Panel Configuration
Configuring TCPShield for your network
Last updated
Was this helpful?
Configuring TCPShield for your network
Last updated
Was this helpful?
Some individuals may find it easier to follow a we have created for configuring TCPShield. This guide will explain with more detail, but for simple configurations our series will cover most cases.
A "network" is the idea of a single Minecraft network. This could be as simple as a vanilla survival spigot server, or a 2000 player network multiple BungeeCord instances. A network can be named anything you'd like, this tutorial will be using CrunchyPVP as our fake minecraft server.
In TCPShield terminology, a backend is considered something TCPShield routes traffic too. For example, this could be a singular Spigot server, a BungeeCord instance, or a perhaps even multiple BungeeCords. Here, we need to add the IP's of our network we are trying to connect to TCPShield.
We can name the group of backends we are about to add as whatever we'd like. In my case, I'm going to call this "Production" because these are the backends we will be using in our live environment for my server.
In the example of CrunchyPvP, I am running two BungeeCords I want to load balance between, so I'm going to add the IP/port combination for both of those instances (1.1.1.1:25565, 1.2.3.4:25565).
Click save.
Notice: I did not add anything related to my spigot servers here. ONLY the thing accepting the connection from the TCPShield network should be listed here. If you want to have just a single spigot instance, you would point directly to that.
When adding multiple servers behind the same backend set, you can choose suitable load balacing mode as follow:
Least connection (Default): Players are directed to the backend server with the fewest active connections.
Random: Players are assigned to a backend server at random.
Latency: Our latest addition—connections are now balanced based on latency, ensuring players join the server with the lowest available latency for the best experience.
First, navigate to the domains page and click "Add Domain".
My domain is CrunchyPvP.net, which I will insert into the modal. I will then click the dropdown for the backend set and use the one we just created.
Badlion Proxy is an optional step that is specific for users of Badlion AntiCheat. This is not something required for most networks.
Then, click "Begin verification"
Domain verification is the process we require for all domains on the TCPShield network. This confirms ownership of the domain using DNS and is required for security reasons. We recommend when you verify your domain, you use TXT records.
For this step, I will copy the TXT record and insert it on the root(required) of my domain on Cloudflare DNS manager.
Once my domain is saved, you can attempt to verify the domain on the TCPShield panel.
As a general note, from our observations Namecheap DNS takes the longest with an average time of 5 hours.
Now that we have verified the domain with TCPShield, we need to decide how we want players to connect to our network. Often, owners want players to only join with a subdomain like play.crunchypvp.net. Other times, owners would like the ability for both players to join with play.crunchypvp.netor crunchypvp.net but still allow a website to exist with an A record.
I want my server to allow people to join through CrunchyPvP.net, so I will set this accordingly in the hostname field on the domain page. TCPShield domains are wildcarded, so we do not need to add another record for play.crunchypvp.net.
On the domains page, you will be given downloads to the TCPShield plugin. This plugin must be installed while using TCPShield in order for players to have the correct IP addresses on your server. If you don't run these plugins, all players will look like they are originating from the same IP address.
Note: If you are running a BungeeCord server, you only need the Real IP plugin on your BungeeCord instances. Note: If you are running Lilypad (while not recommended), you will need to contact us for a way to get the correct IP addresses for your players. This is a limitation of Lilypad (No plugins), not TCPShield.
If your server might already have plugins that authenticate players (antiBot, antiVPN or authMe) - then our plugin might be incompatible. In that case, to properly forward your player's IP addresses, you can setup Proxy Protocol:
Make sure TCPShield plugin is not installed.
Enable proxy-protocol (or haproxy-protocol if you are using Velocity) in your proxy's config.
Enable proxy-protocol in your backend set on the TCPShield Web panel.
If you are having trouble with the setup process, please make sure to read through our Setup Checklist or use our to determine the issue. If all else fails, you reach out to us .
The first step for using TCPShield is signing up for . After you have registered, you will be greeted with our home page.
First, navigate to the page and click "Add Set."
For customers using : There's now an option in your backend that, when enabled, ensures your server is fully compatible with the plugin.
This process can unfortunately can take sometimes up to several hours for DNS to fully propagate to where Cloudflare (our internal resolver) will see it. This is why we highly recommend everyone use Cloudflare for DNS management. This process often trips up many people, so before contacting TCPShield staff, we would encourage to double check that the TXT record has properly propagated worldwide using .
From here, we will need to configure DNS to point to the TCPShield network. Please follow our and return here once you have completed the setup process.
These plugins are open source, and are available for modification and pull requests .
You can learn more about the plugin, its configuration, and why its important .
For customers with eligible TCPShield setup: Set enable-proxy-protocol and use-proxy-protocol to true in your Geyser config (Under Bedrock and Remote section respectively).
More information regarding Proxy Protocol can be found . It's recommended at this step to also firewall your backend to not accept connection except from TCPShield sources.
Congratulations! 🎉 You have officially joined the TCPShield Network! If something didn't work quite right, don't hesitate to contact us using the ticket system on our . While you wait for help from our staff, we strongly encourage you triple check all the configuration steps we've made here. We also have a that can assist you determining issues.
