The NymVPN app is already a reasonably secure VPN app given its ongoing security audits. However, vulnerabilities remain a problem for all open-source applications, including Nym. An exploit of the NymVPN app could decide whether an attacker can doxx your location, regardless of whether you are using the mixnet or double VPN.
Unfortunately, your security posture is determined at the OS level, not by NymVPN. Your success in mitigating malware on your system depends heavily on your OS and anti-virus. In the event an attacker is able to break out of NymVPN's sandbox, the attacker can silently intercept traffic, doxx your real IP address, deploy spyware, and even steal password credentials.
The most secure way to use NymVPN on a laptop/PC is arguably on http://qubes-os.org/ (not an endorsement, do your own due diligence). By running the VPN in its own dedicated virtual machine with its own operating system, you eliminate the possibility of malware in your other VMs ever reaching NymVPN: it would first have to escape the Xen hypervisor to affect the standalone VM, which is incredibly difficult. Xen is also open source and has significantly less attack surface than traditional Linux systems, Windows, or Mac.
Here is how I set up NymVPN on the most secure OS:
Nym does not offer WireGuard configuration files by default, so the VPN app is required to use Nym. To take advantage of the mixnet, follow the guide below:
- Create a standalone VM. Use Debian as the template (preferably Trixie). Tick the "provides network" box.
- Install NymVPN. Follow the instructions from the official site:
i. wget https://apt.nymtech.net/pool/main/n/nym-repo-setup/nym-repo-setup_[VERSIONNUMBER]_amd64.deb -O /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
ii. sudo dpkg -i /tmp/nym-repo-setup_[VERSIONNUMBER]_amd64.deb
iii. sudo apt install nym-vpn
- DNS handling:
i. Create the script: sudo nano /usr/local/bin/nym-dns.sh
ii. Insert the following into the script:
#!/usr/bin/env bash
# Re-points the Qubes DNS DNAT chain whenever /etc/resolv.conf changes.
# Requires inotify-tools in the template (sudo apt install inotify-tools).

update_dns() {
    # Nym writes its own resolver into resolv.conf, so any nameserver line that
    # is not one of Qubes' virtual DNS addresses (10.139.x.x) means the tunnel
    # is up. Only nameserver lines are counted, so comments or search lines
    # cannot produce a false "on".
    non_qubes_ns=$(awk '$1 == "nameserver" && $2 !~ /^10\.139\./ { n++ } END { print n + 0 }' /etc/resolv.conf)
    if [[ $non_qubes_ns -gt 0 ]]; then
        echo "Nym is on"
        nym_dns_ip=$(awk '$1 == "nameserver" { print $2; exit }' /etc/resolv.conf)
        sudo nft flush chain ip qubes dnat-dns
        # Send queries aimed at Qubes' virtual DNS to Nym's resolver instead.
        sudo nft add rule ip qubes dnat-dns 'meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53' dnat to "$nym_dns_ip"
    else
        echo "Nym is off"
        # Back to the Qubes default: pass queries for each configured nameserver
        # through unchanged so the upstream NetVM resolves them.
        nameserver_ips=$(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)
        sudo nft flush chain ip qubes dnat-dns
        for ip in $nameserver_ips; do
            sudo nft add rule ip qubes dnat-dns ip daddr "$ip" udp dport 53 dnat to "$ip"
            sudo nft add rule ip qubes dnat-dns ip daddr "$ip" tcp dport 53 dnat to "$ip"
        done
    fi
}

# Apply once at start, then again on every rewrite of resolv.conf (Nym
# connecting or disconnecting). The watch is on the path, so it is lost if the
# file is replaced by a new one rather than rewritten in place.
update_dns
inotifywait -m -q -e close_write /etc/resolv.conf | while read -r _; do
    update_dns
done
- Make the script executable:
sudo chmod +x /usr/local/bin/nym-dns.sh
- Run the script at boot:
echo "/usr/local/bin/nym-dns.sh &" | sudo tee -a /rw/config/rc.local
- MTU issues and killswitch:
i. Check the app for the killswitch setting.
ii. Disable IPv6.
iii. Add the following rules to rc.local: sudo nano /rw/config/rc.local
#!/bin/sh
# Runs as root at every boot of this qube.
# Until nym-dns.sh takes over, send queries for Qubes' virtual DNS to 1.1.1.1.
/usr/sbin/nft flush chain ip qubes dnat-dns
/usr/sbin/nft add rule ip qubes dnat-dns 'meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53' dnat to 1.1.1.1
# Killswitch for downstream qubes: forwarded traffic may only leave through the Nym tunnel, never straight out of eth0 (IPv4 and IPv6).
/usr/sbin/nft add rule ip qubes custom-forward oifname eth0 counter drop
/usr/sbin/nft add rule ip6 qubes custom-forward oifname eth0 counter drop
# MTU fix: clamp the TCP MSS of forwarded SYNs to the path MTU of the tunnel.
/usr/sbin/nft add rule ip qubes custom-forward 'tcp flags syn / syn,rst tcp option maxseg size set rt mtu'
# Appended by the "Run the script at boot" step; keep it after the rules above.
/usr/local/bin/nym-dns.sh &
- Make the script executable if it is not already:
sudo chmod +x /rw/config/rc.local
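As an added check (example code, not from the original post), the script below audits an `nft list ruleset` dump for the three protections the steps above install: the DNS redirect for 10.139.1.x, the eth0 forward drops for IPv4 and IPv6, and the MSS clamp. The ruleset dump, the resolv.conf and the 198.51.100.53 nameserver in it are constructed samples so it runs offline.

```bash
#!/usr/bin/env bash
# Added audit helper (example code, not from the original post): checks an
# `nft list ruleset` dump for the three protections the guide installs in the
# Nym qube. The dump and resolv.conf below are constructed samples (offline run).

# First nameserver in a resolv.conf read from stdin; comments and blank lines ignored.
first_nameserver() { awk '$1 == "nameserver" { print $2; exit }'; }

# Read a ruleset dump on stdin and check that (1) dnat-dns sends queries for Qubes'
# virtual DNS 10.139.1.1/.2 to $1, (2) custom-forward drops forwarded ip and ip6
# traffic leaving via eth0, (3) the SYN MSS clamp is present. Returns 0 only if all pass.
audit_nym_rules() {
  dns_ip=$1 rc=0
  # Tag each line with its table family so the ip and ip6 chains can be told apart.
  tagged=$(awk '/^table / { fam = $2 } { print fam ":" $0 }')
  check() {  # $1 = description, $2 = extended regex the tagged dump must match
    if printf '%s\n' "$tagged" | grep -Eq "$2"; then echo "PASS $1"
    else echo "FAIL $1"; rc=1; fi
  }
  check "DNS for 10.139.1.x redirected to $dns_ip" \
    "^ip:.*daddr \{ 10\.139\.1\.1, 10\.139\.1\.2 \} .*dport 53 dnat to $dns_ip"
  check "IPv4 forwarded traffic to eth0 dropped" '^ip:.*oifname "?eth0"? counter.*drop'
  check "IPv6 forwarded traffic to eth0 dropped" '^ip6:.*oifname "?eth0"? counter.*drop'
  check "MSS clamped to path MTU" '^ip:.*tcp flags syn / syn,rst tcp option maxseg size set rt mtu'
  return $rc
}

# Constructed resolv.conf as written while Nym is up (198.51.100.53 is a placeholder).
RESOLV_NYM='# constructed sample
nameserver 198.51.100.53'
# Constructed dump with all three protections in place.
RULESET_OK='table ip qubes {
  chain dnat-dns {
    meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to 198.51.100.53
  }
  chain custom-forward {
    oifname "eth0" counter packets 0 bytes 0 drop
    tcp flags syn / syn,rst tcp option maxseg size set rt mtu
  }
}
table ip6 qubes {
  chain custom-forward {
    oifname "eth0" counter packets 0 bytes 0 drop
  }
}'
# Same dump without the IPv6 drop: v6 traffic from downstream qubes could leave via eth0.
RULESET_NO_V6_DROP=$(printf '%s\n' "$RULESET_OK" | sed '/^table ip6/,$d')
dns=$(printf '%s\n' "$RESOLV_NYM" | first_nameserver)
printf '%s\n' "$RULESET_OK" | audit_nym_rules "$dns"
printf '%s\n' "$RULESET_NO_V6_DROP" | audit_nym_rules "$dns" || echo "-> fix rc.local before trusting the qube"
```

On the qube itself, with the VPN connected, run `sudo nft list ruleset | audit_nym_rules "$(first_nameserver < /etc/resolv.conf)"`; a FAIL line tells you which of the rc.local or nym-dns.sh rules did not take effect.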
Now you can switch between Mixnet and Double VPN on the most secure OS. The mixnet is quite slow, so be patient. If you are in a censored country, double VPN with the QUIC setting turned on should work.
EDIT: Typos