"Come in, come in, and know me better Man."

It's been a bit since I have posted. Life is always going and there is so much to learn. I have been learning more about AI and infrastructure surrounding it for work. I have been using it a bit more both there and at home. I have even played with coding some apps and my own agent harness and interface.

There are ups and downs. It is certainly an interesting (and often frustrating) process. There are some things it can be very helpful with though. One of them is planning and documentation. This walkthrough is a testament to that. I had to guide it and steer it, and double check it and I believe I got it to what I needed.

I am a gamer, and I have several I have always wanted to host in a more persistent way. With my homelab setup, I finally have a chance to do that. In this case 7 games I play semi-regularly and a couple of demo hosts I am able to take advantage of that I destroy and rebuild on a regular basis. This wasn't all done at once for me, but I have enough documented steps now from various places to make it work. And I thought this would be a good chance to share a walkthrough here.

Prerequisites

  • You need an OCI VPS (it can be small; it's just going to run a couple of things)
  • You need NGINX acting as a reverse proxy for your on-prem stuff
  • You need some place to run your self-hosted infrastructure (this can be in the cloud as well, but I am set up at home)
  • You need a domain, and you need a DNS provider. I use Cloudflare for these.

Steps

  1. The first step is to follow Thomas Wildes guide here. It's very thorough and easy to follow. It was the first step for me in creating a way to securely serve internal apps to the outside world.
  2. You may want to set up some VLANs for network segregation to keep your game server(s) separated from the rest of your network. I am also using a Proxmox cluster and virtualization for even further separation.
  3. You will want an AMP server for this walkthrough. Yes, I use this and paid for it. You will also see I have 4 instances of the AMP server running. One runs in Hybrid mode and acts as the ADS (AMP Deployment Server) and as a game host, and the other three act as target hosts. This lets me control all of my game instances and hosts from a single AMP instance that can be passed through my tunnel.
  4. I also use VS Code to do most of my editing, particularly for my OCI VPS, as it gives me a nice visual picture of the file structure. But feel free to just SSH in using a key and use Vim or nano if you are more comfortable there.

What is this?

Below is the outline and steps the LLM and I came up with to ensure the games I wanted to run would work. You would of course modify this for whatever games you want to run, but the general idea is a good solid guide with all the right steps in place to show a clear picture of how to do this. When set up correctly you have security and multiple layers of segregation and isolation, a single management panel with TLS security for access to it, and a game or game cluster to share with your friends and family.

📋 HybridCloudHQ — Game Server Master Reference

Cluster Summary

4-node Proxmox VE hyper-converged cluster · Ceph · AMP + Docker game hosting · Pangolin/OCI tunnel · NGINX + TLS
Ceph raw: 3.88 TiB · Usable (rep-3): ~1.13 TiB · Utilization target: ≤ 50% per node


1 — Cluster Hardware

| Property | Value |
|---|---|
| Nodes | 4× (PVE1–PVE4) |
| CPU (per node) | AMD Ryzen 5 — 6C/12T, up to 4.0 GHz |
| Usable host threads (per node) | 10 (2 reserved for Proxmox) |
| RAM (per node) | 64 GB DDR4 |
| Ceph raw total | 3.88 TiB (4 OSDs, one per node) |
| Ceph usable (rep-2) | ~1.13 TiB |
| Proxmox version | |
| External tunnel | OCI VPS → Pangolin + Traefik + Gerbil + Crowdsec |
| TLS | NGINX reverse proxy — already configured |

2 — Node Role Map

| Node | Primary Role | VMs Hosted |
|---|---|---|
| PVE1 | Heavy game (isolated) | amp-conan (102) |
| PVE2 | Heavy game + demo/conditional | amp-enshrouded (104) · dune-awakening (107) · openshift-sno (300) · azure-local-demo (301) |
| PVE3 | Medium games + services | amp-medium (105) · containers-a (100) |
| PVE4 | Light games + ADS + services + primary failover | amp-node4 (106) · containers-b (103) |

3 — Master VM Table

| VMID | VM Name | Node | vCPUs | RAM Max | Balloon Min | Disk | onboot | Purpose |
|---|---|---|---|---|---|---|---|---|
| 100 | containers-a | PVE3 | 3 | 8 GB | 3 GB | 60 GB | 1 | Container services A |
| 102 | amp-conan | PVE1 | 6 | 28 GB | 6 GB | 100 GB | 1 | AMP · Docker: Conan Exiles Enhanced |
| 103 | containers-b | PVE4 | 2 | 8 GB | 3 GB | 60 GB | 1 | Container services B |
| 104 | amp-enshrouded | PVE2 | 6 | 26 GB | 6 GB | 80 GB | 1 | AMP · Docker: Enshrouded |
| 105 | amp-medium | PVE3 | 5 | 20 GB | 6 GB | 80 GB | 1 | AMP · Docker: Valheim · V Rising · Return to Moria |
| 106 | amp-node4 | PVE4 | 6 | 16 GB | 6 GB | 100 GB | 1 | AMP ADS (hybrid) · Docker: Minecraft · Dragonwilds |
| 107 | dune-awakening | PVE2 | 8 | 24 GB | 8 GB | 120 GB | 0 | AMP · Docker: Dune Awakening — CONDITIONAL |
| 300 | openshift-sno | PVE2 | 8 | 32 GB | — | 120 GB thin | 0 | RHCOS SNO — EPHEMERAL |
| 301 | azure-local-demo | PVE2 | 6 | 32 GB | — | 128 GB thin | 0 | Azure Local — EPHEMERAL |

Node Resource Summary

| Node | vCPUs Allocated | RAM Max | RAM Balloon Min | Failover Headroom |
|---|---|---|---|---|
| PVE1 | 6 / 10 | 28 GB | 6 GB | ~36 GB free |
| PVE2 | 6 / 10 (base) | 26 GB | 6 GB | ~52 GB free at balloon min |
| PVE3 | 8 / 10 | 28 GB | 9 GB | ~36 GB free |
| PVE4 | 8 / 10 | 24 GB | 9 GB | ~40 GB free — primary failover target |

4 — Master Port Reference

AMP SFTP — LAN/VPN Only, Never Internet Exposed

AMP assigns a unique SFTP port per game instance for admin file management (mods, configs, world saves). Players never use SFTP — do not add these ports to OCI, iptables, Traefik, or Pangolin. Access SFTP via your local LAN or VPN when remote. Each instance on amp-medium gets its own port so they don't collide on the same VM.

This Table Is the Single Source of Truth

OCI Security List, iptables, traefik_config.yml, docker-compose.yml, Pangolin UI, and AMP instance config must all match the Internet ports in this table exactly.

4.1 — Game Ports (Internet Exposed via Pangolin)

| Service | VM (VMID) | Proto | Port | Notes |
|---|---|---|---|---|
| Conan Exiles Game | amp-conan (102) | TCP | 7777 | Both TCP and UDP required |
| Conan Exiles Game | amp-conan (102) | UDP | 7777 | Must match end-to-end — NO remap ever |
| Conan Pinger | amp-conan (102) | UDP | 7778 | Must match end-to-end |
| Conan Steam Query | amp-conan (102) | UDP | 27015 | Must match end-to-end |
| Enshrouded Query | amp-enshrouded (104) | TCP | 15637 | AMP-confirmed port |
| Enshrouded Query | amp-enshrouded (104) | UDP | 15637 | AMP-confirmed port |
| Valheim Game | amp-medium (105) | UDP | 2456 | |
| Valheim Query | amp-medium (105) | UDP | 2457 | |
| V Rising Game | amp-medium (105) | UDP | 9876 | |
| V Rising Query | amp-medium (105) | UDP | 9877 | |
| Return to Moria Game | amp-medium (105) | UDP | 7780 | Remapped from default 7777 inside AMP |
| Minecraft Java | amp-node4 (106) | TCP | 25565 | |
| Minecraft Java | amp-node4 (106) | UDP | 25565 | |
| RuneScape: Dragonwilds | amp-node4 (106) | UDP | 7779 | Remapped from default 7777 via AMP launch flag |
| Dune: Awakening | dune-awakening (107) | — | — | Server browser discovery only (PTC) — no Pangolin needed |

4.2 — Admin Ports (LAN/VPN Only — never through Pangolin)

| Service | VM (VMID) | Proto | Port | Notes |
|---|---|---|---|---|
| Conan SFTP | amp-conan (102) | TCP | 2224 | Admin file access — LAN/VPN only |
| Conan RCON | amp-conan (102) | TCP | 25575 | LAN/VPN only |
| Enshrouded SFTP | amp-enshrouded (104) | TCP | 2224 | Admin file access — LAN/VPN only |
| Enshrouded RCON | amp-enshrouded (104) | TCP | 25575 | LAN/VPN only |
| Valheim SFTP | amp-medium (105) | TCP | 2224 | Per-instance port — LAN/VPN only |
| Valheim RCON | amp-medium (105) | TCP | 25575 | LAN/VPN only |
| V Rising SFTP | amp-medium (105) | TCP | 2225 | Per-instance port — LAN/VPN only |
| V Rising RCON | amp-medium (105) | TCP | 25575 | LAN/VPN only |
| Return to Moria SFTP | amp-medium (105) | TCP | 2226 | Per-instance port — LAN/VPN only |
| Moria RCON | amp-medium (105) | TCP | 25577 | LAN/VPN only |
| Minecraft SFTP | amp-node4 (106) | TCP | 2224 | Admin file access — LAN/VPN only |
| Minecraft RCON | amp-node4 (106) | TCP | 25575 | LAN/VPN only |
| Dragonwilds SFTP | amp-node4 (106) | TCP | 2225 | Admin file access — LAN/VPN only |
| Dragonwilds RCON | amp-node4 (106) | TCP | 25578 | LAN/VPN only |

Conan Exiles — TCP+UDP 7777 Cannot Be Remapped. Ever.

Conan Exiles uses UE4 networking which hardwires the advertised port to the bound port. BattlEye validates port consistency on both TCP and UDP 7777 during the authentication handshake. A remap was attempted and confirmed broken. TCP 7777, UDP 7777, UDP 7778, and UDP 27015 must pass end-to-end with zero translation through iptables, Traefik, Pangolin, and AMP. Do not revisit this.

Return to Moria — Default 7777 Fixed by Internal Remap

Moria defaults to UDP 7777, conflicting with Conan at the Pangolin layer. Moria has no BattlEye — safe to remap. Fix inside AMP → Moria01 → Configuration:

  • ListenPort = 7780
  • AdvertisePort = 7780

Pangolin exposes 7780 → 7780 with no translation. Restart instance after saving.

RuneScape: Dragonwilds — Default 7777 Fixed by Launch Flag

Follow a pattern. 7777, 7778, 7779, etc...

Dragonwilds defaults to UDP 7777 — no BattlEye, safe to remap. Fix inside AMP → Dragonwilds01 → GenericModule → Launch Parameters: add -port=7779. Pangolin exposes 7779 → 7779. Restart instance after saving.

Enshrouded — Verify Additional Ports if Needed

AMP confirms TCP+UDP 15637. If players report connection issues, also test opening 15636 (game) and 15638 (stream) — add to OCI, iptables, and Pangolin if required.

TCP and UDP 7777 Are Different Sockets

Conan requires both. Traefik treats tcp-7777 and udp-7777 as completely independent entryPoints — both must be defined in traefik_config.yml and mapped in docker-compose.yml.

Pangolin — One Backend Per External Port + Protocol

Traefik binds one OS socket per entryPoint. A second Pangolin target on the same port+protocol crashes Traefik on next restart. All game ports in this cluster are unique per protocol — do not reuse them.


5 — OCI VPS Setup

5.1 Security List Ingress Rules

Navigate: Networking → VCN → Security Lists → Default Security List
Source CIDR: 0.0.0.0/0 for all game ports. Do not add SFTP or RCON ports.

  • [ ] TCP 7777 — Conan game (TCP required alongside UDP)
  • [ ] UDP 7777 — Conan game
  • [ ] UDP 7778 — Conan pinger
  • [ ] UDP 27015 — Conan Steam query
  • [ ] TCP 15637 — Enshrouded query
  • [ ] UDP 15637 — Enshrouded query
  • [ ] UDP 2456 — Valheim game
  • [ ] UDP 2457 — Valheim query
  • [ ] UDP 9876 — V Rising game
  • [ ] UDP 9877 — V Rising query
  • [ ] UDP 7780 — Return to Moria game
  • [ ] TCP 25565 — Minecraft Java
  • [ ] UDP 25565 — Minecraft Java
  • [ ] UDP 7779 — RuneScape: Dragonwilds
  • [ ] TCP 443 — Pangolin HTTPS
  • [ ] TCP 80 — Pangolin HTTP redirect

5.2 OCI VPS iptables

# TCP game ports
sudo iptables -I INPUT 6 -p tcp -m multiport \
  --dports 80,443,7777,15637,25565 -j ACCEPT

# UDP game ports
sudo iptables -I INPUT 6 -p udp -m multiport \
  --dports 7777,7778,7779,7780,2456,2457,9876,9877,15637,25565,27015 -j ACCEPT

# Persist
sudo netfilter-persistent save

# Verify
sudo iptables -L INPUT -n -v --line-numbers

6 — Pangolin Setup

NGINX + TLS Is Already In Place

HTTP resources (AMP ADS, Portainer, Forgejo, Stirling PDF) are handled by your existing NGINX reverse proxy. Only raw TCP/UDP game server ports need Pangolin entryPoints. SFTP and RCON are never added here.

6.1 traefik_config.yml — Add Under entryPoints:

File: /opt/pangolin/config/traefik/traefik_config.yml

entryPoints:
  # Pangolin system — do not modify existing entries
  websecure:
    address: :443
  web:
    address: :80

  # Conan Exiles — TCP AND UDP 7777, no remapping ever
  tcp-7777:
    address: :7777/tcp
  udp-7777:
    address: :7777/udp
  udp-7778:
    address: :7778/udp
  udp-27015:
    address: :27015/udp

  # Enshrouded — query port TCP + UDP
  tcp-15637:
    address: :15637/tcp
  udp-15637:
    address: :15637/udp

  # Valheim
  udp-2456:
    address: :2456/udp
  udp-2457:
    address: :2457/udp

  # V Rising
  udp-9876:
    address: :9876/udp
  udp-9877:
    address: :9877/udp

  # Return to Moria — UDP only per the port table; internal port also 7780 (changed in AMP)
  udp-7780:
    address: :7780/udp

  # Minecraft — TCP + UDP 25565 per the port table
  tcp-25565:
    address: :25565/tcp
  udp-25565:
    address: :25565/udp

  # RuneScape: Dragonwilds — internal port also 7779 (AMP launch flag -port=7779)
  udp-7779:
    address: :7779/udp

  # SFTP ports — NOT added here (LAN/VPN access only)
  # Dune: Awakening — NOT added here (PTC server-list discovery only)

6.2 docker-compose.yml — Add Under services: gerbil: ports:

File: /opt/pangolin/docker-compose.yml

    ports:
      - 443:443
      - 80:80
      # Conan Exiles — both TCP and UDP 7777 required
      - 7777:7777/tcp
      - 7777:7777/udp
      - 7778:7778/udp
      - 27015:27015/udp
      # Enshrouded
      - 15637:15637/tcp
      - 15637:15637/udp
      # Valheim
      - 2456:2456/udp
      - 2457:2457/udp
      # V Rising
      - 9876:9876/udp
      - 9877:9877/udp
      # Return to Moria — UDP only per the port table
      - 7780:7780/udp
      # Minecraft — TCP + UDP per the port table
      - 25565:25565/tcp
      - 25565:25565/udp
      # RuneScape: Dragonwilds
      - 7779:7779/udp
      # SFTP NOT mapped here — LAN/VPN only
      # Dune: Awakening NOT mapped here — server-list only

This is what I mean by easy for me to visualize the editing here

VS Code view of configuring the yaml files

6.3 Apply and Verify

cd /opt/pangolin
docker compose up -d
docker compose restart traefik

# Check UDP listeners
ss -lunp | grep -E '7777|7778|7779|7780|2456|2457|9876|9877|15637|25565|27015'

# Check TCP listeners — 7777 and 15637 are both TCP now
ss -ltnp | grep -E '7777|15637|25565|443|80'

# Check Traefik — no crash loops, no "address already in use"
docker ps
docker logs traefik --tail=50
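
The "single source of truth" rule from section 4 can be checked mechanically before restarting Traefik. The script below is an added example, not part of the original walkthrough or of Pangolin: it parses entryPoints and port mappings in the formats shown in 6.1 and 6.2 and reports missing ports, exposed admin ports, duplicate sockets and remaps. The function names, the EXPECTED and ADMIN_TCP sets (copied from tables 4.1 and 4.2) and the sample configs are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Internet-facing sockets from the section 4.1 table, plus 80/443 for Pangolin.
EXPECTED = {
    ("tcp", 80), ("tcp", 443),
    ("tcp", 7777), ("udp", 7777), ("udp", 7778), ("udp", 27015),  # Conan
    ("tcp", 15637), ("udp", 15637),                               # Enshrouded
    ("udp", 2456), ("udp", 2457),                                 # Valheim
    ("udp", 9876), ("udp", 9877),                                 # V Rising
    ("udp", 7780),                                                # Moria
    ("tcp", 25565), ("udp", 25565),                               # Minecraft
    ("udp", 7779),                                                # Dragonwilds
}
# SFTP and RCON ports from section 4.2: LAN/VPN only, never in any layer.
ADMIN_TCP = {2224, 2225, 2226, 25575, 25577, 25578}


def traefik_sockets(text):
    """List (proto, port) for every 'address: :PORT[/proto]' entryPoint line."""
    found = re.findall(r"^\s*address:\s*[\"']?:(\d+)(?:/(tcp|udp))?", text, re.M)
    return [(proto or "tcp", int(port)) for port, proto in found]


def compose_sockets(text):
    """List (proto, host_port, container_port) for '- HOST:CONT[/proto]' lines."""
    found = re.findall(r"^\s*-\s*[\"']?(\d+):(\d+)(?:/(tcp|udp))?", text, re.M)
    return [(proto or "tcp", int(h), int(c)) for h, c, proto in found]


def audit(traefik_text, compose_text):
    """Compare both files with EXPECTED and return the differences per layer."""
    entry = traefik_sockets(traefik_text)
    published = compose_sockets(compose_text)
    layers = {"traefik": set(entry),
              "compose": {(p, host) for p, host, _ in published}}
    report = {}
    for name, socks in layers.items():
        report[name] = {
            "missing": sorted(EXPECTED - socks),
            "unexpected": sorted(socks - EXPECTED),
            "admin_exposed": sorted(s for s in socks
                                    if s[0] == "tcp" and s[1] in ADMIN_TCP),
        }
    # Two entryPoints on one port+protocol: the Traefik crash case from the page.
    report["traefik"]["duplicates"] = sorted(
        s for s, n in Counter(entry).items() if n > 1)
    # Host port differs from container port: translation the page forbids.
    report["compose"]["remapped"] = sorted(
        (p, h, c) for p, h, c in published if h != c)
    return report


# Constructed sample input (not the author's files): the expected set with drift
# injected. Traefik lacks tcp/25565, exposes SFTP 2224 and binds udp/7777 twice;
# compose publishes 7779 but translates it to 7785.
SAMPLE_TRAEFIK = "entryPoints:\n" + "".join(
    f"  {p}-{n}:\n    address: :{n}/{p}\n"
    for p, n in sorted(EXPECTED - {("tcp", 25565)})
) + "  tcp-2224:\n    address: :2224/tcp\n  udp-7777-b:\n    address: :7777/udp\n"
SAMPLE_COMPOSE = "    ports:\n" + "".join(
    f"      - {n}:{n}/{p}\n" for p, n in sorted(EXPECTED - {("udp", 7779)})
) + "      - 7779:7785/udp\n"

if __name__ == "__main__":
    for layer, findings in audit(SAMPLE_TRAEFIK, SAMPLE_COMPOSE).items():
        for kind, items in findings.items():
            print(f"{layer:8} {kind:14} {items}")
```

To run it against the real files, pass the contents of /opt/pangolin/config/traefik/traefik_config.yml and /opt/pangolin/docker-compose.yml to audit(). Any other port you publish on purpose has to be added to EXPECTED first, or it is reported as unexpected.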

6.4 Pangolin Raw TCP/UDP Resources

Create one resource per row. Do not create resources for SFTP or RCON ports.

| Resource Name | Protocol | External Port | Target Address | Target Port | VM |
|---|---|---|---|---|---|
| conan-game-tcp | TCP | 7777 | amp-conan LAN IP | 7777 | 102 |
| conan-game-udp | UDP | 7777 | amp-conan LAN IP | 7777 | 102 |
| conan-pinger | UDP | 7778 | amp-conan LAN IP | 7778 | 102 |
| conan-query | UDP | 27015 | amp-conan LAN IP | 27015 | 102 |
| enshrouded-query-tcp | TCP | 15637 | amp-enshrouded LAN IP | 15637 | 104 |
| enshrouded-query-udp | UDP | 15637 | amp-enshrouded LAN IP | 15637 | 104 |
| valheim-game | UDP | 2456 | amp-medium LAN IP | 2456 | 105 |
| valheim-query | UDP | 2457 | amp-medium LAN IP | 2457 | 105 |
| vrising-game | UDP | 9876 | amp-medium LAN IP | 9876 | 105 |
| vrising-query | UDP | 9877 | amp-medium LAN IP | 9877 | 105 |
| moria-game | UDP | 7780 | amp-medium LAN IP | 7780 | 105 |
| minecraft-tcp | TCP | 25565 | amp-node4 LAN IP | 25565 | 106 |
| minecraft-udp | UDP | 25565 | amp-node4 LAN IP | 25565 | 106 |
| dragonwilds | UDP | 7779 | amp-node4 LAN IP | 7785 | 106 |

7 — AMP Installation & Configuration

AMP Architecture

AMP is installed bare metal on the VM OS. During install, answer YES to Docker isolation. AMP then manages each game server as a Docker container internally — handling Wine, SteamCMD, and dependencies per-container automatically.

7.1 AMP Install Command (all AMP VMs)

sudo su
bash <(wget -qO- getamp.sh)
# Prompts:
#   Username / password → set strong credentials
#   Docker isolation    → YES  ← critical
#   HTTPS               → No  (NGINX handles TLS)

Apply licence key in the web UI at http://<vm-ip>:xxxx → restart when prompted.

7.2 AMP Instance Registry

| AMP Instance | VMID | VM Name | Node | AMP Role | Game | Internet Port(s) | SFTP Port |
|---|---|---|---|---|---|---|---|
| ADS01 | 106 | amp-node4 | PVE4 | ADS Controller | — | TCP xxxx (UI) | — |
| Conan01 | 102 | amp-conan | PVE1 | Target | Conan Exiles Enhanced | TCP+UDP 7777 · UDP 7778 · UDP 27015 | TCP 2224 |
| Enshrouded01 | 104 | amp-enshrouded | PVE2 | Target | Enshrouded | TCP+UDP 15637 | TCP 2224 |
| Valheim01 | 105 | amp-medium | PVE3 | Target | Valheim | UDP 2456 · UDP 2457 | TCP 2224 |
| VRising01 | 105 | amp-medium | PVE3 | Target | V Rising | UDP 9876 · UDP 9877 | TCP 2225 |
| Moria01 | 105 | amp-medium | PVE3 | Target | Return to Moria | UDP 7780 | TCP 2226 |
| Minecraft01 | 106 | amp-node4 | PVE4 | Via ADS | Minecraft Java | TCP+UDP 25565 | TCP 2224 |
| Dragonwilds01 | 106 | amp-node4 | PVE4 | Via ADS | RuneScape: Dragonwilds | UDP 7779 | TCP 2225 |
| Dune01 | 107 | dune-awakening | PVE2 | Target | Dune: Awakening | Server list (PTC) | TCP 2224 |

amp-medium Hosts Three Game Servers

Valheim01, VRising01, and Moria01 all run as separate Docker containers inside VMID 105. AMP assigns each its own SFTP port (2224, 2225, 2226) so they don't collide. Manage all three through ADS01.

amp-node4 Is a Hybrid VM

VMID 106 runs AMP ADS and hosts Minecraft and Dragonwilds via that same ADS instance. No network hop needed — ADS and its instances communicate internally on the same VM.

7.3 Critical AMP Port Configurations

Return to Moria — Must Remap From Default 7777

AMP → Moria01 → Configuration → Network:

ListenPort    = 7780
AdvertisePort = 7780

Restart instance after saving. Verify in instance logs that it reports binding to 7780.

There was also a challenge here getting everything to apply 100% correctly so I edited the MoriaServerConfig.ini directly and imported the config to AMP to ensure it grabbed all of the settings (advertise address and advertise port were the most important here as it was hitting my home internet public IP and I needed it to hit the IP of the AMP host.)

[Host]
ListenAddress=0.0.0.0
ListenPort=7780
AdvertiseAddress=[your.host.ip.address]
AdvertisePort=7780
InitialConnectionRetryTime=60
AfterDisconnectionRetryTime=600

If the instance ever resets to defaults: re-apply the above and restart.

RuneScape: Dragonwilds — Must Remap From Default 7777

AMP → Dragonwilds01 → GenericModule → Launch Parameters, add:

-port=7779

Restart instance after saving.

If the instance ever resets to defaults: re-apply the above and restart.

Minecraft Java — JVM Heap & GC Flags

AMP → Minecraft01 → Java Settings → Memory: Min 4 GB / Max 10 GB

JVM Arguments:

-XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1

8 — Demo & Conditional VMs (PVE2)

PVE2 One-at-a-Time Rule

VMIDs 107, 300, and 301 all live on PVE2 alongside amp-enshrouded (104).
amp-enshrouded balloon min = 6 GB · host reserve = 6 GB · free at idle = ~52 GB
Any two ephemeral/conditional VMs together consume 48–64 GB — exceeds node capacity. Run only ONE of 107, 300, or 301 at any time.

VMID 300 — openshift-sno (Ephemeral)

qm start 300    # verify 107 and 301 are stopped first
qm shutdown 300

VMID 301 — azure-local-demo (Ephemeral)

qm start 301    # verify 107 and 300 are stopped first
qm shutdown 301

VMID 107 — dune-awakening (Conditional)

| Property | Value |
|---|---|
| OS | Ubuntu Server 24.04 LTS |
| AMP | Bare metal + Docker isolation |
| CPU requirement | AVX2 — satisfied by cpu: host on Ryzen 5 |
| Specs | 8 vCPU · 24 GB / 8 GB balloon · 120 GB CephPool |
| onboot | 0 — start manually only |
| Connection method | In-game server browser only (PTC phase) |
| Pangolin resources | None needed |

Dune: Awakening — Token Required Before First Start

  1. Own Dune: Awakening on Steam
  2. Install and run the PTC client at least once
  3. Get your token: https://account-pts.duneawakening.com/ (sign in with Steam)
  4. AMP → Dune01 → Configuration → Dune Awakening → Identity → Self-Host Service Token → paste → save
  5. Do NOT touch "FLS World Name" unless Funcom has specifically issued you one

Dune: Awakening Known Issues (PTC — May 2026)

Confirmed bugs — not setup errors:

  • Resource monitoring shows 0 — server is running, ignore it
  • Player tracking broken — AMP cannot detect player joins/leaves
  • "Missing Configuration" on first update — run the update a second time, it will succeed
  • Several minutes to appear in server browser after startup — wait patiently
  • PTC world data not guaranteed to persist after full release

qm start 107    # verify 300 and 301 are stopped first
# Stop the instance in AMP first for graceful world save, then:
qm shutdown 107

9 — Operational Gotchas & Tips

Conan Exiles — TCP AND UDP 7777. No Remap. Ever.

TCP 7777, UDP 7777, UDP 7778, and UDP 27015 must be identical at OCI, iptables, Traefik, Pangolin, and AMP. BattlEye + UE4 hardwire port advertising across both protocols. Remap = broken auth = zero players. Confirmed by prior failed attempt.

PVE2 — Never Run Multiple Ephemeral/Conditional VMs Simultaneously

107 + 300 = 56 GB · 107 + 301 = 56 GB · 300 + 301 = 64 GB. All exceed available headroom when amp-enshrouded is at its balloon minimum. Check PVE2 free RAM before starting any of 107, 300, 301.

Pangolin — One Port+Protocol = One Backend

Traefik crashes on next restart if two resources share an external port+protocol. Change the internal port of the conflicting service first.

SFTP Ports — LAN/VPN Only, Always

Never add SFTP ports (2224, 2225, 2226) to OCI Security List, iptables, Traefik, or Pangolin. Access via WireGuard/Tailscale when remote. Players do not need SFTP.

Moria Remap — If Instance Resets to Defaults

Re-apply: AMP → Moria01 → Configuration → ListenPort=7780, AdvertisePort=7780 → restart.

Dragonwilds Remap — If Instance Resets to Defaults

Re-apply: AMP → Dragonwilds01 → GenericModule → Launch Parameters → -port=7779 → restart.

Enshrouded — Confirm Port Coverage if Players Can't Connect

AMP confirms TCP+UDP 15637. If players have issues, also test 15636 (game) and 15638 (stream) — add to OCI, iptables, and Pangolin if needed.

Dune: Awakening — Token Is Per-Instance

Each separate Dune server instance needs its own unique self-host token from https://account-pts.duneawakening.com/.

cpu: host on Every VM — Always

Passes AVX2, AES-NI, SHA, and vmx/svm. AVX2 is specifically required by Dune: Awakening. Never use kvm64.

Balloon Min Is Intentionally Low

Game containers idle at 2–6 GB. The balloon driver reclaims unused RAM for live migrations. Raise balloon min only if swap is observed after 72 hours of real load:

ssh <vm-ip> 'vmstat -s | grep swap'

AMP Docker Isolation — Why It Was Chosen

Docker isolation (YES during install) means AMP handles Wine, SteamCMD, and per-game dependencies automatically. Return to Moria's Wine layer and Dune's dependencies are both managed this way. Changing it requires a full AMP reinstall.

Crowdsec on OCI VPS

High UDP packet rates from game clients can trigger false-positive bans. Whitelist game server IPs and port ranges in Crowdsec rules or add custom scenario exclusions.


10 — Quick Reference Commands

Verify Game Ports (OCI VPS)

# UDP game ports
ss -lunp | grep -E '7777|7778|7779|7780|2456|2457|9876|9877|15637|25565|27015'

# TCP game ports — 7777 and 15637 are both TCP
ss -ltnp | grep -E '7777|15637|25565|443|80'

Pangolin

cd /opt/pangolin
docker compose up -d
docker compose restart traefik
docker logs traefik --tail=50    # Check for errors
ss -lunp | grep <port>           # Verify a specific port

VM Lifecycle

qm start <VMID>
qm shutdown <VMID>
qm status <VMID>
qm migrate <VMID> <target-node> --online
qm snapshot <VMID> <name> "<description>"
qm listsnapshot <VMID>
qm rollback <VMID> <snapname>

AMP

ampinstmgr status
ampinstmgr startall
ampinstmgr stopall
journalctl -u ampinstmgr -f

11 — Game Server Status Summary

| Game | VM (VMID) | AMP | Internet Port(s) | SFTP | Status |
|---|---|---|---|---|---|
| Conan Exiles Enhanced | amp-conan (102) | ✅ Docker | TCP+UDP 7777 · UDP 7778 · UDP 27015 | 2224 LAN | 🟢 Active — no remap ever |
| Enshrouded | amp-enshrouded (104) | ✅ Docker | TCP+UDP 15637 | 2224 LAN | 🟢 Active |
| Valheim | amp-medium (105) | ✅ Docker | UDP 2456 · UDP 2457 | 2224 LAN | 🟢 Active |
| V Rising | amp-medium (105) | ✅ Docker | UDP 9876 · UDP 9877 | 2225 LAN | 🟢 Active |
| Return to Moria | amp-medium (105) | ✅ Docker + Wine | UDP 7780 | 2226 LAN | 🟢 Active — remapped from 7777 |
| Minecraft Java | amp-node4 (106) | ✅ Docker via ADS | TCP+UDP 25565 | 2224 LAN | 🟢 Active |
| RuneScape: Dragonwilds | amp-node4 (106) | ✅ Docker via ADS | UDP 7779 | 2225 LAN | 🟢 Active — remapped from 7777 |
| Dune: Awakening | dune-awakening (107) | ✅ Docker | Server list (PTC) | 2224 LAN | 🟠 Conditional · token required · onboot: 0 |
| OpenShift SNO | openshift-sno (300) | ❌ | — | — | ⚪ Ephemeral · onboot: 0 |
| Azure Local | azure-local-demo (301) | ❌ | — | — | ⚪ Ephemeral · onboot: 0 |

Here is what you wind up with. I think it's fantastic.

View of the setup dashboard

Anyway, I hope it helps someone, and as always wishing you all the best.