mojira.dev

FelixTECH_MSP

Assigned

No issues.

Reported

MC-253237 "Failed to verify username" error prevents playing on some servers and LAN Works As Intended

Comments

I was completely unable to find any information about IP validation or how to enable/disable it or find out what the current status is.
I would appreciate it if there would be any documentation available on this feature.

Server and client have different public IP addresses.

Both server and client are in a different private class B subnet which is connected via site-to-site OpenVPN with tunnel interface IPs in the private A range (constellation is server runs in datacenter and client runs at different location within the company's internal network).

Initially prevent-proxy-connections was true. Setting it to false solved the issue.
In older Minecraft versions this has never been a problem when enabled (I can't tell which version was the first that changed that). So I assume the behaviour of this feature has also been changed in the past.

Steps to reproduce:

  1. Start a Minecraft server on any OS with 1 network adapter that has a private IPv4 address.

  2. NAT a public IPv4 on the router to the private IP of the server.

  3. Connect a Minecraft client to the local network the server is in or any different local network as long as there are only hops with private IPv4 interface addresses between client and server.

  4. Connect in Minecraft to the server using the local IP of the server = does not work

  5. Connect in Minecraft to the server using the public IP of the server = does work

After a deeper check into the TLS traffic I found out there is an API call to https://sessionserver.mojang.com/session/minecraft/join containing JSON with fields accessToken, selectedProfile, serverId. The response to this request is a 204 No Content HTTP status with an empty body.

According to the API documentation (https://wiki.vg/Protocol_Encryption#Client) a 204 status is success and a 403 status is failure.

During testing in a network accepted by Minecraft and a network not accepted by Minecraft the selectedProfile and accessToken stayed the same. But the serverId has changed.

I have found that a network is not accepted when none of the hops between client and server have interface IP addresses outside the private ranges.

Workaround is therefore to have at least one hop with a public IP address between client and server.