Managed Bedrock Support for Minekube Connect and Gate
Minecraft has two huge player worlds: Java Edition on PC, and Bedrock Edition on mobile, console, and Windows. Server owners have usually had to pick one, or run extra infrastructure to bridge them.
Today, Minekube Connect starts making that split feel a lot smaller.
If your server is connected through the Connect Plugin or through the Gate Connector, Bedrock players can join through the same Connect network entry points your Java players already use. Your endpoint name still works. Your play.minekube.net subdomain still works. Your custom domains still work. The tunnel still works. The difference is that the Connect edge can now speak Bedrock too.
That distinction matters: when players arrive through Minekube Connect, Bedrock translation happens in the Connect proxy network before traffic reaches your server or self-hosted Gate connector. You do not need to enable local Bedrock support in your own Gate instance just to receive Bedrock players from Connect.
No Geyser plugin to install. No extra proxy to run. No separate Bedrock hosting box to keep updated.
Connect has always been a global Minecraft edge network: players connect to a nearby edge, Connect proposes a session to your Connector, and your Connector opens an outbound tunnel back into the network. That is why servers can be reachable without port forwarding, without exposing their real IP, and without losing the domains and endpoint names that make them discoverable.
Now that edge is protocol-aware for both Java and Bedrock.
For server owners using the Connect Plugin, this means the same plugin already available for PaperMC/Spigot, Velocity, and BungeeCord can expose the server to Bedrock players through Connect. For server owners using Gate as a Connect connector, the same applies: Connect handles the Bedrock edge path for players coming through the Connect network.
Separately, standard Gate can also enable Bedrock support in its own configuration for players who connect directly to that Gate instance. That is useful for self-hosted networks that want Gate itself to translate Bedrock locally, independent of the managed Connect edge.
The practical result is simple:
Java players continue joining as before.
Bedrock players can join the same endpoint.
Connect domains and custom domains route the same way.
Connect-managed Bedrock translation is handled at the edge.
Updates to the Connect Bedrock translation layer are managed for you.
The Minecraft community has used GeyserMC for years to translate between Bedrock and Java protocols. It is an impressive project, but the operational shape has usually been very Java-shaped too: run another JVM process, keep it updated, wire it to your proxy, configure Floodgate, and make sure Bedrock protocol updates land before players start seeing "outdated proxy" messages.
That is a lot to ask from someone who just wants mobile players to join their server.
So we changed the shape of the problem.
Instead of asking every server owner to operate their own Bedrock translation stack, Connect can run it as part of the network. If you are using Connect, the translation layer becomes another managed capability of the edge, like routing, tunneling, ping handling, endpoint domains, and protection.
The engine behind this is geyserlite, our open source project that takes GeyserMC's Bedrock-Java translation and compiles it into a small native artifact.
That sentence hides a lot of fun machinery.
Geyserlite does not maintain a long-lived fork of GeyserMC. Instead, its build pipeline checks out the official upstream GeyserMC/Geyser repository at a pinned commit, applies a small build overlay, and compiles Geyser Standalone with GraalVM native-image. The result is a native binary and shared library that can be embedded into Go and Rust programs.
In other words: Geyser's protocol work stays upstream, while the Minekube side focuses on packaging it into a form that fits modern proxy infrastructure.
The resource profile is the part we are especially proud of:
How Gate Lite adds an extra layer of security to your Minecraft server or network
Compared to classic Gate, Velocity or BungeeCord - Gate Lite, a mode of the Minekube Gate proxy, acts as a lightweight reverse proxy for Minecraft Java. Unlike Gate, Velocity, or Bungeecord, it doesn't offer features like combining multiple Minecraft servers to a network or implementing network-wide features. Gate Lite sits in front of these proxies and simply forwards incoming connections to them. In addition, it offers features like an offline MOTD, several security enhancements, and the ability to handle multiple Minecraft networks behind one port.
Gate is an excellent alternative to Velocity, and the Connect network is actually based on it. Trust us, you won't regret it! You'll love the benefits of using Gate and Gate Lite, as it can help protect your server or network.
Gate Lite detects the hostname you join with and uses it to determine the appropriate route. This allows you to use multiple domains for different backends while only requiring one port.
Gate Lite searches the list of routes from top to bottom. It also supports wildcards with * (which matches any number of characters) and ? (which matches any single character). Multiple hostnames per backend are also allowed with [ "abc.example.com", "def.example.com" ].
Gate Lite ensures that the configured backend is online before forwarding the connection. This approach guarantees that the user's request is always directed to an available backend. In case multiple backends are configured for the route, Gate Lite randomly selects one and checks if it is online. If the selected backend is offline, Gate Lite repeats this process until an online backend is found or every backend has been tested.
Example of Gate Lite Routing:
The configuration for this might look something like this:
When Minecraft Java sends its handshake packet, it includes the server address, protocol version, and port. Gate Lite is able to decode this packet and extract the server address field, which it then uses to locate the corresponding route in the configuration. This process is made simple and efficient thanks to Gate Lite's architecture.
Gate Lite's unique approach is that it ensures that the connection speaks the Minecraft protocol before forwarding it. This adds an extra layer of security, as it prevents malicious traffic from reaching the backend server.
In addition, Gate Lite is significantly faster than other proxies when piping the connection through. This is because it operates on the application layer of the network, and it only forwards connections that adhere to the Minecraft protocol. This results in a more efficient and streamlined process for the users. Gate Lite reduces the number of TCP connections required for ping requests by caching the motd and server icon. By caching the motd and server icon, only one TCP connection to the backend is needed every X minutes to provide the motd for thousands of ping requests. This approach optimizes the performance of the backend by reducing the load on it.
As I mentioned earlier, this technique can help prevent layer 7 flooding attacks, such as motd-spam.
How Gate Lite protects you from unknown hostnames
To achieve this, it is crucial to avoid having a route with * in your configuration.
Rest assured that Gate Lite prevents connections from unconfigured hostnames or domains, and only allows connections if a suitable route is found in the configuration. Gate Lite ensures that only connections from explicitly allowed hostnames and domains are allowed, protecting you from offensive ones. Don't give the competition a chance to make you look bad with strange domains.
What can Gate Lite do against DoS and DDoS attacks?
Gate Lite can do several things to reduce the impact of an attack. In addition to the extremely low resource usage, which I will discuss later, Gate Lite offers the following features:
Gate provides two rate limits, a connection rate limit and a login rate limit.
Connection limit: The connection limit is triggered for every new connection, regardless of whether a route is found. When the rate limit is reached, the /24 subnet of the IP is blocked for a short time.
The login limit is the same as the connection limit, but it is placed just before the player authenticates to Mojang to prevent flooding the Mojang API.
In Lite mode, only the Connection limit works since authentication is handled by the backend.
Gate Lite caches the MOTD and server icon of the backends for a configured time. When you request a MOTD, Gate Lite will respond from its cache, which reduces the load on the backend. This feature helps prevent attacks that aim to make your server unavailable through mass MOTD requests.
Technical explanation:
This results in a more efficient and streamlined process for the users. Gate Lite reduces the number of TCP connections required for ping requests by caching the motd and server icon. By caching the motd and server icon, only one TCP connection to the backend is needed every X minutes to provide the motd for thousands of ping requests. This approach optimizes the performance of the backend by reducing the load on it.
As I mentioned earlier, this technique can help prevent layer 7 flooding attacks, such as motd-spam.
Gate Lite operates on the application layer of the network, providing protection for the backend server against attacks on the network and transport layers. Gate Lite operates on the application layer of the network, providing protection for the backend server against attacks on the network and transport layers. This ensures that your server is secure.
Attacks against Minecraft servers and networks are most commonly aimed at layers 3 and 4, as they are relatively simple to execute and can be used against almost any other internet service. These attacks aim to consume the server's bandwidth. However, if the server running Gate Lite has sufficient bandwidth and a functional layer 3 and 4 DDoS protection, it becomes challenging to attack the backend server. More information will be provided later.
To ensure security, we recommend that access to the backend server be limited to Gate Lite only.
Technical explanation:
Gate Lite operates on layer 7 of the OSI model and routes connections based on the hostname or domain in the handshake packet. If the incoming connection is only on layer 4 and the handshake packet doesn't exist, Gate Lite will drop the connection because it doesn't follow the Minecraft protocol. This ensures that only valid connections reach the backend, improving security and efficiency.
As I mentioned earlier, the most common attacks are aimed at layers 3 and 4, with the goal of overwhelming the victim's bandwidth. However, if the server running Gate Lite has functional layer 3 and 4 attack protection, it can reduce incoming bandwidth and prevent it from filling up the server's available bandwidth. This means that your backend servers will be well protected against such attacks, even if they lack adequate protection. Gate Lite is an excellent choice for servers with limited resources. You can rest assured that it will perform effectively, even on less powerful servers. We will provide more information on this later.
To effectively prevent network capacity attacks on your server, it is essential to have a reliable DDoS protection service. Fortunately, there are many providers to choose from. In this section, we will provide a brief comparison of some well-known providers, including Minekube Connect.
Please keep in mind that this is a basic comparison and for more technical details, we recommend visiting the provider's websites.
Gate is written in Go, a modern programming language designed for cloud development. It requires only a few megabytes of RAM and some CPU resources to run. Gate Lite requires even fewer resources because it only pipes bytes.
Technical explanation:
Gate is a great choice for those who want to optimize their resource usage. Thanks to its Go-based architecture, Go compiles programs into executable files, similar to C or Rust, which can be run directly. This means that Gate uses fewer resources than Java, which compiles its programs to run on the Java Virtual Machine (JVM). While the JVM makes it easier to develop software that can run on any machine that supports it, it also requires more resources. By choosing Gate, you can ensure that your software runs efficiently without sacrificing functionality.
Minekube's Connect Network is based on a modified version of Gate. During a layer 7 bot attack against one of the endpoints, the memory and CPU usage wasn't much higher than normal:
Compared to other proxies such as Velocity, which are already well optimized, Gate uses fewer resources even with many players. This not only reduces server costs but also improves the user experience by eliminating lag during scaling.
Gate and Gate Lite can run on a wide range of systems due to their low resource usage. They are available as an executable file, Docker image, and Kubernetes-ready, making them suitable for small VPS instances as well as large servers that support thousands of players.
How to get the benefits of Gate Lite without having to worry about it
If you're not interested in hosting Gate Lite yourself or lack experience, don't worry! You can use Minekube Connect instead. Connect offers all the benefits of Gate Lite, plus DDoS protection, and it's completely free. Integrating Connect into your existing server/network is straightforward and easy.
Connect is a global edge network behind which anyone can connect their Minecraft server or network for free. Every server gets its own anycast domain. Connect uses tunnels to connect players to each server. There is no need for port forwarding.
If you are interested in any of the positions below, send us a message on Discord with your short bio and what you would like to build for the Minekube community.
Lead and execute marketing strategies across channels to increase brand awareness and drive customer acquisition. Collaborate with cross-functional teams on campaigns.
Build and maintain customer relationships, ensuring value from platform. Collaborate with cross-functional teams to address customer needs and drive success.
