Sentry Tunnel for rAthena/Ragnarok
Follow this guide to protect your game servers with TCPShield.
This guide explains how to create and configure a Sentry/VXLAN tunnel, using a Ragnarok Online server as an example (rAthena emulator running on 108.61.149.182:6900).
1. Tunnel Creation
To begin, go to the Tunnel tab in your dashboard and click the New Tunnel button.

You’ll see the following fields:
Name: A custom label for your tunnel; use something descriptive.
Endpoint: The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the tunnel will forward traffic.
Locations: The location will always be Anycast for optimal global routing.
Port: A port will be automatically assigned from the range 32768–60999. You don’t usually need to change this unless you have specific routing or firewall requirements.
2. Setup
Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:
Public IP: The dedicated IP your users will connect to (e.g., 104.234.6.128).
Private IP: An internal address (e.g., 172.18.128.2) used for routing within the overlay network.
VXLAN Port: The port assigned for connecting traffic (e.g., 34251).
Endpoint: The backend IP of your game or application server. You can change this value whenever you like, but make sure to also re-run the Setup Script when you do so.
At the bottom of the Overview page, you’ll find a Setup Script that looks similar to this:
grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251;
ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8;
ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent;
ip link set dev vxlan_47 mtu 1450;
ip addr add 172.18.128.3/24 dev vxlan_47;
ip link set vxlan_47 up
ip route add default via 172.18.128.2 dev vxlan_47 table 200
ip addr add dev lo 104.234.6.128/32
iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0
3. Whitelist VXLAN and Backend Ports
Your VPS or dedicated server might have a firewall that blocks outside connections by default (or a Security Group put in place by your cloud provider). In this case, it's important to make sure your server port and the VXLAN port are both accepting connections. This can be achieved by using UFW or iptables.
Using UFW
ufw allow <port>/udp
ufw allow <port>/tcp
Then verify the status by running:
ufw status
Using iptables
iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <PORT> -j ACCEPT
iptables -A OUTPUT -p udp --sport <PORT> -j ACCEPT
Then verify your configuration by running:
iptables-save
4. Execution
Now you just need to run the provided script. Once it has completed:
Your server will now be reachable via the assigned public IP (e.g., 104.234.6.128).
You can ping the private IP (e.g., 172.18.128.2) to verify connectivity.
The server latency depends on the Anycast region and distance from your users.
You can verify that the tunnel was created by running:
ip -s link show vxlan_<insert VXLAN ID>
You can find the VXLAN tunnel ID in your setup script; in my case the command is:
ip -s link show vxlan_47

You can also ping the VXLAN local IP address and check that you get a response, for example:
root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms
If you see anything bigger than 0 in the errors or dropped column of the ip -s link show output, you might have a firewall in the way, either on your hosting provider's side or on the server itself. You will need to make sure your port is open to accept connections.
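The counter check described above can be scripted. This is an added example, not part of TCPShield's setup script: the function name check_vxlan_counters and both sample outputs are constructed for illustration, and it assumes the usual iproute2 layout in which each RX:/TX: header row is followed by a row of values.

```shell
#!/bin/sh
# Added example, not part of the TCPShield setup script.
# Reads `ip -s link show <dev>` output on stdin, prints every non-zero
# errors/dropped counter, and returns 1 if it found any.
check_vxlan_counters() {
    awk '
        # Header row, e.g. "RX:  bytes packets errors dropped  missed   mcast"
        $1 == "RX:" || $1 == "TX:" {
            dir = substr($1, 1, 2); ecol = 0; dcol = 0
            # Locate columns by name; the value row has no "RX:" prefix,
            # so each value sits one field to the left of its header.
            for (i = 2; i <= NF; i++) {
                if ($i == "errors")  ecol = i - 1
                if ($i == "dropped") dcol = i - 1
            }
            want = 1; next
        }
        # The row directly after a header carries the counters.
        want {
            want = 0
            if (ecol && ($ecol + 0) > 0) { print dir " errors=" $ecol;  bad = 1 }
            if (dcol && ($dcol + 0) > 0) { print dir " dropped=" $dcol; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample output (interface name and MAC taken from the script above).
SAMPLE_CLEAN='5: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
        918240    7652      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
        640112    5310      0       0       0       0'

# Same interface, constructed so that outgoing tunnel packets are being dropped.
SAMPLE_DROPS='5: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
             0       0      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
         53760     640      0     640       0       0'

# On a live server: ip -s link show vxlan_47 | check_vxlan_counters
printf '%s\n' "$SAMPLE_DROPS" | check_vxlan_counters \
    || echo "vxlan_47: non-zero counters, check the firewall for the VXLAN port"
```

The non-zero return code makes the function usable from a cron job or monitoring probe that alerts when the tunnel starts dropping traffic.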
Originally, I had the Ragnarok server running on: 108.61.149.182:6900
After running the setup script, the players can now connect using: 104.234.6.128:6900

As you can see, only the IP changes — the service port remains the same. Only the address needs to be updated.
And that's it, your Sentry tunnel is now fully operational. Congratulations! You can now run your server with confidence, knowing that it's protected by TCPShield.
If you encounter any issues during setup or operation, please refer to our Debugging Guide for troubleshooting tips and common pitfalls.