ARK Private Server Port Forward Setup

a guest
Jun 8th, 2015
I've dug this forum six ways to Sunday trying to get it figured out. A dozen half/badly written wiki pages, various people with seemingly random success stories, etc. I've finally got it nailed down, working, and repeatable. Here's the scoop on how to have the ARK server running on your PC, along with a game session connected to it (from the same PC), and allowing external connections from both LAN and internet.

HOW TO: (version 171.74)

STEP 1

As other people have referenced around the web, having a server startup .bat file is helpful/essential. Here's mine, executed from:

$STEAM_INSTALL_DIR$\steamapps\common\ARK\ShooterGame\Binaries\Win64\ARKServerStart.bat

[code]
rem Start the dedicated server; replace ConnectPass and AdminPass with your own passwords.
start ShooterGameServer.exe TheIsland?QueryPort=27015?SessionName=GenericSessionName?MaxPlayers=10?listen?ServerPassword=ConnectPass?ServerAdminPassword=AdminPass? -nosteamclient -game -server -log
exit
[/code]

Sadly, I do NOT know what good the extra command options at the end do, since they don't seem to have made much impact in previous attempts (-nosteamclient, -game, -server, -log). But for right now they don't make the setup fail so I'm leaving them in.

STEP 2 - Windows firewall

Accept it if prompted by Windows to allow traffic through the firewall for 'shootergameserver.exe'. Full disclosure - I'm not sure if this next step makes an impact but it certainly can't hurt; as mentioned earlier, this is how I'm set up and it's functional for both LAN connections and internet.

Open Windows Firewall in the Control Panel and click 'Advanced settings' near the bottom of the left-side pane. Click on 'Inbound Rules' and then 'New Rule' in the right pane, then select Port -> UDP -> Specific local ports (enter '7777, 7778, 27015') -> Allow the connection -> (check all boxes) -> name it what you want (I did 'ARK: Server Ports' just so it gets grouped with the other game entries) -> FINISH

This much configuration allowed LAN connections to join my sessions just fine. So if all you want is LAN, you're done with configuration.

STEP 3 - Internet connection

This will vary depending on your equipment. I personally run a Linux server in my closet with iptables and masquerading/NAT, but the ports are still entirely relevant even if the exact instructions are not. ANYWAY..

While I was trying to figure out why my LAN connections worked but internet did not, I went through the trouble of doing tcpdump captures on the firewall box and Wireshark on my Windows system. What I found is that it seems like the game client does a port-knocking technique before the server answers. Every time my LAN client would look for the server it would hit things in the following order:

[code]
$CLIENT QUERY SERVER$ -> 27015, 26900, 27016, 26901, 27017, 26902, 27018, 26903, 27019, 26904, 27020, 26905, 4242, 27215 -> $SERVER FINALLY RESPONDS$
[/code]

After that last magical '27215' my server would talk back via 27015 and they'd negotiate the password/auth and login. Long story short - I enabled/forwarded these ports to my PC running the server (ALL UDP):

4242
7777-7778
26900-26905
27015-27020
27215

For a point/click interface on your average internet gateway device this should be fairly simple - read your manuals. For my fellow Linux admins out there, here's my iptables ruleset:

NOTE-1 - eth2 is my internet-facing device, eth0 is my private network device. Obviously swap your own PC's IP in for the 192.168.1.15 below.

NOTE-2 - my firewall is white-list only, so I have a default traffic drop rule at the end. If yours is the other way around (accept all, blacklist specific things like http and telnet), make sure you don't have these ports blocked by one of your rules, and modify accordingly.

[code]
# Accept the game's UDP ports when they arrive on the internet-facing interface (eth2)
iptables -A INPUT -i eth2 -p udp -m udp --dport 4242 -j ACCEPT
iptables -A INPUT -i eth2 -p udp -m udp --dport 7777:7778 -j ACCEPT
iptables -A INPUT -i eth2 -p udp -m udp --dport 26900:26905 -j ACCEPT
iptables -A INPUT -i eth2 -p udp -m udp --dport 27015:27020 -j ACCEPT
iptables -A INPUT -i eth2 -p udp -m udp --dport 27215 -j ACCEPT
[/code]

NOTE-3 - the above just allows the traffic to hit your world-facing IP without getting dropped. Now we need to allow it to traverse networks with these 'FORWARD' rules (again, because I have a white-list only firewall, any traffic not explicitly allowed is dropped):

[code]
# Let the same UDP ports pass through the firewall to the game PC (192.168.1.15)
iptables -A FORWARD -i eth2 -p udp --destination-port 4242 -d 192.168.1.15 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp --destination-port 7777:7778 -d 192.168.1.15 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp --destination-port 26900:26905 -d 192.168.1.15 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp --destination-port 27015:27020 -d 192.168.1.15 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp --destination-port 27215 -d 192.168.1.15 -j ACCEPT
[/code]

NOTE-4 - and finally - you need to set up NAT rules to mangle packets so they know how to travel properly to your PC and then have a legitimate return path once they are done. Replace aa.bb.cc.dd with whatever your world-facing IP is.

[code]
# Rewrite the destination of packets sent to the public IP so they reach the game PC
iptables -t nat -A PREROUTING -p udp -d aa.bb.cc.dd --dport 4242 -j DNAT --to-destination 192.168.1.15
iptables -t nat -A PREROUTING -p udp -d aa.bb.cc.dd --dport 7777:7778 -j DNAT --to-destination 192.168.1.15
iptables -t nat -A PREROUTING -p udp -d aa.bb.cc.dd --dport 26900:26905 -j DNAT --to-destination 192.168.1.15
iptables -t nat -A PREROUTING -p udp -d aa.bb.cc.dd --dport 27015:27020 -j DNAT --to-destination 192.168.1.15
iptables -t nat -A PREROUTING -p udp -d aa.bb.cc.dd --dport 27215 -j DNAT --to-destination 192.168.1.15
[/code]
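
The forwarded port list can be derived mechanically from the probe order seen in the capture. The script below is an added example, not part of the original post: it collapses the observed ports (plus game ports 7777-7778) into ranges, checks whether a given port is covered, and prints the three rule shapes used above for review without running them. The function and variable names are assumptions of this example; the interface and addresses are the ones used on this page.

```sh
#!/bin/sh
# Added example (not the original author's script). Prints rules; runs nothing.
WAN_IF=eth2             # internet-facing interface (NOTE-1)
WAN_IP=aa.bb.cc.dd      # placeholder for the world-facing IP (NOTE-4)
SERVER_IP=192.168.1.15  # PC running the ARK server (NOTE-1)

# UDP ports in the order the client probed them, plus game ports 7777-7778.
OBSERVED="27015 26900 27016 26901 27017 26902 27018 26903 27019 26904 27020 26905 4242 27215 7777 7778"

# collapse_ports "p1 p2 ...": sort, de-duplicate and merge consecutive ports
# into iptables-style ranges (lo:hi), one per line.
collapse_ports() {
    # $1 is left unquoted on purpose so each port becomes its own line.
    printf '%s\n' $1 | sort -n -u | awk '
        NR == 1      { lo = hi = $1; next }
        $1 == hi + 1 { hi = $1; next }
                     { print ((lo == hi) ? lo : (lo ":" hi)); lo = hi = $1 }
        END          { if (NR) print ((lo == hi) ? lo : (lo ":" hi)) }'
}

# port_covered PORT "ranges": succeed if PORT falls inside one of the ranges.
port_covered() {
    for r in $2; do
        lo=${r%%:*}; hi=${r##*:}
        [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0
    done
    return 1
}

# emit_rules: print the INPUT, FORWARD and DNAT rule for each collapsed range.
emit_rules() {
    for r in $(collapse_ports "$OBSERVED"); do
        echo "iptables -A INPUT -i $WAN_IF -p udp -m udp --dport $r -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN_IF -p udp --destination-port $r -d $SERVER_IP -j ACCEPT"
        echo "iptables -t nat -A PREROUTING -p udp -d $WAN_IP --dport $r -j DNAT --to-destination $SERVER_IP"
    done
}

emit_rules
```

Review the printed rules before applying them; anything outside the collapsed ranges stays subject to the default drop rule from NOTE-2.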

ALMOST THERE!!!

Now - before you try to fire up a server and go to town, you'll want to do a couple things:

1 - Start the game client, pick 'host/local' and set the server options how you want (difficulty, hardcore, PvE, map, etc). Then instead of picking 'local' you pick 'host' and your client will close and the server will start up. This is important because if you haven't done it before the game will spawn ini files, etc. Give it about 10 minutes (check Task Manager for 'shootergameserver.exe' and make sure it's got about 4-5 GB of memory taken up) and then just close the window.

2 - NOW is when you can kick off that .bat file from way back at the beginning. Shortcut it to your desktop or something to save you digging through the folders to find it.

3 - For yourself and LAN folk, you should be able to just start the game client and choose 'Join ARK' and then find the little drop-down in the lower left (official, unofficial, etc) and choose 'LAN'. Bingo, you're in. For internet it's a bit more fussy because the public server lists are horrid to search through. Give a link like this to your friends:

steam://connect/aa.bb.cc.dd:27015

This will target them directly to your system. If they are using normal settings (not low memory) they can log in and play immediately. If using one of the alternate bootstrap options is needed - have them log in via the URL and create a throw-away character (just hit 'create' for the default caveman), then once they're in the game quit out completely and start through the Steam interface and pick the necessary low mem/alt option.

When they want to get back to your system, pick 'My Survivors' rather than 'LAN' from the drop-down and their session should be found - once they log in just have them get eaten by a dino and they can create a new character on the spot.

I hope this helps a bunch of folk, because it's had me banging my head on the desk for nearly a week and cussing the devs out for not providing documentation. I am a sysadmin for a living so I wasn't going to let this shit defeat skills I've been honing for the past 15 years - :]

DEVS: If you're reading this - I STILL WANT PROPER DOCUMENTATION but hopefully this will prove useful for getting other people up and running.