TCPShield Plugin

Documentation regarding the TCPShield Plugin

As of February 2022, we now support Proxy Protocol v2. The TCPShield plugin is incompatible with this feature and is no longer a requirement for our service. Please check out this page for further details.

TCPShield requires our plugin to be installed to allow access to the TCPShield Network. The plugin should only be run on your "Frontend machines" such as your BungeeCord(s) or Spigot, but never both. Historically, this plugin was referred to as RealIP, but now we simply call it the TCPShield plugin.

Configuration

Our configuration is very simple, and often requires zero change on your part.

only-allow-proxy-connections

It is very important that you keep only-allow-proxy-connections set to true when in production. If this isn't set to true, you are NOT protected by TCPShield and are vulnerable to scanners which can find your backend IP address.

timestamp-validation

Selects one of the available modes:

  • htpdate: uses a synchronized date

  • system: uses the system time

  • off: deactivates timestamp validation

enable-geyser-support

For your own safety, it is crucial that you only set this to true if you are using TCPShield's Geyser tunnel. If you do not follow our advice, your backend is not only easily scannable, but your IP is also easily queryable by DNS and thus prone to attacks. We do not provide support in case you do this anyway.

debug-mode

Can be set to true to gather useful information that can help diagnose your issues.

pre-login-event

This option can be toggled between true and false to fix a Velocity pre-login issue.

prefer-protocollib

This defaults to true, so users with ProtocolLib will use that over the regular Paper integration. This is due to that implementation exposing MOTDs to direct-connect users. It does, however, require version 5.x.x of ProtocolLib, or it will throw an error. Disable this config option if you're using Paper with an unsupported version of ProtocolLib.

IP Whitelist:

How to use this feature:

  1. Create a file with a .list extension

  2. Add each entry using a CIDR format, separated by a new line. Example:

128.24.55.1/32
54.44.33.22/27
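
An added example, not part of the TCPShield plugin or its documentation: a Python linter for a .list file in the format above that reports what each entry covers under standard CIDR semantics, so an overly broad whitelist is caught before deployment. The sample lines beyond the page's two entries, the function names and the prefix thresholds are assumptions; how the plugin itself treats an entry with host bits set is not stated on this page.

```python
import ipaddress

# Constructed sample: the page's two entries plus two lines a review should catch.
SAMPLE_LIST = """128.24.55.1/32
54.44.33.22/27
0.0.0.0/0
10.0.0.300/24
"""

# Assumed review thresholds (not plugin settings): flag anything wider than this.
MIN_PREFIX = {4: 16, 6: 32}


def lint_whitelist(text):
    """Parse .list text; return (networks, findings) with findings as
    (line number, entry, message) tuples."""
    networks, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            findings.append((lineno, entry, f"not valid CIDR: {exc}"))
            continue
        net = iface.network
        networks.append(net)
        if iface.ip != net.network_address:
            findings.append((lineno, entry,
                f"host bits set; covers {net} ({net.num_addresses} addresses)"))
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((lineno, entry, f"very wide range: {net}"))
    return networks, findings


def is_allowed(ip, networks):
    """True if ip falls inside any parsed whitelist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, problems = lint_whitelist(SAMPLE_LIST)
    for lineno, entry, message in problems:
        print(f"line {lineno}: {entry}: {message}")
    print("54.44.33.31 allowed:", is_allowed("54.44.33.31", nets))
```

Read as standard CIDR, the page's second entry, 54.44.33.22/27, covers the 32 addresses from 54.44.33.0 to 54.44.33.31 rather than a range starting at .22.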

Supported Versions

If you are running Spigot standalone (i.e. no proxy in front), you will need to install ProtocolLib for the plugin to work.

The plugin is a Bungee/Spigot hybrid. We have tested against the following versions:

  • BungeeCord 1.16.1

  • Spigot 1.12.2 (Requires ProtocolLib)

  • Paper 1.8.8 to 1.20.2 (Requires ProtocolLib)

  • Velocity 1.20.2

  • FlameCord 1.20.2

  • Waterfall 1.20.2

  • Many more!

This does not mean your version of Bungee/Spigot won't work; we just cannot guarantee it at this time. If you find a version it doesn't work against, please contact our support. We also ensure the plugin will work on Java 8 and 11.

We do have the ability to support LilyPad, however for many reasons we do NOT recommend you use it. If you need LilyPad support, please reach out to our staff.

Plugin Conflicts

There are some plugins we know of that conflict with the TCPShield plugin. This list is not exhaustive, but at this time the following plugins conflict. If you must use a plugin that is known to have conflicts with TCPShield, please refer to our section regarding proxy-protocol.

  • ServerMOTDPlus

  • TBD

Please consider reaching out to these authors and asking them to adjust the event priority of their plugins.

A General Debugging Tip

If your server is having issues, and you suspect TCPShield may be the cause, you can disable the only-allow-proxy-connections option. You, or a player you trust, can then be given the backend IP to connect directly and see if the problem persists. By doing this, you will bypass TCPShield and perhaps find it easier to find the root cause of the issue. However, do not do this for long periods of time. This is risky to leave disabled, as a scanner could pick up your MOTD and DDoS your backend directly.

Source Code

The source code to our plugin can be found on GitHub. Pull requests are welcome!
