Setting your DNS

If you're having issues with resolving .loki addresses, you need to edit your resolv.conf files and add your DNS resolver.

Method 1

Install systemd-resolved and let that manage dns.

apt install systemd-resolved

Method 2

Install resolvconf and let that manage dns.

apt install resolvconf

Then restart lokinet.service with systemd.

If resolvconf by itself doesn't work, you'll need to add the Lokinet nameserver manually to resolvconf.

sudo nano /etc/resolvconf/resolv.conf.d/head

Add the following line at the bottom of this file:

nameserver 127.3.2.1

Once that line is added, hold Ctrl and type X, then type Enter to confirm the file changes.

Next we need to update our /etc/resolv.conf file by running the command:

sudo resolvconf -u

Then restart lokinet.service with systemd.

Lokinet becomes "stuck" trying to connect to the network.

As of 0.9.11 there is an issue where sometimes lokinet will get into a bad state and refuse to connect to the network.

This case is not related network censors blocking lokinet, it's a bug. see https://github.com/oxen-io/lokinet/issues/2116

If this happens, makes ure you back up any persisting private keys for .loki and....

• stop the lokinet service

• remove /var/lib/lokinet/profiles.dat

• start the lokinet service

This will remove the client's inferred network state that it slowly generates over time, thus will start retrying nodes it thought were dead before.

Installing on Windows

Installing on macOS

Installing on Linux (CLI)

Installing on Linux (GUI)

Initial setup

First add the oxen.io apt repository to your system:

Update your apt package list:

Install the lokinet-gui package:

This will also install and start a background service called lokinet.service that can be controlled with the lokinet-gui application.

Toggling Lokinet off and on

Simply jump into the lokinet-gui client and click the large green power button.

Using Lokinet

Head over to or for an overview of the exciting things you can do with Lokinet up and running!

See the troubleshooting guide if you have issues.

Initial setup

1. Computer Preparation

Begin by updating your package lists. The below command downloads package lists from your repositories and "updates" them to get information on the newest versions of packages and their dependencies. It will do this for all repositories and PPAs.

Run the following command:

sudo apt-get update

You'll notice a bunch of package lists were downloaded. Once this is complete, run the below command to fetch new versions of any packages we currently have installed on the system:

sudo apt-get upgrade

You'll be prompted to authorise the use of disk space. Type y and press Enter to authorise.

If you do not have curl installed on your computer, now is also a good time to install it, as we will use it later:

sudo apt install curl

2. Installation

You only need to do this step the first time you want to set up the Lokinet repository. After you've done it once, the repository will automatically update whenever you fetch new system updates.

This first command installs the public key used to sign official Lokinet binaries.

sudo curl -so /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg

The next command tells apt where to find the packages:

echo "deb https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list

Note: if you're running Linux Mint and get an error with this command, check out Troubleshooting.

Then resync your package repositories with:

sudo apt update

Now install Lokinet:

sudo apt install lokinet

Congratulations, Lokinet is now installed and running in the background.

Starting and stopping Lokinet

By default, lokinet will be running in the background on boot.

You can disable lokinet from starting on boot with:

sudo systemctl disable --now lokinet

You can re-enable lokinet to run on boot with:

sudo systemctl enable --now lokinet

You can stop the lokinet service with:

sudo systemctl stop lokinet

You can use stop, start or restart to start and stop lokinet using the command above replacing stop with start or restart

Updating Lokinet

To update Lokinet when installed with apt run the following command:

sudo apt update && sudo apt upgrade lokinet

Using Lokinet

Head over to Exit nodes or Accessing SNApps for an overview of the exciting things you can do with Lokinet up and running!

CLI installation troubleshooting

If lokinet gets "stuck" trying to connect to the network, back up any persisting private keys for .loki and....

• stop the lokinet service

• remove /var/lib/lokinet/profiles.dat

• start the lokinet service

this will remove the client's inferred network state that it slowly generates over time, thus will start retrying nodes it thought were dead before.

Linux Mint does not work with (lsb-release)

It has been reported that Linux Mint users may need to use the following command instead of the second command in 2. Installation:

echo "deb https://deb.oxen.io jammy main" | sudo tee /etc/apt/sources.list.d/oxen.list

Lokinet is open-source software which uses the Oxen Service Node network to operate a low-latency onion routing protocol. This allows users to browse the web without the destination or origin of data packets being exposed via Lokinet exit nodes, as well as accessing internally-hosted services called SNApps.

Why Lokinet?

Lokinet is an open-source, fully decentralised overlay network which allows users to browse the internet privately and securely, as well as access services (called SNApps) hosted on Lokinet. Lokinet achieves this through use of a low-latency onion routing protocol (LLARP) designed as a hybrid between I2P and Tor, while providing additional benefits.

When using Lokinet to browse the internet, encrypted data packets are routed through multiple service nodes. No single node ever knows the full path your data takes, so you can browse with true anonymity. Since these nodes are part of the Oxen network, they are also required (and economically incentivised) to provide high-quality service, unlike onion routers like Tor which rely on volunteers.

Lokinet also provides the benefit of being protocol-agnostic — while competing onion routers operate on the transport layer and are only able to carry TCP traffic, Lokinet operates on the network layer and is therefore able to onion-route any IP-based protocol: TCP, UDP, ICMP, etc. In plainer terms, this means Lokinet can relay real-time voice and video calls, video streams, and other high-bandwidth content which simply can't be routed over other onion routers.

Get Lokinet

To download Lokinet, head over to the Lokinet website.

Thanks for downloading Lokinet on MacOS. This guide will help you install Lokinet.

Latest releases can be found and downloaded here https://github.com/oxen-io/lokinet/releases/latest

macOS Monterey

macOS Ventura guide here

Open the .dmg file in your downloads directory (or wherever you downloaded Lokinet).

Select agree to agree to the GNU GPLv3 license agreement.

Drag and drop the Lokinet application into the applications folder.

Start the Lokinet application from the “Applications” folder and click open when prompted.

Once Lokinet is open, press the power button to turn Lokinet on. You will be prompted with a ‘System Extension Blocked’ popup, click ‘Open Security Preferences’.

If you do not see this popup, open System Preferences and navigate to Security & Privacy instead.

With the Security & Privacy settings window open, click the padlock in the bottom left corner.

After the padlock unlocks, click ‘Allow’, allowing Lokinet to load a system extension which is necessary for VPN functionality.

Enter your password and press unlock when prompted.

Once System Preference changes are allowed, a system prompt will appear. Click “Allow” to allow Lokinet to add a VPN Configuration.

Congratulations! You’re all done. Lokinet should now automatically start, if not try pressing the on button again and Lokinet should startup.

You can view, check, or alter the VPN Configuration created by Lokinet by opening System Preferences and navigating to Network.

macOS Ventura

Select agree to agree to the GNU GPLv3 license agreement.

Drag and drop the Lokinet application into the applications folder.

Start the Lokinet application from the “Applications” folder and click open when prompted.

Once Lokinet is open, press the power button to turn Lokinet on. You will be prompted with a ‘System Extension Blocked’ popup, click ‘Open Security Preferences’.

If you do not see this popup, open System Preferences and navigate to Privacy & Security menu instead.

click ‘Allow’, allowing Lokinet to load a system extension which is necessary for VPN functionality.

Enter your password and press unlock when prompted.

Once System Preference changes are allowed, a system prompt will appear. Click “Allow” to allow Lokinet to add a VPN Configuration.

Congratulations! You’re all done. Lokinet should now automatically start, if not try pressing the on button again and Lokinet should startup.

You can view, check, or alter the VPN Configuration created by Lokinet by opening System Preferences and navigating to Network.

Troubleshooting

Lokinet is not turning on when i press the start button

Go to System Preferences / Security & Privacy settings and press the lock to make changes

See if there are any pending requests from Lokinet, if so make sure you allow any Lokinet requests.

If there are no requests, try starting the Lokinet app again and see if a request shows up on the Security & Privacy page

Initial setup

1. Download the latest Windows installer here or on our GitHub

2. Run the downloaded .exe file

3. Check both "lokinet" and "gui" in the installer and then click "install"

4. Run the application

5. Press the big power button in the Lokinet interface to start or stop Lokinet

All done!

Using Lokinet

Head over to Exit nodes or Accessing SNApps for an overview of the exciting things you can do with Lokinet up and running!

Uninstalling

To uninstall Lokinet on Windows, open control panel and navigate to "Uninstall a Program", then find Lokinet and click uninstall.

Mumble is a fantastic open-source voice chat platform known for its reliability and ease of use.

And Lokinet is a cutting-edge onion routing network that offers unparalleled security and anonymity potential.

In this guide, we’re going to show you how to run a Mumble server over Lokinet, combining Mumble’s ease of use with Lokinet’s security and anonymity to create the ultimate secure voice chat service. With just 15 minutes of your time and $3 a month, you or your organisation can create one of the most secure voice chat platforms possible.

A Mumble server running over Lokinet on a server you control gives you absolute certainty that your voice conversations, associated metadata, and other Mumble activity cannot be stored or recorded, because no computer ever knows who is talking to whom — not even the Mumble server itself. So long as you trust the device that you run the Mumble server on (which you can, because it’s yours), you can be certain that no one else on earth can eavesdrop on your conversation — or even know that you’re connected to the server at all.

If this is your first time using SSH and the Linux command line, don’t stress. We’ll walk you through every step! With that, let’s get to it.

Step 1: Rent a VPS

The first thing you’ll want to do is rent yourself a VPS (Virtual Private Server) to host your Mumble voice chat server. You could run the Mumble server from your own computer instead, but if you want the server to stay up 24/7, without having to leave your own PC on all the time, a VPS is the way to go. Mumble’s chat server has extremely low system requirements, so a VPS with any amount of storage and at least 512MB RAM will do the trick — you can find VPSs that meet these requirements for around US$3 a month.

Try https://www.hetzner.com/cloud, or https://evolution-host.com/vps-hosting.php if you want to pay in $OXEN! When ordering, select Ubuntu 22.04 or Debian 11 as the operating system.

Step 2: Prepare your VPS

Once you have access to your new VPS, you’re almost ready to install Lokinet, but there’s a little bit of preparatory work to do first. Start by opening a command prompt on your local machine (Terminal on macOS, any command prompt on Linux, or PowerShell on Windows 10). SSH into (get remote access to) your VPS with this command:

ssh root@[VPS IP address]

Replacing [VPS IP address] with the IP of your VPS. It’ll prompt you for a password which will usually be provided to you by the VPS host. More advanced users can and should disable root password access and instead use SSH keys, but if that sounds hard, don’t worry about it for now. As you learn more about Linux, you’ll get more familiar with these best practices.

Once you’ve logged in, we’re ready to roll. First, we’ll update our package lists to make sure our VPS sees the most recent versions of all available packages. Type:

sudo apt update

You’ll see a bunch of package lists being downloaded. Once this command completes, run the following command to upgrade any outdated packages currently installed on the VPS:

sudo apt upgrade

We’ll also need to make sure the curl command is installed before we proceed. Run this command:

which curl

It should output the location of your installed curl command. If you get an error, install curl:

sudo apt install curl

Then run which curl again to make sure curl is installed.

Success? Congrats, you’re ready to move on to the next step:

Step 3: Install Lokinet

To install Lokinet, we need to add the Lokinet repository. Run the following command to install the public key used by the Lokinet dev team to sign Lokinet binaries:

sudo curl -so /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg

Then run the following command to tell apt where to find the Lokinet packages:

echo "deb https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list

Next, update your repository package lists again with:

sudo apt update

And now, install Lokinet:

sudo apt install lokinet

Congrats, Lokinet is now installed and running in the background. We’re nearly there.

Step 4: Installing the Mumble server

Run this command:

sudo apt install mumble-server

That’s it. The Mumble server is now installed. On to Step 5:

Step 5: Setting up a persistent keyfile

This step is a bit more involved. We need to set up Lokinet to always generate a keyfile in the same directory, so it will work consistently. Linux servers don’t have a graphical interface, but they do ship with some in-terminal text editors. We need to edit a file now, so start by opening your lokinet.ini file with this command:

sudo nano /etc/loki/lokinet.ini

Using the arrow keys, move the cursor down to the [network] section of the file. Remove the # from before the “keyfile=” line, then add the following after the = symbol:

/var/lib/lokinet/mumble.private

Then hit Ctrl+X. Type “Y” (for yes) when asked if you want to save your changes, then press Enter to save and exit.

Now that you’ve exited nano, you’re back in the terminal. Restart Lokinet to generate a keyfile for Mumble:

sudo systemctl restart lokinet

Step 6: Binding the Mumble server to Lokinet

Now we need to make sure your Mumble server is using Lokinet for all traffic. Start with this command to grab the IP address we need to bind Mumble to:

dig @127.3.2.1 +short localhost.loki

This command will output 2 strings of text: a long string of random letters and numbers ending in .loki, and an IP address (a number in the format xxx.xx(x).x.x).

Select and copy (Ctrl+C on Windows or Linux; Cmd+C on macOS) the IP address. Some SSH clients allow you to copy by highlighting the text and right-clicking on it as well.

Now, we need to point the Mumble server to that IP address. Use this command to open the configuration file for the Mumble server:

nano /etc/mumble-server.ini

Using the arrow keys, navigate down to the line “;host=” under the section Specific IP or hostname to bind to. Delete the ; from the start of the line, then paste the IP address we copied earlier after the = symbol. Hit Ctrl+X to exit. Type “Y” when asked if you want to save your changes, then press Enter to save and exit.

Back at the command line, restart the Mumble server to apply changes:

systemctl restart mumble-server

Step 7: Done!

Congrats! A Mumble server is now up and running on your VPS, and all its traffic is being routed through Lokinet. All that’s left is to grab the Lokinet address of the Mumble server and give it to anyone you want to be able to connect. In case you missed it, run this command to find the Lokinet address of the Mumble server:

dig @127.3.2.1 +short localhost.loki

This is the same command we ran earlier, but this time, pay attention to the long string of characters ending in .loki (be sure to include the .loki part!). This is the Lokinet address of your secure, onion-routed Mumble server.

Copy this address and provide it to anyone you want to be able to connect to the server — all they have to do is paste the address into the Address field of the Add Server dialog in the Mumble client, add a username and label to identify the server, hit OK, and connect!

Mumble can be downloaded for free on all major platforms. Anyone that wants to access your secret Mumble server will also need to have Lokinet installed and running. To download and install Lokinet, just head to https://lokinet.org/. Additional Lokinet guides can be found back at the Lokinet guide hub here on Oxen Docs.

And that’s it! Only 15 minutes and $3 later, you can now have completely surveillance-free conversations over the internet. We hope to integrate voice features into Session to make it even easier to access secure voice channels with this level of privacy and security.

In the meantime, though, this Mumble/Lokinet setup is perhaps the most secure voice channel option available. This unique combination of services is just one example of the power of the Oxen tech stack — stay tuned for more guides and articles about what Oxen’s tech can do.

Have fun!

Lokinet's exit node functionality allows you to browse the normal Internet (the 'clearnet') with all the privacy and security protections Lokinet provides. To use an exit node, all you need is a working Lokinet client and an exit node address (the OPTF is currently operating a test exit node available at exit.loki, suitable for basic web browsing).

Using exit nodes with the Lokinet GUI client

Using exit nodes with the Lokinet GUI client is as easy as 1, 2, 3!

Step 1: Enter your exit node address

Open the Lokinet Control Panel and enter the address of the exit node you'd like to use (e.g. exit.loki) in the Exit Node box:

Step 2: Enter your exit node auth code (if applicable)

Some exit nodes may require an authentication code (password) to use (note: exit.lokidoes not require an authentication code). If the exit node you're using requires an authentication code, enter it in the Auth Code box:

Step 3: Enable!

With your exit address and auth code (if applicable) entered, all you need to do is click the switch next to Enable Exit:

Now turn on Lokinet (if not already on) with the big green power button, and you're ready to browse the internet with all the privacy protections of Lokinet.

Using exit nodes with the Lokinet CLI client

To begin browsing from an exit node, use the following command, replacing EXITNODEADDRESS.loki with the address of your desired exit node:

lokinet-vpn --up --exit EXITNODEADDRESS.loki --token authcodegoeshere

To disable exit node functionality:

lokinet-vpn --down

Accessing SNApps is as simple as , opening your browser of choice, and entering the SNApp's .loki address in the address bar!

Test services

Jump into a browser such as Chrome or Firefox and enter the following SNApp address:

This should take you to the Lokinet Wiki, hosted within Lokinet. If this SNApp works, you have full Lokinet access!

Lokinet SNApps allow users to interact with applications or services entirely within Lokinet, similar to Tor's hidden services. SNApps provide an even higher degree of anonymity than can be achieved when accessing externally hosted content through . SNApps allow for users to set up and host marketplaces, forums, whistle-blowing websites, social media sites, and other web-based applications on their own servers while maintaining full server- and client-side anonymity. SNApps greatly expand what's possible with Lokinet, and allow users to build meaningful communities entirely within Lokinet itself.

SNApp operators use the traditional server-client model, with the key difference being that act as intermediaries in a user's connection to the SNApp server. When a SNApp wishes to register on the network, it must update the DHT with its descriptor. This descriptor contains various introducers, which are specific Oxen Service Nodes that users can contact to form a path to the SNApp. When these paths are set up, users can connect to the SNApp without either party knowing where the other is located in the network.

SNApp 📚 Guides

Lokinet Addresses

By default Lokinet uses 52 character non human readable strings as addresses in the network, for example:

These default addresses can be hard to remember and communicate to users.

ONS Records

ONS (Oxen Name Service) allows SNApp operators to map a human readable name to any default .loki address, as an example

Which is an ONS record mapping the human readable name probably and the Lokinet address dw68y1xhptqbhcm5s8aaaip6dbopykagig5q5u1za4c7pzxto77y

ONS records are registered as transactions the and can be resolved by Lokinet clients, which with the Service Node network. They work in a similar manner to other blockchain naming services like

Registering a .loki ONS Record

Registering a .loki ONS mapping requires the user to create an Oxen wallet and deposit at least 7 Oxen (plus transactions fees), visit the to find out where Oxen can be bought

You can register a ONS record by opening the "Oxen Name Service" tab in the

Once the "Oxen Name Service" tab is open, select the drop down menu underneath "ONS Record Type", and choose how long you would like to register your Lokinet name for.

Add your preferred human readable name, and your existing .loki address, an Oxen address may also be specified if you want to delegate ownership to a wallet separate from the wallet currently in use. Backup owners can be specified and have the same rights as the owner.

Once the relevant fields have been populated press "purchase" and confirm the transaction, transactions can take up to 20 minutes to confirm, once confirmed, you record will be registered and resolution between the human readable name and the default loki address should be complete.

It is possible to configure your SNApp so that others can get service information when looking it up. For example, you may want to tell the user you are hosting an xmpp server at a specific port, or even at a different .loki address, or perhaps even load-balance a service across multiple .loki addresses.

To start open the Lokinet config file, If you have built Lokinet from Deb packages, you can open your lokinet.ini file in the nano text editor with the following command:

Otherwise, if you have built Lokinet from source, your lokinet.ini file will be in the folder ~/.lokinet/lokinet.ini, and can be opened in nano with the following command:

Under the section heading [network] add one or more entries with the following format:

An example:

This would be an entry for the XMPP protocol, pointing to mylokiaddress.loki at port 1234.

Another example:

This would be an entry for Mumble, pointing to the SNApp you are configuring at port 64738.

The target in this entry MUST be one of the following:

• empty, which means "just use the .loki for this SNApp"

• a single dot (.), which means "this SNApp does NOT have that service available"

• any valid name in the .loki TLD.

For more information on SRV records and what you can do with them, visit .

Depending on the nature of the application or service which you want to make accessible over Lokinet, you may want to only run a temporary SNApp, or a SNApp that continues to persistently use the same .loki pubkey.

A temporary SNApp is a service accessible over Lokinet that does not have a permanent address. This means that the address you supply to others will not work once the server hosting the SNApp is restarted.

If you want users to be able to access your application or service over an extended period of time, a temporary SNApp is not recommended.

If you only want to host a temporary SNApp, jump to .

Note: This guide assumes you are running a standard Debian or Ubuntu Linux distribution on the machine on which you'll be hosting the SNApp and that you have Lokinet installed and running on this machine, if not please follow the guide to get Lokinet running. This guide also assumes you are relatively familiar with using the command line.

Step 1: Preparing your Lokinet address

Start by opening your lokinet.ini file and adding a path to where your SNApp key files will be stored.

If you have installed Lokinet from Deb packages, you can open your lokinet.ini file in the nano text editor with the following command:

Otherwise, if you have built Lokinet from source, your lokinet.ini file will be in the folder ~/.lokinet/lokinet.ini, and can be opened in nano with the following command:

With lokinet.ini open in the text editor, scroll down to your [network] section and add the following line:

Alternatively, you can set the filepath to wherever you want your SNApp private key to be stored.

Now, when you restart Lokinet, it will generate your snappkey.private file in the directory you have set.

Step 2: Finding your SNApp's Lokinet address

You can find your SNApp's current address using a host lookup tool:

You can also use the host command (the .loki address to query is the same, but the resolver uses the address 127.3.2.1 as to not conflict with other resolvers you may have installed):

Step 3: Install nginx

Install a proper web server:

Step 4: Configure nginx

Setup a Lokinet exclusive SNApp

If you want your SNApp to be accessible only via Lokinet and not via your IP address or domain name then you will need to configure nginx to run only on the lokinet interface.

this can go underneath your existing network config changes, after this change is made restart Lokinet using:

Once Lokinet is restarted run the following command to open your nginx default configuration file, we are going to make a few changes here.

This should leave your default file in sites available looking something like this:

save the changes and exit the file. Once this step is complete you can reload nginx with the following command:

Setup a clearnet and Lokinet accessible SNApp

If you want your SNApp to be accessible via Lokinet and your clearnet IP/Domain name then fewer changes are required. First open /etc/nginx/sites-enabled/default using:

Nginx Tips:

TIP: By default, you can drop files into /var/www/html to serve them as a SNApp. Make sure they are accessible via the www-data user (or whichever user nginx runs as.

TIP: You can make nginx generate a directory listing of files by adding autoindex on; on a new line into the location block in the nginx config file.

Step 5. Security (Optional)

Make sure no services bind to all interfaces.

Step 6: All done!