The Yggdrasil Network is an IPv6 overlay network that aims to create a decentralized and encrypted mesh network. It does this by treating networks as leaves in a binary tree. Being an overlay network, Yggdrasil also serves as a virtual private network (VPN) that allows its users to securely interact with each other.
Furthermore, Yggdrasil is free, relatively easy to set up and available for a wide array of platforms. This makes Yggdrasil a strong alternative for people who are interested in having a secure, private connection with other people.
What Is Mesh Networking and Yggdrasil?
Yggdrasil achieves mesh networking by representing a network as a tree of interconnected nodes. Each of these nodes can act as a relay to other nodes. This makes Yggdrasil a true mesh network.
Furthermore, the network’s structure allows Yggdrasil to easily find the machine or website you want to visit. In turn, this allows you to interact with other users without the need for a central server to route the traffic for you.
Why Use Yggdrasil?
Yggdrasil’s main selling point is that it changes the way data is routed through the Internet. It achieves that by assuming a few things about the default state of the network:
- All nodes are connected to at least one other node.
- Each node can transparently relay data to the other node.
- Each node can broadcast the nodes connected to it.
These assumptions create a structure that is both rigid and predictable but also highly flexible. For example, you can make your machine publicly accessible by connecting to just one public node. This public node is, then, connected to other nodes. From there, other users can peer with that node to connect to you.
Not only that, Yggdrasil also allows you to create a subnetwork of local machines. This is highly useful if you want to create a VPN.
How to Install Yggdrasil
As discussed above, Yggdrasil is available on many platforms and operating systems. This includes most Linux distributions.
However, Yggdrasil is not always in the default repositories. As such, some distributions require you to include its sources before you install it.
Installing Yggdrasil in Debian and Ubuntu
For example, if you want to install Yggdrasil in Debian and Ubuntu, you have to first add its official GPG key to apt. To do that, run the following commands:
gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo apt-key add -
From there, you need to add the repository to the list of sources that apt looks for in its packages:
echo 'deb http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | sudo tee /etc/apt/sources.list.d/yggdrasil.list
Once done, update apt and install the program. Do that by running this single line of code:
sudo apt update && sudo apt install yggdrasil
Installing Yggdrasil in Fedora
In contrast to Debian and Ubuntu, the process of installing Yggdrasil in Fedora is simple, as it is already a part of Fedora’s “Community Packages.”
As such, installing the program is as simple as running the commands:
sudo dnf copr enable rany/yggdrasil
sudo dnf install yggdrasil
Installing Yggdrasil in Arch Linux
Lastly, installing Yggdrasil in Arch Linux is also extremely simple. Like Fedora, it is already included in Arch’s community sources repository.
As such, you can install the program through pacman:
sudo pacman -Syu yggdrasil
Configuring Your Installation
Once done, setting up Yggdrasil to connect to a node is very simple, in that you only need to edit “/etc/yggdrasil.conf” to configure the program’s behavior. To access it, use nano:
sudo nano -w /etc/yggdrasil.conf
Yggdrasil will create this file after installation. However, if it does not, you can run this command to create a new configuration file:
su --command="yggdrasil -genconf > /etc/yggdrasil.conf"
Connecting to a Public Node
As we discussed above, there are two ways to use the program:
- Connect to a public node to make your machine discoverable.
- Connect a bunch of machines together in a virtual private network.
For the first one, add a public node’s address to your “/etc/yggdrasil.conf” file by editing the Peers: block in that configuration file.
This is the section in the configuration that determines which nodes you want to connect to. As such, the machines listed here should all be publicly discoverable and connectable from the Internet.
With that in mind, consider the following example:
{
  # List of connection strings for outbound peer connections in URI format,
  # e.g. tls://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j. These connections
  # will obey the operating system routing table, therefore you should
  # use this section when you may connect via different interfaces.
  Peers: [
    tls://address.domain:port
    tcp://1.2.3.4:port
    socks://[aaaa:...:ffff]/[1111:...:9999]
  ]

  [...]
The peers block is a basic list of all the nodes you want to connect to.
It can either establish an encrypted connection using TLS and SOCKS or an unencrypted one using TCP. The latter is useful for connecting small, embedded devices that do not support TLS but have basic network connectivity.
With that, you can connect to the public Yggdrasil network by copying a few of the node links provided by its community.
Once done, you can enable the program by running the following commands:
sudo systemctl enable yggdrasil
sudo systemctl start yggdrasil
You can test whether you have connected properly to the network by visiting this webpage.
Creating Your Own Private Network
On the other hand, creating a private network can be a bit involved but is still relatively simple. To create a private Yggdrasil network, you will need a few things:
- A publicly discoverable machine. This could either be a local machine that is not blocked by CG-NAT or a cheap virtual private server.
- A number of machines located in different networks that cannot talk directly to each other.
Configuring Your Personal Public Node
To create a private Yggdrasil network, you need to first allow your public machine to connect to other nodes. To do that, modify the Listen: block of the public machine’s “/etc/yggdrasil.conf.”
For example, a node configured to take public connections could look something like this:
  [...]

  # Listen addresses for incoming connections. You will need to add
  # listeners in order to accept incoming peerings from non-local nodes.
  # Multicast peer discovery will work regardless of any listeners set
  # here. Each listener should be specified in URI format as above, e.g.
  # tls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces.
  Listen: [
    tls://your.ipv4.address.here:12345
    tcp://[your:ipv6:address:here]:12345
  ]

  [...]
We have set the node to take any incoming connections on port 12345 over both IPv4 and IPv6. Further, the IPv4 connection is wrapped in TLS, while the IPv6 one uses unencrypted TCP.
From here, enable and start the Yggdrasil service to apply your settings. After that, connecting to this node works the same way as connecting to a public node.
Address Discovery and Restricting Access
By default, your newly created Yggdrasil node will accept any incoming connections, provided they are using the right port. To create a truly private VPN for your machines, you need to add them to a public key whitelist.
A Yggdrasil node works by broadcasting a unique public key that Yggdrasil generated when you first installed it. This key is used to secure you within a network and create your address.
You can check your Yggdrasil address by running this command:
sudo yggdrasilctl getself
This will display an IPv6 address that starts with “20x: … ” It can be used to directly connect to that machine through Yggdrasil.
Furthermore, the getself command will also display a machine’s public key. This is what you need to create an allowed list of machines in your public node.
Configuring Your Personal Node to Restrict Access
To restrict access to your Yggdrasil node, you need to edit the AllowedPublicKeys: block in your public node’s “/etc/yggdrasil.conf.” Just add all the public keys that you want this node to accept.
For example, this is a configuration for a node that only accepts three public keys:
  # List of peer public keys to allow incoming peering connections
  # from. If left empty/undefined then all connections will be allowed
  # by default. This does not affect outgoing peerings, nor does it
  # affect link-local peers discovered via multicast.
  AllowedPublicKeys: [
    "publickey1"
    "publickey2"
    "publickey3"
  ]
Once done, you can apply your settings by restarting the Yggdrasil service:
sudo systemctl restart yggdrasil
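A check for the public node's configuration, added here as an example (it is not code from the Yggdrasil project): it reads the Listen: and AllowedPublicKeys: blocks and reports an empty allow list, tcp:// listeners and entries that are still placeholders. The sample configurations are constructed, and the 64-hex-character key format is an assumption.

```python
import re

# Constructed sample configs in the layout of /etc/yggdrasil.conf.
WEAK_CONF = """{
  # Listen addresses for incoming connections.
  Listen: [
    tls://0.0.0.0:12345
    tcp://[::]:12345
  ]
  AllowedPublicKeys: []
}"""
RESTRICTED_CONF = """{
  Listen: [
    tls://0.0.0.0:12345
  ]
  AllowedPublicKeys: [
    "KEY"
  ]
}""".replace("KEY", "ab" * 32)  # constructed key, not a real node

# Assumption: a public key is 32 bytes written as 64 hex characters.
HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")

def list_block(conf, key):
    """Entries of a `Key: [ ... ]` list, one per line or space-separated."""
    entries, inside = [], False
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("#"):
            continue
        if not inside:
            m = re.match(rf'"?{key}"?\s*:\s*\[(.*)', line)
            if not m:
                continue
            inside, line = True, m.group(1)
        for token in line.split():
            if token == "]":
                return entries
            entries.append(token.strip('",'))
    return entries

def audit(conf):
    """Findings for a node that should only accept known peers."""
    listen = list_block(conf, "Listen")
    keys = list_block(conf, "AllowedPublicKeys")
    out = ["AllowedPublicKeys is empty: all incoming peerings are accepted"] if listen and not keys else []
    out += [f"{u}: listener is not wrapped in TLS" for u in listen if u.startswith("tcp://")]
    out += [f"{k!r}: not a 64-character hex public key" for k in keys if not HEX_KEY.fullmatch(k)]
    return out

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(RESTRICTED_CONF))
```

As the configuration comment above states, AllowedPublicKeys does not affect outgoing peerings or link-local peers discovered via multicast, so this check only covers incoming listeners.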
Congratulations! You now have a basic understanding of how the Yggdrasil Network works, as well as a basic idea of how to connect and configure a private network.
If all this talk makes you curious about how the Internet works, you can check out this article about capturing TCP packets with tcpdump.
Frequently Asked Questions
1. I have added my friend’s Yggdrasil address to my configuration file but can’t connect to him. What am I doing wrong?
This can be due to a number of things. However, the most common causes for this issue are:
- Both machines are behind a NAT and, therefore, cannot establish a direct connection with each other.
- The Peers: block and Listen: block in “/etc/yggdrasil.conf” are configured incorrectly.
For the first cause, you need to make sure that at least one machine is accessible publicly. You also need to make sure that the port you are using is properly port forwarded and can be seen from outside your local network.
For the second cause, make sure the Peers: and Listen: blocks contain the real IPv4 or IPv6 address of the peering machine and not its Yggdrasil address.
2. How do I know if my machines are properly peering with each other?
You can easily check whether your machines are properly peering with each other by running this command:
sudo yggdrasilctl getpeers
This will display all of the peers currently connected to you, as well as their relative position in the Yggdrasil network tree.
3. Is it possible to create a strong Yggdrasil key and address?
Yes! You can do this by using an address miner. This is a simple program that brute-forces public key pairs until it finds one that has a certain number of zeroes in front.
The most common program to do this is Simple Yggdrasil Generator (SYG), with the latest version being written in C++.