2

I've heard about the dangers of port forwarding to let people play on a minecraft server hosted on your computer. But I was wondering, could having a VPN on the computer with the server possibly avoid the danger or make it safer?

schroeder
Bluesandbox
  • 7
    Not sure why the downvotes... I wouldn't upvote this question, but it's a valid concern that someone with just enough knowledge to host a server from home would have, and shows interest in keeping themselves secure. – Ghedipunk Oct 23 '19 at 22:15
  • Just throwing technology at the problem won't be a solution. What do you mean by "VPN"? What are you thinking a VPN will do for you? Who accesses the minecraft server? – schroeder Oct 25 '19 at 12:16
  • I was just curious. I doubted it would work but I asked the question anyway. – Bluesandbox Oct 26 '19 at 14:28

4 Answers

4

To answer your question bluntly, "No, it would not make you more secure." However, your question shows that you are relatively new to networking and security, so I would like to expand my answer a bit, to give you some context for it.

What is a port?

The internet works based on IP addresses. A typical IPv4 address will look something like 173.194.222.139. This address represents one computer¹ somewhere on the internet. In order to communicate with a specific application on that computer (e.g. a Minecraft server), that application listens to a specific port, such as 25565.

A packet sent to a computer has to contain its address, but also the port which corresponds to the application that is supposed to handle the packet. This is done so that a computer can have many different applications running at the same time, with each listening to a different port. That means your computer could be running a Minecraft server on port 25565, an Unreal Tournament 2004 server on port 7777 and a web server on port 80 and 443.

What is port forwarding?

If you are at home and have multiple devices at hand, you can search for your external IP address and you will see that all of them likely have the same address. How is this possible, if above I said each address corresponds to one computer?

The answer is NAT. I won't go into detail, but think of it like a hotel lobby. The hotel has one address, but many rooms internally. Mails sent from the hotel go to the lobby, which then sends the mail out. The sender is the hotel, and the recipient sees that it comes from the hotel. The recipient will write a reply to the hotel, and the hotel lobby will give the mail to the person who initially sent the mail.

The disadvantage is that this only works if the person in the hotel writes first. If someone would like to send a mail to someone living in this hotel, the hotel wouldn't know what to do and just throws the letter away.

This is where port forwarding comes into play. It essentially means "If traffic comes to this port, I will forward it to this internal machine on that port". In terms of our mail analogy, it's akin to writing "To: Awesome Hotel, Room 1337". The lobby will know where to forward that to.

Concretely, if we set up the gateway computer (the hotel lobby in our analogy) to forward all traffic to port 25565 to your internal computer running the Minecraft server on port 25565, then people connecting to your external IP on that port will actually be forwarded to your internal computer on that port.

Is port forwarding unsafe?

It's a necessary evil. By forwarding one port to your internal computer, it means everybody on the internet can attempt to connect to that port. This is necessary, as otherwise nobody could play Minecraft on your server.

The problem is that if the server has any security vulnerabilities, be it in the base software, a mod you installed, etc., then this directly affects your computer. It's a risk in theory, but in practice, I would not worry too much about it.

Can a VPN help me?

I'm sure you've heard all the YouTubers talk about how a VPN can help you be safe from hackers and all that nonsense. It's just marketing talk, and very dishonest. VPNs do provide security, in specific scenarios, against specific attacks. Claiming they solve all problems and you're just 7,99€ per month away from perfect security is dishonest.

The only scenario in which a VPN would help you is if you ran a VPN gateway in your network and have the Minecraft server accessible only to those with access to your VPN. The problem is that this is way more difficult to set up, and even more difficult to set up in a secure manner. Just forwarding a port to your Minecraft server is way less likely to get you into any trouble.

My own Minecraft server also runs on my local PC and just has a forwarded port, so it's certainly not an extremely insecure way to do it.


1: Yes, even if it's NAT'ed it's still one box that handles all the NAT.
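The lobby behaviour described in this answer, as an added example that is not part of the original post: a small model of a NAT gateway that delivers replies to connections started from inside, drops unsolicited inbound packets, and delivers them once a port forward exists. The class name, the addresses (documentation and private ranges) and the simplified reply matching are assumptions made for illustration.

```python
class NatGateway:
    """Simplified NAT: one public IP, a session table and static port forwards."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.forwards = {}   # public port -> (internal ip, internal port)
        self.sessions = {}   # public port -> (internal ip, internal port, remote)
        self._next_port = 40000

    def add_forward(self, public_port, internal_ip, internal_port):
        """'Room 1337' rule: traffic to this public port goes to this machine."""
        self.forwards[public_port] = (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, remote):
        """An internal host writes first; remember who sent it so the reply finds them."""
        public_port = self._next_port
        self._next_port += 1
        self.sessions[public_port] = (src_ip, src_port, remote)
        return (self.public_ip, public_port)

    def inbound(self, remote, public_port):
        """Return the internal (ip, port) that receives the packet, or None if dropped."""
        session = self.sessions.get(public_port)
        if session and session[2] == remote:      # reply to a letter we sent
            return session[:2]
        return self.forwards.get(public_port)     # static forward, otherwise dropped


if __name__ == "__main__":
    nat = NatGateway("203.0.113.10")              # constructed public address
    player = ("198.51.100.7", 51000)              # constructed outside player
    print("before forward:", nat.inbound(player, 25565))
    nat.add_forward(25565, "192.168.1.50", 25565)
    print("after forward: ", nat.inbound(player, 25565))
    web = ("198.51.100.80", 443)
    _, port = nat.outbound("192.168.1.20", 50000, web)
    print("reply from web:", nat.inbound(web, port))
    print("stranger:      ", nat.inbound(("198.51.100.99", 443), port))
```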

  • 1
    I like the hotel mail analogy. As long as you are explaining the basics, it might be worth a quick mention of why ports exist in the first place. I'm sure there are many reasons, but here the most relevant is (probably) just so a computer can have more than one application listening for internet connections, since you only have one ip address – Conor Mancone Oct 25 '19 at 12:38
  • You could also explain that you may want to be in this hotel because you want to be able to communicate with people via mail, but don't want just anyone to send letters to you. –  Oct 25 '19 at 12:41
  • If the hotel has a hot tub then that's reason enough to want to be there! – Conor Mancone Oct 25 '19 at 12:59
  • Thanks! That helped a lot. – Bluesandbox Oct 26 '19 at 14:24
1

The danger of port-forwarding is that it lets computers on the internet communicate with any program on your computer that is listening on that port. If you instead host your server through a VPN, you'll still need to allow traffic to the port somehow; the content of the traffic isn't fundamentally changed by it coming through a VPN to your computer. If you're only running a Minecraft server on that port, and you do actually want people to connect to it, then there's no danger to forwarding the port.

Most VPNs don't let you forward ports (which wouldn't be usable for hosting a Minecraft server), or they expose all ports (which would be like forwarding all ports to your computer), so a VPN might even be worse on this measure.


There are other dangers that hosting through a VPN could address though. If you wanted to obscure what city you lived in, or you were worried that someone might DDoS you and slow down your home's whole internet access, then hosting through a VPN would help with these.

Macil
  • Everywhere I've seen on this website says that port forwarding is dangerous and people can use the hole in your firewall to do stuff – Bluesandbox Oct 24 '19 at 00:05
  • 1
    The stuff they could do if you open a port is talk to any programs on your computer listening on that port. If you actually want people to talk to your minecraft server and you only open the port used by your minecraft server, then you're fine. The advice against opening ports is like "Leaving your front door open is dangerous, because people can come inside.". If you want your friend to come inside, then you do actually want to open the door for them. – Macil Oct 24 '19 at 00:34
  • From what I've read people can use the open door as well as friends to gain access to your computers and stuff, is this not true? – Bluesandbox Oct 24 '19 at 00:57
  • If the program listening on the port (the minecraft server) is insecure, then letting people communicate with it could be dangerous. If you still want people to communicate with the minecraft server, you could either accept the risk, or you could try to lower the risk by running the minecraft server in its own user account, in a sandbox, in a VM, or on another machine entirely. A VPN doesn't do anything to address the risk that comes from letting other people talk to an insecure program on your computer. – Macil Oct 25 '19 at 23:34
  • The server will be on a separate device only for the server. But couldn't someone use the communication to somehow compromise the network? – Bluesandbox Oct 26 '19 at 14:27
0

Installing a VPN client does not help, but installing a VPN server and making your friends connect to it will mostly solve the problem. I will explain.

If you just install a client, it does not change anything. Anyone can connect to your computer, no matter if the VPN is connected or not. Your outgoing connections will go through the VPN, but incoming connections don't.

On the other hand, if you install a VPN server, and make Minecraft listen only to the interface the VPN created, nobody outside can connect, except those coming from the VPN itself. You create a port forward for the VPN server, send login/password to your friends, and you are safe.

ThoriumBR
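A way to check the binding this answer relies on, as an added example that is not part of the original post: it parses `ss -tln` output and reports whether a port is listening on every interface or only on the VPN address. The sample output, the 10.8.0.0/24 VPN subnet and the function names are constructed for illustration.

```python
import ipaddress

WILDCARDS = {"*", "0.0.0.0", "::"}   # how ss shows "listening on every interface"

# Constructed `ss -tln` output: server bound to all interfaces.
BEFORE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      *:25565              *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
"""
# Constructed: same host after binding the game server to the VPN interface address.
AFTER = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      10.8.0.1:25565       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return (host, port) for every LISTEN row of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                  # header or unrelated row
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]         # drop IPv6 brackets and %iface
        listeners.append((host, int(port)))
    return listeners

def classify(host, vpn_net):
    """Describe which peers can reach a socket bound to `host`."""
    if host in WILDCARDS:
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback-only"
    return "vpn-only" if addr in vpn_net else "other-interface"

def audit_port(ss_output, port, vpn_cidr):
    """Return the sorted set of exposure classes found for `port`."""
    vpn_net = ipaddress.ip_network(vpn_cidr)
    return sorted({classify(h, vpn_net)
                   for h, p in parse_listeners(ss_output) if p == port})

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_port(sample, 25565, "10.8.0.0/24"))
```

On a real host, pipe the live output of `ss -tln` into `audit_port` instead of the constructed samples.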
-1

VPN does not help. If you are running a server and want to allow outsiders to connect to the server, you need to give the outsiders an internet-routable IP address, protocol (usually tcp) and port number to connect to.

TCP sockets that outsiders connect to that public IP/protocol/port will be forwarded to your private IP/port.

Using VPN just makes the server less reliable, or allows you to delete the known public IP in the future. But if you want to make the server available, you have to make the server available.

If the Minecraft server software you are running is vulnerable to (for example) a buffer overflow attack, a hacker that is connected to your server may be able to trick the software into “phoning home” (opening up an outbound tcp socket to a home base allowing remote control).

One mitigation is to block outbound sockets from your server, other than what is needed to run the server (DNS and software updates for example).

Another mitigation is to have no valuable information on the Minecraft server, and have no other systems accessible from the server. But even then, a successful hacker might get your Minecraft players’ usernames and passwords. Getting a second Internet connection and only putting the dedicated Minecraft server on it is one easy way to achieve this.

Regularly updating the Minecraft server software will also help.

Darrell Root
  • When you say getting a second internet connection you mean like a subnet or something, separate from your home network? – Bluesandbox Oct 24 '19 at 12:33
  • You could implement an isolated net using a router or firewall with two inside subnets and ACLs which prevent cross communication, but that is a more advanced and error-prone configuration. I was suggesting you get two internet connections: perhaps one DSL from phone provider, one cable modem from cable provider. Then you have two airgapped networks. That is expensive, but easier for a non-network-engineer to implement. – Darrell Root Oct 24 '19 at 17:13