Review Teamspeak3 Proxy

XRV-Webix

Hello @maxst,
I had more than 3000 connected at the same time on the "backend" server.
Hard to tell how many were passing through each of the "frontends" because I wasn't monitoring the connections.
About informing the teamspeak on the weblist, it is not such a good idea... You'll have duplicates on the weblist, or you will force all clients connecting from the weblist to use the same "frontend" server. In my case, I didn't advertise the server at all.
But the good thing about using iptables to redirect the traffic is that you can analyse the traffic on each "frontend" server and "re-analyse" it again on the "backend", like I did.
With the "frontend" servers having no anti-DDoS protection from the provider, the attacks targeted at the TS server just made 1 or 2 "frontends" crash, where some TS users were dropped and got back online right away using another "frontend" server.

Note: To do a setup like this, you will always need the "frontends" to have 2 network cards.
 

XRV-Webix

I remember last year asking on the TeamSpeak forums for a way to get the teamspeak to read the database for any changes.
If they could do that, I would have successfully set up a high-availability teamspeak service with several servers (if 1 crashes, the other takes over right away).
 

maxst

> About informing the teamspeak on the weblist, it is not such a good idea... You'll have duplicates on the weblist, or you will force all clients connecting from the weblist to use the same "frontend" server. In my case, I didn't advertise the server at all.

Nope, not necessary. This weblist feature is currently only for having one proxy at all (and can be enabled or disabled easily). It was suggested by another user and was easy to implement. I'm planning on having a reverse engineered tsdns that can easily give every user a specific gateway (one or multiple for guests, for members, for admins, ...). So if someone wants to take down a teamspeak he wouldn't even know all IP addresses of all gateways.

Your idea with the high-availability teamspeak service sounds good. Should be doable with only a little downtime. Maybe it would be a good idea to use some mysql cluster as backend and have multiple teamspeak3 servers for a failover. If one ts3 server shuts down, another instance will start asap. So the actual outage would only be 1 or 2 seconds. That's definitely short enough :) - as long as you can't run multiple instances with the same shared database, that would be quite a good solution.
 

denka

If someone wants to test what DDoS would do to this send me a PM
 

HardRevo

I have tried it out and it works really well.

I first tried with python34, which is the one that is available in the CentOS repos. It showed some warnings but the redirect worked, but then my server wasn't showing up on the list.
After upgrading to Python36 this issue was solved.

But I have noticed that the proxy is there in the server list but it shows as an empty server.
 

denka

Really wanna test this out to see if something can be done on the DDoS protection side or not. Someone please contact me so we can test it.
 

HardRevo

> Really wanna test this out to see if something can be done on the DDoS protection side or not. Someone please contact me so we can test it.

Sure, PM me (can't find a way to PM you), we can try something out on my server. If you have Discord, add me: Hard#1187
My posts need to be approved and that takes a long time.
 

denka

Just finished testing. This will work fine as long as no one finds your backend IP (real server IP): the teamspeak will stay up, but you will still have to get a server with great DDoS protection, or your proxy IP drops and everyone will drop, pretty much. Also, the ban system seems a bit bad.
 

User_2995

Ello.
Works for me only when I run python3 -m ts3proxy

What do I have to do to be able to redirect several virtual servers, e.g. 9988, 9989, with the ftp and query ports?
 

maxst

@denka thank you for testing this. What's bad about the ban system? It's not very maintainable of course, because that would need some interaction with the teamspeak server itself. Also, it's not the best to only run "one" proxy to protect your server. Just use a few and all clients will use an available one via DNS automatically. There will be a short disconnect because of the attacked server, but Teamspeak should automatically requery the DNS server after the connection is lost and choose another one. With DNS round robin or similar stuff you could make sure that people wouldn't use the same server for the first try every time. And DDoS-protected virtual servers are cheap, so 5 to 10 servers in hopefully different data centers (or server segments) are not that big a deal.

@karkow that is currently not possible, but thanks for the idea. I will add some functionality for this soon.

@HardRevo there is no query to the original teamspeak server. The proxy only shows the users connected via this proxy. And teamspeak has limited the serverlist query, so you have to wait at least 10 minutes or otherwise you won't recognize any changes. Turn on debugging to see when ts3proxy sends anything to the teamspeak weblist.
 

Sharc

Hi all.
I have a question, tell me.
If I put up this proxy server, then all people will have one IP address?
 

MrWolf

> Hi all.
> I have a question, tell me.
> If I put up this proxy server, then all people will have one IP address?

Yes, correct!
I mean you will be able to see only one IP address, but every guy on the internet has a different IP.
 

HardRevo

This also means that if you ban someone by right-clicking and selecting Ban client, you will be banning everyone on the server. In order to ban, you have to go to the ban list and add a rule manually with their unique ID.
 

Sharc

> This also means that if you ban someone by right-clicking and selecting Ban client, you will be banning everyone on the server. In order to ban, you have to go to the ban list and add a rule manually with their unique ID.

Yes, I understand, thank you very much. But this is a very big drawback of this method.
 

iElevateX

The system itself is pretty cool. I would change and modify the code a little bit for performance purposes, but other than that, good job.
 

maxst

> The system itself is pretty cool. I would change and modify the code a little bit for performance purposes, but other than that, good job.

Thanks!
Feel free to submit a pull request or tell me what to modify pls :)
 

Some_body

Hello everyone,
If my country blocks TeamSpeak3 and I want to join it and let my server clients (same country) join,
I could let them use this script from my machine so they won't go to another proxy service. But also, if someone doesn't use my proxy and his country allows TeamSpeak3, I want him to join my server without using my proxy.

- Could I do that with this script?

Sorry for bad English :D
 

maxst

Hey Some_body,
it depends on different things:
  • your country may block specific IP ranges and may not detect "teamspeak packets" with some kind of packet sniffer
  • your PC may have an unblocked connection to this specific teamspeak server
You may read the first post of the thread, where I tried to explain what this tool does. I think you haven't understood it completely, because your second question (join without proxy) wouldn't exist then.
Let me give you a short summary: The proxy actually behaves like a "normal" teamspeak client. Therefore it needs a connection to a "real" teamspeak3 server (or another instance of my proxy that has a connection to a "real" teamspeak3 server). Nevermind, everyone can either connect directly to the teamspeak server or use the proxy. Both are possible.
I hope things are clearer for you now :)
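
Added example (not part of the thread and not ts3proxy's own code): a minimal loopback UDP relay showing the point made in the posts above, that the backend only ever sees the relay's own source addresses and never the real clients', which is why an IP ban on the backend hits every proxied user. The name UdpRelay, the payloads and the echo backend are constructed for illustration.

```python
import select
import socket

class UdpRelay:
    """One upstream socket per client; the backend only ever talks to the relay."""
    def __init__(self, backend_addr):
        self.backend_addr = backend_addr
        self.listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listen.bind(("127.0.0.1", 0))
        self.sessions = {}  # real client (ip, port) -> upstream socket

    def pump(self, timeout=0.2):  # forward both ways until nothing is readable
        while True:
            upstreams = {s: c for c, s in self.sessions.items()}
            ready, _, _ = select.select([self.listen, *upstreams], [], [], timeout)
            if not ready:
                return
            for sock in ready:
                data, src = sock.recvfrom(2048)
                if sock is self.listen:  # client -> backend
                    if src not in self.sessions:
                        up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                        up.connect(self.backend_addr)  # accepts backend replies only
                        self.sessions[src] = up
                    self.sessions[src].send(data)
                else:  # backend -> client
                    self.listen.sendto(data, upstreams[sock])

def demo():
    """Constructed loopback scenario: two clients, one relay, one echo backend."""
    backend = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    backend.bind(("127.0.0.1", 0))
    backend.settimeout(2)
    relay = UdpRelay(backend.getsockname())
    clients = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2)]
    for i, c in enumerate(clients):
        c.settimeout(2)
        c.sendto(b"hello from client %d" % i, relay.listen.getsockname())
    relay.pump()
    seen = []  # source addresses as the backend observes them
    for _ in clients:
        data, src = backend.recvfrom(2048)
        seen.append(src)
        backend.sendto(data.upper(), src)
    relay.pump()
    replies = [c.recvfrom(2048)[0] for c in clients]
    upstream_addrs = {s.getsockname() for s in relay.sessions.values()}
    return set(seen), upstream_addrs, set(relay.sessions), replies

if __name__ == "__main__":
    print(demo())
```

The only place the real client addresses exist is the relay's session table, so any per-user control on the backend has to key on something carried inside the protocol, such as the unique ID mentioned above.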
 