Tailscale Authentication For Minecraft



You can accomplish a lot with computers. Some of it is more productive than the rest. My blog post explains how to authenticate to Grafana. Some people saw the idea of Tailscale being used to authenticate to any service as an interesting fact. Others saw it as an opportunity to study new ways to use Tailscale authentication. This is the story of one of those cases. This is how you make your Minecraft server join your tailnet and authenticate to it using Tailscale.

One of the most important questions you could be asking is "Why would you do this?" I would like to respond with a different question: "Why not?" A great man has stated, "Science isn't about 'why?', it's about 'why not?'" We take this philosophy seriously at Tailscale.

Connecting your Minecraft server into your tailnet using Tailscale for authentication offers these advantages:

- You can lock down your Minecraft server to only your tailnet, so only those who are trusted can access it. If you want everyone except a known griefer to be able to connect to your server, you can make use of ACLs.
- You can attribute Minecraft users to Tailscale users, allowing you to keep more accurate track of who is on the server.
- You do not have to modify your Minecraft server with Forge, Bukkit, Paper or Spigot mods. This lets you use an entirely vanilla server with minimal configuration.
- You can use Node Sharing to add your friends, compatriots in blood, and even squadmates to your Minecraft server without having to reveal it to the internet's frightful glare. You can also share it with your less terrifying friends who are already on your tailnet. The Minecraft server will appear on your tailnet just like any other computer.

There are also a lot of drawbacks to this product:

- It is not compatible with the Bedrock version of Minecraft (the one that runs on phones, tablets, and consoles). If you're unsure which version of Minecraft you have, look here to find out how you can distinguish between the two.
- You have to disable the Minecraft server's authentication stack. If your server is listening on the internet, this allows anyone to join it, which is exactly what we don't want.
  - You may be able to circumvent this using server-side mods, but those are out of the scope of this article since we are focused on using unmodified Minecraft clients and servers.

To get around this, use a different email address.

This is done by creating an authentication proxy similar to the one for Grafana. The proxy listens on your tailnet and forwards traffic to the Minecraft server with one significant exception. At the start of a Minecraft session, the client sends the server a packet containing the username of the user trying to log in.

Normally, the server reads the contents of that packet and verifies it against Mojang's authentication servers to ensure that you are actually registered as that username in your Minecraft launcher. Based on the result, the server either accepts or denies the connection. Instead of relying on Mojang for authentication, we use Tailscale. The proxy looks up the Tailscale identity information for that Minecraft session and replaces the Minecraft username the client gave with the user's information from Tailscale. If we also used Mojang for authentication, Mojang's authentication servers would have no idea what to do with this, so we bypass them using offline mode in Minecraft, which doesn't require any authentication.

After the authentication process, the proxy will forward Minecraft traffic as a normal proxy. You can then mine and create the content you want with those you trust. You will be able to talk to your colleagues and make amazing things together.
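The username swap described above, as an added example that is not code from this post or from the patched infrared. It assumes the Login Start frame layout in which the name is the first field after packet id 0x00, and the `identity` argument is a hypothetical stand-in for whatever name the proxy derives from the Tailscale lookup.

```go
package main

import (
	"errors"
	"fmt"
)

// readVarInt decodes a Minecraft VarInt (7 data bits per byte, max 5 bytes).
func readVarInt(b []byte) (int, []byte, error) {
	val := 0
	for i := 0; i < len(b) && i < 5; i++ {
		val |= int(b[i]&0x7f) << (7 * i)
		if b[i]&0x80 == 0 {
			return val, b[i+1:], nil
		}
	}
	return 0, nil, errors.New("truncated or oversized VarInt")
}

func appendVarInt(b []byte, v int) []byte {
	for ; v >= 0x80; v >>= 7 {
		b = append(b, byte(v)|0x80)
	}
	return append(b, byte(v))
}

// rewriteLoginStart replaces the client-chosen name in a framed Login Start
// packet (length, id 0x00, name, optional trailing fields) with identity.
func rewriteLoginStart(pkt []byte, identity string) ([]byte, string, error) {
	if identity == "" || len(identity) > 16 { // fail closed: never pass the claim through
		return nil, "", errors.New("no usable Tailscale identity")
	}
	plen, body, err := readVarInt(pkt)
	if err != nil || plen != len(body) || plen == 0 || body[0] != 0x00 {
		return nil, "", errors.New("malformed Login Start frame")
	}
	slen, rest, err := readVarInt(body[1:])
	if err != nil || slen < 0 || slen > len(rest) {
		return nil, "", errors.New("malformed name field")
	}
	nb := append(appendVarInt([]byte{0x00}, len(identity)), identity...)
	nb = append(nb, rest[slen:]...) // keep any fields that follow the name
	return append(appendVarInt(nil, len(nb)), nb...), string(rest[:slen]), nil
}

func main() {
	// Constructed sample: the client claims "Notch"; "alice" is a hypothetical derived name.
	out, claimed, err := rewriteLoginStart(append([]byte{7, 0, 5}, "Notch"...), "alice")
	fmt.Printf("claimed %q, forwarded % x, err=%v\n", claimed, out, err)
}
```

The claimed name is returned separately so the proxy can log it next to the Tailscale identity that replaced it.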

Setup

If you want to make this available on your tailnet, you'll have to use the patched version of the proxy infrared. Infrared is normally used to host huge Minecraft servers that can scale up to thousands of players at a time; however, it's also general enough that it can be used in front of a basic vanilla Minecraft server.

Set up everything the same way you normally would with infrared. However, make sure to set the environment variable TS_AUTHKEY to the latest authkey. If you tag the key, your Minecraft server's node key will never expire, which means it stays connected to your tailnet and lets you craft and mine for the rest of your life!

One thing to remember is that infrared will want you to connect using the full domain name of the Minecraft server. It is very picky about this. We will use the MagicDNS domain that every tailnet receives for free. Assuming your Minecraft server is on port 25565, copy the following into configs/tailscale.json:

You can find this domain by going to the DNS settings page and looking for the domain that ends in .beta.tailscale.net; it should be your account's domain followed by .beta.tailscale.net. Add minecraft-proxy. to it to get your full domain name.

Make sure that you set server-ip to 127.0.0.1 and server-port to 25565 in your server.properties file so that the server is not listening on the internet for public access.
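A check for the lockdown described above, as an added example that is not part of the original post or of infrared. It reads a server.properties file and flags offline mode combined with a non-loopback bind; the sample files are constructed, and the defaults used for missing keys are the vanilla ones (online-mode on, server-ip empty meaning all interfaces).

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// auditProps returns findings for a server.properties file used behind the proxy.
func auditProps(text string) []string {
	// Vanilla defaults when a key is absent: authentication on, bind to all interfaces.
	p := map[string]string{"online-mode": "true", "server-ip": "", "server-port": "25565"}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			p[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	var findings []string
	ip := net.ParseIP(p["server-ip"])
	if p["online-mode"] != "false" {
		findings = append(findings, "online-mode is on: names rewritten by the proxy will fail Mojang verification")
	} else if ip == nil || !ip.IsLoopback() {
		findings = append(findings, fmt.Sprintf(
			"offline mode with server-ip=%q: anyone who can reach the port can join under any name", p["server-ip"]))
	}
	if p["server-port"] != "25565" {
		findings = append(findings, "server-port is not 25565, the port this setup assumes")
	}
	return findings
}

func main() {
	// Constructed samples: authentication disabled but bound to every interface,
	// then the same file with the settings from the text above.
	weak := "online-mode=false\nserver-port=25565\n"
	fixed := "online-mode=false\nserver-ip=127.0.0.1\nserver-port=25565\n"
	fmt.Println("weak: ", auditProps(weak))
	fmt.Println("fixed:", auditProps(fixed))
}
```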

We can be reached on Twitter @Tailscale in case you have any other ideas or inventive ways to make use of computers.

TJ Horner was a key player in the development of this amazing creation. I hope this article was informative.
