From deb97c35155648dc4fc147b4ab84499a2dccd16c Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Mon, 18 Jun 2018 20:19:31 +0100 Subject: [PATCH] Create faq.md --- faq.md | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 faq.md diff --git a/faq.md b/faq.md new file mode 100644 index 0000000..e6cd53e --- /dev/null +++ b/faq.md 
@@ -0,0 +1,61 @@ +# Frequently Asked Questions + +## I've just installed Yggdrasil and I can't ping anyone. What have I missed? + +Yggdrasil requires that you configure either a static peer to another Yggdrasil node, or that you discover another Yggdrasil node *on the same subnet* using multicast discovery (which is enabled by default). If you have not added or discovered any peers, you will not be able to reach beyond your own node. + +You can check if you have any peers by running `yggdrasilctl getPeers` - peer on port 0 is your own node, ports 1 and above are your active peers. + +Stuck for peers? Try adding a [public peer](https://github.com/yggdrasil-network/public-peers). + +## I've installed the Yggdrasil Debian package and now I can't find the logs. + +The Debian package installs the Yggdrasil service into systemd, therefore you can query systemd for the logs: +- `systemctl status yggdrasil` +- `journalctl -u yggdrasil` + +## I've modified the configuration file but nothing has changed. + +Yggdrasil only loads the configuration at startup. Restart the Yggdrasil process or service to load the new configuration. + +## I'm running Yggdrasil on a machine that is reachable from the Internet. Does this mean anyone can peer with me? + +Without any further configuration, yes. However, you can limit who can peer with you by modifying the `AllowedEncryptionPublicKeys` configuration option. When this list is empty, any remote node is allowed to peer with you. + +To restrict incoming peerings to certain nodes, you should first ask the operators of those nodes for their `EncryptionPublicKey` and then add those public keys into your own `AllowedEncryptionPublicKeys` setting. + +## I've changed my `AdminListen` port and now `yggdrasilctl` doesn't work. + +`yggdrasilctl` will assume that your admin port is on `localhost:9001`. If you have changed it, simply pass this option through to `yggdrasilctl`, i.e. 
+``` +yggdrasilctl -endpoint=127.0.0.1:12345 +``` + +## I want to run an Yggdrasil router to provide connectivity for other people, but I don't want them to be able to reach my own machine. + +You can set the `IfName` configuration setting to `none`. This will load Yggdrasil, but will not create a TUN/TAP adapter, meaning that your host will not be exposed to the Yggdrasil network. + +## I want to allow outgoing connections from my machine but prevent unwanted incoming connections. + +Generally this requires you to use a firewall. The steps for this will vary from platform to platform. + +### Linux (with `ip6tables`) +Assuming your TUN/TAP adapter is `tun0`: +``` +ip6tables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +ip6tables -A INPUT -i tun0 -m conntrack --ctstate INVALID -j DROP +ip6tables -A INPUT -i tun0 -j DROP +``` + +### Windows (with Windows Firewall) +Windows, by default, will classify the TAP adapter as a "Public Network". Configure Windows Firewall to prevent incoming connections on Public networks. + +Note that this does mean that your node won't be able to send any traffic to the Yggdrasil either - it will act purely as an intermediate router. + +### macOS (with built-in firewall) +macOS has an application firewall, therefore any firewall policies applied on other interfaces will also apply to the Yggdrasil interface. + +## Why does my Yggdrasil adapter have an unusually high MTU? + +Yggdrasil peerings are typically stream-based and therefore don't suffer from fragmentation issues when pushing large amounts of data. By using the largest possible MTU supported by a platform, we can send much more data for every TCP control message. This also helps somewhat in the reduction of TCP-over-TCP amplification, as there are less control messages to be amplified. +
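Review bot: the paragraph "Note that this does mean that your node won't be able to send any traffic to the Yggdrasil either - it will act purely as an intermediate router" sits under "### Windows (with Windows Firewall)" in the "allow outgoing connections ... but prevent unwanted incoming connections" section, where it contradicts the section's own goal (a Public-network inbound block does not stop outgoing traffic). It reads as a consequence of setting `IfName` to `none`, so it should move to the end of the "I want to run an Yggdrasil router ..." answer, where the node is loaded without a TUN/TAP adapter. Two smaller points in the same hunk: that heading should read "run a Yggdrasil router", and in the MTU answer "there are less control messages" should be "there are fewer control messages".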