Multi-player Mode
Multiplayer mode allows multiple operators to connect to the same Sliver server and collaborate on engagements. The easiest way to set up a server for multiplayer is to use the Linux install script, which configures the server as a systemd service. However, any sliver-server binary supports multiplayer mode.
Sliver exposes the operator-facing multiplayer listener directly over gRPC/mTLS by default. You can opt into a dedicated WireGuard wrapper with --enable-wg; the gRPC/mTLS authentication stack still runs inside that tunnel.
ββββββββββββββββββββ C2
β β Protocol βββββββββββ
β Sliver C2 Server βββββββββββββββΊβ Implant β
β β βββββββββββ
ββββββββββββββββββββ
β²
β
UDP/WireGuard (default) β
gRPC/mTLS inside β
ββββββββββββββ¬βββββββββ΄ββββββ¬ββββββββββββ
β β β β
βββββββ΄βββ β β ββββ΄ββββββ
βWindows β ββββββ΄ββββ ββββββ΄ββββ βWindows β
βOperatorβ βLinux β βMacOS β βOperatorβ
ββββββββββ βOperatorβ βOperatorβ ββββββββββ
ββββββββββ ββββββββββ
Default WireGuard-Protected Mode
Operators will need to download their preferred platform's client software from the releases page. Clients can connect to servers of differing platforms (e.g. a Windows client can connect to a Linux server). Operators and servers authenticate using Mutual TLS, however all the certificates are managed automatically for you.
- If you did not install the server as a systemd service, be sure to leave the server console running in screen or tmux after starting the multiplayer listener.
- If you did install the server as a systemd service, see the CLI section below for an alternative to the console commands for generating operator configs.
Operators need a configuration file generated by the Sliver server to connect in multiplayer mode. The Sliver client can support multiple configuration files, but you can only be connected to one server at a time (per process).
In the default mode:
multiplayerexposes a WireGuard listener on--lport(default31337) over UDP.- The authenticated gRPC/mTLS server only listens inside that WireGuard tunnel.
new-operatorgenerates a per-operator WireGuard keypair and tunnel IP, then embeds that information in the operator config'swgblock.- The multiplayer listener uses WireGuard keys that are separate from Sliver's implant
wgC2 listener. sliver-clientautomatically uses the WireGuard wrapper when the imported config contains thatwgblock.
From the server, start the multiplayer listener and generate an operator config with the server's public address or hostname in --lhost. Use --permissions all for a standard interactive operator profile:
Note: The new-operator and multiplayer commands are only available from the server console.
[server] sliver > multiplayer
[*] Multiplayer mode enabled!
[server] sliver > new-operator --name moloch --lhost 1.2.3.4 --permissions all
[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /Users/moloch/Desktop/moloch_example.com.cfg
IMPORTANT: Before clients can connect to a server you must start a multiplayer listener with the multiplayer command. By default multiplayer is exposed directly on TCP/31337. If you enable the wrapper, the outer listener becomes UDP/31337 and the gRPC/mTLS service stays inside the tunnel.
You can now give this configuration file moloch_example.com.cfg to the operator and they can connect to the server using the sliver-client binary. The Sliver client will look for configuration files in ~/.sliver-client/configs/ or you can import configs using the import CLI. The configs directory can contain multiple configs for different servers.
$ ./sliver-client import ./moloch_example.com.cfg
$ ./sliver-client
? Select a server: [Use arrows to move, type to filter]
> example.com
localhost
Direct mTLS Mode
If you want the old behavior, or you need compatibility with third-party gRPC clients that do not implement the multiplayer WireGuard wrapper, disable it on both the listener and the generated operator profile:
[server] sliver > multiplayer
[*] Multiplayer mode enabled!
[server] sliver > new-operator --name tester --lhost 1.2.3.4 --permissions all
[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /Users/tester/Desktop/tester_example.com.cfg
In direct mode:
- Multiplayer is exposed directly over TCP on
--lport(default31337). - Generated operator configs omit the
wgblock. sliver-client --enable-wgopts into the multiplayer WireGuard wrapper when the operator config includes awgblock.
The listener mode, operator config, and client flag need to match. A WireGuard-wrapped listener needs a wg block in the operator profile plus sliver-client --enable-wg. Direct multiplayer works without the wg block and without the flag.
Server CLI / Daemon Mode Multiplayer
If the server is running in daemon mode, the multiplayer listener is started for you without an interactive console. By default the daemon uses direct multiplayer mTLS. You can opt into the WireGuard wrapper with sliver-server daemon --enable-wg or daemon.enable_wg: true in server.yaml.
Use the server CLI to generate operator configuration files:
./sliver-server operator --name zer0cool --lhost 1.2.3.4 --permissions all --save zer0cool.cfg
Operator profiles omit the multiplayer wg block by default. Add --enable-wg when the listener is wrapped in WireGuard.
The installation script places the sliver-server binary in /root by default.
Tailscale Integration
Sliver supports multiplayer integration with Tailscale, which is an excellent option when you want to keep the multiplayer listener off the public Internet.
Tailscale mode is separate from the default multiplayer WireGuard wrapper. When you use multiplayer -T, Sliver exposes the listener only through Tailscale instead of layering its own multiplayer WireGuard tunnel on top.
$ export TS_AUTHKEY=<tailscale authkey>
$ ./sliver-server
sliver > multiplayer -T
You should now see a new Tailscale host named sliver-server-<machine>. Use that hostname as --lhost when generating operator configs for other hosts on the same tailnet. Tailscale multiplayer does not use the multiplayer WireGuard wrapper, so operator profiles should be generated without --enable-wg.