code-zm/nymux

nymux

Lightweight process isolation and Nym mixnet routing for arbitrary commands

"nymux" clones the current process into new Linux namespaces (mount, PID, user), sets up a temporary resolv.conf, brings up loopback, and connects to the Nym mix network via nym-vpnc. It then runs your specified command inside the isolated environment. Upon completion, it cleanly disconnects and shuts down the Nym daemon, restoring your host network state.

Features

  • Namespace isolation: new mount, PID, and user namespaces
  • Temporary /etc/resolv.conf for DNS isolation
  • Automatic Nym network connection (entry & exit gateways chosen at random)
  • Graceful cleanup: nym-vpnc disconnect and SIGINT to nym-vpnd

Requirements

  • Linux with /dev/net/tun and support for user/mount namespaces
  • nym-vpnd and nym-vpnc binaries on PATH
  • Rust toolchain (for building) or prebuilt binary

Installation

# From source (requires Rust & cargo)
cargo install --path .

# Or build and copy binary
cargo build --release
cp target/release/nymux /usr/local/bin/

Usage

nymux [OPTIONS] -- <COMMAND> [ARGS...]

Options:

  • -c, --config-env-file <FILE>: path to a Nym network env file (skips HTTP discovery)

Example:

# Run 'ls -la' through Nym isolation
nymux -- ls -la /home/user

# With custom env file
nymux -c ~/.nym/env -- my-script.sh arg1 arg2

Privacy & Isolation Architecture

nymux confines your application in isolated Linux namespaces (mount, user, and PID), while sharing the host network namespace so that DNS lookups and the VPN tunnel remain accessible. The Nym VPN daemon (nym-vpnd) runs in the host network namespace, and a temporary /etc/resolv.conf and loopback interface are configured inside the isolated namespaces. Below is an ASCII diagram illustrating the namespace boundaries and packet flow:

Host Namespace (root privileges)
+---------------------------------------------+
| tunX (VPN TUN interface)                    |
| nym-vpnd (VPN daemon)                       |
| iptables NAT/FORWARD (VPN routing rules)    |
+---------------------------------------------+
          ^
          | (shared network namespace)
Child Namespace (new mount, user, PID)
+-------------------------------------------+
| Loopback (lo)                             |
| /etc/resolv.conf (bound temp file)        |
| nym-vpnc (connect/disconnect)             |
| your command/process                      |
+-------------------------------------------+
          |
          v
      Nym Mixnet

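In this model the command resolves names through the temporary /etc/resolv.conf, and its external communication is routed through the privacy-preserving Nym mix network. The isolation boundary is the mount, user, and PID namespaces; because the network namespace is shared with the host, the routing depends on the VPN routes that nym-vpnd maintains there while the command runs.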
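
One way to check the namespace layout described above against a running wrapped command, as an added example that is not part of the nymux source. It compares the /proc/<pid>/ns links of a host process and of the command's process (both PIDs as seen from the host) and reports any namespace that does not match the README's model; the names nscheck, parse_ns_link, audit and read_links are hypothetical.

```rust
// Added example, not nymux source. Compares two processes' namespace links.
use std::{env, fs};

// Per the README: mount, PID and user namespaces are new; "net" is shared.
const ISOLATED: [&str; 3] = ["mnt", "pid", "user"];
const SHARED: [&str; 1] = ["net"];

/// Parse a /proc/<pid>/ns/<kind> link target such as "net:[4026531840]".
fn parse_ns_link(link: &str) -> Option<(&str, u64)> {
    let (kind, rest) = link.split_once(":[")?;
    let inode = rest.strip_suffix(']')?.parse().ok()?;
    Some((kind, inode))
}

/// Findings that contradict the README's model; empty means it matches.
fn audit(host_links: &[String], child_links: &[String]) -> Vec<String> {
    let find = |links: &[String], kind: &str| {
        links.iter().filter_map(|l| parse_ns_link(l)).find(|(k, _)| *k == kind).map(|(_, i)| i)
    };
    let mut findings = Vec::new();
    for &kind in ISOLATED.iter().chain(SHARED.iter()) {
        let want_shared = SHARED.contains(&kind);
        match (find(host_links, kind), find(child_links, kind)) {
            (Some(h), Some(c)) if (h == c) != want_shared => findings.push(format!(
                "{kind}: expected {}, got host={h} child={c}",
                if want_shared { "shared" } else { "isolated" }
            )),
            (Some(_), Some(_)) => {}
            _ => findings.push(format!("{kind}: link missing or unreadable")),
        }
    }
    findings
}

/// Read namespace link targets for a PID as seen from the host ("self" works too).
fn read_links(pid: &str) -> Vec<String> {
    ISOLATED.iter().chain(SHARED.iter())
        .filter_map(|k| fs::read_link(format!("/proc/{pid}/ns/{k}")).ok())
        .map(|p| p.to_string_lossy().into_owned())
        .collect()
}

fn main() {
    let args: Vec<String> = env::args().collect();
    if args.len() != 3 { eprintln!("usage: nscheck <host_pid> <child_pid>"); return; }
    let findings = audit(&read_links(&args[1]), &read_links(&args[2]));
    if findings.is_empty() { println!("matches the README's namespace model"); }
    for f in &findings { println!("MISMATCH {f}"); }
}
```

A "net" mismatch means the command is not in the host network namespace, and a mismatch on mnt, pid or user means that namespace was not separated from the host's.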

Cleanup Behavior

Upon command exit, nymux will:

  1. Invoke nym-vpnc disconnect to remove VPN routes
  2. Send SIGINT to the nym-vpnd daemon for graceful shutdown
  3. Wait for nym-vpnd to exit, restoring host network state

If nymux is killed abruptly, residual network rules may persist, requiring manual cleanup or system reboot.

Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a branch for your feature or bugfix
  3. Run cargo fmt and cargo clippy -- -D warnings
  4. Submit a pull request

This README was generated by the nymux team.
