Tailscale Authentication For Minecraft


Computers can perform a variety of tasks. Some are more efficient than others. My latest blog post will show how to authenticate to any service, such as Grafana. Some people saw the idea of Tailscale being used to authenticate to any service as an interesting fact. Others saw it as an opportunity to study new ways to use Tailscale authentication. This is the story of one of those instances. This is how you can make your Minecraft server join your tailnet and authenticate to it with Tailscale.



One question you might be asking is "Why on earth would you choose to do this?" I would like to respond with a different question: "Why not?" As a great man has stated, "Science isn't about 'why?' but rather 'why not?'" We take this premise seriously at Tailscale.



Putting your Minecraft server on your tailnet using Tailscale for authentication gives you these benefits:



- You can limit access to your Minecraft server to only your tailnet, so only those who are trusted can access it.
- If you don't want anyone except the known griefer to be able to connect, you can use ACLs.
- You can assign Minecraft users to Tailscale users to allow you to keep better track of who is on the server.
- You do not have to alter your Minecraft server using Forge, Bukkit, Paper or Spigot mods; this allows you to use an all-natural setup with very little extra configuration.
- You can use Node Sharing to add your friends, fellow citizens in blood, and your squadmates to your Minecraft server without having to expose your server to the internet's scary whimsies. You can also share it with your less likely scary friends that are already on your tailnet.
- Your Minecraft server will be visible on your tailnet, just like any other machine.



There are also a lot of negatives with this product:



- This will not work with the Bedrock version of Minecraft (the one that runs on phones, consoles and tablets). If you're not sure which version of Minecraft you are using, click here to find out how to distinguish between the two.
- You must disable the Minecraft server's authentication stack. If your server is exposed to the public internet, it will allow anyone to join the server without proving who they are. This is exactly what we're looking for.
- You may be able to circumvent this by making server-side mods, but those are out of scope for this article as we're focused on using unmodded Minecraft clients and servers.



To get around this, use an alternative email address.



This is done by creating an authentication proxy similar to the one used for Grafana. The proxy will listen for traffic on your tailnet and forward it to the Minecraft server, with one important exception. When you start a Minecraft session, the client sends the server a packet containing the username of the person trying to log in.



Normally, the server is supposed to examine the contents of the packet and check it against Mojang's authentication servers to ensure that you're actually authenticating as the username in your Minecraft launcher. Based on the result, the server will allow or deny the connection. Instead of relying on Mojang for authentication, we can rely on Tailscale. The proxy will look up the Tailscale identity information for that Minecraft session and replace the Minecraft username that the client provided with the user's information from Tailscale. If we also used Mojang to authenticate, Mojang's authentication servers would have no idea what to do about this, so we just bypass them with offline mode in Minecraft, which does not require any authentication.



After the authentication process, the proxy will forward Minecraft traffic as a normal proxy. You can then mine and create the content you want with those you trust. You will be able to communicate with your colleagues and come up with amazing ideas together.
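The username replacement described above, as an added example that is not code from infrared or from the original post. It assumes the older Login Start layout in which the packet body is only the name string, takes the tailnet login as a parameter instead of querying Tailscale, and uses a hypothetical name_from_login mapping.

```python
import re

def read_varint(buf, pos=0):
    """Decode a Minecraft VarInt: 7 data bits per byte, at most 5 bytes."""
    value = 0
    for i in range(5):
        if pos + i >= len(buf):
            raise ValueError("truncated VarInt")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("VarInt longer than 5 bytes")

def write_varint(value):
    out = bytearray()
    while value > 0x7F:
        out.append(value & 0x7F | 0x80)
        value >>= 7
    return bytes(out) + bytes([value])

def frame(packet_id, body):  # uncompressed packet: VarInt length, VarInt id, body
    payload = write_varint(packet_id) + body
    return write_varint(len(payload)) + payload

def mc_string(text):
    raw = text.encode("utf-8")
    return write_varint(len(raw)) + raw

def name_from_login(login):
    """Hypothetical mapping from a tailnet login to a 3-16 char Minecraft name."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", login.split("@")[0])[:16]
    if len(name) < 3:
        raise ValueError("login too short to form a Minecraft name")
    return name

def rewrite_login_start(packet, tailnet_login):
    """Return (claimed_name, new_packet); the claimed name is never trusted."""
    length, pos = read_varint(packet)
    if length != len(packet) - pos:
        raise ValueError("length prefix does not match packet size")
    packet_id, pos = read_varint(packet, pos)
    name_len, pos = read_varint(packet, pos)
    # 16 characters at up to 4 UTF-8 bytes each; the name must fill the rest of the body.
    if packet_id != 0x00 or name_len > 64 or pos + name_len != len(packet):
        raise ValueError("not a well-formed Login Start packet")
    return packet[pos:].decode("utf-8"), frame(0x00, mc_string(name_from_login(tailnet_login)))

# Constructed sample: a client claiming to be "Notch" (not captured traffic).
SAMPLE = frame(0x00, mc_string("Notch"))
```

The claimed name is returned only so it can be logged next to the tailnet identity; what reaches the Minecraft server is always derived from the Tailscale login.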



Setup



This patched version of infrared will allow you to configure this on your tailnet. Infrared is typically employed by Minecraft server networks to host giant Minecraft servers that can scale up to thousands of players at a time. However, it's also general enough that it can be used to connect to a basic vanilla Minecraft server.



You can set everything up in the same way as you would with infrared. However, you must set the environment variable TS_AUTHKEY to a new authkey. If you tag the key, your Minecraft server's node key will never expire, so it stays connected to your tailnet, which allows you to craft and mine for as long as you want!



One thing to remember is that infrared will require you to connect with the full domain name of the Minecraft server. It is very selective about this. We will use the MagicDNS domain that every tailnet gets for free. Assuming your Minecraft server is on port 25565, copy the following into configs/tailscale.json:



You can find this domain by visiting the DNS settings page and searching for the domain that ends in .beta.tailscale.net - it is the domain of your account followed by .beta.tailscale.net. Add minecraft-proxy. To get your full domain name, add minecraft-proxy at the end of this line.



Make sure you change server-ip's value to 127.0.0.1 and server-port to 25565 within your server.properties file so that it doesn't listen on the public internet:
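A check for the settings above, as an added example that is not part of the original post: it parses server.properties and flags the dangerous combination of offline mode with a bind address that is not loopback. The finding codes and the audit function are hypothetical names, and the sample files are constructed.

```python
import ipaddress

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments in .properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text, proxy_target_port=25565):
    """Return a list of finding codes; an empty list means the file matches the setup."""
    props = parse_properties(text)
    findings = []
    # Minecraft defaults: online-mode=true, server-ip blank (all interfaces), port 25565.
    offline = props.get("online-mode", "true").lower() == "false"
    try:
        loopback = ipaddress.ip_address(props.get("server-ip", "")).is_loopback
    except ValueError:  # blank value or a hostname: not provably local
        loopback = False
    if not offline:
        findings.append("online-mode-enabled")   # this setup requires offline mode
    elif not loopback:
        findings.append("offline-mode-exposed")  # unauthenticated logins reachable off-host
    if props.get("server-port", "25565") != str(proxy_target_port):
        findings.append("port-mismatch")         # proxy would forward to the wrong port
    return findings

# Constructed samples, not taken from a real server.
HARDENED = "server-ip=127.0.0.1\nserver-port=25565\nonline-mode=false\n"
EXPOSED = "# default bind address\nserver-ip=\nserver-port=25565\nonline-mode=false\n"
```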



We can be reached on Twitter @Tailscale in case you have any other ideas or innovative ways to use computers.



TJ Horner was a key player in the development of this beautiful creation. I hope you found this interesting.