Sentry Tunnel General Setup

General Setup Guide

The setup process does require the users to have some knowledge regard networking to effectively trouble shoot any issues that comes up. To help you better visualize the process, we have provided steps by steps guide on how to setup TCPShield VXLAN for Bedrock, FiveM and rAtherna (Ragnarok) servers, with other type of services coming soon.

rAthena/Ragnarok

Bedrock/Geyser.

FiveM/GTA Online. Keep in mind that the setup process is pretty much the same across all applications. But if you run into issues along the way, please head to our Discord channel and open a ticket.

1. Tunnel Creation

Head to our dashboard and navigate to the Tunnels section on the left corner, then click on New Tunnel:

You’ll see the following fields:

Name: A custom label for your tunnel, use something descriptive.
Endpoint: The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the VXLAN tunnel will forward traffic.

Protecting multiple ports

Since VXLAN tunnel doesn't care which port your service is running on (port-agnostic), the Endpoint should only contains your backend IPv4.

Hence you can have multiple services / gameserves being protected behind a single Tunnel instance, which is very useful for scalability.

Locations: The location will always be Anycast for optimal global routing.
Port: A port will be automatically assigned from the range 32768–60999. This is the port our VXLAN tunnel will use to communicate with your backend. No need to change this unless you have specific routing or firewall requirements.

VXLAN PORT

This assigned port is NOT your service port (e.g., 6900 for Ragnarok or 25565 for Minecraft). Your application will continue to listen on its usual port. The VXLAN tunnel just forwards traffic to that original port via the backend IP.

2. Tunnels Overview

Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:

Public IP: The dedicated IP your users will connect to (e.g., 104.234.6.152).
Private IP: An internal VXLAN address (e.g., 172.18.152.2) used for routing within the overlay network.

Why does VXLAN use private IPs like 172.18.x.x?

These are reserved for internal overlay communication, which keeps them isolated from the public internet while enabling full bidirectional routing between nodes in your VXLAN environment.

VXLAN Port: The port assigned for VXLAN traffic (e.g., 33154).
Endpoint: The backend IP of your game or application server. You can change this value whenever you like, but make sure to also re-run the Setup Script when you do so.

Changing your Endpoint Settings:

Once you have updated your backend IPv4, the page should refresh and you will see a new Setup Script being generated.

Setup Script: At the bottom of the Overview page, you’ll find a Setup Script that looks like this.

grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
ip link add vxlan_214 type vxlan id 214 remote 198.178.119.30 dstport 33154;
ip link set dev vxlan_214 address 12:cc:6c:3d:95:b6;
ip neigh add 172.18.152.2 lladdr 12:dd:6c:3d:95:b6 dev vxlan_214 nud permanent;
ip link set dev vxlan_214 mtu 1450;
ip addr add 172.18.152.3/24 dev vxlan_214;
ip link set vxlan_214 up
ip route add default via 172.18.152.2 dev vxlan_214 table 200
sysctl -w net.ipv4.conf.vxlan_214.rp_filter=0
ip addr add dev lo 104.234.6.152/32
iptables -t mangle -I OUTPUT -s 104.234.6.152/32 -j MARK --set-xmark 0x9
iptables -t mangle -A POSTROUTING -s 104.234.6.152/32 -j MARK --set-mark 0

We'll include explanation for each line in the script for anyone interested:

grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;

Ensures that a custom routing table named tunnel_table with ID 200 exists in /etc/iproute2/rt_tables.

ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200

Adds rule to route packets marked with firewall mark 9 (fwmark 9) using the custom routing table 200. This allows selectively routing marked packets through the VXLAN tunnel

ip link add vxlan_214 type vxlan id 214 remote 198.178.119.30 dstport 33154;

Creates a VXLAN interface named vxlan_214 with:

VXLAN ID 214
Remote IP 198.178.119.30
Destination UDP port 33154 (VXLAN usually uses UDP)

ip link set dev vxlan_214 address 12:cc:6c:3d:95:b6;

Assigns a custom MAC address 12:cc:6c:3d:95:b6 to the VXLAN interface.

ip neigh add 172.18.152.2 lladdr 12:dd:6c:3d:95:b6 dev vxlan_214 nud permanent;

Adds a static (permanent) ARP entry: IP 172.18.152.2 → MAC 12:dd:6c:3d:95:b6 . This ensures the system knows how to reach the remote endpoint inside the tunnel, bypassing ARP resolution. You can use arping to verify interface traffic coming from VXLAN public & private IP address to confirm whether the virtual link is properly resolving IP-to-MAC.

ip link set dev vxlan_214 mtu 1450;

Sets the Maximum Transmission Unit of the VXLAN interface to 1450. VXLAN adds ~50 bytes of overhead; this avoids fragmentation (standard MTU is 1500).

ip addr add 172.18.152.3/24 dev vxlan_214;

Assigns the local tunnel IP address 172.18.152.3 to the VXLAN interface.

ip link set vxlan_214 up Brings up the VXLAN interface. You can replace up with down to shutdown the interface if needed.

ip route add default via 172.18.152.2 dev vxlan_214 table 200

In routing table 200, sets the default route to go through the remote endpoint 172.18.152.2 using vxlan_214.

sysctl -w net.ipv4.conf.vxlan_214.rp_filter=0

Validates incoming packets are arriving on vxlan_214 interface - by verifying their source address against the routing table.

ip addr add dev lo 104.234.6.152/32

Adds the public IP 104.234.6.152 as a loopback alias on the local system. This is why when pinging, you should see <1ms response time.

iptables -t mangle -I OUTPUT -s 104.234.6.152/32 -j MARK --set-xmark 0x9

Marks packets originating from 104.234.6.152 with mark 9 in the mangle table (fwmark 9). This mark is used by the earlier ip rule to route traffic through the VXLAN tunnel.

iptables -t mangle -A POSTROUTING -s 104.234.6.152/32 -j MARK --set-mark 0

After routing, unsets the firewall mark (reset to 0) in the POSTROUTING chain. Ensures that the mark doesn’t leak into other parts of the system or confuse other ip rules or NAT.

3. Firewall configuration:

Most cloud providers have a firewall enabled by default. To make sure your backend works correctly, please follow the steps in our guide (linked below) to allow the necessary ports. If you’re not sure how to do this, you can also check your cloud provider’s help articles or look up guides for ufw or iptables.

https://docs.tcpshield.com/vxlan/common-issues-and-debugging#id-1.3-firewall-configuration

For customers using Pterodactyl, ensure that you open the VXLAN port on the panel itself. This can be done by navigating to the Network tab and selecting Create Allocation. For more information, visit this guide.

4. Setting up Sentry Tunnel:

Copy and run your Setup Script. Pasting it directly in the terminal should be fine, or you can create a custom .sh script in case you need to re-run it later.

You can verify that the tunnel was created by running:

ip -s link show vxlan_214

Example output:

root@admin:~# ip -s link show vxlan_214
472: vxlan_214: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 12:cc:6c:3d:95:b6 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped missed  mcast   
    0          0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    648        7        0       0       0       0

And with it:

Your server will now be reachable via the assigned public IP. For example, your TeamSpeak server is reachable via 104.234.6.152:9987 or your Lineage server via 104.234.6.152:2160 etc etc.
You can also head to our Setup Checklist page to verify your setup. If run into any issue along the way, either head to our Debugging Page or make a ticket on our Discord channel.

PreviousSentry Tunnel Features NextSentry Tunnel for rAthena/Ragnarok

Last updated 16 days ago

Was this helpful?