Encrypted IPv6 VPN with Yggdrasil
You need for your friends or your company a computer to computer encrypted network with fixed IP address for all computers in this network, no matter how often your provider gives your router a new IP address? I’ll show you how to get it up and running.
Yggdrasil VPN
Yggdrasil is a network software developed in the programming language Go with the following great features:
- Easy to install with just a few parameters to customize
- Runs on Linux, Mac, Windows and many other operating systems
- All data transmissions are end-to-end encrypted
- Automatically connects all computers to each other
- Works also through your router without extra configuration
- Always searches for the shortest network path from computer to computer
- New computers can participate automatically, if desired
- You finally have a fixed IP address that stays no matter where you are.
- Your IP address is attached to a secret key that only you know.
Installation
I myself use Arch-Linux or Manjaro, which is very similar. This is how the software is installed on different platforms: Manjaro-Linux and Arch-Linux
With Manjaro you can select the software graphically via the package manager, with Arch or on servers without graphics it works like this:
git clone https://aur.archlinux.org/yggdrasil.git
cd yggdrasil
makepkg -sir
Now we have to copy the integration into the system start or systemd from this directory. This file determines how the software is started and stopped (the version must be adapted later if necessary):
sudo cp src/yggdrasil-go-0.3.5/contrib/systemd/yggdrasil.service /etc/systemd/system/
Debian, Ubuntu, Raspian and the like
On some platforms, dirmngr and the HTTPS secured transport route for new software may have to be installed beforehand:
sudo apt-get install dirmngr
sudo apt-get install apt-transport-https
Then you have to get the keys from the project so that you know that you are not getting compromised software on board, but really the original:
echo 'deb http://neilalexander.s3.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | sudo tee /etc/apt/sources.list.d/yggdrasil.list
sudo apt-get update
Now we can install the software. By the way: All this manual adding of keys and repositories made me switch to Manjaro, it’s all much easier. But now:
sudo apt-get install yggdrasil
The software is now installed and there should also be a basic configuration in /etc/yggdrasil.conf, which we will change later.
Windows and Mac
For installation on commercial platforms, please refer to the original documentation. I cannot test this myself, because I don’t own any computers that have these operating systems.
In the following I refer to Linux as a platform.
Configuration
Yggdrasil can be operated in two different ways: Either you become part of a large worldwide encrypted overlay network or you explicitly specify which nodes you want to connect to.
Overlay configuration
So you are part of a large network and are in a network with others you do not know. This can be useful, if you want to be accessible worldwide and for everyone, for example for social networks, which should use the secure transmission path of Yggdrasil. A good example would be Patchwork, the client of the network Scuttlebutt:
yggdrasil --autoconf
Friends-to-Friends configuration
In this way you create a configuration for a closed and expandable user group:
yggdrasil -genconf -json > /etc/yggdrasil.conf
This is now a slim basic configuration, which we can adjust in some places.
First of all we need any computer that has a fixed IP address or at least a DynDNS fixed name in the big wide internet. Because we have to find each other somehow. And if nobody knows nobody’s address, then we won’t find each other. We enter this computer as follows with IP address (or name) and port (here for example 8123) at the peers, these are so to speak our partner computers:
"Peers": ["tcp://188.68.55.245:8123", "tcp://beispielrechner.de:8123"],
The port can be different for each computer. By the way, you can also flange your computers at home, they only have to be reachable in your network at home with a fixed IP address or a name. And at least one of your computers must connect to the outside world (if that’s what you want).
We are finished with that for now. If we want to prevent that any other computer can connect to ours, then we have to enter the public keys of our partners:
"AllowedEncryptionPublicKeys": [
"84b354ab1821a3fd0d24c6094fe586184d58527c1f45776bee4306049fae1046",
"9fae10460d24c6094fe586184d58527c1f45776bee4306041821a3fd1821a3fd",
"21a3fd0d24c6094fe586184d58527c1f45776bee4306049fae104684b354ab18"
],
And we must also give our own public key to our friends:
"EncryptionPublicKey": "8db2723c44398251803d94d4db7f5736bfae2b963cc113d620152729206c2b97",
Start and full power ahead
We now start our encrypted network and see if it works without errors:
systemctl start yggdrasil
If we copied the yggdrasil.service file correctly to the systemd folder as described above, the network should now come up. We should do this first on the central machine node on the Internet. But even if we are alone at first, we already get a new network and a corresponding IPv6 address:
ip -br a
lo UNKNOWN ::1/128
wlp7s0 UP fe80::21b:fde7:f07a:7559/64
tun0 UNKNOWN 201:7625:8b9b:aa26:d830:c459:fa5e:dc7/7 fe80::7b82:2761:71fa:8fd4/64
The last address with the tun0 is it. Looks weird because it is an address according to the new IPv6 standard, but all good! If you can’t see anything, it may be because we have committed ourselves or made another mistake. We can now check this with the journalctl command from systemd:
journalctl -u yggdrasil
The result, which you have to scroll down if necessary, looks like this:
Mär 24 17:53:04 acer systemd[1]: Starting yggdrasil...
Mär 24 17:53:04 acer systemd[1]: Started yggdrasil.
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Build name: yggdrasil
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Build version: 0.3.5
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Starting up...
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Found 2 multicast interface(s)
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Starting switch
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Starting router
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Multicast discovery is enabled
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 UNIX admin socket listening on /var/run/yggdrasil.sock
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Interface name: tun0
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Interface IPv6: 201:7625:8b9b:aa26:d830:c459:fa5e:dc7/7
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Interface MTU: 65535
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Startup complete
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Your IPv6 address is 201:7625:8b9b:aa26:d830:c459:fa5e:dc7
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Your IPv6 subnet is 301:7625:8b9b:aa26::/64
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Listening for TCP on: [fe80::21b:fde7:f07a:7559%wlp7s0]:40633
Mär 24 17:53:04 acer yggdrasil[16545]: 2019/03/24 17:53:04 Connected TCP: 201:1749:a708:d684:e86e:9514:252b:1ee9@188.68.55.245, source >
Mär 24 18:06:08 acer yggdrasil[16545]: 2019/03/24 18:06:08 Disconnected TCP: 201:1749:a708:d684:e86e:9514:252b:1ee9@188.68.55.245, sour>
Mär 24 18:06:17 acer yggdrasil[16545]: 2019/03/24 18:06:17 Connected TCP: 201:1749:a708:d684:e86e:9514:252b:1ee9@188.68.55.245, source >
Mär 24 18:06:41 acer yggdrasil[16545]: 2019/03/24 18:06:41 Disconnected TCP: 201:1749:a708:d684:e86e:9514:252b:1ee9@188.68.55.245, sour>
Mär 24 18:07:18 acer yggdrasil[16545]: 2019/03/24 18:07:18 Connected TCP: 201:1749:a708:d684:e86e:9514:252b:1ee9@188.68.55.245, source >
Since we have our own network, there is currently no DNS server in it that translates names into IP addresses and vice versa. A simple solution is to make entries in our /etc/hosts file for these fixed IP addresses so that we don’t have to write these miserably long addresses everywhere:
201:7625:8b9b:aa26:d830:c459:fa5e:dc7 meinrechner
201:7625:8b9b:aa26:d830:c459:fa5e:dc7 freund1
201:7625:8b9b:aa26:d830:c459:fa5e:dc7 freund2
Then we can see with the command ping and the name if it works:
ping freund1
Conclusion
It was a bit of writing here now, because I also explained the individual steps, but in principle there are very few things you have to do.
The big advantage now is that you and your friends now have fixed IP addresses in this network. So you can install your own web servers, game servers, chat servers and so on and use them over this network. Everything is encrypted. Even if your data is transmitted over other computers, they can’t read what it is, because your keys encrypt the data over the whole transmission path. That alone is a reason to use such an encrypted network.
The software is still quite new and unknown, but on the project page you can read that productive operation is already possible. There you can also get more information in English. I wrote this manual for you because I didn’t find a manual that really describes an installation from top to bottom.
So now have fun with your new network. Your Mr. Döring. :-)