How to use GNUnet - in a nutshell

This document is just a brief intro on what can be done with GNUnet. Find much more in our documentation, e.g. in the section "using GNUnet" in the handbook. The configuration in the handbook is done with the UI interface gnunet-gtk.

Make sure your GNUnet installation works...

After installing and starting GNUnet you should make sure that your peer is connecting to the P2P-network. By typing gnunet-core you should see something like this:

$ gnunet-core
Tue Oct 30 19:58:48 2018: connection established DSTJ (timeout in 293 s)
Tue Oct 30 19:58:48 2018: connection established A4MK (timeout in 292 s)
Tue Oct 30 19:58:48 2018: connection established 7WRD (timeout in 299 s)
Tue Oct 30 19:58:48 2018: connection established 5WBG (timeout in 299 s)

... and play around with it.

So let's try out some of GNUnet's use cases. Please mind that some should be done in a particular order, one after another:

  • filesharing
  • A simple chat using CADET
  • Another simple chat using a nim client
  • Name resolution using GNS on the command line
  • Name resolution using GNS with a browser (do it on the command line first)
  • Serving a website using VPN (do name resolution with a browser first)


Let's publish a file in the GNUnet filesharing network. We use the keywords ("commons" and "state") so other people will be able to search for the file.

We can choose any file and describe it with meaningful keywords (using the `-k` command line option).

$ gnunet-publish -k commons -k state ostrom.pdf
Publishing `/home/myself/ostrom.pdf' done.
URI is `gnunet://fs/chk/M57S...

Finding the file by keyword works with `gnunet-search`.

$ gnunet-search commons
gnunet-download -o "ostrom.pdf" gnunet://fs/chk/M57S...

It gives us the command line call to download the file (and store it as ostrom.pdf)!

Please also refer to the chapter on filesharing in the handbook.

CADET (and Chat)

We can use the `gnunet-cadet` command line tool to open a port and from another machine connect to this port and chat or transfer data. First we need our *peer ID* of the GNUnet peer opening the port.

$ gnunet-peerinfo -s

Now we open the port (it can be any string!):

$ gnunet-cadet -o my-secret-port

On the other machine we can connect using the peer ID and the port and start chatting!

$ gnunet-cadet P4T5GHS1PCZ06R82D3KW8Z8J1113BQZWAWGYHTZ8G1ZXMWXQGAVG my-secret-port

If you are interested into CADET in detail, please have a look in the chapter "Cadet-Subsystem" in our handbook.

Chatting with a (simple) client

To chat a tiny bit prettier, we need to install and compile additional software. If you join the chat mentioned below and no one is there, feel free to ping on IRC/freenode #gnunet and ask if someone can join to test with you! (But we are trying to be there as often as possible).

$ git clone
$ cd gnunet-nim/examples
$ nim c groupchat.nim

Fine! We can now try to enter a chat server running on another GNUnet node.

$ LD_LIBRARY_PATH=/path/to/gnunetlibs ./groupchat --config=/path/to/gnunet.conf --server=88RXABKJNMT426FY81N2DXN0M2X37SW5Q1NR005YPDZ1Q7A22CHG --port=t3ss --nick=YOURNICK

(or as alternative server "QYYZ9S0GMRS5GJGA415YEFB29RM1E4NJ4NX8DG0T8GYFDJVYHNJ0" and port "welcome")

The peer and port in this example should work in real, because that peer is almost always online and running groupchat on that port.

You should now see something like this:

> 2018-10-30 19:50:10 Welcome 8Q2T! participants: @[]
Hello GNUnet!
2018-10-30 19:52:53 [8Q2T] Hello GNUnet!

Here we have typed "Hello gnunet!" to standard in which is then written out to standard out after having been sent back from GNUnet.

Name resolution using GNS on the command line

GNS is the GNU name service, a fully decentralized alternatice to DNS. We'll publish an IP address in a GNS record try to resolve it on the command line. First we need an identity which is the equivalent to a zone in DNS. We'll call it "myself" and create it using the `gnunet-identity` command line tool. Instead of "myself" you can surely use your nick or any other name.

$ gnunet-identity -C myself

We can check if it worked using the same tool. We expect the name of our identity and the corresponding public key to be displayed.

$ gnunet-identity -d

Now we add a public `A` record to our zone. It has the name "ccc", a value of "" and it expires after one day.

$ gnunet-namestore -z myself -a -e "1 d" -p -t A -n ccc -V

Now we can query that record using the command line tool `gnunet-gns`.

$ gnunet-gns -t A -u ccc.myself
Got `A' record:

So it worked! But only resolving our own records is boring. So we can give our identity (the public key of it to be precise) to someone else so they can try to resolve our records, too. The other person (Bob) has to add it to his namestore like this:

$ gnunet-namestore -z myself -a -e never -p -t PKEY -n alice -V HWTYD3P5D77JVFNVMZ1M5T10V4SZYNMY3PCGQCSVENKD6ZCRKPMG

Our identity in Bobs namestore is a public record (-p) and never expires (-e never). Now Bob (let's assume he has called his identity myself, too) should be able to resolve our "ccc" record, too!

$ gnunet-gns -t A -u ccc.alice.myself
Got `A' record:

It can continue like this. A friend of Bob would be able to resolve our records too because Bob published our identity in a public record. Bobs friend would simply use "ccc.alice.bob.myself" to resolve our "ccc" record.

See the chapter "Using the GNU Name System" in our handbook for a more detailed documentation.

Name resolution using GNS with a browser

In the previous use case "Name resolution using GNS on the command line" we got an idea about what GNS is about, but now let's use it with a browser, to make it actually useful. Currently Firefox and Chromium are known to work.

Many websites enforce HTTPS and thus provide certificates for their hostnames (and not our GNS names). Browsers don't like wrong hostnames in certificates and will present error messages. So GNUnet has to trick them by generating own certificates for our GNS names. This means we need to create our own certificate authority and tell our browser about it. Luckily there's a script for it:

$ gnunet-gns-proxy-setup-ca

After executing this script the Browser has to be restarted.

GNUnet provides a proxy service (gnunet-gns-proxy) that the browser can send DNS and HTTP traffic to. It will try to resolve names with GNS first and forward the rest of the DNS traffic to the system's DNS resolver. It will also take care of the HTTP traffic, so the browser gets valid certificates and the web server will not be confused by our GNS hostnames. Our GNS namestore doesn't know about any DNS hostnames yet, so we have to store them, too. For our "ccc" A record, we have to store a LEHO (legacy hostname) record, too. It must contain the website's original DNS hostname:

$ gnunet-namestore -z myself -a -e "1 d" -p -t LEHO -n ccc -V

Now let's start gnunet-gns-proxy.

$ /usr/lib/gnunet/libexec/gnunet-gns-proxy

Our browser has to be configured so it uses our proxy. In Firefox we have to set these options under "about:config":

network.proxy.socks: localhost
network.proxy.socks_port: 7777
network.proxy.socks_remote_dns true
network.proxy.type: 1

To tell Chromium to use the proxy, it has to be started with the "--proxy-server" command line option:

$ chromium --proxy-server="socks5://"

Now we should be able to resolve our GNS names in the browser! We just have to type "https://ccc.myself" into the address bar. If our friend Bob prepared his system, too, he can resolve our record by typing "ccc.alice.myself".

See the chapter on Integration with Browsers in our handbook for a more detailed description.


VPN can be used to share your Internet connection (yes, this may be dangerous, just as running a Tor exit node) or to provide access to services on your host (this should be less dangerous, as long as those services are secure).

In this tutorial we concentrate on providing access to services on your host.

For documentation to share your Internet connection have a look into chapter "Configuring the GNUnet VPN" in the handbook.

First you have to edit your gnunet.conf and add this section.


This is necessary to start the exit daemon.

Furthermore you need to add a section for your service.


Here a service named 'http' is configured to be accessed on a remote and local host on port 80. The IP address is the default IP address for the exit interface. If you like to change to another private IP address range you can change the option in section 'exit':


Now we have to add a GNS record to the namestore.

gnunet-namestore -z myself -a -e "1 d" -p -t VPN -n www -V "1 PKEY http"

Where myself is the name of the zone we already used above, but now we are adding a record of type VPN, and the value is a string containing three values. A boolean indicating the use of TCP or UDP (TCP in the example above), the public key of your node and the identifier of the service we used above ([http.gnunet.].

After we added this record we should be able to access www.myself like we did ccc.myself via the browser above.

The UI version of this Tutorial can be find in Chapter Using the GNUnet VPN in the handbook.


TBD, see chapter "Using GNUnet Conversation" in the handbook.