How to Set Up an MTA:SA Server on a Windows VPS from Scratch
Set up a Multi Theft Auto: San Andreas server on a Windows VPS: official download, mtaserver.conf, firewall ports, ACL, and your first stable connection.
Standing up a Multi Theft Auto: San Andreas server on a Windows VPS does not require a complex stack, but a few details trip up beginners: UDP port 22126 closed and the server never appears on the public list, a bad ACL keeps admins from logging in, or a malformed tag in mtaserver.conf prevents the binary from booting at all. This tutorial walks through the full path from zero — official package download, minimum working configuration, firewall, ACL, and connectivity validation.
The target audience is anyone who has never run an MTA Server and wants a solid base to grow into freeroam, race, or a custom Lua gamemode later. Time to complete: about 30 minutes from the first RDP login until the server shows up in the client and accepts a real connection.
Picking Windows Server makes sense if you prefer a familiar environment, direct RDP for tweaking configs, and the .NET tooling ecosystem for automation. Linux runs the same binary with its own tarball, but that falls outside the scope of this guide.
Prerequisites
A Windows Server 2019 or 2022 VPS with at least 2 vCPUs, 4 GB of RAM, and 20 GB of SSD storage. Administrative access via RDP, the MTA:SA 1.6 client installed on your local machine for testing, and a legitimate copy of GTA: San Andreas (the MTA client is free; the base game is required by the client).
Windows Server 2022 1.6 (stable) 22003 UDP 22126 UDP 22005 TCP 4 GB When sizing capacity, the main bottleneck of an MTA Server is single-thread CPU performance — the main server loop does not spread work across cores. That’s why 2 vCPUs at a high clock rate deliver more than 4 slower vCPUs. SSD storage avoids stutter when the server hot-reloads resources.
Download the official MTA Server package
The MTA server is distributed as a ZIP by the MTA Team on the official site. Always download from the canonical source: third-party packages frequently ship with injected resources or patched binaries that compromise the entire VPS.
Connect to the VPS via RDP using the credentials from provisioning. Open PowerShell as administrator and create the folder structure:
New-Item -Path "C:\MTAServer" -ItemType Directory
Set-Location "C:\MTAServer"Keeping the server out of C:\Program Files\ avoids UAC permission issues when the process tries to write logs and script caches.
Download the stable 1.6 package straight from the official site using PowerShell:
Invoke-WebRequest -Uri "https://linux.mtasa.com/dl/multitheftauto_linux_x64.tar.gz" -OutFile "mta.tar.gz"For Windows, the official installer is at https://mtasa.com/. Download it via browser on the VPS itself and extract the contents into C:\MTAServer. The Windows installer adjusts environment variables and creates the server/, mods/deathmatch/, and MTA Server.exe layout.
Verify the expected final structure:
C:\MTAServer\
├── MTA Server.exe
├── server\
│ └── mods\
│ └── deathmatch\
│ ├── mtaserver.conf
│ ├── acl.xml
│ └── resources\
└── x64\If the resources folder is missing, the server boots but loads no gamemode — clients connect and stare at an empty map.
Configure mtaserver.conf
The mtaserver.conf file defines identity, ports, ACL, and which resources start at boot. It’s XML — any unclosed tag prevents the binary from starting.
Open C:\MTAServer\server\mods\deathmatch\mtaserver.conf in Notepad++ (do not use plain Notepad — it mangles encoding on files with non-ASCII characters). Adjust the essential blocks:
<servername>My Hostini Server</servername>
<serverip>auto</serverip>
<serverport>22003</serverport>
<httpport>22005</httpport>
<maxplayers>32</maxplayers>
<ase>1</ase>
<donotbroadcastlan>0</donotbroadcastlan><ase>1</ase> is what registers your server on the public list via UDP 22126. Without it, no one finds you even with everything else configured correctly.
Configure the resources that start at boot. Find the <resource ... /> block and adjust it for the standard freeroam setup:
<resource src="freeroam" startup="1" protected="0" />
<resource src="admin" startup="1" protected="0" />
<resource src="parachute" startup="1" protected="0" />These three cover the minimum functional setup: player spawn, the admin web panel on the HTTP port, and a parachute item. You can evolve later to race, official deathmatch, or a custom gamemode.
Before starting the server for the first time, set a strong password for the admin user in acl.xml or via the addaccount command in the console. An MTA server without an admin password exposed on the internet becomes a target within hours — bots sweep port 22003 looking for the default ACL.
Open ports in the Windows firewall
By default, Windows Server blocks every inbound port except RDP. You need to add explicit rules for the three MTA ports before the first boot.
Open PowerShell as administrator and create the firewall rules:
New-NetFirewallRule -DisplayName "MTA Server Game" -Direction Inbound `
-Protocol UDP -LocalPort 22003 -Action Allow
New-NetFirewallRule -DisplayName "MTA Server ASE" -Direction Inbound `
-Protocol UDP -LocalPort 22126 -Action Allow
New-NetFirewallRule -DisplayName "MTA Server HTTP" -Direction Inbound `
-Protocol TCP -LocalPort 22005 -Action AllowPort 22003 carries gameplay traffic (position sync, RPC calls between client and server). Port 22126 is the ASE — Anti-cheat Stats Exchange, used by the MTA master server to ping yours and list it publicly. Port 22005 TCP is the internal HTTP server that delivers downloadable client-side scripts during the handshake.
Confirm the rules are active:
Get-NetFirewallRule -DisplayName "MTA Server*" | Format-Table DisplayName, Enabled, Direction, ActionExpected output: three rows with Enabled True and Action Allow. If any show False, run Set-NetFirewallRule -DisplayName "MTA Server Game" -Enabled True.
First boot and validation
With everything configured, it’s time to bring the server up and confirm traffic is flowing.
Run the server for the first time directly through the binary:
Set-Location "C:\MTAServer"
.\"MTA Server.exe"You will see the console open with the boot log. The critical lines are Resource 'freeroam' loaded, Networking started on port 22003, and ASE service started. If you see WARNING: Resource failed to load, note the name — a file is corrupt or missing.
Create the admin account directly in the server console. Type:
addaccount admin StrongPassHere123
aclrequest list adminThe first command creates the user; the second binds it to the Admin group defined in acl.xml. Without this, even after logging in you cannot run privileged in-game commands.
From your local machine, open the MTA:SA client and try connecting directly by IP. In the main menu, go to Quick Connect and enter:
your-vps-ip:22003If you connect and spawn, the server is operational. In parallel, wait 5–10 minutes and look for the server name under the Internet tab — that’s the typical lag for the master server to propagate.
For production, register MTA Server.exe as a Windows service using NSSM. This guarantees auto-start on VPS boot, automatic restart on crash, and separate log files. NSSM is open source and takes about 5 minutes to configure — well worth it compared to running inside an RDP session that disappears when you disconnect.
Verification
The technical way to confirm everything works across 3 layers:
# 1. Process running
Get-Process "MTA Server"
# 2. Ports listening
netstat -an | Select-String "22003|22005|22126"
# 3. Firewall allowing traffic
Test-NetConnection -ComputerName your-vps-ip -Port 22003 -InformationLevel DetailedThe expected netstat output shows UDP 0.0.0.0:22003, TCP 0.0.0.0:22005 LISTENING, and UDP 0.0.0.0:22126. If any are missing, mtaserver.conf was saved with a malformed tag or the binary lacks permission to bind the port.
Troubleshooting common issues
Server doesn’t appear on the public list
Check in this order: <ase>1</ase> is in mtaserver.conf, UDP port 22126 is open in the firewall, and the VPS IP is public (not RFC 1918). Wait 10 minutes after boot — the master server polls at long intervals.
”Connection timeout” on the client even though the server is running
Almost always a firewall issue: either Windows is blocking UDP 22003, or the VPS provider has a network firewall above the OS. Test with Test-NetConnection from an external machine to confirm where the packet dies.
Resources don’t load after editing mtaserver.conf
Malformed XML is the cause in 90% of cases. Open the file in an online XML validator or in Notepad++ with the XML Tools plugin — any unclosed tag breaks the parse and the server ignores every resource defined after the error.
In a production environment, create a dedicated user (MTAService or similar) with permissions limited to the C:\MTAServer folder and run the service as that user. An MTA Server running as SYSTEM means any exploit in a custom resource grants full access to the VPS.
Next steps
With the base server running, the natural paths forward are:
- Install a complete gamemode (Race, custom Freeroam, MTA RPG) from the Community MTA
- Set up MySQL to persist accounts, stats, and player inventory
- Enable HTTPS on the resource server with a Let’s Encrypt certificate
- Register
MTA Server.exeas a Windows service via NSSM for auto-start - Configure automatic backups for the
resources/folder andacl.xml
If you’re putting this into production and need low latency for Brazil, a Hostini VPS in São Paulo delivers 10–25 ms pings to the metro area and includes DDoS protection — relevant because an MTA server with an exposed IP is a recurring target of UDP floods on port 22003.
Frequently asked questions
What's the difference between MTA Server 1.5 and 1.6?
Version 1.6 is the current stable line, with protocol fixes, better compatibility with modern clients, and HTTPS support on the resource HTTP server. 1.5 still runs, but new community resources already assume 1.6 as the baseline. For a fresh server, always start on 1.6.
Do I need to open TCP or UDP ports?
MTA:SA uses UDP on ports 22003 (game) and 22126 (ASE/public listing). Port 22005 is TCP, used by the internal HTTP server for resources. Opening only TCP blocks players from connecting; opening only UDP blocks the download of client-side scripts.
Why doesn't my server show up on the official MTA list?
The usual causes are: ase=1 missing from mtaserver.conf, UDP port 22126 blocked at the firewall, the server running behind NAT without port forwarding, or the IP being a private RFC 1918 address. The MTA master server polls UDP 22126 — no response, no listing.
How many slots can 4 GB of RAM and 2 vCPUs handle?
A vanilla freeroam server with 5 to 10 resources runs 64 slots comfortably on that spec. With a heavy gamemode like competitive MTA Race or a roleplay setup using MySQL and 40+ resources, expect 32 stable slots. The bottleneck is single-thread CPU: MTA does not scale well across multiple cores.
Do I need Windows Server or is regular Windows 10 enough?
Windows Server 2019 or 2022 is the technical pick: better scheduler for long-lived processes, no 20 inbound connection cap like the desktop editions, and official support to run as a service via NSSM. Windows 10/11 works for local dev, but in production you hit the connection ceiling at peak hours.
How do I make the server restart on its own if it crashes?
The clean approach is registering MTA Server as a Windows service using NSSM (Non-Sucking Service Manager) with automatic restart on failure. A quick alternative is a .bat file with a loop, but you lose control over the restart policy. NSSM supports dependencies, separate log files, and configurable recovery.