Tailscale Authentication For Minecraft


There are many things you can accomplish using computers. Some are more efficient than others. My blog post explains how to authenticate to Grafana. Some people saw the idea of using Tailscale to authenticate to any service as a cool fact. Others saw it as an opportunity to explore new ways to use Tailscale authentication. This is the story of one of the latter instances: how to make your Minecraft server join your tailnet and then authenticate to it using Tailscale.



One question you might be asking yourself is "Why would you want to do this?" I would like to answer this with a different question: "Why not?" A great man has said, "Science isn't about 'why?' but rather 'why not?'" We take this concept seriously at Tailscale.



Connecting your Minecraft server on your tailnet with Tailscale for authentication gives you these benefits:



- You can limit access to your Minecraft server to just your tailnet, so only those you know can access it. If you want everyone except a known griefer to be able to connect, you can use ACLs.
- You can assign Minecraft users to Tailscale users, which gives you a better record of who is using the server.
- It is not necessary to modify your Minecraft server using Forge, Bukkit, Paper or Spigot mods. This allows you to use an all-natural setup with very little extra configuration.
- You can use Node Sharing to add your friends, fellow citizens in blood, and even squadmates to your Minecraft server without having to expose your server to the internet's scary whimsies. You can also share it with more sane friends who are already on your tailnet.
- Your Minecraft server will appear on your tailnet just like any other computer.



There are also a lot of negatives with this approach:



- This will not work with the Bedrock version of Minecraft (the one that is compatible with phones, consoles and tablets). If you are unsure what version of Minecraft you have, check here to learn how to tell the difference between the two.
- You have to disable the Minecraft server's authentication stack. If your server is exposed to the public internet, this allows anyone to join the server without proving who they are. This is not what we are looking for here.



You might be able to work around this by making server-side mods, but those are out of the scope of this article since we're focusing on using unmodified Minecraft clients and servers.



To avoid this, you can use a different email address.



This is accomplished by creating an authentication proxy much like the one for Grafana. The proxy listens for traffic on your tailnet and forwards it to the Minecraft server, with one important exception. At the start of the Minecraft session, the client sends the server a packet with the username of the user trying to log in.



Normally, the server is supposed to take the contents of that packet and check it against Mojang's authentication servers to verify that you're actually registered as that username in your Minecraft launcher. Based on the result, the server will either accept or deny the connection. Instead of relying on Mojang for authentication, we can rely on Tailscale. The proxy looks up the Tailscale identity information for the Minecraft session and replaces the Minecraft username the client gave with the user information from Tailscale. If we also used Mojang for authentication, Mojang's authentication servers would have no idea what to do about this, so we bypass them using offline mode in Minecraft, which doesn't require any authentication.



After the authentication process, the proxy will forward Minecraft traffic just like any other proxy. You can then mine and craft the content you want with those whom you trust. You'll be able to communicate with your coworkers, and come up with amazing things together.
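
The username swap described above can be sketched in Go as follows. This is an added example, not the code of the patched infrared proxy: it assumes the older Login Start layout in which the packet carries only the name (newer protocol versions append more fields), and the function names and the tsName parameter are hypothetical, with the Tailscale identity lookup left to the caller.

```go
package main

import (
	"errors"
	"fmt"
)

// readVarInt decodes a Minecraft VarInt: 7 data bits per byte, low group first.
func readVarInt(b []byte) (val, n int, err error) {
	for n < len(b) && n < 5 {
		val |= int(b[n]&0x7F) << (7 * n)
		n++
		if b[n-1]&0x80 == 0 {
			return val, n, nil
		}
	}
	return 0, 0, errors.New("truncated or oversized VarInt")
}

func appendVarInt(dst []byte, v int) []byte {
	for v >= 0x80 {
		dst = append(dst, byte(v)|0x80)
		v >>= 7
	}
	return append(dst, byte(v))
}

// RewriteLoginStart (hypothetical) assumes: VarInt length | 0x00 ID | VarInt name length | name.
func RewriteLoginStart(pkt []byte, tsName string) (out []byte, claimed string, err error) {
	bodyLen, n, err := readVarInt(pkt)
	if err != nil || bodyLen != len(pkt)-n || bodyLen < 2 || pkt[n] != 0x00 {
		return nil, "", errors.New("not a single well-framed Login Start packet")
	}
	nameLen, m, err := readVarInt(pkt[n+1:])
	if err != nil || nameLen != len(pkt)-n-1-m {
		return nil, "", errors.New("name length does not match frame")
	}
	claimed = string(pkt[n+1+m:]) // what the client says it is; never forwarded
	if tsName == "" || len(tsName) > 16 { // names are capped at 16 characters
		return nil, claimed, errors.New("replacement name must be 1-16 bytes")
	}
	body := append(appendVarInt([]byte{0x00}, len(tsName)), tsName...)
	return append(appendVarInt(nil, len(body)), body...), claimed, nil
}

func main() { // constructed sample: the client claims to be "Notch"
	out, claimed, err := RewriteLoginStart([]byte{0x07, 0x00, 0x05, 'N', 'o', 't', 'c', 'h'}, "alice")
	fmt.Printf("%q -> % x (err=%v)\n", claimed, out, err)
}
```

Tailscale login names can be longer than 16 bytes, so a proxy has to map them to a shorter name before the rewrite; this sketch rejects such names instead of truncating them.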



Setup



If you're planning to set this up on your tailnet, you'll have to use a patched version of the proxy infrared. Infrared is normally used by Minecraft server networks to host giant Minecraft servers that can accommodate up to thousands of players simultaneously. However, it's also general enough that it can be used to proxy connections to a vanilla Minecraft server.



You can configure everything the same way you would with infrared. However, you must be sure to set the environment variable TS_AUTHKEY to a new authkey. If you tag the key you use, your Minecraft server's node key will never expire, so it will remain connected to your tailnet and allow you to create and mine for as long as you want!



Something to be aware of is that infrared requires you to connect to the full domain name of the Minecraft server. It is very picky about this. We will use the MagicDNS domain that every tailnet has for free. Assuming your Minecraft server is on port 25565, copy the following into configs/tailscale.json:



This domain can be located by visiting the DNS settings page. Look for the domain ending in .beta.tailscale.net. It must be the name of your account followed by .beta.tailscale.net. Add minecraft-proxy. to it to get your full domain name.



Make sure you set server-ip to 127.0.0.1 and port to 25565 in the server.properties file to ensure that the server isn't listening on the public internet.



If you have more creative ideas of things we could create using computers, contact us via Twitter @Tailscale or head to our forum to share with us the horrors that go beyond description that you've created.



The forging of this gorgeous creation was thanks to the efforts of TJ Horner. I hope this article was informative.