Hey there, welcome to the Nomad Documentation! 🌟 Nomad is like your best buddy for setting up a secure and low-latency VPN server. But that’s not all—you can also use it in a bunch of other creative ways. Let’s dive in together and see what makes Nomad awesome! 🚀
Here’s a quick list of what Nomad can do for you:
- Server Setup: Automates the configuration of two servers—one inside the network (internal) and one outside (external).
- OS Hardening: Implements solid security practices to keep your operating system safe and sound.
- SSH Hardening: Locks down SSH settings for better security.
- Firewall Configuration: Sets up firewall rules to protect servers and secure network traffic.
- Xray Core: Installs and configures the Xray core for advanced VPN capabilities.
- 3x-UI Panel Installation: Makes VPN management a breeze with the 3x-UI panel.
- Tunnel Configuration: Sets up a VPN tunnel using supported methods to optimize performance.
- Tunneling between 2 servers:
- EasyTier
- SIT (6to4)
- IP6GRE
- Xray Core
- 3x-UI
Alright, let’s roll and get started with Nomad! 🛠️
We recommend changing the default SSH port for better security when setting up your servers.
To change the SSH port, connect to your server and run the following command:
sed -i 's/#Port 22/Port 3122/g' /etc/ssh/sshd_config && systemctl restart sshdThis one-liner will update the SSH configuration to use port 3122 and restart the SSH service to apply the changes.
Note
Make sure to update your firewall rules to allow the new SSH port before running this command, so you don't accidentally lock yourself out.
By default, the firewall blocks all traffic except the ports and IP ranges you specify in inventory/group_vars/all/preparing.yml. Wanna open or close a port? Easy, just edit the firewall_config section like this:
# firewall configuration
firewall_config:
network_adapter_access:
- lo
tcp_port_access:
- 8084
- 8082
udp_port_access:
- 8084
- 8082
trusted_range:
- 10.44.44.0/24
- "{{ hostvars['external-network'].ansible_host }}/32"
- "{{ hostvars['internal-network'].ansible_host }}/32"After editing, run the following command to update the firewall rules:
ansible-playbook -i inventory/hosts.yml vpn.yml --tags firewallHeads up! Tunneling needs two servers—one in the internal network and one in the external network. Let’s set up EasyTier with the reverse tunneling method, which we recommend.
If you’re using 3x-UI, you’ll need to configure the .env file first:
cp .env.example .env
<your-favorite-editor> .envExport variables in your current shell
set -o allexport
source .env
set +o allexportSet your username and password for 3x-UI. If you’re not using it, skip this step.
Tell Ansible where to work by creating the hosts.yml file:
all:
hosts:
internal-network:
ansible_host: <your-internal-server-ip>
ansible_port: 3122
ansible_user: root
external-network:
ansible_host: <your-external-server-ip>
ansible_port: 3122
ansible_user: rootEdit the following files to match your requirements:
<your-favorite-editor> inventory/group_vars/all/all.yml
<your-favorite-editor> inventory/group_vars/all/ip6gre.yml
<your-favorite-editor> inventory/group_vars/all/sit.yml
<your-favorite-editor> inventory/group_vars/all/preparing.yml
<your-favorite-editor> inventory/group_vars/all/easytier.yml
<your-favorite-editor> inventory/group_vars/all/xray.yml
<your-favorite-editor> inventory/group_vars/all/xui.ymlSet enable_easytier to true in all.yml:
## Set to true to enable the EasyTier service
enable_easytier: trueBy default tunneling method is reversed in easytier.yml
## Tunneling
easytier_reverse: trueThen configure EasyTier in easytier.yml. For example:
easytier_multithread: trueFor optimal performance, keep multithreading enabled (it reduces ping by spreading tasks across multiple threads).
Generate a new secret using:
openssl rand -hex 6Replace the default secret with your custom one in easytier.yml.
You’re ready! Execute this command:
ansible-playbook -i inventory/hosts.yml vpn.ymlNomad will handle OS hardening, kernel optimization, and firewall configuration. Errors? No worries, read the error message and rerun the command. 😂
Verify the setup:
systemctl status easytierip addrExpected output:
3: easytier: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1380 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.44.44.1/24 scope global easytier
valid_lft forever preferred_lft foreverIf you’re skipping tunneling, use a single server:
all:
hosts:
vpn:
ansible_host: <server-ip>
ansible_port: 3122
ansible_user: rootWarning
Xray is supported only on x86_64 or amd64 architectures.
For installing Xray Core:
- Set
enable_xraytotrueinall.yml:
enable_xray: true- Use the default config or replace it with your custom Xray config:
Warning
The name of config files for internal-network must be: internal.json for external-network: external.json
For one server only use default.json
cp /path/internal.json roles/xray/files/internal.json
cp /path/external.json roles/xray/files/external.jsonRun the playbook:
ansible-playbook -i inventory/hosts.yml vpn.ymlVerify:
systemctl status xrayss -tulpnYou’ll need to configure the .env file first:
cp .env.example .env
<your-favorite-editor> .envExport variables in your current shell
set -o allexport
source .env
set +o allexportEnable 3x-UI by setting enable_xui to true in all.yml:
enable_xui: trueConfigure options in xui.yml. Default settings:
xui_listen: 127.0.0.1
xui_port: 2053
xui_web_path: /Warning
For the security reasons, we blocked all public traffic to panels
After installation, access the panel by creating an SSH tunnel:
ssh -L 8080:127.0.0.1:2053 user@ipNote
To be able to do SSH port forwarding, you must allow tcp forwarding AllowTcpForwarding yes in /etc/ssh/sshd_config
By default we enabled it in the preparing tasks
Then open in your browser:
http://localhost:8080