Sentry Tunnel for Bedrock/Geyser/PocketMine/VoiceChat
For everything Bedrock related.
For customers using the Pterodactyl panel, you may need to contact us during the setup process, as Pterodactyl reserves all private IP addresses, which can prevent the creation of the tunnel. Refer to this debug section.
1. Ensure a working Geyser Instance
Before proceeding, make sure your Geyser instance is running. Follow the instructions in the Geyser documentation to set up your server. In this example, we have a Bedrock server up and running on 108.61.149.182:19132 :
Bedrock server using Geyser-Standalone
For TCPShield customers running PocketMine MP, please consult their official guide.
2. Create your Sentry Tunnel
Once your Geyser instance is up and running, create a Sentry Tunnel and enter the correct IP address of your Geyser server in the “Endpoint” field. You can leave the “Port” field blank—your application will continue listening on its default port. Sentry Tunnel simply forwards traffic to the original port over the backend IP.
Tunnel Creation
3. Run the VXLAN Creation Script
Tunnel Overwiew page
After creating the tunnel, navigate to the bottom of the Overview page, then copy and run your VXLAN creation script. If you encounter any errors, refer to the troubleshooting section. To verify that the tunnel was created successfully, run the following command:
Example output:
At this point you should also be able to ping the tunnel's local IP address:
4. Whitelist VXLAN and Backend Ports
Ensure both the VXLAN port and your backend port are properly whitelisted. You can achieve this using either UFW or iptables. This step might not be necessary, but worth mentioning nonetheless.
Using UFW
Then verify the status by running:
Using iptables
Then verify your configuration by running:
IMPORTANT: For customers using Pterodactyl, ensure that you open the VXLAN port on the panel itself. This can be done by navigating to the Network tab and selecting Create Allocation. For more information, visit this guide.
5. Update the config file
5.1 Geyser
Next, update the address (under the Bedrock section) in the Geyser configuration file to the public IP address of your VXLAN tunnel. For example, if your public IP is 104.234.6.128, make the necessary changes to the config. The port of the server stays the same, aka 19132.
Update Geyser's backend IP Address
Also make sure enable-proxy-connections: false . On newer Geyser version, this setting is also called haproxy-protocol, but make sure you only edit the one located inside the bedrock section.
After restarting the server, double-check that the service is running properly by running the following command:
The output should look similar to this:
5.2 PocketMine MP
By default PocketMine will always listen on 0.0.0.0 , hence you have to navigate to your server.properties and update server-ip to the tunnel Public IP Address. If not available, simply add it in the file. Example config:
Restart the server and you should see the MP server is listening on the correct interface:
6. Final Step
At this point, the connection to your Bedrock server will be using the public IP 104.234.6.128. Create an A record that points directly to this IP address on your preferred DNS manager:
The Geyser instance running on 104.234.6.128:19132
Your PocketMine MP instance running on 104.234.6.128:19132
Shout out to a very detailed documentation on their side.
To setup PlasmoVoice with VLXAN tunnel, you need to:
- Change the IP and port of [host] and [host.public] to match your VXLAN's public IP and your specific port .
- Example config:
root@admin:~# ip -s link show vxlan_47
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped missed mcast
341644143 2036858 0 0 0 0
TX: bytes packets errors dropped carrier collsns
53378176 387353 0 0 0 0
root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms
ufw allow <port>/udp
ufw allow <port>/tcp
ufw status
iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <PORT> -j ACCEPT
iptables -A OUTPUT -p udp --sport <PORT> -j ACCEPT
# Simple Voice Chat proxy config v2.6.4
# The port number to use for the voice chat communication.
# Audio packets are always transmitted via the UDP protocol on the port number
# specified here, independently of other networking used for the game server.
# Set this to '-1' to use the same port number as the one used by the proxy.
port=24454
# The proxy IP address to bind the voice chat to
# Leave blank to use the proxy bind address
# To bind to the wildcard IP address, use '*'
bind_address=104.234.6.128
# The hostname that clients should use to connect to the voice chat
# This may also include a port, e.g. 'example.com:24454' or just a port, e.g. '24454'
# Do NOT change this value if you don't know what you're doing
voice_host=104.234.6.128:24454
# If the voice chat proxy server should reply to external pings
allow_pings=true
[host] # The IP:PORT your voice chat instance is running on
ip = "104.234.6.128"
port = 25577
[host.public]
ip = "104.234.6.128" # The IP of the public voice chat server
port = 25577 # The port of the public voice chat server
