[GUIDE] Configure a Cloudflare Proxy For Your FiveM Server

Securing Your FiveM Server with Cloudflare Tunnel

If you operate a FiveM server, safeguarding it from potential threats is of utmost importance. One effective way to achieve this is by implementing a zero-trust security model, where server access is only allowed through a secure channel. I am sharing this with other communities as we all need to come together against the attackers in helping mitigate downtime.

Note: This guide assumes you are familiar with operating a FiveM server and have both a Cloudflare account and access to Cloudflare ZTNA (Zero Trust Network Access). If you do not know what you are doing, you will face challenges. Do your research and always configure this in a development environment first.

What is Cloudflared Tunnel?

Cloudflared Tunnel establishes a secure, encrypted connection between your server and Cloudflare’s network. By utilizing this tunnel, you can access your server securely from anywhere without exposing it directly to the internet. Cloudflared Tunnel is a part of the Cloudflare Workers family, leveraging the same robust security and privacy features.

Setting Up Cloudflared Tunnel

To set up Cloudflared Tunnel, you will require a Cloudflare account and access to the server you wish to secure. Follow these steps:

  1. Install Cloudflared on your server. Instructions for installing Cloudflared can be found on the ZTNA Dashboard or here.

  2. Create a new Tunnel in the Cloudflare ZTNA dashboard.

  3. Give the Tunnel a descriptive name and select the server you want to secure.

Integrating with FiveM

To integrate your FiveM server with Cloudflared Tunnel, we will use a reverse proxy. Follow these steps:

  1. Create a route for your FiveM server using the HTTP protocol in the Cloudflare ZTNA dashboard. The route should resolve to: http://localhost:30120 or whatever port you use for your server.

  2. Tip: Sometimes adjustments are necessary in the Cloudflared tunnel settings to ensure SSL works with the cre.fx server listing ping/API. It’s recommended to change the proxy type to socks5.

  3. Set up a reverse proxy for your FiveM server. The reverse proxy should listen on port 443 and forward requests to the connecting endpoint specified in the route.

// prevents the server list from advertising your server using its actual IP
set sv_forceIndirectListing true

// makes the server list backend request `https://server1.example.com/` instead of the default
set sv_listingHostOverride "server1.example.com"

// a space-separated list of IPv4 networks in CIDR notation to allow 'X-Real-IP'
// from, as well as bypass the rate limiter. The below IP spaces are Cloudflare addresses.
set sv_proxyIPRanges "173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

// the actual endpoint your server is hosted on, or one
// or multiple server endpoint proxies, as noted below
set sv_endpoints "100.64.1.2:30120"

// Some guides also mention `sv_listingIpOverride`. This value is only needed
// if the server list backend can't guess the IP to query itself and is not provided to any front-end connection.
// This is usually the case for systems with multiple IPs or if the server is firewalled off for all hosts except
// a server proxy.

  4. Ensure your reverse proxy is configured to use SSL encryption. You can obtain an SSL certificate from Cloudflare or a trusted certificate authority.

Testing Your Connection

It’s essential to test your connection after setting up the Cloudflared Tunnel. Keep in mind that some regions might experience slightly higher ping due to Cloudflared Tunnel being primarily designed for secure exposure of websites and networks, rather than low-latency game servers.

Conclusion

By leveraging Cloudflared Tunnel, you can establish a secure and encrypted connection between your FiveM server and Cloudflare’s network. This significantly enhances your server’s protection against potential threats, offering you peace of mind. If you encounter any questions or need assistance in setting up Cloudflared Tunnel, do not hesitate to reach out to the Cloudflare support team for help.

16 Likes
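A pre-deployment check for the proxy-related convars in the guide above, as an added example that is not part of the original post and is not FiveM or Cloudflare code. The names `parse_cfg`, `lint` and `MIN_PREFIX`, the /8 threshold, the rule that `sv_forceIndirectListing` should be paired with `sv_listingHostOverride` (as the guide sets them), and both sample configs are assumptions constructed for illustration.

```python
import ipaddress
import re

SET_RE = re.compile(r"^set\s+(\w+)\s+(.*)$")
QUOTES = '"\u201c\u201d'   # plain and typographic double quotes
MIN_PREFIX = 8             # assumed floor; the widest range in the guide is /13

def parse_cfg(text):
    """Return {convar: raw value} for `set` lines; // and # comments never match."""
    convars = {}
    for line in map(str.strip, text.splitlines()):
        m = SET_RE.match(line)
        if m:
            convars[m.group(1)] = m.group(2).strip()
    return convars

def lint(text):
    """Return a list of findings for the proxy-related convars."""
    cv, findings = parse_cfg(text), []
    for name, raw in cv.items():
        if "\u201c" in raw or "\u201d" in raw or raw.count('"') % 2:
            findings.append(f"{name}: retype the value with plain, balanced double quotes")
    for token in cv.get("sv_proxyIPRanges", "").strip(QUOTES).split():
        try:
            net = ipaddress.ip_network(token)
        except ValueError:
            findings.append(f"sv_proxyIPRanges: {token!r} is not a CIDR network; use spaces only")
            continue
        # X-Real-IP is trusted (and the rate limiter bypassed) for every address in range
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"sv_proxyIPRanges: {token} trusts X-Real-IP from too wide a range")
    if cv.get("sv_forceIndirectListing") == "true" and "sv_listingHostOverride" not in cv:
        findings.append("sv_forceIndirectListing is true but sv_listingHostOverride is not set")
    return findings

# Constructed samples: GOOD follows the guide's layout, BAD shows common copy/paste damage
GOOD = '''
set sv_forceIndirectListing true
set sv_listingHostOverride "server1.example.com"
set sv_proxyIPRanges "173.245.48.0/20 103.21.244.0/22"
'''
BAD = '''
set sv_forceIndirectListing true
set sv_proxyIPRanges "173.245.48.0/20, 103.21.244.0/22 0.0.0.0/0"
set sv_endpoints \u201c100.64.1.2:30120\u201d
'''

if __name__ == "__main__":
    print("\n".join(lint(BAD)))
```
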

a video will be better

3 Likes

Nice Work :heart:

This is a good step for all server owners who always have to fight because of DDoS attacks etc. and even servers are sometimes offline for hours.

1 Like

amazing

1 Like

Agreed. There are other methods like GRE Tunnels which provide Layer 7 protection but this should be perfect to fight against attacks.

Thank you! <3

Thanks for the feedback - This guide should be good enough so long as you know what you’re doing.

Hey, how much does this actually cost?
Which one of the “options” should I pick?
Do I understand that I have to pay 7$ for each player every month?

I think that is a price for every member of your team when they should have access to the Cloudflare system. As far as I know, Cloudflare doesn’t know if you are running a FiveM server and how many players are on the server.
Sincerely

This is correct. You can use the free version or any of the other plans.

1 Like

This guide is working fine.
My only “problem” is that I get multiple “Server list query returned an error:” messages and sometimes the following message:

Server list query returned an error: System.Net.Sockets.SocketException: Broken pipe ← System.IO.IOException: Unable to write data to the transport connection: Broken pipe. ← System.Net.Http.HttpRequestException: An error occurred while sending the request. ← System.Exception: Could not query via https://fivem.MYDOMAIN.com/ - check if your sv_listingHostOverride is correct

This is my configuration:

set sv_forceIndirectListing true
set sv_listingHostOverride "fivem.MYDOMAIN.com"
set sv_proxyIPRanges "173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/13, 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22"
set sv_endpoints "SERVERIP:30120"
set adhesive_cdnKey "RANDOMKEY"
#Only change the IP if you’re using a server with multiple network interfaces, otherwise change the port only.
endpoint_add_tcp "0.0.0.0:30120"
endpoint_add_udp "0.0.0.0:30120"
#Endpoints Privacy
sv_endpointPrivacy true

I’ve replaced “MYDOMAIN”, “SERVERIP” and “RANDOMKEY” with the correct values.
It’s all working, I can connect to the server and I have no problems. Is there a way I can solve the problem with the messages?

Sincerely

very confused guide

2 Likes

I constantly get the following message

[ citizen-server-impl] Server list query returned an error:

in the server console.

Is there currently a way to fix it?

Sincerely

Hello there! I’ve been attempting to configure a Cloudflare tunnel to function with FiveM, but I’m encountering a problem when trying to connect to the server. I meticulously followed your provided guide, and I can confirm that the reverse proxy is operational – I can retrieve the player.json and similar data using the domain name. However, I’m encountering a roadblock during the phase of requesting server variables. Do you have any insights into the potential reasons behind this issue? Your assistance would be greatly appreciated!

I’m sorry you feel that way…

What is it that’s confusing to you so I can maybe help?

This is a common error people get unfortunately… Best way to troubleshoot this issue is see if you see any errors in the Tunnel logs and go from there.

Additionally, make sure you set up your reverse proxy correctly to use 443 and forward requests to the connecting endpoint specified in the route.

Lastly, this is obvious, but make sure the ports that need to be used are opened and, just for good measure, I would find a way to ensure that you allow all of the Cloudflare addresses on your firewall.

Hey there! Show me the error you’re getting and I can see if I can help.

I can retrieve the player.json and similar data using the domain name so I know the tunnel works for that. However, when I try and connect I get stuck on requesting server variables.

“Additionally, make sure you set up your reverse proxy correctly to use 443 and forward requests to the connecting endpoint specified in the route.”

Do you have input on the proper way to do this? I’ve spent 9+ hours following the cfx docs and I haven’t been able to get it to work. The way I’m going about it is using nginx…

Hey man, so I’m not exactly a noob at reverse proxying and I have several cloudflared tunnels. I got this to work using the sv_endpoints as an external IP that points to the server and have the port forwarded. But that’s not entirely what I was looking for.
Were you able to forward UDP traffic through the public hostnames on cloudflare?