SafeNET
  • Overview
  • Basic
    • Setup
    • Address whitelist
  • FAQ
    • Known issues
    • Is GeyserMC supported?
    • Passphrases
    • I have trouble connecting to the server.
    • What's the difference between SafeNET and BungeeGuard?
Powered by GitBook
On this page
  • Installation
  • Setup for BungeeCord-like proxies
  • IP forwarding
  • Passphrase
  • Setup for Velocity
  • Forwarding
  • Passphrase
  1. Basic

Setup

Setup instructions for the plugin.

PreviousOverviewNextAddress whitelist

Last updated 3 months ago

Installation

Download the latest version of the plugin from or . Install SafeNET on all your servers (proxy - BungeeCord/Waterfall/FlameCord..., backend - Bukkit/Spigot/Paper/Purpur...).

On your proxy: If you are running Velocity, do not put SafeNET there (but install it on all your backend servers) and continue with steps .

On your backend: If you are not running Paper (meaning native Bukkit/Spigot) servers, also install on all your backend servers. If you, for some reason, need to use other ProtocolLib releases, use SafeNET 3.9 (ProtocolLib 5.0.0-5.2.0) or SafeNET 3.8-LEGACY (previous ProtocolLib versions), all downloadable from .

Ensure the plugin's installed on all servers according to the information above, you are vulnerable to attacks otherwise!

Setup for BungeeCord-like proxies

This covers setup for generic (BungeeCord-like) proxy server implementations. For Velocity setup, see the steps below this section.

IP forwarding

For the plugin to function properly, please enable ip_forward at BungeeCord, if not already done so.

Passphrase

You need to generate a new passphrase (password; secret) which you will use for your network.

Open the console on the proxy server (if you have more proxies, do that only on one of them) and type /sn generate which will generate a passphrase of the default length - 1000 (you can specify a custom length to override it).

Passphrase guidelines:

  • Passphrases shorter than 50 characters are considered weak. If using such passphrase, the plugin will display a warning each time the server starts.

  • Never share it with anyone else.

  • Regenerate it once in a while, just in case.

  • Use the built-in generator or any other cryptographically secure string generator you trust.

After that's done, you should get a message informing you that the passphrase has been successfully generated. You can find the generated phrase in the config.yml (on the server where the command was used) under passphrase.

Copy the passphrase into all other SafeNET's configuration files under passphrase - on other proxy servers and on all the backend servers.

Setup for Velocity

Forwarding

Passphrase

Set the player-info-forwarding setting inside velocity.toml to bungeeguard and copy the contents of forwarding.secret to SafeNET's configuration files under passphrase.

Then, change property-name.handshake to bungeeguard-token (also in all SafeNET's configuration files). Finally, reload the plugin on all servers with /sn reload.

You may need to generate a new passphrase (password; secret) which you will use for your network. Use any generator you trust to generate a cryptographically secure string consisting ideally of only ASCII characters (recommended length: 1000 chars).

Unless configured properly, the plugin won't let anybody join.

Reload the plugin on all servers with /sn reload. (including ) is supported and does require any additional configuration.

If you are using modern Velocity , you do not need SafeNET. If you, however, need to use legacy mode, you can use SafeNET or .

Consult the official .

GeyserMC
Floodgate
forwarding
BungeeGuard
Velocity documentation about data forwarding
SpigotMC
GitHub
ProtocolLib 5.3.0 or newer
GitHub
below