DiscordPanelPricing

Sentry Tunnel for rAthena/Ragnarok

Follow this guide to protect your gameserves with TCPShield

This guide explains how to create and configure a Sentry/VXLAN tunnel, using a Ragnarok Online server as an example (rAthena emulator running on 108.61.149.182:6900).

1. Tunnel Creation

To begin, go to the Tunnel tab in your dashboard and click the New Tunnel button.

You’ll see the following fields:

  • Name: A custom label for your tunnel, use something descriptive.

  • Endpoint: The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the tunnel will forward traffic.

  • Locations: The location will always be Anycast for optimal global routing.

  • Port: A port will be automatically assigned from the range 32768–60999. You don’t usually need to change this unless you have specific routing or firewall requirements.

Tunnel creation

2. Setup

Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:

Overview page example

  • Public IP: The dedicated IP your users will connect to (e.g., 104.234.6.128).

  • Private IP: An internal address (e.g., 172.18.128.2) used for routing within the overlay network.

  • VXLAN Port: The port assigned for connecting traffic (e.g., 34251).

  • Endpoint: The backend IP of your game or application server. You can change this value whenever you like, but make sure to also re-run the Setup Script when you do so.

At the bottom of the Overview page, you’ll find a Setup Script that looks similar to this:

grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251;
ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8;
ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent;
ip link set dev vxlan_47 mtu 1450;
ip addr add 172.18.128.3/24 dev vxlan_47;
ip link set vxlan_47 up
ip route add default via 172.18.128.2 dev vxlan_47 table 200
ip addr add dev lo 104.234.6.128/32
iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0

3. Whitelist VXLAN and Backend Ports

Your VPS/Dedicated server might have a firewall which is blocking outside connections by default (or a Security Group put in place by your Cloud Provider). In this case, it's important to make sure your server port and the VXLAN's port are both accepting connections. This can be achieved by using UFW or iptables.

Using UFW

ufw allow <port>/udp
ufw allow <port>/tcp

Then verify the status by running:

ufw status

Using iptables

iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <PORT> -j ACCEPT
iptables -A OUTPUT -p udp --sport <PORT> -j ACCEPT

Then verify your configuration by running:

iptables-save

4. Execution

Now you just need to run the provided script, once completed:

  • Your server will now be reachable via the assigned public IP (e.g., 104.234.6.128).

  • You can ping the private IP (e.g., 172.18.128.2) to verify connectivity.

  • The server latency depends on the Anycast region and distance from your users.

You can verify that the tunnel was created by running:

ip -s link show vxlan_<insert vxland ID>

You can find the VXLAN tunnel ID in your setup script, in my case the command is:

ip -s link show vxlan_47

Example output

As well as pinging the VXLAN local IP address and see a response, for example:

root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms

If you see anything bigger than 0 in the errors or dropped column, you might have a firewall, either on your hosting provider's side or on the server itself. You will need to make sure your port is open to accept connection.

Originally I have the Ragnarok server running on: 108.61.149.182:6900

After running the setup script, the players can now connect using: 104.234.6.128:6900

Example on the client's side connection

As you can see, only the IP changes — the service port remains the same. Only the address needs to be updated.

Final result

And that's it, your Sentry tunnel is now fully operational. Congratulations! You can now run your server with confidence, knowing that it's protected by TCPShield.

If you encounter any issues during setup or operation, please refer to our Debugging Guide for troubleshooting tips and common pitfalls.

PreviousSentry Tunnel General SetupNextSentry Tunnel for Bedrock/Geyser

Last updated

Was this helpful?