Nym VPN is a decentralized VPN (dVPN) with Mixnet capabilities. It uses cryptocurrency incentives to allow of decentralized VPN experience. The Mixnet has 5 hops per connection and mixes traffic with other nodes. Mixnets also provide cover traffic to ensure consistent packet sizes. This enhances anti-AI detection from network traffic. I am not an expert, please read more here: Noise Generating Mixnet I Nym
Nym does not offer wireguard configuration files by default, so the VPN APP is required to use Nym. To take advantage of mixnet, follow this guide below:
-
Create standalone VM. Use Debian for template (preferably Trixie). Check off box for
provides network -
Install Nym VPN:
Follow the instructions from the official site.
i.wget https://apt.nymtech.net/pool/main/n/nym-repo-setup/nym-repo-setup_[VERSIONNUMBER]_amd64.deb -O /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
ii.sudo dpkg -i /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
iii.sudo apt install nym-vpn -
Dns handling:
i. Create script:sudo nano /usr/local/bin/nym-dns.sh
ii. Insert the following into script:
#! /usr/bin/env bash
update_dns() {
nym_on=$([[ $(grep -v -c "nameserver \+10.139" /etc/resolv.conf) -gt 0 ]] && echo 1 || echo 0)
if [[ $nym_on -eq 1 ]]; then
echo "Nym is on"
nym_dns_ip=$(grep "nameserver" < /etc/resolv.conf | awk '{print $2}' | head -n 1)
sudo nft flush chain ip qubes dnat-dns
sudo nft add rule ip qubes dnat-dns meta l4proto {tcp, udp} ip daddr {10.139.1.1, 10.139.1.2} th dport 53 dnat to "$nym_dns_ip"
else
echo "Nym is off"
nameserver_ips=$(grep "nameserver" < /etc/resolv.conf | awk '{print $2}')
sudo nft flush chain ip qubes dnat-dns
for ip in $nameserver_ips; do
sudo nft add rule ip qubes dnat-dns ip daddr "$ip" udp dport 53 dnat to "$ip"
sudo nft add rule ip qubes dnat-dns ip daddr "$ip" tcp dport 53 dnat to "$ip"
done
fi
}
update_dns
inotifywait -m -q -e close_write /etc/resolv.conf | while read -r; do
update_dns
done
- Make script executable:
sudo chmod +x /usr/local/bin/nym-dns.sh - Run script at boot:
echo "/usr/local/bin/nym-dns.sh &" | sudo tee -a /rw/config/rc.local - MTU issues and killswitch:
i. Check app for killswitch setting
ii. disable ipv6
iii. add the following rule:sudo nano /rw/config/rc.local
#!/bin/sh
/usr/sbin/nft flush chain qubes dnat-dns
/usr/sbin/nft add rule ip qubes dnat-dns meta l4proto {tcp, udp} ip daddr {10.139.1.1, 10.139.1.2} th dport 53 dnat to 1.1.1.1
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
- Make script executable if not already:
sudo chmod +x /rw/config/rc.local
EDIT: the mixnet is quite slow so be patient. If you are in a censored country, double vpn with QUIC setting turned on should work.