LogoLogo
DiscordPanelPricing
  • TCPShield
  • FAQ
  • Commonly asked questions
  • Features
  • Contact
  • Billing
  • Vxlan
    • VXLAN Features
    • TCPSHIELD VXLAN General Setup
    • VXLAN Tunnel for rAthena/Ragnarok
    • VXLAN Tunnel for Bedrock/Geyser
    • VXLAN Tunnel for FiveM/GTA Online
    • Common issues and Debugging
  • Premium Features
    • Asia Network
    • Geyser
    • Panel Features
  • Panel
    • Setup Process
    • Panel Configuration
    • DNS Setup
    • TCPShield Plugin
  • Troubleshooting
    • Setup Checklist
    • Invalid Hostname
    • Disconnected on Login
    • High Latency and General Lag
    • How to Read a Traceroute
    • Connection Complaint Policy
  • Miscellaneous
    • TCPShield API
    • Protect a website
    • Wildcard DNS
    • Protect a home hosted server
    • Account sharing
    • Transfer Packets
  • Useful Links
  • TCPShield Panel
Powered by GitBook
LogoLogo

Useful links

  • Pricing
  • Twitter
  • Contact

Need help?

  • Discord
  • Network Status

Panel

  • Sign Up
  • Login
On this page
  • Why VXLAN for DDoS Mitigation?
  • 1. Optimized for Anycast and Scrubbing Efficiency
  • 2. Higher cost efficiency
  • 3. Minimal Overhead, Maximum Performance
  • 4. Protocol-Agnostic: Support More Games, More Applications
  • 5. Better than GRE: A Refined Solution for Modern Needs
  • What This Means for TCPShield Users
  • Ready to Deploy

Was this helpful?

  1. Vxlan

VXLAN Features

As TCPShield expands its infrastructure to support more diverse application traffic beyond Minecraft, from April 2025, we’re proud to introduce VXLAN TUNNEL as the next evolution of clean traffic delivery. Built for modern cloud-scale networking, VXLAN is a refined, high-performance solution that allows us to protect and forward any TCP/UDP traffic, with greater flexibility, speed, and compatibility than legacy tunneling protocols.

Why VXLAN for DDoS Mitigation?

1. Optimized for Anycast and Scrubbing Efficiency

VXLAN uses stateless UDP-based encapsulation, which fits perfectly with our anycast infrastructure. That means:

  • Traffic is always routed to the nearest DDoS protection/scrubbing center, keeping latency low.

  • Failover between locations is instant and seamless, no handshakes or reconnections needed.

  • We can run multi-point tunnel topologies, where multiple TCPShield nodes send clean traffic back to your origin—without managing dozens of individual tunnels.

2. Higher cost efficiency

Compared to our flagship Minecraft proxy product, tunnels allow for a higher number of tenants behind a single IP address, allowing you to not just protect many customers across different ports on the same machine, but also any assortment of protocols and services as well on the same protected IP.

  • For instance, you can protect a dozen Minecraft customers between ports 25565 to 25577, and 5 customers operating CS:GO servers on ports 27015 to 27020.

  • You can then use the firewall page to define layer 7 protocol filters for these port ranges which apply across our edge and ensure seamless protection and protocol conformity for these ports

  • Port ranges can be modified on existing rules at any time, in case further customers are added on the same IP. You can also automate this process via our API.

3. Minimal Overhead, Maximum Performance

VXLAN introduces only ~50 bytes of overhead per packet, yet it delivers major throughput advantages:

  • Hardware offload support on modern NICs allows VXLAN packets to be processed at line rate with minimal CPU usage.

  • UDP-based encapsulation leverages features like Large Receive Offload (LRO) and Generic Segmentation Offload (GSO) for enhanced performance.

  • VXLAN gives us the ability to move gigabits of cleaned traffic per second, efficiently and cost-effectively.

4. Protocol-Agnostic: Support More Games, More Applications

  • It supports any protocol that rides on Layer 2: IPv4, IPv6, ARP, multicast, and more.

  • VXLAN can tunnel exotic or legacy traffic used in non-standard game engines, custom UDP protocols, or multiplayer applications that rely on broadcast or L2 adjacency.

  • VXLAN also works seamlessly across NAT environments, making it suitable for home hosting setups as well as cloud platforms like AWS, Azure Cloud, and others where NAT is often unavoidable.

That flexibility means we can now support far more than just Minecraft. If your app uses UDP or TCP, VXLAN can carry it—no sweat.

5. Better than GRE: A Refined Solution for Modern Needs

While GRE has been a traditional choice for clean traffic tunnels, it shows its age in key areas:

  • No NAT traversal: GRE doesn’t play well with firewalls and NAT devices — VXLAN’s UDP base does.

  • No built-in segmentation: GRE lacks fine-grained identifiers. VXLAN supports up to 16 million VNIs to isolate tenants, services, or regions.

  • Lower performance: GRE generally lacks hardware offload support and suffers on multi-core platforms without UDP port hashing.

VXLAN delivers all the benefits of GRE — and then some — making it a natural upgrade for modern cloud-native protection.


What This Means for TCPShield Users

  1. Expanded Game Support: Any UDP or TCP-based game can now be protected — not just Minecraft.

  2. Lower Latency: Anycast tunnel endpoints ensure you always connect to the nearest scrubbing node.

  3. Scalable Protection: VXLAN’s design enables us to scale DDoS mitigation globally with multi-tenant separation and flexible routing.


Ready to Deploy

PreviousBillingNextTCPSHIELD VXLAN General Setup

Last updated 20 days ago

Was this helpful?

and many VPN-based tunnels (like WireGuard/IPsec) are often limited to point-to-point IP traffic. VXLAN, on the other hand, is Ethernet-over-IP — meaning:

Our VXLAN solution is now available for public access. If you're interested in enabling VXLAN-based clean traffic delivery for your service, contact us over at our support Discord or head to the to get started.

GRE
setup page