demos second pass
@@ -195,7 +195,7 @@ export function EnsDemo() {
|
||||
<div style={legend}>ENS lookup</div>
|
||||
<div style={row}>
|
||||
<Button onClick={verifyIp} disabled={!connected || busy}>Verify IP routing</Button>
|
||||
<span style={sub}>Confirm traffic exits through Nym before resolving.</span>
|
||||
<span style={sub}>Confirms traffic exits through Nym. The comparison makes one direct (clearnet) call to ipinfo.io, so you will see a single ipinfo.io row in the Network tab.</span>
|
||||
</div>
|
||||
|
||||
<div style={row}>
|
||||
|
||||
@@ -292,6 +292,7 @@ export function RailgunDemo() {
|
||||
<Button onClick={verifyIp} disabled={!connected || busy}>Verify IP routing</Button>
|
||||
<span style={sub}>{balance}</span>
|
||||
</div>
|
||||
<div style={sub}>Verify IP makes one direct (clearnet) call to ipinfo.io for the comparison, so you will see a single ipinfo.io row in the Network tab.</div>
|
||||
</div>
|
||||
|
||||
<div style={box}>
|
||||
|
||||
@@ -0,0 +1,50 @@
|
||||
// Shared mixnet glossary for the demo pages, with links to the relevant docs.
|
||||
// Raw <a> inside a React component does not pick up Nextra's MDX link styling,
|
||||
// so the links are styled explicitly via the L helper.
|
||||
import React from 'react';
|
||||
|
||||
function L({ href, children }: { href: string; children: React.ReactNode }) {
|
||||
return (
|
||||
<a href={href} style={{ color: '#3b82f6', textDecoration: 'underline' }}>
|
||||
{children}
|
||||
</a>
|
||||
);
|
||||
}
|
||||
|
||||
export function MixnetGlossary() {
|
||||
return (
|
||||
<ul>
|
||||
<li>
|
||||
<strong>Mixnet.</strong> An overlay network that routes your traffic through several relays
|
||||
and mixes it with other people's, hiding who is talking to whom. Nym operates one. See{' '}
|
||||
<L href="/network/mixnet-mode">mixnet mode</L>.
|
||||
</li>
|
||||
<li>
|
||||
<strong>Entry gateway.</strong> Your first hop into the mixnet. Your browser holds one
|
||||
WebSocket to it; all tunnelled traffic rides that connection as opaque frames. See{' '}
|
||||
<L href="/network/infrastructure/nym-nodes">Nym nodes</L>.
|
||||
</li>
|
||||
<li>
|
||||
<strong>IPR (IP Packet Router), the exit.</strong> The mixnet's exit point onto the normal
|
||||
internet. The RPC node and gateway see the IPR's IP address, never yours. See{' '}
|
||||
<L href="/network/infrastructure/exit-services#ip-packet-router">exit services</L>.
|
||||
</li>
|
||||
<li>
|
||||
<strong>SURB (single-use reply block).</strong> A prepaid, single-use return envelope. It
|
||||
lets the exit send a reply back through the mixnet without learning your address. See{' '}
|
||||
<L href="/network/mixnet-mode/anonymous-replies">anonymous replies</L>.
|
||||
</li>
|
||||
<li>
|
||||
<strong>Cover traffic / Poisson timing.</strong> Decoy packets and randomised send timing.
|
||||
Together they keep your real traffic statistically hard to pick out. See{' '}
|
||||
<L href="/network/mixnet-mode/cover-traffic">cover traffic</L>.
|
||||
</li>
|
||||
<li>
|
||||
<strong>mixFetch.</strong> The{' '}
|
||||
<L href="/developers/mix-fetch"><code>@nymproject/mix-fetch</code></L> package's{' '}
|
||||
<code>fetch()</code>-shaped function. It runs the mixnet client (smolmix) in a Web Worker and
|
||||
sends your request through the mixnet instead of the browser's network stack.
|
||||
</li>
|
||||
</ul>
|
||||
);
|
||||
}
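Review bot: The `L` helper renders a raw `<a>` with root-relative hrefs such as `/network/mixnet-mode`, so every glossary link is a full document navigation rather than a client-side route change. A full reload presumably discards the per-tab tunnel that the demo pages are meant to share, and if the docs site is served under a Next.js `basePath` these hrefs would also skip the prefix. Consider `next/link` with the same inline style, e.g. `<Link href={href} style={{ color: '#3b82f6', textDecoration: 'underline' }}>{children}</Link>`, assuming the Next version in use lets `Link` render the anchor itself. A descriptive name such as `DocLink` would also read better than the single letter `L`.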
|
||||
@@ -0,0 +1,19 @@
|
||||
// Shared "Watch the Network tab" callout, used on the playground and the demo
|
||||
// pages. Generic wording so it reads correctly wherever a single mixnet tunnel
|
||||
// carries the page's traffic.
|
||||
import React from 'react';
|
||||
import { Callout } from 'nextra/components';
|
||||
|
||||
export function NetworkTabCallout() {
|
||||
return (
|
||||
<Callout type="info">
|
||||
<strong>Watch the Network tab.</strong> Open DevTools → Network before you connect. Once the
|
||||
tunnel reports ready, every operation you run here adds <strong>no new request</strong> to that
|
||||
tab: it is multiplexed inside the single WebSocket to the entry gateway. Only the clearnet
|
||||
comparison buttons add rows. (Setup also fetches the network topology over HTTPS and refreshes
|
||||
it periodically, so those nym-api calls and the gateway WebSocket are the only clearnet requests
|
||||
you will see.) Your real traffic never leaves the browser as an identifiable, per-destination
|
||||
request.
|
||||
</Callout>
|
||||
);
|
||||
}
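Review bot: The parenthetical in the callout says the nym-api calls and the gateway WebSocket are "the only clearnet requests you will see", which contradicts the sentence just before it stating that the clearnet comparison buttons add rows. Readers use this text to audit the Network tab, so the wording should be exact, for example `so, apart from the comparison buttons, those nym-api calls and the gateway WebSocket are the only clearnet requests you will see`. The closing sentence ("never leaves the browser as an identifiable, per-destination request") likewise holds only for tunnelled operations, not for the direct comparison calls, and could say so.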
|
||||
@@ -95,30 +95,44 @@ export function MixTunnelSetup({
|
||||
try {
|
||||
const m = mods ?? (await loadMixFetch());
|
||||
if (!mods) setMods(m);
|
||||
await m.setupMixTunnel({
|
||||
...(useRandomIpr ? {} : { preferredIpr: iprAddress.trim() }),
|
||||
clientId,
|
||||
forceTls,
|
||||
disablePoissonTraffic: disablePoisson,
|
||||
disableCoverTraffic: disableCover,
|
||||
openReplySurbs: clampSurbs(openSurbs, 1),
|
||||
dataReplySurbs: clampSurbs(dataSurbs, 0),
|
||||
primaryDns: optStr(primaryDns),
|
||||
fallbackDns: optStr(fallbackDns),
|
||||
dnsTimeoutMs: optInt(dnsTimeout),
|
||||
connectTimeoutMs: optInt(connectTimeout),
|
||||
maxRedirects: optInt(maxRedirects),
|
||||
storagePassphrase: storagePassphrase || undefined,
|
||||
debug,
|
||||
});
|
||||
// One WASM instance per browser tab, shared across demo pages by the
|
||||
// bundler. If another page already brought the tunnel up, reuse it rather
|
||||
// than calling setupMixTunnel again (which throws "already initialised").
|
||||
const existing = await m.getTunnelState().catch(() => null);
|
||||
if (existing && existing.state === 'ready') {
|
||||
log('tunnel', 'Tunnel already up from another page; reusing it (its original options apply).', 'green');
|
||||
} else {
|
||||
await m.setupMixTunnel({
|
||||
...(useRandomIpr ? {} : { preferredIpr: iprAddress.trim() }),
|
||||
clientId,
|
||||
forceTls,
|
||||
disablePoissonTraffic: disablePoisson,
|
||||
disableCoverTraffic: disableCover,
|
||||
openReplySurbs: clampSurbs(openSurbs, 1),
|
||||
dataReplySurbs: clampSurbs(dataSurbs, 0),
|
||||
primaryDns: optStr(primaryDns),
|
||||
fallbackDns: optStr(fallbackDns),
|
||||
dnsTimeoutMs: optInt(dnsTimeout),
|
||||
connectTimeoutMs: optInt(connectTimeout),
|
||||
maxRedirects: optInt(maxRedirects),
|
||||
storagePassphrase: storagePassphrase || undefined,
|
||||
debug,
|
||||
});
|
||||
log('tunnel', 'Tunnel ready', 'green');
|
||||
}
|
||||
setConnected(true);
|
||||
setStatus({ text: 'Connected', colour: 'green' });
|
||||
log('tunnel', 'Tunnel ready', 'green');
|
||||
onReady(m.mixFetch);
|
||||
} catch (e) {
|
||||
setStatus({ text: 'Failed', colour: 'red' });
|
||||
log('tunnel', `Connection failed: ${e}`, 'red');
|
||||
log('tunnel', "Timeouts and IPR rate-limits are common. Try again, or tick 'Use random IPR' and reload.", 'orange');
|
||||
const msg = String((e as any)?.message ?? e);
|
||||
if (/already initialised/i.test(msg)) {
|
||||
log('tunnel', 'Tunnel already initialised in this tab; reload the page if it does not connect.', 'orange');
|
||||
setStatus({ text: 'Failed (already initialised, reload)', colour: 'red' });
|
||||
} else {
|
||||
setStatus({ text: 'Failed', colour: 'red' });
|
||||
log('tunnel', `Connection failed: ${msg}`, 'red');
|
||||
log('tunnel', "Timeouts and IPR rate-limits are common. Try again, or tick 'Use random IPR' and reload.", 'orange');
|
||||
}
|
||||
} finally {
|
||||
setBusy(false);
|
||||
}
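Review bot: In the reuse branch the tunnel keeps the options the other page passed, so the values shown in this form (`disableCoverTraffic`, `disablePoissonTraffic`, `forceTls`, `preferredIpr`) may not describe the tunnel actually in use, yet the status still reads plain `Connected`. One log line is the only hint; consider setting the status per branch, with the reuse branch using something like `setStatus({ text: 'Connected (reused tunnel; original options apply)', colour: 'green' })`. Separately, `m.getTunnelState().catch(() => null)` hides every failure of the state query, and `String((e as any)?.message ?? e)` could be `e instanceof Error ? e.message : String(e)` to drop the `any` cast. The enclosing function starts and ends outside the hunk, and which lines are old or new is inferred here because the page lost its +/- markers.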
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"nodes": 679,
|
||||
"nodes": 685,
|
||||
"locations": 75,
|
||||
"mixnodes": 240,
|
||||
"exit_gateways": 431
|
||||
"exit_gateways": 437
|
||||
}
|
||||
|
||||
@@ -1 +1 @@
|
||||
Tuesday, June 9th 2026, 15:17:20 UTC
|
||||
Tuesday, June 9th 2026, 16:06:04 UTC
|
||||
|
||||
@@ -9,8 +9,7 @@ Commands:
|
||||
|
||||
Options:
|
||||
-c, --config-env-file <CONFIG_ENV_FILE> Path pointing to an env file that configures the Nym API [env: NYMAPI_CONFIG_ENV_FILE_ARG=]
|
||||
--no-banner A no-op flag included for consistency with other binaries (and compatibility with nymvisor, oops) [env:
|
||||
NYMAPI_NO_BANNER_ARG=]
|
||||
--no-banner A no-op flag included for consistency with other binaries (and compatibility with nymvisor, oops) [env: NYMAPI_NO_BANNER_ARG=]
|
||||
-h, --help Print help
|
||||
-V, --version Print version
|
||||
```
|
||||
|
||||
@@ -12,8 +12,7 @@ Commands:
|
||||
help Print this message or the help of the given subcommand(s)
|
||||
|
||||
Options:
|
||||
-c, --config-env-file <CONFIG_ENV_FILE> Path pointing to an env file that configures the nym-node and overrides any preconfigured values [env:
|
||||
NYMNODE_CONFIG_ENV_FILE_ARG=]
|
||||
-c, --config-env-file <CONFIG_ENV_FILE> Path pointing to an env file that configures the nym-node and overrides any preconfigured values [env: NYMNODE_CONFIG_ENV_FILE_ARG=]
|
||||
--no-banner Flag used for disabling the printed banner in tty [env: NYMNODE_NO_BANNER=]
|
||||
-h, --help Print help
|
||||
-V, --version Print version
|
||||
|
||||
@@ -4,127 +4,95 @@ Start this nym-node
|
||||
Usage: nym-node run [OPTIONS]
|
||||
|
||||
Options:
|
||||
--id <ID>
|
||||
Id of the nym-node to use [env: NYMNODE_ID=] [default: default-nym-node]
|
||||
--config-file <CONFIG_FILE>
|
||||
Path to a configuration file of this node [env: NYMNODE_CONFIG=]
|
||||
--accept-operator-terms-and-conditions
|
||||
Explicitly specify whether you agree with the terms and conditions of a nym node operator as defined at
|
||||
<https://nymtech.net/terms-and-conditions/operators/v1.0.0> [env: NYMNODE_ACCEPT_OPERATOR_TERMS=]
|
||||
--deny-init
|
||||
Forbid a new node from being initialised if configuration file for the provided specification doesn't already exist [env: NYMNODE_DENY_INIT=]
|
||||
--init-only
|
||||
If this is a brand new nym-node, specify whether it should only be initialised without actually running the subprocesses [env: NYMNODE_INIT_ONLY=]
|
||||
--local
|
||||
Flag specifying this node will be running in a local setting [env: NYMNODE_LOCAL=]
|
||||
--mode [<MODE>...]
|
||||
Specifies the current mode(s) of this nym-node [env: NYMNODE_MODE=] [possible values: mixnode, entry-gateway, exit-gateway, exit-providers-only]
|
||||
--modes <MODES>
|
||||
Specifies the current mode(s) of this nym-node as a single flag [env: NYMNODE_MODES=] [possible values: mixnode, entry-gateway, exit-gateway,
|
||||
exit-providers-only]
|
||||
-w, --write-changes
|
||||
If this node has been initialised before, specify whether to write any new changes to the config file [env: NYMNODE_WRITE_CONFIG_CHANGES=]
|
||||
--bonding-information-output <BONDING_INFORMATION_OUTPUT>
|
||||
Specify output file for bonding information of this nym-node, i.e. its encoded keys. NOTE: the required bonding information is still a subject to change and
|
||||
this argument should be treated only as a preview of future features [env: NYMNODE_BONDING_INFORMATION_OUTPUT=]
|
||||
-o, --output <OUTPUT>
|
||||
Specify the output format of the bonding information (`text` or `json`) [env: NYMNODE_OUTPUT=] [default: text] [possible values: text, json]
|
||||
--public-ips <PUBLIC_IPS>
|
||||
Comma separated list of public ip addresses that will be announced to the nym-api and subsequently to the clients. In nearly all circumstances, it's going
|
||||
to be identical to the address you're going to use for bonding [env: NYMNODE_PUBLIC_IPS=]
|
||||
--hostname <HOSTNAME>
|
||||
Optional hostname associated with this gateway that will be announced to the nym-api and subsequently to the clients [env: NYMNODE_HOSTNAME=]
|
||||
--location <LOCATION>
|
||||
Optional **physical** location of this node's server. Either full country name (e.g. 'Poland'), two-letter alpha2 (e.g. 'PL'), three-letter alpha3 (e.g.
|
||||
'POL') or three-digit numeric-3 (e.g. '616') can be provided [env: NYMNODE_LOCATION=]
|
||||
--http-bind-address <HTTP_BIND_ADDRESS>
|
||||
Socket address this node will use for binding its http API. default: `[::]:8080` [env: NYMNODE_HTTP_BIND_ADDRESS=]
|
||||
--landing-page-assets-path <LANDING_PAGE_ASSETS_PATH>
|
||||
Path to assets directory of custom landing page of this node [env: NYMNODE_HTTP_LANDING_ASSETS=]
|
||||
--http-access-token <HTTP_ACCESS_TOKEN>
|
||||
An optional bearer token for accessing certain http endpoints. Currently only used for prometheus metrics [env: NYMNODE_HTTP_ACCESS_TOKEN=]
|
||||
--expose-system-info <EXPOSE_SYSTEM_INFO>
|
||||
Specify whether basic system information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_SYSTEM_INFO=] [possible values: true, false]
|
||||
--expose-system-hardware <EXPOSE_SYSTEM_HARDWARE>
|
||||
Specify whether basic system hardware information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_SYSTEM_HARDWARE=] [possible values: true,
|
||||
false]
|
||||
--expose-crypto-hardware <EXPOSE_CRYPTO_HARDWARE>
|
||||
Specify whether detailed system crypto hardware information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_CRYPTO_HARDWARE=] [possible values:
|
||||
true, false]
|
||||
--nyxd-urls <NYXD_URLS>
|
||||
Addresses to nyxd chain endpoint which the node will use for chain interactions [env: NYMNODE_NYXD=]
|
||||
--nyxd-websocket-url <NYXD_WEBSOCKET_URL>
|
||||
Url to the websocket endpoint of a nyx validator, for example `wss://rpc.nymtech.net/websocket`. It is used for subscribing to new block events [env:
|
||||
NYMNODE_NYXD_WEBSOCKET=]
|
||||
--mixnet-bind-address <MIXNET_BIND_ADDRESS>
|
||||
Address this node will bind to for listening for mixnet packets default: `[::]:1789` [env: NYMNODE_MIXNET_BIND_ADDRESS=]
|
||||
--mixnet-announce-port <MIXNET_ANNOUNCE_PORT>
|
||||
If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the node is behind a proxy [env:
|
||||
NYMNODE_MIXNET_ANNOUNCE_PORT=]
|
||||
--nym-api-urls <NYM_API_URLS>
|
||||
Addresses to nym APIs from which the node gets the view of the network [env: NYMNODE_NYM_APIS=]
|
||||
--enable-console-logging <ENABLE_CONSOLE_LOGGING>
|
||||
Specify whether running statistics of this node should be logged to the console [env: NYMNODE_ENABLE_CONSOLE_LOGGING=] [possible values: true, false]
|
||||
--wireguard-enabled <WIREGUARD_ENABLED>
|
||||
Specifies whether the wireguard service is enabled on this node [env: NYMNODE_WG_ENABLED=] [possible values: true, false]
|
||||
--wireguard-bind-address <WIREGUARD_BIND_ADDRESS>
|
||||
Socket address this node will use for binding its wireguard interface. default: `[::]:51822` [env: NYMNODE_WG_BIND_ADDRESS=]
|
||||
--wireguard-tunnel-announced-port <WIREGUARD_TUNNEL_ANNOUNCED_PORT>
|
||||
Tunnel port announced to external clients wishing to connect to the wireguard interface. Useful in the instances where the node is behind a proxy [env:
|
||||
NYMNODE_WG_ANNOUNCED_PORT=]
|
||||
--wireguard-private-network-prefix <WIREGUARD_PRIVATE_NETWORK_PREFIX>
|
||||
The prefix denoting the maximum number of the clients that can be connected via Wireguard. The maximum value for IPv4 is 32 and for IPv6 is 128 [env:
|
||||
NYMNODE_WG_PRIVATE_NETWORK_PREFIX=]
|
||||
--wireguard-userspace <WIREGUARD_USERSPACE>
|
||||
Use userspace implementation of WireGuard (wireguard-go) instead of kernel module. Useful in containerized environments without kernel WireGuard support
|
||||
[env: NYMNODE_WG_USERSPACE=] [possible values: true, false]
|
||||
--verloc-bind-address <VERLOC_BIND_ADDRESS>
|
||||
Socket address this node will use for binding its verloc API. default: `[::]:1790` [env: NYMNODE_VERLOC_BIND_ADDRESS=]
|
||||
--verloc-announce-port <VERLOC_ANNOUNCE_PORT>
|
||||
If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the node is behind a proxy [env:
|
||||
NYMNODE_VERLOC_ANNOUNCE_PORT=]
|
||||
--entry-bind-address <ENTRY_BIND_ADDRESS>
|
||||
Socket address this node will use for binding its client websocket API. default: `[::]:9000` [env: NYMNODE_ENTRY_BIND_ADDRESS=]
|
||||
--announce-ws-port <ANNOUNCE_WS_PORT>
|
||||
Custom announced port for listening for websocket client traffic. If unspecified, the value from the `bind_address` will be used instead [env:
|
||||
NYMNODE_ENTRY_ANNOUNCE_WS_PORT=]
|
||||
--announce-wss-port <ANNOUNCE_WSS_PORT>
|
||||
If applicable, announced port for listening for secure websocket client traffic [env: NYMNODE_ENTRY_ANNOUNCE_WSS_PORT=]
|
||||
--enforce-zk-nyms <ENFORCE_ZK_NYMS>
|
||||
Indicates whether this gateway is accepting only coconut credentials for accessing the mixnet or if it also accepts non-paying clients [env:
|
||||
NYMNODE_ENFORCE_ZK_NYMS=] [possible values: true, false]
|
||||
--mnemonic <MNEMONIC>
|
||||
Custom cosmos wallet mnemonic used for zk-nym redemption. If no value is provided, a fresh mnemonic is going to be generated [env: NYMNODE_MNEMONIC=]
|
||||
--upgrade-mode-attestation-url <UPGRADE_MODE_ATTESTATION_URL>
|
||||
Endpoint to query to retrieve current upgrade mode attestation. This argument should never be set outside testnets and local networks [env:
|
||||
NYMNODE_UPGRADE_MODE_ATTESTATION_URL=]
|
||||
--upgrade-mode-attester-public-key <UPGRADE_MODE_ATTESTER_PUBLIC_KEY>
|
||||
Expected public key of the entity signing the published attestation. This argument should never be set outside testnets and local networks [env:
|
||||
NYMNODE_UPGRADE_MODE_ATTESTER_PUBKEY=]
|
||||
--upstream-exit-policy-url <UPSTREAM_EXIT_POLICY_URL>
|
||||
Specifies the url for an upstream source of the exit policy used by this node [env: NYMNODE_UPSTREAM_EXIT_POLICY=]
|
||||
--open-proxy <OPEN_PROXY>
|
||||
Specifies whether this exit node should run in 'open-proxy' mode and thus would attempt to resolve **ANY** request it receives [env: NYMNODE_OPEN_PROXY=]
|
||||
[possible values: true, false]
|
||||
--nr-allow-local-ips <NR_ALLOW_LOCAL_IPS>
|
||||
Allow the network requester to forward traffic to non-globally-routable addresses. Intended for local development, private-network deployments, and testnet
|
||||
scenarios. Not recommended on production exit gateway unless you know what you're doing [env: NYMNODE_NR_ALLOW_LOCAL_IPS=] [possible values: true, false]
|
||||
--ipr-allow-local-ips <IPR_ALLOW_LOCAL_IPS>
|
||||
Allow the IP packet router to forward traffic to non-globally-routable addresses. Intended for local development, private-network deployments, and testnet
|
||||
scenarios. Not recommended on production exit gateway unless you know what you're doing [env: NYMNODE_IPR_ALLOW_LOCAL_IPS=] [possible values: true, false]
|
||||
--lp-control-bind-address <LP_CONTROL_BIND_ADDRESS>
|
||||
Bind address for the TCP LP control traffic. default: `[::]:41264` [env: NYMNODE_LP_CONTROL_BIND_ADDRESS=]
|
||||
--lp-control-announce-port <LP_CONTROL_ANNOUNCE_PORT>
|
||||
Custom announced port for listening for the TCP LP control traffic. If unspecified, the value from the `lp_control_bind_address` will be used instead [env:
|
||||
NYMNODE_LP_CONTROL_ANNOUNCE_PORT=]
|
||||
--lp-data-bind-address <LP_DATA_BIND_ADDRESS>
|
||||
Bind address for the UDP LP data traffic. default: `[::]:51264` [env: NYMNODE_LP_DATA_BIND_ADDRESS=]
|
||||
--lp-data-announce-port <LP_DATA_ANNOUNCE_PORT>
|
||||
Custom announced port for listening for the UDP LP data traffic. If unspecified, the value from the `lp_data_bind_address` will be used instead [env:
|
||||
NYMNODE_LP_DATA_ANNOUNCE_PORT=]
|
||||
--lp-use-mock-ecash <LP_USE_MOCK_ECASH>
|
||||
Use mock ecash manager for LP testing. WARNING: Only use this for local testing! Never enable in production. When enabled, the LP listener will accept any
|
||||
credential without blockchain verification [env: NYMNODE_LP_USE_MOCK_ECASH=] [possible values: true, false]
|
||||
-h, --help
|
||||
Print help
|
||||
--id <ID> Id of the nym-node to use [env: NYMNODE_ID=] [default: default-nym-node]
|
||||
--config-file <CONFIG_FILE> Path to a configuration file of this node [env: NYMNODE_CONFIG=]
|
||||
--accept-operator-terms-and-conditions Explicitly specify whether you agree with the terms and conditions of a nym node operator as defined at
|
||||
<https://nymtech.net/terms-and-conditions/operators/v1.0.0> [env: NYMNODE_ACCEPT_OPERATOR_TERMS=]
|
||||
--deny-init Forbid a new node from being initialised if configuration file for the provided specification doesn't already exist
|
||||
[env: NYMNODE_DENY_INIT=]
|
||||
--init-only If this is a brand new nym-node, specify whether it should only be initialised without actually running the subprocesses
|
||||
[env: NYMNODE_INIT_ONLY=]
|
||||
--local Flag specifying this node will be running in a local setting [env: NYMNODE_LOCAL=]
|
||||
--mode [<MODE>...] Specifies the current mode(s) of this nym-node [env: NYMNODE_MODE=] [possible values: mixnode, entry-gateway,
|
||||
exit-gateway, exit-providers-only]
|
||||
--modes <MODES> Specifies the current mode(s) of this nym-node as a single flag [env: NYMNODE_MODES=] [possible values: mixnode,
|
||||
entry-gateway, exit-gateway, exit-providers-only]
|
||||
-w, --write-changes If this node has been initialised before, specify whether to write any new changes to the config file [env:
|
||||
NYMNODE_WRITE_CONFIG_CHANGES=]
|
||||
--bonding-information-output <BONDING_INFORMATION_OUTPUT> Specify output file for bonding information of this nym-node, i.e. its encoded keys. NOTE: the required bonding
|
||||
information is still a subject to change and this argument should be treated only as a preview of future features [env:
|
||||
NYMNODE_BONDING_INFORMATION_OUTPUT=]
|
||||
-o, --output <OUTPUT> Specify the output format of the bonding information (`text` or `json`) [env: NYMNODE_OUTPUT=] [default: text] [possible
|
||||
values: text, json]
|
||||
--public-ips <PUBLIC_IPS> Comma separated list of public ip addresses that will be announced to the nym-api and subsequently to the clients. In
|
||||
nearly all circumstances, it's going to be identical to the address you're going to use for bonding [env:
|
||||
NYMNODE_PUBLIC_IPS=]
|
||||
--hostname <HOSTNAME> Optional hostname associated with this gateway that will be announced to the nym-api and subsequently to the clients
|
||||
[env: NYMNODE_HOSTNAME=]
|
||||
--location <LOCATION> Optional **physical** location of this node's server. Either full country name (e.g. 'Poland'), two-letter alpha2 (e.g.
|
||||
'PL'), three-letter alpha3 (e.g. 'POL') or three-digit numeric-3 (e.g. '616') can be provided [env: NYMNODE_LOCATION=]
|
||||
--http-bind-address <HTTP_BIND_ADDRESS> Socket address this node will use for binding its http API. default: `[::]:8080` [env: NYMNODE_HTTP_BIND_ADDRESS=]
|
||||
--landing-page-assets-path <LANDING_PAGE_ASSETS_PATH> Path to assets directory of custom landing page of this node [env: NYMNODE_HTTP_LANDING_ASSETS=]
|
||||
--http-access-token <HTTP_ACCESS_TOKEN> An optional bearer token for accessing certain http endpoints. Currently only used for prometheus metrics [env:
|
||||
NYMNODE_HTTP_ACCESS_TOKEN=]
|
||||
--expose-system-info <EXPOSE_SYSTEM_INFO> Specify whether basic system information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_SYSTEM_INFO=]
|
||||
[possible values: true, false]
|
||||
--expose-system-hardware <EXPOSE_SYSTEM_HARDWARE> Specify whether basic system hardware information should be exposed. default: true [env:
|
||||
NYMNODE_HTTP_EXPOSE_SYSTEM_HARDWARE=] [possible values: true, false]
|
||||
--expose-crypto-hardware <EXPOSE_CRYPTO_HARDWARE> Specify whether detailed system crypto hardware information should be exposed. default: true [env:
|
||||
NYMNODE_HTTP_EXPOSE_CRYPTO_HARDWARE=] [possible values: true, false]
|
||||
--nyxd-urls <NYXD_URLS> Addresses to nyxd chain endpoint which the node will use for chain interactions [env: NYMNODE_NYXD=]
|
||||
--nyxd-websocket-url <NYXD_WEBSOCKET_URL> Url to the websocket endpoint of a nyx validator, for example `wss://rpc.nymtech.net/websocket`. It is used for
|
||||
subscribing to new block events [env: NYMNODE_NYXD_WEBSOCKET=]
|
||||
--mixnet-bind-address <MIXNET_BIND_ADDRESS> Address this node will bind to for listening for mixnet packets default: `[::]:1789` [env: NYMNODE_MIXNET_BIND_ADDRESS=]
|
||||
--mixnet-announce-port <MIXNET_ANNOUNCE_PORT> If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the
|
||||
node is behind a proxy [env: NYMNODE_MIXNET_ANNOUNCE_PORT=]
|
||||
--nym-api-urls <NYM_API_URLS> Addresses to nym APIs from which the node gets the view of the network [env: NYMNODE_NYM_APIS=]
|
||||
--enable-console-logging <ENABLE_CONSOLE_LOGGING> Specify whether running statistics of this node should be logged to the console [env: NYMNODE_ENABLE_CONSOLE_LOGGING=]
|
||||
[possible values: true, false]
|
||||
--wireguard-enabled <WIREGUARD_ENABLED> Specifies whether the wireguard service is enabled on this node [env: NYMNODE_WG_ENABLED=] [possible values: true,
|
||||
false]
|
||||
--wireguard-bind-address <WIREGUARD_BIND_ADDRESS> Socket address this node will use for binding its wireguard interface. default: `[::]:51822` [env:
|
||||
NYMNODE_WG_BIND_ADDRESS=]
|
||||
--wireguard-tunnel-announced-port <WIREGUARD_TUNNEL_ANNOUNCED_PORT> Tunnel port announced to external clients wishing to connect to the wireguard interface. Useful in the instances where
|
||||
the node is behind a proxy [env: NYMNODE_WG_ANNOUNCED_PORT=]
|
||||
--wireguard-private-network-prefix <WIREGUARD_PRIVATE_NETWORK_PREFIX> The prefix denoting the maximum number of the clients that can be connected via Wireguard. The maximum value for IPv4 is
|
||||
32 and for IPv6 is 128 [env: NYMNODE_WG_PRIVATE_NETWORK_PREFIX=]
|
||||
--wireguard-userspace <WIREGUARD_USERSPACE> Use userspace implementation of WireGuard (wireguard-go) instead of kernel module. Useful in containerized environments
|
||||
without kernel WireGuard support [env: NYMNODE_WG_USERSPACE=] [possible values: true, false]
|
||||
--verloc-bind-address <VERLOC_BIND_ADDRESS> Socket address this node will use for binding its verloc API. default: `[::]:1790` [env: NYMNODE_VERLOC_BIND_ADDRESS=]
|
||||
--verloc-announce-port <VERLOC_ANNOUNCE_PORT> If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the
|
||||
node is behind a proxy [env: NYMNODE_VERLOC_ANNOUNCE_PORT=]
|
||||
--entry-bind-address <ENTRY_BIND_ADDRESS> Socket address this node will use for binding its client websocket API. default: `[::]:9000` [env:
|
||||
NYMNODE_ENTRY_BIND_ADDRESS=]
|
||||
--announce-ws-port <ANNOUNCE_WS_PORT> Custom announced port for listening for websocket client traffic. If unspecified, the value from the `bind_address` will
|
||||
be used instead [env: NYMNODE_ENTRY_ANNOUNCE_WS_PORT=]
|
||||
--announce-wss-port <ANNOUNCE_WSS_PORT> If applicable, announced port for listening for secure websocket client traffic [env: NYMNODE_ENTRY_ANNOUNCE_WSS_PORT=]
|
||||
--enforce-zk-nyms <ENFORCE_ZK_NYMS> Indicates whether this gateway is accepting only coconut credentials for accessing the mixnet or if it also accepts
|
||||
non-paying clients [env: NYMNODE_ENFORCE_ZK_NYMS=] [possible values: true, false]
|
||||
--mnemonic <MNEMONIC> Custom cosmos wallet mnemonic used for zk-nym redemption. If no value is provided, a fresh mnemonic is going to be
|
||||
generated [env: NYMNODE_MNEMONIC=]
|
||||
--upgrade-mode-attestation-url <UPGRADE_MODE_ATTESTATION_URL> Endpoint to query to retrieve current upgrade mode attestation. This argument should never be set outside testnets and
|
||||
local networks [env: NYMNODE_UPGRADE_MODE_ATTESTATION_URL=]
|
||||
--upgrade-mode-attester-public-key <UPGRADE_MODE_ATTESTER_PUBLIC_KEY> Expected public key of the entity signing the published attestation. This argument should never be set outside testnets
|
||||
and local networks [env: NYMNODE_UPGRADE_MODE_ATTESTER_PUBKEY=]
|
||||
--upstream-exit-policy-url <UPSTREAM_EXIT_POLICY_URL> Specifies the url for an upstream source of the exit policy used by this node [env: NYMNODE_UPSTREAM_EXIT_POLICY=]
|
||||
--open-proxy <OPEN_PROXY> Specifies whether this exit node should run in 'open-proxy' mode and thus would attempt to resolve **ANY** request it
|
||||
receives [env: NYMNODE_OPEN_PROXY=] [possible values: true, false]
|
||||
--nr-allow-local-ips <NR_ALLOW_LOCAL_IPS> Allow the network requester to forward traffic to non-globally-routable addresses. Intended for local development,
|
||||
private-network deployments, and testnet scenarios. Not recommended on production exit gateway unless you know what
|
||||
you're doing [env: NYMNODE_NR_ALLOW_LOCAL_IPS=] [possible values: true, false]
|
||||
--ipr-allow-local-ips <IPR_ALLOW_LOCAL_IPS> Allow the IP packet router to forward traffic to non-globally-routable addresses. Intended for local development,
|
||||
private-network deployments, and testnet scenarios. Not recommended on production exit gateway unless you know what
|
||||
you're doing [env: NYMNODE_IPR_ALLOW_LOCAL_IPS=] [possible values: true, false]
|
||||
--lp-control-bind-address <LP_CONTROL_BIND_ADDRESS> Bind address for the TCP LP control traffic. default: `[::]:41264` [env: NYMNODE_LP_CONTROL_BIND_ADDRESS=]
|
||||
--lp-control-announce-port <LP_CONTROL_ANNOUNCE_PORT> Custom announced port for listening for the TCP LP control traffic. If unspecified, the value from the
|
||||
`lp_control_bind_address` will be used instead [env: NYMNODE_LP_CONTROL_ANNOUNCE_PORT=]
|
||||
--lp-data-bind-address <LP_DATA_BIND_ADDRESS> Bind address for the UDP LP data traffic. default: `[::]:51264` [env: NYMNODE_LP_DATA_BIND_ADDRESS=]
|
||||
--lp-data-announce-port <LP_DATA_ANNOUNCE_PORT> Custom announced port for listening for the UDP LP data traffic. If unspecified, the value from the
|
||||
`lp_data_bind_address` will be used instead [env: NYMNODE_LP_DATA_ANNOUNCE_PORT=]
|
||||
--lp-use-mock-ecash <LP_USE_MOCK_ECASH> Use mock ecash manager for LP testing. WARNING: Only use this for local testing! Never enable in production. When
|
||||
enabled, the LP listener will accept any credential without blockchain verification [env: NYMNODE_LP_USE_MOCK_ECASH=]
|
||||
[possible values: true, false]
|
||||
-h, --help Print help
|
||||
```
|
||||
|
||||
@@ -1526,7 +1526,7 @@ const config = {
|
||||
form-action 'self';
|
||||
frame-ancestors 'none';
|
||||
upgrade-insecure-requests;
|
||||
connect-src 'self' wss://nym-node-cli.devrel.nymte.ch:9001 https://github.com *.vercel.app *.nymtech.net *.nymvpn.com *.nymte.ch *.nyx.network *.nym.com https://nym.com nymvpn.com https://nymvpn.com *.nymtech.cc;
|
||||
connect-src 'self' wss://nym-node-cli.devrel.nymte.ch:9001 https://github.com *.vercel.app *.nymtech.net *.nymvpn.com *.nymte.ch *.nyx.network *.nym.com https://nym.com nymvpn.com https://nymvpn.com *.nymtech.cc https://ipinfo.io;
|
||||
frame-src 'self' https://vercel.live *.vercel.app *.nym.com https://nym.com;
|
||||
worker-src 'self' blob: https://vercel.live *.vercel.app *.nym.com https://nym.com;
|
||||
`;
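Review bot: The `connect-src` directive now allows `https://ipinfo.io`, and this string appears to be the site-wide policy, so script on every page may contact a third party that learns the visitor's IP address, although only the demos' Verify IP button needs it. If the headers configuration supports per-route policies, scope the entry to the demo routes. Otherwise add a comment above the template literal, e.g. `// https://ipinfo.io: direct clearnet comparison call made by the demos' "Verify IP routing" button`, so the entry is not mistaken for a leftover and can be removed with the feature. The `config` object starts and ends outside the hunk.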
|
||||
|
||||
@@ -13,6 +13,9 @@ export const EnsDemo = dynamic(
|
||||
{ ssr: false },
|
||||
)
|
||||
|
||||
import { NetworkTabCallout } from '../../../components/demos/shared/NetworkTabCallout'
|
||||
import { MixnetGlossary } from '../../../components/demos/shared/MixnetGlossary'
|
||||
|
||||
# ENS over the mixnet
|
||||
|
||||
A normal ENS lookup (name to address to IPFS website) built with
|
||||
@@ -64,6 +67,8 @@ not, so the demo adds a `DecompressionStream` step after each response (Cloudfla
|
||||
gzips RPC replies). The full version with decompression and per-call logging is in
|
||||
[`components/demos/ens/lib.ts`](https://github.com/nymtech/nym/tree/develop/documentation/docs/components/demos/ens).
|
||||
|
||||
On npm: [`@nymproject/mix-fetch`](https://www.npmjs.com/package/@nymproject/mix-fetch) and [`ethers`](https://www.npmjs.com/package/ethers).
|
||||
|
||||
The lookup itself is three steps, each an Ethereum call or HTTPS GET over the same
|
||||
tunnel:
|
||||
|
||||
@@ -83,6 +88,8 @@ Connect to bring the tunnel up (a default IPR exit is pinned; tick **Use random
|
||||
IPR** for auto-discovery), click **Verify IP routing** to confirm traffic exits
|
||||
through Nym, then run the three steps.
|
||||
|
||||
<NetworkTabCallout />
|
||||
|
||||
<EnsDemo />
|
||||
|
||||
## What to expect
|
||||
@@ -93,26 +100,15 @@ through Nym, then run the three steps.
|
||||
sequential round trips). smolmix keeps that connection warm and reuses it, so
|
||||
later requests to the same host are much quicker. A long pause is handshakes in
|
||||
flight, not a hang.
|
||||
- **You will not see the requests in DevTools.** The RPC and IPFS requests never
|
||||
touch the browser's `fetch`. They leave the worker as encrypted packets over a
|
||||
single WebSocket to the entry gateway, which is the one connection the Network
|
||||
tab shows.
|
||||
- **You will not see the tunnelled requests in DevTools.** The RPC and IPFS
|
||||
requests never touch the browser's `fetch`. They leave the worker as encrypted
|
||||
packets over a single WebSocket to the entry gateway, which is the one
|
||||
connection the Network tab shows. The exception is **Verify IP routing**, which
|
||||
deliberately makes one direct clearnet call to ipinfo.io for comparison.
|
||||
- **Rate limiting.** Public IPFS gateways and Ethereum RPCs rate-limit shared IP
|
||||
addresses. If requests start failing with 403, 429, or connection errors, the
|
||||
exit IP is likely flagged: tick **Use random IPR** and reload for a fresh exit.
|
||||
|
||||
## Glossary
|
||||
|
||||
- **Mixnet.** An overlay network that routes your traffic through several relays
|
||||
and mixes it with other people's, hiding who is talking to whom. Nym operates one.
|
||||
- **Entry gateway.** Your first hop into the mixnet. Your browser holds one
|
||||
WebSocket to it; all tunnelled traffic rides that connection as opaque frames.
|
||||
- **IPR (IP Packet Router), the exit.** The mixnet's exit point onto the normal
|
||||
internet. The RPC node and IPFS gateway see the IPR's IP address, never yours.
|
||||
- **SURB (single-use reply block).** A prepaid, single-use return envelope. It
|
||||
lets the exit send a reply back through the mixnet without learning your address.
|
||||
- **Cover traffic / Poisson timing.** Decoy packets and randomised send timing.
|
||||
Together they keep your real traffic statistically hard to pick out.
|
||||
- **mixFetch.** The [`@nymproject/mix-fetch`](/developers/mix-fetch) package's
|
||||
`fetch()`-shaped function. It runs the mixnet client (smolmix) in a Web Worker
|
||||
and sends your request through the mixnet instead of the browser's network stack.
|
||||
<MixnetGlossary />
|
||||
|
||||
@@ -13,6 +13,9 @@ export const RailgunDemo = dynamic(
|
||||
{ ssr: false },
|
||||
)
|
||||
|
||||
import { NetworkTabCallout } from '../../../components/demos/shared/NetworkTabCallout'
|
||||
import { MixnetGlossary } from '../../../components/demos/shared/MixnetGlossary'
|
||||
|
||||
# Railgun over the mixnet
|
||||
|
||||
Two privacy layers stacked. **Nym** hides the network layer: every Ethereum RPC
|
||||
@@ -67,6 +70,8 @@ Railgun resolve to different ethers copies, the handler installs on one and the
|
||||
engine uses the other. Pin the exact ethers version Railgun peer-depends on (this
|
||||
demo aliases ethers to one instance in the bundler).
|
||||
|
||||
On npm: [`@nymproject/mix-fetch`](https://www.npmjs.com/package/@nymproject/mix-fetch), [`@railgun-community/wallet`](https://www.npmjs.com/package/@railgun-community/wallet), and [`ethers`](https://www.npmjs.com/package/ethers).
|
||||
|
||||
Shielding is a four-step flow, all over the mixnet: sign a shield key, estimate
|
||||
gas, populate the transaction, then sign and broadcast. The broadcast that lands
|
||||
on Sepolia is observable on Etherscan, but the IP that submitted it stays hidden.
|
||||
@@ -83,6 +88,8 @@ small amount. If the wallet is low, top it up at a
|
||||
**Sepolia testnet only.** The wallet holds only test ETH and the mnemonic is
|
||||
stored in plain browser storage. Never paste a mainnet mnemonic.
|
||||
|
||||
<NetworkTabCallout />
|
||||
|
||||
<RailgunDemo />
|
||||
|
||||
## What to expect
|
||||
@@ -97,3 +104,7 @@ stored in plain browser storage. Never paste a mainnet mnemonic.
|
||||
- **Rate limiting.** If RPC calls start failing with 403/429 or connection
|
||||
errors, the exit IP is flagged: disconnect, tick **Use random IPR**, reload,
|
||||
and reconnect for a fresh exit.
|
||||
|
||||
## Glossary
|
||||
|
||||
<MixnetGlossary />
|
||||
|
||||
@@ -9,6 +9,7 @@ lastUpdated: "2026-06-09"
|
||||
import { Callout } from 'nextra/components'
|
||||
import { MixPlayground } from '../../components/playground/MixPlayground'
|
||||
import { MessagingDemo } from '../../components/playground/messaging-section'
|
||||
import { NetworkTabCallout } from '../../components/demos/shared/NetworkTabCallout'
|
||||
|
||||
# Mixnet playground
|
||||
|
||||
@@ -19,18 +20,11 @@ This playground runs Nym's browser TypeScript packages against the live mixnet.
|
||||
|
||||
Some sections send the same request over the tunnel and over the clearnet, so you can compare the two.
|
||||
|
||||
On npm: [`@nymproject/mix-fetch`](https://www.npmjs.com/package/@nymproject/mix-fetch), [`@nymproject/mix-dns`](https://www.npmjs.com/package/@nymproject/mix-dns), [`@nymproject/mix-tunnel`](https://www.npmjs.com/package/@nymproject/mix-tunnel), [`@nymproject/mix-websocket`](https://www.npmjs.com/package/@nymproject/mix-websocket), and [`@nymproject/sdk`](https://www.npmjs.com/package/@nymproject/sdk).
|
||||
|
||||
## HTTPS / DNS / WebSockets
|
||||
|
||||
<Callout type="info">
|
||||
**Watch the Network tab.** Open DevTools → Network before you connect. Once
|
||||
`setupMixTunnel` reports ready, every tunnel operation here (`mixFetch`,
|
||||
`mixDNS`, `MixWebSocket`) adds **no new request** to that tab: it is multiplexed
|
||||
inside the single WebSocket to the entry gateway. Only the *clearnet* comparison
|
||||
buttons add rows. (Setup also fetches the network topology over HTTPS and
|
||||
refreshes it periodically, so those nym-api calls and the gateway WebSocket are
|
||||
the only clearnet requests you will see.) Your real traffic never leaves the
|
||||
browser as an identifiable, per-destination request.
|
||||
</Callout>
|
||||
<NetworkTabCallout />
|
||||
|
||||
<Callout type="info">
|
||||
Everything here runs client-side over the live Nym mixnet. The first
|
||||
|
||||