Yggdrasil

Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6 network. It is lightweight, self-arranging, supported on multiple platforms, and allows pretty much any IPv6-capable application to communicate securely with other Yggdrasil nodes.

This article describes how to set up and use Yggdrasil.

Installation

Install the yggdrasil package.

Running

Start/enable yggdrasil.service.

This creates a tun network interface (tun0 by default) and assigns the node two new IPv6 addresses: an address in 200::/7, which is how the machine is known on the Yggdrasil network, and a /64 subnet in 300::/8 that can be routed to hosts behind it. Both are derived from the node's key pair, so they stay the same for as long as the key in the configuration file does. These ranges are not allocated or routed on the public Internet, which avoids conflicts with it.

To check that it works, run the following, which prints the node's IPv6 address, subnet and public key:

# yggdrasilctl getself

Configuration

The default configuration file /etc/yggdrasil.conf can be created by starting yggdrasil-default-config.service; yggdrasil.service also creates it the first time it is started. By default the instance has no peers, so it runs as a standalone node. Edit /etc/yggdrasil.conf, which uses the JSON format (the generated file also contains explanatory comments, which the parser accepts), to add peers and restart the service; the node can then reach the wider network and other nodes can find it. The file also holds the node's private key, from which its address is derived, so keep it readable only by root and back it up if you want to keep the same address.

Tip: You may want to enable a local firewall before peering with the wider network, because once you do, your machine and all of its services will be reachable from outside.

More details about the configuration are available in the upstream documentation.

To peer with the wider network, start with the public-peers documentation.
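As an added example (not code from this page or from the Yggdrasil project), the shell function below writes a complete, minimal /etc/yggdrasil.conf for a node that only makes outbound peerings. The peer URIs and the interface name ygg0 are placeholders; take real peers from the public-peers list. The PrivateKey argument is meant to be the key copied from the file the service generated on its first start: Yggdrasil generates a fresh key pair for a configuration that lacks one, which changes the node's 200: address. The key names are those of current upstream configuration files (Peers, Listen, AdminListen, MulticastInterfaces, AllowedPublicKeys, IfName, IfMTU, NodeInfoPrivacy).

```shell
#!/bin/sh
# Added example, not taken from the Arch wiki page or the Yggdrasil project:
# write a minimal /etc/yggdrasil.conf for a node that only peers outbound.
# Assumptions: the peer URIs are placeholders (take real ones from the
# public-peers list), "ygg0" is a chosen interface name, and $2 is the
# PrivateKey copied from the configuration the service generated on first start.
set -eu

write_ygg_conf() {
    conf="$1"
    privkey="$2"
    cat > "$conf" <<EOF
{
  "PrivateKey": "$privkey",
  "Peers": [
    "tls://peer1.example.org:443",
    "tcp://[2001:db8::1]:9001"
  ],
  "Listen": [],
  "AdminListen": "unix:///var/run/yggdrasil.sock",
  "MulticastInterfaces": [],
  "AllowedPublicKeys": [],
  "IfName": "ygg0",
  "IfMTU": 65535,
  "NodeInfoPrivacy": true
}
EOF
}

# Usage (as root), then restart yggdrasil.service and confirm the address
# with `yggdrasilctl getself`:
#   write_ygg_conf /etc/yggdrasil.conf "<PrivateKey from the generated file>"
if [ "$#" -eq 2 ]; then
    write_ygg_conf "$1" "$2"
fi
```

Leaving Listen empty means the node accepts no inbound peerings, and an empty MulticastInterfaces disables the default behaviour of auto-peering with any Yggdrasil node found on local interfaces; re-enable either deliberately. Setting IfName pins the interface name, which is useful when writing firewall rules against it.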

Local firewall

In today's networks a typical Linux installation is not exposed directly to the Internet; only servers normally have a public IP address. Because of this, ssh and similar services cannot be reached, and attacked, by just anyone.

It is important to realize that running Yggdrasil and peering it with the wider Yggdrasil network changes this. Services that listen on all interfaces (a wildcard address such as [::]) become reachable by anyone connected to that network. Either configure them not to listen on the Yggdrasil address, or quickly hide running services with a couple of firewall rules.

/etc/iptables/ip6tables.rules
# yggdrasil: drop everything arriving on the Yggdrasil interface except
# replies to connections this host initiated. The interface is tun0 here;
# if IfName is set in /etc/yggdrasil.conf, use that name instead and check
# the actual name with `ip link` after the service has started.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow return traffic (and related ICMPv6 errors) for flows we started.
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Discard packets that conntrack cannot classify.
-A INPUT -i tun0 -m conntrack --ctstate INVALID -j DROP
# Everything else from the Yggdrasil network is dropped.
-A INPUT -i tun0 -j DROP
COMMIT

Start/enable ip6tables.service to make this take effect.
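A check to run before peering, as an added example (not from this page or from the Yggdrasil project): the function below reads `ss -H -tuln` output and prints the listeners that would be reachable over Yggdrasil, that is, sockets bound to the IPv6 wildcard ([::] or *) or to the node's own 200: address passed as the first argument. IPv4-only listeners (0.0.0.0) and loopback ([::1]) are skipped because Yggdrasil carries only IPv6. The sample ss output and the address 200:1234:5678::1 are constructed for the example.

```shell
#!/bin/sh
# Added example: list listening sockets that would be exposed over Yggdrasil.
# Input: `ss -H -tuln` output on stdin. Arg 1 (optional): this node's
# Yggdrasil address, so sockets bound to it explicitly are reported too.
exposed_listeners() {
    ygg="${1:-}"
    awk -v ygg="$ygg" '
        {
            # Local address:port is the second-to-last column, with or
            # without the Netid column that -t plus -u adds.
            addr = $(NF - 1)
            # Split off the port at the last ":" (IPv6 hosts are bracketed).
            if (!match(addr, /:[0-9*]+$/)) next
            host = substr(addr, 1, RSTART - 1)
            port = substr(addr, RSTART + 1)
            # [::] and * are the IPv6 / dual-stack wildcards; 0.0.0.0 is
            # IPv4-only and [::1] is loopback, neither reachable via Yggdrasil.
            if (host == "[::]" || host == "*" || (ygg != "" && host == "[" ygg "]"))
                print host ":" port
        }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:631          [::]:*
tcp   LISTEN 0      511                *:80              *:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128   [200:1234:5678::1]:8080     [::]:*
EOF
}

# Real usage on a running node (the "IPv6 address" label of the
# yggdrasilctl getself output is assumed here):
#   ss -H -tuln | exposed_listeners "$(yggdrasilctl getself | awk '/IPv6 address/ {print $NF}')"
# On the sample above with that address it prints:
#   [::]:22
#   *:80
#   [200:1234:5678::1]:8080
```

Anything this prints is reachable by every node on the Yggdrasil network once you peer, unless the ip6tables rules above (or an equivalent) drop it on the Yggdrasil interface. Note that it does not cover Yggdrasil's own peering listener (the Listen entries in the configuration), which sits on your regular interfaces, not on the tun device.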


See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.