Tunnels

If you want to host a Minecraft server that others can access but don’t want to or cannot forward ports due to reasons such as security implications or restrictions imposed by your host or Internet service provider, look no further than using tunnels.

Simply put, these are proxies that run on your host and connect your server to a public network without opening a port on your router/firewall.

This page aims to look at a variety of software used to open tunnels, their pros and cons and a bottom line:

---

Ngrok

A single-binary application that exposes local TCP ports to the internet through secure tunnelling: to set up ngrok on your server…

• Create an ngrok.com account
• Download the ngrok binary for your system
• Copy and paste your authtoken command into the terminal, typically

...

/path/to/ngrok config set-authtoken <token>

...

• Run the ngrok agent to expose a port

...

/path/to/ngrok tcp 25565 # or the port you want to expose

...

Pros

• Relatively quick to set up (single binary)
• Open-source integrations

Cons

The free version of Ngrok is very limited:

• Server address changes every time the ngrok agent is restarted (static URLs are only available for HTTP sites)
• Extremely limited bandwidth (1GB/month)

Additionally, ngrok does not support UDP tunnelling and therefore Geyser cannot be tunnelled for Bedrock Edition players

Bottom Line

Ngrok is best suited to development servers that should be able to be accessed from anywhere, as well as smaller servers run by those who cannot forward ports on their network equipment.

Website

---

Playit

A global proxy that exposes your game server to the Internet, securely tunneled through Playit’s servers. To set up Playit on your Minecraft server… (assuming you use Bukkit or a fork)

• Create an account on playit.gg and verify your email address
• Download the Playit agent plugin from here to your server’s plugins folder
• Restart your server
• Click on the URL that the plugin outputs to the console or chat and log in to Playit
• Add the agent to your account and wait for the tunnel to be created

Your tunnel should then be active! Share the address given by Playit with your players and you should be good to go!

Pros

• Generous free plan (4 TCP and 4 UDP ports, 6 firewall rules to block IPs and ranges etc.)
• Premium plan only $3 per month, offers good upgrades such as extra ports and firewall rules, up to 6 external domains and even 3 dedicated IPv6 addresses (provided your network uses IPv6)
• Static domain name for servers
• Server plugin allows integration with Playit without running the agent as a separate process

Cons

• Playit only allows for external domains to be used on its premium plan: the free plan assigns a randomly-generated subdomain in the format name.ply.gg

Bottom Line

Playit is the most common and recommended option when it comes to Minecraft server tunnelling, with a vast community on its forums and Discord server and knowledgebase for common guides and issues.

Website

---

Connect

Minekube’s Connect is a plugin that links Minecraft servers to a global network in a similar practice to Minehut

Pros

• Plug and play: just drop the plugin into your server’s plugins directory and copy the generated address
• Brandable with free custom domains / sub-domains
• Passive advertising on the Connect network allows for extra player traffic

Cons

• A paid plan is required to provide an ad-free experience

Bottom Line

Out of the options listed on this page, Connect has the easiest setup: just install the plugin and Connect will generate a domain for you! This option is best suited for public server owners who want simple setup with organic growth from other players joining from the Connect global network.

Caution

Players joining your server through the Connect network will not be able to join if secure chat is enforced. To disable this:

• On your backend server(s), make sure enforce-secure-profile is set to false in server.properties
• If using BungeeCord, set enforce_secure_profile to false in config.yml
• If using Velocity, set force-key-authentication to false in velocity.toml

This can be a downside for those who want signed chat to be enforced on their servers but want to advertise and grow their playerbase on the network.

Website

---

Cloudflared

Cloudflared is a server-side daemon that allows the tunnelling of network traffic through Cloudflare’s secure network

Here are some resources on how to run and tunnel Minecraft servers using cloudflared:

Cloudflare Community

Cyb3r Jak3

Pros

• Traffic is proxied through Cloudflare’s network, renowned for its terabit-capacity DDoS mitigation.

Cons

• Setup is very complicated
• Individual tunnels must be created using cloudflared for each port that you wish to be open
• All players must have cloudflared installed and running on their computers to access the server

Bottom Line

This option is best for server owners and players who are willing to take on the more complicated setup and requirements, allowing for rock-solid security without the need for DDoS protected proxy

Developer Docs