
Connection to backend cannot be established when firewall is up. Need help setting up Nginx to allow UDP


I'm building a multiplayer game using Geckos.io which runs on UDP.

I have deployed the server on an Ubuntu droplet from DigitalOcean. I have set up and configured nginx and added TLS using certbot. Everything seems to be working fine until I enable the firewall.

OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)   

I'm sharing a deployment instruction found in the Readme of the geckos framework.

You have to make sure you deploy it to a server which forwards all traffic on ports 9208/tcp (or another port you define) and 0-65535/udp to your application.

Port 9208/tcp (or another port you define) is used for the peer signaling. The peer connection itself will be on a random port between 0-65535/udp.

Here's the nginx config for the game backend server (actual domain name changed to my_domain)

server {
    server_name my_domain;

    location / {
        proxy_pass http://localhost:3000;  #port should be same as the one the app is listening on
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my_domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my_domain/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = my_domain) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name my_domain;
    return 404; # managed by Certbot

}

The peer connection itself will be on a random port between 0-65535/udp. I don't know how to forward all the UDP ports needed by the framework. Should I enable the ports on the firewall? If so, how? What changes should I make to nginx to make it work?


Solution

  • Previously I tried to open the firewall using UFW

    sudo ufw allow 0:65535/udp
    

    This always resulted in a "Bad port" error. Upon further study, I found out that we can't use port 0, as it is considered a virtual port. Hence changing the command to the following solved the issue for me.

    sudo ufw allow 1025:65535/udp
    

    It is not safe to use ports ranging from 0-1023, as they are intended for system use. Hence I updated the answer to allow ports from 1025:65535.
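The following shell script is an added example and is not part of the question or the answer above. It builds the ufw rule set such a Geckos.io host needs and rejects exactly the kind of range that produced the "Bad port" error (port 0, a high end above 65535, or low greater than high) before anything is applied. The port range 1025:65535 and the signaling port 3000 are taken from the answer and the nginx config above; nothing else is assumed about the application.

```bash
#!/usr/bin/env bash
# Added example, not from the original question or answer: generate and
# sanity-check the ufw rules a Geckos.io host needs before applying them.
# ufw only accepts ports 1-65535 and a range must be written low:high, which
# is why "ufw allow 0:65535/udp" fails with "Bad port". Nothing here touches
# the firewall; the commands are printed so they can be reviewed first.

# udp_rule LOW HIGH -> prints "ufw allow LOW:HIGH/udp" on stdout and returns
# 0, or prints a reason on stderr and returns 1 when ufw would reject it.
udp_rule() {
  local lo="$1" hi="$2" p
  for p in "$lo" "$hi"; do
    case "$p" in
      ''|*[!0-9]*) echo "udp_rule: port '$p' is not a number" >&2; return 1 ;;
    esac
  done
  if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
    echo "udp_rule: bad range $lo:$hi (ufw needs 1 <= low <= high <= 65535)" >&2
    return 1
  fi
  if [ "$lo" -eq "$hi" ]; then
    echo "ufw allow $lo/udp"        # single port, no range syntax
  else
    echo "ufw allow $lo:$hi/udp"
  fi
}

# geckos_plan LOW HIGH -> the full rule set in the order it should be applied:
# SSH first so enabling the firewall cannot lock you out, the nginx profile
# for the TLS front end on 80/443, then the UDP range for the WebRTC peer
# connections. The signaling port behind nginx (3000 in the config above) is
# reached only through the proxy and is deliberately not opened.
geckos_plan() {
  local rule
  rule=$(udp_rule "$1" "$2") || return 1
  printf '%s\n' \
    "ufw allow OpenSSH" \
    "ufw allow 'Nginx Full'" \
    "$rule" \
    "ufw enable" \
    "ufw status numbered"
}

# Example run with the range from the answer above.
geckos_plan 1025 65535
```

Two checks worth doing before running the printed commands: nginx needs no change for the UDP side, because its HTTP proxy only carries the signaling traffic and the WebRTC peer connection goes straight to the node process on the host, so `ss -lunp` will show which UDP port that process actually bound; and since 1025:65535/udp exposes every other UDP listener above 1024 on the droplet as well, review that same `ss -lunp` output and narrow the range if the application lets you fix the ports it uses.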