Networking

Configure networking properly for your FiveM server.

Network Architecture

The following diagram shows how traffic flows through a typical FiveM server setup with a reverse proxy:

Network Flow:

  • Player Client → Port 30120 TCP/UDP → FXServer
  • Admin Browser → HTTPS 443 → Reverse Proxy (Nginx/Caddy)
  • Reverse Proxy → HTTP 40120 → txAdmin
  • txAdmin → Local → FXServer
  • FXServer → Database (MariaDB/MySQL)

Key Points:

  • Players connect directly to FXServer on port 30120 (game traffic)
  • Admin web interface (txAdmin) is accessed through a reverse proxy for SSL and security
  • Reverse proxy shields txAdmin from direct internet exposure

Required Ports

Port    Protocol   Purpose                 Required For
30120   TCP/UDP    Game server             Players to join
40120   TCP        txAdmin web interface   Admin access (can be proxied)

Firewall Configuration

Linux (UFW - Ubuntu/Debian)

UFW (Uncomplicated Firewall) is the default firewall manager on Ubuntu and Debian:

    # Allow game server traffic
    sudo ufw allow 30120/tcp comment 'FiveM game server TCP'
    sudo ufw allow 30120/udp comment 'FiveM game server UDP'

    # Allow txAdmin (if not using reverse proxy)
    sudo ufw allow 40120/tcp comment 'txAdmin web interface'

    # Enable firewall (when working over SSH, make sure your SSH port is allowed first)
    sudo ufw enable

    # Verify rules
    sudo ufw status numbered

Expected Output:

    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 30120/tcp                  ALLOW IN    Anywhere
    [ 2] 30120/udp                  ALLOW IN    Anywhere
    [ 3] 40120/tcp                  ALLOW IN    Anywhere

Linux (firewalld - CentOS/RHEL)

For CentOS, RHEL, and Fedora systems using firewalld:

    # Allow game server traffic
    sudo firewall-cmd --permanent --add-port=30120/tcp
    sudo firewall-cmd --permanent --add-port=30120/udp

    # Allow txAdmin (if not using reverse proxy)
    sudo firewall-cmd --permanent --add-port=40120/tcp

    # Reload firewall
    sudo firewall-cmd --reload

    # Verify rules
    sudo firewall-cmd --list-ports

Expected Output:

30120/tcp 30120/udp 40120/tcp

Windows

Configure Windows Firewall using PowerShell (run as Administrator):

    # Allow FiveM game server
    New-NetFirewallRule -DisplayName "FiveM Game Server" -Direction Inbound -LocalPort 30120 -Protocol TCP -Action Allow
    New-NetFirewallRule -DisplayName "FiveM Game Server UDP" -Direction Inbound -LocalPort 30120 -Protocol UDP -Action Allow

    # Allow txAdmin
    New-NetFirewallRule -DisplayName "txAdmin Web Interface" -Direction Inbound -LocalPort 40120 -Protocol TCP -Action Allow

    # Verify rules
    Get-NetFirewallRule -DisplayName "*FiveM*","*txAdmin*" | Format-Table DisplayName, Enabled, Direction, Action

Reverse Proxy

A reverse proxy sits between the internet and your txAdmin interface, providing:

  • SSL/TLS encryption (HTTPS) without exposing port 40120
  • DDoS protection by hiding the actual server port
  • Domain names instead of IP:port URLs
  • Rate limiting and access control

Nginx Configuration

Complete Nginx configuration with SSL termination, WebSocket support, and security headers:

    # Redirect HTTP to HTTPS
    server {
        listen 80;
        server_name your-domain.com;
        return 301 https://$server_name$request_uri;
    }

    # HTTPS server
    server {
        listen 443 ssl http2;
        server_name your-domain.com;

        # SSL certificates (use Certbot for Let's Encrypt)
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

        # SSL configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Proxy to txAdmin
        location / {
            proxy_pass http://127.0.0.1:40120;

            # Essential proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # WebSocket support (for txAdmin real-time features)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Timeouts
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;
        }
    }

Setting up SSL with Certbot:

    # Install Certbot
    sudo apt update
    sudo apt install certbot python3-certbot-nginx

    # Obtain certificate (Nginx will auto-configure)
    sudo certbot --nginx -d your-domain.com

    # Test auto-renewal
    sudo certbot renew --dry-run

Caddy Configuration

Caddy automatically handles SSL certificates via Let’s Encrypt:

    your-domain.com {
        # Reverse proxy to txAdmin
        reverse_proxy localhost:40120 {
            # WebSocket support: pass the client's upgrade headers upstream
            header_up Connection {header.Connection}
            header_up Upgrade {header.Upgrade}
        }

        # Security headers
        header {
            X-Frame-Options "SAMEORIGIN"
            X-Content-Type-Options "nosniff"
            X-XSS-Protection "1; mode=block"
        }
    }

Why Caddy?

  • Automatic HTTPS (no manual certificate management)
  • Simpler configuration syntax
  • Built-in rate limiting and DDoS protection
  • Great for beginners

Installing Caddy:

    # Ubuntu/Debian
    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
    sudo apt update
    sudo apt install caddy

    # Start and enable
    sudo systemctl enable --now caddy

DDoS Protection

  1. Add your domain to Cloudflare
  2. Point DNS records to Cloudflare
  3. Enable “Proxy” (orange cloud) for your domain
  4. Configure rate limiting rules in Cloudflare dashboard

Benefits:

  • Free DDoS protection
  • CDN acceleration
  • Bot management
  • Analytics

Server Provider Protection

Most VPS providers offer DDoS protection:

  • Hetzner: Included on most plans
  • OVH: Anti-DDoS included
  • DigitalOcean: Available as add-on

Rate Limiting in Nginx

Add rate limiting to prevent abuse:

    # Define rate limit zone (in the http context, outside any server block)
    limit_req_zone $binary_remote_addr zone=txadmin_limit:10m rate=10r/m;

    server {
        # ... existing config ...

        location / {
            limit_req zone=txadmin_limit burst=5 nodelay;
            # ... proxy config ...
        }
    }
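To see what rate=10r/m with burst=5 nodelay actually admits, the following added example (not part of the original page or of Nginx) models the limit_req bucket in shell and awk. It is a simplified floating-point model for a single client address; the function name simulate_limit_req and the arrival times are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of the limit_req leaky bucket with nodelay.
# stdin: request arrival times in seconds for ONE client address (constructed).
# usage: simulate_limit_req <rate_per_minute> <burst>
simulate_limit_req() {
    awk -v rate="$1" -v burst="$2" '
    BEGIN { per_sec = rate / 60; first = 1 }
    {
        t = $1
        if (first) {
            # The first request from an address starts with an empty bucket.
            excess = 0; last = t; first = 0
            print t, "PASS"
            next
        }
        # The bucket drains at the configured rate; each request adds one unit.
        e = excess - (t - last) * per_sec + 1
        if (e < 0) e = 0
        if (e > burst) {
            # Over the burst allowance: rejected, bucket state is left unchanged.
            print t, "REJECT"
            next
        }
        excess = e; last = t
        print t, "PASS"
    }'
}

# Constructed traffic: 8 requests at t=0, then one at t=7s and one at t=8s.
printf '%s\n' 0 0 0 0 0 0 0 0 7 8 | simulate_limit_req 10 5
```

In this model a client gets six requests through at once (one plus the burst), after which the bucket frees up one slot roughly every six seconds.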

Troubleshooting

Testing Port Connectivity

From local machine:

    # Test TCP port
    nc -zv your-server-ip 30120

    # Test UDP port (requires netcat with UDP support)
    nc -u -zv your-server-ip 30120

Expected Output (success):

Connection to your-server-ip 30120 port [tcp/*] succeeded!

From server itself:

    # Check if port is listening
    sudo netstat -tulpn | grep 30120
    # or
    sudo ss -tulpn | grep 30120

Expected Output:

    tcp   0   0   0.0.0.0:30120   0.0.0.0:*   LISTEN   12345/fxserver
    udp   0   0   0.0.0.0:30120   0.0.0.0:*            12345/fxserver
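The same listener check can confirm the point from the architecture section that the reverse proxy shields txAdmin from direct exposure. This added example (not from the original page) parses `ss -tuln` output and reports whether port 40120 is bound to loopback only; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a txAdmin listener that is reachable without the proxy.
# stdin: output of `ss -tuln`; $1: port to audit (default 40120).
# Exit status is 1 if any listener on that port is bound to a non-loopback address.
audit_txadmin_exposure() {
    awk -v port="${1:-40120}" '
    $1 == "tcp" || $1 == "udp" {
        addr_port = $5                      # "Local Address:Port" column
        n = split(addr_port, parts, ":")
        p = parts[n]                        # port is the text after the last colon
        if (p != port) next
        addr = substr(addr_port, 1, length(addr_port) - length(p) - 1)
        seen = 1
        if (addr ~ /^127\./ || addr == "[::1]") {
            print "OK", $1, addr_port
        } else {
            print "EXPOSED", $1, addr_port
            bad = 1
        }
    }
    END {
        if (!seen) print "NOT-LISTENING", port
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample of `ss -tuln` output on a host running FXServer, txAdmin and Nginx.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:30120      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:30120      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:40120      0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    [::]:40120         [::]:*
EOF
}

# Live use on the server: ss -tuln | audit_txadmin_exposure 40120
sample_ss_output | audit_txadmin_exposure 40120 ||
    echo "txAdmin is listening on a non-loopback address"
```

When a reverse proxy is in front, an EXPOSED result means the firewall is the only thing keeping port 40120 private, so the 40120 allow rule from the firewall section should not be present.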

Testing Reverse Proxy

Test local connectivity:

    # Test txAdmin directly (should return its HTTP response headers)
    curl -I http://127.0.0.1:40120

    # Test through proxy
    curl -I https://your-domain.com

Common Issues:

  1. 502 Bad Gateway

    • Check if txAdmin is running: systemctl status txadmin
    • Verify proxy_pass URL is correct
    • Check firewall allows localhost connections
  2. SSL Certificate Errors

    • Verify certificate files exist and are readable
    • Check certificate expiration: sudo certbot certificates
    • Ensure DNS points to your server IP
  3. WebSocket Connection Failed

    • Verify Upgrade and Connection headers in Nginx config
    • Check txAdmin logs for WebSocket errors
    • Test with browser developer tools (Network tab)

Validation

After configuring networking:

  1. Test game server connection:

    • Open FiveM client
    • Connect to your-server-ip:30120
    • Should connect successfully
  2. Test admin interface:

    • Open browser to https://your-domain.com (or http://your-server-ip:40120 if no proxy)
    • Should see txAdmin login page
    • SSL certificate should be valid (green lock icon)
  3. Verify firewall:

    # UFW
    sudo ufw status verbose

    # firewalld
    sudo firewall-cmd --list-all

Rollback

If networking changes break connectivity:

  1. Disable firewall temporarily:

    # UFW
    sudo ufw disable

    # firewalld
    sudo systemctl stop firewalld

  2. Restore Nginx/Caddy config:

    # Nginx
    sudo cp /etc/nginx/sites-available/backup.conf /etc/nginx/sites-enabled/default
    sudo nginx -t && sudo systemctl reload nginx

    # Caddy
    sudo cp /etc/caddy/Caddyfile.backup /etc/caddy/Caddyfile
    sudo systemctl reload caddy

  3. Check server logs:

    # FXServer logs
    tail -f /opt/fivem/logs/server.log

    # Nginx logs
    sudo tail -f /var/log/nginx/error.log