# Sentry Tunnel for FiveM/GTA Online

In this guide, I will walk you through setting up a Sentry Tunnel for a FiveM server running on Windows 11 with the txAdmin panel. **Note**: **Sentry Tunnel/VXLAN requires a Linux server.** For that reason, I will also include instructions for setting up a Linux proxy in front of the Windows server.

If you're already running your FiveM server on a Linux OS, simply skip the proxy creation step.

## 1. Verify that the server is running:

In my example, the server is running and reachable on `103.120.39.17:30120`.

<figure><img src="/files/jYzHOuzZRlY8PDcjLSJ3" alt=""><figcaption></figcaption></figure>

## 2. Tunnel Creation

Go to your TCPShield Panel → **Tunnels** → **New Tunnel**.

<figure><img src="/files/rFMUTBYJvqjD2vSXCCA9" alt=""><figcaption><p>Creating Tunnel</p></figcaption></figure>

{% hint style="warning" %}
This assigned port is **NOT** your service port (e.g., 30120), but the port the VXLAN tunnel uses to forward your traffic.
{% endhint %}

<figure><img src="/files/lhwCky6v8x8v99Jb644p" alt=""><figcaption><p>VXLAN Tunnel Overview</p></figcaption></figure>

Once the tunnel is created, you will see the **Overview** page for the tunnel. **In this example**:

* Public IP: **104.234.6.128** - The dedicated IP your users will connect to
* Private IP: **172.18.128.2** - Interface IP used by our anycast server
* Port: 34251 - Assigned for VXLAN traffic
* Setup Script:

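```bash
# Register routing table 200 under the name "tunnel_table" (only once).
grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
# Packets carrying firewall mark 9 are routed using table 200.
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
# Create the VXLAN interface towards the remote endpoint on the assigned port.
ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251;
ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8;
# Static neighbour entry for the private IP on the other side of the tunnel.
ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent;
# MTU 1450 leaves room for the VXLAN encapsulation overhead.
ip link set dev vxlan_47 mtu 1450;
ip addr add 172.18.128.3/24 dev vxlan_47;
ip link set vxlan_47 up
# Table 200 sends everything through the private IP over the tunnel.
ip route add default via 172.18.128.2 dev vxlan_47 table 200
# Bind the public IP to loopback so local services can listen on it.
ip addr add dev lo 104.234.6.128/32
# Mark locally generated packets sourced from the public IP with 0x9 (matched
# by the ip rule above), then clear the mark again in POSTROUTING.
iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0
```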

<mark style="color:green;">**FOR LINUX SERVER**</mark>:

Ensure both the backend port (`30120`) and the VXLAN port (`34251`) are open and accepting connections. You can refer to this [guide](https://docs.tcpshield.com/vxlan/pages/tNANL6U2oTTO0aX4rw6H#id-4.-whitelist-vxlan-and-backend-ports) for further instructions.

Copy and run the setup script located at the bottom of the page. Verify the tunnel creation by running the following command:

```bash
ip -s link show vxlan_<id>
```

If the tunnel was successfully created, you will see output similar to this:

```text
root@admin:~# ip -s link show vxlan_47
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped missed  mcast
    341644143  2036858  0       0       0      0
    TX: bytes  packets  errors  dropped carrier collsns
    53378176   387353   0       0       0      0
```
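The same check can be scripted. The following is an added example, not part of the original guide or of TCPShield's tooling: it reads `ip -s link show` output from stdin and reports the first problem it finds (flags, MTU, error and drop counters). The function name and the embedded sample, modelled on the output above, are constructed for illustration.

```bash
#!/bin/sh
# Added example: evaluate `ip -s link show vxlan_<id>` output read from stdin.
# Live use: ip -s link show vxlan_47 | check_vxlan_link 1450
check_vxlan_link() {
    awk -v want_mtu="$1" '
        /^[0-9]+: / {                    # "418: vxlan_47: <FLAGS> mtu 1450 ..."
            seen = 1
            flags = $3; gsub(/[<>]/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) has[f[i]] = 1
            for (i = 4; i < NF; i++) if ($i == "mtu") mtu = $(i + 1)
            next
        }
        $1 == "RX:" || $1 == "TX:" { dir = substr($1, 1, 2); next }
        dir != "" {                      # counters follow each RX:/TX: header
            pkts[dir] = $2; errs[dir] = $3; drop[dir] = $4; dir = ""
        }
        END {
            bad = errs["RX"] + errs["TX"] + drop["RX"] + drop["TX"]
            if (!seen) msg = "FAIL: interface not found"
            else if (!has["UP"]) msg = "FAIL: interface is down"
            else if (!has["LOWER_UP"]) msg = "FAIL: no carrier"
            else if (mtu != want_mtu) msg = "FAIL: mtu " mtu ", expected " want_mtu
            else if (bad > 0) msg = "FAIL: errors or drops on the tunnel"
            else if (pkts["RX"] + 0 == 0) msg = "WARN: nothing received yet"
            else msg = "OK"
            print msg
            exit (msg == "OK" ? 0 : 1)   # non-zero unless everything passed
        }'
}

# Constructed sample, modelled on the output shown above.
sample_link_output() {
    cat <<'EOF'
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped missed  mcast
    341644143  2036858  0       0       0      0
    TX: bytes  packets  errors  dropped carrier collsns
    53378176   387353   0       0       0      0
EOF
}

sample_link_output | check_vxlan_link 1450
```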

At this point, you should be able to ping the private IP address:

```text
root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms
```
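A successful ping only proves the private side of the tunnel. The setup script also relies on three pieces of policy routing so that replies sourced from the public IP leave through the tunnel: the mangle mark `0x9`, the `ip rule` for that mark, and the default route in table 200. The following added example (not from the original guide) checks all three from captured command output; the function name and the sample output are constructed, using the addresses from this page.

```bash
#!/bin/sh
# Added example: confirm that replies sourced from the tunnel public IP are
# routed through the VXLAN device. Arguments are captured command output:
#   $1 = `ip rule`   $2 = `ip route show table 200`
#   $3 = `iptables -t mangle -S OUTPUT`
#   $4 = public IP   $5 = private IP (tunnel gateway)   $6 = VXLAN device
check_return_path() {
    rules=$1; routes=$2; mangle=$3; pub=$4; gw=$5; dev=$6; rc=0
    # fwmark 9 must select table 200 (shown by name once rt_tables maps it).
    printf '%s\n' "$rules" | grep -Eq 'fwmark 0x9 lookup (200|tunnel_table)( |$)' \
        || { echo "missing: ip rule fwmark 9 -> table 200"; rc=1; }
    # Table 200 needs a default route via the gateway on the VXLAN device.
    printf '%s\n' "$routes" | grep -Fq "default via $gw dev $dev" \
        || { echo "missing: default route via $gw dev $dev in table 200"; rc=1; }
    # Locally generated packets from the public IP must be marked 0x9.
    printf '%s\n' "$mangle" | grep -F -- "-s $pub/32 " \
        | grep -Eq -- '--set-xmark 0x9(/|$)' \
        || { echo "missing: mangle OUTPUT mark 0x9 for $pub"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample output for the values used on this page.
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x9 lookup tunnel_table
32766: from all lookup main'
SAMPLE_ROUTES='default via 172.18.128.2 dev vxlan_47'
SAMPLE_MANGLE='-P OUTPUT ACCEPT
-A OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9/0xffffffff'

check_return_path "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" \
    104.234.6.128 172.18.128.2 vxlan_47
```

On a live host, pass `"$(ip rule)"`, `"$(ip route show table 200)"` and `"$(iptables -t mangle -S OUTPUT)"` as the first three arguments.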

Finally, proceed to **Step 4** to complete the setup.

<mark style="color:orange;">**FOR WINDOWS SERVER**</mark>: Head to step 3 to create your NGINX Proxy.

## 3. NGINX Proxy Creation

{% hint style="warning" %}
Skip this step if you already have a Linux server
{% endhint %}

Since the VXLAN tunnel can only be created on a Linux server, as a Windows user, you will need access to a Linux server. We recommend using a reputable hosting provider. In this example, the proxy IP address is <mark style="color:blue;">**`108.61.149.182`**</mark>.

Navigate to your `nginx.conf` file, which can be found at one of these locations:

* `/usr/local/nginx/conf/nginx.conf`
* `/etc/nginx/nginx.conf`

Use your preferred editor (e.g., `nano`), and add the following configuration:

(*It goes without saying that you should replace the corresponding IP addresses to match your own*).

```nginx
stream {
    upstream backend {
        server 108.61.149.182:30120; # your proxy IP address
    }
    # TCP listener
    server {
        listen 104.234.6.128:30120; # your VXLAN tunnel public IP
        proxy_pass 103.120.39.17:30120; # your backend IP address
    }
    # UDP listener
    server {
        listen 104.234.6.128:30120 udp reuseport;
        proxy_pass 103.120.39.17:30120;
    }
}
```

Reload your NGINX server: `service nginx reload`

Now, return to **Step 2** and run the setup script. Follow the instructions for the Linux server.

## 4. Update the config file

In your `server.cfg` file, set the following values, similar to **this example**:

```
set sv_forceIndirectListing true
set sv_proxyIPRanges "104.234.6.128/32"
set sv_endpoints "104.234.6.128:30120"
```

{% hint style="danger" %}
Pterodactyl users might need `set sv_forceIndirectListing false` to avoid an issue with the server list query:

{% code overflow="wrap" expandable="true" %}

```
Server list query returned an error … The SSL connection could not be established … Connection reset by peer
```

{% endcode %}
{% endhint %}

You might want to also specify the UDP endpoint for your server:

```
endpoint_add_udp 104.234.6.128:30120
```

{% hint style="warning" %}
If you are using a domain, make sure it's pointing to the VXLAN public IP address, which in this case is `104.234.6.128`.
{% endhint %}

And that should be pretty much everything you have to do.


