{
# Your private key. DO NOT share this with anyone! The value below is only
# the sample shipped in example.conf and is therefore public - replace it
# with a freshly generated key before running a node.
PrivateKey: f610cf4627cb881c99e66965050f600eba696dc9689ba4f7fa76a41f4a1af9be727280d36e65d12e25989bedf29d76cbb60cfeab7ac7b047886dedb8c16d7da8
# The path to your private key file in PEM format. If this is set,
# Yggdrasil will load the private key from this file instead of using
# the inline "PrivateKey" value above.
PrivateKeyPath: ""
# List of outbound peer connection strings (e.g. tls://a.b.c.d:e,
# quic://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j).
# Connection strings can contain options,
# see https://yggdrasil-network.github.io/configurationref.html#peers.
# Yggdrasil has no concept of bootstrap nodes - all network traffic
# will transit peer connections. Therefore make sure to only peer with
# nearby nodes that have good connectivity and low latency. Avoid adding
# peers to this list from distant countries as this will worsen your
# node's connectivity and performance considerably.
Peers: []
# List of connection strings for outbound peer connections in URI format,
# arranged by source interface, e.g. { "eth0": [ "tls://a.b.c.d:e" ] }.
# You should only use this option if your machine is multi-homed and you
# want to establish outbound peer connections on different interfaces.
# Otherwise you should use "Peers".
InterfacePeers: {}
# Listen addresses for incoming connections. You will need to add
# listeners in order to accept incoming peerings from non-local nodes.
# This is not required if you wish to establish outbound peerings only.
# Multicast peer discovery will work regardless of any listeners set
# here. Each listener should be specified in URI format as above.
# Supported daemon listener schemes are tcp, tls, ws, quic and unix.
# Use wss for outbound peers behind a secure WebSocket reverse proxy; direct
# wss listeners are not supported. WebSocket listeners can allow
# cross-origin browser clients with origin=host-pattern or origin=*. Prefer a
# specific host pattern; origin=* accepts connections from any web origin.
# Example listeners:
# tls://0.0.0.0:0, quic://[::]:0, ws://0.0.0.0:0, ws://0.0.0.0:0?origin=* or unix:///var/run/ygg.sock.
Listen: []
# Listen address for admin connections. Default is to listen for local
# connections either on TCP/9001 or a UNIX socket depending on your
# platform. Use this value for yggdrasilctl -endpoint=X. To disable
# the admin socket, use the value "none" instead.
#
# If this is left at the platform default and the startup TUN does not need
# native OS TUN privileges (TunType "none", "sockstun" or "outproxy", or the
# "socks" alias), Yggdrasil falls back to tcp://localhost:9001 when it cannot
# create a privileged UNIX socket path such as /var/run/yggdrasil.sock. Note
# that a loopback TCP endpoint is reachable by any local process, whereas a
# UNIX socket path can be restricted with filesystem permissions. Set
# AdminListen explicitly to force a specific admin endpoint.
AdminListen: unix:///var/run/yggdrasil.sock
# Optional TCP listen address for the HTTP admin API and web panel.
# When set, requests under /.yggapi are dispatched to the same admin
# handlers as the local admin socket, while other paths serve static files.
# Use "none" or an empty value to disable it. Example:
# AdminWebListen: 127.0.0.1:9002
AdminWebListen: ""
# Optional directory of static files for the HTTP admin panel. When empty,
# Yggdrasil serves its built-in minimal web interface. This only has effect
# when AdminWebListen is enabled.
AdminWebStaticDir: ""
# Optional local DNS listen address for mesh-name resolution. When set,
# Yggdrasil starts a simple local DNS server that answers IN A and IN AAAA
# queries through mnlib.Resolver. Unsupported record types are rejected.
# Example:
# LocalDNSListen: 127.0.0.1:5353
LocalDNSListen: ""
# Configuration for which interfaces multicast peer discovery should be
# enabled on. Regex is a regular expression which is matched against an
# interface name, and interfaces use the first configuration that they
# match against. Beacon controls whether or not your node advertises its
# presence to others, whereas Listen controls whether or not your node
# listens out for and tries to connect to other advertising nodes. See
# https://yggdrasil-network.github.io/configurationref.html#multicastinterfaces
# for more supported options.
MulticastInterfaces: [
{
Regex: .*
Beacon: true
Listen: true
# Optional TCP/TLS listen port to advertise for multicast-discovered
# peers. Leave this as 0 to advertise the port chosen by your listener.
Port: 0
# Link priority for multicast-discovered peers. Lower values are
# preferred when there are multiple links to the same node.
Priority: 0
# Optional password used to restrict multicast peering to nodes using
# the same value.
Password: ""
}
]
# List of peer public keys to allow incoming peering connections
# from. If left empty/undefined then all connections will be allowed
# by default. This does not affect outgoing peerings, nor does it
# affect link-local peers discovered via multicast.
# WARNING: THIS IS NOT A FIREWALL and DOES NOT limit who can reach
# open ports or services running on your machine!
AllowedPublicKeys: []
# Configuration for the transport manager networks used by core.
# If this block is omitted entirely, Yggdrasil uses the built-in
# native network as the default network and installs nil host-based
# mappings for *.onion, *.i2p and *.loki so those peers stay disabled
# unless you enable them explicitly. Set DefaultNetwork to null to
# disable the default network entirely. Set a NetworkMappings entry
# to null to keep the mapping but disable its network. Supported
# non-null values today are "native" or a socks network object with a
# ProxyURL such as "socks5://proxy:1080".
Transport: {
# Default gonnect.Network used for transport hosts that do not match
# any optional host pattern in NetworkMappings. Set this to null to
# make unmatched transport connections unavailable. Supported values
# are "native" or an object such as:
# { Type: socks, ProxyURL: "socks5://proxy:1080" }
DefaultNetwork: native
# Optional host-pattern to gonnect.Network overrides for transport
# connections. Patterns use the same matching rules as
# transport.Manager, for example "*.example" or "node.example".
# Default config installs nil mappings for *.onion, *.i2p and *.loki
# so those peers are blocked unless you explicitly assign a network.
# Set a value to null to keep the mapping but disable its network.
# Remove the entry entirely to unset the mapping. Supported values
# are "native" or an object such as:
# { Type: socks, ProxyURL: "socks5://proxy:1080" }
NetworkMappings: {
"*.onion": null
"*.i2p": null
"*.loki": null
# "*.onion": { Type: socks, ProxyURL: "socks5://127.0.0.1:9050" }
}
}
# Configuration for public-peer autopeering. When enabled, Yggdrasil
# will periodically fetch peer candidates from configured sources and
# add one matching peer when your runtime connectivity thresholds are
# not met. Sources may be URLs returning public-peers JSON documents
# or the special value "BUILTIN" for the embedded list.
AutoPeer: {
# Enable public-peer autopeering.
Enabled: false
# Ordered list of public-peer sources. Entries may be HTTPS URLs
# returning the public-peers JSON document format or the special
# value "BUILTIN" for the embedded peer list.
Sources: [
BUILTIN
]
# How often to refresh configured public-peer sources. Uses Go
# duration syntax such as "30m" or "1h".
FetchInterval: 1h
# How often runtime autopeering policy should be evaluated. Uses Go
# duration syntax such as "1m".
CheckInterval: 1m
# Number of connected peers at or above which autopeering stays idle.
MinimumConnected: 0
# Number of connected peers whose URIs are present in the filtered autopeer
# source set at or above which autopeering stays idle.
MinimumConnectedFromFetch: 0
# Optional country filters for peer selection, matched
# case-insensitively against public-peer metadata.
Countries: []
# Transport scheme filters for peer selection, e.g.
# ["tcp", "tls"]. Autopeering stays idle unless both this
# and Countries are configured.
TransportSchemes: []
}
# Configuration for optional NodeInfo-based direct peering. When enabled,
# Yggdrasil watches routed traffic, fetches the remote node's NodeInfo,
# and tries explicitly published jumper addresses as direct peer links.
# It does not perform NAT traversal.
Jumper: {
# Enable NodeInfo-based direct peering.
Enabled: false
# Public peering addresses to publish in NodeInfo for other jumper nodes,
# for example ["tls://example.net:12345"]. These must be reachable by
# remote nodes; jumper does not perform NAT traversal.
Addresses: []
# How often queued jumper targets and owned link cleanup should be checked.
# Uses Go duration syntax such as "10s".
CheckInterval: 10s
# How long a jumper-added link may remain disconnected before jumper removes
# it and tries another published address. Uses Go duration syntax such as
# "30s".
LinkTimeout: 30s
}
# TUN implementation to attach at startup. Supported values are
# "native", "sockstun", "outproxy" and "none". "native" creates an OS TUN
# device. "sockstun" creates a VTun netstack and exposes it through a local
# SOCKS server. "outproxy" creates a VTun netstack, listens for SOCKS clients
# inside Yggdrasil, and proxies them to the outer network. "none",
# "sockstun" and "outproxy" can start without root or escalated privileges
# when no other configured option needs them.
TunType: native
# Local network interface name for TUN adapter, or "auto" to select
# an interface automatically, or "none" to run without TUN. For
# TunType "sockstun" or "outproxy", this is the VTun name.
IfName: auto
# Maximum Transmission Unit (MTU) size for your local TUN interface.
# Default is the largest supported size for your platform. The lowest
# possible value is 1280.
IfMTU: 65535
# SOCKS TCP listen address for TunType "sockstun" or "outproxy". Sockstun
# listens on the local network and proxies through VTun. Outproxy listens on
# VTun for Yggdrasil clients and proxies to the outer network; loopback or
# unspecified listen hosts are replaced with the node's Yggdrasil address.
TunSocksListen: 127.0.0.1:1080
# Optional SOCKS proxy routing for TunType "sockstun" or "outproxy". Each
# entry has a Filter in socksgo.BuildFilter format and a ProxyURL. Sockstun
# reaches matching proxies through VTun. Outproxy reaches matching proxies
# through the outer network. Explicit rules are checked before
# TunSocksDefaultProxy.
#
# Example:
# TunSocksProxies: [
# { Filter: "*.onion,*.i2p", proxy_url: "socks5://[200::1]:9050" },
# { Filter: "10.0.0.0/8,192.168.0.0/16", proxy_url: "socks5://[300::1]:1080" },
# ]
# Recommended community public Ygg-to-clearnet SOCKS proxies include (these
# are third-party operated, so they can observe any traffic you send through
# them that is not itself encrypted):
# - socks5://[324:71e:281a:9ed3::fa11]:1080
# - socks5://[200:c0fc:de66:7a1:443a:ddd:df92:e7db]:1080
#
# Minimal outproxy host example with Tor/I2P routed through local proxies:
# TunType: outproxy
# TunSocksListen: 127.0.0.1:1080
# TunSocksProxies: [
# { Filter: "*.onion", proxy_url: "socks5://127.0.0.1:9050" },
# { Filter: "*.i2p", proxy_url: "socks5://127.0.0.1:4447" },
# ]
TunSocksProxies: []
# Optional fallback SOCKS proxy URL for TunType "sockstun" or "outproxy". If
# set for sockstun, unmatched destinations outside the Yggdrasil 200::/7
# address range are sent to this proxy through VTun while Yggdrasil addresses
# stay direct. If set for outproxy, all unmatched destinations are sent to
# this proxy through the outer network.
# Example:
# TunSocksDefaultProxy: socks5://[324:71e:281a:9ed3::fa11]:1080
TunSocksDefaultProxy: ""
# Optional fallback DNS server for TunType "sockstun". Sockstun first uses
# mnlib mesh-name resolution and, when a lookup succeeds, routes the request
# using the resolved address. If this DNS server is set, fallback DNS queries
# themselves travel through the same sockstun routing pipeline, including
# TunSocksProxies and TunSocksDefaultProxy. The built-in protected zones
# *.onion, *.i2p and *.loki are never resolved and are routed as hostnames.
# Community-hosted fallback DNS servers include:
# - [324:71e:281a:9ed3::53]:53
# - [302:db60::53]:53
# - [300:6223::53]:53
# - [302:7991::53]:53
# - [202:1d4e:724e:de52:8273:e2b5:4988:a9ba]:53
TunSocksDNSFallback: ""
# Additional DNS zones that TunType "sockstun" must never resolve before
# routing. Entries may be written as "example", ".example" or "*.example".
TunSocksNoResolve: []
# Optional selective TLS MITM for TunType "sockstun". When ca_file and
# key_file point to a pre-generated local CA certificate and private key,
# sockstun intercepts matching TCP/443 CONNECT requests before DNS
# resolution or proxy routing, terminates client TLS using certificates
# generated from that CA, and forwards plaintext TCP to port 80 on the same
# hostname through normal sockstun routing. Clients must trust the CA, so
# guard key_file closely: anyone holding that CA key can issue certificates
# those clients accept. The forwarded leg to port 80 carries no TLS.
# If hostnames is empty, the defaults are:
# *.ygg, *.meshname, *.meship, *.onion and *.i2p.
#
# Example:
# TunSocksTLSMITM: {
# ca_file: "/etc/yggd/sockstun-mitm-ca.crt",
# key_file: "/etc/yggd/sockstun-mitm-ca.key",
# hostnames: ["*.ygg", "*.meshname", "*.meship", "*.onion", "*.i2p"]
# }
#
# CA generation example:
# openssl genrsa -out ca.key 2048
# openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -subj "/CN=MyTestCA/O=MyOrg/C=US"
TunSocksTLSMITM: {}
# Optional IP firewall for packets between the attached TUN implementation
# and core. When Enabled is null, the daemon enables it for TunType "native"
# and disables it for other TUN types. ICMPv6 is always allowed. Outgoing TCP
# and UDP create temporary return-flow entries. Unsolicited incoming TCP and
# UDP are allowed only for the listed destination ports.
# Example:
# TunFirewall: { enabled: true, allowed_tcp_ports: [22, 80], allowed_udp_ports: [53] }
TunFirewall: {}
# Minimum write offset for VTun-backed TUN implementations. Leave at 0
# unless a custom packet path needs reserved headroom.
# This is mostly a debugging option.
TunMWO: 0
# Minimum read offset for VTun-backed TUN implementations. Leave at 0
# unless a custom packet path needs reserved headroom.
# This is mostly a debugging option.
TunMRO: 0
# Enables the "lookups" admin API handler, which records lookup activity
# for later inspection over the admin socket.
LogLookups: false
# By default, nodeinfo contains some defaults including the platform,
# architecture and Yggdrasil version. These can help when surveying
# the network and diagnosing network routing problems. Enabling
# nodeinfo privacy suppresses these defaults, so that only the items
# specified in "NodeInfo" (if any) are sent back.
NodeInfoPrivacy: false
# Optional nodeinfo. This must be a { "key": "value", ... } map
# or set as null. This is entirely optional but, if set, is visible
# to the whole network on request.
# E.g: { "jumper": { "addresses": [ "tls://example.net:12345" ] } }
NodeInfo: {}
}