Yggdrasil on OpenWrt

If you’re using an OpenWrt router for your home internet, installing Yggdrasil will allow you to communicate on a separate, public encrypted IPv6 network from any host on your LAN.

You can also run Yggdrasil on individual hosts, but it’s substantially more useful (and easier to configure) when any host on your network can “magically use it”.

Installing Yggdrasil

# opkg update
# opkg install yggdrasil luci-proto-yggdrasil

Configuring Yggdrasil

Setup can be completed via the LuCI WebUI. Your network should have IPv6 enabled and routable from your ISP!

Ensure your firewall zones are configured as described in the steps below: yggwan goes in the wan zone and ygglan in the lan zone. Proper zone configuration ensures your network’s nodes on Yggdrasil are protected by the default OpenWrt firewall rules!

  1. Create Yggdrasil WAN Interface
    1. Navigate to Network -> Interfaces
    2. Click Add new interface
    3. Name: yggwan, Protocol: Yggdrasil Network
    4. Click Generate new key pair
    5. Navigate to Firewall Settings -> wan zone
    6. Peers -> Add peer address (add some close peers from the public-peer list)
    7. Save, Save & Apply
  2. Create Yggdrasil LAN Interface
    1. Note your IPv6-PD for the newly created yggwan interface
    2. Add new interface
    3. Name: ygglan, Protocol: Static Address
    4. Firewall Settings -> lan zone
    5. IPv6 address: IPv6-PD address above, adding a 1 onto the end (like 301:dead:beef::1/64)
    6. IPv6 routed prefix: IPv6-PD address above as displayed (like 301:dead:beef::/64)
    7. Save, Save & Apply
  3. Assuming everything is ok, click Restart on your LAN Interface.
  4. Assuming everything is ok, restart networking on your client device.
  5. Your client / desktop should have a new 301:… IPv6 address advertised from your router.
  6. Your client / desktop can now access any endpoints on the Yggdrasil network (any IPv6 address starting with 301…)

Yggdrasil Ingress via Tinyproxy

For bonus points, you can pick an IP on Yggdrasil within your subnet and route it to services or Kubernetes on your local network via Tinyproxy.

Install Tinyproxy

# opkg update
# opkg install tinyproxy luci-app-tinyproxy

Configuring Tinyproxy

Once again, setup can be completed via the LuCI WebUI.

  1. Assign an IP for your service
    1. Navigate to Network -> Interfaces
    2. Add new interface
    3. Name: yggapp, Protocol: Static Address
    4. Device: br-lan
    5. IPv6 address: 301:... (choose an unused IP within your Yggdrasil assignment)
    6. Firewall Settings -> Zone. Assign to lan (or a special new zone)
    7. Save, Save & Apply
  2. Set up Tinyproxy
    1. Services -> Tinyproxy
    2. Enable Tinyproxy server
    3. Listen address: IPv6 IP assigned above
    4. Bind address: IPv4 address of your router, or IPv6 address of your router
    5. Add Upstream Proxies. (Either a catchall via an Ingress controller like Traefik, or let Tinyproxy route to individual services on your LAN)
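
A sanity check for the addressing steps above (the ygglan address and routed prefix, and the unused address picked for yggapp), as an added example that is not part of the original post. The function names are hypothetical, and the 300::/8 check assumes Yggdrasil hands out routed /64 subnets from that range, which the page does not state.

```python
import ipaddress

# Assumption (not stated on the page): Yggdrasil allocates routed /64
# subnets from 300::/8, while node addresses come from 200::/8.
YGG_SUBNETS = ipaddress.ip_network("300::/8")


def plan_lan(prefix):
    """Derive the ygglan fields from the IPv6-PD shown on yggwan."""
    # strict=True rejects host bits, e.g. pasting 301:dead:beef::1/64 here
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError(f"{prefix}: expected an IPv6 /64")
    if not net.subnet_of(YGG_SUBNETS):
        raise ValueError(f"{prefix}: not a Yggdrasil routed subnet")
    router = net.network_address + 1  # "adding a 1 onto the end"
    return {
        "ipv6_address": f"{router}/64",  # ygglan: IPv6 address
        "routed_prefix": str(net),       # ygglan: IPv6 routed prefix
        "router": router,
    }


def check_service_addr(prefix, candidate, in_use=()):
    """Validate the address chosen for the yggapp interface."""
    plan = plan_lan(prefix)
    net = ipaddress.ip_network(prefix)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        raise ValueError(f"{addr}: outside {net}, so it is not routed to this LAN")
    if addr == net.network_address:
        raise ValueError(f"{addr}: subnet-router anycast address, not usable")
    if addr == plan["router"]:
        raise ValueError(f"{addr}: already assigned to ygglan")
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        raise ValueError(f"{addr}: already in use on the LAN")
    return str(addr)


if __name__ == "__main__":
    prefix = "301:dead:beef::/64"  # constructed sample, matches the page's example
    print(plan_lan(prefix))
    print(check_service_addr(prefix, "301:dead:beef::10",
                             in_use=["301:dead:beef::20"]))
```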