Saturday, 10 January 2026

# Thoughts Regarding TLS in Yggdrasil and Mycelium Networks | DevZone



3 min. reading


September 1



*Internet version of my publication for the site of the local community of alternative networks administrators.*


In the overlay-network community it is taken for granted that if node keys are permanent and the links between nodes are protected by TLS, then an additional TLS layer at the application level is supposedly not needed. Lately, however, I have started to doubt this.


## Key Compromise


In networks like [Yggdrasil](https://devzone.org.ua/post/yggdrasil-mereza-z-detsentralizovanym-routynhom) / [Mycelium](https://github.com/threefoldtech/mycelium) there is no cost attached to generating a private key, so a collision is theoretically possible (though unlikely). This is why it is recommended to use a node's main address rather than its subnet; the developers plan to remove subnets but have not done so yet, and they remain convenient for shared hosting. Nor does anything rule out a copy of a key being extracted, accidentally or otherwise, given the potential capabilities of the crypto industry; the only question is whether spending a supercomputer on it is worthwhile, which depends on how many users these networks attract and how wealthy they are, and on potential attacks on routing, which builds its tree from peer IDs by a fixed algorithm.


## Double Layer


Technically, the Yggdrasil transport protocol takes on the job of encrypting traffic even where that may not be wanted, for example:


- to save electricity and CPU time when forwarding large media files

- when TLS / HTTPS is already applied at the application level, to prevent interception of a login/password or simply to carry GET requests confidentially through proxies


A practical example: the encryption requirement of [Gemini](https://devzone.org.ua/post/protokol-gemini-iak-alternatyva-http) when it runs inside Yggdrasil; the protocol wants to be protected on the open Internet, but I am using it where its author did not intend. For that reason I used the alternative [Nex](https://devzone.org.ua/post/protokol-nex-lehka-alternatyva-gemini) for a while, but later realised that some data may still require a certificate, so on sensitive forms I need the good old HTTP+HTTPS model.


If sensitive data is sent from the client to the server, then in my opinion it is worth using a TLS certificate as a safeguard; but the router has already "taken care" of everything, which creates needless complications.


## Certification in Local Networks


Because local networks are isolated, obtaining a valid certificate in Yggdrasil, for example from Let's Encrypt, is a problem. Gemini, on the other hand, uses no certification authorities at all: it applies the [TOFU](https://en.wikipedia.org/wiki/Trust_on_first_use) principle, which significantly reduces the risk of data interception over time, up to the point at which a leak is detected. I have even had thoughts of organising an internal certification centre for the network, why not; and why not make such a service paid?
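As an added illustration of how a TOFU client behaves (this is example code written for this page, not code from the post or from any existing Gemini client), here is a minimal pinning store in Python. The host name `capsule.ygg` and the certificate byte strings are constructed stand-ins for DER-encoded certificates; a real client would pass the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`. The point it makes is the one above: the first connection is the only unprotected moment, and afterwards a changed certificate is the single signal the client gets, so it must be a hard failure rather than a silent re-pin.

```python
import hashlib
import hmac
import json
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated, as most clients display it."""
    h = hashlib.sha256(cert_der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


class TofuStore:
    """Pins the first certificate seen per host:port and refuses silent changes."""

    def __init__(self, path: Optional[str] = None):
        # In-memory by default; with a path it behaves like a known_hosts file.
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Return 'first-use', 'match' or 'mismatch'.

        'first-use' is the unavoidable window in TOFU: whoever answers the very
        first connection gets pinned. 'mismatch' is the only signal the client
        ever gets that something changed (MITM or a genuine rotation); it stays
        a failure until an operator explicitly accepts the new certificate.
        """
        key = f"{host}:{port}"
        fp = fingerprint(cert_der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp
            self._save()
            return "first-use"
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"

    def accept_new(self, host: str, port: int, cert_der: bytes) -> None:
        """Explicit operator decision after verifying out of band that the server
        really rotated its certificate; the only legitimate way out of 'mismatch'."""
        self.pins[f"{host}:{port}"] = fingerprint(cert_der)
        self._save()


# Constructed sample data: two different stand-in "certificates" for one host.
CERT_A = b"constructed DER bytes for the server's original certificate"
CERT_B = b"constructed DER bytes for a different certificate on the same name"


def demo() -> List[str]:
    """Walk through first use, a normal revisit, a changed cert, and a manual rotation."""
    store = TofuStore()  # pass a file path instead to persist the pins
    results = [
        store.check("capsule.ygg", 1965, CERT_A),  # first-use: pinned, unverifiable
        store.check("capsule.ygg", 1965, CERT_A),  # match
        store.check("capsule.ygg", 1965, CERT_B),  # mismatch: refuse the connection
    ]
    store.accept_new("capsule.ygg", 1965, CERT_B)  # operator verified the rotation
    results.append(store.check("capsule.ygg", 1965, CERT_B))  # match again
    return results


if __name__ == "__main__":
    print(demo())
```

The store keys on `host:port`, so the same name on a different port is a separate identity; that matches how Gemini clients treat capsules on non-default ports and avoids one pin being reused where it does not belong.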


## Conclusions


When and how exactly to encrypt data should be decided by the user / network administrator, for those streams and data that require it, whereas Yggdrasil and Mycelium do it "voluntarily-compulsorily", like other newfangled software carrying the label "absolutely secure". Modern software whose developers compete for the right to be called "protected" resembles a crypto-cabbage whose security coefficient was == is.


It already starts to annoy me when someone decides something for me where nobody asked them. Marketing is marketing, slogans are slogans, but experienced users leave because of such discomfort, and tourists do not stay anyway.


My other conclusion is that effective network solutions were invented by post-war specialists half a century ago, people who had to survive rather than play at commercial experiments. Nothing fundamentally new has been invented since. Perhaps the next breakthrough will be quantum data transmission, not this nonsense: automatically laying a route through probably compromised nodes while encrypting tons of garbage that passes through it.






# Setting up a Fedi-server Snac for the Yggdrasil Network | DevZone



15 min. reading


May 11




Shortly after my [thoughts on p2p](https://devzone.org.ua/post/hrabli-p2p), I decided to try setting up my own experimental [Fediverse](https://uk.wikipedia.org/wiki/%D0%A4%D0%B5%D0%B4%D0%B8%D0%B2%D0%B5%D1%80%D1%81) instance, and to do it over the overlay network [Yggdrasil](https://devzone.org.ua/post/yggdrasil-mereza-z-detsentralizovanym-routynhom), since I do not plan to buy a dedicated IP or a VPS for this toy; instead it will be hosted behind a modem, on a single-board computer or even on my PC while I am online, with a dynamic address behind NAT.


I am writing this note primarily for myself, and also, it may be useful for those who, like me, are just starting their experiments in the field of administering their own Fediverse node and are interested in alternative networks, in the context of Linux.


## What is Snac


[Snac](https://codeberg.org/grunfink/snac2) is a minimalistic alternative to the [Mastodon](https://joinmastodon.org/uk) server, written in C, with no JavaScript and no PostgreSQL required; instead it stores all profile data in JSON files. Recently [IPv6 support was added](https://codeberg.org/grunfink/snac2/pulls/256) to this server, so it works with the Yggdrasil range `0200::/7` as well.


Since Yggdrasil allows generating an unlimited number of static IPs for free (derived from an [Ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519) private key), the usual need for DNS does not arise here. You can optionally attach [Alfis](https://devzone.org.ua/post/alfis-dns-reyestratsiia-domenu-v-blokcheyn), but personally I do not use it (partly because of the still unresolved issue [#364](https://github.com/Revertron/Alfis/issues/364)), so I do not want to impose it within the ActivityPub protocol either; identities will simply have the form `username@IPv6`, with nothing to renew or mine later.


## Installation


1. I do not know the exact list of packages for Debian, since my system is not new and already has previously installed packages. As indicated in the [README](https://codeberg.org/grunfink/snac2#building-and-installation), I only installed `libssl-dev` and `libcurl4-openssl-dev` (for Fedora it should be approximately the same with the `-devel` suffix).

2. Next, create a separate system user so that a vulnerability in Snac is isolated from the rest of the system:

   ```
   useradd -m snac
   ```

3. Change the login shell to bash in `/etc/passwd` for convenience (or pass `-s /bin/bash` to `useradd` in the previous step).

4. Log in via `su snac` and go to that user's home directory: `cd`

5. Download the latest source code: `git clone https://codeberg.org/grunfink/snac2.git`

6. Go to the working directory: `cd snac2`

7. Compile with `make` and install with `sudo make install`; the install step writes to `/usr/local/bin`, so it needs root privileges.

8. Initialize the server storage: `snac init /home/snac/storage`

9. Add our first user to it: `snac adduser /home/snac/storage`

10. Then return to root by executing `exit`.


## Configuration


I already have an installed and configured Yggdrasil node; if anyone is interested in the installation process, use the [previous publication](https://devzone.org.ua/post/yggdrasil-mereza-z-detsentralizovanym-routynhom) or the [official documentation](https://yggdrasil-network.github.io/documentation.html).


### Yggdrasil Subnet Address


You can skip this step and use the main address (the one beginning with `2`) if ports `80` or `8001` are free. But note that within the ActivityPub API the Snac server announces your host address to other nodes, which cache it as part of the object IDs, and since the host address is stored locally in files rather than in a database, replacing it later will be difficult. It is therefore better to allocate a separate address from the start, especially for production:


1. `yggdrasilctl getself` - shows your IP, including the node's IPv6 subnet.

2. `ifconfig lo inet6 add IP` - instead of `IP`, specify an arbitrary address from the subnet you received, for example `3xx:xxxx:xxxx:xxxx::fed/64`, where `fed` is a bit of wordplay within the hexadecimal "dictionary" of IPv6 (0-9, A-F). The `ip` equivalent is `ip -6 addr add 3xx:xxxx:xxxx:xxxx::fed/64 dev lo`.

* note that an address added with `ifconfig` is not preserved across reboots; to keep it, add the corresponding entry (the command from point 2), for example, to `/etc/netplan/01-ygglo.yaml`, `/etc/network/interfaces`, or directly to the systemd `yggdrasil.service` (an `ExecStartPost=` line), depending on the operating system.
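Where the subnet printed by `yggdrasilctl getself` actually comes from, and why the TLS post above recommends the main address over the subnet, can be shown in a few lines. The following Python is an added example written for this page, not code from the post and not yggdrasil-go's own code: it re-implements the address derivation from yggdrasil-go (`src/address/address.go`) as I understand it, which is an assumption to confirm against a real node. It derives the `0200::/7` address and the `0300::/8` subnet from an Ed25519 public key, picks a host such as `::fed` inside the `/64`, and makes explicit that the `/64` carries only 48 bits of key-derived material against 112 for the full address, which is exactly why subnet collisions are the more plausible of the two. The keys used are constructed so that the result can be checked by hand; they are not real node keys.

```python
import ipaddress
from typing import Tuple

# Yggdrasil addresses live in 0200::/7; routed subnets set the low prefix bit -> 0300::/8.
PREFIX = b"\x02"


def _split_key(public_key: bytes) -> Tuple[int, bytes]:
    """Invert the 32-byte Ed25519 public key, count its leading one bits (i.e. the
    leading zeros of the real key), drop the terminating zero bit, and pack the
    remaining bits into bytes. Mirrors AddrForKey in yggdrasil-go as I understand
    it (assumption, verify against `yggdrasilctl getself`)."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    inverted = bytes(b ^ 0xFF for b in public_key)
    total = 8 * len(inverted)

    def bit(i: int) -> int:
        return (inverted[i // 8] >> (7 - i % 8)) & 1

    ones = 0
    while ones < total and bit(ones):
        ones += 1
    if ones > 127:
        # The counter is a single byte in the address; more than 127 leading
        # zeros in a real key is not realistic, so treat it as malformed input.
        raise ValueError("degenerate key: more than 127 leading ones")
    rest = bytearray()
    acc = n = 0
    for i in range(ones + 1, total):  # skip the zero bit that ends the run of ones
        acc = (acc << 1) | bit(i)
        n += 1
        if n == 8:
            rest.append(acc)
            acc = n = 0
    return ones, bytes(rest)


def addr_for_key(public_key: bytes) -> ipaddress.IPv6Address:
    """Node address: 0x02 | ones | next 14 bytes of key bits (112 bits of key material)."""
    ones, rest = _split_key(public_key)
    return ipaddress.IPv6Address(PREFIX + bytes([ones]) + rest[:14])


def subnet_for_key(public_key: bytes) -> ipaddress.IPv6Network:
    """Routed /64: 0x03 | ones | next 6 bytes of key bits (only 48 bits of key material)."""
    ones, rest = _split_key(public_key)
    head = bytes([PREFIX[0] | 0x01, ones]) + rest[:6]
    return ipaddress.IPv6Network((head + bytes(8), 64))


def host_in_subnet(public_key: bytes, suffix: int) -> ipaddress.IPv6Address:
    """Pick a host inside the node's /64, e.g. suffix 0xfed as in the post."""
    return subnet_for_key(public_key)[suffix]


def key_material_bits() -> dict:
    """Key-derived bits each form carries beyond the prefix byte and the ones counter."""
    return {"address": (16 - len(PREFIX) - 1) * 8, "subnet": (8 - len(PREFIX) - 1) * 8}


if __name__ == "__main__":
    # Constructed key: first byte 0x80, rest zero -> no leading ones, then all ones.
    k = bytes([0x80]) + bytes(31)
    print(addr_for_key(k), subnet_for_key(k), host_in_subnet(k, 0xFED), key_material_bits())
```

The `0xfed` host from the post is simply `subnet[0xfed]`; any suffix in the low 64 bits is equally valid, since that half of the address is yours to assign and carries no key material at all.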


### Nginx Proxy


My server already has the [Nginx](https://nginx.org/) web server installed and occupying port `80`; I do not want to change that yet, and I also do not want public Snac addresses to carry its standard port `8001`. So, since I already have a dedicated subnet address, I simply proxy the API to port `80` through a new virtual host, partly reusing the [original configuration example](https://codeberg.org/grunfink/snac2/src/branch/master/examples/nginx-alpine-ssl/default.conf):


```
# /etc/nginx/sites-available/default
server {
    listen [3xx:xxxx:xxxx:xxxx::fed]:80;
    server_name 3xx:xxxx:xxxx:xxxx::fed;

    location @proxy {
        proxy_http_version      1.1;
        # pass WebSocket upgrades through to Snac
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "upgrade";
        proxy_redirect          off;
        proxy_connect_timeout   90;
        proxy_send_timeout      90;
        proxy_read_timeout      90;
        # Host as the client sent it (port included); must match "host" in server.json
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # never forward a client-supplied Proxy header (httpoxy)
        proxy_set_header        Proxy "";
        proxy_pass_header       Server;
        proxy_buffering on;
        tcp_nodelay on;
        proxy_pass http://[3xx:xxxx:xxxx:xxxx::fed]:8001;
    }

    location /.well-known/webfinger {
        try_files $uri @proxy;
    }

    location /.well-known/nodeinfo {
        try_files $uri @proxy;
    }

    location / {
        try_files $uri @proxy;
    }

    location /fedi/ {
        try_files $uri @proxy;
    }
}
```


* `systemctl reload nginx` - apply the changes

* you may want a separate configuration file for Nginx instead of `default`; I keep a single file for all hosts

* optionally, Nginx can close off individual locations by source IP


As you can see, the example above specifies no port `443` and no TLS certificates. This is intentional: Yggdrasil already provides an encrypted channel, and I do not want to add another layer here.


Since Yggdrasil clients also connect from static addresses, I decided to restrict access to the administrative API (the admin pages of all accounts plus `oauth`) by source IP. How effective this is, and whether I have overlooked other paths, I do not know, but here is my regular expression for `location`:


```
location ~ /([^\/]+/admin|oauth) {
    allow ADMIN_IP;
    deny all;
    try_files $uri @proxy;
}
```


### Snac Configuration


Edit the file `/home/snac/storage/server.json` previously generated by the `snac init` command:


```
{
    "host": "[3xx:xxxx:xxxx:xxxx::fed]",
    "prefix": "",
    "address": "3xx:xxxx:xxxx:xxxx::fed",
    "port": 8001,
    "layout": 2.7,
    "dbglevel": 0,
    "queue_retry_minutes": 2,
    "queue_retry_max": 10,
    "queue_timeout": 6,
    "queue_timeout_2": 8,
    "cssurls": [
        ""
    ],
    "def_timeline_entries": 50,
    "max_timeline_entries": 50,
    "timeline_purge_days": 120,
    "local_purge_days": 0,
    "min_account_age": 0,
    "admin_email": "",
    "admin_account": "",
    "title": "",
    "short_description": "",
    "short_description_raw": false,
    "protocol": "http",
    "fastcgi": false
}
```


* note that in my example the protocol is changed to `http`


### iptables Accesses


The configuration in these examples does not provide access to the node from the Internet, so I opened the port only for Yggdrasil, so that other nodes in this network can interact with it on events such as following (both nodes must be online for the exchange to complete):


```
ufw allow from 0200::/7 to any port 80
```


* if you do not use Nginx, or the server listens on its standard or some other port, specify that port instead of `80`, for example `8001`

* this rule only restricts anything if ufw's default policy for incoming traffic is deny (`ufw default deny incoming`; check with `ufw status verbose`)

* if you limit traffic to the range `0200::/7`, also pay attention to the note about private mode described below


### systemd Configuration


There is a ready [official configuration example](https://codeberg.org/grunfink/snac2/src/branch/master/examples/snac.service), which I supplemented a bit:


```
# /etc/systemd/system/snac.service
[Unit]
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=snac
Group=snac
ExecStart=/usr/local/bin/snac httpd /home/snac/storage
StandardOutput=file:/home/snac/debug.log
StandardError=file:/home/snac/error.log

[Install]
WantedBy=multi-user.target
```


* `systemctl daemon-reload` - reload the systemd configuration

* `systemctl enable snac` - autostart on boot

* `systemctl start snac` - launch

* `systemctl status snac` - check the status

* since Snac only writes under `/home/snac`, `NoNewPrivileges=yes` and `ProtectSystem=full` are safe hardening additions to the `[Service]` section


### Backup


Since the Snac database is stored as plain files, backing up a profile means copying a single directory.


I do this with `rsync` at several intervals, via `crontab -e`. Note that `--delete` mirrors removals as well, so the weekly and monthly copies are what protect you if a deleted or corrupted storage tree has already been propagated into the daily copy:


```
@daily /usr/bin/rsync -av --delete /home/snac/storage /path/to/snac/daily
@weekly /usr/bin/rsync -av --delete /home/snac/storage /path/to/snac/weekly
@monthly /usr/bin/rsync -av --delete /home/snac/storage /path/to/snac/monthly
```


## Usage


After launching Snac with the command `snac httpd /home/snac/storage` or through the `systemd` service, you can try opening `http://[3xx:xxxx:xxxx:xxxx::fed]` in the browser.


### Testing Interaction (API)


To check interaction with another Yggdrasil node, repeat the same actions for it and do a test following or correspondence between users via Web UI or a connected external client application.


### Browser Tuning


If you are opening Yggdrasil sites in Firefox for the first time, you may need to adjust how "raw" IPv6 addresses are handled in `about:config`:


* `browser.fixup.fallback-to-https` : false - disables the http -> https fallback

* `browser.fixup.alternate.enabled` : false - stops Firefox from rewriting an unresolved address into `www.*.com` guesses
