1. Server
Install the control-plane API and UDP discovery edge on Ubuntu.
Installation guide
This page explains the practical flow for installing VeloraMesh v1.0.0-rc1 packages, starting services, joining a network, and verifying the tunnel.
The packaged defaults are api.veloramesh.com:2053 and edge.veloramesh.com:3478. Replace domains and ports during setup for self-hosted deployments.
Install the control-plane API and UDP discovery edge on Ubuntu.
Create a network name and join secret with the local server manager.
Join Windows, macOS, Linux, and Android clients to the same network.
Check peers, doctor output, ping, RDP, and LAN discovery.
Self-hosted deployment model
Use one Ubuntu host for lab installs, or split API and edge across hosts for hardened self-hosting.
The edge does not carry user data, is not a relay, and must not store sensitive network state.
The installer menu All-in-one option runs the API and UDP discovery edge services on one Ubuntu server. This is the fastest starting point for testing and personal use.
Run API-only on the API machine and Edge-only on the edge machine. The edge remains DNS-only while the API origin can be better protected.
API runs behind Cloudflare/WAF or a similar proxy, while edge runs on an isolated VPS with only the selected UDP discovery port exposed.
The v1.0.0-rc1 server package supports all-in-one, API-only, and Edge-only install roles. Lab deployments can run both systemd services on the same Ubuntu host; hardened deployments copy the edge ticket key to a separate edge machine.
https://api.example.com:2053
Manages networks, devices, memberships, policies, sessions, membership tickets, and peer lists.
edge.example.com:3478/udp
Observes client public UDP endpoints. It carries no DB, admin endpoint, join secret, or peer list.
| Record | Proxy | Reason |
|---|---|---|
| www / apex site | Proxied | The product site is normal HTTPS traffic and can use cache, WAF, and TLS protection. |
| api.example.com | Proxied or controlled DNS-only | The control plane is HTTPS. Proxy mode should be enabled only after TLS/SPKI and client behavior are tested. |
| edge.example.com | DNS-only | UDP discovery does not pass through the normal Cloudflare HTTP proxy. Use a separate VPS/IP for higher security. |
RC status
After installation, the OS firewall and any cloud provider security group must expose the same ports. If API and edge are split, do not open unnecessary ports on the other host.
For lab installs on one host, open the selected API TCP port and selected edge UDP port. The values below are packaged default examples.
sudo ufw allow 2053/tcp comment "VeloraMesh API"
sudo ufw allow 3478/udp comment "VeloraMesh edge discovery"
sudo ufw status numbered
On RHEL, CentOS, or Fedora based systems, define the same allowlist with permanent firewalld rules.
sudo firewall-cmd --permanent --add-port=2053/tcp
sudo firewall-cmd --permanent --add-port=3478/udp
sudo firewall-cmd --reload
If your VPS panel or cloud provider has a security group, open the same ports there too. In split deployments, each host should expose only its own required port.
API host: allow inbound TCP 2053
Edge host: allow inbound UDP 3478
Admin SSH: restrict TCP 22 to your IP
The server package is one package with three install roles: all-in-one, API-only, and Edge-only. Lab setups may run API and edge on one Ubuntu host; high-security deployments should run the API and UDP discovery edge on separate machines.
unzip -o veloramesh-v1.0.0-rc1-linux-amd64-server.zip -d veloramesh-server
cd veloramesh-server
sudo bash ./manage-veloramesh-server.sh
# API host
sudo bash ./manage-veloramesh-server.sh --setup --role api
sudo install -m 0600 -o "$USER" -g "$USER" /var/lib/veloramesh/edge-ticket.key ./edge-ticket.key
scp ./edge-ticket.key user@edge-host:/tmp/edge-ticket.key
# Edge host
# If prompted: Edge ticket key source path = /tmp/edge-ticket.key
sudo bash ./manage-veloramesh-server.sh --setup --role edge
sudo rm -f /tmp/edge-ticket.key
sudo ufw allow 2053/tcp comment "VeloraMesh API"
sudo ufw allow 3478/udp comment "VeloraMesh edge discovery"
sudo ufw status numbered
/opt/veloramesh/veloramesh-server version
/opt/veloramesh/veloramesh-edge version
sudo systemctl status veloramesh-server --no-pager
sudo systemctl status veloramesh-edge --no-pager
sudo ss -ltnp | grep ":2053"
sudo ss -lunp | grep ":3478"
getent hosts edge.example.com
curl -i https://api.example.com:2053/v1/me
sudo bash ./manage-veloramesh-server.sh --fresh
Extract the package that matches the device CPU architecture: Windows x86_64 or Windows ARM64. Use an elevated PowerShell session and answer yes to the background service prompt if the tunnel must run before user login.
Install
cd "C:\Path\To\veloramesh-v1.0.0-rc1-windows-<amd64-or-arm64>-client"
powershell -NoProfile -ExecutionPolicy Bypass -File .\install-windows-client.ps1
Verify
$Client = "C:\Program Files\VeloraMesh\veloramesh-client.exe"
$Config = "C:\ProgramData\VeloraMesh\client.json"
& $Client network status -config $Config
& $Client network peers -config $Config
& $Client doctor -config $Config -network "network-name"
Clear quarantine, make the files executable, and let the guided installer create the LaunchDaemon.
Install
cd ~/Desktop/veloramesh || exit
xattr -dr com.apple.quarantine .
chmod +x ./veloramesh-client ./install-macos-client.sh
sudo bash ./install-macos-client.sh --source-client ./veloramesh-client
Verify
sudo launchctl print system/com.veloramesh.client
sudo tail -n 80 /var/log/veloramesh-client.log
sudo /opt/veloramesh/veloramesh-client doctor -config "/Library/Application Support/VeloraMesh/client.json" -network "network-name"
The Linux client runs through TUN and systemd. Use linux-amd64-client on x86_64 systems and linux-arm64-client on ARM64 devices. The guided installer asks for API host/port, network name, join secret, and edge host/port as separate fields.
Install
unzip -o veloramesh-v1.0.0-rc1-linux-amd64-client.zip -d veloramesh-client
cd veloramesh-client
chmod +x ./veloramesh-client ./install-linux-client.sh
sudo bash ./install-linux-client.sh --source-client ./veloramesh-client
Verify
sudo systemctl status veloramesh-client --no-pager
sudo journalctl -u veloramesh-client -n 80 --no-pager
sudo /opt/veloramesh/veloramesh-client doctor -config /etc/veloramesh/client.json -network "network-name"
Install the APK, enter API host/port, network name, join secret, and edge host/port. Trust the server identity, join the network, then prepare the VPN.
Install
API host/domain: api.example.com
API HTTPS port: 2053
Network name: your-network
Edge discovery host/domain: edge.example.com
Edge UDP port: 3478
Join secret: the secret from the server operator
Verify
Confirm the virtual IP in the app.
Check the notification peer count.
Ping or RDP to a Windows/Mac/Linux peer private IP.
sudo bash ./manage-veloramesh-server.sh
/opt/veloramesh/veloramesh-server admin --env /etc/veloramesh/veloramesh.env networks show -network network-name
/opt/veloramesh/veloramesh-server admin --env /etc/veloramesh/veloramesh.env networks rotate-secret -network network-name
/opt/veloramesh/veloramesh-server admin --env /etc/veloramesh/veloramesh.env networks broadcast -network network-name -mode all
/opt/veloramesh/veloramesh-server admin --env /etc/veloramesh/veloramesh.env networks underlay -network network-name -mode ipv4-only
The join secret may be wrong, membership may have been removed, or the device must rejoin the network. Stealth mode returns some unauthorized cases as silent 404.
A valid client request was repeated too quickly. Wait briefly and retry; unauthorized or proof-invalid requests receive a silent 404 instead of 429 for privacy.
Check the veloramesh-edge service, selected UDP listener, UFW/cloud firewall rule, and that the edge domain resolves DNS-only to the correct IP.
The Windows package was not extracted fully. wintun.dll must be beside veloramesh-client.exe.
The package may be quarantined. Enter the package directory first, then clear quarantine and make the files executable.
cd ~/Desktop/veloramesh || exit
xattr -dr com.apple.quarantine .
chmod +x ./veloramesh-client ./install-macos-client.sh
Windows ICMP firewall may be closed. Test real services such as RDP or HTTP as well.
If server broadcast mode is filtered, some discovery flows may not show. In trusted game rooms, try mode all.