Hi Hytaler,
Server's up but your friends keep bouncing off it? Most "my server is broken" reports come down to five things, and four of them are the port — and the port is UDP, not TCP. Work down this list in order before you reinstall anything.
Before you blame the network, prove the server is up and bound:
Nothing? Then there's no server to connect to, and the rest of this list is a waste of your time. Read the log:
Nine times out of ten the log tells you straight up — wrong Java version, missing
UDP. Not TCP. There is no TCP listener on a Hytale server, so a TCP port-forward does precisely nothing.
On the box:
On your router, forward UDP 5520 to the server's internal IP. If your router UI makes you pick a protocol and you pick TCP — or "both" and only TCP sticks — you'll sit there forever wondering why localhost works and your friends don't. I've watched people reinstall the whole server over this.
This is the one that actually catches people hosting from home. A lot of consumer connections — most mobile, plenty of fibre — put you behind carrier-grade NAT. You get a private-looking address, no real inbound, and no amount of port-forwarding will ever reach you.
Quick check: look up what your router thinks its WAN IP is, then compare it to what a "what's my IP" site shows. Different? You're behind CGNAT. Your options are a VPN/tunnel back to a box with a real IP, or hosting somewhere that gives you one. Port-forwarding is not going to save you here, so stop fighting it.
Classic NAT hairpin problem. You're testing with your own public IP from inside your own network, and the router won't loop that back. It's not a server fault.
Test it properly: have someone not on your network try, or tether to your phone and connect over mobile data. Internal players should connect to the server's local IP, external players to your public IP. Don't judge "is it reachable" from the same LAN.
If the server process dies on startup, you get no listener and a confusing "connection refused" on the client. Two repeat offenders:
Server listening, UDP open on box and router, not behind CGNAT, tested from outside the LAN — that covers basically every "can't connect" I've ever seen. Still stuck after all five? Post your
If you haven't built the server yet, the full walkthrough is in the server setup guide.
Server's up but your friends keep bouncing off it? Most "my server is broken" reports come down to five things, and four of them are the port — and the port is UDP, not TCP. Work down this list in order before you reinstall anything.
Table of Contents
- Is the server actually listening?
- The port is UDP — I'll say it twice
- CGNAT: your ISP handed you a fake IP
- Works on LAN but not from outside
- Auth and Java — the silent killers
- The 30-second checklist
1. Is the server actually listening?
Before you blame the network, prove the server is up and bound:
Code:
sudo ss -ulnp | grep 5520Nothing? Then there's no server to connect to, and the rest of this list is a waste of your time. Read the log:
Code:
journalctl -u hytale -n 50 --no-pagerNine times out of ten the log tells you straight up — wrong Java version, missing
--assets, or the auth step never ran. Fix that first.2. The port is UDP — I'll say it twice
UDP. Not TCP. There is no TCP listener on a Hytale server, so a TCP port-forward does precisely nothing.
On the box:
Code:
sudo ufw allow 5520/udp
sudo ufw reloadOn your router, forward UDP 5520 to the server's internal IP. If your router UI makes you pick a protocol and you pick TCP — or "both" and only TCP sticks — you'll sit there forever wondering why localhost works and your friends don't. I've watched people reinstall the whole server over this.
3. CGNAT: your ISP handed you a fake IP
This is the one that actually catches people hosting from home. A lot of consumer connections — most mobile, plenty of fibre — put you behind carrier-grade NAT. You get a private-looking address, no real inbound, and no amount of port-forwarding will ever reach you.
Quick check: look up what your router thinks its WAN IP is, then compare it to what a "what's my IP" site shows. Different? You're behind CGNAT. Your options are a VPN/tunnel back to a box with a real IP, or hosting somewhere that gives you one. Port-forwarding is not going to save you here, so stop fighting it.
4. Works on LAN but not from outside
Classic NAT hairpin problem. You're testing with your own public IP from inside your own network, and the router won't loop that back. It's not a server fault.
Test it properly: have someone not on your network try, or tether to your phone and connect over mobile data. Internal players should connect to the server's local IP, external players to your public IP. Don't judge "is it reachable" from the same LAN.
5. Auth and Java — the silent killers
If the server process dies on startup, you get no listener and a confusing "connection refused" on the client. Two repeat offenders:
- Java version. It wants Java 25. A 21 JRE throws an
UnsupportedClassVersionErrorthat looks unrelated to networking but kills the server before it ever binds.java -versionand check. - Auth never completed. If you moved the box, restored a backup, or wiped the token, the server needs
/auth login deviceagain. Until it's authenticated it won't serve.
6. The 30-second checklist
Code:
# 1. listening on UDP 5520?
sudo ss -ulnp | grep 5520
# 2. firewall open for UDP?
sudo ufw status | grep 5520
# 3. java is 25?
java -version
# 4. anything screaming in the log?
journalctl -u hytale -n 30 --no-pagerServer listening, UDP open on box and router, not behind CGNAT, tested from outside the LAN — that covers basically every "can't connect" I've ever seen. Still stuck after all five? Post your
journalctl output in the Server Setup & Hosting forum, not just "it doesn't work" — nobody can debug a vibe.If you haven't built the server yet, the full walkthrough is in the server setup guide.
Last edited: