diff --git a/.gitignore b/.gitignore index dfeb64f..05ed734 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,6 @@ downloads/ # Local testing test-* scratch/ + +# Session notes (private dev notes) +SESSION-NOTES.md diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d0b0e61 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2025 rpriven + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 756607f..c239c2a 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ Provide easy-to-install, well-documented privacy tools that protect against comm ```bash # Clone the repository -git clone https://github.com/YOUR_USERNAME/privacy-toolkit.git +git clone https://github.com/rpriven/privacy-toolkit.git cd privacy-toolkit # Install a specific tool diff --git a/SESSION-NOTES.md b/SESSION-NOTES.md deleted file mode 100644 index 7162494..0000000 --- a/SESSION-NOTES.md +++ /dev/null 
@@ -1,135 +0,0 @@ -# Privacy Toolkit - Session Notes - -## 2025-11-12 - Initial Repository Setup - -### 🎯 What We Built - -Created a modular privacy toolkit with automated installation scripts for security-focused tools. - -### ✅ Completed Tools (5) - -1. **Dangerzone** - Document sanitization (Freedom of Press Foundation) - - Container-based PDF/Office sanitization - - Includes GPG keyring permission fix - - Full threat model documentation - -2. **croc** - Secure P2P file transfer - - PAKE-based encryption - - Simple curl | bash installation - -3. **age** - Modern file encryption - - Simpler than GPG - - Installed via apt - -4. **VeraCrypt** - Full disk encryption - - Encrypted containers and full disk encryption - - Launchpad .deb download - - Version 1.26.7 - -5. **Cryptomator** - Cloud storage encryption - - Client-side encryption for cloud files - - Interactive .deb vs AppImage choice - - **Includes full verification guide** (GPG + SHA256) - -### 📁 Repository Structure - -``` -privacy-toolkit/ -├── README.md # Main documentation -├── TOOLS-LIST.md # Progress checklist -├── TOOLS-REFERENCE.md # Detailed tool descriptions -├── SESSION-NOTES.md # This file -└── tools/ - ├── age/ - │ └── install.sh - ├── croc/ - │ └── install.sh - ├── cryptomator/ - │ ├── install.sh - │ └── VERIFICATION.md # GPG verification guide - ├── dangerzone/ - │ ├── install.sh - │ └── README.md - └── veracrypt/ - └── install.sh -``` - -### 🔐 Key Features - -- **Modular Design**: Each tool is self-contained -- **Security-First**: GPG verification, checksums, official sources -- **Educational**: Threat models explain WHY you need each tool -- **Consistent**: Same script structure across all tools -- **Practical**: Real-world verification example for Cryptomator - -### 🎓 Security Practices Documented - -Example verification workflow (Cryptomator): -1. Download .deb + .asc signature -2. Import GPG key -3. Verify fingerprint: `5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235` -4. 
Check SHA256 checksum -5. Verify GPG signature -6. Install if all checks pass - -### 📊 Status - -- **Tools Completed**: 5/30+ -- **Priority Tools**: 1/6 (Dangerzone) -- **Documentation**: Comprehensive for completed tools -- **Git**: Not yet initialized (ready to be) - -### 🎯 Next Steps - -Potential additions: -- mat2 (metadata removal) -- Signal Desktop -- Tor Browser -- BleachBit -- firejail -- OnionShare -- ExifTool - -### 💡 Design Decisions - -1. **Cryptomator: .deb vs AppImage** - - Script offers choice - - Recommendation: .deb for better system integration - - AppImage for portability - -2. **VeraCrypt: Version locking** - - Hardcoded 1.26.7 for stability - - Manual update recommended over auto-latest - -3. **Dangerzone: GPG keyring fix** - - Includes chmod 644 fix for /etc/apt/keyrings/ - - Solves permission denied error - -### 🔗 Resources - -- Official Cryptomator releases: https://github.com/cryptomator/cryptomator/releases -- Dangerzone: https://dangerzone.rocks/ -- VeraCrypt: https://veracrypt.fr/ -- Age: https://github.com/FiloSottile/age -- Croc: https://github.com/schollz/croc - ---- - -**Created**: 2025-11-12 -**Tools**: 5 complete, 25+ planned -**Focus**: Security, privacy, encryption, sanitization - -## SimpleX Installation Discovery - -**Issue**: SimpleX .deb packages have library compatibility issues across multiple distros. - -**Confirmed broken:** -- Debian Trixie: Crashes with `SIGSEGV in libHSzstd` -- Pop!_OS: Required AppImage - -**Solution**: Always use AppImage for SimpleX -- Script: `tools/simplex/install-appimage.sh` -- Location: `~/.local/bin/SimpleX.AppImage` -- Works universally across distros - -**Lesson**: For complex cross-platform apps with many dependencies, prefer AppImage over distro-specific packages. diff --git a/install-apt-tools.sh b/install-apt-tools.sh index 0112d3e..26b02c1 100755 --- a/install-apt-tools.sh +++ b/install-apt-tools.sh 
@@ -42,6 +42,22 @@ declare -A TOOLS=( # OSINT & Privacy Analysis ["sherlock"]="Username enumeration tool" + + # YubiKey & Hardware Security Keys + ["yubikey-manager"]="YubiKey configuration tool (ykman)" + ["pcscd"]="PC/SC Smart Card Daemon" + ["scdaemon"]="GPG smart card daemon" + ["libpam-u2f"]="PAM module for U2F/FIDO2 auth" + + # GPG Utilities + ["paperkey"]="Extract GPG secret key for paper backup" + + # Monitoring & Detection + ["inotify-tools"]="Filesystem event monitoring (for honeyfiles)" + + # Privacy Analysis & Recon + ["nmap"]="Network scanner" + ["whois"]="Domain/IP lookup" ) section "Privacy Toolkit - APT Tools Installation" @@ -179,13 +195,53 @@ KeePassXC: age: # Generate key age-keygen -o key.txt - + # Encrypt file age -e -r file.txt > file.txt.age - + # Decrypt file age -d -i key.txt file.txt.age > file.txt +YubiKey (ykman): + # List connected YubiKeys + ykman list + + # Show detailed info + ykman info + + # Check OTP slot status + ykman otp info + + # Check OpenPGP status + ykman openpgp info + + # GPG smart card status (requires pcscd running) + gpg --card-status + +paperkey (GPG backup): + # Extract secret key to paper-friendly format + gpg --export-secret-key KEY_ID | paperkey --output secret.txt + + # Restore from paper backup (needs public key) + paperkey --pubring pubkey.gpg --secrets secret.txt | gpg --import + +inotify-tools (file monitoring): + # Watch directory for any changes + inotifywait -m -r /path/to/watch + + # Trigger on specific events (access, modify, create) + inotifywait -m -e access,modify ~/.honeypot/ + +nmap (network scanning): + # Quick scan of local network + nmap -sn 192.168.1.0/24 + + # Service/version detection + nmap -sV target.com + + # OS detection (requires root) + sudo nmap -O target.com + USAGE echo "" diff --git a/setup-gpg-yubikey-ssh.sh b/setup-gpg-yubikey-ssh.sh new file mode 100755 index 0000000..0ab27de --- /dev/null +++ b/setup-gpg-yubikey-ssh.sh 
@@ -0,0 +1,153 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# GPG + YubiKey SSH Authentication Setup +# ============================================================================== +# Configures GPG agent for YubiKey-based SSH authentication +# Run AFTER install-apt-tools.sh has installed yubikey-manager, pcscd, scdaemon +# ============================================================================== + +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly RED='\033[0;31m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; } +section() { echo -e "${BLUE}=== $* ===${NC}"; } + +section "GPG + YubiKey SSH Setup" +echo "" + +# Check dependencies +log "Checking dependencies..." +MISSING=() +command -v gpg >/dev/null 2>&1 || MISSING+=("gnupg") +command -v ykman >/dev/null 2>&1 || MISSING+=("yubikey-manager") +systemctl list-unit-files | grep -q pcscd || MISSING+=("pcscd") + +if [ ${#MISSING[@]} -gt 0 ]; then + error "Missing dependencies: ${MISSING[*]}" + echo "Run: sudo apt install ${MISSING[*]}" + exit 1 +fi +log "All dependencies found" + +echo "" +section "Configuring GPG Agent" + +# Create ~/.gnupg if it doesn't exist +mkdir -p ~/.gnupg +chmod 700 ~/.gnupg + +# Configure gpg-agent.conf +GPG_AGENT_CONF=~/.gnupg/gpg-agent.conf +if ! 
grep -q "enable-ssh-support" "$GPG_AGENT_CONF" 2>/dev/null; then + log "Adding enable-ssh-support to gpg-agent.conf" + echo "enable-ssh-support" >> "$GPG_AGENT_CONF" +else + log "enable-ssh-support already configured" +fi + +echo "" +section "Shell Configuration" +echo "" + +# Detect shell +SHELL_RC="" +if [ -n "${ZSH_VERSION:-}" ] || [ -f ~/.zshrc ]; then + SHELL_RC=~/.zshrc +elif [ -f ~/.bashrc ]; then + SHELL_RC=~/.bashrc +fi + +SSH_AUTH_LINE='export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' + +echo "Add this to your shell config ($SHELL_RC or ~/.exports):" +echo "" +echo " $SSH_AUTH_LINE" +echo "" + +if [ -n "$SHELL_RC" ]; then + read -p "Add to $SHELL_RC automatically? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]]; then + if ! grep -q "gpgconf --list-dirs agent-ssh-socket" "$SHELL_RC" 2>/dev/null; then + echo "" >> "$SHELL_RC" + echo "# GPG agent for SSH (YubiKey support)" >> "$SHELL_RC" + echo "$SSH_AUTH_LINE" >> "$SHELL_RC" + log "Added to $SHELL_RC" + else + log "Already configured in $SHELL_RC" + fi + fi +fi + +echo "" +section "Restart GPG Agent" +log "Killing gpg-agent to apply changes..." +gpgconf --kill gpg-agent + +echo "" +section "Testing Setup" + +# Start pcscd if not running +if ! systemctl is-active --quiet pcscd; then + log "Starting pcscd..." + sudo systemctl start pcscd +fi + +echo "" +log "Checking for YubiKey..." +if ykman list 2>/dev/null | grep -q "YubiKey"; then + log "YubiKey detected!" + ykman list + echo "" + + log "Checking GPG card status..." + if gpg --card-status >/dev/null 2>&1; then + log "GPG sees the YubiKey!" + echo "" + gpg --card-status | head -15 + else + warn "GPG can't see the card. Try: sudo systemctl restart pcscd" + fi +else + warn "No YubiKey detected. Plug one in and run: gpg --card-status" +fi + +echo "" +section "Next Steps" +echo "" + +cat << 'NEXT' +1. If you haven't moved GPG keys to YubiKey yet: + gpg --edit-key + > key 1 # select auth subkey + > keytocard # move to YubiKey (ONE-WAY!) 
+ > save + +2. Export your SSH public key from the YubiKey: + gpg --export-ssh-key > ~/.ssh/yubikey.pub + +3. Add to remote servers: + ssh-copy-id -f -i ~/.ssh/yubikey.pub user@server + +4. Configure SSH to use YubiKey (add to ~/.ssh/config): + Host server-yubikey + User youruser + HostName server.example.com + IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh + +5. Test SSH: + ssh server-yubikey + +NEXT + +echo "" +section "Setup Complete!" +log "Reload your shell or run: source $SHELL_RC" +echo "" diff --git a/tools/i2p/install.sh b/tools/i2p/install.sh new file mode 100755 index 0000000..58b3bf2 --- /dev/null +++ b/tools/i2p/install.sh 
@@ -0,0 +1,190 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# I2P (Invisible Internet Project) Installation +# ============================================================================== +# Anonymous overlay network using "garlic routing" +# - Internal network of hidden services (eepsites) +# - Anonymous torrenting +# - More resistant to traffic analysis than Tor for internal traffic +# - Every user is both client and relay +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly RED='\033[0;31m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; } +section() { echo -e "${BLUE}=== $* ===${NC}"; } + +section "I2P Installation" +echo "" + +# Check if already installed +if command -v i2prouter &>/dev/null || [ -d /usr/share/i2p ]; then + log "I2P appears to be already installed" + read -p "Reinstall/upgrade? [y/N] " -n 1 -r + echo + if [[ ! $REPLY =~ ^[Yy]$ ]]; then + log "Skipping installation" + exit 0 + fi +fi + +# Detect distro +if [ -f /etc/os-release ]; then + . /etc/os-release + DISTRO="${ID:-unknown}" +else + error "Cannot detect distribution" + exit 1 +fi + +log "Detected: $DISTRO" + +case "$DISTRO" in + debian|ubuntu|linuxmint|pop) + # Try i2pd from repos first (C++ implementation - lighter, faster) + if apt-cache show i2pd &>/dev/null; then + section "Installing i2pd (C++ implementation) from Debian repos" + log "i2pd is a lighter, faster C++ implementation of I2P" + + sudo apt update + sudo apt install -y i2pd + + log "i2pd installed from Debian repositories" + else + section "Installing I2P via Official Repository" + warn "i2pd not in repos, trying official I2P repository..." + + # Install dependencies + log "Installing dependencies..." 
+ sudo apt update + sudo apt install -y apt-transport-https curl gnupg + + # Add I2P repo signing key + log "Adding I2P repository key..." + curl -fsSL https://geti2p.net/_static/i2p-archive-keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/i2p-archive-keyring.gpg + sudo chmod 644 /usr/share/keyrings/i2p-archive-keyring.gpg + + # Add I2P repository + log "Adding I2P repository..." + echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p2.de/ $(lsb_release -sc) main" | \ + sudo tee /etc/apt/sources.list.d/i2p.list > /dev/null + + # Install I2P + log "Installing I2P..." + sudo apt update + sudo apt install -y i2p i2p-keyring + fi + ;; + + fedora|rhel|centos) + section "Installing I2P via Copr" + + log "Adding I2P Copr repository..." + sudo dnf copr enable -y i2p/i2p + + log "Installing I2P..." + sudo dnf install -y i2p + ;; + + arch|manjaro|endeavouros) + section "Installing I2P via AUR" + + if command -v yay &>/dev/null; then + log "Installing via yay..." + yay -S --noconfirm i2pd + elif command -v paru &>/dev/null; then + log "Installing via paru..." + paru -S --noconfirm i2pd + else + warn "No AUR helper found, installing i2pd manually..." + cd /tmp + git clone https://aur.archlinux.org/i2pd.git + cd i2pd + makepkg -si --noconfirm + cd .. + rm -rf i2pd + fi + ;; + + *) + error "Unsupported distribution: $DISTRO" + log "Please install manually from: https://geti2p.net/en/download" + exit 1 + ;; +esac + +echo "" +section "Installation Complete!" +echo "" + +cat << 'EOF' +I2P has been installed. 
Here's how to use it: + +=== IF YOU INSTALLED i2pd (C++ version) === + +START i2pd: + sudo systemctl start i2pd + sudo systemctl enable i2pd # Auto-start on boot + +WEB CONSOLE: + Open in browser: http://127.0.0.1:7070 + +PROXY PORTS: + HTTP Proxy: 127.0.0.1:4444 (for .i2p sites) + SOCKS Proxy: 127.0.0.1:4447 + +CONFIG FILE: + /etc/i2pd/i2pd.conf + +=== IF YOU INSTALLED i2p (Java version) === + +START I2P: + sudo systemctl start i2p + # Or: i2prouter start + +WEB CONSOLE: + Open in browser: http://127.0.0.1:7657 + +PROXY PORT: + HTTP Proxy: 127.0.0.1:4444 + +=== GENERAL USAGE === + +CONFIGURE YOUR BROWSER: + Set HTTP proxy to: 127.0.0.1:4444 + (This lets you access .i2p eepsites) + +FIRST-TIME SETUP: + 1. Start I2P and wait ~5 minutes for network integration + 2. Access the web console + 3. Configure bandwidth limits based on your connection + +POPULAR EEPSITES TO TEST: + - http://i2p-projekt.i2p (I2P Project homepage) + - http://stats.i2p (Network statistics) + +SECURITY NOTES: + - I2P is for accessing I2P internal services (eepsites) + - Don't use I2P for regular web browsing (use Tor for that) + - Takes time to build up "tunnels" - be patient on first run + - More peers = better anonymity and speed + +EOF + +# Check if service is available +if systemctl list-unit-files | grep -q i2p.service; then + echo "" + log "To start I2P now: sudo systemctl start i2p" + log "To enable auto-start: sudo systemctl enable i2p" +fi + +echo "" diff --git a/tools/mullvad-browser/install.sh b/tools/mullvad-browser/install.sh new file mode 100755 index 0000000..e8164bd --- /dev/null +++ b/tools/mullvad-browser/install.sh 
@@ -0,0 +1,163 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Mullvad Browser Installation +# ============================================================================== +# Privacy-focused browser developed by Mullvad VPN and Tor Project +# - Based on Firefox ESR with Tor Browser privacy patches +# - Tor-like fingerprint resistance WITHOUT using Tor network +# - No telemetry, no accounts, no tracking +# - Designed to make all users look identical (anti-fingerprinting) +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly RED='\033[0;31m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; } +section() { echo -e "${BLUE}=== $* ===${NC}"; } + +section "Mullvad Browser Installation" +echo "" + +# Check if already installed +if command -v mullvad-browser &>/dev/null; then + log "Mullvad Browser already installed" + read -p "Reinstall/upgrade? [y/N] " -n 1 -r + echo + if [[ ! $REPLY =~ ^[Yy]$ ]]; then + log "Skipping installation" + exit 0 + fi +fi + +# Detect distro +if [ -f /etc/os-release ]; then + . /etc/os-release + DISTRO="${ID:-unknown}" + DISTRO_VERSION="${VERSION_CODENAME:-${VERSION_ID:-unknown}}" +else + error "Cannot detect distribution" + exit 1 +fi + +log "Detected: $DISTRO $DISTRO_VERSION" + +case "$DISTRO" in + debian|ubuntu|linuxmint|pop) + section "Installing via Mullvad APT Repository" + + # Install dependencies + log "Installing dependencies..." + sudo apt update + sudo apt install -y curl gnupg apt-transport-https ca-certificates + + # Add Mullvad signing key + log "Adding Mullvad signing key..." 
+ sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc + sudo chmod 644 /usr/share/keyrings/mullvad-keyring.asc + + # Add the repository + log "Adding Mullvad repository..." + ARCH=$(dpkg --print-architecture) + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$ARCH] https://repository.mullvad.net/deb/stable stable main" | \ + sudo tee /etc/apt/sources.list.d/mullvad.list > /dev/null + + # Update and install + log "Installing Mullvad Browser..." + sudo apt update + sudo apt install -y mullvad-browser + ;; + + fedora|rhel|centos) + section "Installing via Mullvad RPM Repository" + + # Add Mullvad repo + log "Adding Mullvad repository..." + sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo + + # Install + log "Installing Mullvad Browser..." + sudo dnf install -y mullvad-browser + ;; + + arch|manjaro|endeavouros) + section "Installing via AUR" + + if command -v yay &>/dev/null; then + log "Installing via yay..." + yay -S --noconfirm mullvad-browser-bin + elif command -v paru &>/dev/null; then + log "Installing via paru..." + paru -S --noconfirm mullvad-browser-bin + else + warn "No AUR helper found (yay/paru)" + log "Installing mullvad-browser-bin manually..." + + cd /tmp + git clone https://aur.archlinux.org/mullvad-browser-bin.git + cd mullvad-browser-bin + makepkg -si --noconfirm + cd .. + rm -rf mullvad-browser-bin + fi + ;; + + *) + error "Unsupported distribution: $DISTRO" + log "Please install manually from: https://mullvad.net/en/download/browser" + exit 1 + ;; +esac + +# Verify installation +echo "" +if command -v mullvad-browser &>/dev/null; then + section "Installation Complete!" 
+ log "Mullvad Browser installed successfully" + echo "" + log "Launch with: mullvad-browser" + log "Documentation: https://mullvad.net/en/browser" +else + error "Installation may have failed - mullvad-browser command not found" + exit 1 +fi + +echo "" +section "Privacy Features" +echo "" +cat << 'EOF' + Mullvad Browser provides Tor Browser-level privacy WITHOUT Tor: + + ANTI-FINGERPRINTING: + - All users have identical browser fingerprint + - Resistant to canvas, WebGL, audio fingerprinting + - Letterboxing to hide window size + - Timezone spoofing + + TRACKING PROTECTION: + - uBlock Origin pre-installed + - First-party isolation + - Strict tracking protection + - No telemetry or crash reports + + PRIVACY BY DEFAULT: + - No accounts or sync + - Private browsing mode encouraged + - HTTPS-Only mode + - WebRTC leak prevention + + USE CASE: + - When you want Tor-level privacy but need regular internet speed + - When Tor is blocked or too slow + - For general private browsing without anonymity requirements + + NOTE: Does NOT route traffic through Tor - use Tor Browser for anonymity +EOF +echo "" diff --git a/tools/nym/install.sh b/tools/nym/install.sh new file mode 100755 index 0000000..4009d56 --- /dev/null +++ b/tools/nym/install.sh 
@@ -0,0 +1,179 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Nym Mixnet Installation +# ============================================================================== +# Next-generation mixnet for metadata-resistant communication +# - Protects against global passive adversaries +# - Uses mix nodes to shuffle and delay traffic +# - Decentralized with cryptocurrency incentives +# - More advanced privacy than Tor for messaging +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly RED='\033[0;31m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; } +section() { echo -e "${BLUE}=== $* ===${NC}"; } + +section "Nym Mixnet Installation" +echo "" + +# Note: NymConnect desktop app has been deprecated/moved +# The nym-socks5-client CLI is the recommended approach now +echo "Installing nym-socks5-client (CLI SOCKS5 proxy)..." +echo "" +echo "Note: NymConnect desktop app has been deprecated." +echo "The CLI client is the recommended and maintained option." +echo "" +CHOICE="2" + +# Detect architecture +ARCH=$(uname -m) +case "$ARCH" in + x86_64) ARCH="x86_64" ;; + aarch64) ARCH="aarch64" ;; + *) + error "Unsupported architecture: $ARCH" + exit 1 + ;; +esac + +log "Architecture: $ARCH" + +# Get latest release version +log "Fetching latest Nym release..." 
+LATEST_VERSION=$(curl -fsSL https://api.github.com/repos/nymtech/nym/releases/latest | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') + +if [ -z "$LATEST_VERSION" ]; then + warn "Could not determine latest version, using fallback" + LATEST_VERSION="nym-binaries-v2024.13-magura" +fi + +log "Latest version: $LATEST_VERSION" + +# NymConnect desktop app has been deprecated +# Keeping this function for reference but it's no longer called +install_nymconnect() { + warn "NymConnect desktop app has been deprecated by Nym" + warn "Please use nym-socks5-client CLI instead" + log "For GUI, consider using a SOCKS5 proxy manager with nym-socks5-client" + return 0 +} + +install_socks5_client() { + section "Installing nym-socks5-client CLI" + + # Check for existing installation + if command -v nym-socks5-client &>/dev/null; then + log "nym-socks5-client appears to be installed: $(nym-socks5-client --version 2>/dev/null || echo 'version unknown')" + read -p "Reinstall? [y/N] " -n 1 -r + echo + [[ ! $REPLY =~ ^[Yy]$ ]] && return + fi + + log "Downloading nym-socks5-client..." + + cd /tmp + + # Try to download the client binary + CLIENT_URL="https://github.com/nymtech/nym/releases/download/${LATEST_VERSION}/nym-socks5-client" + curl -fsSL -o nym-socks5-client "$CLIENT_URL" || { + warn "Direct download failed, trying tarball..." + # Try tarball + TARBALL_URL=$(curl -fsSL https://api.github.com/repos/nymtech/nym/releases/latest | grep "browser_download_url.*socks5.*${ARCH}.*tar" | head -1 | cut -d '"' -f 4) + if [ -n "$TARBALL_URL" ]; then + curl -fsSL -o nym-socks5.tar.gz "$TARBALL_URL" + tar xzf nym-socks5.tar.gz + mv nym-socks5-client nym-socks5-client 2>/dev/null || true + fi + } + + if [ ! -f nym-socks5-client ]; then + error "Could not download nym-socks5-client" + log "Please download manually from: https://github.com/nymtech/nym/releases" + return 1 + fi + + chmod +x nym-socks5-client + sudo mv nym-socks5-client /usr/local/bin/ + + log "nym-socks5-client installed!" 
+} + +case "$CHOICE" in + 1) install_nymconnect ;; + 2) install_socks5_client ;; + 3) + install_nymconnect + install_socks5_client + ;; + *) + error "Invalid choice" + exit 1 + ;; +esac + +echo "" +section "Installation Complete!" +echo "" + +cat << 'EOF' +Nym Mixnet has been installed. Here's how to use it: + +NYMCONNECT (GUI): + Launch: nymconnect + - Click "Connect" to start the SOCKS5 proxy + - Proxy runs on: 127.0.0.1:1080 + - Configure apps to use this SOCKS5 proxy + +NYM-SOCKS5-CLIENT (CLI): + # Initialize (first time only): + nym-socks5-client init --id my-client + + # Run: + nym-socks5-client run --id my-client + + # Proxy runs on: 127.0.0.1:1080 + +CONFIGURE APPLICATIONS: + Set SOCKS5 proxy to: 127.0.0.1:1080 + + Firefox: + Settings > Network > Manual Proxy > SOCKS Host: 127.0.0.1, Port: 1080 + + curl: + curl --socks5-hostname 127.0.0.1:1080 https://example.com + + SSH: + ssh -o ProxyCommand='nc -x 127.0.0.1:1080 %h %p' user@host + +WHAT NYM PROTECTS: + - Traffic timing analysis (messages are mixed and delayed) + - Metadata (who talks to whom) + - Network surveillance (even global passive adversaries) + +WHAT NYM DOES NOT PROTECT: + - Content (use E2E encryption like Signal on top) + - Exit node can see traffic (like Tor) + - Very slow compared to regular internet + +USE CASES: + - Anonymous messaging + - Privacy-critical communications + - When Tor isn't paranoid enough + +RESOURCES: + - https://nymtech.net/ + - https://docs.nymtech.net/ + +EOF + +echo ""
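Review bot: In the SESSION-NOTES.md deletion hunk (paired with the new `.gitignore` entry labelled "private dev notes"), removing the file and ignoring it only stops future commits from tracking it; the deleted content, including the Cryptomator fingerprint and the SimpleX troubleshooting notes, stays reachable in history at the old blob (`index 7162494..0000000`). If the notes were meant to be private, the history has to be rewritten (for example with `git filter-repo`) and the remote updated; if nothing in them is secret, which is how the deleted text reads, keeping them in the repo as documentation is simpler than ignoring them.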
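Review bot: In the TOOLS array hunk, `["libpam-u2f"]="PAM module for U2F/FIDO2 auth"` installs a PAM module that does nothing until it is referenced from `/etc/pam.d/`, and a wrong `pam_u2f.so` line there can lock a user out of sudo or login; either drop it from the blanket install list or add a comment pointing at a documented enrolment step (`pamu2fcfg` to generate the key mapping, tested from a second shell before the first one is closed). Also, `nmap` and `whois` sit under "Privacy Analysis & Recon" but are general network tools; the comment should say which privacy task they serve in this toolkit so the list stays coherent with the section names above it.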
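Review bot: In the USAGE heredoc hunk, the nmap examples use `target.com`, a real registered domain, while the rest of this patch uses `server.example.com`; switch to the reserved `example.com` (RFC 2606) so copy-pasted examples never hit someone else's host. In the paperkey section, `gpg --export-secret-key KEY_ID | paperkey --output secret.txt` writes the secret-key material to a plain text file; the comment should say that `secret.txt` is as sensitive as the key itself (protected only by the key's passphrase, if one is set), should be printed from an offline machine and then removed, and that the restore line `paperkey --pubring pubkey.gpg --secrets secret.txt | gpg --import` needs the matching exported public key, which the text mentions in passing but the example never produces.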
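Review bot: In the setup-gpg-yubikey-ssh.sh hunk, the dependency check tests `gpg`, `ykman` and the `pcscd` unit but never checks for `scdaemon`, even though the header comment lists it as required and `gpg --card-status` cannot see the card without it; since the script already assumes apt in its "Run: sudo apt install" hint, add `dpkg -s scdaemon >/dev/null 2>&1 || MISSING+=("scdaemon")` next to the other checks. In the NEXT heredoc, `IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh` hardcodes UID 1000 while the script itself derives the socket from `gpgconf --list-dirs agent-ssh-socket`; use `IdentityAgent SSH_AUTH_SOCK` (ssh_config reads the variable the script just exported) or print the real path. Finally, `log "Reload your shell or run: source $SHELL_RC"` prints an empty command when neither `~/.zshrc` nor `~/.bashrc` exists, so guard it on `SHELL_RC` being set as the earlier prompt already does.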
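Review bot: In the tools/i2p/install.sh hunk, the Debian fallback builds the sources line with `$(lsb_release -sc)`, but `lsb-release` is not in the `sudo apt install -y apt-transport-https curl gnupg` dependency step, and because the substitution sits inside an `echo` argument `set -e` does not catch its failure; the result is a sources entry with an empty codename. The script has already sourced `/etc/os-release`, so use `${VERSION_CODENAME}` instead. Also, the "already installed" check looks for `i2prouter` or `/usr/share/i2p`, which belong to the Java router, not to i2pd (whose binary is `i2pd` and whose config is `/etc/i2pd/i2pd.conf`, as the usage text itself says), so a second run never notices an existing i2pd install even though i2pd is the preferred path on every supported distro; add `command -v i2pd` to that test, and the closing `grep -q i2p.service` check likewise only matches the Java unit.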
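Review bot: In the tools/mullvad-browser/install.sh hunk, the signing key is fetched with `sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc ...` and trusted as-is, so TLS to repository.mullvad.net is the only thing authenticating the key that will then authenticate every package. Consider checking the downloaded key's fingerprint (`gpg --show-keys /usr/share/keyrings/mullvad-keyring.asc`) against the fingerprint Mullvad publishes, the same discipline the deleted session notes describe for Cryptomator, and run curl unprivileged with `| sudo tee` rather than as root. The Fedora branch also calls `dnf config-manager --add-repo`, which needs `dnf-plugins-core`, without installing or checking for it, and the Arch fallback uses `git` without a `command -v git` check.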
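Review bot: In the tools/nym/install.sh hunk, `LATEST_VERSION=$(curl ... | grep '"tag_name"' | sed ...)` runs under `set -euo pipefail`, so if the API call fails or returns no `tag_name` the pipeline's non-zero status aborts the script at the assignment and the `if [ -z "$LATEST_VERSION" ]` fallback is never reached; append `|| true` inside the substitution to make the fallback reachable. In the same file, the direct download `.../${LATEST_VERSION}/nym-socks5-client` ignores the `$ARCH` just detected, and the binary goes to `/usr/local/bin` via `sudo mv` with no checksum or signature check, so at minimum pin and verify a checksum before installing it; `mv nym-socks5-client nym-socks5-client 2>/dev/null || true` is a no-op; and with `CHOICE="2"` hardcoded the `1)` and `3)` branches and `install_nymconnect` are dead code while the EOF usage text still tells users to `Launch: nymconnect`, which this script never installs, so drop both the dead branches and the NYMCONNECT section.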