Velocity icon indicating copy to clipboard operation
Velocity copied to clipboard
verified publisher icon PaperMC

prevent-client-proxy-connections blocks all connections from private IPs

Open MatthewCash opened this issue 1 year ago • 3 comments

Expected Behavior

The point of prevent-client-proxy-connections is to prevent connections where the client's IP address from the proxy's perspective is different from the IP address used to authenticate with Mojang's servers. This makes sense for most use cases, but not for connections across a private network because Mojang will never see the private IP address, and will always prevent the connection.

I think that an exemption should be made for connections from private networks so that this feature can still be used for players connecting from the public internet while not blocking players connecting over a private network (such as a VPN).

Actual Behavior

Player fails to authenticate with the usual "You are not logged into your Minecraft account..." message.

Steps to Reproduce

To reproduce this, the client must be attempting to connect to the Velocity server with a private IP (e.g. 10.0.0.1), but the client and proxy must have different public IPs when connecting to Mojang's servers. This is a common configuration when using a VPN.

Plugin List

None

Velocity Version

Velocity 3.3.0-SNAPSHOT (git-09f687e5-b413)

Additional Information

I've been running a patch with the change I mentioned above and can submit a PR if this is acceptable.

MatthewCash avatar Aug 30 '24 01:08 MatthewCash

Hype for this issue, it happed on k8s env, doesn't know if it's a bug or just a situation that this option should be turned off

lulu2002 avatar Mar 30 '25 10:03 lulu2002

We ran into the issue with a NeoForge Server. Disabling the Setting allowed our clients to join

MojangPlsFix avatar May 20 '25 20:05 MojangPlsFix

The setting enables sending the source IP address to mojang in order to validate that the IP the client is connecting from is the same IP as was authenticated; I'm not sure that there is much interest in this, the mechanism itself is somewhat flakey and I'm not sure I really wanna be carving a hole for private IP ranges, at the very least it would need a configuration option, just not sure of the worth/interest in this given that most cases people hit this their network is misconfigured or mojangs mechanism just isn't going to work for them anyways

electronicboy avatar May 21 '25 10:05 electronicboy