What Is the Yggdrasil Network and How to Install It


The Yggdrasil Network is an IPv6 overlay network that aims to create a decentralized and encrypted mesh network. It does this by treating networks as leaves in a binary tree. Being an overlay network, Yggdrasil also serves as a virtual private network (VPN) that allows its users to securely interact with each other.

Furthermore, Yggdrasil is free, relatively easy to set up and available on a wide array of platforms. This makes Yggdrasil a strong alternative for people who are interested in having a secure, private connection with other people.


What Is Mesh Networking and Yggdrasil?

Yggdrasil achieves mesh networking by representing a network as a tree of interconnected nodes. Each of these nodes can act as a relay for other nodes. This makes Yggdrasil a true mesh network.


Furthermore, the network’s structure allows Yggdrasil to easily find the machine or website you want to visit. In turn, this allows you to interact with other users without the need for a central server to route the traffic for you.

Why Use Yggdrasil?

Yggdrasil’s main selling point is that it changes the way data is routed through the Internet. It achieves that by assuming a few things about the default state of the network:

  • All nodes are connected to at least one other node.
  • Each node can transparently relay data to the other node.
  • Each node can broadcast the nodes connected to it.

These assumptions create a structure that is both rigid and predictable but also highly flexible. For example, you can make your machine publicly accessible by connecting to just one public node. This public node is, then, connected to other nodes. From there, other users can peer with that node to connect to you.


Not only that, Yggdrasil also allows you to create a subnetwork of local machines. As such, this is highly useful if you want to create a VPN.


How to Install Yggdrasil

As discussed above, Yggdrasil is available on many platforms and operating systems. This includes most Linux distributions.

However, Yggdrasil is not always in the default repositories. As such, some distributions require you to include its sources before you install it.

Installing Yggdrasil in Debian and Ubuntu

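For example, if you want to install Yggdrasil in Debian and Ubuntu, you first have to add the project's official GPG key to apt. The second command below exports the key by its full fingerprint, so only the key with that fingerprint is handed to apt. To do that, run the following commands: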

gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo apt-key add -

From there, you need to add the repository to the list of sources that apt searches for packages:

echo 'deb http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | sudo tee /etc/apt/sources.list.d/yggdrasil.list

Once done, update apt and install the program. Do that by running this single line of code:

sudo apt update && sudo apt install yggdrasil

Installing Yggdrasil in Fedora

In contrast to Debian and Ubuntu, the process of installing Yggdrasil in Fedora is simple, as it is already a part of Fedora’s “Community Packages.”

As such, installing the program is as simple as running the commands:

sudo dnf copr enable rany/yggdrasil
sudo dnf install yggdrasil

Installing Yggdrasil in Arch Linux

Lastly, installing Yggdrasil in Arch Linux is also extremely simple. Like Fedora, it is already included in Arch’s community sources repository.

As such, you can install the program through pacman:

sudo pacman -Syu yggdrasil

Configuring Your Installation

Once done, setting up Yggdrasil to connect to a node is very simple: you only need to edit “/etc/yggdrasil.conf” to configure the program’s behavior. To access it, use nano:

sudo nano -w /etc/yggdrasil.conf

Yggdrasil will create this file after installation. However, if it does not, you can run this command to create a new configuration file:

su --command="yggdrasil -genconf > /etc/yggdrasil.conf"

Connecting to a Public Node

As we discussed above, there are two ways to use the program:

  • Connect to a public node to make your machine discoverable.
  • Connect a bunch of machines together in a virtual private network.

For the first one, add a public node’s address to your “/etc/yggdrasil.conf” file by editing the Peers: block in that configuration file.

This is the section in the configuration that determines which nodes you want to connect to. As such, the machines listed here should all be publicly discoverable and connectable from the Internet.

With that in mind, consider the following example:

{
   # List of connection strings for outbound peer connections in URI format,
   # e.g. tls://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j. These connections
   # will obey the operating system routing table, therefore you should
   # use this section when you may connect via different interfaces.
   Peers: [
         tls://address.domain:port
         tcp://1.2.3.4:port
         socks://[aaaa:...:ffff]/[1111:...:9999]
   ]
 
   [...]

The peers block is a basic list of all the nodes you want to connect to.


It can either establish an encrypted connection using TLS and SOCKS or an unencrypted one using TCP. The latter is useful for connecting small, embedded devices that do not support TLS but have basic network connectivity.

With that, you can connect to the public Yggdrasil network by copying a few of the node links provided by its community.

Once done, you can enable the program by running the following commands:

sudo systemctl enable yggdrasil
sudo systemctl start yggdrasil

You can test whether you have connected properly to the network by visiting this webpage.


Creating Your Own Private Network

On the other hand, creating a private network can be a bit involved but is still relatively simple. To create a private Yggdrasil network, you will need a few things:

  • A publicly discoverable machine. This could either be a local machine that is not blocked by CG-NAT or a cheap virtual private server.
  • A number of machines located in different networks that cannot talk directly to each other.

Configuring Your Personal Public Node

To create a private Yggdrasil network, you need to first allow your public machine to connect to other nodes. To do that, modify the Listen: block of the public machine’s “/etc/yggdrasil.conf.”

For example, a node configured to take public connections could look something like this:

  [...]

  # Listen addresses for incoming connections. You will need to add
  # listeners in order to accept incoming peerings from non-local nodes.
  # Multicast peer discovery will work regardless of any listeners set
  # here. Each listener should be specified in URI format as above, e.g.
  # tls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces.
  Listen: [
    tls://your.ipv4.address.here:12345
    tcp://[your:ipv6:address:here]:12345
  ]

  [...]

We have set the node to take any incoming connections on port 12345 over both IPv4 and IPv6. Further, the IPv4 connection is wrapped in TLS, while the IPv6 one uses unencrypted TCP.

From here, enable and start the Yggdrasil service to apply your settings. After that, connecting to this node works the same way as connecting to a public node.

Address Discovery and Restricting Access

By default, your newly created Yggdrasil node will accept any incoming connections, provided they are using the right port. To create a truly private VPN for your machines, you need to add them to a public key whitelist.

A Yggdrasil node works by broadcasting a unique public key that Yggdrasil generated when you first installed it. This key is used to secure you within a network and create your address.

You can check your Yggdrasil address by running this command:

sudo yggdrasilctl getself

This will display an IPv6 address that starts with “20x: … ” It can be used to directly connect to that machine through Yggdrasil.

Furthermore, the getself command will also display a machine’s public key. This is what you need to create an allowed list of machines in your public node.

Configuring Your Personal Node to Restrict Access

To restrict access to your Yggdrasil node, you need to edit the AllowedPublicKeys: block in your public node’s “/etc/yggdrasil.conf.” Just add all the public keys that you want this node to accept.

For example, this is a configuration for a node that only accepts three public keys:

  # List of peer public keys to allow incoming peering connections
  # from. If left empty/undefined then all connections will be allowed
  # by default. This does not affect outgoing peerings, nor does it
  # affect link-local peers discovered via multicast.
  AllowedPublicKeys: [
    "publickey1"
    "publickey2"
    "publickey3"
  ]

Once done, you can apply your settings by restarting the Yggdrasil service:

sudo systemctl restart yggdrasil
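
Before restarting a node that listens on a public address, it is worth checking the config for the two risks described above: peerings over plain tcp:// and a Listen: block with an empty AllowedPublicKeys: list. The script below is an added example, not part of the original article or the Yggdrasil project; it uses a simplified line-based reader for the multi-line list layout shown above, and the sample config, hosts and ports are constructed placeholders.

```python
import re

# Constructed sample in the style of /etc/yggdrasil.conf; hosts and ports are placeholders.
SAMPLE_CONF = """
{
  # e.g. tls://a.b.c.d:e (comment lines are ignored by the audit)
  Peers: [
    tls://peer.example:443
    tcp://192.0.2.10:9001
  ]
  Listen: [
    tls://192.0.2.1:12345
    tcp://[2001:db8::1]:12345
  ]
  AllowedPublicKeys: []
}
"""

def list_block(conf, name):
    """Entries of a multi-line `Name: [ ... ]` list; `Name: []` yields []."""
    entries, inside = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        if not inside:
            m = re.match(r'"?%s"?\s*:\s*\[\s*(.*)$' % re.escape(name), line)
            if not m:
                continue
            inside, line = True, m.group(1)
            if not line:
                continue
        if line.rstrip(",") == "]":  # a bare "]" closes the list; "[::]" in a URI does not
            break
        entries.append(line.strip('",'))
    return entries

def audit(conf):
    findings = []
    for block in ("Peers", "Listen"):
        for uri in list_block(conf, block):
            if uri.startswith("tcp://"):
                findings.append(f"{block}: {uri} has no TLS wrapper; use tls:// if the peer supports it")
    if list_block(conf, "Listen") and not list_block(conf, "AllowedPublicKeys"):
        findings.append("Listen is set but AllowedPublicKeys is empty: any node may peer")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

To check a real node, pass the contents of “/etc/yggdrasil.conf” to audit() instead of the sample.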

Congratulations! You now have a basic understanding of how the Yggdrasil Network works, as well as a basic idea of how to connect and configure a private network.

If all this talk makes you curious about how the Internet works, you can check out this article about capturing TCP packets with tcpdump.


Frequently Asked Questions

1. I have added my friend’s Yggdrasil address to my configuration file but can’t connect to him. What am I doing wrong?

This can be due to a number of things. However, the most common causes for this issue are:

  • Both machines are behind a NAT and, therefore, cannot establish a direct connection with each other.
  • The Peers: block and Listen: block in “/etc/yggdrasil.conf” are configured incorrectly.

For the first cause, you need to make sure that at least one machine is accessible publicly. You also need to make sure that the port you are using is properly port forwarded and can be seen from outside your local network.

For the second cause, make sure the Peers: and Listen: blocks contain the real IPv4 or IPv6 address of the peering machine and not its Yggdrasil address.

2. How do I know if my machines are properly peering with each other?

You can easily check whether your machines are properly peering with each other by running this command:

sudo yggdrasilctl getpeers

This will display all of the peers currently connected to you, as well as their relative position in the Yggdrasil network tree.

3. Is it possible to create a strong Yggdrasil key and address?

Yes! You can do this by using an address miner. This is a simple program that brute-forces key pairs until it finds one whose public key has a certain amount of zeroes in front.

The most common program to do this is Simple Yggdrasil Generator (SYG) with the latest version being written in C++.
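
To see why the number of leading zeroes matters, the added example below (not from the original article, SYG or the Yggdrasil code base) derives the “20x:” address from a public key. It assumes the address scheme used since Yggdrasil v0.4: a prefix byte 0x02, one byte counting the leading one bits of the bit-inverted key, then the key bits that follow the first zero. The two keys are constructed byte strings, not real ed25519 keys; compare the result for your own key with the output of yggdrasilctl getself.

```python
import ipaddress

# Constructed 32-byte values standing in for ed25519 public keys.
KEY_PLAIN = bytes.fromhex("80" + "00" * 31)      # no leading zero bits
KEY_MINED = bytes.fromhex("000001" + "ff" * 29)  # 23 leading zero bits

def addr_for_key(pubkey: bytes) -> ipaddress.IPv6Address:
    """Map a public key to its Yggdrasil IPv6 address (assumed v0.4+ scheme)."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte ed25519 public key")
    # Invert the key so that leading zero bits become leading one bits.
    bits = "".join(f"{b ^ 0xFF:08b}" for b in pubkey)
    ones = len(bits) - len(bits.lstrip("1"))
    if ones > 127:
        raise ValueError("more leading zero bits than the address format can encode")
    # Skip the leading ones and the first zero; 112 bits fill the rest of the address.
    rest = bits[ones + 1:][:112]
    packed = bytes([0x02, ones]) + int(rest, 2).to_bytes(14, "big")
    return ipaddress.IPv6Address(packed)

def key_strength(pubkey: bytes) -> int:
    """Second address byte: how many leading key bits the address commits to
    on top of the 112 bits it stores directly."""
    return addr_for_key(pubkey).packed[1]

if __name__ == "__main__":
    for key in (KEY_PLAIN, KEY_MINED):
        print(addr_for_key(key), "strength", key_strength(key))
```

A miner simply keeps generating key pairs until key_strength() reaches the value it wants; every extra leading zero bit roughly doubles the work needed to find another key that maps to the same address.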

Image credit: Unsplash

Ramces Red
Ramces Red - Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.