(pre v0.5.0‐alpha update) Quick‐Start Guide for Drawbridge and Emissary ‐ Minecraft Server
🎥 View the tutorial video here:
How to use Drawbridge and Emissary to protect your self-hosted applications in 5 minutes or less 🔒
— Dawson Hensel (@dawsohen) March 18, 2024
This was recorded using Drawbridge v0.4.2-alpha and Emissary v0.2.2-alpha. pic.twitter.com/xK3jLrsWz8
Drawbridge reverse proxy and the Emissary client are designed to simplify serving networked applications, securely, across networks. In practice, Drawbridge sits in front of your self-hosted networked application, and only allows authorized Emissary clients to access protected services.
For this tutorial, we will have a Minecraft server be our networked application we want to protect.
I am running the Minecraft Server on a computer on my network, with an IP of 192.168.1.2 on port 25565. My router's public IP is 50.146.228.20, which we will need to give to people later to connect to Drawbridge.
I download the latest version of Drawbridge and install it on the same machine as my Minecraft server. When I run Drawbridge, it tries to open my default browser to access the admin page if I am on a Windows machine. Note that by default the Drawbridge admin panel is only accessible from the machine it is installed on.
Since this is my first time using the Drawbridge Dashboard, a prompt will appear, asking for the server IP or domain name that an Emissary client will use to connect from another network. I'm going to set my IP to 0.0.0.0 so Drawbridge can listen on all interfaces. I don't want to set up a hostname and DNS records, but a hostname is also valid here.
A Protected Service is a server that you want to allow Drawbridge to expose to Emissary clients via a proxy. Creating a Protected Service in Drawbridge tells Drawbridge where to route an Emissary client's traffic. In this case, we want to expose a Minecraft server to our Emissary clients.
I now need to tell Drawbridge about my Minecraft Server so it can route our Emissary clients to it. Under the Protect new Service section, I'll Name my service "My Minecraft Server", enter 127.0.0.1 for the IP, and enter 25565 for the port. If you are running your Minecraft server on a different machine, you should enter that IP here instead of 127.0.0.1.
I click Submit, and we now can see our service in the Protected Services section of the dashboard!
Now, we need to generate some files Emissary will need to securely talk to Drawbridge. Click the Generate button next to the Generate Certificates and Key for an Emissary client section. If it works, you should see a message saying Successfully saved Emissary Certificates and Key to "emissary_certs_and_key_here" to local filesystem. Keep this in mind as we will need the files saved to this folder later.
Now, go into your router settings page and forward the port 3100, and make sure to set the protocol to TCP. This is so Emissary can talk to Drawbridge later.
Drawbridge should now be successfully configured! Now Drawbridge knows where to send traffic when an Emissary client connects to it!
Next, we will connect to our Minecraft server using Emissary.
Now, I want to have my friend Matthew join my Minecraft server. He can't connect to the Minecraft server directly, since we have configured it to go through Drawbridge.
Matthew downloads the latest version of Emissary and runs it on his machine. On its first run, it says that the Drawbridge admin needs to send him a key and some certificate files as pictured below:
If you remember the Drawbridge Continued: Generate mTLS Keys step we did earlier, we will send those mTLS files to Matthew now.
Matthew takes the ca.crt, emissary-mtls-tcp.crt, and emissary-mtls-tcp.key files and places them in the "put_certificates_and_key_from_drawbridge_here" folder that Emissary created.
Now, when he launches Emissary he is greeted with a prompt to connect to the Drawbridge server! This is the IP or hostname we used earlier when we first visited the Drawbridge page. This IP or hostname is also shown in the header of the Drawbridge Dashboard, in case you forgot.
Once Matthew enters the Drawbridge IP, our router's public ip from earlier (50.146.228.20) and port and connects, he can see our Minecraft Protected Service is available on his machine now at localhost:3200!
Now, Matthew launches Minecraft and enters the address for the Minecraft Server address and port as it was listed in Emissary:
Congratulations! If you made it this far, you hopefully are able to access your Drawbridge Protected Service from an authorized Emissary client!