Nym VPN Mixnet Guide (GUI)

Nym VPN is a decentralized VPN (dVPN) with Mixnet capabilities. It uses cryptocurrency incentives to allow a decentralized VPN experience. The Mixnet has 5 hops per connection and mixes traffic with other nodes. Mixnets also provide cover traffic to ensure consistent packet sizes. This enhances anti-AI detection from network traffic. I am not an expert, please read more here: Noise Generating Mixnet | Nym

Nym does not offer WireGuard configuration files by default, so the VPN app is required to use Nym. To take advantage of the mixnet, follow the guide below:

  1. Create a standalone VM. Use Debian for the template (preferably Trixie). Check the box for "provides network".

  2. Install Nym VPN:
    Follow the instructions from the official site.
    i. wget https://apt.nymtech.net/pool/main/n/nym-repo-setup/nym-repo-setup_[VERSIONNUMBER]_amd64.deb -O /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
    ii. sudo dpkg -i /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
    iii. sudo apt install nym-vpn

  3. DNS handling:
    i. Create the script: sudo nano /usr/local/bin/nym-dns.sh
    ii. Insert the following into the script:

```bash
#!/usr/bin/env bash
# Rewrites the Qubes dnat-dns chain whenever /etc/resolv.conf changes, so that
# qubes behind this VM resolve names through the Nym tunnel while the VPN is
# up, and through the normal Qubes resolvers while it is down.
# Requires inotify-tools (inotifywait) and nftables.

update_dns() {
  # Nym is considered "on" when any nameserver line points somewhere other
  # than the Qubes 10.139.x.x resolvers. Only nameserver lines are checked,
  # so comment or "options" lines cannot trigger a false positive.
  nym_on=$([[ $(grep "^nameserver" /etc/resolv.conf | grep -v -c "nameserver \+10\.139\.") -gt 0 ]] && echo 1 || echo 0)

  if [[ $nym_on -eq 1 ]]; then
    echo "Nym is on"
    # The first resolver in resolv.conf is the one the Nym client installed
    nym_dns_ip=$(grep "nameserver" < /etc/resolv.conf | awk '{print $2}' | head -n 1)

    # Send DNS aimed at the Qubes resolver addresses (what downstream qubes
    # use) to the tunnel resolver instead. Set expressions are quoted so the
    # shell passes them to nft untouched.
    sudo nft flush chain ip qubes dnat-dns
    sudo nft add rule ip qubes dnat-dns meta l4proto '{ tcp, udp }' ip daddr '{ 10.139.1.1, 10.139.1.2 }' th dport 53 dnat to "$nym_dns_ip"
  else
    echo "Nym is off"
    # Restore the Qubes default: forward each resolver address to itself
    nameserver_ips=$(grep "nameserver" < /etc/resolv.conf | awk '{print $2}')
    sudo nft flush chain ip qubes dnat-dns

    for ip in $nameserver_ips; do
      sudo nft add rule ip qubes dnat-dns ip daddr "$ip" udp dport 53 dnat to "$ip"
      sudo nft add rule ip qubes dnat-dns ip daddr "$ip" tcp dport 53 dnat to "$ip"
    done
  fi
}

# Apply once at start, then re-apply on every write to resolv.conf.
# Note: inotifywait watches the inode, so a tool that replaces the file by
# rename (new inode) would stop the events; watching /etc for moved_to of
# resolv.conf would cover that case.
update_dns
inotifywait -m -q -e close_write /etc/resolv.conf | while read -r; do
  update_dns
done
```
  4. Make the script executable: sudo chmod +x /usr/local/bin/nym-dns.sh
  5. Run the script at boot: echo "/usr/local/bin/nym-dns.sh &" | sudo tee -a /rw/config/rc.local
  6. MTU issues and killswitch:
    i. Check the app for the killswitch setting
    ii. Disable IPv6
    iii. Add the following rules: sudo nano /rw/config/rc.local
```sh
#!/bin/sh

# DNS: until nym-dns.sh rewrites this chain, forward DNS for the Qubes
# resolver addresses to 1.1.1.1. With the drop rules below, that traffic can
# only leave through the VPN tunnel.
/usr/sbin/nft flush chain ip qubes dnat-dns
/usr/sbin/nft add rule ip qubes dnat-dns meta l4proto '{ tcp, udp }' ip daddr '{ 10.139.1.1, 10.139.1.2 }' th dport 53 dnat to 1.1.1.1

# Killswitch: drop any forwarded traffic (IPv4 and IPv6) that would leave via
# eth0, i.e. bypass the tunnel. Downstream qubes then only reach the internet
# while the Nym tunnel interface is up. This covers forwarded traffic only;
# the app's killswitch setting (step i) is for this VM's own traffic.
/usr/sbin/nft add rule ip qubes custom-forward oifname eth0 counter drop
/usr/sbin/nft add rule ip6 qubes custom-forward oifname eth0 counter drop

# MTU: clamp the TCP MSS of forwarded SYNs to the path MTU so that large
# packets are not black-holed by the smaller tunnel MTU.
/usr/sbin/nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
```
  7. Make the script executable if not already: sudo chmod +x /rw/config/rc.local

EDIT: the mixnet is quite slow, so be patient. If you are in a censored country, double VPN with the QUIC setting turned on should work.

3 Likes
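As an added example that is not part of the original post (nor Nym's or Qubes' own code), the following shell functions replay the decision logic of the nym-dns.sh script above against resolv.conf text read on stdin and render the nftables rules it would install, without touching the live ruleset. That lets you review what the script will do as root before enabling it. The two resolv.conf samples are constructed, and 10.64.0.1 is a placeholder for whatever resolver the Nym client installs; the "on" check looks only at nameserver lines, which is slightly stricter than the grep in the post.

```shell
#!/bin/sh
# Added example (not from the original post): replays the nym-dns.sh
# decision logic against resolv.conf text on stdin and renders the nft
# rules it would install, so they can be reviewed before the script runs
# as root. Nothing here touches the live ruleset. Samples are constructed.

# resolv.conf as Qubes writes it in an AppVM (constructed sample)
SAMPLE_QUBES='nameserver 10.139.1.1
nameserver 10.139.1.2'

# resolv.conf after the Nym client has pointed DNS at its tunnel resolver
# (constructed sample; 10.64.0.1 is a placeholder address)
SAMPLE_NYM='# written by the VPN client
nameserver 10.64.0.1'

# Print "on" if any nameserver line points somewhere other than the Qubes
# 10.139.x.x resolvers, otherwise "off". Only nameserver lines are inspected,
# so comments or "options" lines cannot cause a false "on".
nym_state() {
  if grep -E '^nameserver[[:space:]]+' | grep -qvE '^nameserver[[:space:]]+10\.139\.'; then
    echo on
  else
    echo off
  fi
}

# Print every nameserver address from resolv.conf text on stdin, one per line.
nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# Render the rules nym-dns.sh would add to the qubes dnat-dns chain after
# flushing it, for the resolv.conf text on stdin. Output is nft command
# syntax, one rule per line, suitable for `nft -f -` on the VM.
render_dnat_rules() {
  content=$(cat)
  state=$(printf '%s\n' "$content" | nym_state)
  if [ "$state" = on ]; then
    # Nym on: send DNS aimed at the Qubes resolver addresses (what downstream
    # qubes use) to the tunnel resolver so lookups do not leak via eth0.
    dns=$(printf '%s\n' "$content" | nameservers | head -n 1)
    printf 'add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to %s\n' "$dns"
  else
    # Nym off: the Qubes default, each resolver address forwarded to itself.
    for ip in $(printf '%s\n' "$content" | nameservers); do
      printf 'add rule ip qubes dnat-dns ip daddr %s udp dport 53 dnat to %s\n' "$ip" "$ip"
      printf 'add rule ip qubes dnat-dns ip daddr %s tcp dport 53 dnat to %s\n' "$ip" "$ip"
    done
  fi
}

# `sh this-script.sh demo` prints the state and rendering for both samples.
if [ "${1-}" = demo ]; then
  for sample in "$SAMPLE_QUBES" "$SAMPLE_NYM"; do
    printf '%s\n' "$sample" | nym_state
    printf '%s\n' "$sample" | render_dnat_rules
    echo
  done
fi
```

On the VM itself you can feed the real file through the same functions (`render_dnat_rules < /etc/resolv.conf`) and compare the output with `nft list chain ip qubes dnat-dns` after the script has run; a mismatch means the watcher did not fire or the chain was overwritten by something else, such as the rules in rc.local.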

For all the people excited by “Swiss-made security tools”, it’s worth mentioning this:

And as people on this forum argue that “QubesOS {is,can be} a Honeypot” … well, the exact same goes for Nym.

It could be a honeypot, just as anything can. If you are interested, the code is open source for both running a node and a client. Most nodes are run by businesses running web3 infrastructure. The founder has an interesting background.

I am just the messenger

Don’t take it personally! I tried to show some healthy doubt, while “liking” your original post. “Critical thinking” is good in InfoSec.

2 Likes

I wonder if anyone has tried to route this inside Tor yet? And what the result was.

1 Like

No offense taken!

Always great questions to ask. I often see these types of posts on the Qubes forums.

1 Like