# Sentry Tunnel General Setup

The setup process requires some networking knowledge so that you can effectively troubleshoot any issues that come up. To help you visualize the process, we have provided step-by-step guides on how to set up TCPShield VXLAN for Bedrock, FiveM and rAthena (Ragnarok) servers, with other types of service coming soon.

[rAthena/Ragnarok](/vxlan/sentry-tunnel-for-rathena-ragnarok.md)

[Bedrock/Geyser.](/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine-voicechat.md)

[FiveM/GTA Online.](/vxlan/sentry-tunnel-for-fivem-gta-online.md)

Keep in mind that the setup process is largely the same across all applications. If you run into issues along the way, head to our Discord channel and open a ticket.

### Before you begin:

**a. Basic requirements**

* **Root access (or full sudo) on a Linux server** so you can create/manage network interfaces, routes, and firewall rules.
* A server environment where you’re allowed to use kernel networking features (VXLAN is a Linux networking feature, and Sentry Tunnel is UDP-based).

**b. Who likely can’t use it**

* **Shared hosting / managed game hosting** where you *don’t* have root access or are blocked from creating custom network interfaces. (In those setups, you typically can’t bring up a VXLAN interface at all.)

**c. What about Windows Server?**

* You *can* still protect a Windows-hosted service, but it’s usually **more complicated**: you’ll typically run a **Linux proxy in front** (VPS or dedicated) to terminate the VXLAN tunnel and then forward traffic to the Windows server. This adds an extra component/hop and extra routing rules compared to a direct Linux origin.

## 1. Tunnel Creation

Head to our dashboard and navigate to the Tunnels section in the left-hand menu, then click on New Tunnel:

<figure><img src="/files/ngsaUZmdFYKxWR6O12PE" alt=""><figcaption></figcaption></figure>

You’ll see the following fields:

1. **Name**: A custom label for your tunnel, use something descriptive.
2. **Endpoint**: The external IP address of your backend server (e.g., your VPS or physical machine). This is where the VXLAN tunnel will forward traffic.

<details>

<summary>Protecting multiple ports</summary>

Because the VXLAN tunnel is port-agnostic (it carries whole packets regardless of which port your service listens on), the Endpoint should contain only your backend IPv4 address.

This means you can protect multiple services or game servers behind a single Tunnel instance, which is very useful for scalability.

</details>

3. **Locations**: The location will always be Anycast for optimal global routing.
4. **Port**: A port will be automatically assigned from the range 32768–60999. This is the port our VXLAN tunnel will use to communicate with your backend. No need to change this unless you have specific routing or firewall requirements.

<details>

<summary>VXLAN PORT</summary>

<mark style="color:purple;">This assigned port is **NOT** your service port (e.g., **6900** for Ragnarok or **25565** for Minecraft). Your application keeps listening on its usual port. The VXLAN port is only the UDP port on which the encapsulated traffic arrives at your backend IP; the inner packet is still addressed to your public IP and your service port.</mark>

</details>

<figure><img src="/files/2d7sSjy4KFeWFGddtikQ" alt=""><figcaption><p>Tunnel creation</p></figcaption></figure>

## 2. Tunnels Overview

Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:

<figure><img src="/files/cJIe3RtBdb8L3JSgPXBL" alt=""><figcaption></figcaption></figure>

* **Public IP**: The dedicated IP your users will connect to (e.g., 104.234.6.228).
* **VXLAN Port**: The port assigned for VXLAN traffic (e.g., 38378).
* **Endpoint**: The backend IP of your game or application server. You can change this value whenever you like, but make sure to re-run the Setup Script when you do so.

<details>

<summary>Changing your Endpoint Settings:</summary>

Once you have updated your backend IPv4, the page should refresh and you will see a new Setup Script being generated.

</details>

* **Setup Script**: At the bottom of the Overview page, you’ll find a Setup Script that looks like this.

```
ip link add vxlan_2116 address 12:cc:6c:3d:95:b6 type vxlan id 2116 remote 198.178.119.30 dstport 38378 nolearning
ip addr add 104.234.6.228/16 dev vxlan_2116
ip link set dev vxlan_2116 mtu 1450 up
ip route add default via 104.234.253.228 dev vxlan_2116 table 1688
ip rule add from 104.234.6.228 lookup 1688
```

We'll include explanation for each line in the script for anyone interested:

{% tabs %}
{% tab title="1. Interface creation" %}

```bash
ip link add vxlan_2116 address 12:cc:6c:3d:95:b6 type vxlan id 2116 remote 198.178.119.30 dstport 38378 nolearning
```

* `vxlan_2116` : Interface name, named after the VXLAN ID
* `address 12:cc:6c:3d:95:b6` : assigned MAC address for the virtual interface
* `id 2116` : Unique tunnel identifier for this customer
* `remote 198.178.119.30`  : The other end of the tunnel (TCPShield's side)
* `dstport 38378` : VXLAN traffic is encapsulated over **UDP** on this port
* `nolearning` : Disables source-address learning. The kernel does not add MAC addresses seen in incoming frames to the interface's forwarding database; everything is simply sent to the configured `remote`
  {% endtab %}

{% tab title="2. IP" %}

```bash
ip addr add 104.234.6.228/16 dev vxlan_2116
```

* Gives the tunnel interface a **TCPShield-owned IP** (`104.234.x.x` block)
* The `/16` puts the whole `104.234.0.0/16` block on-link via the tunnel interface, which is what makes the gateway `104.234.253.228` (used in step 4) reachable as a directly connected neighbour without a separate route
* This is the IP that **players connect to**, not the customer's backend IP
  {% endtab %}

{% tab title="3. MTU" %}

```bash
ip link set dev vxlan_2116 mtu 1450 up
```

* MTU set to **1450** (not standard 1500) to account for VXLAN encapsulation overhead (\~50 bytes of UDP/IP/VXLAN headers)
* `up` activates the interface
  {% endtab %}

{% tab title="4. Route " %}

```bash
ip route add default via 104.234.253.228 dev vxlan_2116 table 1688
```

* Adds a default route inside a **separate routing table (`1688`)** — not the main table
* `104.234.253.228` is TCPShield's gateway on the other end of the tunnel
* All traffic matching this table exits through the VXLAN tunnel back to TCPShield
  {% endtab %}

{% tab title="5. Policy" %}

```bash
ip rule add from 104.234.6.228 lookup 1688
```

* **Key line** — tells the kernel: *"if a packet's source IP is `104.234.6.228`, use routing table `1688`"*
* This ensures **reply traffic** goes back through the tunnel, not out the customer's regular internet connection
  {% endtab %}
  {% endtabs %}

## 3. Firewall configuration:

Most cloud providers have a firewall enabled by default. To make sure your backend works correctly, please follow the steps in our guide (linked below) to allow the necessary ports. If you’re not sure how to do this, you can also check your cloud provider’s help articles or look up guides for `ufw` or `iptables`.

<https://docs.tcpshield.com/vxlan/common-issues-and-debugging#id-1.3-firewall-configuration>

For customers using <mark style="color:blue;">Pterodactyl</mark>, ensure that you open the VXLAN port on the panel itself. This can be done by navigating to the **Network** tab and selecting **Create Allocation**. For more information, visit this [guide](https://knowledgebase.aquatis.host/books/pterodactyl-guides/page/how-do-i-addopen-a-server-port-on-pterodactyl).

## 4. Setting up Sentry Tunnel:

Copy and run your Setup Script. Pasting it directly into the terminal is fine, or you can save it as a `.sh` script in case you need to re-run it later. Note that these commands are not persistent across reboots, and that `ip link add` refuses to create an interface that already exists, so delete the old interface before re-running the script.

You can verify that the tunnel was created by running:

```
ip -s link show vxlan_2116
```

Example output:

```
root@admin:~# ip -s link show vxlan_2116
472: vxlan_2116: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:6c:3d:95:b6 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped missed  mcast   
    0          0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    648        7        0       0       0       0       
```

And with it:

* Your server will now be reachable via the assigned public IP. For example, a TeamSpeak server is reachable via `104.234.6.228:9987`, a Lineage server via `104.234.6.228:2160`, and so on.
* You can also head to our [Setup Checklist](https://docs.tcpshield.com/vxlan/common-issues-and-debugging#id-1.-vxlan-setup-check-list) page to verify your setup. If you run into any issue along the way, either head to our [Debugging Page](/vxlan/common-issues-and-debugging.md) or make a ticket on our [Discord](https://discord.com/invite/tcpshield) channel.
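As an added example (not TCPShield's own script, and not part of the original page), the following POSIX shell wrapper makes the Setup Script above safe to re-run: it removes any leftover interface and policy rule first, replays the five dashboard commands with this page's example values, and then checks the interface flags, MTU and policy route, the same things the `ip -s link show` check above looks at. The function names, the `apply`/`down`/`show` arguments and the use of `192.0.2.1` as a probe destination are this example's own choices; the tunnel values are the ones shown on this page and must be replaced with the values from your own Overview page.

```shell
#!/bin/sh
# Added example (not TCPShield's script): an idempotent wrapper around the
# dashboard Setup Script. Values are the example values from this page;
# replace them with the ones shown on your own Overview page.
VNI=2116
MAC=12:cc:6c:3d:95:b6
REMOTE=198.178.119.30          # TCPShield side of the tunnel
VXLAN_PORT=38378               # VXLAN UDP port from the Overview page
PUBLIC_IP=104.234.6.228        # the IP players connect to
PREFIX=16
GATEWAY=104.234.253.228
TABLE=1688
MTU=1450
IFACE="vxlan_${VNI}"

# Print the dashboard commands, one per line, so they can be reviewed or
# diffed against the Overview page before anything touches the kernel.
vxlan_setup_cmds() {
  cat <<EOF
ip link add ${IFACE} address ${MAC} type vxlan id ${VNI} remote ${REMOTE} dstport ${VXLAN_PORT} nolearning
ip addr add ${PUBLIC_IP}/${PREFIX} dev ${IFACE}
ip link set dev ${IFACE} mtu ${MTU} up
ip route add default via ${GATEWAY} dev ${IFACE} table ${TABLE}
ip rule add from ${PUBLIC_IP} lookup ${TABLE}
EOF
}

# Undo a previous run. Deleting the link also drops its address and the
# route in the extra table, but the policy rule is independent of the
# interface and must be removed explicitly. Without this step a second
# "ip link add" fails with "RTNETLINK answers: File exists".
vxlan_teardown_cmds() {
  cat <<EOF
ip rule del from ${PUBLIC_IP} lookup ${TABLE}
ip link del ${IFACE}
EOF
}

# Read "ip -s link show IFACE" output on stdin; succeed only if the first
# line carries the UP flag and the expected MTU.
vxlan_check_output() {
  awk -v mtu="$1" '
    NR == 1 && /[<,]UP[,>]/ && $0 ~ ("mtu " mtu " ") { ok = 1 }
    END { if (ok) exit 0; exit 1 }'
}

# Packet counters from the same output. RX stays 0 until the first client
# packet arrives through the tunnel, so a non-zero RX count is the simplest
# end-to-end signal that TCPShield is reaching your backend.
vxlan_rx_packets() { awk '/^ *RX: bytes/ { getline; print $2 }'; }
vxlan_tx_packets() { awk '/^ *TX: bytes/ { getline; print $2 }'; }

vxlan_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "vxlan_apply: must run as root" >&2; return 1; }
  vxlan_teardown_cmds | sh 2>/dev/null   # nothing to remove on a fresh host
  vxlan_setup_cmds | sh -e || return 1
  ip -s link show "${IFACE}" | vxlan_check_output "${MTU}" || return 1
  # Policy-routing check: a packet sourced from the public IP must leave via
  # the tunnel, not the host's default route. 192.0.2.1 is a documentation
  # address used here only as a probe destination (example's own choice).
  ip route get 192.0.2.1 from "${PUBLIC_IP}" | grep -q "dev ${IFACE}"
}

case "${1:-}" in
  apply) vxlan_apply ;;
  down)  vxlan_teardown_cmds | sh ;;
  show)  vxlan_setup_cmds ;;
  *)     : ;;   # no argument: only define the functions (safe to source)
esac
```

Run `sh sentry-tunnel.sh show` to review the commands, then `sudo sh sentry-tunnel.sh apply`; `down` removes the tunnel again. Open the VXLAN UDP port in the host firewall first (section 3). Nothing here survives a reboot, so start the script from a systemd unit or your distribution's equivalent if the tunnel must come back automatically.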

## 5. Recommended: Configure our ProtoGuard Firewall

On our Sentry Tunnel we have developed strict mitigation for selected games and services. Simply head to the Firewall tab to enable it:

**Filter Name**: Select the desired protocol here. Traffic that does not conform to that protocol will be dropped. At the moment we offer ProtoGuard Firewall for:

* FiveM&#x20;
* Simple Voice Chat
* Minecraft Bedrock/Geyser
* ARK Survival Evolved
* Counterstrike: Global Offensive (including CS2)
* Rust
* TeamSpeak
* Valheim
* RAN Online

With more coming later.

**Start Port/End Port**: The port range to which the filter applies.

<div data-full-width="true"><figure><img src="/files/S4asw7gCiSvDPHXayfy6" alt="" width="525"><figcaption><p>Firewall Selection Page</p></figcaption></figure></div>

