Tailscale Authentication For Minecraft
Computers can do many things. Some are more productive than others. My latest blog post will show how to authenticate to any service, like Grafana. Some people found the idea of using Tailscale to authenticate to any service a fascinating fact. Others saw it as an opportunity to explore new possibilities for Tailscale authentication. This is the story of one of the latter instances. This is how you make your Minecraft server join your tailnet and authenticate to it via Tailscale.
Tailscale is committed to this idea.
Putting your Minecraft server on your tailnet with Tailscale to authenticate gives you these advantages:
- You can lock down your Minecraft server to just your tailnet to ensure that only those who are trusted can access it.
- You can also use ACLs to lock down access even further (if you wish to allow anyone other than the known griefer to connect).
- You can assign Minecraft users to Tailscale users to allow you to keep a better record of who is using the server.
- It is not necessary to modify your Minecraft server with Forge, Bukkit, Paper or Spigot mods; this allows you to use an all-natural setup with minimal configuration.
- You can utilize Node Sharing to add your friends, fellow citizens in blood, and squadmates to your Minecraft server without having to reveal it to the internet's frightful glare. You can also share it with your more sane friends who are already on your tailnet.
- Your Minecraft server will be visible on your tailnet just like any other computer.
There are also a lot of disadvantages to this product:
- This will not work with the Bedrock version of Minecraft (the one that is compatible with phones, consoles and tablets). If you're not sure which version of Minecraft you have, check here to learn how to discern the difference between the two.
- It is necessary to disable the Minecraft server's authentication stack.
  - If your server is listening on the public internet, it will allow anyone to join it. This is exactly what we want.
  - You may be able to work around this by using server-side mods; however, they are not in the scope of this article since we're focusing on using unmodded Minecraft clients and servers.
You can use a different email address to work around this issue in the event of.
This is accomplished by creating an authentication proxy like the one we created previously with Grafana. The proxy will monitor traffic on your tailnet and forward it to the Minecraft server, with one significant difference. When you start the Minecraft session, the client will send the server a packet containing the username of the user trying to log in.
Normally the server is supposed to examine the contents of the packet and verify it against Mojang's authentication servers to ensure that you are actually registered as that username in your Minecraft launcher. Based on the result, the server will either accept or deny the connection. Instead of relying on Mojang for authentication, we can use Tailscale to authenticate. The proxy will look up the Tailscale identity information for that Minecraft session and replace the Minecraft username the client gave with the user information from Tailscale. If we also used Mojang for authentication, Mojang's authentication servers would have no idea what to do about this, so we just bypass them with Minecraft's offline mode, which doesn't require any authentication.
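The username swap described above, as an added example in Go (not code from the patched infrared or from Tailscale). It assumes the Minecraft Java Edition Login Start layout (VarInt-framed packet, packet ID 0x00, length-prefixed name); `rewriteLoginStart` and its `trusted` parameter, which stands in for the name the proxy derives from the Tailscale identity, are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// rewriteLoginStart parses one framed Login Start packet, laid out as
// VarInt frame length | VarInt packet ID (0x00) | VarInt name length | name | rest,
// and returns it with the client-claimed name replaced by trusted.
// Layout assumed from the Minecraft Java Edition protocol, not from the page.
func rewriteLoginStart(pkt []byte, trusted string) (out []byte, claimed string, err error) {
	if len(trusted) == 0 || len(trusted) > 16 { // usernames are at most 16 characters (ASCII assumed)
		return nil, "", errors.New("trusted name must be 1-16 bytes")
	}
	frameLen, n := binary.Uvarint(pkt)
	if n <= 0 || frameLen != uint64(len(pkt)-n) {
		return nil, "", errors.New("truncated or oversized frame")
	}
	body := pkt[n:]
	id, n := binary.Uvarint(body)
	if n <= 0 || id != 0x00 {
		return nil, "", errors.New("not a Login Start packet")
	}
	body = body[n:]
	nameLen, n := binary.Uvarint(body)
	if n <= 0 || nameLen > uint64(len(body)-n) {
		return nil, "", errors.New("name length exceeds packet")
	}
	claimed = string(body[n : n+int(nameLen)])
	rest := body[n+int(nameLen):] // any later fields pass through untouched

	// Rebuild the body with the trusted name, then re-frame it: the length
	// prefix changes whenever the two names differ in length.
	newBody := binary.AppendUvarint([]byte{0x00}, uint64(len(trusted)))
	newBody = append(newBody, trusted...)
	newBody = append(newBody, rest...)
	out = binary.AppendUvarint(nil, uint64(len(newBody)))
	return append(out, newBody...), claimed, nil
}

func main() {
	// Constructed sample: a client claiming to be "Steve".
	pkt := []byte{0x07, 0x00, 0x05, 'S', 't', 'e', 'v', 'e'}
	out, claimed, err := rewriteLoginStart(pkt, "alice")
	fmt.Printf("claimed=%q rewritten=% x err=%v\n", claimed, out, err)
}
```

The claimed name is returned only so the proxy can log it next to the Tailscale identity; the backend server never sees it.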
After the authentication process, the proxy will forward Minecraft traffic like any other proxy. Then you can create and mine to your heart's content with people you trust. You'll be able to communicate with your colleagues and create great things together.
Setup
This patched version of infrared will allow you to set this up on your tailnet. Infrared is normally used by Minecraft server networks to host huge Minecraft servers that can accommodate up to thousands of players simultaneously, but it's also generic enough that it can be used to make a proxy connection to a vanilla Minecraft server.
You can set up everything exactly the same way as with infrared, but be sure to set the environment variable TS_AUTHKEY to a new authkey. If the authkey is tagged, your Minecraft server's node key will never expire, so it stays connected to your tailnet and allows you to create and mine for as long as you want!
One thing to remember is that infrared will want you to connect to the full domain name of the Minecraft server. This is vital. We will utilize the MagicDNS domain that every tailnet receives for free. Assuming your Minecraft server is on port 25565, copy the following into configs/tailscale.json:
This domain can be located by visiting the DNS settings page. Look for the domain that ends in .beta.tailscale.net. This is your account's name followed by .beta.tailscale.net. To get your full domain name, add minecraft-proxy at the end of this line.
Be sure to change server-ip's value to 127.0.0.1 and server-port to 25565 within your server.properties file so that it isn't listening on the public internet:
If you have more creative ideas of things we could do with computers, reach out to us on Twitter @Tailscale, or head to our forum to share the horrors that go beyond description that you have created.
TJ Horner was instrumental in the creation of this amazing creation. I hope you found this interesting.