How to use GNUnet - in a nutshell

This document is just a brief intro on what can be done with GNUnet. Find much more in our documentation, e.g. in the section "using GNUnet" in the handbook. The configuration in the handbook is done with the UI interface gnunet-gtk.

Get on GNUnet

Now we can start it with the command line tool `gnunet-arm` (Automatic Restart Manager) with the -s option; s=start.

$ gnunet-arm -s

It starts the default GNUnet services. We can list them with the `-I` option:

$ gnunet-arm -I
Running services:
ats (gnunet-service-ats)
revocation (gnunet-service-revocation)
set (gnunet-service-set)
nat (gnunet-service-nat)
transport (gnunet-service-transport)
peerstore (gnunet-service-peerstore)
hostlist (gnunet-daemon-hostlist)
identity (gnunet-service-identity)
namecache (gnunet-service-namecache)
peerinfo (gnunet-service-peerinfo)
datastore (gnunet-service-datastore)
zonemaster (gnunet-service-zonemaster)
zonemaster-monitor (gnunet-service-zonemaster-monitor)
nse (gnunet-service-nse)
cadet (gnunet-service-cadet)
dht (gnunet-service-dht)
core (gnunet-service-core)
gns (gnunet-service-gns)
statistics (gnunet-service-statistics)
topology (gnunet-daemon-topology)
fs (gnunet-service-fs)
namestore (gnunet-service-namestore)
vpn (gnunet-service-vpn)

Get off GNUnet

For stopping GNUnet again we can use the `-e` option; e=end.

$ gnunet-arm -e

Make sure your GNUnet installation works...

After installing and starting GNUnet you should make sure that your peer is connecting to the P2P-network. By typing gnunet-core you should see something like this:

$ gnunet-core
Tue Oct 30 19:58:48 2018: connection established DSTJ (timeout in 293 s)
Tue Oct 30 19:58:48 2018: connection established A4MK (timeout in 292 s)
Tue Oct 30 19:58:48 2018: connection established 7WRD (timeout in 299 s)
Tue Oct 30 19:58:48 2018: connection established 5WBG (timeout in 299 s)

There are much more options to see if you are connected and how. E.g. 'gnunet-peerinfo' shows you all peers your peer knows, or with "tail -f ~/.cache/gnunet/*" you'll get to see what's going on with your node.

... and play around with it.

So let's try out some of GNUnet's use cases. Please mind that some should be done in a particular order, one after another:

  • Filesharing
  • A simple chat using CADET
  • Another simple chat using a nim client
  • Name resolution using GNS on the command line
  • Name resolution using GNS with a browser (do it on the command line first)
  • Serving a website using VPN (do name resolution with a browser first)


Let's publish a file in the GNUnet filesharing network. We use the keywords ("commons" and "state") so other people will be able to search for the file.

We can choose any file and describe it with meaningful keywords (using the `-k` command line option), in this example these are "commons" and "state".

$ gnunet-publish -k commons -k state ostrom.pdf
Publishing `/home/myself/ostrom.pdf' done.
URI is `gnunet://fs/chk/M57S...

Finding the file by keyword works with `gnunet-search`.

$ gnunet-search commons
gnunet-download -o "ostrom.pdf" gnunet://fs/chk/M57S...

It gives us the command line call to download the file (and store it as ostrom.pdf)!

It's recommended for filesharing that you increase your bandwidth restrictions from the actually pretty low defaults. The example below sets the WAN and LAN limits to the value "unlimited".

$ gnunet-config -s ats -o WAN_QUOTA_IN -V unlimited
$ gnunet-config -s ats -o WAN_QUOTA_OUT -V unlimited
$ gnunet-config -s ats -o LAN_QUOTA_IN -V unlimited
$ gnunet-config -s ats -o LAN_QUOTA_OUT -V unlimited

Please note that it might take some time (up to some hours) till your peers can see your freshly uploaded files.

Further reading: Please also refer to the chapter on filesharing in the handbook.

CADET (and Chat)

We can use the `gnunet-cadet` command line tool to open a port and from another machine connect to this port and chat or transfer data. First we need our peer ID of the GNUnet peer opening the port.

$ gnunet-peerinfo -s

Now we open the port (it can be any string!):

$ gnunet-cadet -o my-secret-port

On the other machine we can connect using the peer ID and the port and start chatting! "Other machine can be a friend's one which has GNUnet running, but it can also just be another shell on your machine.

$ gnunet-cadet P4T5GHS1PCZ06R82D3KW8Z8J1113BQZWAWGYHTZ8G1ZXMWXQGAVG my-secret-port

If you are interested into CADET in detail, please have a look in the chapter "Cadet-Subsystem" in our handbook. The CADET subsystem is responsible for secure end-to-end communications between nodes in the GNUnet overlay network; as transport protocol it's somewhat of the heart of the project.

Chatting with a (simple) client

To chat a tiny bit prettier, we can install and compile additional software. If you join the chat mentioned below and no one is there, feel free to ping on IRC/freenode #gnunet and ask if someone can join to test with you! (But we are trying to be there as often as possible).

First we have to install Nim. Please refer to their project site for further details. The preferred method is using our package manager, e.g. for Debian it would look like this:

$ sudo apt install nim $ nim --version Nim Compiler Version 0.20.2 [Linux: amd64] Compiled at 2019-07-17 Copyright (c) 2006-2019 by Andreas Rumpf active boot switches: -d:release -d:nativeStackTrace

If the displayed version is 0.19.0 or newer, we have a compatible version and can continue downloading and compiling the groupchat. If the version is older (like on Ubuntu 18.04) we can install Nim using a tool called choosenim:

$ curl -sSf | sh

Then we follow the onscreen instructions. More information can be found in the official documentation.

In the onscreen instructions you'll be ask to add a line to your bashrc - once you've done that, re-read your bash environment to make the change active:

source ~/.bashrc

After we have installed (and maybe upgraded) Nim we download and compile the groupchat application:

$ git clone
$ cd groupchat
$ make

Fine! We can now try to enter a chat server running on another GNUnet node.

$ LD_LIBRARY_PATH=/path/to/gnunetlibs ./groupchat --config=/path/to/gnunet.conf --server=88RXABKJNMT426FY81N2DXN0M2X37SW5Q1NR005YPDZ1Q7A22CHG --port=t3ss --nick=YOURNICK

(or as alternative server "QYYZ9S0GMRS5GJGA415YEFB29RM1E4NJ4NX8DG0T8GYFDJVYHNJ0" and port "welcome")

The peer and port in this example should work in real, because that peer is almost always online and running groupchat on that port.

You should now see something like this:

> 2018-10-30 19:50:10 Welcome 8Q2T! participants: @[]
Hello GNUnet!
2018-10-30 19:52:53 [8Q2T] Hello GNUnet!

Here we have typed "Hello gnunet!" to standard in which is then written out to standard out after having been sent back from GNUnet.

Name resolution using GNS on the command line

GNS is the GNU name service, a fully decentralized alternatice to DNS. We'll publish an IP address in a GNS record try to resolve it on the command line. First we need an identity which is the equivalent to a zone in DNS. We'll call it "myself" and create it using the `gnunet-identity` command line tool. Instead of "myself" you can surely use your nick or any other name.

$ gnunet-identity -C myself

We can check if it worked using the same tool. We expect the name of our identity and the corresponding public key to be displayed.

$ gnunet-identity -d

Now we add a public `A` record to our zone. It has the name "ccc", a value of "" and it expires after one day.

$ gnunet-namestore -z myself -a -e "1 d" -p -t A -n ccc -V

Now we can query that record using the command line tool `gnunet-gns`.

$ gnunet-gns -t A -u ccc.myself
Got `A' record:

So it worked! But only resolving our own records is boring. So we can give our identity (the public key of it to be precise) to someone else so they can try to resolve our records, too. The other person (Bob) has to add it to his namestore like this:

$ gnunet-namestore -z myself -a -e never -p -t PKEY -n alice -V HWTYD3P5D77JVFNVMZ1M5T10V4SZYNMY3PCGQCSVENKD6ZCRKPMG

Our identity in Bobs namestore is a public record (-p) and never expires (-e never). Now Bob (let's assume he has called his identity myself, too) should be able to resolve our "ccc" record, too!

$ gnunet-gns -t A -u ccc.alice.myself
Got `A' record:

It can continue like this. A friend of Bob would be able to resolve our records too because Bob published our identity in a public record. Bobs friend would simply use "ccc.alice.bob.myself" to resolve our "ccc" record.

See the chapter "Using the GNU Name System" in our handbook for a more detailed documentation.

Name resolution using GNS with a browser

In the previous use case "Name resolution using GNS on the command line" we got an idea about what GNS is about, but now let's use it with a browser, to make it actually useful. Currently Firefox and Chromium are known to work.

Many websites enforce HTTPS and thus provide certificates for their hostnames (and not our GNS names). Browsers don't like wrong hostnames in certificates and will present error messages. So GNUnet has to trick them by generating own certificates for our GNS names. This means we need to create our own certificate authority and tell our browser about it. Luckily there's a script for it:

$ gnunet-gns-proxy-setup-ca

After executing this script the Browser has to be restarted.

GNUnet provides a proxy service (gnunet-gns-proxy) that the browser can send DNS and HTTP traffic to. It will try to resolve names with GNS first and forward the rest of the DNS traffic to the system's DNS resolver. It will also take care of the HTTP traffic, so the browser gets valid certificates and the web server will not be confused by our GNS hostnames. Our GNS namestore doesn't know about any DNS hostnames yet, so we have to store them, too. For our "ccc" A record, we have to store a LEHO (legacy hostname) record, too. It must contain the website's original DNS hostname:

$ gnunet-namestore -z myself -a -e "1 d" -p -t LEHO -n ccc -V

Now let's start gnunet-gns-proxy.

$ /usr/lib/gnunet/libexec/gnunet-gns-proxy

Our browser has to be configured so it uses our proxy. In Firefox we have to set these options under "about:config":

network.proxy.socks: localhost
network.proxy.socks_port: 7777
network.proxy.socks_remote_dns true
network.proxy.type: 1

To tell Chromium to use the proxy, it has to be started with the "--proxy-server" command line option:

$ chromium --proxy-server="socks5://"

Now we should be able to resolve our GNS names in the browser! We just have to type "https://ccc.myself" into the address bar. If our friend Bob prepared his system, too, he can resolve our record by typing "ccc.alice.myself".

See the chapter on Integration with Browsers in our handbook for a more detailed description.


VPN can be used to share your Internet connection (yes, this may be dangerous, just as running a Tor exit node) or to provide access to services on your host (this should be less dangerous, as long as those services are secure).

In this tutorial we concentrate on providing access to services on your host.

For documentation to share your Internet connection have a look into chapter "Configuring the GNUnet VPN" in the handbook.

First you have to edit your gnunet.conf and add this section.


This is necessary to start the exit daemon.

Furthermore you need to add a section for your service.


Here a service named 'http' is configured to be accessed on a remote and local host on port 80. The IP address is the default IP address for the exit interface. If you like to change to another private IP address range you can change the option in section 'exit':


Now we have to add a GNS record to the namestore.

gnunet-namestore -z myself -a -e "1 d" -p -t VPN -n www -V "1 PKEY http"

Where myself is the name of the zone we already used above, but now we are adding a record of type VPN, and the value is a string containing three values. A boolean indicating the use of TCP or UDP (TCP in the example above), the public key of your node and the identifier of the service we used above ([http.gnunet.].

After we added this record we should be able to access www.myself like we did ccc.myself via the browser above.

The UI version of this Tutorial can be find in Chapter Using the GNUnet VPN in the handbook.

Trouble Shooting

You can't reach other people's nodes

Should our computer not have reached the open GNUnet network automatically, we can manually instruct our node how to reach the nodes of our friends. This works by exchanging HELLO strings. This is how we get a hello string for our computer.

$ gnunet-peerinfo -gn

We can now pass this string to our friends "out of band" (using whatever existing chat or messaging technology). If the string contains some private IP networks we don't want to share, we can carefully edit them out.

Once we receive such strings from our friends, we can add them like this:

gnunet-peerinfo -p

Now our GNUnet nodes can attempt reaching each other directly. This may still fail due to NAT traversal issues.