Safe RCon with RSA Cryptosystem

INTRODUCTION
Every seasoned server owner is likely already familiar with “RCon”, which stands for “Remote Console”. RCon enables a client or an external tool like IW4M to send commands that the server executes. Traditionally, to prevent abuse, the user needs to “log in” using a password set by the server administrator and saved in a config file in “clear text”. This system was adequate by 90s standards when it was devised. However, by today’s standards, sending passwords over the internet in “clear text” format is not advisable.

SAFE RCON
The latest version of IW4x introduces an alternative called “safe RCon”.
It is recommended to use this new system if your game server and the machine running IW4M are not the same. You can also use this system as a client via the rconSafe console command.
It uses public-key cryptography to authenticate any client that wants to send a remote command.
To get started, you need a server that is already configured, running, and reachable on its UDP port (specified by the net_port dvar).
For the next step, you will be using the program called OpenSSL to generate a key pair using the RSA algorithm.
You may follow any other tutorial you find on the internet for generating an RSA key pair, but this tutorial includes an additional step: converting the public key from PEM format to DER format. This step is necessary because IW4x can only read RSA keys in DER format.
This tutorial assumes you are familiar with things such as “public key” and “private key”. If you think this is too complicated for you, feel free to ask for help in the support section or stick to the old password-based system which is easier to set up.

KEY GENERATION
Open the terminal and type the following command to generate a private key (example taken from Wikipedia, July 2023):

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096

This generates a private key and saves it to a file called private_key.pem.

Next, generate a public key, which you will place alongside iw4x.exe, in the game folder. In the terminal, type the following command:

openssl rsa -pubout -in private_key.pem -out public_key.pem

This generates a public key in PEM format. However, you will also need to convert the key to DER format, then move it to the game folder:

openssl rsa -pubin -inform PEM -in public_key.pem -outform DER -out rsa-public.key

IMPORTANT
The file containing the key in DER format must be named rsa-public.key; no other name will be accepted.
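
The three commands above as one script, followed by a check that the file you deploy really is the DER public half of your private key (a PEM file renamed to rsa-public.key is the easy mistake). This is an added example, not IW4x or IW4M code; the function names gen_keys and check_pair are made up here, and it assumes a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example (not IW4x or IW4M code). Assumes a POSIX shell and openssl on PATH.

# gen_keys DIR [BITS]: the three tutorial commands, run in a subshell under a
# restrictive umask so private_key.pem is readable only by its owner.
gen_keys() (
    dir=$1
    bits=${2:-4096}   # 4096 matches the tutorial; BITS is a convenience parameter
    umask 077
    openssl genpkey -algorithm RSA -out "$dir/private_key.pem" \
        -pkeyopt "rsa_keygen_bits:$bits" 2>/dev/null || exit 1
    openssl rsa -pubout -in "$dir/private_key.pem" \
        -out "$dir/public_key.pem" 2>/dev/null || exit 1
    openssl rsa -pubin -inform PEM -in "$dir/public_key.pem" \
        -outform DER -out "$dir/rsa-public.key" 2>/dev/null || exit 1
)

# check_pair PRIVATE_PEM PUBLIC_DER: succeeds only if the public file has the
# required name, is DER rather than PEM, and belongs to the private key.
check_pair() {
    priv=$1
    der=$2
    # IW4x accepts no other file name.
    [ "$(basename "$der")" = "rsa-public.key" ] || return 1
    # DER starts with an ASN.1 SEQUENCE tag (0x30); a PEM file starts with '-'.
    first=$(od -An -tx1 -N1 "$der" 2>/dev/null | tr -d ' \n')
    [ "$first" = "30" ] || return 1
    # Both files must carry the same RSA modulus.
    m_priv=$(openssl rsa -in "$priv" -noout -modulus 2>/dev/null) || return 1
    m_pub=$(openssl rsa -pubin -inform DER -in "$der" -noout -modulus 2>/dev/null) || return 1
    [ -n "$m_priv" ] && [ "$m_priv" = "$m_pub" ]
}

# Usage (paths are placeholders):
#   gen_keys . && check_pair ./private_key.pem ./rsa-public.key && echo "pair OK"
# Copy only rsa-public.key to the game folder; private_key.pem stays with IW4M.
```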

IW4M SETUP
Open the JSON file containing the IW4M settings and copy the private key in PEM format into the Password field.

Here’s an example:

{
    "Password": "-----BEGIN PRIVATE KEY-----\n<private key goes here>\n-----END PRIVATE KEY-----"
}

IW4M will now use the new system to send RCon packets securely. This new system strives to adhere to the latest conventions regarding online security and cryptography.

DISCLAIMER
The actual contents of the “safe RCon” packet are not encrypted as they are not deemed to contain sensitive data. The RSA key is used only to establish the user’s identity and accept packets solely from a trusted source.

If you do not have OpenSSL installed on your computer, you will not be able to generate an RSA key pair using the method illustrated in the tutorial above.

However, there is a workaround. You can join our Discord to request help with this issue.

In short, you can use IW4x itself to generate a key pair. However, you will still need to convert the private key to PEM format.