Cheap, easy DDoS protection, via GRE tunnel
Note: This works best for dedicated servers rented in companies like Hetzner, OVH, etc.. Use at home hosted servers is subject if your ISP allows GRE traffic, contact them beforehand.
Last year I was running a DDoS protection service, and I will unveil one of the cheapest ways to get reliable DDoS protection very easily.
For the purpose of this guide you will need a linux vps, at a provider that has decent DDoS protection, like Path.net or Cosmic Guard. I will be using EUGameHost as I've been using it for my PvP cluster recently, and it's yielded very good results for the price paid. Also we will configure the tunnel between this VPS and a Windows machine. It can also be configured in a Linux machine, you can search for some tutorials on the internet.
VPS is using debian.
Also, you will need a program to access the server via SSH, I will use PuTTy.
If you are in linux, or in Windows 11, you can use CLI based ssh.
Any VPS that has 2 cores or more should be valid, depends on how many people and traffic your servers use, however.
When you buy the VPS, you will have to download a private key, which is used instead of a password. Private keys are way better than a password in terms of security.
To use the private key to log in trough SSH with PuTTy, you will need to convert it to the putty format. When you installed Putty, it should have also installed a program called PuTTyGen, open it.
Important!
Many hosts put a "Deny all" rule by default, you will need to open ports in the firewall for SSH (22), and after finishing this guide you will also need to open ports for ARK server, and other software you run trough the VPN
Load the private key you downloaded, and click "Save Private Key". You can use a passphrase or not, I usually do not use it. Save the .ppk file somewhere, and remember where it is.
After converting the private key to Putty format, select your newly saved .ppk file in the following section
And fill in the user and the server ip like this, where XXX.XXX.XXX.XXX is your vps' ip:
You can save the default settings so you don't need to repeat these 2 steps every time.
Once you are ready to go, click "Open", it should open a console window.
When you are connected and, if you haven't, update and upgrade all of your packages using your package manager. For example, for apt you can put
Bash:
apt update && apt upgradeNow, open your favourite text editor. I will use nano (if it says command is not found, execute apt install nano), and open a new .sh file. I will open gre.sh
Bash:
nano gre.shAnd paste this script:
Bash:
#!/bin/bash
# ./gre_tunnel.sh gre1 192.0.2.1 198.51.100.2 10.0.0.1 10.0.0.2 203.0.113.0
INTERFAZ=$1
IP_LOCAL=$2
IP_REMOTA=$3
IP_PRIVADA_LOCAL=$4
IP_PRIVADA_REMOTA=$5
IP_PUBLICA=$6
ip tunnel add $INTERFAZ mode gre remote $IP_REMOTA local $IP_LOCAL ttl 255
ip addr add $IP_PRIVADA_LOCAL peer $IP_PRIVADA_REMOTA dev $INTERFAZ
ip link set $INTERFAZ up
echo "net.ipv4.ip_forward = 1" | tee /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -t nat -A POSTROUTING -o $INTERFAZ -p tcp --dport 22 -j RETURN
iptables -t nat -A POSTROUTING -o $INTERFAZ -j MASQUERADE
iptables -A FORWARD -i $INTERFAZ -j ACCEPT
iptables -t nat -A PREROUTING -d $IP_PUBLICA -j DNAT --to-destination $IP_PRIVADA_REMOTA
iptables -t nat -A POSTROUTING -s $IP_PRIVADA_REMOTA -j SNAT --to-source $IP_PUBLICAThis script will set up all the necessary rules and configurations to set up a basic GRE tunnel.
Now give it execution permission:
Bash:
chmod +x gre.shThen, we need some data to keep going:
- VPS ip: Is the IP of the vps server we just bought. Let's assume it's 192.168.1.2
- Dedicated Server IP: It's the original IP of the machine running the game servers. This IP should be kept secret, otherwise attacks can be easily done to this IP. Let's assume it's 192.168.1.10
- Internal IPs for the VPS. If you just bought this VPS, and don't have any more GRE tunnels running, you can use 10.10.0.1 and 10.10.0.2 as I will show later. These will be the IPs where the GRE traffic will be routed back and forth
- A unique name for the network interface. You will need to give the interface a name. I will call it "gre1" for this guide.
Bash:
./gre.sh gre1 192.168.1.2 192.168.1.10 10.10.0.1 10.10.0.2 192.168.1.2On the Windows machine, download a copy of this open-source software: https://github.com/wow0000/GRE_Tunnel/releases/latest
Unzip it and create a new file, start.bat for example:
Bash:
@echo off
:start
.\GRETunnel.exe 192.168.1.10 19.168.1.2 10.10.0.2 10.10.0.1
timeout /t 5
goto startOnce you start that bat script, it should be working already if everything is correctly configured!
To test this, open a cmd window and try "ping 10.10.0.1". If you can ping 10.10.0.1 means the GRE tunnel is healthy.
To make the game servers go trough the GRE tunnel we just set up, you will have to set multihome IP in Ark. In ASM you can find the IP in this section:
For ASA, you can write in the launch args -multihome=10.10.0.2 and -ServerIP=192.168.1.2 (change this with your actual IPs from the VPS)
Now, this is different for each VPS provider, but you should open ports for your ark server ports. Game port, Query, Peer, Rcon, etc...
Also, when available, filters are super necessary!. Filters examine the network packets based on game/software type and discard the malicious packets allowing your server to continue operating without noticing any kind of attack. If you miss filters, you will likely get affected if someone sends a DDoS attack against you.
In my case, since I'm using EUGameHost, they have a nice firewall panel (you have to open a ticket in their discord to get access to it currently), but you can set up each game server with the presets for ARK: SE and ARK: SA:
This firewall presets will take care of everything for you, including firewall and filters.
Hope you find this guide interesting! Like if you liked!
© Pelayori. Unauthorized distribution of this work, or any derived versions, is strictly prohibited.
Attachments
Last edited:
