Proxy Setup Guide (Hide VPS IP)

[Foob]

Hello there,

Some of you might know this already and maybe have read the original guide for it. But for those who doesn't know it yet, see below.

Note: I’m sharing the steps on how to do it using CentOS7 for the proxy server/VM while the main server/VM will be anything you like as long as rAthena supports it.

Before everything else, I would like you to know that this guide will only work on CentOS7 and this doesn’t guarantee that it will provide low latency to your players since its main function is to HIDE the IP of your MAIN VPS to avoid being bombarded with unwanted traffic. In the event, you received lots of traffic on your proxy, you can just reject it on your main VPS via firewall rules/iptables.

Requirements

1. Spare VPS to configure the proxy
2. Patch your client using updated "Enable Proxy Support" patch provided by 4144's NEMO & Functor
3. DO NOT patch "Skip Service Select" since you need it to choose from the multiple connections.
4. Add multiple connection on your clientinfo.xml/sclientinfo.xml
5. Configure subnet_athena.conf to prevent sending real IP in network packets from login and char servers. (Functor)
6. (Optional) Enable "Cancel to Select Service" Patch

VPS Configuration (IMPORTANT)

Note: Again, make sure that your VPS is using CentOS7 since this was tested under the said OS and working 100%

Follow the commands provided below.

/* Port Forwarding CentOS 7 FirewallD */
// ========================================================================
// Please read the comments per line it is self-explanatory.
// Important Parameters:
// INSERT_ZONE = output of the get default zone
// INSERT_IP = is the public IP of your main VPS or server
// If you like the guide give it a thumbs up!
// ========================================================================

// This command is to get the default zone being used by your VM.
firewall-cmd --get-default-zone

// This command is to check all rules applied to your VM by the current active zone.
firewall-cmd --zone=INSERT_ZONE --list-all

// Enabling Masquerade Status (IP Forwarding). 
// This is the important configuration else below won't work
firewall-cmd --zone=INSERT_ZONE --add-masquerade --permanent

// IP/Traffic forwarding
// Make sure you have configured masquerade
firewall-cmd --zone="INSERT_ZONE" --add-forward-port=port=6900:proto=tcp:toport=6900:toaddr=INSERT_IP --permanent
firewall-cmd --zone="INSERT_ZONE" --add-forward-port=port=6121:proto=tcp:toport=6121:toaddr=INSERT_IP --permanent
firewall-cmd --zone="INSERT_ZONE" --add-forward-port=port=5121:proto=tcp:toport=5121:toaddr=INSERT_IP --permanent

// Add rules for ro-ports (assuming that you didn't change the port)
firewall-cmd --zone=INSERT_ZONE --add-port=6900/tcp --permanent
firewall-cmd --zone=INSERT_ZONE --add-port=6121/tcp --permanent
firewall-cmd --zone=INSERT_ZONE --add-port=5121/tcp --permanent

// Reload rules to take effect
firewall-cmd --reload

clientinfo.xml/sclientinfo.xml Configuration (IMPORTANT)

The example below shows how to configure multiple connections/tunnel to your VPS. (P.S. I'm not quite sure how many connection is the limit that can be defined on the xml)

<?xml version="1.0" encoding="euc-kr" ?>
<clientinfo>
	<desc>Ragnarok Online Client Information</desc>
	<servicetype>america</servicetype>
	<servertype>primary</servertype>
	<connection>
		<display>^FF0000[ SE Asia ]^000000 - Connection Tunnel</display>
		<balloon>This server is dedicated to SEA Region to possibly reduce latency.</balloon>
      		<address>INSERT_IP_HERE</address>
      		<port>6900</port>
      		<version>46</version>
      		<langtype>1</langtype>
		<registrationweb>https://rathena.org/board</registrationweb>
		<loading>
			<image>loading00.jpg</image>
			<image>loading01.jpg</image>
		</loading>
		<yellow>
			<admin>2000000</admin>
		</yellow>
   	</connection>
	<connection>
		<display>^FF0000[ US Central ]^000000 - Connection Tunnel</display>
		<balloon>This server is dedicated to US Central Region to possibly reduce latency.</balloon>
      		<address>INSERT_IP_HERE</address>
      		<port>6900</port>
      		<version>46</version>
      		<langtype>1</langtype>
		<registrationweb>https://rathena.org/board</registrationweb>
		<loading>
			<image>loading00.jpg</image>
			<image>loading01.jpg</image>
		</loading>
		<yellow>
			<admin>2000000</admin>
		</yellow>
   	</connection>
	<connection>
		<display>^FF0000[ US West ]^000000 - Connection Tunnel</display>
		<balloon>This server is dedicated to US West Region to possibly reduce latency.</balloon>
      		<address>INSERT_IP_HERE</address>
      		<port>6900</port>
      		<version>46</version>
      		<langtype>1</langtype>
		<registrationweb>https://rathena.org/board</registrationweb>
		<loading>
			<image>loading00.jpg</image>
			<image>loading01.jpg</image>
		</loading>
		<yellow>
			<admin>2000000</admin>
		</yellow>
   	</connection>
</clientinfo>

subnet_athena.conf (IMPORTANT)

Change the default value (shown below)

subnet: 255.0.0.0:127.0.0.1:127.0.0.1

TO

subnet: 0.0.0.0:127.0.0.1:127.0.0.1

As per Functor, "If you will just apply the patch of EXE - game client will not use these IPs from network packets. But players will be able to find real IP by using any network sniffer.".

That's it. If you have question, drop by a comment. ROK On!

Original Links: Ragnarok Proxy Setup (Hide your VPS IP)
Other: Setting up 2020 rAthena Server | Setting up 2020 Client - rAthena based

Edited July 13, 2020 by Foob

[Ukiram]

WHAT IS ZONE MEAN?

[LearningRO]

On 2/22/2020 at 8:50 PM, Vy Low said:

 but inorder to check that the proxy is working as intended you need to check from login > char > map, the best way to do it is try logging in to login server and check the ip connected to the login port, then proceed to char ip, then check again on the char server if proxy ip is connected to the char server port as well as the map server, this is one way to ensure that proxy is working properly, otherwise it will only read the proxy ip on the login server, but then uses players ip when connecting to char and map.

Hi, Vy low can you explain more detail about your step to check it that?

what config do you use to make scenario like this

Quote

but then uses players ip when connecting to char and map.

 

[Vy Low]

33 minutes ago, LearningRO said:

Hi, Vy low can you explain more detail about your step to check it that?

what config do you use to make scenario like this

 

use wireshark or netstat

[AngelRO]

  

On 4/30/2019 at 3:59 PM, Foob said:

subnet_athena.conf (IMPORTANT)

Change the default value (shown below)

subnet: 255.0.0.0:127.0.0.1:127.0.0.1

TO

subnet: 0.0.0.0:127.0.0.1:127.0.0.1

As per Functor, "If you will just apply the patch of EXE - game client will not use these IPs from network packets. But players will be able to find real IP by using any network sniffer.".

That's it. If you have question, drop by a comment. ROK On!

Original Links: Ragnarok Proxy Setup (Hide your VPS IP)
Other: rAthena via GCP (In a nutshell)

I cant connect to the server if the subnet is:

subnet: 0.0.0.0:127.0.0.1:127.0.0.1

The char sever doesn't respond. How can I solve this problem?

Edit: never mind. It was a problem with the hexed not being correctly patched. It's all good now. Thanks!

 

On 5/23/2019 at 3:49 PM, CrescentSaga said:

It won't solve your problem if a DDOS attack goes directly into your server,
Since you're still using the same network interface, getting that pipe saturated will prevent you from restarting/changing your server IP.
And as far as renting a server goes, changing your IP can take quite a while.

Whoever if you hide your server IP behind a proxy, let's say a Google VM or Amazon, you can instantly change your VM IP into something else and repatch your client.
This is quickly stop the attack since they are now targetting an unused IP. More-over, if you can setup multiple proxy for your server, you can set the Amazon/Google VM to instantly shutdown itself if it's under attack,
This will save you a lot of trouble from having to change your IP, and DDOS, as common as it is, cost money.

The more proxy they have to shut down to stop you, the more expensive it gets for them.
And there's always the limitation of resources your attacker has to keep DDOS-ing you, at some point, they won't be able to keep stricking you.

At a better level, you can also set load balancing for your VM.
Which will help tremendously in reducing the strain of DDOS attack on your proxy.

And as an added bonus, some provider does provide with a basic anti-ddos.
It is not as powerful, but it will stop some basic attacks.

If I setup a proxy server behind load balancers, won't they all share the same IP?

What happens if someone attacks the load balance servers? Only one of the VMs will be knocked down, right?

What's better: to maintain a few *persistent* machines serving as proxies or to setup a single load balancer?

I know that hosting a server on a DDoS protected host would be a much better option, but unfortunately I don't know any good hosting company in Brazil. I would love to use ovh and save time, money and headache, but I don't see any good alternative.

Edited April 6, 2020 by AngelRO

[rmon]

Thanks

Edited July 11, 2020 by rmon

[saggys]

already succes impelement proxy server. but when user type wrong pass, and ip proxy get ban from main server....
how to solve this problem? bcz all player cant login using proxy bcz banned

 

[shatowolf]

4 hours ago, saggys said:

already succes impelement proxy server. but when user type wrong pass, and ip proxy get ban from main server....
how to solve this problem? bcz all player cant login using proxy bcz banned

 

you can disable the

(login_athena.conf)

// Ipban features
ipban_enable: yes (set to no)

Edited July 18, 2020 by shatowolf

[saggys]

14 hours ago, shatowolf said:

you can disable the

(login_athena.conf)

// Ipban features
ipban_enable: yes (set to no)

thx man already solved yasterday

[Gouki]

Can someone please expound this further? 

what would be the value of this? thank you!

INSERT_ZONE = output of the get default zone

[Foob]

On 8/28/2020 at 2:41 AM, Almond Snicker said:

Can someone please expound this further? 

what would be the value of this? thank you!

INSERT_ZONE = output of the get default zone

The answer is in post #1. Just read it carefully.

[mazvi]

Can we show real ip user in log? Because if use proxy server. Ip on log is ip proxy.. not ip real user. How show real ip user on log?

[masterzeus]

On 5/18/2021 at 11:02 AM, Foob said:

The answer is in post #1. Just read it carefully.

ty

Edited February 15, 2022 by masterzeus