Sentry Tunnel Features
Last updated
Was this helpful?
Last updated
Was this helpful?
As TCPShield expands its infrastructure beyond Minecraft, we’re proud to introduce Sentry Tunnel – the next evolution in clean traffic delivery, launching from April 2025.
Sentry Tunnel is our high-performance, tunneling solution built for modern cloud-scale networking. It allows us to protect and forward any TCP or UDP traffic with unmatched flexibility, speed, and compatibility. Whether you're running multiplayer game servers, real-time applications, or custom services, Sentry Tunnel delivers clean traffic with minimal latency and maximum reliability.
Sentry Tunnel leverages VXLAN (Virtual Extensible LAN) technology under the hood, but brings modern branding and engineering practices to offer you a refined and production-grade clean traffic solution.
Sentry Tunnel is stateless and UDP-based, making it a perfect match for our Anycast infrastructure:
Always connects to the nearest scrubbing center, minimizing latency and packet loss.
Instant failover between locations — no reconnections or handshakes required.\.
Supports multi-point tunnel topologies: multiple TCPShield nodes forward clean traffic to your origin without needing to manage dozens of individual tunnels.
Compared to traditional game-specific proxies (like our Minecraft protection), Sentry Tunnel supports many tenants on a single IP:
Protect diverse services and ports on the same machine — even if they’re using different protocols.
Example: protect Minecraft servers on ports 25565–25577
, and FiveM servers on 30120–30127
— all behind one protected IP.
Define Layer 7 protocol filters per port range using our intuitive firewall panel, or automate the setup via API.
Sentry Tunnel introduces only ~50 bytes of overhead per packet, while delivering major performance benefits:
Hardware offload support ensures packets are processed at line rate with minimal CPU load.
UDP encapsulation unlocks networking features like Large Receive Offload (LRO) and Generic Segmentation Offload (GSO).
Delivers multi-gigabit throughput with low operational cost.
Sentry Tunnel is not limited to any single protocol or application. Thanks to VXLAN’s Ethernet-over-IP design, it supports:
IPv4, IPv6, ARP, multicast, and even broadcast-based protocols.
Exotic or legacy game engines, real-time UDP apps, or custom multiplayer protocols.
Works seamlessly behind NAT, supporting cloud platforms like AWS, GCP, and Azure, or home-hosted setups.
If your application uses TCP or UDP, Sentry Tunnel can protect it — no sweat.
GRE has long been used in clean traffic tunneling — but it’s showing its age. Sentry Tunnel improves on every front:
NAT Traversal
❌ Poor
✅ Excellent (UDP)
Multi-Tenant Isolation
❌ Limited
✅ Up to 16M VNIs
Hardware Offload
❌ Rare
✅ Widely Supported
Performance on Multi-core
❌ Poor
✅ Optimized
Segmentation Support
❌ None
✅ Built-in
Sentry Tunnel delivers all the benefits of GRE — and far more.
Expanded Game & App Support: Protect any TCP/UDP-based service, not just Minecraft.
Lower Latency: Our Anycast tunnel endpoints ensure traffic always routes through the nearest scrubbing node.
Scalable Protection: Clean traffic is delivered efficiently across global tenants with flexible routing and isolation.
Our Sentry Tunnel solution is now available for public access. If you're interested in enabling VXLAN-based clean traffic delivery for your service, contact us over at our support Discord or head to the to get started.