Skip to content

Instantly share code, notes, and snippets.

@gyrusdentatus
Last active March 26, 2023 21:33
Show Gist options
  • Save gyrusdentatus/e81658af3086c8d833720af53d5b2c3d to your computer and use it in GitHub Desktop.
Save gyrusdentatus/e81658af3086c8d833720af53d5b2c3d to your computer and use it in GitHub Desktop.
A full guide on how to set up a Nym mixnode on a fresh server

How to set up a server running NYM for dummies

Introduction


This guide is written for people that have absolutely no or little experience with terminal and remote server configuration. Should work on all Debian based distros although this has been tested only with fresh Debian 10 Buster. It does not yet cover the actual node configuration yet. For that see the official Nym docs here https://nymtech.net/docs/run-nym-nodes/mixnodes/

If you are complete beginner and just installed Debian on your VPS then I suggest going through the bash crash course in the introduction section

If you are at least little experienced, then skip to section Nym installation.

What will you need to start

  1. a computer running Linux/MacOS X/Windows 10
  2. VPS with full root access
  3. courage and patience if this is the first time you are managing server.

1. Bash crash course for total beginners

Using Terminal

Opening up a terminal for the first time might be intimadating at least, you might think to yourself "Damn what do I do now??? I am not a programmer, I want to go back to my window where I can see all files and use my mouse!"

Don't be scared, using terminal can give you the ultimate powers over your machine, automate stuff and realize what is really going on under the hood. It gives you the ultimate freedom, what you type is what you get, an answer, an exit code perhaps, but the machine always gives you an honest answer.

But enough talk ...

Let's dive into it !

How to open a terminal

Majority of you will probably be using a Windows or MacOS so I will focus on these two operating systems in the introduction.

MacOS

I assume you know how to open spotlight on your Mac, when you search for stuff on your computer ...

  1. press cmd + space and type terminal and hit enter. You can also find it in your Applications or launchpad in subfolder Other. Whatever is your workflow ... Open the terminal. This is what you should see. >> image
  2. If this is the firs time you are using terminal, let me walk you throught some essential commands and basics. Try them for yourself before you attempt to connect to the server. Try creating a directory test in your home folder.
Command description
whoami tells you which account are you using in the current shell
which COMMAND shows you the path to the command if it is in your $PATH(*explained later)
cd change directory - if you type cd, it will get you back to your home directory
cd DIRECTORY for example, you want to go to nym/. Type cd nym and it will get you there if the folder exists
cd .. go(back) to a lower level directory. /home/username/test/ or on MacOS /Users/username/test/ cd .. would get you one level lower in the directory tree.
cd - returns you to the previous directory you were in before changing to the current directory
pwd shows you the full path of the directory you are currently in
mkdir DIRECTORY NAME creates a new directory with a name you choose for it
whatis COMMAND tells you a short info about a given command
COMMAND --help shows you the help output of any given command, syntax and available arguments.
man COMMAND opens up a manual page for a given command, most of the time just RTFM if you get stuck ! :}
cat FILENAME prints the content of a file. Example: You want to read your ssh key. ```cat .ssh/id_ecdsa.pub and voila, you can copy it!
ls lists files in the current directory or you can specify the directory. Example: you are in your home folder and want to see if you have the ssh keys in directory .ssh/ ls .ssh/
ls -la more detailed output of the ls command. Prints out permissions, who is the owner and which group, size, time of creation and also prints the hidden dot files (usually system files)
nano FILENAME opens a simple text editor, you can also create new files with it. Press CTRL+O to save then CTRL+X to quit
touch FILENAME creates a new file with a current time stamp. We will use this just for some practices in the following exercise
mv FILENAME PATH move a file from SOMEWHERE to SOMEWHERE ELSE. This command can also change name of a file so watch out for this. For copying use the following command. mv can be dangerous if you are root!
cp FILENAME PATH copy a file from SOMEWHERE to SOMEWHERE ELSE
rm removes a file. Use with extreme caution !!! If you type rm -rf / as a root user, you will wipe out the entire server haha.
ssh-keygen generates an ssh key in your home directory in folder .ssh/ . Use this with argument -t ecdsa for stronger encryption algorithm.
ssh root@x.x.x.x ssh means secure shell connection and it will create a tunnel between your computer and your server. Syntax is ssh USERNAME@IPADDRESS OF THE REMOTE SERVER

All these commands work on MacOS and also on any UNIX system. Remember, if you get lost, type pwd and it shows you where you are. If you need help with command arguments, type --help after the command. If you need to get back to your home folder, just type cd and you are back home. Need to get back to the previous directory? Type cd - . Do you want to see what files are inside the directory? Type ls -la or simply ls.

It is really that simple


Before we move on ...some quick exercise.

All right ! So you have your cheatsheet with some essential commands, now let's try it out before we move on to the actual connection to the server!

Exercise 1

Create a folder, create some files in the folder, copy a file, write something in a file and print the output to the file.

OK try this simple exercise:

  • Where are you? Which command prints you the full path of the current directory you're in?

  • Make sure you are inside your home folder and create a new folder named test.

  • Then create file1 file2 file3 in that folder.

  • Next list all the files in the directory to see if they are there. Make sure you cd to the new directory :}...

  • Next, create another folder in the folder test called newfolder and copy file1 there.

  • Write something in thefile you copied there, use nano to do so. Write some shit such as "I am using terminal, much wow, very hacking!!!". Save it and exit nano.

  • Print the output of the file1 you just edited with nano it should display your message.

  • now return to the previous directory test/

  • Print the output of the file1 in THAT directory. It should be empty so print no result.

  • return back to your home directory and check if you are there with pwd

Here are all the steps broke down with exact steps/commands

  1. cd
  2. pwd
  3. mkdir test
  4. cd test
  5. touch file1 file2 file3
  6. ls -la
  7. nano file1
  8. mkdir newfolder
  9. cp file1 newfolder/
  10. ls -la newfolder/
  11. cd newfolder
  12. pwd
  13. cat file1
  14. cd ..
  15. pwd
  16. cat file1
  17. ls -la
  18. cd
  19. pwd

Was it that hard? I guess not.

Now you should be almost ready to connect to your server and not fuck something up.

Later on we will discuss permissons, ownerships, users and groups. Which you can skip if you don't give a shit about security, but majority of the hacks are due to badly configured permissions and ownerships which leads to privilege escalations and pwning the machine.


2. SSH and connecting to your server

So now that you now some basic commands, we may proceed to the next step, which is the actual connection to your VPS.

Note:This guide won't yet be covering details on how to set up a node running from your home through NAT or from some cloud provider without a dedicated IP address.

Now is the time to create your ssh keys with which you will authenticate yourself with the server.

Some notes about security

Some VPS providers will send you a password, which includes some extra security steps.

Like web servers use HTTP and HTTPS, that have ports 80 and 443, SSH usually runs on port 22. Many automated scanners scan through the whole internet looking for open ports 22 and try to crack the password. On my server, I get usually 300 attacks per day from unique IP addresses.

If your VPS provider gives you a long password for your root account, it might take them years to crack it but if the actual attackers are from some government such as the US, China or Russia, they have an immense computing power which would allow them to crack the password much faster even if it is long.

General good practice is to disable root login and password login, use SSH on another port and only allow access with a key and strong password.

See the ssh website for some good practices which I won't be covering here right now in this guide.


SSH connection to your server

  • open your terminal
  • create your keys with command ssh-keygen -t ecdsa
  • This will create your private key and public key, I suggest using some password for it as well. It will prompt you to enter it during the generation of your keys
  • if all goes well, then your keys will be in a directory .ssh/ in your home folder.
  • cd into the folder and do cat id_ecdsa.pub ---> this will print the public key which you have to copy and paste into a section in your VPS web dashboard.
  • else if you have a password for the root account then you should use ssh-copy-id ssh-copy-id -i someserver where -i is the name of the file of your PUBLIC! key. Your private key always stays on your local machine.
  • ssh root@x.x.x.x
  • you will be asked if you would like to add the server to your know_hosts list on your local machine. Press y and hit enter
  • If you got the right key on the server and chose to use password during the key generation process, then you will be asked to enter the same password.
  • now you should be in!
  • whoami output should be root

3. A complete step by step Nym installation on Debian 10 Buster

If you are running other distro with already created sudo user, then skip the first 3 steps. Now would be the time to install all the essentials for the installation of Nym.

I suggest running Nym node with new user without any privileges and /usr/sbin/nologin

On fresh Debian 10 Buster, there are many things not installed, it is really stripped down. So to following command should install everything even on Debian.

apt install sudo sudo which allows user to act as a root user for the given command is not installed on Debian 10, so install it.

Next we will create a new user in sudo group, which you should use while maintaining you server. Do it with the following command

useradd --shell /bin/bash --create-home --groups sudo YOURNAME

  • this will add a new user with a home folder at /home/USERNAME, with default shell /bin/bash and adds it to the group sudo

Now set a password for the username in case you haven't been asked to do so during the previous command.

passwd USERNAME

  • set the password for your new user

Now change to your new user with su USERNAME. su means "switch user" or at least that is my understanding of it.

whoami should tell you if you are logged in as your new user. Whenever want to exit back to being root then type exit

Let's create another user specifically for the Nym node, so if there is any vulnerability in the Nym code your server would not be so easily pwnd from there.

sudo useradd nym --create-home -U -s /usr/sbin/nologin

  • this will create a user nym belonging to group nym, with home directory at /home/nym/ and without a login option for the user nym.

sudo usermod -a -G nym YOURUSERNAME

  • not sure about this * ... this adds your user to the group nym so you could then have permissions to write in /home/nym

sudo apt update

sudo apt install git curl wget pkg-config build-essential libssl-dev ufw nano

  • this will install all the essentials

Let's login as a nym user to install nym

sudo -u nym bash

  • This command will "borrow" nym user and allow him to use bash for the time being.

Go to nym home directory

cd

Verify you are at /home/nym and as a user nym

whoami && pwd

output should be nym /home/nym

Install Rust with this. Enter 1 after the script asks you for the desired option.

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

source $HOME/.cargo/env

  • this will install Rust and all its packages to your home folder and puts it in your $PATH in config file .bashrc

Check if Cargo is in your $PATH

cargo --version

  • this should print out the version of Cargo. If it does not, you forgot something. Maybe source $HOME/.cargo/env or forgot to cd to nym home directory

git clone https://github.com/nymtech/nym.git

  • this will download the developer version from github
  • there is one additional important step!!! In the following command. You must not forget to do so

The following command will switch the branch to the testnet version

git checkout tags/v0.9.2

You should now be ready to build NYM!

cargo build --release

  • This will take some time. Maybe even up to 30 minutes. So go and grab a coffee, beer, snack or roll a nice phat joint

Now let's try to run the node. Assuming you are in /home/nym/nym/ directory then go here

cd target/release

./nym-mixnode init --help

  • this will print the help of the initial configuration of the nym-mixnode. Make sure to see the official docs for further info as well.

Now make up some name for the --id argument. You can also run the node in layer 1 or 3, right now with this version it does not matter which layer you choose.

./nym-mixnode init --id SOMENAME --layer 2 --host $(curl -sS v4.icanhazip.com)

  • creates a config for the node and curl command gets the ip of your server for you.
  • you may add --location CITY argument so on nym dashboard the city where the node is located would be visible. Totally up to you though.

Now try to run the node to see if everything is all right and is mixing packets.

./nym-mixnode run --id SOMENAME

  • Make sure you enter the same id as in the config in the previous command.

After a while you should see your node is mixing packets. If you still see "mixed 0 packets!" after a few minutes, then something went wrong, most likely you did not set up your firewall (ufw) properly.

Exit the process anytime with CTRL + C.

switch back to your user

exit

Set up the firewall rules to allow traffic for nym and also ssh so you would not lock yourself out.

sudo ufw allow 22/tcp && sudo ufw limit 22/tcp && sudo ufw allow 1789/tcp

  • Set the firewall rules to allow connections with ssh and allow in/out traffic to port 1789 which is used by the mixnode.

Now enable the firewall. Make sure you did the previous step and allowed 22/tcp else you will get LOCKED OUT! after you exit the session.

sudo ufw enable Then check if the 22/tcp and 1789/tcp are allowed.

sudo ufw status You should see something like this

To Action From
22/tcp ALLOW Anywhere
22/tcp LIMIT Anywhere
1789/tcp ALLOW Anywhere

4. Making your node persistent with

If you close current session, the mixnode will stop. There are multiple ways on how to make it persistent even after exiting your ssh session. Tmux, screen for instance.

Easy solution would be to use nohup -> ``nohup`./nym-mixnode run --id NYM & ``` where --id NYM is the id you set during the init command previously. You should be able to check if the node is mixing packets with multiple ways:

  • nym dashboard
  • nohup file in the same directory as you are launching the script from (did not verify this)
  • sudo ss -s -t | grep 1789
  • sudo lsof -i TCP:1789 if you get command not found, do sudo apt install lsof.

However, the most reliable and elegant solution is to create a systemd.service script and run the nym-mixnode with systemctl command.

Credits to https://github.com/ststefa for writing this file.

Create a file with nano and copy there following. IMPORTANT: You need to write there your node id which you set up in the config earlier, else it won't work! At line ExecStart, rewrite the --id SOMENAME with exactly the same name as you used for the config.

sudo nano /etc/systemd/system/nym-mixnode.service

Copy there this and change the id name

[Unit]
Description=nym mixnode service
After=network.target

[Service]
Type=simple
User=nym
LimitNOFILE=65536
ExecStart=/home/nym/target/release/nym-mixnode run --id nym
KillSignal=SIGINT
Restart=on-failure
RestartSec=30
Restart=on-abort
[Install]
WantedBy=multi-user.target

Now pres CTRL + O to write the file, hit enter. Then exit with CTRL + W.

sudo systemctl enable nym-mixnode

  • Enable the service

sudo systemctl start nym-mixnode

  • Start the service

sudo systemctl status nym-mixnode

  • Check if the service is running properly and mixnode is mixing.

Now your node should be mixing all the time unless you restart the server! Congratz and thanks for contributing to the testnet.

If you encounter any problems, feel free to ask at our Telegram chat group https://t.me/nymchan_help_chat The installation process will get easier and more automated in the future, but hopefully this guide helped you to set up and run your mixnode on your fresh server.

@paddyson79
Copy link

Next

chmod -R g+w /home/nym/

here I had to use sudo as I got a permission error

nice and easy guide though

@gyrusdentatus
Copy link
Author

Next

chmod -R g+w /home/nym/

here I had to use sudo as I got a permission error

nice and easy guide though

Thanks! Will update it

@ststefa
Copy link

ststefa commented Jun 9, 2020

Nice guide! How about adding a section on how to create a little systemd service in order to have it properly started/stopped along with the system? Check https://github.com/nymtech/nym/blob/develop/scripts/systemd/nym-mixnode.service in that case.
And how about contributing to the nym project? In this case you might also want to check https://nymtech.net/docs and work together with the members in order to distill it to a unitary whole. However keep in mind that the current approach is probably only intermediary. I would suspect that at some point it will be transformed to standard packaging and distribution concepts in order to make it easier to consume for a broad public.

@OscarB-hdlr99
Copy link

I ask you if it is possible to run a Nym node on a raspberrypi4, and if so what else do you need at the hardware level?
thanks for the info👍🏼

@ststefa
Copy link

ststefa commented May 20, 2022

Absolutely! Based on my observations to date the requirements for a mixnode are minimal. Let's say fifty MB of memory and hardly measurable amounts of CPU cycles and disk IO. However the network runs more or less in idle mode now. Things will change if some serious traffic is routed through it. In that scenario I'd guess that the most important resource is network bandwidth. One can already speculate with some probability that the CPU load increases far under-linear with the number of packets. I.e. 100 times the packets will require far less than 100 times the CPU cycles. Due to the nature of what the process is doing, memory and io will never be an issue imho.

@gyrusdentatus
Copy link
Author

@OscarB-hdlr99 this guide might be a little bit outdated - just a note. :)

I am currently working on an OpenWRT packages for Nym, you can find binaries for mixnode and gateway for aarch64-uknown-linux-musl (64-bit OpenWRT for Raspi 4) in my other repo called Nym-router iirc.

Give it a try, it will be a nice learning experience :)

I suggest you run a gateway though. There is still an issue somewhat with traversing NAT, if your main router does not let you do any configuration.

@ststefa yeah, the network is idle...give it a couple of weeks/months until the development really kicks off from the 3rd parties like us.

Cheers and feel free to fix my 2 year old guide with opening a PR or just fork it ! <3

@OscarB-hdlr99
Copy link

Many thanks!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment