# Sentry Tunnel for rAthena/Ragnarok

This guide explains how to create and configure a Sentry/VXLAN tunnel, using a Ragnarok Online server as an example (rAthena emulator running on `108.61.149.182:6900`).

## 1. Tunnel Creation

To begin, go to the Tunnel tab in your dashboard and click the New Tunnel button.

<figure><img src="/files/W6hM5GsQHTeSbFa8nTUS" alt=""><figcaption></figcaption></figure>

You’ll see the following fields:

* **Name**:\
  A custom label for your tunnel; use something descriptive.
* **Endpoint**:\
  The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the tunnel will forward traffic.
* **Locations**:\
  The location will always be Anycast for optimal global routing.
* **Port**:\
  A port will be automatically assigned from the range 32768–60999. You don’t usually need to change this unless you have specific routing or firewall requirements.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc09asgmzDMm_s931Y0EVfKTyu6x4DLkgkE7lAl8F9d6LC7cpDkE4npLtn8b4oex9AcekBHx9CDQBhfpvFJ1gS4s5RtfdMhq5dFzXzfIiceyBO76x9uV4M3X2_NNP8aSQfePCM9LQ?key=YL1mFWFPSqgKGf9wt7fI0V67" alt=""><figcaption><p>Tunnel creation</p></figcaption></figure>

## 2. Setup

Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe0qAR46NKMzRxOHTzKbijwJnIyrOjXL_ZGmve1UBV0vWbLlfWk56WV7PfeF8PAooN97VOwkJEPb18B3MgP5oqTTm9lJKRoR-IGZCxumUlCjTu2AnWe7YG2juJLZxT1oAlskB-0Tg?key=YL1mFWFPSqgKGf9wt7fI0V67" alt=""><figcaption><p>Overview page example</p></figcaption></figure>

* **Public IP**:\
  The dedicated IP your users will connect to (e.g., 104.234.6.128).
* **Private IP**:\
  An internal address (e.g., 172.18.128.2) used for routing within the overlay network.
* **VXLAN Port**:\
  The port assigned for connecting traffic (e.g., 34251).
* **Endpoint**:\
  The backend IP of your game or application server. You can change this value whenever you like, but make sure to also re-run the Setup Script when you do so.

At the bottom of the Overview page, you’ll find a Setup Script that looks similar to this:

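```
# Register routing table 200 as "tunnel_table" (skipped if already present)
grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
# Send packets carrying firewall mark 9 to that table
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
# Create the VXLAN interface (VNI 47) towards the tunnel remote on port 34251
ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251;
ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8;
# Static neighbour entry for the tunnel gateway (the Private IP)
ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent;
# 1450 leaves room for the VXLAN encapsulation headers on a 1500-byte path
ip link set dev vxlan_47 mtu 1450;
ip addr add 172.18.128.3/24 dev vxlan_47;
ip link set vxlan_47 up
# Default route through the tunnel gateway, in table 200 only
ip route add default via 172.18.128.2 dev vxlan_47 table 200
# Bind the Public IP locally so the server answers traffic addressed to it
ip addr add dev lo 104.234.6.128/32
# Mark locally generated packets sent from the Public IP so they are routed via table 200, then clear the mark
iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0
```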

## 3. Whitelist VXLAN and Backend Ports

Your VPS/Dedicated server might have a firewall which is blocking outside connections by default (or a [Security Group](https://docs.tcpshield.com/vxlan/pages/631Mayag431M2l0f1dAD#id-1.2-firewall) put in place by your Cloud Provider). In this case, it's important to make sure your server port and the VXLAN's port are both accepting connections. This can be achieved by using `UFW` or `iptables`.

#### Using UFW <a href="#using-ufw" id="using-ufw"></a>

```
ufw allow <port>/udp
ufw allow <port>/tcp
```

Then verify the status by running:

```
ufw status
```

#### Using iptables <a href="#using-iptables" id="using-iptables"></a>

```
iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <PORT> -j ACCEPT
iptables -A OUTPUT -p udp --sport <PORT> -j ACCEPT
```

Then verify your configuration by running:

```
iptables-save
```
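`iptables -A` appends to the end of a chain, so on a host whose `INPUT` chain already ends in a catch-all `DROP` or `REJECT` rule the new `ACCEPT` rules are never reached. The following added example (not part of the TCPShield documentation) reads `iptables-save` output and reports that case; the ruleset shown is constructed, and the check ignores `-s`/`-i` restrictions and multiport matches.

```shell
# Constructed sample: an image that ships with a trailing REJECT rule, after
# which the two ACCEPT rules from this section were appended with -A.
SAMPLE_RULESET='*mangle
-A OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 34251 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6900 -j ACCEPT
COMMIT'

# Usage: iptables-save | input_rule_state <tcp|udp> <port>
# Prints one of:
#   accepted  an ACCEPT rule for the port comes before any catch-all deny
#   shadowed  an ACCEPT rule exists, but only after a catch-all DROP/REJECT
#   no-rule   no explicit ACCEPT rule for the port in filter/INPUT
input_rule_state() {
  awk -v proto="$1" -v port="$2" '
    /^\*/ { table = substr($0, 2) }     # table header: *filter, *mangle, ...
    table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
    # A rule with no match criteria that drops or rejects ends the chain
    # for every packet that reaches it.
    $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { denied = 1; next }
    {
      p = d = a = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-p" && $(i + 1) == proto) p = 1
        if ($i == "--dport" && $(i + 1) == port) d = 1
        if ($i == "-j" && $(i + 1) == "ACCEPT") a = 1
      }
      if (p && d && a && state == "") state = denied ? "shadowed" : "accepted"
    }
    END { print (state == "" ? "no-rule" : state) }
  '
}

printf '%s\n' "$SAMPLE_RULESET" | input_rule_state udp 34251   # prints: shadowed
```

If a port is reported as `shadowed`, inserting the rule with `iptables -I INPUT` instead of `-A INPUT` places it ahead of the catch-all rule.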

## 4. Execution

Now you just need to run the provided script. Once it has completed:

* Your server will now be reachable via the assigned public IP (e.g., 104.234.6.128).
* You can ping the private IP (e.g., 172.18.128.2) to verify connectivity.
* The server latency depends on the Anycast region and distance from your users.

You can verify that the tunnel was created by running:

```
ip -s link show vxlan_<insert VXLAN ID>
```

You can find the VXLAN tunnel ID in your setup script; in my case the command is:

`ip -s link show vxlan_47`

<figure><img src="/files/UuDpf1wafOy2SZmk0lmc" alt=""><figcaption><p>Example output</p></figcaption></figure>

You can also ping the VXLAN local IP address and check that you get a response, for example:

```
root@admin:~# ping 172.18.128.2
PING 172.18.128.2 (172.18.128.2) 56(84) bytes of data.
64 bytes from 172.18.128.2: icmp_seq=1 ttl=64 time=51.6 ms
64 bytes from 172.18.128.2: icmp_seq=2 ttl=64 time=50.9 ms
64 bytes from 172.18.128.2: icmp_seq=3 ttl=64 time=50.0 ms
64 bytes from 172.18.128.2: icmp_seq=4 ttl=64 time=50.0 ms
```

{% hint style="danger" %}
If you see anything greater than 0 in the `errors` or `dropped` column, you might have a firewall in the way, either on your hosting provider's side or on the server itself. You will need to make sure your port is open to accept connections.
{% endhint %}
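The `errors`/`dropped` check can be scripted so it runs after every setup or firewall change. This is an added example, not TCPShield tooling; the interface statistics below are constructed, and the function name is hypothetical.

```shell
# Constructed sample of `ip -s link show vxlan_47` output with 3 dropped
# packets on the transmit side.
SAMPLE_LINK_STATS='5: vxlan_47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:cb:ab:1f:e8 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
         84120    1002      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
         91344    1087      0       3       0       0'

# Reads `ip -s link show <dev>` output on stdin. Prints one line per non-zero
# counter (for example "TX dropped=3") and returns 1 if any was found.
check_link_counters() {
  awk '
    # A header line names the columns of the value line that follows it.
    # Column positions are looked up by name because the trailing columns
    # differ between iproute2 versions.
    $1 == "RX:" || $1 == "TX:" {
      dir = substr($1, 1, 2)
      for (i = 2; i <= NF; i++) col[$i] = i - 1   # value line has no prefix
      want = 1
      next
    }
    want {
      e = $(col["errors"]) + 0
      d = $(col["dropped"]) + 0
      if (e > 0) { print dir " errors=" e; bad = 1 }
      if (d > 0) { print dir " dropped=" d; bad = 1 }
      want = 0
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Live use: ip -s link show vxlan_47 | check_link_counters
printf '%s\n' "$SAMPLE_LINK_STATS" | check_link_counters \
  || echo "non-zero counters: check the firewall rules for the VXLAN and service ports"
```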

Originally, I had the Ragnarok server running on: `108.61.149.182:6900`

After running the setup script, the players can now connect using: `104.234.6.128:6900`

<figure><img src="/files/cYI4dT01GR7WEq2KWD3L" alt=""><figcaption><p>Example on the client's side connection</p></figcaption></figure>

As you can see, only the IP changes — <mark style="color:purple;">the service port remains the same</mark>. Only the address needs to be updated.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfpVrcJ2HBmyhYCaeJl66LgPFPoEKPgoel9joN-i-UU7kHxrKjqoku-ZljqV86akHfbeMroX00tEl-1o3afG9SrxYHxozDI62mJ6pVQDuA1bPTUqnxS81vkQkZbzZ2KxlG25wjbmA?key=YL1mFWFPSqgKGf9wt7fI0V67" alt=""><figcaption><p>Final result</p></figcaption></figure>

And that's it, your Sentry tunnel is now fully operational. Congratulations! You can now run your server with confidence, knowing that it's protected by TCPShield.

If you encounter any issues during setup or operation, please refer to our [Debugging Guide](/vxlan/common-issues-and-debugging.md) for troubleshooting tips and common pitfalls.


