djedi/privacy-toolkit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add LICENSE, fix clone URL, exclude session notes, add i2p/nym/mullvad tools (WIP)

Browse source
This commit is contained in:
rpriven 2026-01-04 22:58:15 -07:00
parent 319efece5f
commit 9d30680295
Signed by: djedi
GPG key ID: D04DED574622EF45
9 changed files with 768 additions and 138 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -23,3 +23,6 @@ downloads/
# Local testing # Local testing
test-* test-*
scratch/ scratch/
# Session notes (private dev notes)
SESSION-NOTES.md

21
LICENSE Normal file
View file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 rpriven
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

2
README.md
View file

@ -15,7 +15,7 @@ Provide easy-to-install, well-documented privacy tools that protect against comm
```bash ```bash
# Clone the repository # Clone the repository
git clone https://github.com/YOUR_USERNAME/privacy-toolkit.git git clone https://github.com/rpriven/privacy-toolkit.git
cd privacy-toolkit cd privacy-toolkit
# Install a specific tool # Install a specific tool

135
SESSION-NOTES.md
View file

@ -1,135 +0,0 @@
# Privacy Toolkit - Session Notes
## 2025-11-12 - Initial Repository Setup
### 🎯 What We Built
Created a modular privacy toolkit with automated installation scripts for security-focused tools.
### ✅ Completed Tools (5)
1. **Dangerzone** - Document sanitization (Freedom of Press Foundation)
- Container-based PDF/Office sanitization
- Includes GPG keyring permission fix
- Full threat model documentation
2. **croc** - Secure P2P file transfer
- PAKE-based encryption
- Simple curl | bash installation
3. **age** - Modern file encryption
- Simpler than GPG
- Installed via apt
4. **VeraCrypt** - Full disk encryption
- Encrypted containers and full disk encryption
- Launchpad .deb download
- Version 1.26.7
5. **Cryptomator** - Cloud storage encryption
- Client-side encryption for cloud files
- Interactive .deb vs AppImage choice
- **Includes full verification guide** (GPG + SHA256)
### 📁 Repository Structure
```
privacy-toolkit/
├── README.md # Main documentation
├── TOOLS-LIST.md # Progress checklist
├── TOOLS-REFERENCE.md # Detailed tool descriptions
├── SESSION-NOTES.md # This file
└── tools/
├── age/
│ └── install.sh
├── croc/
│ └── install.sh
├── cryptomator/
│ ├── install.sh
│ └── VERIFICATION.md # GPG verification guide
├── dangerzone/
│ ├── install.sh
│ └── README.md
└── veracrypt/
└── install.sh
```
### 🔐 Key Features
- **Modular Design**: Each tool is self-contained
- **Security-First**: GPG verification, checksums, official sources
- **Educational**: Threat models explain WHY you need each tool
- **Consistent**: Same script structure across all tools
- **Practical**: Real-world verification example for Cryptomator
### 🎓 Security Practices Documented
Example verification workflow (Cryptomator):
1. Download .deb + .asc signature
2. Import GPG key
3. Verify fingerprint: `5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235`
4. Check SHA256 checksum
5. Verify GPG signature
6. Install if all checks pass
### 📊 Status
- **Tools Completed**: 5/30+
- **Priority Tools**: 1/6 (Dangerzone)
- **Documentation**: Comprehensive for completed tools
- **Git**: Not yet initialized (ready to be)
### 🎯 Next Steps
Potential additions:
- mat2 (metadata removal)
- Signal Desktop
- Tor Browser
- BleachBit
- firejail
- OnionShare
- ExifTool
### 💡 Design Decisions
1. **Cryptomator: .deb vs AppImage**
- Script offers choice
- Recommendation: .deb for better system integration
- AppImage for portability
2. **VeraCrypt: Version locking**
- Hardcoded 1.26.7 for stability
- Manual update recommended over auto-latest
3. **Dangerzone: GPG keyring fix**
- Includes chmod 644 fix for /etc/apt/keyrings/
- Solves permission denied error
### 🔗 Resources
- Official Cryptomator releases: https://github.com/cryptomator/cryptomator/releases
- Dangerzone: https://dangerzone.rocks/
- VeraCrypt: https://veracrypt.fr/
- Age: https://github.com/FiloSottile/age
- Croc: https://github.com/schollz/croc
---
**Created**: 2025-11-12
**Tools**: 5 complete, 25+ planned
**Focus**: Security, privacy, encryption, sanitization
## SimpleX Installation Discovery
**Issue**: SimpleX .deb packages have library compatibility issues across multiple distros.
**Confirmed broken:**
- Debian Trixie: Crashes with `SIGSEGV in libHSzstd`
- Pop!_OS: Required AppImage
**Solution**: Always use AppImage for SimpleX
- Script: `tools/simplex/install-appimage.sh`
- Location: `~/.local/bin/SimpleX.AppImage`
- Works universally across distros
**Lesson**: For complex cross-platform apps with many dependencies, prefer AppImage over distro-specific packages.

60
install-apt-tools.sh
View file

@ -42,6 +42,22 @@ declare -A TOOLS=(
# OSINT & Privacy Analysis # OSINT & Privacy Analysis
["sherlock"]="Username enumeration tool" ["sherlock"]="Username enumeration tool"
# YubiKey & Hardware Security Keys
["yubikey-manager"]="YubiKey configuration tool (ykman)"
["pcscd"]="PC/SC Smart Card Daemon"
["scdaemon"]="GPG smart card daemon"
["libpam-u2f"]="PAM module for U2F/FIDO2 auth"
# GPG Utilities
["paperkey"]="Extract GPG secret key for paper backup"
# Monitoring & Detection
["inotify-tools"]="Filesystem event monitoring (for honeyfiles)"
# Privacy Analysis & Recon
["nmap"]="Network scanner"
["whois"]="Domain/IP lookup"
) )
section "Privacy Toolkit - APT Tools Installation" section "Privacy Toolkit - APT Tools Installation"
@ -179,13 +195,53 @@ KeePassXC:
age: age:
# Generate key # Generate key
age-keygen -o key.txt age-keygen -o key.txt
# Encrypt file # Encrypt file
age -e -r <public-key> file.txt > file.txt.age age -e -r <public-key> file.txt > file.txt.age
# Decrypt file # Decrypt file
age -d -i key.txt file.txt.age > file.txt age -d -i key.txt file.txt.age > file.txt
YubiKey (ykman):
# List connected YubiKeys
ykman list
# Show detailed info
ykman info
# Check OTP slot status
ykman otp info
# Check OpenPGP status
ykman openpgp info
# GPG smart card status (requires pcscd running)
gpg --card-status
paperkey (GPG backup):
# Extract secret key to paper-friendly format
gpg --export-secret-key KEY_ID | paperkey --output secret.txt
# Restore from paper backup (needs public key)
paperkey --pubring pubkey.gpg --secrets secret.txt | gpg --import
inotify-tools (file monitoring):
# Watch directory for any changes
inotifywait -m -r /path/to/watch
# Trigger on specific events (access, modify, create)
inotifywait -m -e access,modify ~/.honeypot/
nmap (network scanning):
# Quick scan of local network
nmap -sn 192.168.1.0/24
# Service/version detection
nmap -sV target.com
# OS detection (requires root)
sudo nmap -O target.com
USAGE USAGE
echo "" echo ""

153
setup-gpg-yubikey-ssh.sh Executable file
View file

@ -0,0 +1,153 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# GPG + YubiKey SSH Authentication Setup
# ==============================================================================
# Configures GPG agent for YubiKey-based SSH authentication
# Run AFTER install-apt-tools.sh has installed yubikey-manager, pcscd, scdaemon
# ==============================================================================
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; }
section() { echo -e "${BLUE}=== $* ===${NC}"; }
section "GPG + YubiKey SSH Setup"
echo ""
# Check dependencies
log "Checking dependencies..."
MISSING=()
command -v gpg >/dev/null 2>&1 || MISSING+=("gnupg")
command -v ykman >/dev/null 2>&1 || MISSING+=("yubikey-manager")
systemctl list-unit-files | grep -q pcscd || MISSING+=("pcscd")
if [ ${#MISSING[@]} -gt 0 ]; then
error "Missing dependencies: ${MISSING[*]}"
echo "Run: sudo apt install ${MISSING[*]}"
exit 1
fi
log "All dependencies found"
echo ""
section "Configuring GPG Agent"
# Create ~/.gnupg if it doesn't exist
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
# Configure gpg-agent.conf
GPG_AGENT_CONF=~/.gnupg/gpg-agent.conf
if ! grep -q "enable-ssh-support" "$GPG_AGENT_CONF" 2>/dev/null; then
log "Adding enable-ssh-support to gpg-agent.conf"
echo "enable-ssh-support" >> "$GPG_AGENT_CONF"
else
log "enable-ssh-support already configured"
fi
echo ""
section "Shell Configuration"
echo ""
# Detect shell
SHELL_RC=""
if [ -n "${ZSH_VERSION:-}" ] || [ -f ~/.zshrc ]; then
SHELL_RC=~/.zshrc
elif [ -f ~/.bashrc ]; then
SHELL_RC=~/.bashrc
fi
SSH_AUTH_LINE='export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"'
echo "Add this to your shell config ($SHELL_RC or ~/.exports):"
echo ""
echo " $SSH_AUTH_LINE"
echo ""
if [ -n "$SHELL_RC" ]; then
read -p "Add to $SHELL_RC automatically? [y/N] " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
if ! grep -q "gpgconf --list-dirs agent-ssh-socket" "$SHELL_RC" 2>/dev/null; then
echo "" >> "$SHELL_RC"
echo "# GPG agent for SSH (YubiKey support)" >> "$SHELL_RC"
echo "$SSH_AUTH_LINE" >> "$SHELL_RC"
log "Added to $SHELL_RC"
else
log "Already configured in $SHELL_RC"
fi
fi
fi
echo ""
section "Restart GPG Agent"
log "Killing gpg-agent to apply changes..."
gpgconf --kill gpg-agent
echo ""
section "Testing Setup"
# Start pcscd if not running
if ! systemctl is-active --quiet pcscd; then
log "Starting pcscd..."
sudo systemctl start pcscd
fi
echo ""
log "Checking for YubiKey..."
if ykman list 2>/dev/null | grep -q "YubiKey"; then
log "YubiKey detected!"
ykman list
echo ""
log "Checking GPG card status..."
if gpg --card-status >/dev/null 2>&1; then
log "GPG sees the YubiKey!"
echo ""
gpg --card-status | head -15
else
warn "GPG can't see the card. Try: sudo systemctl restart pcscd"
fi
else
warn "No YubiKey detected. Plug one in and run: gpg --card-status"
fi
echo ""
section "Next Steps"
echo ""
cat << 'NEXT'
1. If you haven't moved GPG keys to YubiKey yet:
gpg --edit-key <KEY_ID>
> key 1 # select auth subkey
> keytocard # move to YubiKey (ONE-WAY!)
> save
2. Export your SSH public key from the YubiKey:
gpg --export-ssh-key <KEY_ID> > ~/.ssh/yubikey.pub
3. Add to remote servers:
ssh-copy-id -f -i ~/.ssh/yubikey.pub user@server
4. Configure SSH to use YubiKey (add to ~/.ssh/config):
Host server-yubikey
User youruser
HostName server.example.com
IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh
5. Test SSH:
ssh server-yubikey
NEXT
echo ""
section "Setup Complete!"
log "Reload your shell or run: source $SHELL_RC"
echo ""

190
tools/i2p/install.sh Executable file
View file

@ -0,0 +1,190 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# I2P (Invisible Internet Project) Installation
# ==============================================================================
# Anonymous overlay network using "garlic routing"
# - Internal network of hidden services (eepsites)
# - Anonymous torrenting
# - More resistant to traffic analysis than Tor for internal traffic
# - Every user is both client and relay
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; }
section() { echo -e "${BLUE}=== $* ===${NC}"; }
section "I2P Installation"
echo ""
# Check if already installed
if command -v i2prouter &>/dev/null || [ -d /usr/share/i2p ]; then
log "I2P appears to be already installed"
read -p "Reinstall/upgrade? [y/N] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log "Skipping installation"
exit 0
fi
fi
# Detect distro
if [ -f /etc/os-release ]; then
. /etc/os-release
DISTRO="${ID:-unknown}"
else
error "Cannot detect distribution"
exit 1
fi
log "Detected: $DISTRO"
case "$DISTRO" in
debian|ubuntu|linuxmint|pop)
# Try i2pd from repos first (C++ implementation - lighter, faster)
if apt-cache show i2pd &>/dev/null; then
section "Installing i2pd (C++ implementation) from Debian repos"
log "i2pd is a lighter, faster C++ implementation of I2P"
sudo apt update
sudo apt install -y i2pd
log "i2pd installed from Debian repositories"
else
section "Installing I2P via Official Repository"
warn "i2pd not in repos, trying official I2P repository..."
# Install dependencies
log "Installing dependencies..."
sudo apt update
sudo apt install -y apt-transport-https curl gnupg
# Add I2P repo signing key
log "Adding I2P repository key..."
curl -fsSL https://geti2p.net/_static/i2p-archive-keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/i2p-archive-keyring.gpg
sudo chmod 644 /usr/share/keyrings/i2p-archive-keyring.gpg
# Add I2P repository
log "Adding I2P repository..."
echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p2.de/ $(lsb_release -sc) main" | \
sudo tee /etc/apt/sources.list.d/i2p.list > /dev/null
# Install I2P
log "Installing I2P..."
sudo apt update
sudo apt install -y i2p i2p-keyring
fi
;;
fedora|rhel|centos)
section "Installing I2P via Copr"
log "Adding I2P Copr repository..."
sudo dnf copr enable -y i2p/i2p
log "Installing I2P..."
sudo dnf install -y i2p
;;
arch|manjaro|endeavouros)
section "Installing I2P via AUR"
if command -v yay &>/dev/null; then
log "Installing via yay..."
yay -S --noconfirm i2pd
elif command -v paru &>/dev/null; then
log "Installing via paru..."
paru -S --noconfirm i2pd
else
warn "No AUR helper found, installing i2pd manually..."
cd /tmp
git clone https://aur.archlinux.org/i2pd.git
cd i2pd
makepkg -si --noconfirm
cd ..
rm -rf i2pd
fi
;;
*)
error "Unsupported distribution: $DISTRO"
log "Please install manually from: https://geti2p.net/en/download"
exit 1
;;
esac
echo ""
section "Installation Complete!"
echo ""
cat << 'EOF'
I2P has been installed. Here's how to use it:
=== IF YOU INSTALLED i2pd (C++ version) ===
START i2pd:
sudo systemctl start i2pd
sudo systemctl enable i2pd # Auto-start on boot
WEB CONSOLE:
Open in browser: http://127.0.0.1:7070
PROXY PORTS:
HTTP Proxy: 127.0.0.1:4444 (for .i2p sites)
SOCKS Proxy: 127.0.0.1:4447
CONFIG FILE:
/etc/i2pd/i2pd.conf
=== IF YOU INSTALLED i2p (Java version) ===
START I2P:
sudo systemctl start i2p
# Or: i2prouter start
WEB CONSOLE:
Open in browser: http://127.0.0.1:7657
PROXY PORT:
HTTP Proxy: 127.0.0.1:4444
=== GENERAL USAGE ===
CONFIGURE YOUR BROWSER:
Set HTTP proxy to: 127.0.0.1:4444
(This lets you access .i2p eepsites)
FIRST-TIME SETUP:
1. Start I2P and wait ~5 minutes for network integration
2. Access the web console
3. Configure bandwidth limits based on your connection
POPULAR EEPSITES TO TEST:
- http://i2p-projekt.i2p (I2P Project homepage)
- http://stats.i2p (Network statistics)
SECURITY NOTES:
- I2P is for accessing I2P internal services (eepsites)
- Don't use I2P for regular web browsing (use Tor for that)
- Takes time to build up "tunnels" - be patient on first run
- More peers = better anonymity and speed
EOF
# Check if service is available
if systemctl list-unit-files | grep -q i2p.service; then
echo ""
log "To start I2P now: sudo systemctl start i2p"
log "To enable auto-start: sudo systemctl enable i2p"
fi
echo ""

163
tools/mullvad-browser/install.sh Executable file
View file

@ -0,0 +1,163 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Mullvad Browser Installation
# ==============================================================================
# Privacy-focused browser developed by Mullvad VPN and Tor Project
# - Based on Firefox ESR with Tor Browser privacy patches
# - Tor-like fingerprint resistance WITHOUT using Tor network
# - No telemetry, no accounts, no tracking
# - Designed to make all users look identical (anti-fingerprinting)
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; }
section() { echo -e "${BLUE}=== $* ===${NC}"; }
section "Mullvad Browser Installation"
echo ""
# Check if already installed
if command -v mullvad-browser &>/dev/null; then
log "Mullvad Browser already installed"
read -p "Reinstall/upgrade? [y/N] " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log "Skipping installation"
exit 0
fi
fi
# Detect distro
if [ -f /etc/os-release ]; then
. /etc/os-release
DISTRO="${ID:-unknown}"
DISTRO_VERSION="${VERSION_CODENAME:-${VERSION_ID:-unknown}}"
else
error "Cannot detect distribution"
exit 1
fi
log "Detected: $DISTRO $DISTRO_VERSION"
case "$DISTRO" in
debian|ubuntu|linuxmint|pop)
section "Installing via Mullvad APT Repository"
# Install dependencies
log "Installing dependencies..."
sudo apt update
sudo apt install -y curl gnupg apt-transport-https ca-certificates
# Add Mullvad signing key
log "Adding Mullvad signing key..."
sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc
sudo chmod 644 /usr/share/keyrings/mullvad-keyring.asc
# Add the repository
log "Adding Mullvad repository..."
ARCH=$(dpkg --print-architecture)
echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$ARCH] https://repository.mullvad.net/deb/stable stable main" | \
sudo tee /etc/apt/sources.list.d/mullvad.list > /dev/null
# Update and install
log "Installing Mullvad Browser..."
sudo apt update
sudo apt install -y mullvad-browser
;;
fedora|rhel|centos)
section "Installing via Mullvad RPM Repository"
# Add Mullvad repo
log "Adding Mullvad repository..."
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
# Install
log "Installing Mullvad Browser..."
sudo dnf install -y mullvad-browser
;;
arch|manjaro|endeavouros)
section "Installing via AUR"
if command -v yay &>/dev/null; then
log "Installing via yay..."
yay -S --noconfirm mullvad-browser-bin
elif command -v paru &>/dev/null; then
log "Installing via paru..."
paru -S --noconfirm mullvad-browser-bin
else
warn "No AUR helper found (yay/paru)"
log "Installing mullvad-browser-bin manually..."
cd /tmp
git clone https://aur.archlinux.org/mullvad-browser-bin.git
cd mullvad-browser-bin
makepkg -si --noconfirm
cd ..
rm -rf mullvad-browser-bin
fi
;;
*)
error "Unsupported distribution: $DISTRO"
log "Please install manually from: https://mullvad.net/en/download/browser"
exit 1
;;
esac
# Verify installation
echo ""
if command -v mullvad-browser &>/dev/null; then
section "Installation Complete!"
log "Mullvad Browser installed successfully"
echo ""
log "Launch with: mullvad-browser"
log "Documentation: https://mullvad.net/en/browser"
else
error "Installation may have failed - mullvad-browser command not found"
exit 1
fi
echo ""
section "Privacy Features"
echo ""
cat << 'EOF'
Mullvad Browser provides Tor Browser-level privacy WITHOUT Tor:
ANTI-FINGERPRINTING:
- All users have identical browser fingerprint
- Resistant to canvas, WebGL, audio fingerprinting
- Letterboxing to hide window size
- Timezone spoofing
TRACKING PROTECTION:
- uBlock Origin pre-installed
- First-party isolation
- Strict tracking protection
- No telemetry or crash reports
PRIVACY BY DEFAULT:
- No accounts or sync
- Private browsing mode encouraged
- HTTPS-Only mode
- WebRTC leak prevention
USE CASE:
- When you want Tor-level privacy but need regular internet speed
- When Tor is blocked or too slow
- For general private browsing without anonymity requirements
NOTE: Does NOT route traffic through Tor - use Tor Browser for anonymity
EOF
echo ""

179
tools/nym/install.sh Executable file
View file

@ -0,0 +1,179 @@
#!/bin/bash
set -euo pipefail
# ==============================================================================
# Nym Mixnet Installation
# ==============================================================================
# Next-generation mixnet for metadata-resistant communication
# - Protects against global passive adversaries
# - Uses mix nodes to shuffle and delay traffic
# - Decentralized with cryptocurrency incentives
# - More advanced privacy than Tor for messaging
# ==============================================================================
# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*"; }
section() { echo -e "${BLUE}=== $* ===${NC}"; }
section "Nym Mixnet Installation"
echo ""
# Note: NymConnect desktop app has been deprecated/moved
# The nym-socks5-client CLI is the recommended approach now
echo "Installing nym-socks5-client (CLI SOCKS5 proxy)..."
echo ""
echo "Note: NymConnect desktop app has been deprecated."
echo "The CLI client is the recommended and maintained option."
echo ""
CHOICE="2"
# Detect architecture
ARCH=$(uname -m)
case "$ARCH" in
x86_64) ARCH="x86_64" ;;
aarch64) ARCH="aarch64" ;;
*)
error "Unsupported architecture: $ARCH"
exit 1
;;
esac
log "Architecture: $ARCH"
# Get latest release version
log "Fetching latest Nym release..."
LATEST_VERSION=$(curl -fsSL https://api.github.com/repos/nymtech/nym/releases/latest | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
if [ -z "$LATEST_VERSION" ]; then
warn "Could not determine latest version, using fallback"
LATEST_VERSION="nym-binaries-v2024.13-magura"
fi
log "Latest version: $LATEST_VERSION"
# NymConnect desktop app has been deprecated
# Keeping this function for reference but it's no longer called
install_nymconnect() {
warn "NymConnect desktop app has been deprecated by Nym"
warn "Please use nym-socks5-client CLI instead"
log "For GUI, consider using a SOCKS5 proxy manager with nym-socks5-client"
return 0
}
install_socks5_client() {
section "Installing nym-socks5-client CLI"
# Check for existing installation
if command -v nym-socks5-client &>/dev/null; then
log "nym-socks5-client appears to be installed: $(nym-socks5-client --version 2>/dev/null || echo 'version unknown')"
read -p "Reinstall? [y/N] " -n 1 -r
echo
[[ ! $REPLY =~ ^[Yy]$ ]] && return
fi
log "Downloading nym-socks5-client..."
cd /tmp
# Try to download the client binary
CLIENT_URL="https://github.com/nymtech/nym/releases/download/${LATEST_VERSION}/nym-socks5-client"
curl -fsSL -o nym-socks5-client "$CLIENT_URL" || {
warn "Direct download failed, trying tarball..."
# Try tarball
TARBALL_URL=$(curl -fsSL https://api.github.com/repos/nymtech/nym/releases/latest | grep "browser_download_url.*socks5.*${ARCH}.*tar" | head -1 | cut -d '"' -f 4)
if [ -n "$TARBALL_URL" ]; then
curl -fsSL -o nym-socks5.tar.gz "$TARBALL_URL"
tar xzf nym-socks5.tar.gz
mv nym-socks5-client nym-socks5-client 2>/dev/null || true
fi
}
if [ ! -f nym-socks5-client ]; then
error "Could not download nym-socks5-client"
log "Please download manually from: https://github.com/nymtech/nym/releases"
return 1
fi
chmod +x nym-socks5-client
sudo mv nym-socks5-client /usr/local/bin/
log "nym-socks5-client installed!"
}
case "$CHOICE" in
1) install_nymconnect ;;
2) install_socks5_client ;;
3)
install_nymconnect
install_socks5_client
;;
*)
error "Invalid choice"
exit 1
;;
esac
echo ""
section "Installation Complete!"
echo ""
cat << 'EOF'
Nym Mixnet has been installed. Here's how to use it:
NYMCONNECT (GUI):
Launch: nymconnect
- Click "Connect" to start the SOCKS5 proxy
- Proxy runs on: 127.0.0.1:1080
- Configure apps to use this SOCKS5 proxy
NYM-SOCKS5-CLIENT (CLI):
# Initialize (first time only):
nym-socks5-client init --id my-client
# Run:
nym-socks5-client run --id my-client
# Proxy runs on: 127.0.0.1:1080
CONFIGURE APPLICATIONS:
Set SOCKS5 proxy to: 127.0.0.1:1080
Firefox:
Settings > Network > Manual Proxy > SOCKS Host: 127.0.0.1, Port: 1080
curl:
curl --socks5-hostname 127.0.0.1:1080 https://example.com
SSH:
ssh -o ProxyCommand='nc -x 127.0.0.1:1080 %h %p' user@host
WHAT NYM PROTECTS:
- Traffic timing analysis (messages are mixed and delayed)
- Metadata (who talks to whom)
- Network surveillance (even global passive adversaries)
WHAT NYM DOES NOT PROTECT:
- Content (use E2E encryption like Signal on top)
- Exit node can see traffic (like Tor)
- Very slow compared to regular internet
USE CASES:
- Anonymous messaging
- Privacy-critical communications
- When Tor isn't paranoid enough
RESOURCES:
- https://nymtech.net/
- https://docs.nymtech.net/
EOF
echo ""