yggdrasil

private, but not anonymous, encrypted overlay network. yggdrasil is used to encrypt sunshine gardens' internal infrastructure and is the backbone of our CDN. all peers accept connections on the same standard ports.

https://yggdrasil-network.github.io/

routers

future versions of the network will use sslh or haproxy to multiplex port 443 and allow mesh access on restrictive networks. with this configuration, all of your communications will look like normal web traffic going to sunshine gardens.

exit routing (with rate limits) will eventually be granted to authenticated members and to members of affiliated grids. the exit routing update will also disable unauthenticated peering.

the routers are organized in two tiers: first by city, then bioregion. sunshine gardens is primarily set up to serve north american peers because we are located on the western side of the continent. we would love to partner with groups serving adjacent continents to provide trusted routing infrastructure to south america, central america, and europe.

service regions

bioregions of NA

DO NOT LIST THESE ON YGGDRASIL PUBLIC PEERS

# cascadia region
cascadia.hypergate.nyu.tokyo
	seattle-0.hypergate.nyu.tokyo
# california region
california.hypergate.nyu.tokyo
	losangeles-0.hypergate.nyu.tokyo
# sonora region
sonora.hypergate.nyu.tokyo
	lasvegas-0.hypergate.nyu.tokyo
# laurentia region
laurentia.hypergate.nyu.tokyo
	chicago-0.hypergate.nyu.tokyo
	newjersey-0.hypergate.nyu.tokyo

these are flattened in the DNS: the region name resolves to all of the router IPs in that region, and each specific router also gets its own name.

"hardening"

generate stronger keys

after generating your config file, burn some cycles generating a stronger key. this can be done asynchronously; the following command (run from a checkout of yggdrasil-go) generates multiple candidate keys.

go run cmd/genkeys/main.go

tls minor cloak

router operators can use haproxy to direct tls-wrapped peer traffic from port 443 to the appropriate port. this is useful for allowing users on restricted networks to connect to the overlay network. overlay traffic will look like normal tls traffic, connecting to the same tls-wrapped services you access normally.

configure a tls listener in yggdrasil.conf

  Listen: [
    "tls:[::]:42069"
  ]

instruct haproxy to forward tls connections to yggdrasil, unless they match SNI for another domain.

defaults
	timeout client 24h
	timeout queue 1m
	timeout server 1h
frontend tls
	mode tcp
	bind 0.0.0.0:443
	bind :::443
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	# yggdrasil does not send SNI, so this has to be the default backend
	default_backend ygg_backend
	use_backend https_backend if { req_ssl_sni -i $YOUR_DOMAIN }
	use_backend https_backend if { req_ssl_sni -i $YOUR_OTHER_DOMAIN }
backend ygg_backend
	mode tcp
	server router ::1:42069
backend https_backend
	mode tcp
	server httpd ::1:8443 send-proxy-v2
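to sanity-check the routing decision the frontend above makes without standing up haproxy, here is an added python simulation (not part of this page's config, nor of haproxy or yggdrasil). it constructs minimal ClientHello records and classifies them the way the rules do; example.org is a constructed stand-in for $YOUR_DOMAIN.

```python
import struct

def build_client_hello(sni=None):  # constructed minimal TLS ClientHello record
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(lst)) + lst        # extension 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                 # version + fixed "random" bytes
            + b"\x00"                                  # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):  # returns (is_client_hello, sni); first is what req_ssl_hello_type 1 tests
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return False, None
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    p = 2 + 32                                         # skip version and random
    p += 1 + body[p]                                   # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher suites
    p += 1 + body[p]                                   # compression methods
    if p + 2 > len(body):
        return True, None                              # ClientHello with no extensions block
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == 0x0000:                            # server_name: skip list length, walk entries
            q = p + 2
            while q + 3 <= p + elen:
                ntype, nlen = body[q], struct.unpack("!H", body[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return True, body[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return True, None

def choose_backend(record, https_domains=("example.org",)):  # domains: constructed stand-in
    is_hello, sni = extract_sni(record)
    if is_hello and sni and sni.lower() in {d.lower() for d in https_domains}:
        return "https_backend"                         # use_backend ... req_ssl_sni -i matched
    return "ygg_backend"                               # no rule matched: default_backend
```

note that an SNI for a domain you did not list also ends up on ygg_backend, exactly as the config does; list every web domain you serve.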