Sentry Tunnel Features

As TCPShield expands its infrastructure beyond Minecraft, we’re proud to introduce Sentry Tunnel – the next evolution in clean traffic delivery, launching in April 2025.

Sentry Tunnel is our high-performance, VXLAN-based tunneling solution built for modern cloud-scale networking. It allows us to protect and forward any TCP or UDP traffic with unmatched flexibility, speed, and compatibility. Whether you're running multiplayer game servers, real-time applications, or custom services, Sentry Tunnel delivers clean traffic with minimal latency and maximum reliability.

What is the Sentry Tunnel?

Sentry Tunnel leverages VXLAN (Virtual Extensible LAN) technology under the hood, but brings modern branding and engineering practices to offer you a refined and production-grade clean traffic solution.

1. Optimized for Anycast and Scrubbing Efficiency

Sentry Tunnel is stateless and UDP-based, making it a perfect match for our Anycast infrastructure:

  • Always connects to the nearest scrubbing center, minimizing latency and packet loss.

  • Instant failover between locations — no reconnections or handshakes required.

  • Supports multi-point tunnel topologies: multiple TCPShield nodes forward clean traffic to your origin without needing to manage dozens of individual tunnels.

2. Higher Cost Efficiency

Compared to traditional game-specific proxies (like our Minecraft protection), Sentry Tunnel supports many tenants on a single IP:

  • Protect diverse services and ports on the same machine — even if they’re using different protocols.

  • Example: protect Minecraft servers on ports 25565–25577, and FiveM servers on 30120–30127 — all behind one protected IP.

  • Define Layer 7 protocol filters per port range using our intuitive firewall panel, or automate the setup via API.

3. Minimal Overhead, Maximum Performance

Sentry Tunnel introduces only ~50 bytes of overhead per packet, while delivering major performance benefits:

  • Hardware offload support ensures packets are processed at line rate with minimal CPU load.

  • UDP encapsulation unlocks networking features like Large Receive Offload (LRO) and Generic Segmentation Offload (GSO).

  • Delivers multi-gigabit throughput with low operational cost.

4. Protocol-Agnostic – Beyond Just Minecraft

Sentry Tunnel is not limited to any single protocol or application. Thanks to VXLAN’s Ethernet-over-IP design, it supports:

  • IPv4, IPv6, ARP, multicast, and even broadcast-based protocols.

  • Exotic or legacy game engines, real-time UDP apps, or custom multiplayer protocols.

  • Works seamlessly behind NAT, supporting cloud platforms like AWS, GCP, and Azure, or home-hosted setups.

If your application uses TCP or UDP, Sentry Tunnel can protect it — no sweat.

5. Better than GRE: A Refined Solution for Modern Needs

GRE has long been used in clean traffic tunneling — but it’s showing its age. Sentry Tunnel improves on every front:

Feature                   | GRE        | Sentry Tunnel (VXLAN-based)
--------------------------+------------+----------------------------
NAT Traversal             | ❌ Poor    | ✅ Excellent (UDP)
Multi-Tenant Isolation    | ❌ Limited | ✅ Up to 16M VNIs
Hardware Offload          | ❌ Rare    | ✅ Widely Supported
Performance on Multi-core | ❌ Poor    | ✅ Optimized
Segmentation Support      | ❌ None    | ✅ Built-in

Sentry Tunnel delivers all the benefits of GRE — and far more.
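
The ~50 bytes of per-packet overhead and the 16M VNI figure above both follow from the standard VXLAN layout. The sketch below is an added example, not TCPShield code: it assumes a plain RFC 7348 header, and the function names and the VNI allow-list check an origin might apply are hypothetical.

```python
import struct

VXLAN_FLAG_I = 0x08        # RFC 7348 "VNI present" flag
VXLAN_HDR_LEN = 8          # flags(8) reserved(24) VNI(24) reserved(8)
INNER_ETH_LEN = 14         # inner Ethernet header carried inside the tunnel
UDP_LEN = 8
MAX_VNI = (1 << 24) - 1    # 24-bit field: 16,777,216 possible VNIs


def build_vxlan_header(vni: int) -> bytes:
    """Encode the 8-byte VXLAN header for one tenant segment."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan(udp_payload: bytes, allowed_vnis: set) -> tuple:
    """Return (vni, inner_frame); raise ValueError for payloads to drop."""
    if len(udp_payload) < VXLAN_HDR_LEN + INNER_ETH_LEN:
        raise ValueError("truncated VXLAN payload")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear, VNI is not valid")
    vni = word1 >> 8       # low 8 bits are reserved and ignored on receive
    if vni not in allowed_vnis:
        raise ValueError(f"unexpected VNI {vni}")
    return vni, udp_payload[VXLAN_HDR_LEN:]


def inner_mtu(underlay_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner IP packet that fits without fragmenting the outer one."""
    outer_ip = 40 if outer_ipv6 else 20
    return underlay_mtu - outer_ip - UDP_LEN - VXLAN_HDR_LEN - INNER_ETH_LEN


if __name__ == "__main__":
    # Constructed sample: VNI 4242 wrapping a dummy 14-byte Ethernet header.
    sample = build_vxlan_header(4242) + bytes(INNER_ETH_LEN)
    print(parse_vxlan(sample, {4242})[0], inner_mtu(1500), inner_mtu(1500, True))
```

On a 1500-byte IPv4 underlay the inner interface MTU comes out at 1450, which is where the 50 bytes show up when sizing the tunnel interface on the origin.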


What This Means for TCPShield Users

  1. Expanded Game & App Support: Protect any TCP/UDP-based service, not just Minecraft.

  2. Lower Latency: Our Anycast tunnel endpoints ensure traffic always routes through the nearest scrubbing node.

  3. Scalable Protection: Clean traffic is delivered efficiently across global tenants with flexible routing and isolation.


Ready to Deploy

Our Sentry Tunnel solution is now available for public access. If you're interested in enabling VXLAN-based clean traffic delivery for your service, contact us over at our support Discord or head to the setup page to get started.
