diff --git a/documentation/docs/components/operators/snippets/wg-exit-policy-test.mdx b/documentation/docs/components/operators/snippets/wg-exit-policy-test.mdx index e69de29bb2..f8a25006f3 100644 --- a/documentation/docs/components/operators/snippets/wg-exit-policy-test.mdx +++ b/documentation/docs/components/operators/snippets/wg-exit-policy-test.mdx @@ -0,0 +1,39 @@ +import { Tabs } from 'nextra/components'; +import { Steps } from 'nextra/components'; + +import ExitPolicyTestServer from 'components/operators/snippets/wg-exit-policy-testing-from-server.mdx'; +import ExitPolicyTestOutside from 'components/operators/snippets/wg-exit-policy-testing-from-outside.mdx'; + +**For all routing configuration we provide one tool [`network-tunnel-manager.sh` (NTM)](https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/wireguard-exit-policy/wireguard-exit-policy-manager.sh). This tool manages WireGuard tests all configurations, including WireGuard exit policy as well.** + + +You can use NTM to validate the application of the IP tables routes on your `nym-node` by checking it from the server side as well as from the outside. + +
+ From the server, + From the outside - using NymVPN + ]} defaultIndex={0}> + + + +
+ + +If all works , your node has successfully implemented WireGuard exit policy with the same routing permissions like [Nym exit policy](https://nymtech.net/.wellknown/network-requester/exit-policy.txt) used on 5-hop (Mixnet) for TCP routing. + + + + + + + + + + + + + + + + diff --git a/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-outside.mdx b/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-outside.mdx index ebc11c315c..35b61745db 100644 --- a/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-outside.mdx +++ b/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-outside.mdx @@ -1,9 +1,29 @@ +import { Steps } from 'nextra/components'; + +Here are a few ways you can ensre your WireGuard exit policy is working correctly from the outside. + + + +###### 1. Using NymVPN + +- Connect to NymVPN and use your node as an Exit Gateway in dVPN (2-hop) mode + +- While connected to NymVPN, navigate to [`portquiz.net:12345`](http://portquiz.net:12345) and see if you can load the page + +- It shouldn't load, but if you navigate to some of the accepted ports, like[`portquiz.net:443`](http://portquiz.net:443) it should all work + +###### 2. Test it from your local terminal + - Install these dependencies on your local machine: ```shell sudo apt install tcpdump sudo tcpdump -i nymwg -n ``` -- Connect to [NymVPN](https://nym.com) and select your node as an Exit Gateway (after running the exit policy [manager script](#wireguard-exit-policy-configuration)) +- Connect to [NymVPN](https://nym.com) and select your node as an Exit Gateway + - Run the `tcpdump` command before registering -- Have the output of the `echo $BLOCKED_IP` from your node and try to go into your browser or a registered client and try to connect - It will not resolve. + +- Have the output of the `echo $BLOCKED_IP` from your node and try to go into your browser or a registered client and try to connect - It should not resolve + + \ No newline at end of file diff --git a/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-server.mdx b/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-server.mdx index 02fe54adfa..501dcc3876 100644 --- a/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-server.mdx +++ b/documentation/docs/components/operators/snippets/wg-exit-policy-testing-from-server.mdx @@ -1,11 +1,39 @@ -Run this command to define variable `BLOCKED_IP` and try to `ping` it: +import { Steps } from 'nextra/components'; +import { AccordionTemplate } from 'components/accordion-template.tsx'; +import ExitPolicyTestOutput from 'components/operators/snippets/wg-exit-policy-test-output.mdx'; + + + + +###### 1. Make sure to have the latest NTM: +```sh +curl -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh -o network-tunnel-manager.sh && \ +chmod +x network-tunnel-manager.sh && \ +./network-tunnel-manager.sh --help +``` + +###### 2. Run tests with NTM +```sh +./network-tunnel-manager.sh exit_policy_test_connectivity +./network-tunnel-manager.sh exit_policy_tests +``` + +- The output should look like this: + + + + +###### 3. Optionally you can do some manual sanity checks +- Run this command to define variable `BLOCKED_IP` and try to `ping` it: ```shell BLOCKED_IP=$(grep "ExitPolicy reject" /etc/nym/exit-policy.txt | head -1 | sed -E 's/ExitPolicy reject ([^:]+):.*/\1/' | sed 's/\/.*$//') ping -c 3 $BLOCKED_IP ``` -You should see `100% packet loss` as an outcome. +- You should see `100% packet loss` as an outcome. ```shell telnet $BLOCKED_IP 80 ``` -You should see `telnet: Unable to connect to remote host: Connection timed out`. +- You should see `telnet: Unable to connect to remote host: Connection timed out`. + + \ No newline at end of file