You can host a public Quake 3 Arena server in 2026 with about $250 of hardware and a free afternoon. Use ioquake3 as the binary (the maintained fork — id's original 1.32 server has TLS issues with modern HTTP master lookups), drop your pak0.pk3 next to it, register with dpmaster instead of GameSpy (which has been dark since 2014), and bind to a non-default UDP port behind a firewall rule that drops everything outside your friends' IP range. A passively-cooled Intel N100 mini PC handles 16-slot CTF without breaking a sweat.
Why Quake 3 hosting still matters in 2026
Quake 3 Arena turns 27 this December. The active community is small but stubborn — Excessive Plus, OSP, and CPMA leagues still run weekly tournaments, the speedrun community still posts records on quake3world's mirror, and the LAN-party scene treats Q3 as the de-facto "everyone has it, everyone agrees on the controls" warmup game. The catch is that GameSpy's master server died in 2014, the original id master at master.quake3arena.com went offline in 2017, and most of the public-server lists you'll find on the open web are pulling from cached snapshots from 2019. If you want a server that actually shows up in friends' in-game browsers, you have to (a) run a maintained ioquake3 build, (b) point it at a master server that's still online in 2026, and (c) tell people the IP directly because the in-game browser is no longer the discovery mechanism it was.
There's also the first-party angle. We run a small retro-PC fleet (the retropcfleet rack — N100 boxes hosting CS 1.6, UT99, ETQW, and Q3) for our own LAN events and for editorial benchmarking. The Q3 host is the smallest of those: 6W idle, 12W under load, and a stack of CFGs that we've broken in the dumbest possible ways across two years so you don't have to. Everything below is what we actually run, not a restating of the 2009 Vogons wiki.
Key takeaways
- Use ioquake3, not 1.32 vanilla. Maintained, builds against modern OpenSSL, fixes the famous getstatus reflection-DDoS amplification.
- Register with dpmaster (
master.ioquake3.org:27950) and the q3msk mirror. Skip the deadmaster.quake3arena.com. - An N100 mini PC ($199-$249) is overkill for one Q3 server, which is a feature: room to host UT99 + CS 1.6 on the same box.
- RCON is a footgun. Set a 32-char
rconpassword, change the default port from 27960 to anything in the 28xxx range, andcl_allowDownload 0server-side or you become a malware host. - Symmetric 50/5 home internet is enough for a 16-slot LAN-party-grade server. Each player burns ~30 kbps down / 64 kbps up at
sv_fps 30.
What was the 2001 server hosting story, and what's changed?
In 2001 a Quake 3 server lived on a $1,500 Dell PowerEdge in someone's basement, registered itself with GameSpy on boot, and got found via the in-game browser by anyone who had Q3 installed. The server binary id shipped (q3ded.exe on Windows, linuxq3ded on Linux) talked HTTP to GameSpy's master, got a list of clients on heartbeats, and broadcast its existence every 60 seconds. Total setup time: about 45 minutes if you knew the CFG syntax.
The 2026 reality:
- GameSpy is dead. Glu Mobile shut it down on May 31, 2014. The id-operated
master.quake3arena.comfollowed in late 2017. - The default
q3dedbinary still tries to register with the dead masters and silently fails. Nothing in the console tells you registration failed; it just sits there serving zero discoveries. - Modern home internet has asymmetric upload caps. Cable modem 1000/35 plans look great until you put 16 players on a server and saturate the 35 Mbit upload at ~25 Mbit.
- The DDoS amplification attack against
getstatus(CVE-2010-4542 era) means a vanilla 1.32 server, exposed to the open internet, will get pulled into reflection attacks against random victims within hours. ioquake3's getstatus rate-limiting fixes this. - Every modern firewall blocks UDP by default. You will spend more time on
iptablesthan onserver.cfg.
The good news: ioquake3 is still actively maintained as of 2026 (last commit on the master branch was 2026-03-14 when this article was written), runs on glibc 2.39 / Ubuntu 24.04 LTS without complaint, and bundles a working dpmaster client by default. If you stick to that stack, the setup is faster than it was in 2001 — you can be online in 20 minutes.
What hardware do you actually need to host Quake 3 in 2026?
Quake 3's server logic is single-threaded and was tuned for 1999-era CPUs. Anything from the last decade is overkill. The bottleneck is bandwidth, not compute.
| Component | Minimum | Recommended (LAN-party-grade) | Why |
|---|---|---|---|
| CPU | 1 core, 1 GHz | Intel N100 / N150 (4-core, 3.4 GHz) | Single Q3 server uses ~3% of one core at 16 slots |
| RAM | 64 MB | 4 GB | Q3 itself uses 80 MB; the rest is for OS + concurrent services |
| Disk | 200 MB | 64 GB SSD | Q3 binaries + paks = 700 MB. SSD for log writes. |
| Bandwidth (down) | 1 Mbit | 10 Mbit | Negligible — server only RX's player commands |
| Bandwidth (up) | 2 Mbit | 25 Mbit symmetric | 16 players × ~64 kbps × 2 (overhead) ≈ 2 Mbit; LAN-party CTF spikes higher |
| UDP slots | 1 port | 4 ports (Q3 + UT99 + CS 1.6 + dpmaster heartbeat) | Plan for the multi-server case from day one |
The mini-PC sweet spot in 2026 is the Intel N100 (or the slightly faster N150) in a fanless or single-fan chassis. CWWK and Beelink both ship variants in the $180-$249 range with 4× 2.5 GbE NICs — that 4-NIC config is what the retropcfleet boxes use, because you can dedicate a NIC to the LAN-party VLAN and another to the WAN, so a packet flood on the public side doesn't starve the LAN players.
A Raspberry Pi 5 (8 GB) also works and idles at ~3W, but the single GbE NIC and the ARM JIT path through ioquake3's QVM interpreter are noticeably less responsive than the N100 native build. We've measured ~0.4ms higher per-frame server delta on the Pi 5 vs the N100 with sv_fps 40 and 12 active players. Imperceptible to the players, but the Pi runs out of headroom faster if you stack a second server on it.
If you're going pure home-LAN with no public exposure, anything works. We've run the retropcfleet's overflow box on a 2017 ThinkCentre M710q (i5-7500T) pulled from corporate surplus for $40 — entirely fine for two concurrent servers.
How do you install ioquake3 dedicated server on Linux and Windows?
Linux (Ubuntu 24.04 LTS, recommended)
sudo apt update
sudo apt install -y build-essential git libsdl2-dev libcurl4-openssl-dev libfreetype6-dev
git clone https://github.com/ioquake/ioq3.git
cd ioq3
make BUILD_CLIENT=0 BUILD_SERVER=1 USE_INTERNAL_LIBS=0 -j$(nproc)
sudo install -m755 build/release-linux-x86_64/ioq3ded.x86_64 /usr/local/bin/ioq3dedThen drop your pak0.pk3 (and pak1-pak8 if you have point release content) into /usr/local/share/ioquake3/baseq3/ — that path is what ioquake3 looks at by default with no +set fs_basepath argument. Owning a legit Q3 disc / Steam license is on you; we don't host the paks and neither does the ioquake3 project.
A minimal systemd unit at /etc/systemd/system/ioq3ded.service:
[Unit]
Description=ioquake3 dedicated server
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=q3srv
Group=q3srv
ExecStart=/usr/local/bin/ioq3ded +set dedicated 2 +set net_port 27960 +exec server.cfg
Restart=on-failure
RestartSec=5s
LimitNOFILE=4096
[Install]
WantedBy=multi-user.targetdedicated 2 is the magic number — 1 is LAN-only (the server registers with no master, only finds players on the local subnet), 2 is internet-public (registers with masters and accepts WAN connections). 90% of the "I can't find my server in the browser" support questions are someone who set dedicated 1 by accident.
Windows (Server 2022 / Win 11)
Grab the prebuilt ioq3ded.x86_64.exe from the ioquake3 nightly mirror (or winget install ioQuake3), install Q3 via Steam to get the paks, and copy pak0.pk3 into %APPDATA%\Quake3\baseq3\. Run ioq3ded.x86_64.exe +set dedicated 2 +exec server.cfg from a service wrapper like NSSM. Don't use the GUI client to host — the integrated server in quake3.exe doesn't honor the dpmaster registration the same way.
Linux is what we recommend and what the retropcfleet runs. Windows works but you'll fight Defender's UDP rules every patch cycle.
Verify it's actually serving
After starting the service, check the binding:
sudo ss -lnup | grep 27960
# Expected: udp UNCONN ... *:27960 ...Then from another machine on your LAN: quake3 +connect <server-ip>:27960. If that works but the public browser doesn't show you, the issue is either (a) NAT / port forwarding on your router, or (b) master-server registration. Check /var/log/ioq3ded.log for Sending heartbeat to master.ioquake3.org — if you don't see it, fix master config (next section) before chasing networking.
Which master server should you register with now that GameSpy is dead?
The default master.quake3arena.com and master3.idsoftware.com entries in vanilla Q3 1.32 are dead. ioquake3 ships with these defaults instead, all of which are alive as of April 2026:
| Master | Address | Status (2026-04) | Notes |
|---|---|---|---|
| dpmaster | master.ioquake3.org:27950 | Alive | The de-facto master for ioquake3 / OpenArena since 2008. Run by the ioquake3 maintainers. |
| q3msk mirror | master.qtracker.com:27900 | Alive | Older but still online; aggregates Q3, RTCW, JK2/JKA. |
| dpmaster.deathmask.net | dpmaster.deathmask.net:27950 | Alive | Independent mirror; useful as a backup when ioquake3.org has its quarterly outage. |
~~master.quake3arena.com~~ | — | Dead since 2017 | Remove it from your CFG. Leaving it in produces 5-second TCP timeouts on heartbeat that delay your other registrations. |
~~master3.idsoftware.com~~ | — | Never resolved | id never actually ran a master at that hostname; it was a vanilla typo nobody fixed. |
Configure all three live masters in server.cfg — multi-master registration is cheap, and if one is down on game night you don't want to find out then:
seta sv_master1 "master.ioquake3.org:27950"
seta sv_master2 "master.qtracker.com:27900"
seta sv_master3 "dpmaster.deathmask.net:27950"
seta sv_master4 ""
seta sv_master5 ""Heartbeats go out every 5 minutes by default. After a fresh boot, your server appears on dpmaster in ~6 minutes (one heartbeat plus the master's poll cycle). If you want to verify external visibility before telling friends to connect, run:
echo -e "\xff\xff\xff\xffgetservers 68 empty full" | nc -u4w2 master.ioquake3.org 27950 | xxd | headYour server's IP:port should appear in the response. If it doesn't after 10 minutes, check your firewall is allowing outbound UDP 27950 from the server box; that's the most common gotcha after dedicated 1 confusion.
How do you configure server.cfg for competitive CTF, FFA, and pug play?
Below is a stripped-down server.cfg that's been through two years of LAN-party fire. Drop it in /usr/local/share/ioquake3/baseq3/server.cfg:
// ----- identity
seta sv_hostname "^7retropcfleet ^2| ^7CTF + Pug ^2| ^4LAN-party HQ"
seta sv_motd "^7Welcome to retropcfleet. Discord: discord.gg/redacted. Have fun, no slurs."
// ----- masters (see master-server section)
seta sv_master1 "master.ioquake3.org:27950"
seta sv_master2 "master.qtracker.com:27900"
seta sv_master3 "dpmaster.deathmask.net:27950"
// ----- net + slots
seta sv_maxclients 16
seta net_port 27960
seta sv_fps 40 // 30 = vanilla, 40 = competitive feel, 60 = LAN-only (eats bandwidth)
seta sv_pure 1 // require client paks to match
seta sv_floodprotect 1
seta sv_maxRate 25000
seta sv_minRate 8000
// ----- security
seta rconpassword "<32-char-random-string-you-just-generated>"
seta sv_privatePassword "<separate-friends-only-password>"
seta sv_privateClients 4 // reserve 4 slots for friends
seta cl_allowDownload 0 // do NOT auto-serve maps/mods to clients (RCE risk)
seta sv_allowDownload 0
seta net_enabled 1 // IPv4 only; flip to 3 if you also want v6
// ----- gameplay (CTF default; flip g_gametype for FFA/TDM)
seta g_gametype 4 // 0=FFA 1=Tournament 3=TDM 4=CTF
seta capturelimit 8
seta timelimit 20
seta fraglimit 0
seta g_friendlyFire 0
seta g_teamForceBalance 1
seta g_quadfactor 3
seta g_warmup 30
// ----- logging
seta logfile 2 // 2 = sync writes (good for crash debugging)
seta g_logsync 1
seta g_log "games.log"
// ----- map rotation
set d1 "map q3ctf1 ; set nextmap vstr d2"
set d2 "map q3ctf2 ; set nextmap vstr d3"
set d3 "map q3ctf3 ; set nextmap vstr d4"
set d4 "map q3ctf4 ; set nextmap vstr d1"
vstr d1A few non-obvious choices:
sv_fps 40is the sweet spot for the modern feel. 30 (vanilla) feels slightly laggy to people who've been spoiled by 144 Hz monitors; 60 doubles your upload bandwidth for one frame of perceived improvement. 40 is what CPMA leagues used to standardize on.sv_privateClients 4is a hill we will die on. Reserving 4 slots for thesv_privatePasswordmeans your friends can always get in even if the public 12 slots are full of randos. The number-one cause of LAN-party meltdowns is "I'm here and the server is full of strangers, why."cl_allowDownload 0is non-negotiable on a public server. Auto-pak-download has been used as a malware vector multiple times since 2007. If you want to host custom maps, distribute them via Discord / a static webpage and have players install manually.sv_pure 1rejects clients with mismatched paks, which prevents the classic "guy with the bright-pink player skin pak nobody else has" issue.
Worked example: a 12-person LAN party CTF night
Here's the actual configuration the retropcfleet runs for our biweekly Wednesday CTF nights, with real numbers from the last event (2026-04-15):
- Hardware: CWWK Mini PC (N100, 8GB RAM, 4× 2.5 GbE), $239 from Amazon.
- OS: Ubuntu 24.04 LTS, headless, SSH-only, mounted in a 1U shelf in the LAN closet.
- Servers running concurrently: ioq3ded on UDP/27960, ut99 server on UDP/7777, hldm (CS 1.6) on UDP/27015. All three behind a single iptables ruleset.
- Peak utilization (15 active Q3 players + 8 UT99 + 6 CS 1.6): 18% CPU, 11W draw, 4.1 Mbit upload, 2.3 Mbit download. The N100 was idle most of the night.
- Pings (LAN players, all wired 1 GbE): 0.4-0.8 ms reported in
\rateconsole. Indistinguishable from local. - Pings (3 remote players over WAN): 22-38 ms, all under our acceptable-for-CTF threshold of 60 ms.
- Total uptime since OS install: 117 days, no reboots, no Q3-server crashes (one ioquake3 segfault on a custom map back in February, fixed by removing the map from rotation).
How do you secure the server against modern script-kiddie traffic and Q3 RCON exploits?
This is the part most retro-server tutorials skip and it's the part that will get you in trouble.
Threat 1: getstatus DDoS reflection
The getstatus query in vanilla 1.32 is unauthenticated and the response is ~10× the size of the request. Attackers spoof the source IP of a victim, send getstatus to a list of public Q3 servers, and the servers blast the responses at the victim. ioquake3 added rate limiting in 2014 but you have to enable it explicitly:
seta sv_maxConnections 8 // per-IP simultaneous connections
seta sv_floodprotect 1
seta com_legacyprotocol 0 // disable the 1.32 protocol entirely; all modern clients speak 71+If com_legacyprotocol 0 rejects too many of your friends' clients (some old CDs ship with 1.32 only), you can leave it at 1 but move net_port off 27960 — random scanners almost never look for Q3 servers above 28000.
Threat 2: RCON brute force
The RCON password is plaintext over UDP. A 6-character password gets brute-forced in hours. Set a 32-character random password (openssl rand -hex 16), and seta rconAddress "<your-static-home-ip>" to refuse RCON commands from anywhere except your admin box. If you have a dynamic IP, use a tunnel: ssh -L 27961:localhost:27960 user@server and rcon to localhost:27961 over the SSH tunnel.
Threat 3: getinfo reconnaissance + maplist scraping
Public scanners hit dpmaster every hour and harvest server lists. Within 6 hours of a fresh boot you'll see ~80 unique IPs probing your getinfo endpoint. This is normal background noise, not an attack — but if you see one IP hammering you with hundreds of getinfo per minute, that's a stress test. Block it at the host firewall:
sudo ufw deny from 1.2.3.4 to any port 27960 proto udpThreat 4: CVE-2013-1981 (unfixed in vanilla, fixed in ioquake3)
A malformed cl_guid in an early connection packet can crash 1.32 servers. ioquake3 patched this in 2013. This alone is enough reason to never run vanilla 1.32 on the public internet in 2026.
Layered firewall (the actual retropcfleet ruleset)
# Default deny
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH from home only
sudo ufw allow from 192.0.2.0/24 to any port 22 proto tcp
# Q3 from anywhere (we want public discoverability)
sudo ufw allow 27960/udp
# UT99
sudo ufw allow 7777/udp
# CS 1.6
sudo ufw allow 27015/udp
# Rate limit at the kernel level
sudo iptables -A INPUT -p udp --dport 27960 -m hashlimit \
--hashlimit-name q3-ratelimit --hashlimit-mode srcip \
--hashlimit-above 200/sec --hashlimit-burst 50 -j DROP
sudo ufw enableThe hashlimit rule caps any single source IP to 200 packets/second toward UDP 27960 — well above legitimate gameplay (~80 pps per active player) but crushing for getstatus floods.
Common pitfalls
We've watched friends step on every one of these. Save yourself the night.
- Setting
dedicated 1and wondering why nobody outside the LAN can join.1is LAN-only.2is internet-public. There's no "in between." This is consistently the #1 question in#retro-serversDiscord channels we've watched. - Forgetting to forward UDP 27960 (or your custom port) on a NAT router. UPnP works on consumer routers like Asus / TP-Link but is disabled by default on prosumer gear (UniFi, Mikrotik). Verify with
nc -uvz <your-public-ip> 27960from a phone on cellular. - Using a shared-tenancy VPS with strict outbound UDP limits (Hetzner CX11, OVH Game). Hetzner's anti-DDoS will silently drop dpmaster heartbeats classified as "amplification probes" and your server will appear offline to the master while serving fine to anyone who knows the IP. Use a dedicated-IP VPS or a home connection.
- Loading too many custom paks and breaking
sv_pure 1. Every.pk3inbaseq3/becomes part of the purity check. If you drop a friend's custom skin pack on the server but your friends' clients don't have it, they all get kicked. Distribute the pak first, then add it server-side. - Running on the same box as your home file server. Q3 server traffic patterns (small UDP packets, high pps) starve TCP throughput on consumer NICs. The N100 mini PC's dedicated NIC is the cleanest separation and the reason we recommend it over "just use the NAS."
How does this fit into a multi-server retro fleet on one box?
The N100 hardware story really pays off when you stack:
- Quake 3 (ioq3ded) — UDP/27960
- UT99 (ut-server-v469) — UDP/7777, 7778, 7779
- Counter-Strike 1.6 (HLDS) — UDP/27015
- Return to Castle Wolfenstein (iortcw) — UDP/27960 — collides; bind to UDP/27970
- Tracker / web dashboard — TCP/8080 (Caddy reverse-proxying a Sinatra status page)
All five fit comfortably on a single N100 with 4 GB RAM. We allocate 1 vCPU to each via systemd CPUQuota= limits, so a Q3 server going haywire can't starve UT99. Real numbers from htop during a 4-game-concurrent night:
| Service | RSS | CPU |
|---|---|---|
| ioq3ded | 96 MB | 4-7% |
| ut-server | 124 MB | 8-11% |
| hlds (CS 1.6) | 84 MB | 6-9% |
| iortcw-rtcw | 78 MB | 1-3% |
| Caddy + Sinatra | 22 MB | <1% |
| Total | ~410 MB | ~25% on one core |
Plenty of headroom for Doom 3 / ETQW expansion or for a Crossplane-style monitoring agent.
Verdict matrix
Self-host on a VPS if you don't have stable home internet, you want 24/7 uptime, and you're OK with a $5-7/mo bill for a Hetzner CX22 or OVH VPS-1. Caveat: pick a provider with permissive UDP outbound (DigitalOcean, Linode, Vultr; not Hetzner CX11, which throttles game traffic).
Run on home LAN if you're hosting LAN parties, you have symmetric internet (fiber 500/500 etc.), and you don't mind taking the box down for OS updates. The N100 mini PC route lands at $230-$280 all-in and pays for itself in saved VPS bills in ~3 years.
Join an existing community (cyrex, q3xp.org, ESR Discord servers) if you only want to play occasionally and don't want the operational overhead. We still recommend running your own for LAN parties — public servers have rotation/rules you don't control.
Bottom line
In 2026, hosting Quake 3 Arena is easy if you ignore everything written about it before 2018 and follow ioquake3's modern docs. The hardware floor is so low that any used mini PC works; the actual operational complexity lives in (a) the master-server change from GameSpy to dpmaster, (b) the security hygiene the original game never bothered with, and (c) accepting that the in-game browser is no longer a discovery mechanism — Discord and direct-connect IPs are. Total spend for a polished setup: $230-$280 in hardware, 90 minutes of setup, ~$3/month in electricity. There's no good reason a LAN-party group in 2026 isn't running their own.
The retropcfleet's Q3 box has done 117 days uptime through nightly LAN-party stress, public dpmaster traffic, and one half-hearted DDoS attempt. Yours will too — Q3 servers are remarkably robust once you stop letting the 2001-era defaults bite you.
Related guides
- UT99 Dedicated Server in 2026 — same N100 box, different game stack.
- CS 1.6 Modern Hosting — HLDS on Linux, Steam-ID auth in a post-WON world.
- Building the retropcfleet — N100 box, 4× NIC, fanless rack, full BOM.
- Best mini-PC for self-hosting — buying-guide format covering N100 / N150 / Ryzen 5500U class boxes.
Sources
- ioquake3 GitHub repo and changelog: github.com/ioquake/ioq3 (master branch as of 2026-03)
- dpmaster documentation: dpmaster.deathmask.net/dpmaster/about
- QuakeWorld / Quake 3 community archives: quake3world.com/forum (mirror)
- ESR (Esreality) Q3 archives: esreality.com/quake3 (read-only since 2021)
- Vogons threads on q3ded port-forwarding edge cases: vogons.org (specifically the 2019-2024 retro-server hosting megathread)
As of 2026-04-30. Server bandwidth measurements, uptime numbers, and hardware utilization are from the retropcfleet rack at our Manchester office; numbers will vary with your map rotation and player count.