Sentry Tunnel Features

As TCPShield expands its infrastructure beyond Minecraft, we’re proud to introduce Sentry Tunnel – the next evolution in clean traffic delivery, launching from April 2025.

Sentry Tunnel is our high-performance, VXLAN-based tunneling solution built for modern cloud-scale networking. It allows us to protect and forward any TCP or UDP traffic with unmatched flexibility, speed, and compatibility. Whether you're running multiplayer game servers, real-time applications, or custom services, Sentry Tunnel delivers clean traffic with minimal latency and maximum reliability.

What is the Sentry Tunnel?

Sentry Tunnel leverages VXLAN (Virtual Extensible LAN) technology under the hood, but brings modern branding and engineering practices to offer you a refined and production-grade clean traffic solution.

1. Optimized for Anycast and Scrubbing Efficiency

Sentry Tunnel is stateless and UDP-based, making it a perfect match for our Anycast infrastructure:

  • Always connects to the nearest scrubbing center, minimizing latency and packet loss.

  • Instant failover between locations — no reconnections or handshakes required.

  • Supports multi-point tunnel topologies: multiple TCPShield nodes forward clean traffic to your origin without needing to manage dozens of individual tunnels.

2. Higher Cost Efficiency

Compared to traditional game-specific proxies (like our Minecraft protection), Sentry Tunnel supports many tenants on a single IP:

  • Protect diverse services and ports on the same machine — even if they’re using different protocols.

  • Example: protect Minecraft servers on ports 25565–25577, and FiveM servers on 30120–30127 — all behind one protected IP.

  • Define Layer 7 protocol filters per port range using our intuitive firewall panel, or automate the setup via API.

3. Minimal Overhead, Maximum Performance

Sentry Tunnel introduces only ~50 bytes of overhead per packet, while delivering major performance benefits:

  • Hardware offload support ensures packets are processed at line rate with minimal CPU load.

  • UDP encapsulation unlocks networking features like Large Receive Offload (LRO) and Generic Segmentation Offload (GSO).

  • Delivers multi-gigabit throughput with low operational cost.

4. Protocol-Agnostic – Beyond Just Minecraft

Sentry Tunnel is not limited to any single protocol or application. Thanks to VXLAN’s Ethernet-over-IP design, it supports:

  • IPv4, IPv6, ARP, multicast, and even broadcast-based protocols.

  • Exotic or legacy game engines, real-time UDP apps, or custom multiplayer protocols.

  • Deployments behind NAT, including cloud platforms like AWS, GCP, and Azure, or home-hosted setups.

If your application uses TCP or UDP, Sentry Tunnel can protect it — no sweat.

5. Better than GRE: A Refined Solution for Modern Needs

GRE has long been used in clean traffic tunneling — but it’s showing its age. Sentry Tunnel improves on every front:

| Feature | GRE | Sentry Tunnel (VXLAN-based) |
|---|---|---|
| NAT Traversal | ❌ Poor | ✅ Excellent (UDP) |
| Multi-Tenant Isolation | ❌ Limited | ✅ Up to 16M VNIs |
| Hardware Offload | ❌ Rare | ✅ Widely Supported |
| Performance on Multi-core | ❌ Poor | ✅ Optimized |
| Segmentation Support | ❌ None | ✅ Built-in |

Sentry Tunnel delivers all the benefits of GRE — and far more.
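
The ~50-byte overhead from section 3 and the 16M VNI figure in the table above both follow from the VXLAN header layout. The Python below is an added example, not TCPShield code; it assumes standard RFC 7348 framing with no outer IP options, and all function names are illustrative. It builds and parses the 8-byte VXLAN header and derives the inner MTU and TCP MSS an origin should use so encapsulated packets are not fragmented.

```python
import struct

VXLAN_FLAG_VNI = 0x08        # "I" flag: the VNI field is valid (RFC 7348)
ETH, UDP, VXLAN, TCP = 14, 8, 8, 20   # header sizes in bytes
IP_HDR = {4: 20, 6: 40}      # IP header size, assuming no options/extensions


def vxlan_header(vni: int) -> bytes:
    """Build the 8-byte header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 1 << 24:           # 2**24 = 16,777,216 segments ("16M VNIs")
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI << 24, vni << 8)


def parse_vxlan(udp_payload: bytes) -> tuple[int, bytes]:
    """Return (vni, inner_ethernet_frame); reject truncated or unflagged headers."""
    if len(udp_payload) < VXLAN + ETH:
        raise ValueError("too short for VXLAN + inner Ethernet header")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN])
    if not (word0 >> 24) & VXLAN_FLAG_VNI:
        raise ValueError("I flag not set, VNI is not valid")
    return word1 >> 8, udp_payload[VXLAN:]


def overhead(outer_ip: int = 4) -> int:
    """Bytes added around each inner IP packet: inner Ethernet + VXLAN + UDP + outer IP."""
    return ETH + VXLAN + UDP + IP_HDR[outer_ip]


def inner_mtu(path_mtu: int = 1500, outer_ip: int = 4) -> int:
    """Largest inner IP packet that fits in one outer packet on this path."""
    return path_mtu - overhead(outer_ip)


def tcp_mss(path_mtu: int = 1500, outer_ip: int = 4, inner_ip: int = 4) -> int:
    """TCP MSS to clamp to on the tunnel interface."""
    return inner_mtu(path_mtu, outer_ip) - IP_HDR[inner_ip] - TCP


if __name__ == "__main__":
    # Constructed sample: zeroed inner Ethernet header plus a short payload.
    frame = bytes(ETH) + b"constructed-payload"
    vni, inner = parse_vxlan(vxlan_header(4242) + frame)
    print(f"vni={vni} inner_len={len(inner)}")
    print(f"overhead v4={overhead(4)} v6={overhead(6)}")
    print(f"inner MTU={inner_mtu()} TCP MSS={tcp_mss()}")
```

If the tunnel interface keeps a 1500-byte MTU on a 1500-byte path, full-size inner packets exceed the outer limit and are fragmented or dropped, which typically shows up as stalled large transfers while small packets pass.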


6. Protocol‑Enforced Tunnel Firewall

Take your tunnel security to the next level with our ProtoGuard Firewall, a cutting‑edge, protocol‑aware layer that ensures port traffic strictly conforms to expected patterns.

  • Protocol‑aware filtering per port or range: Admins can define specific protocols (e.g., FiveM, CS2, Minecraft, custom UDP/TCP-based services) on selected ports or ranges. Only traffic matching the configured protocol is allowed; everything else is automatically dropped. Example: lock down ports 30120–30125 exclusively to FiveM traffic, and any non‑FiveM packets will be dropped immediately.

  • Built for user convenience: Configure filters through the panel or automate them via API. Set protocol rules as you define your tunnel or update them at any time, with no advanced firewall scripting required.

  • Expandable protocol library: Our supported‑protocol catalog keeps growing. Starting with popular services like FiveM, CS2, and standard TCP/UDP protocols, we’re continually adding more. Future releases will include additional game and application protocols, so your tunnel stays locked down and future‑proof.


While the VXLAN-based Sentry Tunnel already offers stateless, port‑agnostic forwarding and high‑performance features, adding ProtoGuard™ turns it into a protocol-aware firewall that only passes traffic conforming to the protocol configured for each port, greatly reducing the attack surface and limiting the impact of misconfiguration or abuse.

User scenario:

You're running both a FiveM server on 30120–30125 and a CS2 server on 27015–27020 using the same Sentry Tunnel. Set ProtoGuard™ to allow only FiveM on its ports and only CS2 on its own ports. Any unrelated packets are automatically dropped before reaching your origin, cutting off noise, scans, or malformed traffic.

What This Means for TCPShield Users

  1. Expanded Game & App Support: Protect any TCP/UDP-based service, not just Minecraft.

  2. Lower Latency: Our Anycast tunnel endpoints ensure traffic always routes through the nearest scrubbing node.

  3. Scalable Protection: Clean traffic is delivered efficiently across global tenants with flexible routing and isolation.


Ready to Deploy

Our Sentry Tunnel solution is now available for public access. If you're interested in enabling VXLAN-based clean traffic delivery for your service, contact us over at our support Discord or head to the setup page to get started.
