NIP-12: Nym Exit Policy Update – Opening Ports for eufy Security, FiveM, IRCv3 and Nym WebSocket

Node Operators
,
1
ID title created status kind author(s) champions
NIP-12 Nym Exit Policy Update – Opening Ports for eufy Security, FiveM (CFX.re), IRCv3 and Nym WebSocket 11-06-2026 proposed standard Serinko, Nym network technical lead & devrel serinko@nymtech.net, Jaya, Chief of strategy jaya@nymtech.net Merve, Operator technical mentor merve@nymtech.net, <br />Sudo, Head of community simon.toth@nymtech.net

NIP-12 proposes updating the Nym exit policy to open specific TCP and UDP ports, enabling NymVPN users to access eufy Security devices (cameras, doorbells), FiveM (CFX.re) game servers and IRCv3 (6697) instant messaging services while maintaining privacy and network security. Additionally we are adding 9000 to access Nym mixnet through various clients while using NymVPN system-wide.

Motivation

The Nym exit policy defines which ports are accessible on exit nodes to ensure privacy, security, and reliable service.

  • eufy Security devices – require specific ports for video streaming, audio communication, and P2P hole punching.
  • FiveM (CFX.re) – a popular multiplayer modification framework for Grand Theft Auto V, using port 30120 for client-server communication.
  • IRCv3 over TLS (port 6697) – modern, lightweight, mixnet-friendly instant messaging with TLS encryption. Currently, this port is commented out (not active) in the exit policy due to historical Tor DNSBL concerns. However, Nym’s architecture (zk-nym credentials, no free unlimited usage) makes this risk irrelevant. Opening this port improves usability without compromising privacy or security.
  • Nym Mixnet - Opening WebSocket port 9000 allows users to acces NymSocks5 Client while using NymVPN

This update will follow operator governance, consistent with previous exit policy changes (example).

Since NIP-1, exit policy decisions are managed via Nym Governator to ensure transparency and accountability.

Proposal to Enable Ports for NymVPN Users

eufy Security Services

  • Video Stream: *:8554-8555
  • TURN/TLS (P2P hole punching): *:5349

FiveM (CFX.re) Services

  • Game Server: *:30120

IRCv3 Services

  • IRC over TLS: *:6697

Nym WebSocket

  • Nym WebSocket: *:9000

Voting options

Voting takes place at Nym Governator. Proposed options:

  • YES: Approve opening the above ports.
  • NO: Reject the proposal entirely.

Submit any concerns with supporting documentation for review before finalizing.

Process

If the vote meets quorum and a majority approves:

  1. A pull request will update the exit policy.
  2. The Network Tunnel Manager (NTM) will be updated to allow operators to configure WireGuard exit policy ports in line with the Mixnet policy.

Background

The Nym exit policy protects operators and users by controlling accessible ports.

Previously, Network Requesters used a centralized allow list. To decentralize control and enhance privacy, Nym transitioned to a deny list, forming the current exit policy.

Exit nodes in Gateway mode act both as:

  • SOCKS5 Network Requesters
  • Exit nodes for IP traffic from mixnet and VPN clients

Applying a uniform policy ensures reliable, privacy-preserving service for all NymVPN users.

Proposal for a new NIP - Opening ports 6667/6697 for IRCv3 instant messaging