Setup

Setup instructions for the plugin.

Installation

Download the latest version of the plugin from SpigotMC or GitHub. Install SafeNET on all your servers (proxy - BungeeCord/Waterfall/FlameCord..., backend - Bukkit/Spigot/Paper/Purpur...).

On your proxy: If you are running Velocity, do not put SafeNET there (but install it on all your backend servers) and continue with steps below.

On your backend: If you are not running Paper (meaning native Bukkit/Spigot) servers, also install ProtocolLib 5.3.0 or newer on all your backend servers. If you, for some reason, need to use other ProtocolLib releases, use SafeNET 3.9 (ProtocolLib 5.0.0-5.2.0) or SafeNET 3.8-LEGACY (previous ProtocolLib versions), all downloadable from GitHub.

Ensure the plugin's installed on all servers according to the information above, you are vulnerable to attacks otherwise!

Setup for BungeeCord-like proxies

This covers setup for generic (BungeeCord-like) proxy server implementations. For Velocity setup, see the steps below this section.

IP forwarding

For the plugin to function properly, please enable ip_forward at BungeeCord, if not already done so.

Passphrase

You need to generate a new passphrase (password; secret) which you will use for your network.

Open the console on the proxy server (if you have more proxies, do that only on one of them) and type /sn generate which will generate a passphrase of the default length - 1000 (you can specify a custom length to override it).

Passphrase guidelines:

• Passphrases shorter than 50 characters are considered weak. If using such passphrase, the plugin will display a warning each time the server starts.

• Never share it with anyone else.

• Regenerate it once in a while, just in case.

• Use the built-in generator or any other cryptographically secure string generator you trust.

After that's done, you should get a message informing you that the passphrase has been successfully generated. You can find the generated phrase in the config.yml (on the server where the command was used) under passphrase.

Copy the passphrase into all other SafeNET's configuration files under passphrase - on other proxy servers and on all the backend servers.

Reload the plugin on all servers with /sn reload. GeyserMC (including Floodgate) is supported and does require any additional configuration.

Setup for Velocity

Forwarding

If you are using modern Velocity forwarding, you do not need SafeNET. If you, however, need to use legacy mode, you can use SafeNET or BungeeGuard.

Passphrase

Set the player-info-forwarding setting inside velocity.toml to bungeeguard and copy the contents of forwarding.secret to SafeNET's configuration files under passphrase.

Then, change property-name.handshake to bungeeguard-token (also in all SafeNET's configuration files). Finally, reload the plugin on all servers with /sn reload.

You may need to generate a new passphrase (password; secret) which you will use for your network. Use any generator you trust to generate a cryptographically secure string consisting ideally of only ASCII characters (recommended length: 1000 chars).

Consult the official Velocity documentation about data forwarding.

Unless configured properly, the plugin won't let anybody join.