Introduction
Yggdrasil is an experimental encrypted mesh networking protocol that assigns every node a cryptographic IPv6 address derived from its public key. Nodes automatically discover peers and route traffic through a spanning tree, requiring no manual routing configuration or central authority.
What Yggdrasil Does
- Assigns each node a stable IPv6 address (200::/7 range) derived from its public key
- Encrypts all traffic end-to-end between nodes using Curve25519 key exchange
- Builds a self-healing spanning tree topology that adapts as nodes join or leave
- Supports peering over TCP, TLS, Unix sockets, and multicast LAN discovery
- Works as a TUN adapter providing standard IPv6 connectivity to applications
Architecture Overview
Yggdrasil creates a virtual network interface (TUN) that intercepts IPv6 traffic in the 200::/7 range. Each node generates a Curve25519 keypair; the IPv6 address is a truncated hash of the public key. Nodes peer with each other over existing network links (LAN, internet, VPN tunnels) and collectively build a globally shared spanning tree. Routing decisions are made using distance on the tree plus a DHT for locating destination coordinates, enabling efficient path selection without global routing tables.
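Because the TUN adapter gives applications ordinary IPv6 connectivity, a service bound to the IPv6 wildcard or to an address in 200::/7 can be reached by other nodes on the mesh unless a host firewall filters that interface. The following listener audit is an added example, not code from the Yggdrasil project; the function names are hypothetical and the `ss` lines are constructed sample input.

```python
import ipaddress

YGG_RANGE = ipaddress.ip_network("200::/7")  # overlay range named on this page

# Constructed sample, laid out like `ss -H -tln` output (not captured from a host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [200:1111:2222:3333:4444:5555:6666:7777]:8080 [::]:*
LISTEN 0 128 [fe80::1]%eth0:546 [::]:*
LISTEN 0 4096 *:9090 *:*
"""

def overlay_exposure(local_addr):
    """Classify one 'Local Address:Port' field.

    Returns 'wildcard' (bound to every IPv6 interface, the TUN included),
    'yggdrasil' (bound to an address inside 200::/7), or None.
    """
    host = local_addr.rpartition(":")[0]
    host = host.split("%", 1)[0].strip("[]")  # drop zone id and brackets
    if host in ("*", "::"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.version == 6 and ip in YGG_RANGE:
        return "yggdrasil"
    return None  # IPv4-only, loopback and link-local binds are not on the overlay

def audit_listeners(ss_output):
    """Return (port, local_address, reason) for every overlay-reachable listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        reason = overlay_exposure(fields[3])
        if reason:
            findings.append((fields[3].rpartition(":")[2], fields[3], reason))
    return findings

if __name__ == "__main__":
    for port, local, reason in audit_listeners(SAMPLE_SS):
        print(f"port {port:>5}  {local:<50} reachable via overlay ({reason})")
```

Each flagged listener should either be intended for mesh peers or be covered by an ip6tables/nftables rule on the Yggdrasil interface.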
Self-Hosting & Configuration
- Available as packages for Debian, Ubuntu, Fedora, macOS, and Windows
- Configuration file at /etc/yggdrasil/yggdrasil.conf (HJSON format)
- Add public peers by listing their URIs in the Peers section
- Enable multicast for automatic LAN peer discovery
- Runs as a system service with minimal resource usage
Key Features
- Zero-configuration mesh routing with automatic peer discovery
- Cryptographic addressing eliminates the need for IP allocation authorities
- End-to-end encryption for all traffic with no unencrypted hops
- Works alongside existing network infrastructure as an overlay
- Supports both public internet peering and private isolated networks
Comparison with Similar Tools
- Tailscale / Headscale — centralized coordination server for WireGuard; Yggdrasil is fully decentralized
- ZeroTier — overlay network with centralized controllers; Yggdrasil needs no controller
- WireGuard — point-to-point VPN tunnel; Yggdrasil provides mesh routing automatically
- CJDNS — similar encrypted mesh approach but less actively maintained
- Nebula (Slack) — certificate-based mesh VPN; requires a lighthouse node for coordination
FAQ
Q: Is Yggdrasil production-ready? A: It is considered experimental but stable enough for personal and community use. The protocol may still evolve.
Q: Can I use it to access the regular internet? A: Not directly. Yggdrasil is an overlay network. You need a gateway node configured for NAT64 or proxying to reach the public internet.
Q: How do I find public peers? A: The Yggdrasil project maintains a list of public peers. Add their URIs to your configuration to join the global network.
Q: Does it work behind NAT? A: Yes. Nodes behind NAT can connect to public peers via outbound TCP or TLS connections.