{"id":22927446,"url":"https://github.com/0xafz/nomad","last_synced_at":"2026-06-19T06:32:55.297Z","repository":{"id":266869352,"uuid":"899595100","full_name":"0xAFz/nomad","owner":"0xAFz","description":"Low Latency VPN Setup Automation","archived":false,"fork":false,"pushed_at":"2025-03-29T21:19:13.000Z","size":2227,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-29T22:24:18.216Z","etag":null,"topics":["ansible","bash"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xAFz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-06T15:38:14.000Z","updated_at":"2025-03-29T21:19:17.000Z","dependencies_parsed_at":"2024-12-06T17:22:46.000Z","dependency_job_id":"6cca6871-eea9-4f8e-b3ba-7af8ec57c542","html_url":"https://github.com/0xAFz/nomad","commit_stats":null,"previous_names":["0xafz/nomad"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xAFz%2Fnomad","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xAFz%2Fnomad/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xAFz%2Fnomad/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xAFz%2Fnomad/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xAFz","download_url":"https://codeload.github.com/0xAFz/nomad/tar.gz/refs/heads/main","host":{"name":"Gi
tHub","url":"https://github.com","kind":"github","repositories_count":246666663,"owners_count":20814546,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","bash"],"created_at":"2024-12-14T09:14:34.653Z","updated_at":"2025-04-01T15:43:14.596Z","avatar_url":"https://github.com/0xAFz.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Nomad\n\nHey there, welcome to the **Nomad Documentation**! 🌟 Nomad is like your best buddy for setting up a secure and low-latency VPN server. But that’s not all—you can also use it in a bunch of other creative ways. Let’s dive in together and see what makes Nomad awesome! 🚀\n\n---\n\n### Key Features:\n\nHere’s a quick list of what Nomad can do for you:\n\n- **Server Setup:** Automates the configuration of two servers—one inside the network (internal) and one outside (external).\n- **SSH Hardening:** Locks down SSH settings for better security.\n- **Firewall Configuration:** Sets up firewall rules to protect servers and secure network traffic.\n- **Xray Core:** Installs and configures the Xray core for advanced VPN capabilities.\n- **Tunnel Configuration:** Sets up a VPN tunnel using supported methods to optimize performance.\n\n---\n\n### Supported Methods:\n- **Tunneling between 2 servers:**\n  - EasyTier\n  - SIT (6to4)\n- **Xray Core**\n\nAlright, let’s roll and get started with Nomad! 🛠️\n\n---\n\n### SSH Port Configuration  \nWe recommend changing the default SSH port for better security when setting up your servers.  
\n\nTo change the SSH port, connect to your server and run the following command:  \n\n```bash\nsed -i 's/#Port 22/Port 3122/g' /etc/ssh/sshd_config \u0026\u0026 systemctl restart sshd\n```  \n\nThis one-liner will update the SSH configuration to use port `3122` and restart the SSH service to apply the changes.  \n\n\u003e [!NOTE]\n\u003e Make sure to update your firewall rules to allow the new SSH port before running this command, so you don't accidentally lock yourself out.  \n\n---\n\n## Firewall Configuration\n\nBy default, the firewall blocks all traffic except the ports and IP ranges you specify in `inventory/group_vars/all/firewall.yml`. Wanna open or close a port? Easy, just edit the `firewall_config` section like this:\n\n```yml\n# firewall configuration\nfirewall_config:\n  network_adapter_access:\n    - lo\n  tcp_port_access:\n    - 80\n    - 443\n  udp_port_access:\n    - 8082\n    - 8084\n  trusted_range:\n    - 10.44.44.0/24\n    - \"{{ hostvars['external-network'].ansible_host }}/32\"\n    - \"{{ hostvars['internal-network'].ansible_host }}/32\"\n```\n\nAfter editing, run the following command to update the firewall rules:\n\n```bash\nansible-playbook -i inventory/hosts.yml vpn.yml --tags nftables\n```\n\n---\n\n## Tunneling\n\n### EasyTier\n\n**Heads up!** Tunneling needs two servers—one in the internal network and one in the external network. 
Let’s set up EasyTier with the reverse tunneling method, which we recommend.\n\n#### Step 1: Create the Inventory File\n\nTell Ansible where to work by creating the `hosts.yml` file:\n\n```yml\nall:\n  hosts:\n    internal-network:\n      ansible_host: \u003cyour-internal-server-ip\u003e\n      ansible_port: 3122\n      ansible_user: root\n    external-network:\n      ansible_host: \u003cyour-external-server-ip\u003e\n      ansible_port: 3122\n      ansible_user: root\n```\n\n#### Step 3: Update the Config Files\n\nEdit the following files to match your requirements:\n\n```bash\n\u003cyour-favorite-editor\u003e inventory/group_vars/all/*.yml\n```\n\n#### Step 4: Enable EasyTier\n\nSet `enable_easytier` to `true` in `all.yml`:\n\n```yml\n## Set to true to enable the EasyTier service\nenable_easytier: true\n```\n\nBy default, the tunneling method is set to reverse in `easytier.yml`:\n\n```yml\n## Tunneling\neasytier_reverse: true\n```\n\nThen configure EasyTier in `easytier.yml`. For example:\n\n```yml\neasytier_multithread: true\n```\n\nFor optimal performance, keep multithreading enabled (it reduces ping by spreading tasks across multiple threads).\n\n#### Step 5: Set a Network Secret\n\nGenerate a new secret using:\n\n```bash\nopenssl rand -hex 6\n```\n\nReplace the default secret with your custom one in `easytier.yml`.\n\n#### Step 6: Run the Playbook\n\nYou’re ready! Execute this command:\n\n```bash\nansible-playbook -i inventory/hosts.yml vpn.yml\n```\n\nNomad will handle OS hardening, kernel optimization, and firewall configuration. Errors? No worries, read the error message and rerun the command. 
😂\n\nVerify the setup:\n\n```bash\nsystemctl status easytier\n```\n\n```bash\nip addr\n```\n\nExpected output:\n\n```bash\n3: easytier: \u003cPOINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP\u003e mtu 1380 qdisc fq_codel state UNKNOWN group default qlen 500\n    link/none \n    inet 10.44.44.1/24 scope global easytier\n       valid_lft forever preferred_lft forever\n```\n\n---\n\n## Without Tunneling Inventory\n\nIf you’re skipping tunneling, use a single server:\n\n```yml\nall:\n  hosts:\n    vpn:\n      ansible_host: \u003cserver-ip\u003e\n      ansible_port: 3122\n      ansible_user: root\n```\n\n---\n\n## Xray Core\n\n\u003e [!WARNING]\n\u003e Xray is supported only on x86_64 or amd64 architectures.\n\nTo install Xray Core:\n\n1. Set `enable_xray` to `true` in `all.yml`:\n\n```yml\nenable_xray: true\n```\n\n2. Use the default config or replace it with your custom Xray config:\n\n\u003e [!WARNING]\n\u003e The config file must be named `internal.json` for internal-network and `external.json` for external-network.\n\u003e For a single server, use `default.json`.\n\n```bash\ncp /path/internal.json roles/xray/files/internal.json\ncp /path/external.json roles/xray/files/external.json\n```\n\nRun the playbook:\n\n```bash\nansible-playbook -i inventory/hosts.yml vpn.yml\n```\n\nVerify:\n\n```bash\nsystemctl status xray\n```\n\n```bash\nss -tulpn\n```\n\n---\n\n# Credits\n\n- [EasyTier](https://github.com/EasyTier/EasyTier)\n- [Xray](https://github.com/XTLS/Xray-core)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xafz%2Fnomad","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xafz%2Fnomad","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xafz%2Fnomad/lists"}