routing-yggdrasil: add package

Yggdrasil builds end-to-end encrypted networks with IPv6. Beyond the similarities with cjdns is a different routing algorithm. This globally-agreed spanning tree uses greedy routing in a metric space. Back-pressure routing techniques allow advanced link aggregation bonding on per-stream basis. In turn, a single stream will span across multiple network interfaces simultaneously with much greater throughput. Authored by: William Fleurant <meshnet@protonmail.com> Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-04-30 15:38:40 +01:00 · 2019-03-19 10:50:25 +01:00
parent e2884eb99a
commit aa4a59b715
3 changed files with 211 additions and 0 deletions
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+yggConfig="/etc/yggdrasil.conf"
+
+if [ ! -e ${yggConfig} ]; then
+
+  yggdrasil -genconf -json > ${yggConfig}
+
+  # create the firewall zone
+  uci -q batch <<-EOF >/dev/null
+    add firewall zone
+    set firewall.@zone[-1].name=yggdrasil
+    add_list firewall.@zone[-1].network=yggdrasil
+    set firewall.@zone[-1].input=REJECT
+    set firewall.@zone[-1].output=ACCEPT
+    set firewall.@zone[-1].forward=REJECT
+    set firewall.@zone[-1].conntrack=1
+    set firewall.@zone[-1].family=ipv6
+EOF
+
+  # allow ICMP from yggdrasil zone, e.g. ping6
+  uci -q batch <<-EOF >/dev/null
+    add firewall rule
+    set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
+    set firewall.@rule[-1].src=yggdrasil
+    set firewall.@rule[-1].proto=icmp
+    add_list firewall.@rule[-1].icmp_type=echo-request
+    add_list firewall.@rule[-1].icmp_type=echo-reply
+    add_list firewall.@rule[-1].icmp_type=destination-unreachable
+    add_list firewall.@rule[-1].icmp_type=packet-too-big
+    add_list firewall.@rule[-1].icmp_type=time-exceeded
+    add_list firewall.@rule[-1].icmp_type=bad-header
+    add_list firewall.@rule[-1].icmp_type=unknown-header-type
+    set firewall.@rule[-1].limit='1000/sec'
+    set firewall.@rule[-1].family=ipv6
+    set firewall.@rule[-1].target=ACCEPT
+EOF
+
+  # allow SSH from yggdrasil zone, needs to be explicitly enabled
+  uci -q batch <<-EOF >/dev/null
+    add firewall rule
+    set firewall.@rule[-1].enabled=0
+    set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
+    set firewall.@rule[-1].src=yggdrasil
+    set firewall.@rule[-1].proto=tcp
+    set firewall.@rule[-1].dest_port=22
+    set firewall.@rule[-1].target=ACCEPT
+EOF
+
+  # allow LuCI access from yggdrasil zone, needs to be explicitly enabled
+  uci -q batch <<-EOF >/dev/null
+    add firewall rule
+    set firewall.@rule[-1].enabled=0
+    set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
+    set firewall.@rule[-1].src=yggdrasil
+    set firewall.@rule[-1].proto=tcp
+    set firewall.@rule[-1].dest_port=80
+    set firewall.@rule[-1].target=ACCEPT
+EOF
+
+
+else
+  :
+fi
+
+exit 0
@@ -0,0 +1,33 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=85
+
+USE_PROCD=1
+
+start_service()
+{
+	[ -f /etc/uci-defaults/yggdrasil ] && ( . /etc/uci-defaults/yggdrasil )
+
+	procd_open_instance
+	procd_set_param respawn
+	procd_set_param command /usr/sbin/yggdrasil -useconffile /etc/yggdrasil.conf
+    procd_set_param command /bin/ash -c "/usr/sbin/yggdrasil -useconffile /etc/yggdrasil.conf | logger -t yggdrasil"
+
+	procd_close_instance
+}
+
+stop_service()
+{
+	killall yggdrasil
+}
+
+reload_service()
+{
+	restart
+}
+
+service_triggers()
+{
+	procd_add_reload_trigger yggdrasil
+}