VelocityGuard 1.0 | Secure your < 1.13 Velocity setups!

VelocityGuard

This plugin is a port of the plugin BungeeGuard by lucko and functions nearly identically to his version. The aim of the plugin is to verify that the incoming connections to your Spigot (backend) servers are actually coming from your Velocity instance.

Velocity has a neat feature called modern forwarding but that feature isn’t available in server versions below 1.13 putting those who either don’t know how to properly set up firewalls or those who are prone to proxy impersonation attacks at risk of attack. Because of the VelocityGuard system, these attacks are rendered useless or impractical.

Common issues (read this before continuing)

  • Please don’t confuse VelocityGuard with Velocity’s built in modern forwarding, VelocityGuard is meant to solve a completely different problem

  • The best way to have VelocityGuard set up is to have your Velocity instance have it’s forwarding mode set to legacy and have your backend server’s bungeecord mode enabled.

  • If you’re using PaperSpigot please do NOT use the paper.yml velocity-support configuration entry as it’s not the same thing as VelocityGuard.

Installation

On your Velocity proxies

  1. Copy the velocityguard-proxy.jar file to the Velocity plugins folder
    and then proceed to restart the proxy.

  2. Inside the plugins folder there should be a new folder called
    velocityguard. Open the file called token.json inside the
    velocityguard folder and copy down the value of token (Your token
    should be 64 characters long).

On each of your servers

  1. Copy the velocityguard-backend.jar file into your plugins folder and
    restart the server.

  2. Inside the plugins (or the config directory for the Sponge users)
    folder there should be a new folder called velocityguard. Open
    the file config.yml inside the velocityguard folder.

  3. Add the token(s) generated by your proxy(-ies) to the allowed-tokens list.

    e.g.

    # Put the allowed authentication tokens in the list below
    
    allowed-tokens:
      - "gpZCEOe9u0p4KKV8Tgf1TxDrE5ZzcOCfs3JunDi82CvRuHQgeCoxKUladkYDTyBb"
    
  4. Restart the server.

Support

Feel free to contact me on discord at KuNet#0001 for any feature request or support request. Feature requests can be replied here. Please don’t ask the Velocity Discord for help, this is not an official velocity-made plugin so they cannot offer the same level of support

Download Links

Direct download links hosted on file sharing websites will not be posted here due to risks such as:

  • They could possibly be faked or backdoored
  • It may not have the latest version which may contain possible security risks

As VelocityGuard is a security plugin, it’s vital that the downloads are in a maintained, safe and publicly monitored location. As such, the download instructions will be below.

Head over to the Actions tab at the top of VelocityGuard’s repository and open the latest one with a check mark. From there there should be an Artifacts section with a link to download the zip file containing the jars.

Open Source

1 Like

Can we get a sponge version of the backend plugin please?

Sponge should now be supported in the plugin! Let me know if you have any problems, questions or requests!

does this support for Paper 1.13 and above? Why not ?

You don’t need to use this plugin if you’re using anything above 1.13 (Paper) because Velocity has an option named Modern Forwarding which basically has the same effect as using VelocityGuard. This plugin was built with the intention of supporting versions below 1.13 paper so that those servers would be more secure.

There are scenarios where a network could be running a 1.13+ server in addition to 1.12 or lower, and in which case their proxy would need to run in legacy mode. Just because a server can run modern doesn’t mean you should assume that it will.

1 Like

To answer the question though, just tested it out on a newer version and it does seem to work OK on 1.14.4!