# Sentry Tunnel for Bedrock/Geyser/PocketMine/VoiceChat

{% hint style="danger" %}
For customers using the Pterodactyl panel, you may need to contact us during the setup process, as Pterodactyl reserves all private IP addresses, which can prevent the creation of the tunnel. Refer to this [debug section](https://docs.tcpshield.com/common-issues-and-debugging#id-2.-error-nexthop-has-invalid-gateway).
{% endhint %}

## 1. Ensure a working Geyser Instance

Before proceeding, make sure your Geyser instance is running. Follow the instructions in the [Geyser documentation](https://geysermc.org/wiki/geyser/setup/) to set up your server. In this example, we have a Bedrock server up and running on `108.61.149.182:19132`:

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2FNeeJX8JBhB7ATuPtfY7h%2Fimage.png?alt=media&#x26;token=6f964c15-ec5a-49aa-abe0-bc0730bc1ca0" alt=""><figcaption><p>Bedrock server using Geyser-Standalone</p></figcaption></figure>

For TCPShield customers running PocketMine MP, please consult their [official guide](https://doc.pmmp.io/en/rtfd/installation.html).

## 2. Create your Sentry Tunnel

Once your Geyser instance is up and running, create a Sentry Tunnel and enter the correct IP address of your Geyser server in the “Endpoint” field. You can leave the “Port” field blank—your application will continue listening on its default port. Sentry Tunnel simply forwards traffic to the original port over the backend IP.

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2Fxtu6iwMB2zUeIe9fgNVj%2Fimage.png?alt=media&#x26;token=6edfa284-e7eb-4052-9439-e5393cf303b8" alt=""><figcaption><p>Tunnel Creation</p></figcaption></figure>

## 3. Run the VXLAN Creation Script

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2Fxt9o3C1oG2u1ph5P8Y6x%2Fimage.png?alt=media&#x26;token=7bafd9b1-3ec6-435e-916a-bc23e6dad6a5" alt=""><figcaption><p>Tunnel Overview page</p></figcaption></figure>

After creating the tunnel, navigate to the bottom of the Overview page, then copy and run your VXLAN creation script. If you encounter any errors, refer to the [troubleshooting section](https://docs.tcpshield.com/vxlan/common-issues-and-debugging). To verify that the tunnel was created successfully, run the following command:

```
ip -s link show vxlan_<id>
```

Example output:

```
root@admin:~# ip -s link show vxlan_47
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped missed  mcast
    341644143  2036858  0       0       0      0
    TX: bytes  packets  errors  dropped carrier collsns
    53378176   387353   0       0       0      0
```

At this point you should also be able to ping the tunnel's local IP address:

```
root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms
```

## 4. Whitelist VXLAN and Backend Ports

Ensure both the VXLAN port and your backend port are properly whitelisted. You can achieve this using either UFW or iptables. <mark style="color:purple;">This step might not be necessary, but it is worth mentioning nonetheless</mark>.

### Using UFW

```
ufw allow <port>/udp
ufw allow <port>/tcp
```

Then verify the status by running:

```
ufw status
```

### Using iptables

```
iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <PORT> -j ACCEPT
iptables -A OUTPUT -p udp --sport <PORT> -j ACCEPT
```

Then verify your configuration by running:

```
iptables-save
```

{% hint style="warning" %} <mark style="color:purple;">IMPORTANT: For customers using Pterodactyl, ensure that you open the VXLAN port on the panel itself. This can be done by navigating to the **Network** tab and selecting **Create Allocation**. For more information, visit this</mark> [<mark style="color:purple;">guide</mark>](https://knowledgebase.aquatis.host/books/pterodactyl-guides/page/how-do-i-addopen-a-server-port-on-pterodactyl)<mark style="color:purple;">.</mark>
{% endhint %}

## 5. Update the config file

### 5.1 Geyser

Next, update the `address` (under the `bedrock` section) in the Geyser configuration file to the public IP address of your VXLAN tunnel. For example, if your public IP is `104.234.6.128`, set `address` to that value. The server port stays the same, `19132`.

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2FEPcUzeO8euqyHnUoYCXR%2Fimage.png?alt=media&#x26;token=387341f2-7064-423e-a0a7-8d0e09ae2e96" alt=""><figcaption><p>Update Geyser's backend IP Address</p></figcaption></figure>

Also make sure `enable-proxy-connections: false` is set. On newer Geyser versions, this setting is also called `haproxy-protocol`, but make sure you only edit the one located inside the `bedrock` section.

After restarting the server, double-check that the service is running properly by running the following command:

```
netstat -plunt | grep 104.234.6.128
```

The output should look similar to this:

```
root@admin:~# netstat -plunt | grep 104.234.6.128
udp     0   0 104.234.6.128:19132 0.0.0.0:*                        1546258/java
udp     0   0 104.234.6.128:19132 0.0.0.0:*                        1546258/java
```

### 5.2 PocketMine MP

By default, PocketMine always listens on `0.0.0.0`, so you have to open your `server.properties` and update `server-ip` to the tunnel's public IP address. If the key is not present, simply add it to the file. Example config:

```
#Properties Config file
#Tue Jul 8 11:04:48 UTC 2025
language=eng
motd=TCPShield Test
server-port=19132
server-ip=104.234.6.128
server-portv6=19133
gamemode=SURVIVAL
...
```

Restart the server and you should see the MP server is listening on the correct interface:

```
root@admin:~# netstat -plunt | grep 104.234.6.128
udp        0      0 104.234.6.128:19132     0.0.0.0:*       1095804/PocketMine- 
```
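The bind checks in 5.1 and 5.2 can be scripted. The following is an added example, not part of the TCPShield tooling: `check_bind` is a hypothetical helper that reads `netstat -plunt` output and reports whether a UDP port is bound only to the tunnel's public IP. A listener left on `0.0.0.0` also answers on the server's other addresses, so it is reported as a failure. The wildcard sample is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a UDP port is bound, from `netstat -plunt` output.
# Live use: netstat -plunt | check_bind 104.234.6.128 19132

# check_bind TUNNEL_IP PORT  (netstat output on stdin)
# Prints one verdict word; returns 0 only when the port is bound to the
# tunnel IP and to nothing else. The subshell body keeps variables local.
check_bind() (
    verdict=$(awk -v ip="$1" -v port="$2" '
        $1 ~ /^udp/ {                       # udp and udp6 rows
            n = split($4, parts, ":")       # $4 = Local Address
            if (parts[n] != port) next      # last piece is the port
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == ip) tunnel = 1
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*") wildcard = 1
            else other = 1
        }
        END {
            if (wildcard)    print "wildcard"       # reachable on every address
            else if (other)  print "other"          # bound to a different IP
            else if (tunnel) print "tunnel-only"    # the state this guide wants
            else             print "not-listening"
        }')
    echo "$verdict"
    [ "$verdict" = "tunnel-only" ]
)

# Output shown in section 5.2 of this page.
SAMPLE_TUNNEL='udp        0      0 104.234.6.128:19132     0.0.0.0:*       1095804/PocketMine-'

# Constructed sample: PocketMine still on its default 0.0.0.0 binding.
SAMPLE_WILDCARD='udp        0      0 0.0.0.0:19132           0.0.0.0:*       1095804/PocketMine-
udp6       0      0 :::19133                :::*            1095804/PocketMine-'

for sample in "$SAMPLE_TUNNEL" "$SAMPLE_WILDCARD"; do
    printf '%s\n' "$sample" | check_bind 104.234.6.128 19132 || true
done
```

The same check applies to the voice chat ports in section 7 by passing the voice chat port instead of `19132`.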

## 6. Final Step

At this point, the connection to your Bedrock server will be using the public IP `104.234.6.128`. Create an A record that points directly to this IP address on your preferred DNS manager:

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2FGrs7XtnTLnR0guiCYAOE%2Fimage.png?alt=media&#x26;token=e7791662-f894-41dd-94ce-3fafb8106ca8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2FeDcjEUn6uYbrvLhEkIIA%2Fimage.png?alt=media&#x26;token=11a7e25d-fe13-495e-89bd-9411a832b004" alt=""><figcaption><p>The Geyser instance running on 104.234.6.128:19132</p></figcaption></figure>

<figure><img src="https://530345640-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWXTvAX8gueFZ5txjDV%2Fuploads%2FsxbLF5a8ecs15ogLYLTb%2Fimage.png?alt=media&#x26;token=b9af9b04-c0e8-4d35-a2be-5241d05ee4a6" alt=""><figcaption><p>Your PocketMine MP instance running on 104.234.6.128:19132</p></figcaption></figure>

And that's it, happy gaming!

## 7. Voice chat setup

{% hint style="info" icon="square-exclamation" %} <mark style="color:$primary;background-color:blue;">**IMPORTANT**: Since VXLAN is fairly complicated for most users, if you just require voice chat support and nothing else, please contact our support staff on Discord to have it deployed.</mark>
{% endhint %}

### 7.1 [Simple Voice Chat](https://modrinth.com/plugin/simple-voice-chat/versions)

There are 2 values to update:

- To make sure SVC is listening on the correct IP address, `bind_address` should be set to the tunnel `public IP`.
- Then set `voice_host` to `tunnel_IP:port` so that clients can connect to it.

Example config file:

```
# Simple Voice Chat proxy config v2.6.4

# The port number to use for the voice chat communication.
# Audio packets are always transmitted via the UDP protocol on the port number
# specified here, independently of other networking used for the game server.
# Set this to '-1' to use the same port number as the one used by the proxy.
port=24454
# The proxy IP address to bind the voice chat to
# Leave blank to use the proxy bind address
# To bind to the wildcard IP address, use '*'
bind_address=104.234.6.128
# The hostname that clients should use to connect to the voice chat
# This may also include a port, e.g. 'example.com:24454' or just a port, e.g. '24454'
# Do NOT change this value if you don't know what you're doing
voice_host=104.234.6.128:24454
# If the voice chat proxy server should reply to external pings
allow_pings=true

```

### 7.2 [Plasmo Voice](https://plasmovoice.com/)

Shout out to the very detailed [documentation](https://plasmovoice.com/docs/server/advanced/) on their side.

To set up PlasmoVoice with a VXLAN tunnel, change the IP and port of `[host]` and `[host.public]` to match your VXLAN's `public IP` and your specific `port`.

Example config:

```
[host]  # The IP:PORT your voice chat instance is running on
ip = "104.234.6.128"
port = 25577

[host.public]
ip = "104.234.6.128" # The IP of the public voice chat server 
port = 25577         # The port of the public voice chat server 
```

