this post was submitted on 28 Jun 2023
23 points (84.8% liked)

Selfhosted

40728 readers
512 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
23
Yggdrasil as a VPN alternative (yggdrasil-network.github.io)
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/selfhosted
 

I've been accessing my servers over Yggdrasil for the last few years and I never see it mentioned in self hosting communities, so here you go !

Yggdrasil works over IPv6 and brings encryption at the network interface level (similarly to a VPN). The cool thing is that your IP address is derived from your private key, so when you try to connect to a specific IP, your packets are encrypted so that ONLY the destination server can decrypt it (thus preventing MITM attacks). And as everything is encrypted at the NIC level, you can safely use plain text protocols ;)

How cool is that ?

top 14 comments
sorted by: hot top controversial new old
[–] lwuy9v5 6 points 2 years ago

Wonder how this compares to wireguard. Been thinking about https://github.com/juanfont/headscale

[–] [email protected] 4 points 2 years ago

🤯That is super cool! Is there a good comparison between this and WireGuard from a security perspective? I know Cloudflare is moving away from WireGuard and implementing MASQUE which uses HTTP/3+QUIC. Wonderful to see multiple attempts at this, interested to see what gets the adoption.

[–] [email protected] 4 points 2 years ago (1 children)

this sounds a lot like part of how cloudflares tunnel works. me like!

[–] [email protected] 4 points 2 years ago (1 children)

I never used CF tunnels, but from the descriptions I read, it seem to serve a very different purpose. Yggdrasil will just connect your server to an overlay network that's fully encrypted (but public). If you expose services over Yggdrasil, your server will be directly exposed on the network, you just get full encryption as a bonus. Cloudfare on the other hand will "shift" your server access to their own server, and redirect traffic internally to your server over a secure channel. This means that your server is not publicly accessible.

[–] [email protected] 2 points 2 years ago* (last edited 2 years ago) (1 children)

Not quite true, I use cloudflared daily, its simply a daemon that connects back to CF. The daemon is configured on the CF side to proxy various local network (class C) URIs. I usually toss the daemon in the private network with the containers. The machines themselves still work fine over normal internet, the daemon does not cut a system off it simply provides proxy forward services.

This sounds very similar but without the configurability, just whatever I toss on the line I get. Which for the cases im thinking (replacing VPNs as suggested here) it will be great.

[–] [email protected] 1 points 2 years ago (1 children)

Ok thanks for the clarification (I've never used CF). Yggdrasil doesn't act as a proxy at all though so it's quite different. It simply creates a virtual interface on your host, and whatever comes in or get out of this interface is encrypted by default. Also, this interface can only access and be accessed over the Yggdrasil network.

[–] [email protected] 1 points 2 years ago

its just attached at a different network layer. this would show up as an adapter on the machine i suspect.

[–] BrianTheeBiscuiteer 2 points 2 years ago (1 children)

Doesn't seem like a direct replacement. A VPN will anonymize you when connecting via regular protocols. This is kind of its own protocol. If your intended destination doesn't use Yggdrasil then you can't talk to them. Do I have that right? Not saying it's bad, it's just not equivalent.

[–] peregus 5 points 2 years ago (1 children)

VPN per sé is a connection between 2 points (Virtual Private Network) so that the remote host can be reachable with a private IP and doesn't meet this be public;, what you're talking about is VPN services (ProtonVPN, NordVPN, etc.) that are used to bypass Internet blocks and makes you appear as you are accessing Internet from a different location.

[–] lemmygc 1 points 2 years ago

This is a cleaner way of presenting it, and more proprietary in nature versus the standard RFCs.

[–] [email protected] 2 points 2 years ago (1 children)

Does this require a static IP address? Can it be easily used when all nodes are behind a NAT with dynamic IP addresses?

[–] [email protected] 2 points 2 years ago (1 children)

No static IP required ! I use it on my phone over LTE and it works great. Same goes for the NAT, I use it at work to where my laptop sits behind a NAT and I don't have any issue.

[–] axzxc1236 3 points 2 years ago* (last edited 2 years ago)

From my understanding by reading the website, if non of your devices have a static IPv6 address, you need to add a public node or get a VPS that has static IPv6 address, is that true?

[–] [email protected] 1 points 2 years ago

Thanks for sharing. I recall hearing about this before. After reading this thread I've been trying to vend some of my selfhosted apps over yggdrasil. The documentation is difficult to find. A good tutorial would be really useful. Here are my two biggest ~~stumbling blocks~~ headaches:

  1. ipv6 headache: I had to update my server host binding from 0.0.0.0 to :: (from ipv4 to ipv6). Apparently ipv4 still works but now ipv6 also works. This was the biggest blocker for me gaining access to my apps over yggdrasil using ipv6.
  2. yggdrasil.conf headache: ipv6 syntax issues (apparently I need to learn me some ipv6 stuff) You need to put ipv6 ip addresses in brackets. This is an excerpt from my Listen attribute in my yggdrasil.conf file.
  # Listen addresses for incoming connections. You will need to add
  # listeners in order to accept incoming peerings from non-local nodes.
  # Multicast peer discovery will work regardless of any listeners set
  # here. Each listener should be specified in URI format as above, e.g.
  # tls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces.
Listen: [
          tls://[::]:8000
          tls://[::]:8080
]

I also downloaded an yggdrasil vpn app for Android and was able to access both apps with Android after adding a peer connection in the settings. Later, I added my Android public key to the AllowedPublicKeys to lock down my apps to be only accessible to my client.

Thanks @wgs for the tip! 🏆

load more comments
view more: next ›