
Shield Tunnel: IPIP DDoS protection for external servers

Protect a server hosted elsewhere by tunneling its traffic through WingNode Shield — a simple IPIP setup with real-time DDoS filtering.

Shield Tunnel extends WingNode DDoS protection to servers hosted on other providers (your own box, a cloud VM, a dedicated server). Traffic arrives at a WingNode protected IP, is filtered, and is then forwarded to your origin over an IPIP tunnel.

When to use it

  • Your game server is on a provider without adequate DDoS mitigation.
  • You want one protected IP in front of multiple backend machines.
  • You need the same protected-IP endpoint to persist while you migrate hosts.

How it works

  1. We assign you a WingNode protected IP.
  2. You configure an IPIP tunnel on your origin to our endpoint.
  3. Player connections arrive at the protected IP, pass through the filter and emerge at your origin via the tunnel.
  4. Outbound traffic returns through the same tunnel (or, optionally, over an asymmetric path).

Setup on Linux (summary)

    ip tunnel add tun0 mode ipip remote <wn-endpoint> local <your-ip> ttl 255
    ip link set tun0 up
    ip addr add 10.x.x.2/30 dev tun0
    ip route add <protected-ip> via 10.x.x.1

We send exact values and a setup script tailored to your OS (Ubuntu, Debian, AlmaLinux, CentOS) when the tunnel is provisioned.
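
Once the commands have run, a mismatched remote or local address leaves the tunnel up but carrying no traffic, so it is worth comparing the kernel's view with the values you were sent. The check below is an added example, not WingNode's setup script; the function name `check_tunnel` and the documentation-range addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare `ip tunnel show` output with your provisioned values.
# Addresses are constructed (documentation ranges), not real WingNode values.

# check_tunnel <ip-tunnel-show-line> <expected-remote> <expected-local>
# Prints one line per mismatch; returns 0 only if everything matches.
check_tunnel() {
    line=$1 want_remote=$2 want_local=$3
    mode='' remote='' local_ip='' ttl='' rc=0
    # Expected shape: "tun0: ip/ip remote R local L ttl 255"
    set -f; set -- $line; set +f    # split on whitespace, no globbing
    if [ $# -ge 2 ]; then mode=$2; fi
    while [ $# -gt 0 ]; do
        case $1 in
            remote) remote=${2:-} ;;
            local)  local_ip=${2:-} ;;
            ttl)    ttl=${2:-} ;;
        esac
        shift
    done
    [ "$mode" = "ip/ip" ] ||
        { echo "mode is '$mode', expected ip/ip (IPIP)"; rc=1; }
    [ "$remote" = "$want_remote" ] ||
        { echo "remote is '$remote', expected $want_remote"; rc=1; }
    [ "$local_ip" = "$want_local" ] ||
        { echo "local is '$local_ip', expected $want_local"; rc=1; }
    [ "$ttl" = "255" ] ||
        { echo "ttl is '$ttl', expected 255"; rc=1; }
    return $rc
}

# Constructed sample lines in the format printed by `ip tunnel show tun0`.
SAMPLE_OK='tun0: ip/ip remote 198.51.100.1 local 203.0.113.10 ttl 255'
SAMPLE_BAD='tun0: ip/ip remote 198.51.100.99 local 203.0.113.10 ttl inherit'

# On a live origin, pass the real output and your provisioned values instead:
#   check_tunnel "$(ip tunnel show tun0)" <wn-endpoint> <your-ip>
check_tunnel "$SAMPLE_OK" 198.51.100.1 203.0.113.10 &&
    echo "tunnel matches provisioned values"
```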

Latency

Expect +3–8 ms over direct — the hop adds minimal overhead. Still far faster than sitting through a DDoS outage.