Garden / ◐ budding

The cloud box is a bouncer, not a server

planted July 2, 2026 · last tended July 2, 2026 · networking, security, homelab

I wanted friends to reach a Minecraft server that lives on my LAN. The usual answers are all some flavor of bad: port-forward and publish my home IP to everyone who runs a scanner; rent a VPS big enough to run the modpack itself (8 GB of JVM heap is real money); or hand the traffic to a third-party tunnel service and hope they stay in business and out of my packets.

The pattern I landed on instead: the cheap cloud box doesn’t run the game at all. It’s a bouncer. Players connect to play.briggsbastian.com on the Linode, nftables DNATs the flow down a WireGuard tunnel, and the actual server runs at home on the box with the RAM. The part that makes it work behind NAT is the direction of the handshake — the home side dials out and keeps the tunnel alive with keepalives, so nothing ever needs to reach in. No inbound rule on the home firewall, the home IP never appears in DNS, and every drive-by scan on the internet lands on a $5 box that runs nothing but a kernel and a tunnel. WireGuard won’t even answer a probe without a valid peer key, so the one open UDP port leaks nothing.
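What the two ends look like as NixOS configuration, written here as an added example rather than the two Nix files the post mentions. Everything concrete is assumed: the 10.100.0.0/24 tunnel subnet, the 203.0.113.10 placeholder address for the Linode, eth0 as its public interface, the key file paths, the placeholder public keys, and the vanilla services.minecraft-server module standing in for whatever runs the modpack.

```nix
# flake.nix: both ends of the bouncer as NixOS systems (added example, assumed values).
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
  outputs = { self, nixpkgs }:
    let
      # Assumed: tunnel subnet, ports, interface names, key paths, placeholder keys.
      tunnelCloud   = "10.100.0.1";
      tunnelHome    = "10.100.0.2";
      cloudPublicIp = "203.0.113.10";      # placeholder (TEST-NET-3), not a real host
      wanIf         = "eth0";               # the cloud box's public interface
      wgPort        = 51820;
      mcPort        = 25565;
      cloudPubKey   = "CLOUD_PUBLIC_KEY";   # output of `wg pubkey`, filled in by hand
      homePubKey    = "HOME_PUBLIC_KEY";
    in {
      # The cheap box: kernel, tunnel, two NAT rules. Nothing else listens.
      nixosConfigurations.bouncer = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ ({ ... }: {
          boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
          networking.wireguard.interfaces.wg0 = {
            ips = [ "${tunnelCloud}/24" ];
            listenPort = wgPort;                 # the one open UDP port
            privateKeyFile = "/run/keys/wg-cloud.key";
            peers = [{
              publicKey = homePubKey;
              allowedIPs = [ "${tunnelHome}/32" ];
              # No endpoint here: the home side dials in, and WireGuard learns its
              # address from whichever NAT mapping the last handshake arrived through.
            }];
          };
          # Replace the NixOS firewall with an explicit ruleset.
          networking.firewall.enable = false;
          networking.nftables = {
            enable = true;
            ruleset = ''
              table inet filter {
                chain input {
                  type filter hook input priority filter; policy drop;
                  iifname "lo" accept
                  ct state established,related accept
                  udp dport ${toString wgPort} accept
                  iifname "${wanIf}" tcp dport 22 accept   # assumed: management SSH
                }
                chain forward {
                  type filter hook forward priority filter; policy drop;
                  ct state established,related accept
                  # Only the DNATed game flow may cross from the WAN into the tunnel.
                  iifname "${wanIf}" oifname "wg0" ip daddr ${tunnelHome} tcp dport ${toString mcPort} accept
                }
              }
              table ip nat {
                chain prerouting {
                  type nat hook prerouting priority dstnat;
                  iifname "${wanIf}" tcp dport ${toString mcPort} dnat to ${tunnelHome}:${toString mcPort}
                }
                chain postrouting {
                  type nat hook postrouting priority srcnat;
                  # Rewrite the source to the tunnel address so the home box answers
                  # back down wg0 instead of out its own default route.
                  oifname "wg0" masquerade
                }
              }
            '';
          };
        }) ];
      };
      # The box with the RAM: dials out, keeps the mapping alive, and exposes the
      # game only on the tunnel interface. The home router needs no inbound rule.
      nixosConfigurations.home = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ ({ ... }: {
          networking.wireguard.interfaces.wg0 = {
            ips = [ "${tunnelHome}/24" ];
            privateKeyFile = "/run/keys/wg-home.key";
            # No listenPort: this end never needs to accept an unsolicited handshake.
            peers = [{
              publicKey = cloudPubKey;
              endpoint = "${cloudPublicIp}:${toString wgPort}";
              allowedIPs = [ "${tunnelCloud}/32" ];  # masqueraded player traffic has this source
              persistentKeepalive = 25;               # seconds; holds the NAT pinhole open
            }];
          };
          networking.firewall.interfaces.wg0.allowedTCPPorts = [ mcPort ];
          # Vanilla module stands in for the modpack server; reachable via wg0 only.
          services.minecraft-server = {
            enable = true;
            eula = true;
            openFirewall = false;
            jvmOpts = "-Xms2G -Xmx8G";
            serverProperties.server-port = mcPort;
          };
        }) ];
      };
    };
}
```

Two things are worth checking after both rebuilds. On the bouncer, `wg show wg0 latest-handshakes` should show a recent handshake from the home peer even though the bouncer never initiated one; that is the keepalive doing its job through the home NAT. And the masquerade is not a convenience: the home peer's allowedIPs only covers the tunnel address, so a player's real source address would fail WireGuard's cryptokey routing check on the way in, and any reply would leave via the home router rather than the tunnel. The same rule is what makes every connection in the server log appear to come from 10.100.0.1.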

What it costs, honestly. The masquerade on the cloud side is not optional: without it the home box would see the player's public address and send its replies out through its own default route instead of back down the tunnel. The consequence is that every player arrives at the server wearing the tunnel's address, so IP bans and IP allowlists are meaningless, and username-level moderation is the only lever left. And the bounce adds latency: I measured it, and players pay roughly 10–25 ms over connecting directly. For a modded co-op server that’s nothing; for a twitch shooter it might not be.

The part I keep chewing on: this took two small Nix files and a terraform apply — the cloud box had actually been torn down for weeks, and it came back because it was code. Now that the pattern exists, it wants to become the front door for everything else I self-host, and I’m not sure where that ends. Follow it far enough and I’ve built myself a tiny, worse Cloudflare, one DNAT rule at a time. The site-to-site mesh from the original plan is still the more general answer; this tunnel is a single-purpose special case that shipped first because it had a deadline shaped like a friend asking “can we play tonight?”

A budding note, taking form, still being tended.