Nym VPN Mixnet Guide (GUI)

Original forum link: https://forum.qubes-os.org/t/37446
Original poster: PP
Created at: 2025-11-21 06:05:02
Posts count: 6
Likes count: 7
Tags: networking

Nym VPN is a decentralized VPN (dVPN) with Mixnet capabilities. It uses cryptocurrency incentives to enable a decentralized VPN experience. The Mixnet has 5 hops per connection and mixes traffic with other nodes. Mixnets also provide cover traffic to ensure consistent packet sizes. This enhances resistance to AI-based detection from network traffic. I am not an expert, so please read more here: https://nym.com/mixnet

Nym does not offer WireGuard configuration files by default, so the VPN app is required to use Nym. To take advantage of the mixnet, follow the guide below:

  1. Create a standalone VM. Use Debian as the template (preferably Trixie). Check the "provides network" box.

  2. Install Nym VPN: follow the instructions from the official site.
     i. wget https://apt.nymtech.net/pool/main/n/nym-repo-setup/nym-repo-setup_[VERSIONNUMBER]_amd64.deb -O /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
     ii. sudo dpkg -i /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
     iii. sudo apt install nym-vpn

  3. DNS handling:
     i. Create the script: sudo nano /usr/local/bin/nym-dns.sh
     ii. Insert the following into the script:

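#!/usr/bin/env bash
# Keeps the Qubes dnat-dns chain in sync with /etc/resolv.conf.
# Requires inotifywait (Debian package: inotify-tools).
update_dns() {
  # Nym counts as "on" when resolv.conf lists a nameserver outside the
  # Qubes virtual DNS range (10.139.x.x). Only nameserver lines are counted,
  # so comment or search lines do not register as "on".
  nym_on=$([[ $(grep "^nameserver" /etc/resolv.conf | grep -v -c "nameserver \+10\.139\.") -gt 0 ]] && echo 1 || echo 0)

  if [[ $nym_on -eq 1 ]]; then
    echo "Nym is on"
    # First nameserver written by Nym
    nym_dns_ip=$(grep "^nameserver" /etc/resolv.conf | awk '{print $2}' | head -n 1)

    # Redirect DNS sent to the Qubes virtual resolvers to the Nym resolver
    sudo nft flush chain ip qubes dnat-dns
    sudo nft add rule ip qubes dnat-dns meta l4proto {tcp, udp} ip daddr {10.139.1.1, 10.139.1.2} th dport 53 dnat to "$nym_dns_ip"
  else
    echo "Nym is off"
    nameserver_ips=$(grep "^nameserver" /etc/resolv.conf | awk '{print $2}')
    sudo nft flush chain ip qubes dnat-dns

    # Restore one UDP and one TCP rule per listed nameserver
    for ip in $nameserver_ips; do
      sudo nft add rule ip qubes dnat-dns ip daddr "$ip" udp dport 53 dnat to "$ip"
      sudo nft add rule ip qubes dnat-dns ip daddr "$ip" tcp dport 53 dnat to "$ip"
    done
  fi
}

# Apply once at start, then again every time resolv.conf is rewritten
update_dns
inotifywait -m -q -e close_write /etc/resolv.conf | while read -r; do
  update_dns
done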
  4. Make the script executable: sudo chmod +x /usr/local/bin/nym-dns.sh
  5. Run the script at boot: echo "/usr/local/bin/nym-dns.sh &" | sudo tee -a /rw/config/rc.local
  6. MTU issues and killswitch:
     i. Check the app for the killswitch setting
     ii. Disable IPv6
     iii. Add the following rules: sudo nano /rw/config/rc.local

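#!/bin/sh

# Send DNS queries addressed to the Qubes virtual resolvers to 1.1.1.1
/usr/sbin/nft flush chain ip qubes dnat-dns
/usr/sbin/nft add rule ip qubes dnat-dns meta l4proto {tcp, udp} ip daddr {10.139.1.1, 10.139.1.2} th dport 53 dnat to 1.1.1.1
# Killswitch: drop forwarded traffic that would leave via eth0 (IPv4 and IPv6)
/usr/sbin/nft add rule ip qubes custom-forward oifname eth0 counter drop
/usr/sbin/nft add rule ip6 qubes custom-forward oifname eth0 counter drop
# Clamp the TCP MSS to the route MTU to avoid MTU issues
/usr/sbin/nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu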
  7. Make the script executable if it is not already: sudo chmod +x /rw/config/rc.local

EDIT: the mixnet is quite slow, so be patient. If you are in a censored country, double VPN with the QUIC setting turned on should work.
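
A check for the rules this guide installs, as an added example that is not part of the original post: it reads an `nft list ruleset` dump and reports which of the killswitch, MSS clamp and DNS DNAT rules are missing. The function names and the sample dump are constructed for illustration, and the dump layout is an assumption about how nft prints these rules.

```sh
#!/bin/sh
# Added example (not from the original post): audit an nft ruleset dump
# for the rules this guide installs. Function names are hypothetical.

# Constructed sample dump (assumed nft output format); the ip6 drop is missing.
SAMPLE='table ip qubes {
  chain dnat-dns {
    meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to 1.1.1.1
  }
  chain custom-forward {
    oifname "eth0" counter packets 0 bytes 0 drop
    tcp flags syn / syn,rst tcp option maxseg size set rt mtu
  }
}
table ip6 qubes {
  chain custom-forward {
  }
}'

# chain_body FAMILY CHAIN: print the rules of CHAIN in table "FAMILY qubes".
chain_body() {
  awk -v fam="$1" -v chain="$2" '
    $1 == "table"         { in_tbl = ($2 == fam && $3 == "qubes") }
    $1 == "chain"         { in_chain = (in_tbl && $2 == chain); next }
    in_chain && $1 == "}" { in_chain = 0 }
    in_chain              { print }'
}

# audit_ruleset DUMP: print the missing protections, space separated.
# Exit status is 0 only when nothing is missing.
audit_ruleset() {
  missing=""
  for fam in ip ip6; do   # killswitch: forwarded traffic must not leave via eth0
    printf '%s\n' "$1" | chain_body "$fam" custom-forward |
      grep -Eq 'oifname "?eth0"? .*drop$' || missing="$missing killswitch-$fam"
  done
  printf '%s\n' "$1" | chain_body ip custom-forward |
    grep -q 'maxseg size set rt mtu' || missing="$missing mss-clamp"
  for ip in 10.139.1.1 10.139.1.2; do   # both Qubes virtual resolvers need a DNAT
    printf '%s\n' "$1" | chain_body ip dnat-dns | grep -Fw "$ip" |
      grep -q 'dport 53 .*dnat to ' || missing="$missing dns-dnat-$ip"
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# On the VPN qube: audit_ruleset "$(sudo nft list ruleset)"
audit_ruleset "$SAMPLE" || true   # prints: killswitch-ip6
```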