Sentry Tunnel for FiveM/GTA Online

In this guide, I will walk you through the process of setting up a Sentry Tunnel for a FiveM server running on Windows 11, using the txAdmin panel. Since this setup is on Windows, I will also include instructions for setting up a Linux proxy in front of the server to enable VXLAN configuration.

Note: If you're already running your FiveM server on Linux, the setup process is the same. Simply skip the proxy creation step.

1. Verify that the server is running:

In my example, the server is running and reachable on 103.120.39.17:30120

2. Tunnel Creation

Go to your TCPShield Panel → Tunnels → New Tunnel.

Once the tunnel is created, you will see the Overview page for the tunnel:

• Public IP: 104.234.6.128 - Dedicated IP your users will connect to

• Private IP: 172.18.128.2 - Interface IP used by our anycast server

• Port: 34251 - Assigned for VXLAN traffic

• Setup Script:

grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251;
ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8;
ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent;
ip link set dev vxlan_47 mtu 1450;
ip addr add 172.18.128.3/24 dev vxlan_47;
ip link set vxlan_47 up
ip route add default via 172.18.128.2 dev vxlan_47 table 200
ip addr add dev lo 104.234.6.128/32
iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0

FOR LINUX SERVER:

Copy and run the setup script located at the bottom of the page. Verify the tunnel creation by running the following command:

ip -s link show vxlan_<id> 

If the tunnel was successfully created, you will see output similar to this:

root@admin:~# ip -s link show vxlan_47
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped missed  mcast
    341644143  2036858  0       0       0      0
    TX: bytes  packets  errors  dropped carrier collsns
    53378176   387353   0       0       0      0

At this point, you should be able to ping the private IP address:

root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms

Finally, proceed to Step 4 to complete the setup.

FOR WINDOWS SERVER: Head to step 3 to create your NGINX Proxy.

3. NGNIX Proxy Creation

Since the VXLAN tunnel can only be created on a Linux server, as a Windows user, you will need access to a Linux server. We recommend using a reputable hosting provider. In this example, the proxy IP address is 108.61.149.182.

Navigate to your nginx.conf file, which can be found at one of these locations:

• /usr/local/nginx/conf/nginx.conf

• /etc/nginx/nginx.conf n

Use your preferred editor (e.g., nano), and add the following configuration:

stream {
    upstream backend {
        server 108.61.149.182:30120; # your proxy IP address
    }
    server {
		listen 104.234.6.128:30120; # your VXLAN tunnel public IP
		proxy_pass 103.120.39.17:30120; # your backend IP address
	}
	server {
		listen 104.234.6.128:30120 udp reuseport;
		proxy_pass 103.120.39.17:30120;
	}
}

Reload your NGINX server: service nginx reload

Now, return to Step 2 and run the setup script. Follow the instructions for the Linux server.

4. Update the config file

In your server.cfg file, add the following:

set sv_forceIndirectListing true
set sv_proxyIPRanges "104.234.6.128/32" 
set sv_endpoints "104.234.6.128:30120"

And that should be pretty much everything you have to do.