[NTM]: NIP-7 port update & [DOCs/operators]: Release notes for v2026.2 oscypek (#6384)

* add operators notes

* add dev notes

* bump up version

* open NIP-7 ports

* bump up stats

* fix incorrect dash
This commit is contained in:
import this
2026-01-29 13:21:28 +00:00
committed by GitHub
parent 561182ce6b
commit 982786b678
8 changed files with 152 additions and 11 deletions
@@ -1 +1 @@
Thursday, January 15th 2026, 09:44:55 UTC
Wednesday, January 28th 2026, 09:28:07 UTC
@@ -76,6 +76,10 @@ Options:
Indicates whether this gateway is accepting only coconut credentials for accessing the mixnet or if it also accepts non-paying clients [env: NYMNODE_ENFORCE_ZK_NYMS=] [possible values: true, false]
--mnemonic <MNEMONIC>
Custom cosmos wallet mnemonic used for zk-nym redemption. If no value is provided, a fresh mnemonic is going to be generated [env: NYMNODE_MNEMONIC=]
--upgrade-mode-attestation-url <UPGRADE_MODE_ATTESTATION_URL>
Endpoint to query to retrieve current upgrade mode attestation. This argument should never be set outside testnets and local networks [env: NYMNODE_UPGRADE_MODE_ATTESTATION_URL=]
--upgrade-mode-attester-public-key <UPGRADE_MODE_ATTESTER_PUBLIC_KEY>
Expected public key of the entity signing the published attestation. This argument should never be set outside testnets and local networks [env: NYMNODE_UPGRADE_MODE_ATTESTER_PUBKEY=]
--upstream-exit-policy-url <UPSTREAM_EXIT_POLICY_URL>
Specifies the url for an upstream source of the exit policy used by this node [env: NYMNODE_UPSTREAM_EXIT_POLICY=]
--open-proxy <OPEN_PROXY>
@@ -25,12 +25,12 @@
| [LiteServer](https://liteserver.nl) | Netherlands | Yes, on by default | Yes | Very reliable Dutch provider. They do allow Relay nodes but for Exit nodes you need to contact them. Always check T&C https://liteserver.nl/legal | 07/2024 |
| [Lowendbox](https://lowendbox.com/category/dedicated-servers) | | | | Just an aggregator with good offers | 07/2025 |
| [M247](https://m247.com/eu/services/host/dedicated-servers/) | UK, Austria, Br, Sw, Jp, Poland, Fr, USA, Netherlands | Yes | No | nan | 07/2025 |
| [Mebilcom](https://www.melbicom.net/dedicatedserver/) | NL, USA, DE, UAE, NG, ESP, IN, IT, FR, LT, SG, BG, LV, PL | nan | No | nan | 07/2025 |
| [Mebilcom](https://www.melbicom.net/dedicatedserver/) | NL, US, DE, UAE, NG, ESP, IN, IT, FR, LT, SG, BG, LV, PL | nan | No | nan | 07/2025 |
| [Mevspace](https://mevspace.com) | Poland | Yes, on by default | Yes | Flexible Polish providers with 3 DCs in Poland. They do allow Tor Exit nodes but you may need a dedicated server for this. Make sure you open a ticket to check. As of today's date, they have 48h for 1 EUR tariff | 07/2024 |
| [Misaka](https://www.misaka.io/) | South Africa | Yes, native support | No | Very Expensive | 05/2024 |
| [NiceVPS](https://nicevps.net/) | Netherlands | Yes | nan | nan | 07/2025 |
| [Njalla](https://nja.la) | Sweden | Yes | Yes | Privacy vandguards! The biggest VPS 45 is 3 cores only, but it works better than many “larger” servers on the market. | 05/2024 |
| [OVH](https://us.ovhcloud.com/bare-metal/rise/rise-3/) | USA, DE, FR, UK, PL, CA | | No | Not all locations always available | 07/2025 |
| [OVH](https://us.ovhcloud.com/bare-metal/rise/rise-3/) | USA, DE, FR, UK, PL, CA | | No | Exit nodes not allowed on VPS offering, see their [Service Specific Terms](https://us.ovhcloud.com/legal/service-specific-terms/). Not all locations always available | 09/2025 |
| [Oneprovider](https://oneprovider.com/en/dedicated-servers/ipv6) | PL, FR, NL, UA, USA, BG, RO, DK, ESP, NO, CZ, RS, IE, IT, UK, HU, CH, SK, AT, BE, BA, HK, JP, SG, LU, AU, SWE, UAE, BR, CR, MX, GR, CL, MA, AR | Yes | No | nan | 07/2025 |
| [PrivateLayer](https://privatelayer.com) | Swiss | Yes | Yes | Slow customer response | 07/2025 |
| [Privex](https://www.privex.io/tor-exit-policy/) | USA, Germany, Sweden | Yes | Yes | nan | 07/2025 |
@@ -49,6 +49,136 @@ This page displays a full list of all the changes during our release cycle from
<VarInfo />
## `v2026.2-oscypek`
- [Release Binaries](https://github.com/nymtech/nym/releases/tag/nym-binaries-v2026.2-oscypek)
- [`nym-node`](nodes/nym-node.mdx) version `1.24.0`
```sh
nym-node
Binary Name: nym-node
Build Timestamp: 2026-01-27T14:54:15.579821601Z
Build Version: 1.24.0
Commit SHA: 83bf9dc7cc2b01f65cab671733f2bf6c3abd471d
Commit Date: 2026-01-27T15:46:52.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.91.1
rustc Channel: stable
cargo Profile: release
```
### Operators Updates & Tools
<Callout type="warning" emoji="⚠️">
**This release comes with breaking changes - please follow the [steps below](#oscypek-special-update) before upgrading!**
Secondly, the outcome of [NIP-7: Nym Exit Policy Update - Opening Ports for Steam, Discord & SSH](https://governator.nym.com/proposal/prop-281e9ec1-8e10-4e97-848c-311823e83f61), is added to the [Network tunnel manager (NTM)](https://github.com/nymtech/nym/blob/develop/scripts/nym-node-setup/network-tunnel-manager.sh) and operators are required to rerun the tool on their servers as [documented here](update-nym-exit-policy).
</ Callout>
#### `oscypek` special update
This release brings changes which would lead into a *foreign constraint bug* if operators just switched binaries and restarted the node. To prevent it we need to do a little `sqlite` tweak on the node database.
To simplify this, we made **a build in command, which operators must run after getting the new binary, but beofre restarting the node.**
These are the steps to follow:
<Steps>
###### 1. Get `oscypek` binary
- SSH to your machine as root
- Navigate to the destination where you have `nym-node` binary
- Get the latest binary and provide it with permissions to run
```sh
curl -L "https://github.com/nymtech/nym/releases/download/nym-binaries-v2026.2-oscypek/nym-node" -o nym-node && \
chmod +x nym-node
```
###### 2. Run `debug` command
```sh
./nym-node debug reset-providers-gateway-dbs --id <ID>
```
###### 3. Restart your node
- Restart the `nym-node.service`
```sh
systemctl restart nym-node
```
- Additionaly look for starus or serivice journal
```sh
service nym-node status
# or
journalctl -u nym-node -f --all
```
</ Steps>
#### Update Nym exit policy
As a result of [NIP-7: Nym Exit Policy Update - Opening Ports for Steam, Discord & SSH](https://governator.nym.com/proposal/prop-281e9ec1-8e10-4e97-848c-311823e83f61), we updated [`network-tunnel-manager.sh` (NTM)](https://github.com/nymtech/nym/blob/develop/scripts/nym-node-setup/network-tunnel-manager.sh). Every operator is required to download and re-run the current version of NTM on the servers hosting Nym nodes.
These are the steps for the exit policy update, using NTM.
<Steps>
###### 1. Get the new NTM
- Download the updated NTM and make executable
```sh
curl -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh -o ./network-tunnel-manager.sh && \
chmod +x network-tunnel-manager.sh
```
###### 2. Update exit policy
- To be sure that your routing is clean, run this command:
```sh
./network-tunnel-manager.sh complete_networking_configuration
```
</ Steps>
### Features
- [Deriving `Serialize` for `GatewayData`](https://github.com/nymtech/nym/pull/6314): Deriving `Serialize` for gateway data, that will be used by the diagnostic tool in the `vpn-client` repo
- [DNS static table pre-resolve](https://github.com/nymtech/nym/pull/6297): This PR adds pre-resolve stage that returns addres if we have used static table previously. This ensures that we don't continually suffer the penalty of a lookup timeout, while also allowing for the possibility of going back to the default internal secure resolver if one or more nameservers becomes usable again at a future time.
- [Add `Copy+Clone` to `nym_api_provider::Config`](https://github.com/nymtech/nym/pull/6296): Add `Copy+Clone` to `nym_client_core::client::topology_control::nym_api_provider::Config`
- [LP Registration + Telescoping + Gateway Probe Localnet Mode](https://github.com/nymtech/nym/pull/6286): Combines LP registration protocol implementation, adds telescoping/nested sessions support, adds localnet mode for `gateway-probe` testing, integrates KKT & PSQ cryptographic primitives
- [Minor DNS improvements](https://github.com/nymtech/nym/pull/6283): Increase timeouts back to 10 seconds for overall lookup and 5 seconds per query, gnore unreliable test, remove JIT resolution in http client as it is at best not useful, and at worst increasing timeout
- [HTTP client without default features](https://github.com/nymtech/nym/pull/6281): Fix compile issue caused when using the http client using `default-features=false`
- [DNS: reduce number of attempts](https://github.com/nymtech/nym/pull/6278): Reduce number of retry attempts performed by hickory to `0`, define `new_resolver` as infallible, use `ResolverOpts` to build builder
- [Fallback gateway listener and remove legacy key support](https://github.com/nymtech/nym/pull/6249)
- [Fix assertion](https://github.com/nymtech/nym/pull/6238)
- [Initial changes to support extra configurable parameters and to print…](https://github.com/nymtech/nym/pull/6237): This branch adds support for the additional configurable parameters introduced in `nicolas/sdk-param-support-debug` in the nym vpn client branch and also debugging messages to verify that it works
- [Data Observatory](https://github.com/nymtech/nym/pull/6172): This PR adds the Data Observatory that is:
- chain scraper
- parses Cosmos SDK messages
- parses Cosmwasm messages
- stores data in pgsql
### Bugfix
- [Downgrade gateway protocol to clients proposed version](https://github.com/nymtech/nym/pull/6377)
- [Ack fix](https://github.com/nymtech/nym/pull/6364)
- [Sqlite transaction escalation was causing errors ](https://github.com/nymtech/nym/pull/6299): Getting tickets from credential storage requires a transaction doing a read and then a write. Running registration in parallel was causing sqlite to return errors, because it can't escalate two transactions, only one.
- [Use proper mixing delay instead of poisson delay in cover traffic](https://github.com/nymtech/nym/pull/6269): Currently the secondary cover traffic loop uses its Poisson process delays instead of a proper mixing delay, this PR fixes that
### Refactors & Maintenance
- [Update nix to `v0.30.1`](https://github.com/nymtech/nym/pull/6316)
- [Rremove repetitive words in comment](https://github.com/nymtech/nym/pull/6313)
- [Clippy fixes and use fixed rust version from `REQUIRED_RUSTC_VERSION`](https://github.com/nymtech/nym/pull/6295)
## `v2026.1-niolo`
- [Release Binaries](https://github.com/nymtech/nym/releases/tag/nym-binaries-v2026.1-niolo)
@@ -120,7 +250,7 @@ Please, let us know how that worked for you.
- [`gateway-probe` fixes for run-local](https://github.com/nymtech/nym/pull/6212)
- [Upgrade mode: VPN adjustments](https://github.com/nymtech/nym/pull/6189): This PR further builds up on [\#6174](https://github.com/nymtech/nym/pull/6174) to include changes required by the VPN-client to fully support the upgrade mode, what is relevant here is that this PR modifies the credential storage to allow it to storage an opaque `emergency credential` that lets it be shared between sessions (if it is still valid) ]
- [Upgrade mode: VPN adjustments](https://github.com/nymtech/nym/pull/6189): This PR further builds up on [\#6174](https://github.com/nymtech/nym/pull/6174) to include changes required by the VPN-client to fully support the upgrade mode, what is relevant here is that this PR modifies the credential storage to allow it to storage an opaque `emergency credential` that lets it be shared between sessions (if it is still valid)
- [Add weighted scoring to NS API](https://github.com/nymtech/nym/pull/6144)
@@ -21,11 +21,11 @@ This documentation page provides a guide on how to set up and run a [NYM NODE](.
```sh
nym-node
Binary Name: nym-node
Build Timestamp: 2025-12-02T16:21:03.251191389Z
Build Version: 1.23.0
Commit SHA: 46fe1bc8191f42aa27f34743c96e9e9f26453d87
Commit Date: 2025-12-02T15:29:30.000000000Z
Commit Branch: release/2025.22-niolo
Build Timestamp: 2026-01-27T14:54:15.579821601Z
Build Version: 1.24.0
Commit SHA: 83bf9dc7cc2b01f65cab671733f2bf6c3abd471d
Commit Date: 2026-01-27T15:46:52.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.91.1
rustc Channel: stable
cargo Profile: release
@@ -651,6 +651,7 @@ apply_port_allowlist() {
["NTP"]="123"
["IMAP"]="143"
["IMAP3"]="220"
["SSHAlternative1"]="223"
["LDAP"]="389"
["HTTPS"]="443"
["SMBWindowsFileShare"]="445"
@@ -688,10 +689,13 @@ apply_port_allowlist() {
["GNUnet"]="2086-2087"
["NBX"]="2095-2096"
["Zephyr"]="2102-2104"
["SSHAlternative2"]="2222"
["XboxLive"]="3074"
["MySQL"]="3306"
["SteamGaming1"]="3478"
["SVN"]="3690"
["RWHOIS"]="4321"
["SteamGaming2"]="4379-4380"
["Virtuozzo"]="4643"
["RTPVOIP"]="5000-5005"
["MMCC"]="5050"
@@ -727,6 +731,7 @@ apply_port_allowlist() {
["DarkFi"]="26661"
["Steam"]="27000-27050"
["WhatsAppRange"]="3478-3484"
["DiscordVoiceChat"]="50000-65535"
["ElectrumSSL"]="50002"
["MOSH"]="60000-61000"
["Mumble"]="64738"
@@ -1067,6 +1072,8 @@ test_port_range_rules() {
"8332-8333:tcp:bitcoin"
"18080-18081:tcp:monero"
"3478-3484:tcp:whatsapp"
"50000-65535:tcp:discord"
"4379-4380:tcp:steam"
)
local failures=0