Create faq.md

faq.md

@@ -0,0 +1,61 @@
+# Frequently Asked Questions
+
+## I've just installed Yggdrasil and I can't ping anyone. What have I missed?
+
+Yggdrasil requires that you configure either a static peer to another Yggdrasil node, or that you discover another Yggdrasil node *on the same subnet* using multicast discovery (which is enabled by default). If you have not added or discovered any peers, you will not be able to reach beyond your own node.
+
+You can check if you have any peers by running `yggdrasilctl getPeers` - peer on port 0 is your own node, ports 1 and above are your active peers.
+
+Stuck for peers? Try adding a [public peer](https://github.com/yggdrasil-network/public-peers).
+
+## I've installed the Yggdrasil Debian package and now I can't find the logs.
+
+The Debian package installs the Yggdrasil service into systemd, therefore you can query systemd for the logs:
+- `systemctl status yggdrasil`
+- `journalctl -u yggdrasil`
+
+## I've modified the configuration file but nothing has changed.
+
+Yggdrasil only loads the configuration at startup. Restart the Yggdrasil process or service to load the new configuration.
+
+## I'm running Yggdrasil on a machine that is reachable from the Internet. Does this mean anyone can peer with me?
+
+Without any further configuration, yes. However, you can limit who can peer with you by modifying the `AllowedEncryptionPublicKeys` configuration option. When this list is empty, any remote node is allowed to peer with you.
+
+To restrict incoming peerings to certain nodes, you should first ask the operators of those nodes for their `EncryptionPublicKey` and then add those public keys into your own `AllowedEncryptionPublicKeys` setting. 
+
+## I've changed my `AdminListen` port and now `yggdrasilctl` doesn't work.
+
+`yggdrasilctl` will assume that your admin port is on `localhost:9001`. If you have changed it, simply pass this option through to `yggdrasilctl`, i.e.
+```
+yggdrasilctl -endpoint=127.0.0.1:12345
+```
+
+## I want to run an Yggdrasil router to provide connectivity for other people, but I don't want them to be able to reach my own machine.
+
+You can set the `IfName` configuration setting to `none`. This will load Yggdrasil, but will not create a TUN/TAP adapter, meaning that your host will not be exposed to the Yggdrasil network.
+
+## I want to allow outgoing connections from my machine but prevent unwanted incoming connections.
+
+Generally this requires you to use a firewall. The steps for this will vary from platform to platform.
+
+### Linux (with `ip6tables`)
+Assuming your TUN/TAP adapter is `tun0`:
+```
+ip6tables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i tun0 -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -i tun0 -j DROP
+```
+
+### Windows (with Windows Firewall)
+Windows, by default, will classify the TAP adapter as a "Public Network". Configure Windows Firewall to prevent incoming connections on Public networks.
+
+Note that this does mean that your node won't be able to send any traffic to the Yggdrasil either - it will act purely as an intermediate router.
+
+### macOS (with built-in firewall)
+macOS has an application firewall, therefore any firewall policies applied on other interfaces will also apply to the Yggdrasil interface.
+
+## Why does my Yggdrasil adapter have an unusually high MTU?
+
+Yggdrasil peerings are typically stream-based and therefore don't suffer from fragmentation issues when pushing large amounts of data. By using the largest possible MTU supported by a platform, we can send much more data for every TCP control message. This also helps somewhat in the reduction of TCP-over-TCP amplification, as there are less control messages to be amplified.
+