TCPSHIELD VXLAN General Setup
General Setup Guide
Last updated
Was this helpful?
General Setup Guide
Last updated
Was this helpful?
VXLAN setup, while simple, does require the users to have some knowledge regard networking to effectively trouble shoot any issues that comes up. To help you better visualize the process, we have provided steps by steps guide on how to setup TCPShield VXLAN for Bedrock, FiveM and rAtherna (Ragnarok) servers, with other type of services coming soon.
.
.
. Keep in mind that the setup process is pretty much the same across all applications. But if you run into issues along the way, please head to our Discord channel and open a ticket.
Head to our dashboard and navigate to the Tunnels section on the left corner, then click on New Tunnel:
You’ll see the following fields:
Name: A custom label for your tunnel, use something descriptive.
Endpoint: The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the VXLAN tunnel will forward traffic.
Locations: The location will always be Anycast for optimal global routing.
Port: A port will be automatically assigned from the range 32768–60999. This is the port our VXLAN tunnel will use to communicate with your backend. No need to change this unless you have specific routing or firewall requirements.
Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:
Public IP: The dedicated IP your users will connect to (e.g., 104.234.6.152).
Private IP: An internal VXLAN address (e.g., 172.18.152.2) used for routing within the overlay network.
VXLAN Port: The port assigned for VXLAN traffic (e.g., 33154).
Endpoint: The backend IP of your game or application server. You can change this value whenever you like, but make sure to also re-run the Setup Script when you do so.
Setup Script: At the bottom of the Overview page, you’ll find a Setup Script that looks like this.
We'll include explanation for each line in the script for anyone interested:
grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables;
Ensures that a custom routing table named tunnel_table with ID 200 exists in /etc/iproute2/rt_tables.
ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200
Adds rule to route packets marked with firewall mark 9 (fwmark 9) using the custom routing table 200. This allows selectively routing marked packets through the VXLAN tunnel
Most cloud providers have a firewall enabled by default. To make sure your backend works correctly, please follow the steps in our guide (linked below) to allow the necessary ports. If you’re not sure how to do this, you can also check your cloud provider’s help articles or look up guides for ufw or iptables.
Copy and run your Setup Script. Pasting it directly in the terminal should be fine, or you can create a custom .sh script in case you need to re-run it later.
You can verify that the tunnel was created by running:
Example output:
And with it:
Your server will now be reachable via the assigned public IP. For example, your TeamSpeak server is reachable via 104.234.6.152:9987 or your Lineage server via 104.234.6.152:2160 etc etc.
Adds a static (permanent) ARP entry: IP 172.18.152.2 → MAC 12:dd:6c:3d:95:b6 . This ensures the system knows how to reach the remote endpoint inside the tunnel, bypassing ARP resolution. You can use to verify interface traffic coming from VXLAN public & private IP address to confirm whether the virtual link is properly resolving IP-to-MAC.
For customers using Pterodactyl, ensure that you open the VXLAN port on the panel itself. This can be done by navigating to the Network tab and selecting Create Allocation. For more information, visit this .
You can also head to our page to verify your setup. If run into any issue along the way, either head to our or make a ticket on our channel.
