FiveM Server with zero trust security

If you're running a FiveM server, you know how important it is to secure it from potential threats. One way to do this is using a zero-trust security model, where you can only access the server through a secure channel.

This guide isn't for beginners. I assume you know "how to operate a FiveM server," and you have a Cloudflare account and access to the Cloudflare ZTNA.

What is Cloudflared Tunnel?

Cloudflared Tunnel is a secure, encrypted tunnel between your server and Cloudflare's network. It allows you to securely access your server from anywhere without exposing it to the internet. Cloudflared Tunnel is part of the Cloudflare Workers family of products, using the same security and privacy features as Cloudflare Workers.

Setting up Cloudflared Tunnel

To set up Cloudflared Tunnel, you'll need a Cloudflare account and access to the server you want to secure.

  1. Install Cloudflared on your server. Installation instructions are available in the ZTNA dashboard.

  2. Create a new Tunnel in the Cloudflare ZTNA dashboard.
    Give it a name and select the server that you want to secure.

Integrating with FiveM

We'll use a reverse proxy to integrate your FiveM server with Cloudflared Tunnel.

  1. Create a route for your FiveM server using the HTTP protocol in the Cloudflare ZTNA dashboard. The route should look something like this: http://localhost:30120. 

Sometimes I needed to change the settings on the cloudflared tunnel to get SSL to work with the cfx.re server listing ping/API. It's recommended to change the proxy type to socks.

  1. Set up a reverse proxy for your FiveM server. The reverse proxy should listen on port 443 and forward requests to the connecting endpoint specified in the route.

    // prevents the server list from advertising your server using its actual IP
    set sv_forceIndirectListing true

    // makes the server list backend request `https://server1.example.com/` instead of the default
    set sv_listingHostOverride "server1.example.com"

    // a space-separated list of IPv4 networks in CIDR notation to allow 'X-Real-IP'
    // from, as well as bypass the rate limiter
    set sv_proxyIPRanges "100.64.1.1/32"

    // the actual endpoint your server is hosted on, or one
    // or multiple server endpoint proxies, as noted below
    set sv_endpoints "100.64.1.2:30120"

    // Some guides also mention `sv_listingIpOverride`. This value is only needed
    // if the server list backend can't guess the IP to query itself and is not provided to any front-end connection.
    // This is usually the case for systems with multiple IPs or if the server is firewalled off for all hosts except
    // a server proxy.

  2. Make sure to configure your reverse proxy to use SSL encryption. You can obtain an SSL certificate from Cloudflare or a trusted certificate authority.

  3. Test your connection!
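
The proxy directives from step 1 can be checked offline before you test. The script below is an added example, not part of the original guide or of FiveM: it parses the `set` lines of a server.cfg and flags values that would undo the setup, such as an `sv_proxyIPRanges` entry that trusts more than the proxy itself. The `max_proxy_addrs` threshold and the embedded sample config are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the directives shown in the guide, with its placeholder addresses.
SAMPLE_CFG = """
// prevents the server list from advertising your server using its actual IP
set sv_forceIndirectListing true
set sv_listingHostOverride "server1.example.com"
set sv_proxyIPRanges "100.64.1.1/32"
set sv_endpoints "100.64.1.2:30120"
"""

def parse_cfg(text):
    """Collect `set <name> <value>` directives; blank and // comment lines are ignored."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2].strip().strip('"')
    return settings

def audit(settings, max_proxy_addrs=4):
    """Return findings; max_proxy_addrs is an assumed threshold, not a FiveM limit."""
    findings = []
    if settings.get("sv_forceIndirectListing", "").lower() != "true":
        findings.append("sv_forceIndirectListing is not true: the list may advertise the real IP")
    if not settings.get("sv_listingHostOverride"):
        findings.append("sv_listingHostOverride is unset: the list backend queries the default")
    for cidr in settings.get("sv_proxyIPRanges", "").split():
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"sv_proxyIPRanges: {cidr!r} is not valid CIDR")
            continue
        # Every address in these ranges may set X-Real-IP and skips the rate limiter.
        if net.num_addresses > max_proxy_addrs:
            findings.append(f"sv_proxyIPRanges: {cidr} trusts {net.num_addresses} addresses")
    for endpoint in settings.get("sv_endpoints", "").split():
        host = endpoint.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_global:
                findings.append(f"sv_endpoints: {endpoint} is a publicly routable address")
        except ValueError:
            pass  # hostname rather than an IP literal; not checked here
    return findings

if __name__ == "__main__":
    for finding in audit(parse_cfg(SAMPLE_CFG)) or ["no findings"]:
        print(finding)
```

To audit a real file, pass its contents to `parse_cfg` instead of `SAMPLE_CFG`.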

It's important to note that some regions may experience higher ping when using Cloudflared Tunnel because it was not built explicitly for game servers. Instead, it was designed to securely expose websites, web applications and other networks that don't require a low ping to operate.

Fun Fact

We are using Cloudflare Tunnel to secure more than 150 applications and websites!

Conclusion

Using Cloudflared Tunnel, you can create a secure, encrypted connection between your FiveM server and Cloudflare's network. This will help protect your server from potential threats and give you peace of mind knowing that your server is secure. Contact the Cloudflare support team if you have any questions or need help setting up Cloudflared Tunnel.