Are there security risks to port forwarding? (self-hosting Terraria)

My friend wants to run a Terraria server from their Windows laptop and the Terraria wiki suggests port forwarding to allow players to connect. Are there any security risks with them setting up port forwarding? Can they be mitigated or avoided?

The wiki mentions LogMeIn Hamachi VPN as an alternative but it’s not open source and has questionable Linux support, but I don’t know of a better alternative.

@headphone There is Tailscale, which is better than Hamachi.
Port forwarding itself is quite safe. Security risks usually come either from your friend configuring it poorly, or from any vulnerabilities in the application itself, in this case Terraria.
It’s better to use a VPN with their Terraria server instead of port forwarding it directly, to reduce potential security risks.

1 Like

Yes, there are security risks with every port you open. I’d suggest you look into VPNs such as WireGuard. You can open the WireGuard port relatively safely in comparison to opening the Terraria port itself. This is what I’d do as of now, I think it’s a great option. You can host WireGuard on a PC or router.

Previously, I would’ve said just use Tailscale, but it’s quite annoying, because it requires SSO with one of the big brother companies. I guess if you’re okay with that, Tailscale could also be a good option that doesn’t require port forwarding.

Yes, there are risks, but they’re likely less severe than you might expect.

Opening port 7777 to the internet means that anyone connecting to your worldwide IP will be able to establish a connection to an application on your computer that is awaiting connections on port 7777.

The only situation in which you might be at risk is if there is a zero-day exploit in a Terraria server that allows an attacker to execute arbitrary code with the same privileges as the process, which by itself is pretty unlikely.

If you don’t want to bother using a VPN, running a Terraria server as an unprivileged user, especially one dedicated to Terraria, is fine. From that point forward, in the unlikely scenario that your Terraria server is compromised by a random online attacker, then damage on your computer would be confined to your Terraria user.

Less realistically, a clever attacker would be able to leverage user-privilege access to exploit the kernel to obtain admin access, but this level of attack is far too sophisticated for most threat agents if you have an up-to-date system. More realistically, a sophisticated attacker could probe other devices on your network for possible lateral movement.

All in all, compromise is very, very unlikely.

But if you want my personal recommendation, just go ahead and port-forward and run with a dedicated unprivileged user (or a non-administrator account on Windows). I’ve done that for most of my life personally, as a security researcher and a gamer. If you want peace of mind and really insist on using a VPN, ZeroTier is free and better than Hamachi.

2 Likes
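
One way to set up the dedicated non-administrator Windows account recommended in the last reply, as an added example that is not part of any post in the thread. The account name, install path and firewall rule name are assumptions; run it from an elevated PowerShell prompt on the laptop that hosts the server.

```powershell
# Assumptions (not from the thread): account name, install path, rule name.
$User    = 'terraria-svc'                                  # hypothetical account
$ExePath = 'C:\Games\TerrariaServer\TerrariaServer.exe'    # hypothetical path
$Port    = 7777                                            # port named in the thread

# 1. Create a dedicated local account and add it to the built-in Users group
#    (SID S-1-5-32-545, used instead of the name because group names are localized).
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $User"
    New-LocalUser -Name $User -Password $pw -Description 'Terraria server only' | Out-Null
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $User
}

# 2. Refuse to continue if the account is a member of Administrators (S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
if ($admins -contains "$env:COMPUTERNAME\$User") {
    throw "$User is in Administrators; remove it before running the server."
}

# 3. Allow inbound TCP 7777 for this one executable only, and only while the
#    laptop is on a network marked Private (assumes the home network is set so),
#    so the port stays closed on public Wi-Fi.
New-NetFirewallRule -DisplayName 'Terraria server (TCP 7777)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
    -Program $ExePath -Profile Private | Out-Null

# 4. Start the server under the dedicated account (prompts for its password).
$cred = Get-Credential "$env:COMPUTERNAME\$User"
Start-Process -FilePath $ExePath -Credential $cred -LoadUserProfile `
    -WorkingDirectory (Split-Path $ExePath)

# 5. Once the server is listening, confirm which account owns the listener.
#    The UserName column should show the dedicated account, not your own.
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Process -Id $_.OwningProcess -IncludeUserName } |
    Select-Object ProcessName, Id, UserName
```

The router's port-forward rule still has to point TCP 7777 at this laptop; remove both that rule and the firewall rule when the server is no longer in use.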