VXLAN Tunnel Setup Guide
Follow this guide to protect your gameserves with TCPShield
Last updated
Was this helpful?
Follow this guide to protect your gameserves with TCPShield
Last updated
Was this helpful?
This guide explains how to create and configure a VXLAN tunnel, using a Ragnarok Online server as an example (rAthena emulator running on 108.61.149.182:6900). This setup allows you to route traffic through a dedicated public IP using VXLAN overlay networking. The process is pretty much the same for all other games and applications.
To begin, go to the Tunnel tab in your dashboard and click the Add Tunnel button.
You’ll see the following fields:
Name: A custom label for your tunnel, use something descriptive.
Endpoint: The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the VXLAN tunnel will forward traffic.
Locations: The location will always be Anycast for optimal global routing.
Port: A port will be automatically assigned from the range 32768–60999. You don’t usually need to change this unless you have specific routing or firewall requirements.
This assigned port is NOT your service port (e.g., 6900 for Ragnarok or 25565 for Minecraft). Your application will continue to listen on its usual port. The VXLAN tunnel just forwards traffic to that original port via the backend IP.
Once the tunnel is created, you'll be redirected to the Overview page, which will show all of the necessary information:
Public IP: The dedicated IP your users will connect to (e.g., 104.234.6.128).
Private IP: An internal VXLAN address (e.g., 172.18.128.2) used for routing within the overlay network.
VXLAN Port: The port assigned for VXLAN traffic (e.g., 34251).
Endpoint: The backend IP of your game or application server. You can change this value whenever you like, but make sure to also re-run the Setup Script when you do so.
Why does VXLAN use private IPs like 172.18.x.x? These are reserved for internal overlay communication, which keeps them isolated from the public internet while enabling full bidirectional routing between nodes in your VXLAN environment.
At the bottom of the Overview page, you’ll find a Setup Script that looks similar to this:
Simply run the provided script, once completed:
Your server will now be reachable via the assigned public IP (e.g., 104.234.6.128).
You can ping the VXLAN private IP (e.g., 172.18.128.2) to verify connectivity.
The server latency depends on the Anycast region and distance from your users.
You can verify that the tunnel was created by running:
You can find the VXLAN tunnel ID in your setup script, in my case the command is:
ip -s link show vxlan_47
If you see anything bigger than 0 in the errors or dropped column, you might have a firewall, either on your hosting provider's side or on the server itself. You will need t make sure your port is open to accept connection.
Originally I have the Ragnarok server running on: 108.61.149.182:6900
After running the setup script, the players can now connect using: 104.234.6.128:6900
As you can see, only the IP changes — the service port remains the same. Only the address needs to be updated.
And that's it, your VXLAN tunnel is now fully operational. Congratulations! You can now run your server with confidence, knowing that it's protected by TCPShield.
If you encounter any issues during setup or operation, please refer to our for troubleshooting tips and common pitfalls.
