Panel Configuration
Configuring TCPShield for your network
Some individuals may find it easier to follow the video series we have created for configuring TCPShield. This guide explains the process in more detail, but for simple configurations the series will cover most cases.
If you are having trouble with the setup process, please make sure to read through our Setup Checklist or use our Debug Tool to determine the issue. If all else fails, you can reach out to us here.
The first step for using TCPShield is signing up for our panel. After you have registered, you will be greeted with our home page.
A "network" represents a single Minecraft network. This could be as simple as a vanilla survival Spigot server, or a 2000-player network with multiple BungeeCord instances. A network can be named anything you'd like; this tutorial will use CrunchyPvP as our fake Minecraft server.
In TCPShield terminology, a backend is something TCPShield routes traffic to. For example, this could be a single Spigot server, a BungeeCord instance, or perhaps even multiple BungeeCords. Here, we need to add the IPs of the network we are trying to connect to TCPShield.
First, navigate to the backend sets page and click "Add Set."
We can name the group of backends we are about to add whatever we'd like. In my case, I'm going to call this "Production" because these are the backends we will be using in the live environment for my server.
In the example of CrunchyPvP, I am running two BungeeCords I want to load balance between, so I'm going to add the IP/port combination for both of those instances (1.1.1.1:25565, 1.2.3.4:25565).
Click save.
Notice: I did not add anything related to my Spigot servers here. ONLY the thing accepting the connection from the TCPShield network should be listed here. If you want to have just a single Spigot instance, you would point directly to that.
First, navigate to the domains page and click "Add Domain".
My domain is CrunchyPvP.net, which I will insert into the modal. I will then click the dropdown for the backend set and use the one we just created.
Badlion Proxy is an optional step that is specific for users of Badlion AntiCheat. This is not something required for most networks.
Then, click "Begin verification"
Domain verification is the process we require for all domains on the TCPShield network. This confirms ownership of the domain using DNS and is required for security reasons. We recommend that you use TXT records when you verify your domain.
For this step, I will copy the TXT record and insert it on the root (required) of my domain in the Cloudflare DNS manager.
Once my domain is saved, you can attempt to verify the domain on the TCPShield panel.
Unfortunately, it can sometimes take up to several hours for DNS to fully propagate to where Cloudflare (our internal resolver) will see it. This is why we highly recommend everyone use Cloudflare for DNS management. This process often trips people up, so before contacting TCPShield staff, we encourage you to double-check that the TXT record has properly propagated worldwide using https://www.whatsmydns.net.
As a general note, from our observations Namecheap DNS takes the longest with an average time of 5 hours.
Now that we have verified the domain with TCPShield, we need to decide how we want players to connect to our network. Often, owners want players to only join with a subdomain like play.crunchypvp.net. Other times, owners would like players to be able to join with either play.crunchypvp.net or crunchypvp.net but still allow a website to exist with an A record.
I want my server to allow people to join through CrunchyPvP.net, so I will set this accordingly in the hostname field on the domain page. TCPShield domains are wildcarded, so we do not need to add another record for play.crunchypvp.net.
From here, we will need to configure DNS to point to the TCPShield network. Please follow our DNS guide and return here once you have completed the setup process.
On the domains page, you will be given downloads to the TCPShield plugin. This plugin must be installed while using TCPShield in order for players to have the correct IP addresses on your server. If you don't run these plugins, all players will look like they are originating from the same IP address.
These plugins are open source, and are available for modification and pull requests here.
Note: If you are running a BungeeCord server, you only need the Real IP plugin on your BungeeCord instances.
Note: If you are running Lilypad (while not recommended), you will need to contact us for a way to get the correct IP addresses for your players. This is a limitation of Lilypad (no plugins), not TCPShield.
You can learn more about the plugin, its configuration, and why it's important here.
If your server already has plugins that authenticate players (antiBot, antiVPN or authMe), our plugin might be incompatible. In that case, to properly forward your players' IP addresses, you can set up Proxy Protocol:
Make sure the TCPShield plugin is not installed.
Enable proxy-protocol (or haproxy-protocol if you are using Velocity) in your proxy's config.
Enable proxy-protocol in your backend set on the TCPShield Web panel.
For customers with eligible TCPShield Bedrock setup: Set enable-proxy-protocol and use-proxy-protocol to true in your Geyser config (under the Bedrock and Remote sections respectively).
More information regarding Proxy Protocol can be found here. At this step, it is also recommended to firewall your backend so that it does not accept connections except from TCPShield sources.
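Why the firewall recommendation matters, as an added example that is not TCPShield's or any proxy's own code: with Proxy Protocol enabled, the backend takes the player's address from the header at the start of each connection, so that header should only be honored when the connecting peer is a TCPShield address. The allowlist uses documentation ranges as placeholders, the function names are hypothetical, and only TCP over IPv4 headers (PROXY protocol versions 1 and 2) are handled.

```python
import ipaddress
import socket
import struct

# Placeholder allowlist (documentation ranges, NOT TCPShield's real ranges).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 preamble


def peer_is_trusted(peer_ip):
    """True if the TCP peer (not the header) is inside the allowlist."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_proxy_header(data):
    """Return (client_ip, client_port, header_length) for a TCP/IPv4 header."""
    if data.startswith(V2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
        if ver_cmd != 0x21 or fam_proto != 0x11 or length < 12:
            raise ValueError("unsupported v2 header")
        if len(data) < 16 + length:
            raise ValueError("truncated v2 header")
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", data[16:28])
        return socket.inet_ntoa(src), sport, 16 + length
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes
        if end == -1:
            raise ValueError("unterminated v1 header")
        fields = data[:end].decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] != "TCP4":
            raise ValueError("unsupported v1 header")
        ipaddress.IPv4Address(fields[2])  # raises ValueError if malformed
        return fields[2], int(fields[4]), end + 2
    raise ValueError("no PROXY header")


def resolve_client(peer_ip, first_bytes):
    """Address to log and ban on, or None when the connection should be dropped."""
    if not peer_is_trusted(peer_ip):
        return None  # never honor a header sent by a non-allowlisted peer
    try:
        ip, port, _ = parse_proxy_header(first_bytes)
    except ValueError:
        return None
    return ip, port
```

The same allowlist belongs in the host or network firewall, so that connections from other sources never reach the listening port at all.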
Congratulations! 🎉 You have officially joined the TCPShield Network! If something didn't work quite right, don't hesitate to contact us using the ticket system on our Discord. While you wait for help from our staff, we strongly encourage you to triple-check all the configuration steps we've made here. We also have a checklist that can assist you in determining issues.