Sunday, February 2, 2025

Palworld Dedicated Server behind CGNAT.

You want to run a Palworld dedicated server from your home PC, but the machine is behind a NAT or you cannot set up port forwarding for some other reason. You also have an Oracle Cloud Infrastructure VPS (Virtual Machine) with a public IP address. By creating a secure WireGuard tunnel from your home server to the VPS and forwarding your game’s port, external players can connect to the Palworld server at your VPS’s IP, even though the actual game instance is running behind your home NAT.

Prerequisites

  1. Oracle Cloud account: You need a running Ubuntu/Debian (or any Linux distro) instance on OCI with a public IP.
  2. Home server (where Palworld runs): A Linux machine capable of installing WireGuard, with sudo privileges.
  3. Basic Linux command-line knowledge: You’ll edit config files, run iptables/ufw commands, etc.
  4. Palworld dedicated server installed or ready to run on your home PC.

Note: Even if your ISP uses NAT or you cannot port-forward on your home router, the WireGuard “client → server” approach typically works as long as you can initiate outbound UDP traffic.


Why Use WireGuard?

WireGuard is a modern, lightweight VPN solution known for:

  • High Performance: Minimal overhead and near-native network speeds.
  • Strong Security: Uses state-of-the-art cryptography.
  • Simplicity: Config files are relatively straightforward, and it “just works” once set up.

By leveraging WireGuard, you create a secure tunnel from your home server to the Oracle Cloud instance. You then forward traffic from the VPS’s public IP and port directly to your home machine. No more complicated NAT hairpin or running multiple tunnels.


Oracle Cloud Infrastructure Setup

Before diving into WireGuard, ensure your OCI instance has:

  1. A Public IP: Confirm in the OCI Console → Instances → Attached VNIC that you have a public IP (e.g., 144.24.xxx.xxx).
  2. A Properly Configured Virtual Cloud Network (VCN):
    • An Internet Gateway attached if you’re using a public subnet.
    • A Security List or Network Security Group that allows UDP/51820 (the default WireGuard port) and eventually TCP/UDP for your Palworld server’s port (e.g., 8211).
  3. Outbound internet access: Confirm the instance can reach the internet (test that ping 8.8.8.8 or apt update works).

Installing and Configuring WireGuard

Below is a step-by-step process for installing WireGuard on both your OCI VPS and your home server.

1. Generate WireGuard Keys

On each machine, you’ll create a private/public key pair. Keep private keys secret.

VPS

sudo apt update
sudo apt install wireguard -y

# Generate keys (on the VPS)
# umask 077 makes the key files readable only by the current user
umask 077
wg genkey | tee vps_private.key | wg pubkey > vps_public.key

# Show them if you need to copy somewhere
cat vps_private.key
cat vps_public.key

Home Server

sudo apt update
sudo apt install wireguard -y

# Generate keys (on the Home Server)
# umask 077 makes the key files readable only by the current user
umask 077
wg genkey | tee home_private.key | wg pubkey > home_public.key

cat home_private.key
cat home_public.key

Important: Store private keys securely. Use public keys in the [Peer] configuration blocks.


2. Configure the VPS (Server)

We’ll make the VPS the “server” side. Create /etc/wireguard/wg0.conf (or whichever interface name you prefer, e.g. wg1.conf).

[Interface]
# VPS Private Key
PrivateKey = <contents_of_vps_private.key>
Address = 10.8.0.1/24
ListenPort = 51820

# Optional iptables rules for forwarding
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
# Home Server's Public Key
PublicKey = <contents_of_home_public.key>
AllowedIPs = 10.8.0.2/32

Enable IP Forwarding on the VPS

In /etc/sysctl.conf or /etc/sysctl.d/99-sysctl.conf, ensure:

net.ipv4.ip_forward=1

Apply it:

sudo sysctl -p

Start WireGuard

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

3. Configure the Home Machine (Client)

Create /etc/wireguard/wg0.conf on your home server:

[Interface]
# Home Private Key
PrivateKey = <contents_of_home_private.key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <contents_of_vps_public.key>
Endpoint = <VPS_Public_IP>:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25

Notes:

  • Endpoint should be your OCI VPS public IP, e.g. 144.24.140.92:51820.
  • AllowedIPs = 10.8.0.0/24 ensures your home machine routes traffic for 10.8.0.x across the tunnel.
  • PersistentKeepalive = 25 helps keep NAT mappings open on your home router if you’re behind CGNAT.

Start WireGuard on the home server:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Firewall & Networking Considerations

Oracle Cloud Security Rules

  • In VCN Security Lists or Network Security Groups, allow UDP/51820 inbound from 0.0.0.0/0.
  • By default, egress is often unrestricted, but confirm you can send traffic back out.

VPS Firewall (UFW or iptables)

If you’re using UFW on Ubuntu:

sudo ufw allow 51820/udp
sudo ufw status

If using iptables directly:

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
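# iptables-save alone only prints the rules; write them to the persistent rules file
sudo iptables-save | sudo tee /etc/iptables/rules.v4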

Home Router

Since your home server is the “client” side, you typically do not need to forward port 51820. The home server’s outbound UDP traffic to the VPS is allowed by default in most NAT setups.


Testing the VPN Tunnel

Once WireGuard is up on both sides:

  1. On the home machine:
     ping 10.8.0.1
     You should receive replies from the VPS’s WireGuard interface.
  2. On the VPS:
     ping 10.8.0.2
     You should receive replies from the home server’s WireGuard interface.
  3. Check “wg show”:
     sudo wg show
     You should see a [Peer] section with a recent “latest handshake” time and nonzero transfer stats.

If pings succeed, your basic WireGuard VPN is operational.
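
The handshake check from step 3 can be scripted. The following is an added example, not part of the original post: it reads the tab-separated output of wg show wg0 dump and classifies each peer by handshake age. The sample dump, the placeholder keys, the 10.8.0.3 peer and the 180-second threshold are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: classify WireGuard peers by handshake age.
# Input format: `wg show wg0 dump` (tab-separated). Line 1 is the interface and
# includes its private key, so never paste real dump output into chat or tickets.

# Constructed sample data; keys are placeholders, 10.8.0.3 is a hypothetical peer.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' \
    'VPS_PRIVATE_KEY_PLACEHOLDER' 'VPS_PUBLIC_KEY_PLACEHOLDER' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'HOME_PUBLIC_KEY_PLACEHOLDER' '(none)' '203.0.113.7:41234' '10.8.0.2/32' \
    1738500000 184320 92160 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'OTHER_PUBLIC_KEY_PLACEHOLDER' '(none)' '(none)' '10.8.0.3/32' 0 0 0 off
}

# tunnel_report NOW MAX_AGE   (dump on stdin)
# Prints "<allowed-ips> <state> <age-seconds>" per peer, state = ok|stale|never.
# Exit status is 1 if any peer is not "ok", so it can drive a cron alert.
tunnel_report() {
  awk -F'\t' -v now="$1" -v max="$2" '
    NR == 1 { next }                    # skip the interface line
    $5 == 0 { printf "%s never -\n", $4; bad = 1; next }
    {
      age = now - $5
      state = (age > max) ? "stale" : "ok"
      if (state != "ok") bad = 1
      printf "%s %s %d\n", $4, state, age
    }
    END { exit bad + 0 }'
}

# Live use on the VPS (threshold is an assumption; peers with
# PersistentKeepalive = 25 normally re-handshake about every two minutes):
#   sudo wg show wg0 dump | tunnel_report "$(date +%s)" 180
```

A "never" or "stale" result for 10.8.0.2 means the forwarded game port will go nowhere, whatever the NAT rules say.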


Hosting Palworld: Setting Up Port Forwarding

With a working WireGuard tunnel, the next step is to let external players reach your home machine by connecting to 144.24.140.92:8211 (or whichever port Palworld listens on).

1. Know Which Port Palworld Uses

For demonstration, let’s say your Palworld dedicated server runs on port 8211. Check official Palworld docs or your server’s config to confirm if it uses UDP or TCP (or both). Many modern game servers rely on UDP, so we’ll assume UDP is required.

2. Add DNAT and MASQUERADE on the VPS

On the VPS, enable port forwarding:

# Enable IP forwarding (already done, but just in case):
sudo sysctl -w net.ipv4.ip_forward=1

# Forward inbound traffic from public IP:8211 to home server's WG IP:8211
sudo iptables -t nat -A PREROUTING -p udp --dport 8211 -j DNAT --to-destination 10.8.0.2:8211
# If TCP is needed, repeat for -p tcp

# Masquerade the traffic so that replies go back through the VPS:
sudo iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 8211 -j MASQUERADE
# Repeat for TCP if needed

# Save changes (Debian/Ubuntu):
sudo netfilter-persistent save
# or
sudo iptables-save | sudo tee /etc/iptables/rules.v4

3. Open Port 8211 on the VPS Firewall & OCI

  • OCI Security Lists: Add an Ingress rule for UDP/8211 from 0.0.0.0/0.
  • UFW on VPS:
    sudo ufw allow 8211/udp
  • iptables on VPS:
    sudo iptables -A INPUT -p udp --dport 8211 -j ACCEPT
    sudo iptables-save | sudo tee /etc/iptables/rules.v4

Verifying External Access to Your Palworld Server

  1. Run your Palworld server on the home machine. Ensure it’s listening on port 8211 (or your chosen port).
  2. From an external location (or a friend’s PC), attempt to connect to 144.24.140.92:8211.
  3. You can also do a simple netcat test if Palworld is UDP-based:
     nc -u 144.24.140.92 8211
     Check your server logs to see if the connection attempt shows up.

If the connection goes through, you’ve successfully forwarded public traffic through your WireGuard tunnel to your home server!


Common Troubleshooting Tips

  1. Handshake Fails:
    • Double-check AllowedIPs in both configs.
    • Make sure your Oracle Cloud instance actually has a public IP and that you opened UDP/51820 inbound.
  2. Pings Work but Game Port Doesn’t:
    • Ensure the correct game port (UDP vs TCP) is forwarded.
    • Make sure you have an Ingress Rule for the game port in OCI’s security list.
    • Confirm your home server’s firewall allows the port (e.g., sudo ufw allow 8211/udp).
  3. Still No External Connectivity:
    • Check iptables -t nat -L -n -v to confirm NAT rules are in place.
    • Verify you used the correct port in the iptables MASQUERADE and DNAT rules on the VPS.
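
The NAT checks in items 2 and 3 can be automated. The following is an added example, not part of the original post: it scans iptables-save output for the DNAT, MASQUERADE and FORWARD rules this guide sets up and reports which are missing for a given protocol and port. The sample ruleset and the function names are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit `iptables-save` output for the rules this guide relies on.

# Constructed sample of `sudo iptables-save` on the VPS: UDP is forwarded, TCP is not.
sample_rules() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 8211 -j DNAT --to-destination 10.8.0.2:8211
-A POSTROUTING -o wg0 -p udp -m udp --dport 8211 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
COMMIT
EOF
}

# check_game_forward PROTO PORT DEST_IP [WG_IFACE]   (iptables-save text on stdin)
# Prints one "MISSING ..." line per absent rule; returns 1 if anything is missing.
check_game_forward() {
  proto=$1 port=$2 dest=$3 iface=${4:-wg0}
  rules=$(cat)
  missing=0
  need() {  # need LABEL REGEX
    if ! printf '%s\n' "$rules" | grep -Eq -- "$2"; then
      echo "MISSING $1"
      missing=1
    fi
  }
  need "DNAT $proto/$port to $dest" \
    "^-A PREROUTING .*-p $proto .*--dport $port .*-j DNAT --to-destination $dest:$port\$"
  need "MASQUERADE $proto/$port out $iface" \
    "^-A POSTROUTING .*-o $iface .*-p $proto .*--dport $port .*-j MASQUERADE"
  need "FORWARD accept out $iface" "^-A FORWARD .*-o $iface .*-j ACCEPT"
  return "$missing"
}

# Live use on the VPS:
#   sudo iptables-save | check_game_forward udp 8211 10.8.0.2
```

Run it once per protocol the game needs; on the sample ruleset the tcp check reports the DNAT and MASQUERADE rules as missing while the udp check passes.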

FAQ & Best Practices

  1. Can I route all traffic from home through the VPS?
    • Yes. In the home [Peer] config, set AllowedIPs = 0.0.0.0/0. But be mindful this will route all your home server’s traffic over the VPN.
  2. What if my ISP blocks UDP?
    • Try a different UDP port or consider a solution like TCP tunneling. Some ISPs block certain ports by default.
  3. Do I need to open port 51820 on my home router?
    • Not usually, because your home server is the client initiating the tunnel. Only the server side (VPS) needs to open 51820.
  4. Is WireGuard secure enough to expose my home server?
    • Yes. WireGuard uses modern, robust encryption. Just keep your private keys secret.
  5. What about dynamic IP at home?
    • That doesn’t matter for the home side if it’s the client. The VPN is initiated outbound.

Conclusion

You’ve successfully set up a WireGuard VPN between an Oracle Cloud VPS and your home PC hosting a Palworld dedicated server. By using iptables DNAT and MASQUERADE on the VPS, you’ve effectively exposed port 8211 on the VPS’s public IP to forward traffic securely into your home. This solution bypasses complicated NAT restrictions and centralizes your server’s public address on a stable cloud instance.

Key Takeaways

  • WireGuard is a lightweight, powerful VPN that lets you seamlessly tunnel traffic from a public VPS to a home NATed server.
  • Oracle Cloud requires specific security list rules and a valid public IP to allow inbound UDP ports.
  • iptables DNAT and MASQUERADE transform your VPS into a “reverse proxy” or “forwarder,” ensuring game traffic routes directly to your home PC.

With your Palworld server now available at 144.24.140.92:8211, players can join from anywhere without the hassles of direct router port-forwarding on your home network. Enjoy your newly minted home-based game server with the ease of a cloud-based public IP!

Pro Tip: Keep your WireGuard configuration files safe, regularly update your system, and monitor your VPS firewall rules. With this setup, you can also host other services behind the same NAT by forwarding additional ports through the VPN tunnel.

If you really need one and don’t own a VPS, contact us and we will assign an IP:PORT for your private Palworld server.
