demos second pass

This commit is contained in:
mfahampshire
2026-06-09 17:07:49 +01:00
parent 9ca0f32c47
commit 7529cde148
14 changed files with 230 additions and 179 deletions
@@ -195,7 +195,7 @@ export function EnsDemo() {
<div style={legend}>ENS lookup</div>
<div style={row}>
<Button onClick={verifyIp} disabled={!connected || busy}>Verify IP routing</Button>
<span style={sub}>Confirm traffic exits through Nym before resolving.</span>
<span style={sub}>Confirms traffic exits through Nym. The comparison makes one direct (clearnet) call to ipinfo.io, so you will see a single ipinfo.io row in the Network tab.</span>
</div>
<div style={row}>
@@ -292,6 +292,7 @@ export function RailgunDemo() {
<Button onClick={verifyIp} disabled={!connected || busy}>Verify IP routing</Button>
<span style={sub}>{balance}</span>
</div>
<div style={sub}>Verify IP makes one direct (clearnet) call to ipinfo.io for the comparison, so you will see a single ipinfo.io row in the Network tab.</div>
</div>
<div style={box}>
@@ -0,0 +1,50 @@
// Shared mixnet glossary for the demo pages, with links to the relevant docs.
// Raw <a> inside a React component does not pick up Nextra's MDX link styling,
// so the links are styled explicitly via the L helper.
import React from 'react';
function L({ href, children }: { href: string; children: React.ReactNode }) {
return (
<a href={href} style={{ color: '#3b82f6', textDecoration: 'underline' }}>
{children}
</a>
);
}
export function MixnetGlossary() {
return (
<ul>
<li>
<strong>Mixnet.</strong> An overlay network that routes your traffic through several relays
and mixes it with other people's, hiding who is talking to whom. Nym operates one. See{' '}
<L href="/network/mixnet-mode">mixnet mode</L>.
</li>
<li>
<strong>Entry gateway.</strong> Your first hop into the mixnet. Your browser holds one
WebSocket to it; all tunnelled traffic rides that connection as opaque frames. See{' '}
<L href="/network/infrastructure/nym-nodes">Nym nodes</L>.
</li>
<li>
<strong>IPR (IP Packet Router), the exit.</strong> The mixnet's exit point onto the normal
internet. The RPC node and gateway see the IPR's IP address, never yours. See{' '}
<L href="/network/infrastructure/exit-services#ip-packet-router">exit services</L>.
</li>
<li>
<strong>SURB (single-use reply block).</strong> A prepaid, single-use return envelope. It
lets the exit send a reply back through the mixnet without learning your address. See{' '}
<L href="/network/mixnet-mode/anonymous-replies">anonymous replies</L>.
</li>
<li>
<strong>Cover traffic / Poisson timing.</strong> Decoy packets and randomised send timing.
Together they keep your real traffic statistically hard to pick out. See{' '}
<L href="/network/mixnet-mode/cover-traffic">cover traffic</L>.
</li>
<li>
<strong>mixFetch.</strong> The{' '}
<L href="/developers/mix-fetch"><code>@nymproject/mix-fetch</code></L> package's{' '}
<code>fetch()</code>-shaped function. It runs the mixnet client (smolmix) in a Web Worker and
sends your request through the mixnet instead of the browser's network stack.
</li>
</ul>
);
}
@@ -0,0 +1,19 @@
// Shared "Watch the Network tab" callout, used on the playground and the demo
// pages. Generic wording so it reads correctly wherever a single mixnet tunnel
// carries the page's traffic.
import React from 'react';
import { Callout } from 'nextra/components';
export function NetworkTabCallout() {
return (
<Callout type="info">
<strong>Watch the Network tab.</strong> Open DevTools Network before you connect. Once the
tunnel reports ready, every operation you run here adds <strong>no new request</strong> to that
tab: it is multiplexed inside the single WebSocket to the entry gateway. Only the clearnet
comparison buttons add rows. (Setup also fetches the network topology over HTTPS and refreshes
it periodically, so those nym-api calls and the gateway WebSocket are the only clearnet requests
you will see.) Your real traffic never leaves the browser as an identifiable, per-destination
request.
</Callout>
);
}
@@ -95,30 +95,44 @@ export function MixTunnelSetup({
try {
const m = mods ?? (await loadMixFetch());
if (!mods) setMods(m);
await m.setupMixTunnel({
...(useRandomIpr ? {} : { preferredIpr: iprAddress.trim() }),
clientId,
forceTls,
disablePoissonTraffic: disablePoisson,
disableCoverTraffic: disableCover,
openReplySurbs: clampSurbs(openSurbs, 1),
dataReplySurbs: clampSurbs(dataSurbs, 0),
primaryDns: optStr(primaryDns),
fallbackDns: optStr(fallbackDns),
dnsTimeoutMs: optInt(dnsTimeout),
connectTimeoutMs: optInt(connectTimeout),
maxRedirects: optInt(maxRedirects),
storagePassphrase: storagePassphrase || undefined,
debug,
});
// One WASM instance per browser tab, shared across demo pages by the
// bundler. If another page already brought the tunnel up, reuse it rather
// than calling setupMixTunnel again (which throws "already initialised").
const existing = await m.getTunnelState().catch(() => null);
if (existing && existing.state === 'ready') {
log('tunnel', 'Tunnel already up from another page; reusing it (its original options apply).', 'green');
} else {
await m.setupMixTunnel({
...(useRandomIpr ? {} : { preferredIpr: iprAddress.trim() }),
clientId,
forceTls,
disablePoissonTraffic: disablePoisson,
disableCoverTraffic: disableCover,
openReplySurbs: clampSurbs(openSurbs, 1),
dataReplySurbs: clampSurbs(dataSurbs, 0),
primaryDns: optStr(primaryDns),
fallbackDns: optStr(fallbackDns),
dnsTimeoutMs: optInt(dnsTimeout),
connectTimeoutMs: optInt(connectTimeout),
maxRedirects: optInt(maxRedirects),
storagePassphrase: storagePassphrase || undefined,
debug,
});
log('tunnel', 'Tunnel ready', 'green');
}
setConnected(true);
setStatus({ text: 'Connected', colour: 'green' });
log('tunnel', 'Tunnel ready', 'green');
onReady(m.mixFetch);
} catch (e) {
setStatus({ text: 'Failed', colour: 'red' });
log('tunnel', `Connection failed: ${e}`, 'red');
log('tunnel', "Timeouts and IPR rate-limits are common. Try again, or tick 'Use random IPR' and reload.", 'orange');
const msg = String((e as any)?.message ?? e);
if (/already initialised/i.test(msg)) {
log('tunnel', 'Tunnel already initialised in this tab; reload the page if it does not connect.', 'orange');
setStatus({ text: 'Failed (already initialised, reload)', colour: 'red' });
} else {
setStatus({ text: 'Failed', colour: 'red' });
log('tunnel', `Connection failed: ${msg}`, 'red');
log('tunnel', "Timeouts and IPR rate-limits are common. Try again, or tick 'Use random IPR' and reload.", 'orange');
}
} finally {
setBusy(false);
}
@@ -1,6 +1,6 @@
{
"nodes": 679,
"nodes": 685,
"locations": 75,
"mixnodes": 240,
"exit_gateways": 431
"exit_gateways": 437
}
@@ -1 +1 @@
Tuesday, June 9th 2026, 15:17:20 UTC
Tuesday, June 9th 2026, 16:06:04 UTC
@@ -9,8 +9,7 @@ Commands:
Options:
-c, --config-env-file <CONFIG_ENV_FILE> Path pointing to an env file that configures the Nym API [env: NYMAPI_CONFIG_ENV_FILE_ARG=]
--no-banner A no-op flag included for consistency with other binaries (and compatibility with nymvisor, oops) [env:
NYMAPI_NO_BANNER_ARG=]
--no-banner A no-op flag included for consistency with other binaries (and compatibility with nymvisor, oops) [env: NYMAPI_NO_BANNER_ARG=]
-h, --help Print help
-V, --version Print version
```
@@ -12,8 +12,7 @@ Commands:
help Print this message or the help of the given subcommand(s)
Options:
-c, --config-env-file <CONFIG_ENV_FILE> Path pointing to an env file that configures the nym-node and overrides any preconfigured values [env:
NYMNODE_CONFIG_ENV_FILE_ARG=]
-c, --config-env-file <CONFIG_ENV_FILE> Path pointing to an env file that configures the nym-node and overrides any preconfigured values [env: NYMNODE_CONFIG_ENV_FILE_ARG=]
--no-banner Flag used for disabling the printed banner in tty [env: NYMNODE_NO_BANNER=]
-h, --help Print help
-V, --version Print version
@@ -4,127 +4,95 @@ Start this nym-node
Usage: nym-node run [OPTIONS]
Options:
--id <ID>
Id of the nym-node to use [env: NYMNODE_ID=] [default: default-nym-node]
--config-file <CONFIG_FILE>
Path to a configuration file of this node [env: NYMNODE_CONFIG=]
--accept-operator-terms-and-conditions
Explicitly specify whether you agree with the terms and conditions of a nym node operator as defined at
<https://nymtech.net/terms-and-conditions/operators/v1.0.0> [env: NYMNODE_ACCEPT_OPERATOR_TERMS=]
--deny-init
Forbid a new node from being initialised if configuration file for the provided specification doesn't already exist [env: NYMNODE_DENY_INIT=]
--init-only
If this is a brand new nym-node, specify whether it should only be initialised without actually running the subprocesses [env: NYMNODE_INIT_ONLY=]
--local
Flag specifying this node will be running in a local setting [env: NYMNODE_LOCAL=]
--mode [<MODE>...]
Specifies the current mode(s) of this nym-node [env: NYMNODE_MODE=] [possible values: mixnode, entry-gateway, exit-gateway, exit-providers-only]
--modes <MODES>
Specifies the current mode(s) of this nym-node as a single flag [env: NYMNODE_MODES=] [possible values: mixnode, entry-gateway, exit-gateway,
exit-providers-only]
-w, --write-changes
If this node has been initialised before, specify whether to write any new changes to the config file [env: NYMNODE_WRITE_CONFIG_CHANGES=]
--bonding-information-output <BONDING_INFORMATION_OUTPUT>
Specify output file for bonding information of this nym-node, i.e. its encoded keys. NOTE: the required bonding information is still a subject to change and
this argument should be treated only as a preview of future features [env: NYMNODE_BONDING_INFORMATION_OUTPUT=]
-o, --output <OUTPUT>
Specify the output format of the bonding information (`text` or `json`) [env: NYMNODE_OUTPUT=] [default: text] [possible values: text, json]
--public-ips <PUBLIC_IPS>
Comma separated list of public ip addresses that will be announced to the nym-api and subsequently to the clients. In nearly all circumstances, it's going
to be identical to the address you're going to use for bonding [env: NYMNODE_PUBLIC_IPS=]
--hostname <HOSTNAME>
Optional hostname associated with this gateway that will be announced to the nym-api and subsequently to the clients [env: NYMNODE_HOSTNAME=]
--location <LOCATION>
Optional **physical** location of this node's server. Either full country name (e.g. 'Poland'), two-letter alpha2 (e.g. 'PL'), three-letter alpha3 (e.g.
'POL') or three-digit numeric-3 (e.g. '616') can be provided [env: NYMNODE_LOCATION=]
--http-bind-address <HTTP_BIND_ADDRESS>
Socket address this node will use for binding its http API. default: `[::]:8080` [env: NYMNODE_HTTP_BIND_ADDRESS=]
--landing-page-assets-path <LANDING_PAGE_ASSETS_PATH>
Path to assets directory of custom landing page of this node [env: NYMNODE_HTTP_LANDING_ASSETS=]
--http-access-token <HTTP_ACCESS_TOKEN>
An optional bearer token for accessing certain http endpoints. Currently only used for prometheus metrics [env: NYMNODE_HTTP_ACCESS_TOKEN=]
--expose-system-info <EXPOSE_SYSTEM_INFO>
Specify whether basic system information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_SYSTEM_INFO=] [possible values: true, false]
--expose-system-hardware <EXPOSE_SYSTEM_HARDWARE>
Specify whether basic system hardware information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_SYSTEM_HARDWARE=] [possible values: true,
false]
--expose-crypto-hardware <EXPOSE_CRYPTO_HARDWARE>
Specify whether detailed system crypto hardware information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_CRYPTO_HARDWARE=] [possible values:
true, false]
--nyxd-urls <NYXD_URLS>
Addresses to nyxd chain endpoint which the node will use for chain interactions [env: NYMNODE_NYXD=]
--nyxd-websocket-url <NYXD_WEBSOCKET_URL>
Url to the websocket endpoint of a nyx validator, for example `wss://rpc.nymtech.net/websocket`. It is used for subscribing to new block events [env:
NYMNODE_NYXD_WEBSOCKET=]
--mixnet-bind-address <MIXNET_BIND_ADDRESS>
Address this node will bind to for listening for mixnet packets default: `[::]:1789` [env: NYMNODE_MIXNET_BIND_ADDRESS=]
--mixnet-announce-port <MIXNET_ANNOUNCE_PORT>
If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the node is behind a proxy [env:
NYMNODE_MIXNET_ANNOUNCE_PORT=]
--nym-api-urls <NYM_API_URLS>
Addresses to nym APIs from which the node gets the view of the network [env: NYMNODE_NYM_APIS=]
--enable-console-logging <ENABLE_CONSOLE_LOGGING>
Specify whether running statistics of this node should be logged to the console [env: NYMNODE_ENABLE_CONSOLE_LOGGING=] [possible values: true, false]
--wireguard-enabled <WIREGUARD_ENABLED>
Specifies whether the wireguard service is enabled on this node [env: NYMNODE_WG_ENABLED=] [possible values: true, false]
--wireguard-bind-address <WIREGUARD_BIND_ADDRESS>
Socket address this node will use for binding its wireguard interface. default: `[::]:51822` [env: NYMNODE_WG_BIND_ADDRESS=]
--wireguard-tunnel-announced-port <WIREGUARD_TUNNEL_ANNOUNCED_PORT>
Tunnel port announced to external clients wishing to connect to the wireguard interface. Useful in the instances where the node is behind a proxy [env:
NYMNODE_WG_ANNOUNCED_PORT=]
--wireguard-private-network-prefix <WIREGUARD_PRIVATE_NETWORK_PREFIX>
The prefix denoting the maximum number of the clients that can be connected via Wireguard. The maximum value for IPv4 is 32 and for IPv6 is 128 [env:
NYMNODE_WG_PRIVATE_NETWORK_PREFIX=]
--wireguard-userspace <WIREGUARD_USERSPACE>
Use userspace implementation of WireGuard (wireguard-go) instead of kernel module. Useful in containerized environments without kernel WireGuard support
[env: NYMNODE_WG_USERSPACE=] [possible values: true, false]
--verloc-bind-address <VERLOC_BIND_ADDRESS>
Socket address this node will use for binding its verloc API. default: `[::]:1790` [env: NYMNODE_VERLOC_BIND_ADDRESS=]
--verloc-announce-port <VERLOC_ANNOUNCE_PORT>
If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the node is behind a proxy [env:
NYMNODE_VERLOC_ANNOUNCE_PORT=]
--entry-bind-address <ENTRY_BIND_ADDRESS>
Socket address this node will use for binding its client websocket API. default: `[::]:9000` [env: NYMNODE_ENTRY_BIND_ADDRESS=]
--announce-ws-port <ANNOUNCE_WS_PORT>
Custom announced port for listening for websocket client traffic. If unspecified, the value from the `bind_address` will be used instead [env:
NYMNODE_ENTRY_ANNOUNCE_WS_PORT=]
--announce-wss-port <ANNOUNCE_WSS_PORT>
If applicable, announced port for listening for secure websocket client traffic [env: NYMNODE_ENTRY_ANNOUNCE_WSS_PORT=]
--enforce-zk-nyms <ENFORCE_ZK_NYMS>
Indicates whether this gateway is accepting only coconut credentials for accessing the mixnet or if it also accepts non-paying clients [env:
NYMNODE_ENFORCE_ZK_NYMS=] [possible values: true, false]
--mnemonic <MNEMONIC>
Custom cosmos wallet mnemonic used for zk-nym redemption. If no value is provided, a fresh mnemonic is going to be generated [env: NYMNODE_MNEMONIC=]
--upgrade-mode-attestation-url <UPGRADE_MODE_ATTESTATION_URL>
Endpoint to query to retrieve current upgrade mode attestation. This argument should never be set outside testnets and local networks [env:
NYMNODE_UPGRADE_MODE_ATTESTATION_URL=]
--upgrade-mode-attester-public-key <UPGRADE_MODE_ATTESTER_PUBLIC_KEY>
Expected public key of the entity signing the published attestation. This argument should never be set outside testnets and local networks [env:
NYMNODE_UPGRADE_MODE_ATTESTER_PUBKEY=]
--upstream-exit-policy-url <UPSTREAM_EXIT_POLICY_URL>
Specifies the url for an upstream source of the exit policy used by this node [env: NYMNODE_UPSTREAM_EXIT_POLICY=]
--open-proxy <OPEN_PROXY>
Specifies whether this exit node should run in 'open-proxy' mode and thus would attempt to resolve **ANY** request it receives [env: NYMNODE_OPEN_PROXY=]
[possible values: true, false]
--nr-allow-local-ips <NR_ALLOW_LOCAL_IPS>
Allow the network requester to forward traffic to non-globally-routable addresses. Intended for local development, private-network deployments, and testnet
scenarios. Not recommended on production exit gateway unless you know what you're doing [env: NYMNODE_NR_ALLOW_LOCAL_IPS=] [possible values: true, false]
--ipr-allow-local-ips <IPR_ALLOW_LOCAL_IPS>
Allow the IP packet router to forward traffic to non-globally-routable addresses. Intended for local development, private-network deployments, and testnet
scenarios. Not recommended on production exit gateway unless you know what you're doing [env: NYMNODE_IPR_ALLOW_LOCAL_IPS=] [possible values: true, false]
--lp-control-bind-address <LP_CONTROL_BIND_ADDRESS>
Bind address for the TCP LP control traffic. default: `[::]:41264` [env: NYMNODE_LP_CONTROL_BIND_ADDRESS=]
--lp-control-announce-port <LP_CONTROL_ANNOUNCE_PORT>
Custom announced port for listening for the TCP LP control traffic. If unspecified, the value from the `lp_control_bind_address` will be used instead [env:
NYMNODE_LP_CONTROL_ANNOUNCE_PORT=]
--lp-data-bind-address <LP_DATA_BIND_ADDRESS>
Bind address for the UDP LP data traffic. default: `[::]:51264` [env: NYMNODE_LP_DATA_BIND_ADDRESS=]
--lp-data-announce-port <LP_DATA_ANNOUNCE_PORT>
Custom announced port for listening for the UDP LP data traffic. If unspecified, the value from the `lp_data_bind_address` will be used instead [env:
NYMNODE_LP_DATA_ANNOUNCE_PORT=]
--lp-use-mock-ecash <LP_USE_MOCK_ECASH>
Use mock ecash manager for LP testing. WARNING: Only use this for local testing! Never enable in production. When enabled, the LP listener will accept any
credential without blockchain verification [env: NYMNODE_LP_USE_MOCK_ECASH=] [possible values: true, false]
-h, --help
Print help
--id <ID> Id of the nym-node to use [env: NYMNODE_ID=] [default: default-nym-node]
--config-file <CONFIG_FILE> Path to a configuration file of this node [env: NYMNODE_CONFIG=]
--accept-operator-terms-and-conditions Explicitly specify whether you agree with the terms and conditions of a nym node operator as defined at
<https://nymtech.net/terms-and-conditions/operators/v1.0.0> [env: NYMNODE_ACCEPT_OPERATOR_TERMS=]
--deny-init Forbid a new node from being initialised if configuration file for the provided specification doesn't already exist
[env: NYMNODE_DENY_INIT=]
--init-only If this is a brand new nym-node, specify whether it should only be initialised without actually running the subprocesses
[env: NYMNODE_INIT_ONLY=]
--local Flag specifying this node will be running in a local setting [env: NYMNODE_LOCAL=]
--mode [<MODE>...] Specifies the current mode(s) of this nym-node [env: NYMNODE_MODE=] [possible values: mixnode, entry-gateway,
exit-gateway, exit-providers-only]
--modes <MODES> Specifies the current mode(s) of this nym-node as a single flag [env: NYMNODE_MODES=] [possible values: mixnode,
entry-gateway, exit-gateway, exit-providers-only]
-w, --write-changes If this node has been initialised before, specify whether to write any new changes to the config file [env:
NYMNODE_WRITE_CONFIG_CHANGES=]
--bonding-information-output <BONDING_INFORMATION_OUTPUT> Specify output file for bonding information of this nym-node, i.e. its encoded keys. NOTE: the required bonding
information is still a subject to change and this argument should be treated only as a preview of future features [env:
NYMNODE_BONDING_INFORMATION_OUTPUT=]
-o, --output <OUTPUT> Specify the output format of the bonding information (`text` or `json`) [env: NYMNODE_OUTPUT=] [default: text] [possible
values: text, json]
--public-ips <PUBLIC_IPS> Comma separated list of public ip addresses that will be announced to the nym-api and subsequently to the clients. In
nearly all circumstances, it's going to be identical to the address you're going to use for bonding [env:
NYMNODE_PUBLIC_IPS=]
--hostname <HOSTNAME> Optional hostname associated with this gateway that will be announced to the nym-api and subsequently to the clients
[env: NYMNODE_HOSTNAME=]
--location <LOCATION> Optional **physical** location of this node's server. Either full country name (e.g. 'Poland'), two-letter alpha2 (e.g.
'PL'), three-letter alpha3 (e.g. 'POL') or three-digit numeric-3 (e.g. '616') can be provided [env: NYMNODE_LOCATION=]
--http-bind-address <HTTP_BIND_ADDRESS> Socket address this node will use for binding its http API. default: `[::]:8080` [env: NYMNODE_HTTP_BIND_ADDRESS=]
--landing-page-assets-path <LANDING_PAGE_ASSETS_PATH> Path to assets directory of custom landing page of this node [env: NYMNODE_HTTP_LANDING_ASSETS=]
--http-access-token <HTTP_ACCESS_TOKEN> An optional bearer token for accessing certain http endpoints. Currently only used for prometheus metrics [env:
NYMNODE_HTTP_ACCESS_TOKEN=]
--expose-system-info <EXPOSE_SYSTEM_INFO> Specify whether basic system information should be exposed. default: true [env: NYMNODE_HTTP_EXPOSE_SYSTEM_INFO=]
[possible values: true, false]
--expose-system-hardware <EXPOSE_SYSTEM_HARDWARE> Specify whether basic system hardware information should be exposed. default: true [env:
NYMNODE_HTTP_EXPOSE_SYSTEM_HARDWARE=] [possible values: true, false]
--expose-crypto-hardware <EXPOSE_CRYPTO_HARDWARE> Specify whether detailed system crypto hardware information should be exposed. default: true [env:
NYMNODE_HTTP_EXPOSE_CRYPTO_HARDWARE=] [possible values: true, false]
--nyxd-urls <NYXD_URLS> Addresses to nyxd chain endpoint which the node will use for chain interactions [env: NYMNODE_NYXD=]
--nyxd-websocket-url <NYXD_WEBSOCKET_URL> Url to the websocket endpoint of a nyx validator, for example `wss://rpc.nymtech.net/websocket`. It is used for
subscribing to new block events [env: NYMNODE_NYXD_WEBSOCKET=]
--mixnet-bind-address <MIXNET_BIND_ADDRESS> Address this node will bind to for listening for mixnet packets default: `[::]:1789` [env: NYMNODE_MIXNET_BIND_ADDRESS=]
--mixnet-announce-port <MIXNET_ANNOUNCE_PORT> If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the
node is behind a proxy [env: NYMNODE_MIXNET_ANNOUNCE_PORT=]
--nym-api-urls <NYM_API_URLS> Addresses to nym APIs from which the node gets the view of the network [env: NYMNODE_NYM_APIS=]
--enable-console-logging <ENABLE_CONSOLE_LOGGING> Specify whether running statistics of this node should be logged to the console [env: NYMNODE_ENABLE_CONSOLE_LOGGING=]
[possible values: true, false]
--wireguard-enabled <WIREGUARD_ENABLED> Specifies whether the wireguard service is enabled on this node [env: NYMNODE_WG_ENABLED=] [possible values: true,
false]
--wireguard-bind-address <WIREGUARD_BIND_ADDRESS> Socket address this node will use for binding its wireguard interface. default: `[::]:51822` [env:
NYMNODE_WG_BIND_ADDRESS=]
--wireguard-tunnel-announced-port <WIREGUARD_TUNNEL_ANNOUNCED_PORT> Tunnel port announced to external clients wishing to connect to the wireguard interface. Useful in the instances where
the node is behind a proxy [env: NYMNODE_WG_ANNOUNCED_PORT=]
--wireguard-private-network-prefix <WIREGUARD_PRIVATE_NETWORK_PREFIX> The prefix denoting the maximum number of the clients that can be connected via Wireguard. The maximum value for IPv4 is
32 and for IPv6 is 128 [env: NYMNODE_WG_PRIVATE_NETWORK_PREFIX=]
--wireguard-userspace <WIREGUARD_USERSPACE> Use userspace implementation of WireGuard (wireguard-go) instead of kernel module. Useful in containerized environments
without kernel WireGuard support [env: NYMNODE_WG_USERSPACE=] [possible values: true, false]
--verloc-bind-address <VERLOC_BIND_ADDRESS> Socket address this node will use for binding its verloc API. default: `[::]:1790` [env: NYMNODE_VERLOC_BIND_ADDRESS=]
--verloc-announce-port <VERLOC_ANNOUNCE_PORT> If applicable, custom port announced in the self-described API that other clients and nodes will use. Useful when the
node is behind a proxy [env: NYMNODE_VERLOC_ANNOUNCE_PORT=]
--entry-bind-address <ENTRY_BIND_ADDRESS> Socket address this node will use for binding its client websocket API. default: `[::]:9000` [env:
NYMNODE_ENTRY_BIND_ADDRESS=]
--announce-ws-port <ANNOUNCE_WS_PORT> Custom announced port for listening for websocket client traffic. If unspecified, the value from the `bind_address` will
be used instead [env: NYMNODE_ENTRY_ANNOUNCE_WS_PORT=]
--announce-wss-port <ANNOUNCE_WSS_PORT> If applicable, announced port for listening for secure websocket client traffic [env: NYMNODE_ENTRY_ANNOUNCE_WSS_PORT=]
--enforce-zk-nyms <ENFORCE_ZK_NYMS> Indicates whether this gateway is accepting only coconut credentials for accessing the mixnet or if it also accepts
non-paying clients [env: NYMNODE_ENFORCE_ZK_NYMS=] [possible values: true, false]
--mnemonic <MNEMONIC> Custom cosmos wallet mnemonic used for zk-nym redemption. If no value is provided, a fresh mnemonic is going to be
generated [env: NYMNODE_MNEMONIC=]
--upgrade-mode-attestation-url <UPGRADE_MODE_ATTESTATION_URL> Endpoint to query to retrieve current upgrade mode attestation. This argument should never be set outside testnets and
local networks [env: NYMNODE_UPGRADE_MODE_ATTESTATION_URL=]
--upgrade-mode-attester-public-key <UPGRADE_MODE_ATTESTER_PUBLIC_KEY> Expected public key of the entity signing the published attestation. This argument should never be set outside testnets
and local networks [env: NYMNODE_UPGRADE_MODE_ATTESTER_PUBKEY=]
--upstream-exit-policy-url <UPSTREAM_EXIT_POLICY_URL> Specifies the url for an upstream source of the exit policy used by this node [env: NYMNODE_UPSTREAM_EXIT_POLICY=]
--open-proxy <OPEN_PROXY> Specifies whether this exit node should run in 'open-proxy' mode and thus would attempt to resolve **ANY** request it
receives [env: NYMNODE_OPEN_PROXY=] [possible values: true, false]
--nr-allow-local-ips <NR_ALLOW_LOCAL_IPS> Allow the network requester to forward traffic to non-globally-routable addresses. Intended for local development,
private-network deployments, and testnet scenarios. Not recommended on production exit gateway unless you know what
you're doing [env: NYMNODE_NR_ALLOW_LOCAL_IPS=] [possible values: true, false]
--ipr-allow-local-ips <IPR_ALLOW_LOCAL_IPS> Allow the IP packet router to forward traffic to non-globally-routable addresses. Intended for local development,
private-network deployments, and testnet scenarios. Not recommended on production exit gateway unless you know what
you're doing [env: NYMNODE_IPR_ALLOW_LOCAL_IPS=] [possible values: true, false]
--lp-control-bind-address <LP_CONTROL_BIND_ADDRESS> Bind address for the TCP LP control traffic. default: `[::]:41264` [env: NYMNODE_LP_CONTROL_BIND_ADDRESS=]
--lp-control-announce-port <LP_CONTROL_ANNOUNCE_PORT> Custom announced port for listening for the TCP LP control traffic. If unspecified, the value from the
`lp_control_bind_address` will be used instead [env: NYMNODE_LP_CONTROL_ANNOUNCE_PORT=]
--lp-data-bind-address <LP_DATA_BIND_ADDRESS> Bind address for the UDP LP data traffic. default: `[::]:51264` [env: NYMNODE_LP_DATA_BIND_ADDRESS=]
--lp-data-announce-port <LP_DATA_ANNOUNCE_PORT> Custom announced port for listening for the UDP LP data traffic. If unspecified, the value from the
`lp_data_bind_address` will be used instead [env: NYMNODE_LP_DATA_ANNOUNCE_PORT=]
--lp-use-mock-ecash <LP_USE_MOCK_ECASH> Use mock ecash manager for LP testing. WARNING: Only use this for local testing! Never enable in production. When
enabled, the LP listener will accept any credential without blockchain verification [env: NYMNODE_LP_USE_MOCK_ECASH=]
[possible values: true, false]
-h, --help Print help
```
+1 -1
View File
@@ -1526,7 +1526,7 @@ const config = {
form-action 'self';
frame-ancestors 'none';
upgrade-insecure-requests;
connect-src 'self' wss://nym-node-cli.devrel.nymte.ch:9001 https://github.com *.vercel.app *.nymtech.net *.nymvpn.com *.nymte.ch *.nyx.network *.nym.com https://nym.com nymvpn.com https://nymvpn.com *.nymtech.cc;
connect-src 'self' wss://nym-node-cli.devrel.nymte.ch:9001 https://github.com *.vercel.app *.nymtech.net *.nymvpn.com *.nymte.ch *.nyx.network *.nym.com https://nym.com nymvpn.com https://nymvpn.com *.nymtech.cc https://ipinfo.io;
frame-src 'self' https://vercel.live *.vercel.app *.nym.com https://nym.com;
worker-src 'self' blob: https://vercel.live *.vercel.app *.nym.com https://nym.com;
`;
@@ -13,6 +13,9 @@ export const EnsDemo = dynamic(
{ ssr: false },
)
import { NetworkTabCallout } from '../../../components/demos/shared/NetworkTabCallout'
import { MixnetGlossary } from '../../../components/demos/shared/MixnetGlossary'
# ENS over the mixnet
A normal ENS lookup (name to address to IPFS website) built with
@@ -64,6 +67,8 @@ not, so the demo adds a `DecompressionStream` step after each response (Cloudfla
gzips RPC replies). The full version with decompression and per-call logging is in
[`components/demos/ens/lib.ts`](https://github.com/nymtech/nym/tree/develop/documentation/docs/components/demos/ens).
On npm: [`@nymproject/mix-fetch`](https://www.npmjs.com/package/@nymproject/mix-fetch) and [`ethers`](https://www.npmjs.com/package/ethers).
The lookup itself is three steps, each an Ethereum call or HTTPS GET over the same
tunnel:
@@ -83,6 +88,8 @@ Connect to bring the tunnel up (a default IPR exit is pinned; tick **Use random
IPR** for auto-discovery), click **Verify IP routing** to confirm traffic exits
through Nym, then run the three steps.
<NetworkTabCallout />
<EnsDemo />
## What to expect
@@ -93,26 +100,15 @@ through Nym, then run the three steps.
sequential round trips). smolmix keeps that connection warm and reuses it, so
later requests to the same host are much quicker. A long pause is handshakes in
flight, not a hang.
- **You will not see the requests in DevTools.** The RPC and IPFS requests never
touch the browser's `fetch`. They leave the worker as encrypted packets over a
single WebSocket to the entry gateway, which is the one connection the Network
tab shows.
- **You will not see the tunnelled requests in DevTools.** The RPC and IPFS
requests never touch the browser's `fetch`. They leave the worker as encrypted
packets over a single WebSocket to the entry gateway, which is the one
connection the Network tab shows. The exception is **Verify IP routing**, which
deliberately makes one direct clearnet call to ipinfo.io for comparison.
- **Rate limiting.** Public IPFS gateways and Ethereum RPCs rate-limit shared IP
addresses. If requests start failing with 403, 429, or connection errors, the
exit IP is likely flagged: tick **Use random IPR** and reload for a fresh exit.
## Glossary
- **Mixnet.** An overlay network that routes your traffic through several relays
and mixes it with other people's, hiding who is talking to whom. Nym operates one.
- **Entry gateway.** Your first hop into the mixnet. Your browser holds one
WebSocket to it; all tunnelled traffic rides that connection as opaque frames.
- **IPR (IP Packet Router), the exit.** The mixnet's exit point onto the normal
internet. The RPC node and IPFS gateway see the IPR's IP address, never yours.
- **SURB (single-use reply block).** A prepaid, single-use return envelope. It
lets the exit send a reply back through the mixnet without learning your address.
- **Cover traffic / Poisson timing.** Decoy packets and randomised send timing.
Together they keep your real traffic statistically hard to pick out.
- **mixFetch.** The [`@nymproject/mix-fetch`](/developers/mix-fetch) package's
`fetch()`-shaped function. It runs the mixnet client (smolmix) in a Web Worker
and sends your request through the mixnet instead of the browser's network stack.
<MixnetGlossary />
@@ -13,6 +13,9 @@ export const RailgunDemo = dynamic(
{ ssr: false },
)
import { NetworkTabCallout } from '../../../components/demos/shared/NetworkTabCallout'
import { MixnetGlossary } from '../../../components/demos/shared/MixnetGlossary'
# Railgun over the mixnet
Two privacy layers stacked. **Nym** hides the network layer: every Ethereum RPC
@@ -67,6 +70,8 @@ Railgun resolve to different ethers copies, the handler installs on one and the
engine uses the other. Pin the exact ethers version Railgun peer-depends on (this
demo aliases ethers to one instance in the bundler).
On npm: [`@nymproject/mix-fetch`](https://www.npmjs.com/package/@nymproject/mix-fetch), [`@railgun-community/wallet`](https://www.npmjs.com/package/@railgun-community/wallet), and [`ethers`](https://www.npmjs.com/package/ethers).
Shielding is a four-step flow, all over the mixnet: sign a shield key, estimate
gas, populate the transaction, then sign and broadcast. The broadcast that lands
on Sepolia is observable on Etherscan, but the IP that submitted it stays hidden.
@@ -83,6 +88,8 @@ small amount. If the wallet is low, top it up at a
**Sepolia testnet only.** The wallet holds only test ETH and the mnemonic is
stored in plain browser storage. Never paste a mainnet mnemonic.
<NetworkTabCallout />
<RailgunDemo />
## What to expect
@@ -97,3 +104,7 @@ stored in plain browser storage. Never paste a mainnet mnemonic.
- **Rate limiting.** If RPC calls start failing with 403/429 or connection
errors, the exit IP is flagged: disconnect, tick **Use random IPR**, reload,
and reconnect for a fresh exit.
## Glossary
<MixnetGlossary />
@@ -9,6 +9,7 @@ lastUpdated: "2026-06-09"
import { Callout } from 'nextra/components'
import { MixPlayground } from '../../components/playground/MixPlayground'
import { MessagingDemo } from '../../components/playground/messaging-section'
import { NetworkTabCallout } from '../../components/demos/shared/NetworkTabCallout'
# Mixnet playground
@@ -19,18 +20,11 @@ This playground runs Nym's browser TypeScript packages against the live mixnet.
Some sections send the same request over the tunnel and over the clearnet, so you can compare the two.
On npm: [`@nymproject/mix-fetch`](https://www.npmjs.com/package/@nymproject/mix-fetch), [`@nymproject/mix-dns`](https://www.npmjs.com/package/@nymproject/mix-dns), [`@nymproject/mix-tunnel`](https://www.npmjs.com/package/@nymproject/mix-tunnel), [`@nymproject/mix-websocket`](https://www.npmjs.com/package/@nymproject/mix-websocket), and [`@nymproject/sdk`](https://www.npmjs.com/package/@nymproject/sdk).
## HTTPS / DNS / WebSockets
<Callout type="info">
**Watch the Network tab.** Open DevTools → Network before you connect. Once
`setupMixTunnel` reports ready, every tunnel operation here (`mixFetch`,
`mixDNS`, `MixWebSocket`) adds **no new request** to that tab: it is multiplexed
inside the single WebSocket to the entry gateway. Only the *clearnet* comparison
buttons add rows. (Setup also fetches the network topology over HTTPS and
refreshes it periodically, so those nym-api calls and the gateway WebSocket are
the only clearnet requests you will see.) Your real traffic never leaves the
browser as an identifiable, per-destination request.
</Callout>
<NetworkTabCallout />
<Callout type="info">
Everything here runs client-side over the live Nym mixnet. The first