Minecraft Bedrock Server with Twingate
Host a private Minecraft Bedrock Edition server for Windows, iOS, and Android players without port forwarding.
Console players
The Twingate Client currently does not support console platforms. This guide is tailored for Windows, iOS, Android, and ChromeOS players.
This guide uses Docker Compose and works on any OS. For a native install on a dedicated Linux server, see the Linux version. Running Java Edition instead? See all Minecraft guides or jump to the Java Edition guide.
Overview
Minecraft Bedrock Edition supports cross-platform play between Windows, mobile devices, and consoles. If you want to host your own Bedrock server for friends or family, the typical approach is port forwarding UDP 19132 through your router. That exposes the server to the internet, and scanners will find it.
This guide takes a different approach. You run both the Bedrock server and a Twingate Connector in Docker Compose. The Connector tunnels traffic through Twingate’s network so the port never needs to be public. Players install the Twingate Client and connect using the server’s private IP address.
Architecture
[Player's Device] ↓ Twingate Client[Twingate Cloud] ↓[Twingate Connector] ↓[Bedrock Server — UDP port 19132]The Connector opens an outbound connection to Twingate Cloud. Player traffic routes through this encrypted tunnel. Your router doesn’t need any inbound ports or forwarding rules.
Prerequisites
- A machine with at least 1 GB of RAM, 2 CPU cores, and 10 GB of free disk space. Linux, macOS, and Windows are all supported.
- Docker Engine and Docker Compose installed. If not yet installed, follow Docker’s official install guide.
- A Twingate account with access to the Admin Console. Sign up for free if you do not have one.
- Terminal access to the machine.
Hardware sizing
The Bedrock Dedicated Server is lighter than Java Edition. 1 GB of RAM handles 10 players comfortably. The Twingate Connector adds under 256 MB RAM and negligible CPU.
Step 1: Create a Remote Network and Generate Connector Tokens
- Sign in to the Twingate Admin Console.
- Navigate to Remote Networks.
- Click Add Remote Network. Select a location (e.g., On Premise for a home server). Give it a descriptive name (e.g., “Home Lab” or “Minecraft Network”). Click Add Remote Network.
- From your new Remote Network, click on the undeployed Connector (or click Add Connector to create one).
- Select Docker as the deployment method.
- Click Generate Tokens.
- Authenticate when prompted.
- Copy the Access Token and Refresh Token. You will use these in the next step.
Important
Each Connector requires its own unique Access Token and Refresh Token. Do not reuse token sets across Connectors.
Step 2: Deploy the Bedrock Server and Connector
Create the Docker Compose File
- Open a terminal on the machine.
- Create a project directory and navigate into it:
# macOS / Linuxmkdir -p ~/minecraft-bedrock && cd ~/minecraft-bedrock
# Windows (PowerShell)New-Item -ItemType Directory -Force ~\minecraft-bedrock; cd ~\minecraft-bedrock- Create a file named
docker-compose.yml:
services: bedrock: image: itzg/minecraft-bedrock-server:latest container_name: bedrock-server environment: EULA: "TRUE" SERVER_NAME: "Private Bedrock Server" GAMEMODE: "survival" DIFFICULTY: "normal" MAX_PLAYERS: "10" volumes: - ./data:/data networks: minecraft-net: ipv4_address: 172.30.0.10 restart: unless-stopped
twingate-connector: image: twingate/connector:1 container_name: twingate-connector environment: - TWINGATE_NETWORK=<YOUR_TWINGATE_NETWORK> - TWINGATE_ACCESS_TOKEN=<YOUR_ACCESS_TOKEN> - TWINGATE_REFRESH_TOKEN=<YOUR_REFRESH_TOKEN> networks: - minecraft-net restart: unless-stopped
networks: minecraft-net: ipam: config: - subnet: 172.30.0.0/24EULA
By setting EULA: "TRUE", you agree to the Minecraft End User License Agreement. Review it before proceeding.
Shared bridge network
The Bedrock server and Connector share a user-defined Docker bridge network (minecraft-net). The server is pinned to a fixed address (172.30.0.10) and no port is published to the host. The Connector reaches the server directly over the private bridge.
This approach works identically on Linux, macOS, and Windows. (network_mode: host, by contrast, does not work on Docker Desktop for macOS or Windows because the container joins the Docker VM’s network rather than the host’s.)
Bedrock uses UDP on port 19132. Configure the Twingate Resource as UDP when you reach Step 3.
Start the Containers
- Replace the three placeholder values in
docker-compose.ymlwith your Twingate Network name (e.g.,mynetwork), Access Token, and Refresh Token from Step 1. - Start both containers:
docker compose up -d- Verify both containers are running:
docker compose psBoth bedrock-server and twingate-connector should show status Up.
- Check that the Bedrock server started:
docker compose logs bedrock -fWait until you see Server started. in the logs. Press Ctrl+C to exit the log view.
Verify the Connector
- Return to the Twingate Admin Console.
- Navigate to Remote Networks and select your network.
- Click on the Connector. Verify that the Controller and Relay statuses both show Connected.
Step 3: Add the Bedrock Server as a Resource
Server Address
The Bedrock server is pinned to 172.30.0.10 on the minecraft-net bridge network. That is the address you register as the Twingate Resource. No host IP address lookup needed.
Create the Resource
- In the Twingate Admin Console, navigate to Resources and click Add Resource.
- Select the Remote Network you created in Step 1.
- Configure the Resource:
- Name:
Bedrock Server - Address:
172.30.0.10 - Protocols: UDP port
19132
- Name:
- Click Create Resource.
UDP, not TCP
Bedrock uses UDP on port 19132. If you configure the Resource with TCP by mistake, players will see “Unable to connect to world” even though everything else looks correct.
Assign Access
- After creating the Resource, Twingate prompts you to select which Groups can access it.
- Select the Group that contains your players (the default Everyone Group works for getting started) and click Grant Access.
To limit access to specific people, create a dedicated Group (e.g., “Minecraft Players”) instead. This is covered in Step 5.
Step 4: Connect Players
This section covers what each player needs to do on their device. Console players (Xbox, PlayStation, Switch) can’t use Twingate.
Install the Twingate Client
- Windows: twingate.com/download
- iOS: App Store, search “Twingate”
- Android: Play Store, search “Twingate”
- ChromeOS: Play Store, search “Twingate”
Sign In and Connect
- Open the Twingate Client.
- Enter your Twingate Network address (e.g.,
https://{network_name}.twingate.com). - Sign in with the account the server admin invited you with.
- The Client connects and the Bedrock Server Resource appears in the Resource list.
Add the Server in Minecraft
- Open Minecraft Bedrock Edition.
- Tap Play, then go to the Servers tab.
- Scroll to the bottom and tap Add Server.
- Enter
172.30.0.10as the Server Address and19132as the Port. - Tap Save, then tap the server to join.
You're in!
Players connect using 172.30.0.10 through the Twingate tunnel. The server is never exposed to the public internet.
Twingate must stay connected
The Twingate Client must be running and connected for the duration of the Minecraft session. If a player disconnects from Twingate, they lose access to the server.
Step 5: Manage Player Access
Instead of managing server-side allowlists, you can use Twingate Groups to control who can connect.
Invite Players to Twingate
- In the Admin Console, navigate to Team and click Add User.
- Enter the player’s email address. Repeat for each player.
- Each player receives an email invitation to create their Twingate account.
Create a Minecraft Players Group
- Navigate to Groups and click Add Group.
- Name it
Minecraft Players. - Add the users who should have access to the server.
Assign the Group to the Resource
- Navigate to Resources and select Bedrock Server.
- Under Access, remove the Everyone Group (if assigned) and add the Minecraft Players Group.
- Only users in the Minecraft Players Group can now reach the server.
Revoking access
To remove a player’s access, remove them from the Minecraft Players Group in the Admin Console. Their Twingate Client immediately loses the route to the server.
Customizing the Server
Common Configuration Options
Adjust the Bedrock server by changing environment variables in docker-compose.yml:
| Variable | Default | Description |
|---|---|---|
SERVER_NAME | Dedicated Server | Server name shown in the server list |
GAMEMODE | survival | survival, creative, adventure |
DIFFICULTY | easy | peaceful, easy, normal, hard |
MAX_PLAYERS | 10 | Maximum concurrent players |
ALLOW_CHEATS | false | Enable commands for players |
LEVEL_SEED | (random) | World seed for generation |
LEVEL_NAME | Bedrock level | World folder name |
SERVER_PORT | 19132 | UDP port the server listens on |
VERSION | LATEST | Bedrock server version (e.g., 1.21.30.03) |
After making changes, restart the containers:
docker compose down && docker compose up -dFor the full list of configuration options, see the itzg/minecraft-bedrock-server documentation.
Troubleshooting
“Unable to Connect to World”
This is the most common Bedrock error. Work through these checks:
- Is the Twingate Client showing Connected on the player’s device?
- Does the Bedrock Server Resource appear in the player’s Twingate Client Resource list? If not, check Group membership.
- Is the Resource configured for UDP port
19132? A TCP-only Resource will not work. Check the Resource settings in the Admin Console. - Is the server running?
docker compose psshould showbedrock-serverwith statusUp. - Does the IP address and port in Minecraft match
172.30.0.10and port19132?
Server Starts but Crashes
- Check the server logs:
docker compose logs bedrock. - The Bedrock Dedicated Server is an x86_64 (AMD64) binary, but the
itzg/minecraft-bedrock-serverimage is multi-architecture and bundles an emulation layer (box64), so it runs on ARM machines, including Apple Silicon Macs and the Raspberry Pi, without any extra setup. Emulation adds some CPU overhead, so on low-powered ARM hardware (e.g., a Raspberry Pi) keep the player count modest. If you do see architecture orexec formaterrors, make sure Docker pulled the image for your platform (docker pull itzg/minecraft-bedrock-server:latest) rather than a pinned x86-only tag. - If the server runs out of memory, increase the host machine’s available RAM. The Bedrock server itself does not have a configurable heap size like Java Edition.
Connector Shows Offline in Admin Console
- Are the
TWINGATE_NETWORK,TWINGATE_ACCESS_TOKEN, andTWINGATE_REFRESH_TOKENvalues correct indocker-compose.yml? - Does the host machine have outbound internet access? The Connector needs to reach Twingate Cloud.
- Check the Connector logs for errors:
docker compose logs twingate-connector.
Console Players Cannot Connect
Xbox, PlayStation, and Nintendo Switch do not have a Twingate Client. Players on those platforms cannot connect through Twingate. They can connect only if they are on the same local network as the server, without going through Twingate.
Next Steps
- Minecraft Java Edition guide: If some of your players use Java Edition, set up a Java server alongside this one.
- Resources: Learn more about configuring Twingate Resources, including wildcard DNS and CIDR-based Resources.
- Security Policies: Add multi-factor authentication or device trust requirements for players connecting to your server.
- Protect Your Home Lab: Extend Twingate to secure other services running on your home network.
Have questions or want to share your setup? Join us on the community subreddit.
Last updated 6 days ago