Minecraft Bedrock Server with Twingate (Linux)

Host a private Bedrock Edition server on bare-metal Linux for Windows, iOS, and Android players.

Console players

The Twingate Client currently does not support console platforms. This guide is tailored for Windows, iOS, Android, and ChromeOS players.

Prefer Docker? See the Docker-based Bedrock guide. Running Java Edition instead? See all Minecraft guides or jump to the Java Edition guide.

Overview

Minecraft Bedrock Edition supports cross-platform play between Windows, mobile devices, and consoles. If you want to host your own Bedrock server for friends or family, the typical approach is port forwarding UDP 19132 through your router. That exposes the server to the internet, and scanners will find it.

This guide takes a different approach. You install the Bedrock Dedicated Server directly on Linux and run the Twingate Connector alongside it. The Connector tunnels traffic through Twingate’s network so the port never needs to be public. Players install the Twingate Client and connect using the server’s private IP address.

Architecture

[Player's Device]
     ↓ Twingate Client
[Twingate Cloud]
     ↓
[Twingate Connector]
     ↓
[Bedrock Server — UDP port 19132]

The Connector opens an outbound connection to Twingate Cloud. Player traffic routes through this encrypted tunnel. Your router doesn’t need any inbound ports or forwarding rules.

Prerequisites

A Linux machine (physical or virtual) with at least 1 GB of RAM, 2 CPU cores, and 10 GB of free disk space. Ubuntu 22.04, Ubuntu 24.04, and Debian 12 are tested.
The machine must be x86_64 (AMD64) architecture. The Bedrock Dedicated Server is an x86_64-only binary and does not run natively on ARM processors (Raspberry Pi, Apple Silicon).
A Twingate account with access to the Admin Console. Sign up for free if you do not have one.
SSH or terminal access to the Linux machine.

Hardware sizing

The Bedrock Dedicated Server is lighter than Java Edition. 1 GB of RAM handles 10 players comfortably. The Twingate Connector adds under 256 MB RAM and negligible CPU.

Running on ARM (Raspberry Pi, Apple Silicon)?

This native install needs x86_64 hardware. If your server is ARM-based, use the Docker-based Bedrock guide instead. Its container image bundles an emulation layer (box64) that runs the x86_64 Bedrock binary transparently on ARM, with some CPU overhead.

Step 1: Create a Remote Network and Generate Connector Tokens

Sign in to the Twingate Admin Console.
Navigate to Remote Networks.
Click Add Remote Network. Select a location (e.g., On Premise for a home server). Give it a descriptive name (e.g., “Home Lab” or “Minecraft Network”). Click Add Remote Network.
From your new Remote Network, click on the undeployed Connector (or click Add Connector to create one).
Select Linux as the deployment method.
Click Generate Tokens.
Authenticate when prompted.
Copy the Access Token and Refresh Token. You will use these in Step 2.

Important

Each Connector requires its own unique Access Token and Refresh Token. Do not reuse token sets across Connectors.

Step 2: Install and Configure the Bedrock Server

Create the Minecraft User and Directory

SSH into the Linux machine.
Create a dedicated system user and directory for the Bedrock server:

sudo useradd -r -m -d /opt/minecraft-bedrock -s /bin/bash minecraft
sudo mkdir -p /opt/minecraft-bedrock/server
sudo chown -R minecraft:minecraft /opt/minecraft-bedrock

Install Dependencies

Update the package list and install required libraries:

sudo apt update
sudo apt install -y curl unzip libcurl4 openssl

Download the Bedrock Dedicated Server

Visit the Bedrock server download page to find the current Ubuntu download link. The URL changes with each release. Copy the link labeled “Ubuntu (Linux)“.
Download and extract the server binary (replace DOWNLOAD_URL_FROM_MINECRAFT_NET with the link you copied):

sudo -u minecraft bash -c 'cd /opt/minecraft-bedrock/server && \
  curl -L -o bedrock-server.zip "DOWNLOAD_URL_FROM_MINECRAFT_NET" && \
  unzip -o bedrock-server.zip && \
  rm bedrock-server.zip'

EULA

By downloading the Bedrock Dedicated Server, you agree to the Minecraft End User License Agreement. Review it before proceeding.

Configure the Server

The extraction creates a file named server.properties. Open it for editing:

sudo -u minecraft nano /opt/minecraft-bedrock/server/server.properties

Adjust these settings as needed:
- server-name: The name shown in the server list (e.g., Private Bedrock Server)
- gamemode: survival, creative, or adventure
- difficulty: peaceful, easy, normal, or hard
- max-players: Maximum concurrent players (default is 10)
- server-port: Leave as 19132
Save and exit (press Ctrl+X, then Y, then Enter).

Create a systemd Service

Create a systemd service file to run the server automatically:

sudo nano /etc/systemd/system/minecraft-bedrock.service

Paste the following content:

[Unit]
Description=Minecraft Bedrock Edition Server
After=network.target

[Service]
User=minecraft
Group=minecraft
WorkingDirectory=/opt/minecraft-bedrock/server
ExecStart=/opt/minecraft-bedrock/server/bedrock_server
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal
SyslogIdentifier=minecraft-bedrock
Environment=LD_LIBRARY_PATH=/opt/minecraft-bedrock/server

[Install]
WantedBy=multi-user.target

Save and exit.

Start the Server

Reload systemd, enable the service to start on boot, and start the server:

sudo systemctl daemon-reload
sudo systemctl enable --now minecraft-bedrock

Verify the server started:

sudo journalctl -u minecraft-bedrock -f

Wait until you see Server started. in the logs. Press Ctrl+C to exit the log view.

Install the Twingate Connector

Run the Twingate Connector installation script. Replace <YOUR_ACCESS_TOKEN>, <YOUR_REFRESH_TOKEN>, and <YOUR_TWINGATE_NETWORK> with the values from Step 1:

curl "https://binaries.twingate.com/connector/setup.sh" | \
  sudo TWINGATE_ACCESS_TOKEN="<YOUR_ACCESS_TOKEN>" \
  TWINGATE_REFRESH_TOKEN="<YOUR_REFRESH_TOKEN>" \
  TWINGATE_NETWORK="<YOUR_TWINGATE_NETWORK>" \
  bash

Verify the Connector is running:

sudo systemctl status twingate-connector

The output should show active (running).

Verify the Connector

Return to the Twingate Admin Console.
Navigate to Remote Networks and select your network.
Click on the Connector. Verify that the Controller and Relay statuses both show Connected.

Step 3: Add the Bedrock Server as a Resource

Find Your Server’s Private IP Address

On the Linux machine, run:

hostname -I | awk '{print $1}'

Note the IP address (e.g., 192.168.1.50).

Create the Resource

In the Twingate Admin Console, navigate to Resources and click Add Resource.
Select the Remote Network you created in Step 1.
Configure the Resource:
- Name: Bedrock Server
- Address: Your server’s private IP address (e.g., 192.168.1.50)
- Protocols: UDP port 19132
Click Create Resource.

UDP, not TCP

Bedrock uses UDP on port 19132. If you configure the Resource with TCP by mistake, players will see “Unable to connect to world” even though everything else looks correct.

Assign Access

After creating the Resource, Twingate prompts you to select which Groups can access it.
Select the Group that contains your players (the default Everyone Group works for getting started) and click Grant Access.

To limit access to specific people, create a dedicated Group (e.g., “Minecraft Players”) instead. This is covered in Step 5.

Step 4: Connect Players

This section covers what each player needs to do on their device. Console players (Xbox, PlayStation, Switch) can’t use Twingate.

Install the Twingate Client

Windows: twingate.com/download
iOS: App Store, search “Twingate”
Android: Play Store, search “Twingate”
ChromeOS: Play Store, search “Twingate”

Open the Twingate Client.
Enter your Twingate Network address (e.g., yournetwork.twingate.com).
Sign in with the account the server admin invited you with.
The Client connects and the Bedrock Server Resource appears in the Resource list.

Add the Server in Minecraft

Open Minecraft Bedrock Edition.
Tap Play, then go to the Servers tab.
Scroll to the bottom and tap Add Server.
Enter the server’s private IP address as the Server Address (e.g., 192.168.1.50) and 19132 as the Port.
Tap Save, then tap the server to join.

You're in!

Players connect using the server’s private IP address as if they were on the same local network. The server stays off the public internet.

Twingate must stay connected

The Twingate Client must be running and connected for the duration of the Minecraft session. If a player disconnects from Twingate, they lose access to the server.

Step 5: Manage Player Access

Instead of managing server-side allowlists, you can use Twingate Groups to control who can connect.

Invite Players to Twingate

In the Admin Console, navigate to Team and click Add User.
Enter the player’s email address. Repeat for each player.
Each player receives an email invitation to create their Twingate account.

Create a Minecraft Players Group

Navigate to Groups and click Add Group.
Name it Minecraft Players.
Add the users who should have access to the server.

Assign the Group to the Resource

Navigate to Resources and select Bedrock Server.
Under Access, remove the Everyone Group (if assigned) and add the Minecraft Players Group.
Only users in the Minecraft Players Group can now reach the server.

Revoking access

To remove a player’s access, remove them from the Minecraft Players Group in the Admin Console. Their Twingate Client immediately loses the route to the server.

Customizing the Server

Common Configuration Options

Adjust the Bedrock server by editing /opt/minecraft-bedrock/server/server.properties:

Property	Default	Description
`server-name`	`Dedicated Server`	Server name shown in the server list
`server-port`	`19132`	UDP port the server listens on
`gamemode`	`survival`	`survival`, `creative`, `adventure`
`difficulty`	`easy`	`peaceful`, `easy`, `normal`, `hard`
`max-players`	`10`	Maximum concurrent players
`allow-cheats`	`false`	Enable commands for players
`level-seed`	(empty)	World seed for generation
`level-name`	`Bedrock level`	World folder name
`view-distance`	`32`	Max render distance in chunks
`tick-distance`	`4`	Simulation distance (4-12)
`online-mode`	`true`	Validate Xbox Live accounts

After making changes, restart the server:

sudo systemctl restart minecraft-bedrock

For additional options, see the Official Bedrock Dedicated Server Wiki.

Troubleshooting

“Unable to Connect to World”

This is the most common Bedrock error. Work through these checks:

Is the Twingate Client showing Connected on the player’s device?
Does the Bedrock Server Resource appear in the player’s Twingate Client Resource list? If not, check Group membership.
Is the Resource configured for UDP port 19132? A TCP-only Resource will not work. Check the Resource settings in the Admin Console.
Is the server running? sudo systemctl status minecraft-bedrock should show active (running).
Does the IP address and port in Minecraft match the server’s actual private IP address and port 19132?

Server Fails to Start

Check the service status: sudo systemctl status minecraft-bedrock.
View detailed logs: sudo journalctl -u minecraft-bedrock -n 100.
If the logs mention architecture errors or missing libraries, confirm the server is running on x86_64 (AMD64). The native binary does not run on ARM-based machines (Raspberry Pi, Apple Silicon). On ARM hardware, use the Docker-based Bedrock guide instead. Its image bundles box64 emulation to run the x86_64 binary.
If the server complains about missing .so files, reinstall dependencies: sudo apt install --reinstall libcurl4 openssl.

Port Already in Use

If you see “Cannot bind to port” in the logs:

Another process is using UDP 19132. Find it with:

sudo ss -ulpn | grep 19132

Stop the conflicting process or change the Bedrock server port in server.properties and the Twingate Resource.

Permission Errors

If the server fails to write world data:

Verify ownership: ls -ld /opt/minecraft-bedrock/server
The directory and all files inside should be owned by minecraft:minecraft. Fix with:

sudo chown -R minecraft:minecraft /opt/minecraft-bedrock

Connector Shows Offline in Admin Console

Are the TWINGATE_NETWORK, TWINGATE_ACCESS_TOKEN, and TWINGATE_REFRESH_TOKEN values correct?
Does the host machine have outbound internet access? The Connector needs to reach Twingate Cloud.
Check the Connector logs: sudo journalctl -u twingate-connector -n 100.

Console Players Cannot Connect

Xbox, PlayStation, and Nintendo Switch do not have a Twingate Client. Players on those platforms cannot connect through Twingate. They can connect only if they are on the same local network as the server, without going through Twingate.

Next Steps

Minecraft Java Edition guide: If some of your players use Java Edition, set up a Java server alongside this one.
Docker-based Bedrock guide: If you prefer containerized deployments, use the Docker version.
Resources: Learn more about configuring Twingate Resources, including wildcard DNS and CIDR-based Resources.
Security Policies: Add multi-factor authentication or device trust requirements for players connecting to your server.
Deploy a Second Connector: Add a second Connector for high availability.
Protect Your Home Lab: Extend Twingate to secure other services running on your home network.

Have questions or want to share your setup? Join us on the community subreddit.

Last updated 7 days ago