For a while, I've been noticing Yggdrasil being mentioned alongside Tor and I2P. That finally caught my attention.

From their website: "Yggdrasil was created in order to build a decentralised routing scheme for mesh networks that can potentially operate at a global scale, motivated in particular by significant performance and scaling issues that were present in cjdns at the time."
But how would that help avoid censorship? Or, maybe, Yggdrasil offers anonymity?

No, Yggdrasil is not an anonymizing network: "Direct peers over the Internet will be able to see your IP address and may be able to use this information to determine your location or identity".

"Why not just use IPv6 then?" I thought. After all, Yggdrasil addresses are IPv6 addresses too.
Turns out there are certain advantages to the Yggdrasil network, and I'll try to explain why I think it's awesome!

Traffic on the Yggdrasil network is encrypted on every peering link that uses TLS (tls://, QUIC, or WebSockets over TLS); plain tcp:// peerings are not. To your ISP or government, the connection looks like one TLS stream to your peer, so they can't see what you send through it and can't block it based on content. One caveat a practitioner should keep in mind: current Yggdrasil releases (v0.4 and later) no longer encrypt traffic end to end between arbitrary nodes, only hop by hop between peers, so an intermediate node relaying your packets could in principle read whatever the application itself doesn't encrypt. Run TLS, SSH or WireGuard on top for anything sensitive. The link encryption is still advantageous for torrenting: while not anonymous, it lets you bypass torrenting restrictions from your ISP (slowdowns, protocol filtering, port blocking). I also don't think there are any copyright owners snooping around on Yggdrasil, at least for now.

Every node gets a static IPv6 address derived from its public key: a /128 in 200::/8, plus a /64 subnet in 300::/8 for devices behind it. Both fall inside 200::/7, a range that was reserved and later deprecated, so it won't collide with anything routable on the Internet. You no longer need any NAT traversal; any node on the network can connect to any other node. That's awesome! And it works over IPv4 too: you get all the advantages of IPv6 on any network connection, even behind CG-NAT. But you WILL need to configure your firewall, because any program listening on all interfaces becomes reachable from the Yggdrasil network, just as it would with a public IPv6 address. Treat the Yggdrasil interface like an untrusted WAN interface and allow inbound connections only to the services you actually mean to expose.
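The derivation above is deterministic, so you can check what address a key will get before you ever start the daemon (for example, to pre-populate firewall rules or DNS). The following is an added example in Go, not code from the post or from the Yggdrasil project itself; it reimplements the scheme used by yggdrasil-go's address package (invert the key, count leading ones, drop them and the first zero, pack the rest behind a prefix byte and the count). The key it generates in main is random; the fixed keys in the comments are constructed to exercise the edge cases.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
)

const (
	addrPrefix   = 0x02 // node addresses live in 200::/8
	subnetPrefix = 0x03 // the /64 each node also owns lives in 300::/8
)

// bit returns bit i of buf, counting from the most significant bit of buf[0].
func bit(buf []byte, i int) byte {
	return (buf[i/8] >> uint(7-i%8)) & 1
}

// AddrForKey derives a node's /128 Yggdrasil address from its Ed25519 public
// key: invert the key, count the leading one bits, skip those ones and the
// first zero, then emit the prefix byte, the count, and as many of the
// remaining bits as fit in the other 14 bytes.
func AddrForKey(pub ed25519.PublicKey) (netip.Addr, error) {
	if len(pub) != ed25519.PublicKeySize {
		return netip.Addr{}, fmt.Errorf("want a %d-byte key, got %d bytes", ed25519.PublicKeySize, len(pub))
	}
	inv := make([]byte, len(pub))
	for i, b := range pub {
		inv[i] = ^b
	}
	total := 8 * len(inv)
	ones := 0
	for ones < total && bit(inv, ones) == 1 {
		ones++
	}
	// The count is stored in 7 bits; a key with more leading ones cannot be
	// encoded (an all-zero key, for instance, inverts to all ones).
	if ones > 127 {
		return netip.Addr{}, fmt.Errorf("key has %d leading one bits, more than fit in 7 bits", ones)
	}
	var out [16]byte
	out[0] = addrPrefix
	out[1] = byte(ones)
	// Position `ones` holds the first zero; skip it and pack what follows
	// into the remaining 112 bits.
	for n, j := 0, ones+1; n < 112 && j < total; n, j = n+1, j+1 {
		if bit(inv, j) == 1 {
			out[2+n/8] |= 0x80 >> uint(n%8)
		}
	}
	return netip.AddrFrom16(out), nil
}

// SubnetForKey returns the /64 routed to the same node: the same bits as the
// address, but with the subnet prefix byte and truncated to 64 bits.
func SubnetForKey(pub ed25519.PublicKey) (netip.Prefix, error) {
	addr, err := AddrForKey(pub)
	if err != nil {
		return netip.Prefix{}, err
	}
	b := addr.As16()
	b[0] = subnetPrefix
	return netip.PrefixFrom(netip.AddrFrom16(b), 64).Masked(), nil
}

func main() {
	// A fresh key pair of the kind yggdrasil -genconf writes into the config.
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	addr, _ := AddrForKey(pub)
	snet, _ := SubnetForKey(pub)
	fmt.Printf("public key: %x\naddress:    %s\nsubnet:     %s\n", []byte(pub), addr, snet)
}
```

Compare the output against `yggdrasilctl getself` on a node whose config holds the same key; the address there should match. Note that the address only commits to a prefix of the key, which is why peers are authenticated by the full key during the TLS handshake, not by the address alone.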

There are a lot of cool services on the Yggdrasil network: websites, proxy servers, Tor bridges, game servers, DNS, IRC, and the list goes on, all run by individuals. Let's say Tor is blocked in your country and Tor bridges don't work because your government also uses DPI to filter traffic. You can just use one of the Tor bridges on the Yggdrasil network and connect with no issues. Keep in mind that whoever runs a proxy you use sees whatever the application itself doesn't encrypt, and that your Yggdrasil address identifies your node's key. But, you may ask, couldn't they just block Yggdrasil too? In theory, yes, but it would be hard.

To connect to Yggdrasil, you only need to find at least one unrestricted peer. Yggdrasil can peer over TCP, TCP+TLS (with an arbitrary SNI), QUIC+TLS, WebSockets, WebSockets+TLS and UNIX sockets, and it can reach peers through a SOCKS proxy. You would have to try very hard to block all those protocols. Blocking individual peers is pointless, since there would almost always be at least one non-blocked peer left. And even if your government enables whitelist-only Internet access, a single 4G modem at the border would be enough, since all other nodes could connect to that one and to each other. When you peer with a node you don't control, you can append ?key=<its public key> to the peer URI so the peering only completes if the remote presents that key; otherwise a DNS hijack of the peer's hostname could quietly hand you a different node.
There is no peer discovery protocol outside the local network, so you'll need to find public peers online. It's easy to find one, since many people run nodes and publish their addresses on different platforms. Here is a GitHub repo with public peers. And here is my public peer:

Peers:
[
  tls://mango.vg:65534
]
You can find more peers on forums and social networks.

Ease of initial setup also surprised me. You just need to install Yggdrasil (available on Linux, macOS, Windows, iOS and Android), generate the config file, add a couple of peers to it, start the Yggdrasil service, and you're good to go! You should now be able to open this page: Yggdrasil Network Map. Running yggdrasilctl getself will print your address on the Yggdrasil network.
Yggdrasil supports IPv6 link-local addressing with multicast peer discovery, so if you run at least one node on your LAN, other nodes on the same LAN will peer with it without adding peers to the config. To let other nodes connect to your node over the Internet, add an entry to the Listen section of the config file and open that port in your firewall. Now you can share your peer address with others so they can connect to the network through your node.
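Putting the setup steps above together, this is what the relevant parts of a node's config look like once it both consumes public peers and offers a listener of its own. This is an added example, not the author's config: mango.vg is the peer published on this page, while peer.example.net, its SNI and the key value are placeholders you replace with a real peer's details. Everything else in the generated file can stay at its defaults.

```hjson
{
  # Outbound peerings. tls:// keeps each link encrypted; tcp:// would not.
  # ?sni= sets the TLS server name (useful against SNI-based filtering),
  # ?key= pins the remote node's public key (placeholder value here).
  Peers: [
    tls://mango.vg:65534
    tls://peer.example.net:443?sni=www.example.net&key=<hex public key of that peer>
  ]

  # Inbound peerings from the Internet. Open this TCP port in the firewall
  # on the WAN side only; LAN nodes are found by multicast instead.
  Listen: [
    tls://[::]:65534
  ]

  # Leave empty to let any node peer with this listener; list hex public
  # keys here to restrict it to nodes you trust.
  AllowedPublicKeys: []

  # LAN discovery over IPv6 link-local multicast on every interface.
  MulticastInterfaces: [
    {
      Regex: .*
      Beacon: true
      Listen: true
      Port: 0
    }
  ]
}
```

Generate a fresh file with yggdrasil -genconf, merge these entries into it, restart the service, then run yggdrasilctl getpeers to confirm the peerings came up. Remember that the Listen port is the only thing that needs to be reachable from the Internet; the Yggdrasil interface itself should stay firewalled as described above.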

I use the Yggdrasil network to connect to my VPS with WireGuard. Since the WireGuard protocol is blocked in my country, I can't connect directly. I spun up multiple Yggdrasil nodes and connected them all together. Even if one of the nodes fails, Yggdrasil still has connectivity, since every node has multiple peers and the mesh is self-healing. My home server, which also hosts this blog, doesn't have a public IPv4 address, so I rent a VPS and use it as a gateway. It's easy to exclude the Yggdrasil range from WireGuard's AllowedIPs and just use my VPS's Yggdrasil address as the Endpoint in WireGuard. As a bonus, since WireGuard doesn't support automatic endpoint switching, with Yggdrasil I don't need to choose between IPv6 (which is more stable with my ISP, but not available on the 4G modem) and IPv4. Yggdrasil has an Android app, but you can also compile the CLI version with Go if your phone is rooted. I chose this option to connect to WireGuard from my phone, since Android doesn't support two VPNs at once. I could also just use WireGuard in root mode and the Yggdrasil Android app.
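The one detail that trips people up in this setup is the AllowedIPs exclusion: WireGuard has no "everything except" syntax, so routing all IPv6 through the tunnel while keeping 200::/7 outside it (otherwise the Endpoint itself would be routed into the tunnel and the handshake would never arrive) means splitting ::/0 into the prefixes that surround the hole. The following is an added example in Go, not the author's configuration or anything from the WireGuard or Yggdrasil projects; it computes that split for any prefix pair, so the same function also handles, say, keeping a LAN range out of a full-tunnel configuration. The VPS address and key in main are placeholders.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// setBit returns a copy of a with bit i set, counting from the most
// significant bit of the address.
func setBit(a netip.Addr, i int) netip.Addr {
	raw := a.AsSlice() // 4 bytes for IPv4, 16 for IPv6
	raw[i/8] |= 0x80 >> uint(i%8)
	r, _ := netip.AddrFromSlice(raw)
	return r
}

// Exclude returns the shortest list of prefixes that together cover every
// address in universe except those in hole. It repeatedly halves the block
// containing the hole and keeps the other half; the halves never overlap,
// so the result is safe to paste into AllowedIPs as-is.
func Exclude(universe, hole netip.Prefix) ([]netip.Prefix, error) {
	if !universe.IsValid() || !hole.IsValid() {
		return nil, fmt.Errorf("invalid prefix")
	}
	universe, hole = universe.Masked(), hole.Masked()
	if universe.Addr().Is4() != hole.Addr().Is4() {
		return nil, fmt.Errorf("%s and %s are different address families", universe, hole)
	}
	if hole.Bits() < universe.Bits() || !universe.Contains(hole.Addr()) {
		return nil, fmt.Errorf("%s is not inside %s", hole, universe)
	}
	var out []netip.Prefix
	cur := universe
	for cur.Bits() < hole.Bits() {
		bits := cur.Bits() + 1
		lo := netip.PrefixFrom(cur.Addr(), bits)
		hi := netip.PrefixFrom(setBit(cur.Addr(), bits-1), bits)
		if lo.Contains(hole.Addr()) {
			out = append(out, hi)
			cur = lo
		} else {
			out = append(out, lo)
			cur = hi
		}
	}
	return out, nil
}

// AllowedIPs formats prefixes the way a WireGuard [Peer] section expects.
func AllowedIPs(prefixes []netip.Prefix) string {
	s := make([]string, len(prefixes))
	for i, p := range prefixes {
		s[i] = p.String()
	}
	return strings.Join(s, ", ")
}

func main() {
	// Everything IPv6 except the Yggdrasil range, so the Endpoint below
	// (a Yggdrasil address on the VPS) is reached outside the tunnel.
	v6, err := Exclude(netip.MustParsePrefix("::/0"), netip.MustParsePrefix("200::/7"))
	if err != nil {
		panic(err)
	}
	// Placeholder key and Yggdrasil address; substitute your VPS's values.
	fmt.Printf("[Peer]\nPublicKey = <vps-wireguard-public-key>\nEndpoint = [<vps-yggdrasil-address>]:51820\nAllowedIPs = 0.0.0.0/0, %s\n", AllowedIPs(v6))
}
```

For ::/0 minus 200::/7 the function yields 8000::/1, 4000::/2, 2000::/3, 1000::/4, 800::/5, 400::/6, ::/7, which is exactly the list to put in AllowedIPs next to 0.0.0.0/0. After bringing the tunnel up, `wg show` should report a recent handshake and `ip -6 route get <vps yggdrasil address>` should still point at the Yggdrasil interface rather than the WireGuard one.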

As for performance: Yggdrasil adds almost no additional latency or speed penalty. I get the same 150 Mbit/s full-duplex connection to my VPS as I had with bare WireGuard over IPv4.

In conclusion, Yggdrasil turned out to be quite a resilient, fast and easy-to-use network. I hope it succeeds and finds its place alongside Tor and I2P. While it serves a different purpose, I think more people should consider it as an option when fighting censorship on the Internet.


1 comment

  • Ilya_MZP (author)

    I'm currently experimenting with WiFi mesh networking, or rather, peer-to-peer networking with the meshing done by Yggdrasil. Not all WiFi adapters support 802.11s, but a lot of them support IBSS (ad hoc). Turns out it's quite easy to set up with a few iw commands, and Yggdrasil just automagically connects all the peers together. Might write about it a bit later.