Skip Navigation
Selfhosted @lemmy.world z3bra @lemmy.sdf.org

Yggdrasil as a VPN alternative

yggdrasil-network.github.io Yggdrasil Network

End-to-end encrypted IPv6 networking to connect worlds

I've been accessing my servers over Yggdrasil for the last few years and I never see it mentioned in self hosting communities, so here you go !

Yggdrasil works over IPv6 and brings encryption at the network interface level (similarly to a VPN). The cool thing is that your IP address is derived from your private key, so when you try to connect to a specific IP, your packets are encrypted so that ONLY the destination server can decrypt it (thus preventing MITM attacks). And as everything is encrypted at the NIC level, you can safely use plain text protocols ;)

How cool is that ?

5
Lemmy Support @lemmy.ml Tekakutli @lemmy.dbzer0.com
solution proposal to the domain-change problem (FMHY situation)
IPv6 @lemmy.world eleitl @lemmy.world
Yggdrasil Network
The Invisible Internet Project @lemmy.world eleitl @lemmy.world
Yggdrasil Network
5 comments

  • Wonder how this compares to wireguard. Been thinking about https://github.com/juanfont/headscale

  • Thanks for sharing. I recall hearing about this before. After reading this thread I've been trying to vend some of my selfhosted apps over yggdrasil. The documentation is difficult to find. A good tutorial would be really useful. Here are my two biggest stumbling blocks headaches:

    1. ipv6 headache: I had to update my server host binding from 0.0.0.0 to :: (from ipv4 to ipv6). Apparently ipv4 still works but now ipv6 also works. This was the biggest blocker for me gaining access to my apps over yggdrasil using ipv6.
    2. yggdrasil.conf headache: ipv6 syntax issues (apparently I need to learn me some ipv6 stuff) You need to put ipv6 ip addresses in brackets. This is an excerpt from my Listen attribute in my yggdrasil.conf file.
      # Listen addresses for incoming connections. You will need to add
  # listeners in order to accept incoming peerings from non-local nodes.
  # Multicast peer discovery will work regardless of any listeners set
  # here. Each listener should be specified in URI format as above, e.g.
  # tls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces.
Listen: [
          tls://[::]:8000
          tls://[::]:8080
]

    I also downloaded an yggdrasil vpn app for Android and was able to access both apps with Android after adding a peer connection in the settings. Later, I added my Android public key to the AllowedPublicKeys to lock down my apps to be only accessible to my client.

    Thanks @wgs for the tip! 🏆

  • 🤯That is super cool! Is there a good comparison between this and WireGuard from a security perspective? I know Cloudflare is moving away from WireGuard and implementing MASQUE which uses HTTP/3+QUIC. Wonderful to see multiple attempts at this, interested to see what gets the adoption.

  • this sounds a lot like part of how cloudflares tunnel works. me like!

    • I never used CF tunnels, but from the descriptions I read, it seem to serve a very different purpose. Yggdrasil will just connect your server to an overlay network that's fully encrypted (but public). If you expose services over Yggdrasil, your server will be directly exposed on the network, you just get full encryption as a bonus. Cloudfare on the other hand will "shift" your server access to their own server, and redirect traffic internally to your server over a secure channel. This means that your server is not publicly accessible.