Frequently Asked Questions
I've just installed Yggdrasil and I can't ping anyone. What have I missed?
Yggdrasil requires that you either configure a static peer to another Yggdrasil node or discover another Yggdrasil node on the same subnet using multicast discovery (which is enabled by default). If you have not added or discovered any peers, you will not be able to reach beyond your own node.
You can check if you have any peers by running yggdrasilctl getPeers. The peer on port 0 is your own node; ports 1 and above are your active peers.
Stuck for peers? Try adding a public peer.
I've installed the Yggdrasil Debian package and now I can't find the logs.
The Debian package installs the Yggdrasil service into systemd, so you can query systemd for the logs:
systemctl status yggdrasil
journalctl -u yggdrasil
I've modified the configuration file but nothing has changed.
Yggdrasil only loads the configuration at startup. Restart the Yggdrasil process or service to load the new configuration.
I'm running Yggdrasil on a machine that is reachable from the Internet. Does this mean anyone can peer with me?
Without any further configuration, yes. However, you can limit who can peer with you by modifying the AllowedEncryptionPublicKeys configuration option. When this list is empty, any remote node is allowed to peer with you.
To restrict incoming peerings to certain nodes, you should first ask the operators of those nodes for their EncryptionPublicKey and then add those public keys into your own AllowedEncryptionPublicKeys setting.
I've changed my AdminListen port and now yggdrasilctl doesn't work.
yggdrasilctl will assume that your admin port is on localhost:9001. If you have changed it, simply pass this option through to yggdrasilctl, i.e.
yggdrasilctl -endpoint=127.0.0.1:12345
I want to run an Yggdrasil router to provide connectivity for other people, but I don't want them to be able to reach my own machine.
You can set the IfName configuration setting to none. This will load Yggdrasil, but will not create a TUN/TAP adapter, meaning that your host will not be exposed to the Yggdrasil network.
I want to allow outgoing connections from my machine but prevent unwanted incoming connections.
Generally this requires you to use a firewall. The steps for this will vary from platform to platform.
Linux (with ip6tables)
Assuming your TUN/TAP adapter is tun0:
ip6tables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i tun0 -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -i tun0 -j DROP
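Because -A appends to the end of the INPUT chain, these rules only take effect if no earlier rule already accepts the traffic. The following is an added example, not part of the original FAQ or the Yggdrasil project: it reads `ip6tables -S INPUT` output and reports what an unsolicited packet arriving on tun0 would hit first. The function name and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Yggdrasil project). Reads `ip6tables -S INPUT`
# output on stdin and reports what happens to an unsolicited (ctstate NEW)
# packet arriving on the Yggdrasil adapter:
#   ACCEPT / DROP / REJECT  first unconditional rule that matches
#   PARTIAL                 blocked overall, but a narrower ACCEPT comes first
#   POLICY:<target>         no rule decides; the chain policy applies
# Limitation: jumps to user-defined chains are not followed.
yggdrasil_input_verdict() {
    iface="${1:-tun0}"    # assumption: adapter name used in the FAQ
    awk -v ifc="$iface" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        in_if = ""; state = ""; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i")                                 { in_if = $(i + 1); i++ }
            else if ($i == "--ctstate")                     { state = $(i + 1); i++ }
            else if ($i == "-m" && $(i + 1) == "conntrack") { i++ }
            else if ($i == "-j")                            { target = $(i + 1); break }
            else                                            { extra = 1 }  # narrower match
        }
        if (in_if != "" && in_if != ifc) next                  # other interface
        if (state != "" && ("," state ",") !~ /,NEW,/) next    # never matches NEW
        if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
        if (extra) { if (target == "ACCEPT") partial = 1; next }
        verdict = target
        exit
    }
    END {
        if (verdict == "") verdict = "POLICY:" policy
        if (partial && verdict != "ACCEPT" && verdict != "POLICY:ACCEPT") verdict = "PARTIAL"
        print verdict
    }'
}

# Constructed sample: the FAQ rules were appended (-A) behind an existing
# accept-all rule, so they are never reached.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate INVALID -j DROP
-A INPUT -i tun0 -j DROP'
printf '%s\n' "$SAMPLE_RULES" | yggdrasil_input_verdict tun0
```

On a live host, run it as `ip6tables -S INPUT | yggdrasil_input_verdict tun0`; anything other than DROP or REJECT means some unsolicited traffic can still reach the host over the Yggdrasil adapter.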
Windows (with Windows Firewall)
Windows, by default, will classify the TAP adapter as a "Public Network". Configure Windows Firewall to prevent incoming connections on Public networks.
Note that this does mean that your node won't be able to send any traffic to the Yggdrasil network either - it will act purely as an intermediate router.
macOS (with built-in firewall)
macOS has an application firewall, therefore any firewall policies applied on other interfaces will also apply to the Yggdrasil interface.
Why does my Yggdrasil adapter have an unusually high MTU?
Yggdrasil peerings are typically stream-based and therefore don't suffer from fragmentation issues when pushing large amounts of data. By using the largest possible MTU supported by a platform, we can send much more data for every TCP control message. This also helps somewhat in the reduction of TCP-over-TCP amplification, as there are fewer control messages to be amplified.