Securing the connection

The Jeak-Framework supports TLS connections in order to communicate with the TeamSpeak server via an encrypted connection.
By default, TeamSpeak 3 only supports unencrypted plaintext connections which will expose your query credentials when running over unsecured networks.
Since this is not acceptable for distributed environments (e.g. hosting on different servers), Jeak can connect to so called "TLS termination proxies" that run on the same machine as the TeamSpeak server.

While the setup of your specific TLS termination proxy might be different, many use NGINX and a (LetsEncrypt certificate](https://letsencrypt.org/) for this as the setup is rather easy. Below is an example configuration taken from our development systems.
The configuration will tell NGINX to accept TCP streams on port 8888, enable TLS encryption to the connecting party using the provided certificates and forward all packets via. an unsecured connection to the local port 9987 (which will be the TS3 query port in this scenario).

stream {
  server {
    listen <public-ip>:8888 ssl;
    ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
    proxy_ssl off;
    proxy_pass 127.0.0.1:9987
  }
}

If you use TLS termination for your connection to the TS3 query interface, edit your bot.json like this:

{
  "host": "your-domain.com",
  "port": 8888,
  "ssl": true
}

🚧

A word on SSH.

Newer versions of TS3 support SSH tunneled query connections but many hosting companies did not enable them in their setups as of writing (18.02.2020). At the moment, Jeak does not support those connections either. With the low implementation rate and many other, more important features to implement, we just do not have the time to prioritize this now. Especially since TeamSpeak did not mention this would become a thing prior to releasing the SSH support.