NymVPN alpha CLI: Guide for MacOS
NymVPN is an experimental software and it’s for testing purposes only. All users testing the client are expected to sign GDPR Information Sheet and Consent Form (shared at the workshop) so we use their results to improve the client, and submit the form NymVPN User research with the testing results.
Preparation
Any syntax in
<>
brackets is a user’s/version unique variable. Exchange with a corresponding name without the<>
brackets.
- Open Github releases page and download the binary for MacOS
- Verify sha hash of your downloaded binary with the one listed on the releases page. You can use a simple
shasum
command and compare strings (ie with Python) or run in the same directory the following command, exchanging<SHA_STRING>
with the one of your binary, like in the example:
echo "<SHA_STRING>" | shasum -a 256 -c
# choose a correct one according to your binary, this is just an example
# echo "96623ccc69bc4cc0e4e3e18528b6dae6be69f645d0a592d926a3158ce2d0c269 nym-vpn-cli_0.0.7_macos_x86_64.zip" | shasum -a 256 -c
- Extract files:
tar -xvf <BINARY>
# for example
# tar -xvf nym-vpn-cli_0.0.7_macos_aarch64.tar.gz
- Make executable by running:
# possibly you may have to cd into a sub-directory
chmod u+x ./nym-vpn-cli
- Create Sandbox environment config file by saving this as
sandbox.env
in the same directory as your NymVPN binaries by running:
curl -L "https://raw.githubusercontent.com/nymtech/nym/develop/envs/sandbox.env" -o sandbox.env
Run NymVPN
For NymVPN to work, all other VPNs must be switched off! At this alpha stage of NymVPN, the network connection (wifi) must be reconnected after or in between the testing rounds.
Make sure your terminal is open in the same directory as your nym-vpn-cli
binary.
- Go to nymvpn.com/en/alpha to get the entire command with all the needed arguments’ values and your wireguard private key for testing purposes
- Run it as root with
sudo
- the command will look like this with specified arguments:
sudo ./nym-vpn-cli -c ./sandbox.env --entry-gateway-id <ENTRY_GATEWAY_ID> --exit-router-address <EXIT_ROUTER_ADDRESS> --enable-wireguard --private-key <PRIVATE_KEY> --wg-ip <WIREGUARD_IP>
- To choose different Gateways, visit nymvpn.com/en/alpha/api/gateways and pick one
- See all possibilities in command explanation section below
In case of errors, see troubleshooting section.
CLI Commands and Options
The basic syntax of nym-vpn-cli
is:
sudo ./nym-vpn-cli -c ./sandbox.env --entry-gateway-id <ENTRY_GATEWAY_ID> --exit-router-address <EXIT_ROUTER_ADDRESS> --enable-wireguard --private-key <PRIVATE_KEY> --wg-ip <WG_IP>
- To choose different Gateways, visit nymvpn.com/en/alpha/api/gateways
- To see all possibilities run with
--help
flag:
./nym-vpn-cli --help
Console output
Usage: nym-vpn-cli [OPTIONS]
Options:
-c, --config-env-file <CONFIG_ENV_FILE>
Path pointing to an env file describing the network
--mixnet-client-path <MIXNET_CLIENT_PATH>
Path to the data directory of a previously initialised mixnet client, where the keys reside
--entry-gateway-id <ENTRY_GATEWAY_ID>
Mixnet public ID of the entry gateway
--entry-gateway-country <ENTRY_GATEWAY_COUNTRY>
Auto-select entry gateway by country ISO
--exit-router-address <EXIT_ROUTER_ADDRESS>
Mixnet recipient address
--exit-gateway-id <EXIT_GATEWAY_ID>
--exit-router-country <EXIT_ROUTER_COUNTRY>
Mixnet recipient address
--enable-wireguard
Enable the wireguard traffic between the client and the entry gateway
--private-key <PRIVATE_KEY>
Associated private key
--wg-ip <WG_IP>
The IP address of the wireguard interface used for the first hop to the entry gateway
--nym-ip <NYM_IP>
The IP address of the nym TUN device that wraps IP packets in sphinx packets
--nym-mtu <NYM_MTU>
The MTU of the nym TUN device that wraps IP packets in sphinx packets
--disable-routing
Disable routing all traffic through the nym TUN device. When the flag is set, the nym TUN device will be created, but to route traffic through it you will need to do it manually, e.g. ping -Itun0
--enable-two-hop
Enable two-hop mixnet traffic. This means that traffic jumps directly from entry gateway to exit gateway
--enable-poisson-rate
Enable Poisson process rate limiting of outbound traffic
--disable-background-cover-traffic
Disable constant rate background loop cover traffic
-h, --help
Print help
-V, --version
Print version
Here is a list of the options and their descriptions. Some are essential, some are more technical and not needed to be adjusted by users.
Fundamental commands and arguments
-c
is a path to the Sandbox config file saved assandbox.env
--entry-gateway-id
: paste one of the values labeled with a key"identityKey"
(without" "
) from here--exit-router-address
: paste one of the values labeled with a key"address"
(without" "
) from here here--enable-wireguard
: Enable the wireguard traffic between the client and the entry gateway. NymVPN uses Mullvad libraries for wrappingwireguard-go
and to setup local routing rules to route all traffic to the TUN virtual network device--wg-ip
: The address of the wireguard interface, you can get it here--private-key
: get your private key for testing purposes here--enable-two-hop
is a faster setup where the traffic is routed from the client to Entry Gateway and directly to Exit Gateway (default is 5-hops)
Advanced options
--enable-poisson
: Enables process rate limiting of outbound traffic (disabled by default). It means that NymVPN client will send packets at a steady stream to the Entry Gateway. By default it’s on average one sphinx packet per 20ms, but there is some randomness (poisson distribution). When there are no real data to fill the sphinx packets with, cover packets are generated instead.--ip
is the IP address of the TUN device. That is the IP address of the local private network that is set up between local client and the Exit Gateway.--mtu
: The MTU of the TUN device. That is the max IP packet size of the local private network that is set up between local client and the Exit Gateway.--disable-routing
: Disable routing all traffic through the VPN TUN device.