💾 Archived View for jsreed5.org › log › 2023 › 202308 › 20230831-yggdrasil.gmi captured on 2023-11-04 at 11:36:05. Gemini links have been rewritten to link to archived content
---
When I moved my capsule from self-hosting to EC2, I gave up a static IP address for my residence and changed my jsreed5.org domain to point to AWS. As I have a home server designed for deploying and managing VMs, this change also meant I was giving up the ability to spin up new servers on the fly and configure them to run Internet-facing services. Now I have only one EC2 instance in AWS, and if I want more, I have to pay a monthly cost for each one.
The decision to move from self-hosting to AWS was a financial one: I saved quite a bit of money each month by changing my home ISP plan from a business account to a residential account. But beyond the ability to self-host, I lost other functionality that I use quite often: using SFTP to move files to and from my NAS, kicking off backup and download jobs on my home connection, and so on.
Fortunately, I was able to find and install a tool that got around these issues: Yggdrasil.^ Yggdrasil is an overlay IPv6 network that allocates addresses from cryptographic keys rather than through the hierarchical address assignment of the current Internet. It is also a mesh network, so routing is peer-to-peer while still scaling well. It can be configured to accept connections from anyone running Yggdrasil, or only from certain nodes--this makes it useful for building private networks over public infrastructure.
In terms of software implementation, Yggdrasil works by creating a virtual network interface on the host and connecting to other Yggdrasil nodes over an existing network connection. It can also be deployed directly as a drop-in replacement for the Internet, but for my purposes I run it over the Internet.
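Because the address is a pure function of the node's public key, a node cannot claim another node's address without holding the matching private key, which is what makes the "only certain nodes" peering mode meaningful. Here is an added example (not the Yggdrasil project's own code) that re-implements the derivation used since Yggdrasil v0.4, with a constructed key for illustration:

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strings"
)

// AddrForKey derives a node's Yggdrasil address (inside 0200::/8) from its
// 32-byte ed25519 public key. Layout: byte 0 is the prefix 0x02, byte 1 is
// the number of leading 1 bits in the bitwise inverse of the key, and bytes
// 2..15 are the next 112 bits of the inverted key after the first 0 bit.
// (The node's routed /64 uses the same first 8 bytes with prefix 0x03.)
func AddrForKey(pub []byte) ([16]byte, error) {
	var addr [16]byte
	if len(pub) != 32 {
		return addr, errors.New("public key must be 32 bytes")
	}
	ones, nBits, idx, delim := 0, 0, 2, false
	for i := 0; i < 8*len(pub) && idx < len(addr); i++ {
		bit := (^pub[i/8] >> (7 - uint(i%8))) & 1 // bit i of the inverted key
		switch {
		case !delim && bit == 1:
			ones++ // leading one of the inverted key (a leading zero of the key)
		case !delim:
			delim = true // the first zero bit is implied by the count, so drop it
		default:
			addr[idx] = addr[idx]<<1 | bit
			nBits++
			if nBits == 8 {
				nBits, idx = 0, idx+1
			}
		}
	}
	if ones > 127 {
		return [16]byte{}, errors.New("too many leading bits to encode in one byte")
	}
	addr[0], addr[1] = 0x02, byte(ones)
	return addr, nil
}

func main() {
	// Constructed key for illustration: 10 leading zero bits, then 0xAB repeated.
	key, _ := hex.DecodeString("003f" + strings.Repeat("ab", 30))
	addr, err := AddrForKey(key)
	if err != nil {
		panic(err)
	}
	fmt.Println(net.IP(addr[:]).String()) // 20a:2a2:a2a2:a2a2:a2a2:a2a2:a2a2:a2a2
}
```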
I use Debian and Fedora at home, and my EC2 instance runs Amazon Linux. There are Yggdrasil packages for Debian and Fedora, but I prefer to build it from source on all my systems, since I already use other tools written in Go and Go is easy to run portably.
Once Yggdrasil is compiled, one command generates a configuration file in HJSON format. The configuration file contains the private and public keys for that node, as well as peering information and network connection settings. By default multicast is enabled on the local network; this enables nodes on the same LAN to connect to each other automatically. I disable this in my environment, as when I'm on my home network I can connect between devices without needing to go through Yggdrasil at all.
I configure my nodes to connect to a common peer: the Yggdrasil node running on the capsule EC2 instance. Since the instance has a domain name associated with it, it's always resolvable when my devices are connected to the Internet. I then configure the EC2 peer to accept the other nodes, open a port in the VPC security group to allow incoming connections, start a service on the instance to listen for connections, and presto! My devices can all reach each other as if they were on the same network, even across the open Internet.
IPv6 addresses are somewhat cumbersome, so I maintain a list of the Yggdrasil addresses of all my nodes. I could certainly mitigate this through a hosts file or local DNS settings, but I'm too lazy to do that.
I first learned about Yggdrasil (and NNCP) through an excellent series of write-ups by John Goerzen.^^ I thoroughly recommend his articles if you're interested in free, open-source, decentralized technology that gives agency back to users.
^ Yggdrasil Network | End-to-end encrypted IPv6 networking to connect worlds (HTTPS)
---
[Last updated: 2023-08-31]