perguth/yggdrasil-protected-group

Yggdrasil Protected Group

Sync Yggdrasil Network Peers, AllowedPublicKeys and whitelist IPs via UFW.

When you start building your own Yggdrasil Network cluster you face a choice: either keep the cluster disconnected from the wider network, or connect it and have every node in it reachable from that network, because each Yggdrasil node gets a routable IPv6 address and nothing blocks traffic to its listening ports unless a host firewall does. With this script you can form a private group of nodes that can reach each other's ports while keeping those ports unavailable to the rest of the network.

This script:

  • Adds a new config file under /etc/yggdrasil-protected-group.conf
  • Watches that config file for changes
  • Automatically syncs changes with the rest of the group
  • Automatically updates and restarts Yggdrasil
  • Whitelists group members' Yggdrasil IPs for access to local ports via UFW
  • Manages the properties Peers and AllowedPublicKeys in /etc/yggdrasil/yggdrasil.conf: they are overwritten on every change, so anything you edit there by hand is lost; put node-specific entries in the LocalOnly lists of the group config instead

Install

# Install the systemd service (fetch and read setup.sh first if you prefer not to pipe it straight into bash)
bash -c "$(curl -fsSL https://raw.githubusercontent.com/perguth/yggdrasil-protected-group/main/setup.sh)"

# Set/copy the `SharedSecret` of the group. It is what lets a node take part in the
# sync, so use a long random value and the same value on every node.
sudo nano /etc/yggdrasil/yggdrasil-protected-group.conf
# and restart the service if changed
sudo service yggdrasil-protected-group restart
# Repeat the previous steps on all nodes.

# Add your allowed Yggdrasil peers to:
sudo nano /etc/yggdrasil-protected-group.conf
# Changes will be synced to all nodes.
# Peers will be whitelisted and Yggdrasil restarted automatically.

# Already whitelisted IPs are shown with
sudo ufw show added

# Enable the firewall. UFW's default policy denies incoming traffic, so make sure
# your own management access (e.g. SSH) is allowed before enabling it.
sudo ufw enable

Usage

Directly edit the Hjson ("JSON with comments") file:

/etc/yggdrasil-protected-group.conf

{
  SharedSecret: ...
  Peers:
  {
    GroupShared: [
      # Some comment
      tls://somehost:443
    ]
    LocalOnly: []
  }
  AllowedPublicKeys:
  {
    GroupShared: [
      # Another comment
      A-public-key-EIANruysiaUISaiu...
    ]
    LocalOnly: []
  }
}
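To make the sync concrete, here is an added example (not code from this project) that models what the service does with the file above: merge the GroupShared and LocalOnly lists into the managed Peers and AllowedPublicKeys properties, derive each member's Yggdrasil address from its public key, decide whether Yggdrasil needs a restart, and emit the matching UFW allow rules. It assumes Yggdrasil's v0.4+ addressing (a hex-encoded ed25519 public key, address in 0200::/7 computed from the leading ones of the inverted key); the sample keys, peer URIs and the `needs_restart` and `ufw_allow_rules` helpers are constructed for illustration, and the config is shown as already-parsed Python data rather than Hjson.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample of /etc/yggdrasil-protected-group.conf, already parsed
# into Python data (the real file is Hjson; the shape follows the README).
GROUP_CONF: Dict = {
    "SharedSecret": "constructed-placeholder-secret",
    "Peers": {
        "GroupShared": ["tls://somehost:443"],
        "LocalOnly": ["tcp://[fe80::1%eth0]:9001"],   # constructed, this node only
    },
    "AllowedPublicKeys": {
        # Constructed 32-byte ed25519 public keys, hex-encoded as in yggdrasil.conf.
        # Their leading bits are chosen so the derived address is easy to check by hand.
        "GroupShared": ["0f" + "00" * 31],
        "LocalOnly": ["7f" + "00" * 31],
    },
}

# Constructed sample of /etc/yggdrasil/yggdrasil.conf (only the parts that matter).
YGG_CONF: Dict = {
    "Peers": ["tcp://stale-peer.example:9001"],   # gets overridden, not merged
    "AllowedPublicKeys": [],
    "Listen": ["tls://[::]:443"],                  # not managed, must survive unchanged
}

YGG_PREFIX = ipaddress.ip_network("0200::/7")


def addr_for_key(hex_key: str) -> str:
    """Derive a node's Yggdrasil IPv6 address from its ed25519 public key.

    Assumed (v0.4+) scheme: invert the key bits, count the leading ones (must
    fit in 7 bits), drop those ones and the first zero, then build the address
    as 0x02 | ones | next 112 bits.
    """
    key = bytes.fromhex(hex_key)
    if len(key) != 32:
        raise ValueError("expected a 32-byte ed25519 public key")
    bits = "".join(f"{b ^ 0xFF:08b}" for b in key)
    ones = len(bits) - len(bits.lstrip("1"))
    if ones > 127:
        raise ValueError("leading-ones count does not fit the 7-bit field")
    rest = bits[ones + 1:]                      # skip the ones and the first zero
    payload = int(rest[:112], 2).to_bytes(14, "big")
    return str(ipaddress.IPv6Address(bytes([0x02, ones]) + payload))


def in_yggdrasil_range(addr: str) -> bool:
    """True if addr lies in Yggdrasil's 0200::/7 range."""
    return ipaddress.ip_address(addr) in YGG_PREFIX


def managed_values(group: Dict, prop: str) -> List[str]:
    """GroupShared followed by LocalOnly, deduplicated, order preserved."""
    section = group[prop]
    return list(dict.fromkeys(section["GroupShared"] + section["LocalOnly"]))


def sync_yggdrasil_conf(group: Dict, ygg: Dict) -> Dict:
    """Return a copy of ygg with the two managed properties overridden.

    Whatever ygg already had in Peers/AllowedPublicKeys is discarded, which is
    why local additions belong in LocalOnly rather than in yggdrasil.conf.
    """
    synced = dict(ygg)
    for prop in ("Peers", "AllowedPublicKeys"):
        synced[prop] = managed_values(group, prop)
    return synced


def needs_restart(old: Dict, new: Dict) -> bool:
    """Yggdrasil only needs a restart when a managed property actually changed."""
    return any(old.get(p) != new.get(p) for p in ("Peers", "AllowedPublicKeys"))


def ufw_allow_rules(hex_keys: List[str], ports: Optional[List[int]] = None) -> List[str]:
    """UFW commands whitelisting each key's Yggdrasil address (all ports by default).

    Needs IPV6=yes in /etc/default/ufw, otherwise ufw rejects an IPv6 source.
    """
    rules: List[str] = []
    for key in hex_keys:
        ip = addr_for_key(key)
        if ports is None:
            rules.append(f"ufw allow from {ip}")
        else:
            rules.extend(f"ufw allow from {ip} to any port {p}" for p in ports)
    return rules


if __name__ == "__main__":
    new_conf = sync_yggdrasil_conf(GROUP_CONF, YGG_CONF)
    print("restart needed:", needs_restart(YGG_CONF, new_conf))
    # Assumption: only group-shared keys are group members and get whitelisted.
    for rule in ufw_allow_rules(GROUP_CONF["AllowedPublicKeys"]["GroupShared"]):
        print(rule)
```

The two constructed keys give the addresses 204:1fff:ffff:ffff:ffff:ffff:ffff:ffff and 201:3ff:ffff:ffff:ffff:ffff:ffff:ffff, which you can verify by hand from the inverted leading bits; for a real node, compare the derived address with what `yggdrasilctl getSelf` reports before trusting the whitelist it produces.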