forward proxy server IP
bindOnlyGlobalAddress = true -- important, do not change
loginProtocolPort = 7171
gameProtocolPort = 7172
statusProtocolPort = 71712. Client Configuration
Assuming you have not already butchered your
client_entergame module to force different IP's & ports, there isn't much you need to do to prepare the client.Players will connect to the login server as normal, and the login server will pass all the necessary information to the client.
It is possible to 'hardcode' the forward proxy IP's into the client, and this is what many choose to do because it is 'easier', however, that was not the intended configuration and is not as flexible as sending the proxy list during login (which is what we will do, assuming you followed the TFS changes in section 1).
3. Forward Proxy Configuration
As the name suggests, this configuration is for each of your forward proxy servers.
$
sudo apt update$
sudo apt-get update$
sudo apt upgrade$
sudo apt install haproxy$
sudo vim /etc/haproxy/haproxy.cfgImportant: replace
BACKENDIP with your actual backend IP!Tip: Pressing
gg -> wg while in vim will take you to the top of the file and then delete everything in the file, allowing you to paste immediately (typically right-click while in `i`nput mode). If your paste is auto indenting, press esc -> : -> set: paste and then try again.
Code:
global
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
timeout connect 4s
timeout client 50s
timeout server 50s
# login connections
listen l1
bind 0.0.0.0:7100
mode tcp
server srv1 BACKENDIP:7100 send-proxy-v2
# game connections
listen l2
bind 0.0.0.0:7200
mode tcp
server srv2 BACKENDIP:7200 send-proxy-v2
# status connections
listen l3
bind 0.0.0.0:7300
mode tcp
server srv3 BACKENDIP:7300 send-proxy-v2sudo systemctl restart haproxy4. Reverse Proxy Configuration
You will also configure an instance of HAProxy on your backend server to listen for and handle login + status server connections.
$
sudo apt install haproxy$
sudo vim /etc/haproxy/haproxy.cfg
Code:
global
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
timeout connect 4s
timeout client 50s
timeout server 50s
# login connections
listen l1
bind 0.0.0.0:7100 accept-proxy
mode tcp
server srv1 127.0.0.1:7171 send-proxy-v2
# status connections
listen l2
bind 0.0.0.0:7300 accept-proxy
mode tcp
server srv1 127.0.0.1:7171 send-proxy-v2sudo systemctl restart haproxy5. Alpha Proxy
This is the application that will listen for and handle each of the game connections proxied by your forward proxy servers, it is where most of the magic happens.
Compile the proxy application:
$
git clone [email protected]:thatmichaelguy/alpha-proxy.git$
mkdir build && cd build$
cmake ..$
makeCreate a
systemd service file to ensure the Alpha Proxy is always running.Ensure you update the following:
ExecStartpath to match that of your compiled Alpha Proxy binaryWorkingDirectorypath to match the Alpha Proxy binary directoryUser&Groupfields if necessary- The first param of the
ExecStartbinary is the listen port - The second param of the
ExecStartbinary is the max connections per IP (4 proxies = 4 connections per IP per open client)
$
sudo vim /usr/lib/systemd/system/alpha-proxy.service
Code:
[Unit]
Description=Alpha Proxy
After=network.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/path/to/the/proxy/build/alpha-proxy 7200 20
WorkingDirectory=/path/to/the/proxy/build/
Restart=always
User=ubuntu
Group=ubuntu
LimitCORE=104857600
LimitNOFILE=50000
[Install]
WantedBy=default.targetsudo systemctl daemon-reload$
sudo systemctl start alpha-proxy$
sudo systemctl enable alpha-proxy6. Database
The final step is to create a table in your database for your proxy servers - this is where the login server will read from. Adjust the
INSERT query below to match the IP addresses of your forward proxy servers.- The
disabled column can be utilized to temporarily disable a proxy if desired.- The
priority column can be used to adjust how the client will pick proxy servers, you may want to use this if there are bandwidth limitations on some of your forward proxy servers
SQL:
CREATE TABLE `proxies` (
`id` int(11) NOT NULL,
`host` tinytext NOT NULL,
`port` smallint(5) UNSIGNED NOT NULL DEFAULT 0,
`priority` smallint(5) UNSIGNED NOT NULL DEFAULT 0,
`disabled` tinyint(3) UNSIGNED NOT NULL DEFAULT 0
);
ALTER TABLE `proxies`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT
ADD PRIMARY KEY (`id`) USING BTREE,
ADD KEY `disabled` (`disabled`) USING BTREE;
INSERT INTO `proxies` (`id`, `host`, `port`, `priority`, `disabled`) VALUES
(1, '123.456.78.9', 7200, 0, 0),
(2, '123.456.78.8', 7200, 0, 0),
(3, '123.456.78.7', 7200, 0, 0),
(4, '123.456.78.6', 7200, 0, 0),
(5, '123.456.78.5', 7200, 0, 0);Otservlist compliance
Otservlist has been requiring that popular servers provide additional information to help maintain the integrity of player counts displayed in the server list. This isn't really a privacy concern, as no personal data is associated with
lsof. This isn't the thread to discuss how you feel about it anyway, this is only where you learn how to comply with it.Otservlist requests an output of the
lsof command to assist in verifying that the amount of players you report as online is congruent with the amount of active connections, and that you are respecting the limit of 4 players reported as online per IP address.When using multiple proxy servers in this configuration, you need to provide the requested
lsof output from each proxy server, as well as from your backend game server.I wrote a simple script that you can run at an interval with cron to fetch each output of the
lsof command and dump it in a specified directory on your web server. The script also redacts your backend IP from the lsof.You can optionally restrict access to this directory by IP or by password so that only otservlist can access it - chatGPT can probably help you achieve that.
- To generate the lsof.log output at an interval on your forward proxy servers, set up a cronjob such as the following:
* * * * * sudo lsof -nP -i :7300 > /tmp/lsof.log && md5sum /tmp/lsof.log > /tmp/lsof.md5 - To generate the lsof.log output at an interval on your backend server, set up a cronjob such as the following (note that this command redacts your backend IP as long as you update it as necessary):
* * * * * sudo lsof -nP -i :7300 | sed 's/123.456.78.9/BACKEND_IP/g' > /tmp/lsof.log && md5sum /tmp/lsof.log > /tmp/lsof.md5 - To pull all of the files to your web server, you can use a script like below
Note if you chose different forward proxy or alpha proxy listen ports, don't forget to update those ports in the above cronjobs so that the lsof output is correct:
Bash:
#!/bin/bash
PASSWORD="password123" # to simplify things, we are using the same password for each forward proxy server. If you use SSH keys, you could modify this script to not require the sshpass utility
# Array of remote file (lsof.log) and local destination directory pairs
# Format: "user@host:/remote/path/to/file /local/path/to/destination"
FILES_TO_RETRIEVE=(
"[email protected]:/tmp/lsof.log /var/www/lsof.comain.com/lsof-ovh01.log"
"[email protected]:/tmp/lsof.md5 /var/www/lsof.comain.com/lsof-ovh01.md5"
)
for entry in "${FILES_TO_RETRIEVE[@]}"; do
REMOTE_FILE=$(echo "$entry" | awk '{print $1}')
LOCAL_PATH=$(echo "$entry" | awk '{print $2}')
sshpass -p "$PASSWORD" scp "$REMOTE_FILE" "$LOCAL_PATH"
if [[ $? -ne 0 ]]; then
echo "Failed to retrieve $REMOTE_FILE"
else
echo "Successfully retrieved $REMOTE_FILE"
fi
doneWebsite
If your website relies on status protocol for online status and/or count, you will need to update the IP/PORT it is using to suit your new configuration (note some websites pull this directly from a config.lua)
Credits
- @Kondrah: Developer of the backend proxy app, the otclient proxy feature, and the necessary TFS changes to bring it all together
- @Alpha: Bug fixes on the backend proxy app & taught me how to implement the system (the right way)
- @Gesior.pl: Porting the client proxy feature to OTClient Redemption (and putting in his own efforts to help people implement this system)
- @Michael Orsino: Writing this guide
If you found this guide useful and feel so inclined, you may direct any donations to Michael Orsino and/or Alpha
Footnotes
- Apparently this proxy system can also be used with real tibia clients, however, I am not at all familiar with this. Ref: feat: OTCv8 proxy system by @Gesior.pl · Pull Request #978 · mehah/otclient (https://github.com/mehah/otclient/pull/978#issuecomment-2509871565)
- There is a draft pull request to implement the game server changes into TFS. I haven't reviewed it, and the changes that I instruct here may differ from that PR. Ref: OTCv8 proxy + HAProxy by @Gesior.pl · Pull Request #4860 · otland/forgottenserver (https://github.com/otland/forgottenserver/pull/4860)
Last edited:
