Programmer NEED GOOD TUNELLING SYSTEM

[M4rcin]

Yes, I'll personally ask all the players who start playing to download Exitlag and learn how to use it. Thanks for the tip, man.

If this is the best idea you can come up with, then well, not everyone is equally gifted.
Most of the players who play over big distances already use it.

Your single VPS located in the very same place will only allow some petty hacker to DDoS you easier (since now its only the VPS that has to go down), but I am not going to repeat myself again, you already have hints in my previous posts and you will surely be reading them when you run into the issue I mentioned.

Edit: Actual solution to all issues mentioned in this thread, that came to my mind now, which use nodes around every single one of us, for free, have been posted by Kor recently, and no one mentioned it - WebSocket over cloudflare.
Kondrah proxy is old news, older than most of your accounts. If you feel like you are innovative because you came up with “multiple vps form multiple providers” then really, get some experience and maybe think again.

 

[Engradiel]

 

[Gallus]

You can achieve that only if you go around a faulty route, which implies that the node will not share the same route.
Making it true for users around the globe will generate costs.

If you have server for example in Berlin you can have one datacenter but 5 different companies and each of them will have different route when you connect to them because peering depends on company.

OVH is known for rather poor pings; generally by buying VPS in random hostings and setting it up as proxy you immediately get 10–20 ms better ping (of course as long as you dont live close to data center).

Your single VPS located in the very same place will only allow some petty hacker to DDoS you easier (since now its only the VPS that has to go down), but I am not going to repeat myself again, you already have hints in my previous posts and you will surely be reading them when you run into the issue I mentioned.

You see, point is that with this proxy system it doesnt matter if some VPS goes down for 1-5 minutes, it wont affect players connection in any way. In case of ExitLag if one server goes down you lose connection until it reconnects, its much worse.

Even for anonymity's sake, if you want a proxy as resilient as a single dedicated server, you need at least one dedicated server in your nodes, which doubles your costs at the very start. I get you can get cheap VPS's, but most of these VPS's will nullroute as soon as the attack start, and you might be left out with no nodes available otherwise.

Thats exactly point - you dont need any highly resilient server. You can buy 10–20 servers for $5 each and spend $50 and at the moment no attacker is able to take all of them down at once. If needed, you can quickly add more. Do you think single 1–10 Gbps server is better? Of course you can buy a better connection (and attacker can still take you down with more power) but it will cost hundreds of dollars compared to $50–100 you would spend on proxies from which you gain more than ddos protection.

Talking to you is like talking to wall, thats exactly why SOE has been having problems with attacks for year or longer, while other large servers have no issues at all. I guess after every attack you send tcpdump to OVH and ask them to fix edge firewall? Great solution

I will also add that CipSoft uses similar system and when you connect to their servers you get two or more connections like Cloudflare + Amazon. Even if one stops working you still have other one. Its same principle.

Edit: Actual solution to all issues mentioned in this thread, that came to my mind now, which use nodes around every single one of us, for free, have been posted by Kor recently, and no one mentioned it - WebSocket over cloudflare.

"When Cloudflare releases new code to its global network, we may restart servers, which terminates WebSockets connections."
Awesome solution

The system initially worked well, and I will improve it.

I have one problem: I have a feature that, when the player's IP address is 0, the creatures ignore them (this is good because in case of power or internet outages, the player is protected).

However, with Alpha Proxy (hasproxy), when exiting the character, it takes 30 seconds to lose the IP address. Does anyone know how to adjust this setting?


Demonstration video: Watch WhatsApp Video 2025-12-16 at 19.20.16 | Streamable (https://streamable.com/vgz4o7)

If I remember correctly timeout after which TFS <-> proxy session is closed is 30 seconds.

 

[M4rcin]

If you have server for example in Berlin you can have one datacenter but 5 different companies and each of them will have different route when you connect to them because peering depends on company.

Surely most of the route wont be shared tho

Thats exactly point - you dont need any highly resilient server. You can buy 10–20 servers for $5 each and spend $50 and at the moment no attacker is able to take all of them down at once. If needed, you can quickly add more. Do you think single 1–10 Gbps server is better? Of course you can buy a better connection (and attacker can still take you down with more power) but it will cost hundreds of dollars compared to $50–100 you would spend on proxies from which you gain more than ddos protection.

Most of 5$ USD VPS nullroutes, this is plain malicious to spread misinformation like that.

Talking to you is like talking to wall, thats exactly why SOE has been having problems with attacks for year or longer

All it takes to check if you are correct is a single click

while other large servers have no issues at all

Sure

"When Cloudflare releases new code to its global network, we may restart servers, which terminates WebSockets connections."
Awesome solution

As everything, this has to be correctly implemented.

View attachment 96745

Yea, with Kondrah's proxy connection starts flying over the ocean - great infographic

I will reiterate.
Given you are connected to multiple nodes, there is a chance your route slows down and then even shit ping proxy will be better than no connection.
This approach requires you to at least double your hosting costs by having one reliable node (5$ vps likely won’t be reliable) or you just decreased your resilience by an order of magnitude. It requires you to have numerous nodes around the world, so they don’t share routes, and still won’t give you guarantee that the problem won’t occur somewhere between the node and the user, or on your route.

This makes it a very ineffective endeavour for a small business owner, while there are cheap solutions like ExitLag.
Hell, you could even partner up with ExitLag like @imperianic did.
But suggesting someone to become ExitLag is a pretty detached thing to say.

And after all, you don’t need it. All you need is a dedicated server from OVH.

 

[Gallus]

Surely most of the route wont be shared tho

We are talking mostly about ddos protection and you should still buy servers in different places.

XD Your 5$ USD VPS nullroutes, this is plain malicious to spread misinformation like that.
You never actually did it in your life, you just repeat stuff.

So what? I already said that it doesnt matter if one server out of 10-20 goes down for an hour, two, a day, or more. You are repeating bullshit trying to prove something.

Kondrahs proxy actually increases ping, since rarely the proxy nodes are going to be located near you, effectively increasing the distance the connection travels.

This is not true. I already explained.

All it takes to check if you are correct is a single click, but you doesnt seem like a person who would dare to be wrong

Sure, some otservlist uptime is definitely more accurate than player messages on server discord.

 

[M4rcin]

We are talking mostly about ddos protection

Nope, you got lost, read the first OP's post.

So what? I already said that it doesnt matter if one server out of 10-20 goes down for an hour, two, a day, or more. You are repeating bullshit trying to prove something.

All your shit 5$ vps will nullroute, all, you understand? Todos VPSos, comprende amigo?

This is not true. I already explained.

It is true that connection travels over distance, if you prolong the distance, there are more failure points, and the ping will be higher.
It is an edge case in which this is not true.

 

[Gallus]

Nope, you got lost, read the first OP's post.

"Hi everyone, I'm looking for someone with experience who has already developed an effective tunnel that doesn't suffer attacks and automatically chooses the best route."

All your shit vps will nullroute, all, you understand? Todos VPSos, comprende amigo?

If you dont know how to configure it, sure. This isnt solution for people who think just make regular proxy and everything will be fine.
You literally have no idea what idea behind this proxy is.

It is true that connection travels over distance, if you prolong the distance, there are more failure points, and the ping will be higher.
It is an edge case in which this is not true.

Once again, its matter of configuration and choosing right servers. As I said, OVH pings are bad and almost always even cheap 5$ VPS will make latency better.

 

[M4rcin]

"Hi everyone, I'm looking for someone with experience who has already developed an effective tunnel that doesn't suffer attacks and automatically chooses the best route."

.About 10% of players experience this and sometimes complain about lag and kicks when it's normal for others.

You didn't read man, you cherrypick what fits your narrative.

If you dont know how to configure it, sure.

I am having success with less than you suggest, and apparently I am the one who dont know how to configure stuff.
Yes, otslist pings every minute and its 100% uptime. If any of the attacks were successful, I am pretty sure we would at least miss that one ping, no?
Tools are usually more reliable than nontechnical player feedback, and it's not the only tool, but the only one you can fact-check yourself.

This isnt solution for people who think just make regular proxy and everything will be fine.

Yeah, multiple weak VPS are not a solution, and let's put the comma here.
Instead of quoting me again, please post some proof that you are not just starved for my attention.
Proof that you host something, and it has at least similar uptime - if you fail to do so, don't expect any more of that attention.

 

[Gallus]

You didn't read man, you cherrypick what fits your narrative.

He also asked about protection against attacks and choosing best route. In this entire discussion you choose what fits your narrative.

Yes, otslist pings every minute and its 100% uptime.

After this sentence you really have no idea about attacks/network problems. If you are attacked 10:00:00 - 10:00:30 and otservlist uptime is checked at 10:00:35, will otslist show problem? or 30 seconds ddos attack which makes your players disconnect is nothing? Now I get why SOE have problems since year.

Thats exactly how you pick dumb solutions to suit yourself, so it looks like you are right and have 100% uptime, while in reality it doesnt show anything at all.

Yeah, multiple weak VPS are not a solution, and let's put the comma here.
Instead of quoting me again, please post some proof that you are not just starved for my attention.
Proof that you host something, and it has at least similar uptime - if you fail to do so, don't expect any more of that attention.

Of course there are better solutions but Kondrah proxy is cheapest, most effective and helps with many problems.

 

[M4rcin]

bla bla bla i am noob i repeat stuff

No proof

You never hosted anything. Lets conclude it here.

 

[Gallus]

No proof

Yes, otslist pings every minute and its 100% uptime.

 

[M4rcin]

View attachment 96755
View attachment 96756

You just found 5 players (SoE has around 10K daily players) that had connection issues and a post from 4 months ago when there was the last succesfull attack.

I am asking for proof of you actually having success with your approach, not cherrypicked messages of localised issues..

 

[Gallus]

You just found 5 players (SoE has around 10K daily players) that had connection issues and a post from 4 months ago when there was the last succesfull attack.

I am asking for proof of you actually having success with your approach, not cherrypicked messages of localised issues.

Since you’ve never actually tried it and don't have data to compare, let's forget about mine and let’s run your benchmark on someone else’s data - say Dura, the server run by the guy who posted the proxy guide. He surely knows what he’s doing, right?

Let’s also ignore that we launched much more recently and that Dura has 15-20x fewer players.
With at least double the hosting costs, the impact should be obvious.

Right?

Wrong.

View attachment 96758

How many more times will you edit your messages? Because I dont know if I can reply yet
Actually there is no point in talking with you, you manipulate and respond in way that suits you Mrs 100% uptime



March 2024 and we still have DDoS, 1.5 year later and still nothing changed. Perfect setup

 

[M4rcin]

How many more times will you edit your messages? Because I dont know if I can reply yet
Actually there is no point in talking with you, you manipulate and respond in way that suits you Mrs 100% uptime

View attachment 96761View attachment 96762View attachment 96763

The messages you found are older than your account, and you call me manipulative?
I asked you for your data, but you don't have it.

Is your argument really that weak that, to defend it, all you can do is fixate on SoE Discord messages from last year?

March 2024 and we still have DDoS

You are losing composure, and your messages are becoming nonsensical.

 

[Gallus]

The messages you found are older than your account, and you call me manipulative?

So what? What difference does that make? Its funny that you could deal with these attacks by using proxy servers but instead you prefer to throw shit at them

You are losing composure, and your messages are becoming nonsensical.

Yes, sorry

Is your argument really that weak that, to defend it, all you can do is fixate on SoE Discord messages from last year?

I think best way to verify what you are claiming about OVH DDoS protection is to look at how your server actually works - and we can see it doesnt work well, so you shouldnt be talking about protection that clearly isnt working on your end. Its clear that nothing has changed from March 2024 to August 2025.

You are asking me for proof but its enough to look at big servers like Kasteria, Aurera, Realera, Kaldrox and others, which dont have these kinds of problems (ddos). I would not say Dura is good example because nobody really plays there, its more 4fun server

Lets end this here. Protect your servers however you want but dont recommend those poor solutions to others

 

[M4rcin]

Its funny that you could deal with these attacks by using proxy servers but instead you prefer to throw shit at them

And you still think you understand the situation?

I think best way to verify what you are claiming about OVH DDoS protection is to look at how your server actually works.

Its clear that nothing has changed from March 2024 to August 2025.

Welcome in December, 2025. I guess your rent might be due.

 

[kor]

Awesome solution

Please note that it says they may, not that they do it every time. IMO this option is more likely to be used only when updating areas related to Websockets. Furthermore, if they offer such a service, they probably tend not to release new code every few hours so as not to impact their users.

If you'd like, we can test this approach together and assess how reliable it is.

 

[Gallus]

Please note that it says they may, not that they do it every time. IMO this option is more likely to be used only when updating areas related to Websockets. Furthermore, if they offer such a service, they probably tend not to release new code every few hours so as not to impact their users.

If you'd like, we can test this approach together and assess how reliable it is.

Yeah, you are probably right. @gunz has been using this solution for long time, maybe he can comment on it

Actually, I see he already did

The AWS disconnects are minimal, CF once per few hours, Google is once per hour.

 

[Engradiel]

Just so they can't say I never helped anyone in Otland.

# LIMITA O TRAFEGO NA PORTA PRA EVITAR SPOFF
-A INPUT -p tcp --dport 6800:6809 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 6800:6809 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 40/min --hashlimit-burst 41 --hashlimit-mode srcip --hashlimit-name conn_proxy_rate_min -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 6800:6809 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 6 --hashlimit-mode srcip --hashlimit-name conn_proxy_rate_sec -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 6800:6809 -m hashlimit --hashlimit-above 449/sec --hashlimit-burst 450 --hashlimit-mode srcip --hashlimit-name conn_proxy_rate_packets_sec -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 6800:6809 -m hashlimit --hashlimit-above 100kb/s --hashlimit-mode srcip --hashlimit-name bandwidth_proxy_sec -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 6800:6809 -j ACCEPT

By also using Fail2Ban, your VPS will become much more difficult to take down continuously.

They talk about problems with VPS attacks but don't know how to protect the connection at least minimally.

 

[M4rcin]

If you'd like, we can test this approach together and assess how reliable it is.

Soon, just didn't have any actual stimuli to do so yet - but that's definitely a thing I want to explore.

Just so they can't say I never helped anyone in Otland.
View attachment 96776


By also using Fail2Ban, your VPS will become much more difficult to take down continuously.

They talk about problems with VPS attacks but don't know how to protect the connection at least minimally.

This setup is incomplete, also this panel is only one of the tools you can set up on OVH, given you have full protection available (likely not on VPS).

Edit:
Another option worth consideration is using Don Daniello's service.