Yggdrasil network connection

Since there is very little up-to-date information about connecting to the Yggdrasil network, I decided to share my experience on OpenWrt 23.05.5.

Installation: opkg update; opkg install luci-proto-yggdrasil yggdrasil-jumper (yggdrasil-jumper is optional).

It should be noted that I had to reboot my router to see the new type of network interface.

Configuration: Network → Interfaces → Add new interface..., choose Yggdrasil Network as the new interface's protocol and give it a name (ygg in my case).

Now it is time to set up the new interface. Press Generate new key pair in the General Settings tab:

Assign a firewall zone in Firewall Settings:

And add several peers (only if you want to connect to the public playground) from https://github.com/yggdrasil-network/public-peers (choose the ones geographically closest to you). Enabling multicast on br-lan may be a useful option too if you want other nodes in your LAN to autoconnect without setting up peers manually:

Now press Save and restart the ygg interface (I don't know why, but the new settings were not applied immediately after saving).

After that all your local network devices should receive a new IPv6 address from the prefix delegated by Yggdrasil without any additional configuration. That's it.

The curious can configure Alfis DNS; the lazy can leave it as it is and use the ygg.at domain instead of ygg. For example, the domain rutracker.ygg can also be accessed as rutracker.ygg.at.

Map of Yggdrasil: http://[21e:e795:8e82:a9e2:ff48:952d:55f2:f0bb]/.

Torrent tracker I tried: http://[316:c51a:62a3:8b9::5]/announce.

Outproxy (just for testing purposes): 324:71e:281a:9ed3::fa11 port 1080 (SOCKS5) and port 3128 (HTTP/HTTPS).

EDIT (early 2025): Added yggdrasil-jumper to installation packages.


Is Yggdrasil optimum for a home mesh setup versus using a traditional AP mesh setup?

It's just an IPv6 overlay network with a non-traditional routing scheme. Nothing to do with wireless mesh networks.


What do you mean by that? Is it that it is not required to run Yggdrasil software on those devices in order to reach the Ygg network?

I've tried to ping one from another, from within the local network as well as from a remote node (a peer connected to the same Ygg network), and got a "Destination unreachable: Port unreachable" error. IIRC, I did not assign the ygg interface to any firewall zone; is that required?

Also, I've tried to access the router over the Ygg network in order to get SSH, but failed.

Here is my setup:

Both the router and the "remote" are connected to my own public peer.

Router:

# yggdrasilctl -endpoint=unix:///tmp/yggdrasil/ygg.sock getself
Build name:             yggdrasil-openwrt
Build version:          0.5.10
IPv6 address:           200:>_<:18d7

Remote:

$ sudo yggdrasilctl getself
Build name:             yggdrasil
Build version:          0.5.12
IPv6 address:           207:>_<:c649

I can confirm both are connected to the public peer:

$ sudo yggdrasilctl getpeers
URI             State Dir     IP Address
tcp://a.b.c.d:p Up    In      207:>_<:c649
tcp://w.x.y.z:q Up    In      200:>_<:18d7

I can ping "remote" from router:

# ping -6 207:>_<:c649
PING 207:>_<:c649 (207:>_<:c649): 56 data bytes
64 bytes from 207:>_<:c649: seq=0 ttl=64 time=50.765 ms
64 bytes from 207:>_<:c649: seq=1 ttl=64 time=49.197 ms
64 bytes from 207:>_<:c649: seq=2 ttl=64 time=49.422 ms

I can even ping another node (connected through multicast peering with the router) from "remote":

$ ping -6 207:>_<:1cbc
PING 207:>_<:1cbc(207:>_<:1cbc) 56 data bytes
64 bytes from 207:>_<:1cbc: icmp_seq=1 ttl=64 time=612 ms
64 bytes from 207:>_<:1cbc: icmp_seq=2 ttl=64 time=240 ms
64 bytes from 207:>_<:1cbc: icmp_seq=3 ttl=64 time=269 ms

But I can neither ping the router nor access it with SSH from "remote":

$ ping -6 200:>_<:18d7
PING 200:>_<:18d7(200:>_<:18d7) 56 data bytes
From 200:>_<:18d7 icmp_seq=1 Destination unreachable: Port unreachable
From 200:>_<:18d7 icmp_seq=2 Destination unreachable: Port unreachable
From 200:>_<:18d7 icmp_seq=3 Destination unreachable: Port unreachable

$ ssh 200:>_<:18d7
ssh: connect to host 200:>_<:18d7 port 22: Connection refused

There are no log messages along the way.

Here are my firewall rules (they are pretty much default):

What I'm doing wrong?

No, it is not required. Yggdrasil will look just like another IPv6 address space. You can check it in your device's network preferences.

Check if your "Peers" tab shows a successful connection to your peer(s). Normally (if you did everything as I explained) it is treated as a WAN interface. So you can establish new connections from within your LAN to the Yggdrasil network, but no one sees your device's open ports from outside (pings should go through).

Well, unless you specifically enabled it, SSH access is disabled on WAN...

Unfortunately, that's not the case: pings do not go through.

The screenshot you provided says that "it will listen on all interfaces, if unspecified". And it is unspecified in my settings, so I'm assuming I should be able to SSH into the router over the Yggdrasil network.

Well, unless you specifically enabled it, SSH access is disabled on WAN...

Could you please point me to some reference which confirms this?

https://www.whatismyip.com/port-scanner/ - scan port 22. That's my result:

I don't understand how I'm supposed to do so if my router is not publicly available: it does not have a publicly accessible IP.

I don't understand either why I need to do so, since I'm 100 % sure that the port is open because I'm already SSH'ing into the router:

But I'm only able to SSH into the router from the local network.

Now that I've set up Yggdrasil on the router, I need to make it possible to SSH into the router over Yggdrasil. I can instead scan the port from another peer (of the same, my personal, Yggdrasil network segment to which the router is connected):

$ sudo nmap -6 -sS -p 22 200:>_<:18d7
Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-30 13:17 MSK
Nmap scan report for 200:>_<:18d7
Host is up (0.093s latency).

PORT   STATE  SERVICE
22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds

Indeed, I believe this is due to the fact that I can't even ping the router over Yggdrasil:

$ ping -6 200:>_<:18d7
PING 200:>_<:18d7(200:>_<:18d7) 56 data bytes
From 200:>_<:18d7 icmp_seq=1 Destination unreachable: Port unreachable
From 200:>_<:18d7 icmp_seq=2 Destination unreachable: Port unreachable
From 200:>_<:18d7 icmp_seq=3 Destination unreachable: Port unreachable
^C
--- 200:>_<:18d7 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2002ms

I don't understand the reason for all this.

Which one of these two can you ping:

21c:368a:5bd6:786e:68b7:711b:1b53:cd5f
31c:368a:5bd6:786e::1

?

Neither of them; my Yggdrasil segment is not connected to any public peer (meaning that it is not connected to the public Yggdrasil network).

I didn't get that from the very beginning. Probably you should address your question directly to the Yggdrasil developers then...

To be able to receive an SSH connection over Yggdrasil, the Yggdrasil network interface must be in a firewall zone that has a rule allowing SSH (TCP 22) input, or has the zone default as accept (any) input. The firewall defaults to rejecting input on interfaces that are not in any zone. Always put a new interface into some defined zone; don't rely on the default behaviour.

If the Yggdrasil public can send packets to your Yggdrasil IP (I'm not sure how Yggdrasil works), you have to be careful about firewalling them out. A default accept input would be dangerous. Either way, it would be best to make a new zone for it.


The way I configured it explicitly says "Assign firewall zone to WAN".

But you're right, providing /etc/config/firewall and /etc/config/network would be much more helpful.

That will work, but it means that an allow-SSH rule will also open the regular direct Internet WAN to SSH.

Yep, I don't see why I should treat Yggdrasil as something different from the public Internet... But in @anthony_s's scenario it is probably worth having a dedicated firewall zone, since he's using it as his private VPN.

Okay, it is clear now that I need to set up some firewall rules in order to do what I want.

So, I decided to assign the Yggdrasil interface to its own zone (gan, which roughly means "global area network"). I decided to configure the gan zone as follows:

  • input: REJECT
  • output: ACCEPT
  • forward: ACCEPT

And then open the required ports on a per-service basis, e.g. if I need SSH then I explicitly open the SSH port for the gan zone.

What is not clear is how to configure forwarding to/from other zones. I mean, if I want to allow traffic from local Yggdrasil nodes to remote ones, do I need to forward from gan to wan? Or from lan to gan? Or what?

To be more precise, here are my network and firewall configs:

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd44:6d3f:67fe::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.31.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'ygg'
        option proto 'yggdrasil'
        option private_key '>_<'
        option public_key '>_<'

config yggdrasil_ygg_peer
        option address 'tcp://here.is.my.private.peer.address:4242'

config yggdrasil_ygg_interface
        list interface 'br-lan'
        option beacon '1'
        option listen '1'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Also, I don't see any reason to explicitly allow ICMP on each network/interface, as it is an essential part of networking which no one should ever break.

As I wrote above, currently I can't even ping the router from the private peer. Is there a way to enable ICMP etc. on all interfaces in one swoop?
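Editor's added example, not code from the thread, from OpenWrt or from Yggdrasil. It ties together the "assign a firewall zone" step of the opening how-to and the zone/forwarding question in the last post by modelling, in a small Python script, how fw4 evaluates a UCI firewall config for packets arriving on the ygg interface. The config strings are constructed: FIREWALL_AS_POSTED is a trimmed version of the one posted above, in which ygg belongs to no zone and so falls to the `config defaults` policy (input REJECT, which is what answers a ping with ICMPv6 port-unreachable and an SSH connect with a TCP reset, exactly the output quoted in the thread); FIREWALL_FIXED adds a dedicated zone for ygg that rejects input by default, admits only ICMPv6 essentials and SSH to the router, and carries a lan→gan forwarding, which is the direction that lets LAN hosts (holding addresses from the Yggdrasil-delegated prefix) reach remote nodes. No gan→wan forwarding is needed: the peer TCP session is the router's own outbound traffic, not forwarded traffic. The evaluator ignores `src_ip`, `family` and port ranges, so it is a teaching model, not a substitute for `fw4 print`; the zone and rule names `gan`, `Allow-Ygg-ICMPv6` and `Allow-Ygg-SSH` are the example's own choices.

```python
"""Added example, not code from the thread or from OpenWrt: a toy model of fw4's
INPUT/FORWARD verdicts from UCI firewall fragments (zones, forwardings, rules on
src/proto/dest_port/icmp_type only).  The configs below are constructed."""
import re

def parse_uci(text):
    """Parse single-quoted UCI text into [{'type','name','opts'}]; `list` -> list."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append({"type": m[1], "name": m[2], "opts": {}})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if not (m and sections):
            raise ValueError("unparsable UCI line: %r" % raw)
        kind, key, val = m.groups()
        if kind == "list":
            sections[-1]["opts"].setdefault(key, []).append(val)
        else:
            sections[-1]["opts"][key] = val
    return sections

def zone_of(fw, network):
    """Zone claiming logical interface `network`, or None (then `defaults` applies)."""
    return next((s["opts"]["name"] for s in fw if s["type"] == "zone"
                 and network in s["opts"].get("network", [])), None)

def input_verdict(fw, src_zone, proto, dport=None, icmp_type=None):
    """Packet for the router itself from `src_zone` (None = unzoned): first matching
    rule wins, then the zone's `input`, then `config defaults`.  src_ip rules skipped."""
    for s in fw:
        o = s["opts"]
        if (s["type"] != "rule" or src_zone is None or o.get("src") != src_zone
                or "dest" in o or "src_ip" in o
                or o.get("proto", "any") not in ("any", proto)
                or ("dest_port" in o and o["dest_port"] != str(dport))):
            continue
        types = o.get("icmp_type", [])
        if types and icmp_type not in ([types] if isinstance(types, str) else types):
            continue
        return o["target"]
    for s in fw:
        if s["type"] == "zone" and s["opts"]["name"] == src_zone:
            return s["opts"].get("input", "DROP")
    return next((s["opts"].get("input", "DROP") for s in fw if s["type"] == "defaults"), "DROP")

def forward_allowed(fw, src_zone, dst_zone):
    """Inter-zone traffic needs a `config forwarding` src->dest; a zone's own
    `forward` option only covers src == dst; everything else hits `defaults`."""
    if any(s["type"] == "forwarding" and s["opts"].get("src") == src_zone
           and s["opts"].get("dest") == dst_zone for s in fw):
        return True
    kind, name = ("zone", src_zone) if src_zone == dst_zone else ("defaults", None)
    return any(s["type"] == kind and (name is None or s["opts"]["name"] == name)
               and s["opts"].get("forward") == "ACCEPT" for s in fw)

FIREWALL_AS_POSTED = """
config defaults
    option input 'REJECT'
    option forward 'REJECT'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Dedicated zone for ygg: REJECT in, LAN may initiate towards Yggdrasil, only
# ICMPv6 essentials and SSH reach the router (pin SSH with `option src_ip` too).
FIREWALL_FIXED = FIREWALL_AS_POSTED + """
config zone
    option name 'gan'
    list network 'ygg'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'gan'
config rule
    option name 'Allow-Ygg-ICMPv6'
    option src 'gan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'packet-too-big'
    option target 'ACCEPT'
config rule
    option name 'Allow-Ygg-SSH'
    option src 'gan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
"""
```

Running `input_verdict(parse_uci(FIREWALL_AS_POSTED), None, "tcp", 22)` returns REJECT, while with FIREWALL_FIXED and `src_zone="gan"` SSH and echo-request are accepted, any other port is rejected, `forward_allowed` is true only for lan→gan (and intra-zone lan→lan), and gan→lan and gan→wan stay blocked. The ICMPv6 list is deliberately short here; the thread's own Allow-ICMPv6-Input rule is the fuller template to copy for the new zone.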