💾 Archived View for ix.cyb.red › wiki › yggdrasil captured on 2024-12-17 at 09:40:00. Gemini links have been rewritten to link to archived content


yggdrasil

private, but not anonymous, encrypted overlay network. yggdrasil is used to encrypt our internal infrastructure and is the backbone of our CDN. all peers accept connections on the same standard ports.

https://yggdrasil-network.github.io/

routers

future versions of the network will use sslh or haproxy to multiplex port 443 and allow mesh access on restrictive networks. with this configuration, all of your communications will look like normal web traffic going to a /cyb/red server.

the routers are organized in two tiers: first by city, then bioregion. /cyb/red is primarily set up to serve north american peers because we are located on the western side of the continent. we would love to partner with groups serving adjacent continents to provide trusted routing infrastructure to south america, central america, and europe.

"hardening"

generate stronger keys

after generating your config file, burn some cycles generating a stronger key. this can run in the background while you do other things; the command below keeps searching and prints multiple keys, each stronger than the last.

genkeys

tls minor cloak

router operators can use haproxy to direct tls-wrapped peer traffic from port 443 to the appropriate port. this is useful for allowing users on restricted networks to connect to the overlay network. overlay traffic will look like normal tls traffic, connecting to the same tls-wrapped services you access normally.

configure a tls listener in yggdrasil.conf

  Listen: [
    # tls:// listener on every address; haproxy forwards port 443 here
    "tls://[::]:42069"
  ]

instruct haproxy to forward tls connections to yggdrasil, unless they match SNI for another domain.

defaults
	timeout client 24h
	timeout connect 5s
	timeout queue 1m
	timeout server 1h

frontend tls
	mode tcp
	bind 0.0.0.0:443
	bind :::443
	# wait up to 5s for the ClientHello so SNI can be inspected before routing
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	# yggdrasil does not send SNI, so this has to be the default backend
	default_backend ygg_backend
	use_backend https_backend if { req_ssl_sni -i $YOUR_DOMAIN }
	use_backend https_backend if { req_ssl_sni -i $YOUR_OTHER_DOMAIN }

backend ygg_backend
	mode tcp
	# yggdrasil tls listener from yggdrasil.conf
	server router ::1:42069

backend https_backend
	mode tcp
	# httpd must be configured to accept the PROXY protocol on this port
	server httpd ::1:8443 send-proxy-v2
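the demux rule above relies on one fact about the bytes on the wire: haproxy peeks at the TLS ClientHello and routes on the server_name extension without terminating TLS. the following is an added example (not code from this wiki, haproxy or yggdrasil) that parses a ClientHello the same way and applies the same decision: SNI matching one of our domains goes to https_backend, anything else, including an SNI-less peer handshake, falls through to ygg_backend. `build_client_hello` constructs minimal sample handshakes for testing; the domain `ix.cyb.red` is used only as a sample value.

```python
"""Minimal TLS ClientHello SNI extractor mirroring the haproxy demux rules.
Added example; not part of the /cyb/red wiki, haproxy or yggdrasil."""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake type: ClientHello (req_ssl_hello_type 1)
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(sni=None):
    """Construct a minimal TLS ClientHello record (constructed test input).
    Only the framing and the SNI extension matter here; random and cipher suites are filler."""
    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += b"\x00" * 32                    # random (filler)
    body += b"\x00"                         # session_id length 0
    body += b"\x00\x02" + b"\x13\x01"       # one cipher suite
    body += b"\x01\x00"                     # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        server_name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
        sn_list = struct.pack("!H", len(server_name)) + server_name
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None when no SNI is present.
    Raises ValueError for anything that is not a ClientHello (haproxy would simply
    never match req_ssl_hello_type 1 and drop it after the inspect delay)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(hs[1:4], "big")
    p = 4 + 2 + 32                                    # skip client_version and random
    sid_len = hs[p]
    p += 1 + sid_len                                  # skip session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len                                   # skip cipher_suites
    cm_len = hs[p]
    p += 1 + cm_len                                   # skip compression_methods
    if p >= end:
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ext_end = p + ext_len
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == EXT_SERVER_NAME:
            q = 2                                     # skip server_name_list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:
                    return data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
    return None


def choose_backend(record, https_domains):
    """Apply the haproxy rules: SNI matching one of our domains (case-insensitive,
    like req_ssl_sni -i) goes to https_backend; everything else, including
    SNI-less yggdrasil peers, falls through to the default ygg_backend."""
    sni = extract_sni(record)
    if sni is not None and sni.lower() in {d.lower() for d in https_domains}:
        return "https_backend"
    return "ygg_backend"


if __name__ == "__main__":
    ours = ["ix.cyb.red"]
    for hello in (build_client_hello("ix.cyb.red"), build_client_hello()):
        print(extract_sni(hello), "->", choose_backend(hello, ours))
```

note that a ClientHello carrying an SNI for a domain you do not serve also lands in ygg_backend, exactly as with the haproxy config: the default backend catches everything that is not explicitly claimed.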