Sentry Tunnel for FiveM/GTA Online
VXLAN Setup for FiveM server
In this guide, I will walk you through the process of setting up a Sentry Tunnel for a FiveM server running on Windows 11, using the txAdmin panel. Since this setup is on Windows, I will also include instructions for setting up a Linux proxy in front of the server to enable VXLAN configuration.
Note: If you're already running your FiveM server on Linux, the setup process is the same. Simply skip the proxy creation step.
1. Verify that the server is running:
In my example, the server is running and reachable on 103.120.39.17:30120

2. Tunnel Creation
Go to your TCPShield Panel → Tunnels → New Tunnel.

The assigned port is NOT your service port (e.g., 30120), but the port the VXLAN tunnel uses to forward your traffic.

Once the tunnel is created, you will see the Overview page for the tunnel:
Public IP: 104.234.6.128 - Dedicated IP your users will connect to
Private IP: 172.18.128.2 - Interface IP used by our anycast server
Port: 34251 - Assigned for VXLAN traffic
Setup Script:
grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251;
ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8;
ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent;
ip link set dev vxlan_47 mtu 1450;
ip addr add 172.18.128.3/24 dev vxlan_47;
ip link set vxlan_47 up
ip route add default via 172.18.128.2 dev vxlan_47 table 200
ip addr add dev lo 104.234.6.128/32
iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0
FOR LINUX SERVER:
Ensure both the backend port (30120) and the VXLAN port (34251) are open and accepting connections. You can refer to this guide for further instructions.
Copy and run the setup script located at the bottom of the page. Verify the tunnel creation by running the following command:
ip -s link show vxlan_<id>
If the tunnel was successfully created, you will see output similar to this:
root@admin:~# ip -s link show vxlan_47
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped missed mcast
341644143 2036858 0 0 0 0
TX: bytes packets errors dropped carrier collsns
53378176 387353 0 0 0 0
At this point, you should be able to ping the private IP address:
root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms
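The verification step above, scripted as an added example (not part of the original guide or TCPShield's tooling): `check_vxlan_stats` parses `ip -s link show` output and fails if the link is not UP,LOWER_UP, the MTU differs from the 1450 the setup script sets, or any RX/TX error or dropped counter is non-zero. The function names and the pass/fail criteria are assumptions of this example.

```shell
#!/bin/sh
# Added example: reads `ip -s link show <dev>` output on stdin; $1 = expected MTU.
# Returns 0 if healthy, 1 on a failed check, 2 if no interface was in the input.
check_vxlan_stats() {
    awk -v want_mtu="${1:-1450}" '
        / mtu [0-9]+/ {                      # header line: flags and MTU
            seen = 1
            if ($0 !~ /[<,]UP[,>]/ || $0 !~ /LOWER_UP/) {
                print "FAIL: interface is not UP,LOWER_UP"; bad = 1
            }
            for (i = 1; i < NF; i++) if ($i == "mtu") mtu = $(i + 1)
            if (mtu + 0 != want_mtu + 0) {
                print "FAIL: mtu is " mtu ", expected " want_mtu; bad = 1
            }
            next
        }
        /^ *RX:/ { dir = "RX"; next }        # the counters follow on the next line
        /^ *TX:/ { dir = "TX"; next }
        dir != "" {                          # columns: bytes packets errors dropped ...
            if ($3 + 0 > 0 || $4 + 0 > 0) {
                print "FAIL: " dir " errors=" $3 " dropped=" $4; bad = 1
            }
            if (dir == "RX") rx = $2
            dir = ""
        }
        END {
            if (!seen) { print "FAIL: no interface in input"; exit 2 }
            if (rx + 0 == 0) print "WARN: no packets received through the tunnel yet"
            if (bad) exit 1
            print "OK: link up, mtu " mtu ", no errors or drops"
        }'
}
# Sample input: the output shown in this guide for vxlan_47.
sample_ok() { cat <<'EOF'
418: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX: bytes packets errors dropped missed mcast
    341644143 2036858 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
    53378176 387353 0 0 0 0
EOF
}

# With an interface name, check the live link; otherwise run on the sample.
if [ -n "${1:-}" ]; then
    ip -s link show "$1" | check_vxlan_stats "${2:-1450}"
else
    sample_ok | check_vxlan_stats 1450
fi
```

Saved under a name of your choice, it takes the interface as its first argument (for example `vxlan_47`) and exits non-zero on failure, so it can gate the remaining steps.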
Finally, proceed to Step 4 to complete the setup.
FOR WINDOWS SERVER: Head to step 3 to create your NGINX Proxy.
3. NGINX Proxy Creation
Skip this step if you already have a Linux server
Since the VXLAN tunnel can only be created on a Linux server, as a Windows user, you will need access to a Linux server. We recommend using a reputable hosting provider. In this example, the proxy IP address is 108.61.149.182.
Navigate to your nginx.conf file, which can be found at one of these locations:
/usr/local/nginx/conf/nginx.conf
/etc/nginx/nginx.conf
Use your preferred editor (e.g., nano), and add the following configuration:
stream {
    upstream backend {
        server 108.61.149.182:30120; # your proxy IP address
    }
    server {
        listen 104.234.6.128:30120; # your VXLAN tunnel public IP
        proxy_pass 103.120.39.17:30120; # your backend IP address
    }
    server {
        listen 104.234.6.128:30120 udp reuseport;
        proxy_pass 103.120.39.17:30120;
    }
}
Reload your NGINX server: service nginx reload
Now, return to Step 2 and run the setup script. Follow the instructions for the Linux server.
4. Update the config file
In your server.cfg file, add the following:
set sv_forceIndirectListing true
set sv_proxyIPRanges "104.234.6.128/32"
set sv_endpoints "104.234.6.128:30120"
If you have a domain for your server, make sure it's pointing to the VXLAN public IP address, which in this case is 104.234.6.128.
And that should be pretty much everything you have to do.