Minecraft Server with Twingate
Host a private Minecraft server accessible only to invited players, with no port forwarding required.
This guide covers vanilla Java Edition using Docker Compose and works on any OS. For a native install on a dedicated Linux server, see the Linux version. See all Minecraft guides to compare editions, or jump to Bedrock or Forge (modded).
Overview
Running a Minecraft server for friends or family usually means port forwarding through your router. That works, but it exposes port 25565 to the entire internet. Automated scanners find open Minecraft ports within minutes, and your home IP address is visible to everyone who connects.
This guide takes a different approach. You run both the Minecraft server and a Twingate Connector in Docker Compose. The Connector creates an outbound-only encrypted tunnel to Twingate’s network, and players install the Twingate Client to connect using the server’s private IP address, as if they were on your local network. The port never touches the public internet.
Architecture
```
[Player's Device]
        ↓ Twingate Client
[Twingate Cloud]
        ↓
[Twingate Connector]
        ↓
[Minecraft Server — port 25565]
```
The Twingate Connector on your server opens an outbound connection to Twingate Cloud. When players connect, their traffic routes through this encrypted tunnel. Your router doesn’t need any inbound ports or forwarding rules.
Why not port forwarding?
Port forwarding makes your server discoverable by anyone on the internet. With Twingate, there are no listening ports for scanners to find. Players authenticate through Twingate before traffic ever reaches your network.
Prerequisites
- A machine with at least 2 GB of RAM, 2 CPU cores, and 10 GB of free disk space. Linux, macOS, and Windows are all supported.
- Docker Engine and Docker Compose installed. If not yet installed, follow Docker’s official install guide.
- A Twingate account with access to the Admin Console. Sign up for free if you do not have one.
- Terminal access to the machine.
Hardware sizing
A vanilla Minecraft server for up to 10 players runs comfortably on 2 GB of RAM. If you plan to add mods or host more players, allocate 4 GB or more. Modded setups vary widely. A heavy modpack can need 6-8 GB or more, so raise the MEMORY value to match the pack and make sure the host has that much RAM free. The Twingate Connector adds minimal overhead (under 256 MB RAM, negligible CPU).
Step 1: Create a Remote Network and Generate Connector Tokens
- Sign in to the Twingate Admin Console.
- Navigate to Remote Networks.
- Click Add Remote Network. Select a location (e.g., On Premise for a home server). Give it a descriptive name (e.g., “Home Lab” or “Minecraft Network”). Click Add Remote Network.
- From your new Remote Network, click on the undeployed Connector (or click Add Connector to create one).
- Select Docker as the deployment method.
- Click Generate Tokens.
- Authenticate when prompted.
- Copy the Access Token and Refresh Token. You will use these in the next step.
Important
Each Connector requires its own unique Access Token and Refresh Token. Do not reuse token sets across Connectors.
Step 2: Deploy the Minecraft Server and Connector
Create the Docker Compose File
- Open a terminal on the machine.
- Create a project directory and navigate into it:

```bash
# macOS / Linux
mkdir -p ~/minecraft-server && cd ~/minecraft-server
```

```powershell
# Windows (PowerShell)
New-Item -ItemType Directory -Force ~\minecraft-server; cd ~\minecraft-server
```

- Create a file named `docker-compose.yml`:

```yaml
services:
  minecraft:
    image: itzg/minecraft-server:latest
    container_name: minecraft-server
    environment:
      EULA: "TRUE"
      MEMORY: "2G"
      TYPE: "VANILLA"
      VERSION: "LATEST"
      DIFFICULTY: "normal"
      MAX_PLAYERS: "10"
      MOTD: "Private Minecraft Server"
    volumes:
      - ./data:/data
    networks:
      minecraft-net:
        ipv4_address: 172.30.0.10
    restart: unless-stopped

  twingate-connector:
    image: twingate/connector:1
    container_name: twingate-connector
    environment:
      - TWINGATE_NETWORK=<YOUR_TWINGATE_NETWORK>
      - TWINGATE_ACCESS_TOKEN=<YOUR_ACCESS_TOKEN>
      - TWINGATE_REFRESH_TOKEN=<YOUR_REFRESH_TOKEN>
    networks:
      - minecraft-net
    restart: unless-stopped

networks:
  minecraft-net:
    ipam:
      config:
        - subnet: 172.30.0.0/24
```

EULA
By setting EULA: "TRUE", you agree to the Minecraft End User License Agreement. Review it before proceeding.
About itzg/minecraft-server
itzg/minecraft-server is a popular community Docker image. It installs Java, downloads the server JAR, and applies your configuration through environment variables. Supports Vanilla, Paper, Forge, and Fabric.
Start the Containers
- Replace the three placeholder values in `docker-compose.yml` with your Twingate Network name (e.g., `mynetwork`), Access Token, and Refresh Token from Step 1.
- Start both containers:

```bash
docker compose up -d
```

- Verify both containers are running:

```bash
docker compose ps
```

Both minecraft-server and twingate-connector should show status Up.
- Check that the Minecraft server finished generating the world:

```bash
docker compose logs minecraft -f
```

Wait until you see a log line containing For help, type "help". The full line looks like Done (1.5s)! For help, type "help", though the exact startup time varies by version and hardware. Press Ctrl+C to exit the log view.
Verify the Connector
- Return to the Twingate Admin Console.
- Navigate to Remote Networks and select your network.
- Click on the Connector. Verify that the Controller and Relay statuses both show Connected.
How the Connector reaches Minecraft
Both containers share the private minecraft-net bridge network. The Minecraft server is fixed at 172.30.0.10 on that network, and the Connector reaches it there directly. No port is published to the host, so nothing is bound on your LAN or exposed to the internet.
This bridge-based setup works identically on Linux, macOS, and Windows. (network_mode: host is not used here because it does not work correctly on Docker Desktop for macOS or Windows.)
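The "no port is published" property can be checked against the running containers rather than taken on trust. The script below is an added example, not part of the original guide: it reads `docker inspect` output and flags any container that publishes a host port or uses host networking. The sample lines, including the `minecraft-published` container, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit host exposure of the containers from this guide.
# Against a live deployment, feed it real data with:
#   docker inspect --format "$FORMAT" minecraft-server twingate-connector | audit_exposure
FORMAT='{{.Name}} {{.HostConfig.NetworkMode}} {{json .NetworkSettings.Ports}}'

# Reads "<name> <network_mode> <ports_json>" lines on stdin.
# Prints one line per finding; returns 0 when nothing is exposed, 1 otherwise.
audit_exposure() {
    findings=0
    while read -r name mode ports; do
        [ -n "$name" ] || continue
        name=${name#/}                      # docker reports names as "/name"
        if [ "$mode" = "host" ]; then
            echo "EXPOSED $name uses network_mode: host"
            findings=$((findings + 1))
        fi
        # An exposed-but-unpublished port is null; a published one has a HostPort.
        case $ports in
            *'"HostPort":"'[0-9]*)
                echo "EXPOSED $name publishes a host port: $ports"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample. The first two lines are what the compose file in this
# guide should produce; the third is what a stray `ports: ["25565:25565"]`
# entry would look like.
SAMPLE='/minecraft-server minecraft-server_minecraft-net {"25565/tcp":null}
/twingate-connector minecraft-server_minecraft-net {}
/minecraft-published bridge {"25565/tcp":[{"HostIp":"0.0.0.0","HostPort":"25565"}]}'

printf '%s\n' "$SAMPLE" | audit_exposure \
    || echo "Remove the published port before inviting players."
```

A non-zero exit status makes the function usable as a gate in a deployment script or a scheduled check.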
Step 3: Add the Minecraft Server as a Resource
Find Your Server’s Address
The Minecraft server is already assigned a fixed address on the Docker network: 172.30.0.10. You will use this address when creating the Twingate Resource. No host IP address lookup is required.
Create the Resource
- In the Twingate Admin Console, navigate to Resources and click Add Resource.
- Select the Remote Network you created in Step 1.
- Configure the Resource:
  - Name: `Minecraft Server`
  - Address: `172.30.0.10`
  - Protocols: TCP port `25565`
- Click Create Resource.
TCP only
Minecraft Java Edition uses TCP on port 25565. Unlike Bedrock Edition (which uses UDP on port 19132), no UDP ports need to be configured.
Assign Access
- After creating the Resource, Twingate prompts you to select which Groups can access it.
- Select the Group that contains your players (the default Everyone Group works for getting started) and click Grant Access.
To limit access to specific people, create a dedicated Group (e.g., “Minecraft Players”) instead. This is covered in Step 5.
Step 4: Connect Players
This section covers what each player needs to do on their own device.
Install the Twingate Client
Each player installs the Twingate Client on the device they play Minecraft from:
- Windows / macOS: twingate.com/download
- Linux: Linux Client install guide
- iOS: App Store, search “Twingate”
- Android: Play Store, search “Twingate”
- ChromeOS: Play Store, search “Twingate”
Sign In and Connect
- Open the Twingate Client.
- Enter your Twingate Network address (e.g., `yournetwork.twingate.com`).
- Sign in with the account the server admin invited you with.
- The Client connects and the Minecraft Server Resource appears in the Resource list.
Add the Server in Minecraft
- Open Minecraft Java Edition.
- Click Multiplayer, then Add Server.
- Enter `172.30.0.10` as the Server Address.
- Click Done, then select the server and click Join Server.
You're in!
Players connect to 172.30.0.10 through the Twingate tunnel. That address is the server’s fixed location on the private Docker network, routed through the Connector. No public IP address or DNS setup is needed. Minecraft defaults to port 25565, so the address alone is enough.
Twingate must stay connected
The Twingate Client must be running and connected for the duration of the Minecraft session. If a player disconnects from Twingate, they lose access to the server.
Step 5: Manage Player Access
Instead of managing Minecraft allowlists or editing banned-players.json, you can use Twingate Groups to control who can connect.
Invite Players to Twingate
- In the Admin Console, navigate to Team and click Add User.
- Enter the player’s email address. Repeat for each player.
- Each player receives an email invitation to create their Twingate account.
Create a Minecraft Players Group
- Navigate to Groups and click Add Group.
- Name it `Minecraft Players`.
- Add the users who should have access to the server.
Assign the Group to the Resource
- Navigate to Resources and select Minecraft Server.
- Under Access, remove the Everyone Group (if assigned) and add the Minecraft Players Group.
- Only users in the Minecraft Players Group can now reach the server.
Revoking access
To remove a player’s access, remove them from the Minecraft Players Group in the Admin Console. Their Twingate Client immediately loses the route to the server.
Customizing the Server
Common Configuration Options
Adjust the Minecraft server by changing environment variables in docker-compose.yml:
| Variable | Default | Description |
|---|---|---|
| MEMORY | 2G | Java heap size |
| TYPE | VANILLA | Server type: VANILLA, PAPER, FORGE, FABRIC |
| VERSION | LATEST | Minecraft version (e.g., 1.21.1) |
| DIFFICULTY | normal | peaceful, easy, normal, hard |
| MAX_PLAYERS | 10 | Maximum concurrent players |
| MOTD | (none) | Message shown in the server browser |
| OPS | (none) | Comma-separated player usernames to grant operator status |
| SEED | (random) | World seed for generation |
After making changes, restart the containers:
```bash
docker compose down && docker compose up -d
```

For the full list of configuration options, see the itzg/minecraft-server documentation.
Troubleshooting
Players Cannot Connect to the Server
- Is the Twingate Client’s connection toggle green?
- Does the Minecraft Server Resource appear in the player’s Twingate Client Resource list? If not, check that the player’s user account is in the correct Group.
- Is the server running? `docker compose ps` should show both containers with status `Up`.
- Does the address entered in Minecraft match the Resource address configured in Twingate (`172.30.0.10`)?
- Is the player using Minecraft Java Edition? Bedrock Edition uses a different protocol and port.
Server Starts but Crashes
- Check the server logs: `docker compose logs minecraft`.
- The most common cause is insufficient memory. Increase the `MEMORY` environment variable in `docker-compose.yml` and ensure the host machine has enough free RAM.
- If using mods (Forge/Fabric), verify mod compatibility with the server version.
Connector Shows Offline in Admin Console
- Verify the `TWINGATE_NETWORK`, `TWINGATE_ACCESS_TOKEN`, and `TWINGATE_REFRESH_TOKEN` values are correct in `docker-compose.yml`.
- Check that the host machine has outbound internet access (the Connector needs to reach Twingate Cloud).
- Check Connector logs: `docker compose logs twingate-connector`.
World Data or Configuration Lost
- The `volumes: ./data:/data` mapping persists world data to the `~/minecraft-server/data` directory on the host. If this directory is deleted or the volume mount is removed from the compose file, data is lost.
- Back up the `data` directory periodically.
Next Steps
- Resources: Learn more about configuring Twingate Resources, including wildcard DNS and CIDR-based Resources.
- Security Policies: Add multi-factor authentication or device trust requirements for players connecting to your server.
- Protect Your Home Lab: Extend Twingate to secure other services running on your home network.
Have questions or want to share your setup? Join us on the community subreddit.