I published an updated guide: Nym Mixnet & dVPN: A Node Operator’s Guide (2026).
It’s a complete rewrite / 2026 update of my earlier (now superseded) 2025 guide: Nym Mixnet & dVPN: A Node Operator’s Guide (2025).
Nym Node CLI
Overall, the new Nym Node CLI script (nym-node-cli.py) is a big improvement and makes the setup much smoother - but I ran into a few issues that might be worth calling out/improving:
- Missing nginx caused a “silent” reverse proxy/WSS setup failure (only visible in the scrolling output/logs). I initially thought I had to configure the reverse proxy manually, and only later realized the script is supposed to do it, but didn’t due to missing nginx:
* * * Starting nginx configuration for landing page, reverse proxy and WSS * * *
Landing page at /var/www/wznymnode2.root.sx/index.html
Cleaning existing nginx configuration
Failed to restart nginx.service: Unit nginx.service not found.
Failed to start nginx.service: Unit nginx.service not found.
- Bonding surprise: there’s a one wallet → one node restriction. This was the first time I set up a second node and I wasn’t aware of this constraint (and don’t recall seeing it highlighted in operator docs).
- QUIC Bridge required manual intervention to open the port when nftables was detected:
Detected nftables - please manually configure port 4443/udp
Example: nft add rule inet filter input udp dport 4443 accept
- Firewall flow felt inconsistent/confusing: it starts with UFW, but later UFW ends up in conflict with netfilter-persistent (pulled in via iptables-persistent).
Nym Gateway Probe
Also: I added a section on the Nym Gateway Probe and noted that you can see scary-looking fail / ping-timeout messages in the probe logs even if Harbourmaster later shows the node fully green (so treat these as a weak signal on their own):
2026/01/19 20:42:11 Read attempt 1 failed, retrying: i/o timeout
2026/01/19 20:42:14 Ping attempt 1/2 failed: i/o timeout
2026/01/19 20:42:18 Read attempt 1 failed, retrying: i/o timeout
2026/01/19 20:42:22 Ping attempt 2/2 failed: i/o timeout
2026/01/19 20:42:22 Failed to send ping: ping failed after 2 attempts
Avoro vs. Netcup DDoS protection debugging story
Finally, the post includes my “Avoro networking debugging story” that may help others dealing with provider-side DDoS protection / UDP throttling.
Current status of the new Nym node
avoro2 is still not operating as well as avoro1 (or when I run the same setup on netcup2). I’m continuing the debugging, but I’d be happy if someone has a clue or can give me a hand.