diff --git a/documentation/operators/src/changelog.md b/documentation/operators/src/changelog.md index 1d3e495664..088fe6e15a 100644 --- a/documentation/operators/src/changelog.md +++ b/documentation/operators/src/changelog.md 
@@ -93,6 +93,137 @@ sudo -E ./nym-vpn-cli -c ../qa.env run --entry-gateway-id $entry_gateway --exit- ### Operators Guide updates +* [WireGuard tunnel configuration guide](nodes/configuration.md#routing-configuration) for `nym-node` (currently Gateways functionalities). For simplicity we made a detailed step by step guide to upgrade an existing `nym-node` to the latest version and configure your VPS routing for WireGuard. Open by clicking on the example block below. + +~~~admonish example collapsible=true title='Upgrading `nym-node` with WG' +**Prerequisites** + +- **Nym Node Version:** You must be running the `2024.9-topdeck` release branch, which operates as `nym-node` version `1.1.6`. You can find the release here: [Nym 2024.9-topdeck Release](https://github.com/nymtech/nym/releases/tag/nym-binaries-v2024.9-topdeck). + +- **Important:** Before proceeding, make sure to [back up](nodes/maintenance.md#backup-a-node) your current `nym-node` configuration to avoid any potential data loss or issues. + + +- **Download Nym Node:** + - You can download the `nym-node` binary directly using the following command: +```bash +curl -s https://github.com/nymtech/nym/releases/tag/nym-binaries-v2024.9-topdeck/nym-node -o nym-node && chmod u+x nym-node +``` + +**Step 1: Update UFW Firewall Rules** + +- **Warning:** Enabling the firewall with UFW without allowing SSH port 22 first will lead to losing access over SSH. Make sure port 22 is allowed before proceeding with any UFW configurations. + +Run the following as root or with `sudo` prefix: + +1. Check the current status of UFW (Uncomplicated Firewall): +```bash +ufw status +``` + +2. 
Ensure that the following ports are allowed on your machine before adding the WireGuard port: + +```bash +ufw allow 22/tcp # SSH - you're in control of these ports +ufw allow 80/tcp # HTTP +ufw allow 443/tcp # HTTPS +ufw allow 1789/tcp # Nym specific +ufw allow 1790/tcp # Nym specific +ufw allow 8080/tcp # Nym specific - nym-node-api +ufw allow 9000/tcp # Nym Specific - clients port +ufw allow 9001/tcp # Nym specific - wss port +ufw allow 51822/udp # WireGuard +``` + +3. Confirm that the UFW rules have been updated: +```bash +ufw status +``` + +**Step 2: Download and Prepare the Network Tunnel Manager Script** + +1. Download the [`network_tunnel_manager.sh`](https://gist.github.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77) script: +```bash +curl -L -o network_tunnel_manager.sh https://gist.githubusercontent.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77/raw/3c0a38c1416f8fdf22906c013299dd08d1497183/network_tunnel_manager.sh +``` + +2. Make the script executable: +```bash +chmod u+x network_tunnel_manager.sh +``` + +3. Apply the WireGuard IPTables rules: +```bash +./network_tunnel_manager.sh apply_iptables_rules_wg +``` + +**Step 3: Update the Nym Node Service File** + +1. Modify your [`nym-node` service file](nodes/configuration.md#systemd) to enable WireGuard. Open the file (usually located at `/etc/systemd/system/nym-node.service`) and update the `[Service]` section as follows: + +```ini +[Service] +User= +Type=simple +#Environment=RUST_LOG=debug +# CAHNGE PATH IF YOU DON'T RUN IT FROM ROOT HOME DIRECTORY +ExecStart=/root/nym-node run --mode exit-gateway --id --accept-operator-terms-and-conditions --wireguard-enabled true +Restart=on-failure +RestartSec=30 +StartLimitInterval=350 +StartLimitBurst=10 +LimitNOFILE=65536 + +[Install] +WantedBy=multi-user.target + +# ADD OR TWEAK ANY CUSTOM SETTINGS +``` + +2. Reload the systemd daemon to apply the changes: +```bash +systemctl daemon-reload +``` + +3. 
Restart the `nym-node service`: +```bash +systemctl restart nym-node.service +``` + +4. Optionally, you can check if the node is running correctly by monitoring the service logs: +```bash +journalctl -u nym-node.service -f -n 100 +``` + +**Step 4: Run the Network Tunnel Manager Script** + +Finally, run the following command to initiate our favorite routing test - run the joke through the WireGuard tunnel: +```bash +./network_tunnel_manager.sh joke_through_wg_tunnel +``` +~~~ + +* [Change `--wireguard-enabled` flag to `true`](nodes/setup.md#-initialise--run): With a proper [routing configuration](nodes/configuration.md#routing-configuration) `nym-nodes` running as Gateways can now enable WG. See the example below: + +~~~admonish example collapsible=true title='Syntax to run `nym-node` with WG enabled' +For Exit Gateway: +```sh +./nym-node run --id --mode exit-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location --accept-operator-terms-and-conditions --wireguard-enabled true + +# is in format without 'https://' prefix +# is format like 'Jamaica', or two-letter alpha2 (e.g. 'JM'), three-letter alpha3 (e.g. 'JAM') or three-digit numeric-3 (e.g. '388') can be provided. +# wireguard can be enabled from version 1.1.6 onwards +``` + +For Entry Gateway: +```sh +./nym-node run --id --mode entry-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --accept-operator-terms-and-conditions --wireguard-enabled true + +# is in format without 'https://' prefix +# is format like 'Jamaica', or two-letter alpha2 (e.g. 'JM'), three-letter alpha3 (e.g. 'JAM') or three-digit numeric-3 (e.g. '388') can be provided. 
+# wireguard can be enabled from version 1.1.6 onwards +``` +~~~ + * [Update Nym exit policy](https://nymtech.net/.wellknown/network-requester/exit-policy.txt): Based on the survey, AMA and following discussions we added several ports to Nym exit policy. The ports voted upon in the [forum governance](https://forum.nymtech.net/t/poll-a-new-nym-exit-policy-for-exit-gateways-and-the-nym-mixnet-is-inbound/464) have not been added yet due to the concerns raised. These ports were unrestricted: ~~~admonish example collapsible=true title='Newly opened ports in Nym exit policy' diff --git a/documentation/operators/src/nodes/configuration.md b/documentation/operators/src/nodes/configuration.md index 87d2f795ed..dd57723c31 100644 --- a/documentation/operators/src/nodes/configuration.md +++ b/documentation/operators/src/nodes/configuration.md 
@@ -140,7 +140,7 @@ Basically, you want the full `///nym-mixnode run --id [entry-gateway] -> [mixnode layer 1] -> [your mixnode] -> [IPv6 mixnode layer3] -> [exit-gateway] ``` In this (unusual) case your `mixnode` will not be able to route the packets. The node will drop the packets and its performance would go down. For that reason it's beneficial to have IPv6 enabled when running a `mixnode` functionality. -### Quick IPv6 Check +```admonish info +We recommend operators to configure their `nym-node` with the full routing configuration. -```admonish caution -Make sure to keep your IPv4 address enabled while setting up IPv6, as the majority of routing goes through that one! +However, most of the time the packets sent through the Mixnet are IPv4 based. The IPv6 packets are still pretty rare and therefore it's not mandatory from operational point of view to have this configuration implemented if you running only `mixnode` mode. + +If you preparing to run a `nym-node` with all modes enabled in the future, this setup is required. ``` +```admonish tip title="Delegation Program" +For everyone participating in Delegation Program or Service Grant program, this setup is a requirement! +``` + +### Quick IPv6 Check + You can always check IPv6 address and connectivity by using some of these methods: +~~~admonish example collapsible=true ```sh # locally listed IPv6 addresses ip -6 addr 
@@ -221,55 +231,69 @@ curl -6 https://ipv6.icanhazip.com # using telnet telnet -6 ipv6.telnetmyip.com ``` +~~~ -### IPv6 Configuration +```admonish caution +Make sure to keep your IPv4 address enabled while setting up IPv6, as the majority of routing goes through that one! +``` -While we're working on Rust implementation to have these settings as a part of the binary build, we wrote a script to solve these connectivity requirements in the meantime we wrote a script [`network_tunnel_manager.sh`](https://gist.github.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77) to support the operators to configure their servers and address all the connectivity requirements. +### Routing Configuration + +While we're working on Rust implementation to have these settings as a part of the binary build, to solve these connectivity requirements in the meantime we wrote a script [`network_tunnel_manager.sh`](https://gist.github.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77) to support the operators to configure their servers and address all the connectivity requirements. Networking configuration across different ISPs and various operation systems does not have a generic solution. If the provided configuration setup doesn't solve your problem check out [IPv6 troubleshooting](../troubleshooting/vps-isp.md#ipv6-troubleshooting) page. Be aware that you may have to do more research and customised adjustments. -#### Mode: `exit-gateway` The `nymtun0` interface is dynamically managed by the `exit-gateway` service. When the service is stopped, `nymtun0` disappears, and when started, `nymtun0` is recreated. -The script should be used in a context where `nym-node --mode exit-gateway` is running to fully utilise its capabilities, particularly for fetching IPv6 addresses or applying network rules that depend on the `nymtun0` interface. 
+The script should be used in a context where `nym-node`is running to fully utilise its capabilities, particularly for fetching IPv6 addresses or applying network rules that depend on the `nymtun0` interface and to establish a WireGuard tunnel. + +Before starting with the following, make sure you have the [latest `nym-node` binary](https://github.com/nymtech/nym/releases/) installed and your [VPS setup](vps-setup.md) finished properly! 1. Download `network_tunnel_manager.sh`, make executable and run: ```sh -curl -o network_tunnel_manager.sh -L https://gist.githubusercontent.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77/raw/9d785d6ee3aa2970553633eccbd89a827f49fab5/network_tunnel_manager.sh && chmod +x network_tunnel_manager.sh && ./network_tunnel_manager.sh +curl -L -o network_tunnel_manager.sh https://gist.githubusercontent.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77/raw/3c0a38c1416f8fdf22906c013299dd08d1497183/network_tunnel_manager.sh && \ +chmod +x network_tunnel_manager.sh && \ +./network_tunnel_manager.sh ``` -Here is a quick command explanation, for more details on the `network_tunnel_manager.sh` script, refer to the [overview](https://gist.github.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77) under the code block. +2. Make sure your `nym-node` service is up and running +- **If you setting up a new node and not upgrading an existing one, keep it running and [bond](bonding.md) your node now**. Then come back here and follow the rest of the configuration. -~~~admonish example collapsible=true title="A summarized usage of `network_tunnel_manager.sh`" +```admonish tip title="" +Run the following steps as root or with `sudo` prefix! +``` + +3. Display IPv6: +- At this point you should see a `global ipv6` address. ```sh -summary: -This is a comprehensive script for configuring network packet forwarding and iptables rules, -aimed at ensuring smooth operation of a tunnel interface. 
-It includes functionality for both setup and tear-down of nymtun network configurations, -alongside diagnostics for verifying system settings and network connectivity. - -* fetch_ipv6_address_nym_tun - Fetches the IPv6 address assigned to the 'nymtun0'. -* fetch_and_display_ipv6 - Displays the IPv6 address on the default network device. -* apply_iptables_rules - Applies necessary IPv4 and IPv6 iptables rules. -* remove_iptables_rules - Removes applied IPv4 and IPv6 iptables rules. -* check_ipv6_ipv4_forwarding - Checks if IPv4 and IPv6 forwarding are enabled. -* check_nymtun_iptables - Check nymtun0 device -* perform_ipv4_ipv6_pings - Perform ipv4 and ipv6 pings to google -* check_ip6_ipv4_routing - Check ipv6 and ipv4 routing -* joke_through_the_mixnet - Run a joke through the mixnet via ipv4 and ipv6 +./network_tunnel_manager.sh fetch_and_display_ipv6 +``` +~~~admonish example collapsible=true title="Correct `./network_tunnel_manager.sh fetch_and_display_ipv6` output:" +```sh +iptables-persistent is already installed. +Using IPv6 address: 2001:db8:a160::1/112 #the address will be different for you +operation fetch_ipv6_address_nym_tun completed successfully. ``` ~~~ - - To run the script next time, just enter `./network_tunnel_manager ` +4. Apply the rules for IPv4 and IPv6: +```sh +./network_tunnel_manager.sh apply_iptables_rules +``` + +- The process may prompt you if you want to save current IPv4 and IPv6 rules, choose yes. + +![](../images/ip_table_prompt.png) -2. Make sure your `nym-node --mode exit-gateway` service is up running +5. Check Nymtun IP tables: +- If there's no process running it wouldn't return anything. +- In case you see `nymtun0` but not active, this is probably because you are setting up a new (never bonded) node and not upgrading an existing one. -3. 
Check Nymtun IP tables: ```sh -sudo ./network_tunnel_manager.sh check_nymtun_iptables +./network_tunnel_manager.sh check_nymtun_iptables ``` ~~~admonish example collapsible=true title="Correct `./network_tunnel_manager.sh check_nymtun_iptables` output:" 
@@ -303,40 +327,19 @@ operation check_nymtun_iptables completed successfully. ``` ~~~ - - If there's no process running it wouldn't return anything. - - In case you see `nymtun0` but not active, this is probably because you are setting up a new (never bonded) node and not upgrading an exisitng one. In that case you need to [bond](bonding.md) your node now. +6. Apply the rules for WG routing: -4. Display IPv6: ```sh -sudo ./network_tunnel_manager.sh fetch_and_display_ipv6 +./network_tunnel_manager.sh apply_iptables_rules_wg ``` - - if you have a `global ipv6` address this is good -~~~admonish example collapsible=true title="Correct `./network_tunnel_manager.sh fetch_and_display_ipv6` output:" -```sh -iptables-persistent is already installed. -Using IPv6 address: 2001:db8:a160::1/112 #the address will be different for you -operation fetch_ipv6_address_nym_tun completed successfully. -``` -~~~ +7. At this point your node needs to be [bonded](bonding.md) to the API for `nymtun0` to interact with the network. After bonding please follow up with the remaining steps below to ensure that your node is routing properly. -5. Apply the rules: -```sh -sudo ./network_tunnel_manager.sh apply_iptables_rules -``` - - - The process may prompt you if you want to save current IPv4 and IPv6 rules, choose yes. - -![](../images/ip_table_prompt.png) - - - check IPv6 again like in point 3 - -6. At this point your node needs to be [bonded](bonding.md) to the API for `nymtun0` to interact with the network. After bonding please follow up with the remaining streps below to ensure that your Exit Gateway is routing properly. - -7. Check `nymtun0` interface: +8. Check `nymtun0` interface: ```sh ip addr show nymtun0 ``` + ~~~admonish example collapsible=true title="Correct `ip addr show nymtun0` output:" ```sh # your addresses will be different 
@@ -351,82 +354,28 @@ ip addr show nymtun0 ``` ~~~ -8. Validate your IPv6 and IPv4 networking by running a joke via Mixnet: -```sh -sudo ./network_tunnel_manager.sh joke_through_the_mixnet -``` - -Make sure that you get the validation of IPv4 and IPv6 connectivity. If there are still any problems, please refer to [troubleshooting section](../troubleshooting/vps-isp.md#incorrect-gateway-network-check). - -#### Mode: `mixnode` - -```admonish caution title="" -Most of the time the packets sent through the Mixnet are IPv4 based. The IPv6 packets are still pretty rare and therefore it's not mandatory from operational point of view. If you preparing to run a `nym-node` with all modes enabled once this option is implemented, then the IPv6 setup on your VPS is required. -``` - -1. Download `network_tunnel_manager.sh`, make executable and run: - -```sh -curl -o network_tunnel_manager.sh -L https://gist.githubusercontent.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77/raw/9d785d6ee3aa2970553633eccbd89a827f49fab5/network_tunnel_manager.sh && chmod +x network_tunnel_manager.sh && ./network_tunnel_manager.sh -``` - -Here is a quick command explanation, for more details on the `network_tunnel_manager.sh` script, refer to the [overview](https://gist.github.com/tommyv1987/ccf6ca00ffb3d7e13192edda61bb2a77) under the code block. Mind that for `mixnode` VPS setup we will use only a few of the commands. - -~~~admonish example collapsible=true title="A summarized usage of `network_tunnel_manager.sh`" +9. Validate your IPv6 and IPv4 networking by running a joke test via Mixnet: ```sh -summary: -This is a comprehensive script for configuring network packet forwarding and iptables rules, -aimed at ensuring smooth operation of a tunnel interface. -It includes functionality for both setup and tear-down of nymtun network configurations, -alongside diagnostics for verifying system settings and network connectivity. 
- -* fetch_ipv6_address_nym_tun - Fetches the IPv6 address assigned to the 'nymtun0'. -* fetch_and_display_ipv6 - Displays the IPv6 address on the default network device. -* apply_iptables_rules - Applies necessary IPv4 and IPv6 iptables rules. -* remove_iptables_rules - Removes applied IPv4 and IPv6 iptables rules. -* check_ipv6_ipv4_forwarding - Checks if IPv4 and IPv6 forwarding are enabled. -* check_nymtun_iptables - Check nymtun0 device -* perform_ipv4_ipv6_pings - Perform ipv4 and ipv6 pings to google -* check_ip6_ipv4_routing - Check ipv6 and ipv4 routing -* joke_through_the_mixnet - Run a joke through the mixnet via ipv4 and ipv6 - +./network_tunnel_manager.shjoke_through_the_mixnet ``` -~~~ - - - To run the script next time, just enter `./network_tunnel_manager ` -2. Display IPv6: +10. Validate your tunneling by running a joke test via WG: ```sh -sudo ./network_tunnel_manager.sh fetch_and_display_ipv6 +./network_tunnel_manager.sh joke_through_wg_tunnel ``` - - if you have a `global ipv6` address this is good -~~~admonish example collapsible=true title="Correct `./network_tunnel_manager.sh fetch_and_display_ipv6` output:" +11. Now you can run your node with the `--wireguard-enabled true` flag or add it to your [systemd service config](#systemd). Restart your `nym-node` or [systemd](#following-steps-for-nym-nodes-running-as-systemd-service) service (recommended): ```sh -iptables-persistent is already installed. -Using IPv6 address: 2001:db8:a160::1/112 #the address will be different for you -operation fetch_ipv6_address_nym_tun completed successfully. +systemctl daemon-reload && systemctl restart nym-node.service ``` -~~~ - -3. Apply the rules: +- Optionally, you can check if the node is running correctly by monitoring the service logs: ```sh -sudo ./network_tunnel_manager.sh apply_iptables_rules +journalctl -u nym-node.service -f -n 100 ``` - - The process may prompt you if you want to save current IPv4 and IPv6 rules, choose yes. 
- -![](../images/ip_table_prompt.png) - - - check IPv6 again like in point 2 - -4. Check connectivity -```sh -telnet -6 ipv6.telnetmyip.com -``` +Make sure that you get the validation of all connectivity. If there are still any problems, please refer to [troubleshooting section](../troubleshooting/vps-isp.md#incorrect-gateway-network-check). -Make sure that you get the validation of IPv4 and IPv6 connectivity. If there are still any problems, please refer to [troubleshooting section](../troubleshooting/vps-isp.md#incorrect-gateway-network-check). ## Next Steps -There are a few more good suggestions for `nym-node` VPS configuration, especially to be considered for `exit-gateway` functionality, like Web Secure Socket or Reversed Proxy setup. Visit [Proxy configuration](proxy-configuration.md) page to see the guides. +There are a few more good suggestions for `nym-node` configuration, like Web Secure Socket or Reversed Proxy setup. These are optional and you can skip them if you want. Visit [Proxy configuration](proxy-configuration.md) page to see the guides. diff --git a/documentation/operators/src/nodes/maintenance.md b/documentation/operators/src/nodes/maintenance.md index 00b91f1b69..df109c7f83 100644 --- a/documentation/operators/src/nodes/maintenance.md +++ b/documentation/operators/src/nodes/maintenance.md 
@@ -344,22 +344,18 @@ less ~/.nym/nym-nodes/default-nym-node/config/config.toml ## Ports All ``-specific port configuration can be found in `$HOME/.nym///config/config.toml`. If you do edit any port configs, remember to restart your client and node processes. -### Nym Node: Mixnode mode port reference +### Nym Node Port Reference | Default port | Use | | ------------ | ------------------------- | | `1789` | Listen for Mixnet traffic | | `1790` | Listen for VerLoc traffic | | `8080` | Metrics http API endpoint | - - -### Nym Node: Gateway modes port reference -| Default port | Use | -|--------------|---------------------------| | `1789` | Listen for Mixnet traffic | | `9000` | Listen for Client traffic | | `9001` | WSS | +| `51822/udp` | WireGuard | -### Validator port reference +### Validator Port Reference All validator-specific port configuration can be found in `$HOME/.nymd/config/config.toml`. If you do edit any port configs, remember to restart your validator. | Default port | Use | diff --git a/documentation/operators/src/nodes/nym-node.md b/documentation/operators/src/nodes/nym-node.md index c33cce3ef3..a95b67657a 100644 --- a/documentation/operators/src/nodes/nym-node.md +++ b/documentation/operators/src/nodes/nym-node.md 
@@ -6,21 +6,25 @@ If you are a `nym-mixnode` or `nym-gateway` operator and you are not familiar wi NYM NODE is a tool for running a node within the Nym network. Nym Nodes containing functionality such as `mixnode`, `entry-gateway` and `exit-gateway` are fundamental components of Nym Mixnet architecture. Nym Nodes are ran by decentralised node operators. -To setup any type of Nym Node, start with either building [Nym's platform](../binaries/building-nym.md) from source or download [pre-compiled binaries](../binaries/pre-built-binaries.md) on the [configured server (VPS)](vps-setup.md) where you want to run the node. Nym Node will need to be bond to [Nym's wallet](wallet-preparation.md). Follow [preliminary steps](preliminary-steps.md) page before you initialise and run a node. +To setup any type of Nym Node, start with either building [Nym's platform](../binaries/building-nym.md) from source or download [pre-compiled binaries](../binaries/pre-built-binaries.md) on the [configured server (VPS)](vps-setup.md) where you want to run the node. Your Nym Node will need to be bonded before it can be run. We recommend most users use the [Nym desktop wallet](wallet-preparation.md) for this. -```admonish info -**Migrating an existing node to a new `nym-node` is simple. The steps are documented on the [next page](setup.md#migrate)** -``` +**Follow [preliminary steps](preliminary-steps.md) page before you configure and run a `nym-node`!** ## Steps for Nym Node Operators -Once VPS and Nym wallet are configured, binaries ready, the operators of `nym-node` need to: +Once [VPS and Nym wallet are configured](preliminary-steps.md), binaries ready, the operators of `nym-node` need to: + +1. **[Setup](setup.md) the node** + +2. **[Configure](configuration.md) the node and optionally automation, Wireguard, WSS, reversed proxy ...** -1. **[Setup & Run](setup.md) the node** +3. 
**[Run](setup.md#initialise--run) the node or [the service](configuration.md#following-steps-for-nym-nodes-running-as-systemd-service)** -2. **[Configure](configuration.md) the node** (and optionally WSS, reversed proxy, automation) +4. **[Bond](bonding.md) the node to the Nym API, using Nym wallet** -3. **[Bond](bonding.md) the node to the Nym API, using Nym wallet** +Make sure to follow the steps thoroughly, in case you find any point difficult don't hesitate to ask in our [Operators channel](https://matrix.to/#/#operators:nymtech.chat). + + diff --git a/documentation/operators/src/nodes/setup.md b/documentation/operators/src/nodes/setup.md index f35185e040..542dc7d883 100644 --- a/documentation/operators/src/nodes/setup.md +++ b/documentation/operators/src/nodes/setup.md @@ -82,10 +82,8 @@ To list all available flags for each command, run `./nym-node --help` ``` ~~~ -```admonish bug -The Wireguard flags currently have limited functionality. This feature is under development and testing. - -**Keep Wireguard disabled for the time being!** +```admonish warning +The Wireguard flags currently have limited functionality. From version `1.1.6` ([`v2024.9-topdeck`](https://github.com/nymtech/nym/releases/tag/nym-binaries-v2024.9-topdeck)) wireguard is available and recommended to be switched on for nodes running as Gateways. Keep in mind that this option needs a bit of a special [configuration](configuration.md#wireguard-setup). ``` #### Flags Summary 
@@ -170,11 +168,11 @@ To prevent over-flooding of our documentation we cannot provide with every singl ./nym-node run --mode exit-gateway # with other options -./nym-node run --id --mode exit-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location --accept-operator-terms-and-conditions --wireguard-enabled false +./nym-node run --id --mode exit-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location --accept-operator-terms-and-conditions --wireguard-enabled true # is in format without 'https://' prefix # is format like 'Jamaica', or two-letter alpha2 (e.g. 'JM'), three-letter alpha3 (e.g. 'JAM') or three-digit numeric-3 (e.g. '388') can be provided. -# keep wireguard disabled +# wireguard can be enabled from version 1.1.6 onwards ``` **Initialise only** without running the node with `--init-only` command : 
@@ -184,11 +182,11 @@ To prevent over-flooding of our documentation we cannot provide with every singl ./nym-node run --init-only --mode exit-gateway # with a custom `--id` and other options -./nym-node run --id --init-only --mode exit-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location --accept-operator-terms-and-conditions --wireguard-enabled false +./nym-node run --id --init-only --mode exit-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location --accept-operator-terms-and-conditions --wireguard-enabled true # is in format without 'https://' prefix # is format like 'Jamaica', or two-letter alpha2 (e.g. 'JM'), three-letter alpha3 (e.g. 'JAM') or three-digit numeric-3 (e.g. '388') can be provided. -# keep wireguard disabled +# wireguard can be enabled from version 1.1.6 onwards ``` Run the node with custom `--id` without initialising, using `--deny-init` command 
@@ -203,7 +201,16 @@ Run the node with custom `--id` without initialising, using `--deny-init` comman ./nym-node run --mode entry-gateway ``` -Initialise only with a custom `--id` and `--init-only` command: +Initialise & run with all options +```sh +./nym-node run --id --mode entry-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --accept-operator-terms-and-conditions --wireguard-enabled true + +# is in format without 'https://' prefix +# is format like 'Jamaica', or two-letter alpha2 (e.g. 'JM'), three-letter alpha3 (e.g. 'JAM') or three-digit numeric-3 (e.g. '388') can be provided. +# wireguard can be enabled from version 1.1.6 onwards +``` + +Initialise only, with an `--init-only` command (a custom `--id` used): ```sh ./nym-node run --id --init-only --mode entry-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname "" --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --accept-operator-terms-and-conditions ``` diff --git a/documentation/operators/src/nodes/vps-setup.md b/documentation/operators/src/nodes/vps-setup.md index 1594d6a147..6cbba86cdf 100644 --- a/documentation/operators/src/nodes/vps-setup.md +++ b/documentation/operators/src/nodes/vps-setup.md 
@@ -97,18 +97,26 @@ ufw enable ufw status ``` -2. Open all needed ports to have your firewall working correctly: +2. Open all needed ports to have your firewall for `nym-node` working correctly: ```sh -# for nym-node -ufw allow 1789,1790,8080,9000,9001,22/tcp - -# in case of planning to setup a WSS (for Gateway functionality) -ufw allow 9001/tcp +ufw allow 22/tcp # SSH - you're in control of these ports +ufw allow 80/tcp # HTTP +ufw allow 443/tcp # HTTPS +ufw allow 1789/tcp # Nym specific +ufw allow 1790/tcp # Nym specific +ufw allow 8080/tcp # Nym specific - nym-node-api +ufw allow 9000/tcp # Nym Specific - clients port +ufw allow 9001/tcp # Nym specific - wss port +ufw allow 51822/udp # WireGuard +``` -# in case of reverse proxy for the swagger page (for Gateway optionality) -ufw allow 80,443/tcp +- In case of reverse proxy setup add: +```sh +ufw allow 443/tcp +``` -# for validator +- For validator setup open these ports: +```sh ufw allow 1317,26656,26660,22,80,443/tcp ``` @@ -237,6 +245,7 @@ All node-specific port configuration can be found in `$HOME/.nym//
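Review bot: In `documentation/operators/src/changelog.md`, the "Download Nym Node" command points `curl` at `https://github.com/nymtech/nym/releases/tag/nym-binaries-v2024.9-topdeck/nym-node`, which is a path under the release page, not a release asset. Because it uses `-s` without `-f` or `-L`, whatever the server returns is silently written to `nym-node` and then made executable. GitHub serves release assets under `/releases/download/<tag>/<asset>`, so the URL should take that form and the command should use `curl -fL`. A checksum verification step before `chmod u+x` would also be worth adding, since Step 3 starts this binary from the root home directory. Separately, the service file comment in Step 3 reads `# CAHNGE PATH ...` and should say CHANGE.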
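Review bot: In `documentation/operators/src/nodes/configuration.md` (hunk `@@ -140,7 +140,7 @@`), the new info admonition has two sentences missing a verb: "if you running only `mixnode` mode" and "If you preparing to run a `nym-node`" should both read "you are". The opening sentence recommends "the full routing configuration" without linking to it; pointing it at `#routing-configuration`, the anchor the changelog entry already uses, would let readers reach the steps directly.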
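Review bot: In `documentation/operators/src/nodes/configuration.md` (hunk `@@ -221,55 +231,69 @@`), step 1 downloads `network_tunnel_manager.sh` from a personal gist and executes it in the same `&&` chain, so the operator never gets a chance to read the script or check its integrity before it runs, and the following steps are then run as root. Pinning the raw URL to revision `3c0a38c1416f8fdf22906c013299dd08d1497183` is good. I would split the download from the first run and publish a SHA-256 for that revision to verify, or move the script into the repository. This hunk also removes the collapsible summary of script commands, which leaves the bare `./network_tunnel_manager.sh` call at the end of step 1 unexplained. Smaller points: `nym-node`is running is missing a space after the closing backtick, and "If you setting up a new node" needs "are".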
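Review bot: In `documentation/operators/src/nodes/configuration.md` (hunk `@@ -303,40 +327,19 @@`), the renumbered step 7 ("At this point your node needs to be bonded ...") conflicts with step 2 of the same list, which already tells operators of new nodes to bond and then come back. A reader following the list in order is told to bond twice, at different points. Keep a single bonding instruction and make the other a cross-reference, for example "if you did not bond in step 2". Step 6 (`apply_iptables_rules_wg`) is also the only rule-applying step with no expected output or follow-up check; a short "correct output" block like the ones for steps 3 and 5 would help operators confirm the WireGuard rules were applied.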
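Review bot: In `documentation/operators/src/nodes/configuration.md` (hunk `@@ -351,82 +354,28 @@`), the command added in step 9 is `./network_tunnel_manager.shjoke_through_the_mixnet`, with no space between the script name and its argument, so copying it from the docs fails with "No such file or directory". It should read `./network_tunnel_manager.sh joke_through_the_mixnet`, matching step 10. The hunk also removes the whole "Mode: `mixnode`" walkthrough, including the `telnet -6` connectivity check. If mixnode operators are now meant to follow the unified list, say which steps they can skip, because steps 6, 10 and 11 are WireGuard-specific.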
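Review bot: In `documentation/operators/src/nodes/maintenance.md`, merging the two tables into "Nym Node Port Reference" leaves port `1789` ("Listen for Mixnet traffic") listed twice, once from the former Mixnode table and once from the former Gateway table; drop the second row. The new `51822/udp` row puts the protocol in the "Default port" column while every other row omits it. Either add a protocol column or mark the TCP ports as well, so operators writing firewall rules from this table do not have to guess.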
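Review bot: In `documentation/operators/src/nodes/nym-node.md`, the new sentence "Your Nym Node will need to be bonded before it can be run" contradicts the reordered list just below it, where "Run" is step 3 and "Bond" is step 4. It also contradicts the configuration page, which asks operators to have the node running before bonding. Reword the sentence to match the intended order. The product name is spelled "Wireguard" here and "WireGuard" in the changelog and the port table; pick one spelling across the patch.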
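Review bot: In `documentation/operators/src/nodes/setup.md` (hunk `@@ -82,10 +82,8 @@`), the warning links to `configuration.md#wireguard-setup`, but no heading with that name is added anywhere in this patch. The section introduced in `configuration.md` is "Routing Configuration", and the changelog entry links to `#routing-configuration`. Please check the anchor and align the two links. The admonition also still opens with "The Wireguard flags currently have limited functionality" and then recommends switching WireGuard on. Stating what the limitation is, or dropping that first sentence, would remove the mixed message.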
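Review bot: In `documentation/operators/src/nodes/setup.md` (hunks `@@ -170,11 +168,11 @@` and `@@ -184,11 +182,11 @@`), the copy-paste exit-gateway examples now pass `--wireguard-enabled true`, but the trailing comment only says "wireguard can be enabled from version 1.1.6 onwards". The warning earlier in this file and the changelog both say the flag needs the routing configuration in place. Extend the comment to point at the routing configuration section, so operators who copy only this command do not enable the flag on a host without the WireGuard rules and the `51822/udp` firewall port.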
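Review bot: In `documentation/operators/src/nodes/setup.md` (hunk `@@ -203,7 +201,16 @@`), the comments under the new "Initialise & run with all options" entry-gateway command still include the line describing the location format ("'Jamaica', or two-letter alpha2 ..."), but this command has no `--location` flag, so that comment should be removed. The same stray line appears in the "For Entry Gateway" block added to the changelog. The init-only entry-gateway command directly below is left without `--wireguard-enabled`, while the exit-gateway init-only example was changed to `true`; make the two consistent or explain the difference.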
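Review bot: In `documentation/operators/src/nodes/vps-setup.md`, the main `ufw allow` block now opens `80/tcp` and `443/tcp` for every `nym-node`, yet the bullet that follows ("In case of reverse proxy setup add: `ufw allow 443/tcp`") repeats a port that is already open. The previous text opened 80 and 443 only for the reverse proxy case, and the new wording suggests that intent is unchanged. Keep `80/tcp` and `443/tcp` out of the default list and put both under the reverse proxy bullet. Likewise, `9000/tcp`, `9001/tcp` and `51822/udp` are only needed for Gateway modes per the port reference, so note that a mixnode-only host can leave them closed.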