Wireguard VPN, Yggdrasil, ALFIS DNS & AdGuard


Wireguard VPN, Yggdrasil, ALFIS DNS and AdGuard

Hornbeam

The writing of this article was provoked by another article, one full of oddities and optional steps. In short, its author does not understand why he installs certain programs, namely Unbound and dnsproxy. But since, besides correcting the shortcomings of that article, I would like to add something useful, we will somewhat expand what clients connecting to the server can do.

First, a few words about Yggdrasil. This is a peer-to-peer network with IPv6 addresses, which in fact can be considered a new layer of the Internet. Once you install and configure it, you have a new network interface that is a window into this new layer. Everything works the same as with the usual IPv6 protocol: you can use it to remotely connect to your devices without a real IPv4 address, for remote administration, or to host some resources there, for example the same Nextcloud. All of this lives, as it were, in the global space of one common private network. Someone there has placed proxy servers for Telegram that cannot be blocked, someone provides access to the "big" Internet through the Tor network. There are also several servers for communication, such as Mattermost, IRC and XMPP. There are already enough articles on Habr about configuring and using it.

But what is ALFIS? In the Yggdrasil network there are a number of distrustful people ;) a community of crypto-hackers who really wanted to be independent of the global domain name system, and so I had to write a system that solves the problem of synchronizing a domain database without unnecessary overhead. As you know, the problem of Zooko's triangle was not completely solved until the advent of the blockchain. But blockchains are different, and most often they have serious drawbacks, such as the huge size of the chain, the need for large computing capacity, and so on. Thus, having collected all the requirements in one place and putting in several months of work, I presented to the community ALFIS: a blockchain of minimal size that does not grow constantly, and which serves ten alternative domain zones.

What AdGuard, or rather AdGuard Home, is I don't want to describe at length. In short, it is a filtering DNS server for small networks. It filters better than PiHole and similar projects, and ships with its own very good list of rules; the rules in it are more expressive than in regular lists and thus require less RAM, etc. For example, you can ban hosts there by mask, like *.adserver.com.

A small note to make it clear why I suggest configuring Wireguard and Yggdrasil this way and not otherwise. After all, you could do it differently, for example install only Yggdrasil, raise a proxy for yourself somewhere on the VPS, and connect to that proxy through Yggdrasil. That is also an option. But then you would have to configure the use of a proxy server in every piece of software, and all Yggdrasil builds for Android currently crash when the network is disconnected, due to a bug in go-mobile. So on clients like Android OS, where only one VPN interface can be running at a time, it is better to install and configure only Wireguard. It alone will give your device ad blocking, Internet access without blocking and traffic interception, and access to the "Internet of the future", Yggdrasil :)

Installing Yggdrasil on the server

I suggest installing the software in this order, first Yggdrasil, then Wireguard, then AdGuard Home. A little further you will understand why.

It is best to install according to the official guides. The official page has everything you need: https://yggdrasil-network.github.io/installation.html

If you're having trouble, then follow these steps:

  1. Install the Yggdrasil package

  2. Register 1-2 public peers in the config /etc/yggdrasil.conf

  3. Enable service, start service (or immediately systemctl enable --now yggdrasil)

  4. After a couple of seconds, try to ping one of the addresses 302:db60::53 or 302:7991::53.

  5. If you didn’t manage it, then you can go to the Russian-language chat in Telegram and ask for help there: https://t.me/Yggdrasil_ru

Installing Wireguard on the server

Like the author of the previous article, I suggest using a script to install Wireguard, but a different one, which has a very convenient feature: it asks through which interfaces to reach the network, and lets you select the Yggdrasil interface for IPv6 traffic :)

  1. wget https://raw.githubusercontent.com/Nyr/wireguard-install/master/wireguard-install.sh

  2. chmod +x wireguard-install.sh

  3. ./wireguard-install.sh

During the installation process, answer the questions about network interfaces, and select the tun0 interface when the script asks for IPv6. This way the script will write the necessary rules to your firewall (ip6tables) so that you can access nodes in Yggdrasil.

In principle, you can already run this script again and, by selecting the "Add a new client" item, create a config for the first client. You can scan the shown QR code with the Wireguard app on Android, connect immediately, and check the connection and your IP address. But we wanted to do something about advertising, right? Yes, and there is ALFIS too...

Advertising, ALFIS and all-all-all (the easy way)

Right now, in the Wireguard client, you can enter a couple of DNS servers from this list: 302:7991::53, 300:6223::53, 302:db60::53, and enjoy ALFIS domain names and no ads. All your traffic, including DNS, is encrypted while it passes through Wireguard. Why did the author of that article install DNSCrypt if there is encryption up to his VPS anyway? And after that his DNS traffic went to a plain Unbound. Oddities.

But in this mode, your DNS traffic can be read by the administrator of those servers, if he is not too lazy. And he will see your (oh horror!) IPv6 address generated on your server.

Making it difficult, and a little more private and safer

Install ALFIS as written in the README for your OS. The config will be at /etc/alfis.conf. There you will notice that its built-in DNS server listens on the address 127.0.0.1:53; in addition, forwarders are registered there. These are the servers to which ALFIS will pass your requests for regular domains. You can even specify DoH addresses from the same AdGuard DNS there and finish the setup at that point (do not forget to move it to 10.7.0.1:53 so that VPN clients can reach it) ;)

If something else on your server is already listening on 127.0.0.1:53, you won't be able to use that address/port. You need to change at least the port in the ALFIS config, for example to 5353.

After starting ALFIS and waiting a bit, you can check that it works, for example with nslookup myip.ygg 127.0.0.1; this command should show an AAAA record in the 200::/7 range.
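A small checker for that verification step, added here as an example and not part of ALFIS or the original article: it parses the text output of nslookup and confirms that every AAAA answer lies in Yggdrasil's 200::/7. The sample outputs are constructed, and the ALFIS port (5353) follows the port change suggested above.

```python
import ipaddress
import re

# Every Yggdrasil node address comes from 200::/7, so an ALFIS answer for
# myip.ygg must fall inside it; anything else means the query was answered
# by a regular resolver instead of ALFIS.
YGG_RANGE = ipaddress.ip_network("200::/7")


def aaaa_records(nslookup_output: str) -> list:
    """Extract AAAA answers from `nslookup <name> 127.0.0.1` text output.

    The first 'Address:' line describes the resolver itself (127.0.0.1#port),
    so only 'Address:' lines after the 'Name:' line count as answers."""
    answers = []
    seen_name = False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            seen_name = True
            continue
        m = re.match(r"Address:\s*(\S+)", line)
        if seen_name and m:
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # not an IP literal, e.g. '127.0.0.1#5353'
            if addr.version == 6:
                answers.append(addr)
    return answers


def alfis_looks_healthy(nslookup_output: str) -> bool:
    """True only if there is at least one AAAA answer and all lie in 200::/7."""
    recs = aaaa_records(nslookup_output)
    return bool(recs) and all(a in YGG_RANGE for a in recs)


# Constructed sample outputs (not captured from a real server).
GOOD = """Server:\t\t127.0.0.1
Address:\t127.0.0.1#5353

Name:\tmyip.ygg
Address: 201:abcd:1234:5678:9abc:def0:1234:5678
"""
BAD = """Server:\t\t127.0.0.1
Address:\t127.0.0.1#5353

** server can't find myip.ygg: NXDOMAIN
"""
```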

Now let's take on AdGuard Home. Go to the project's GitHub page and perform the automatic installation as described in the README. After that, open the web GUI at your server's address and configure AdGuard Home so that it listens on all interfaces, but in the access settings specify your VPN range, for example 10.7.0.0/24 (this is what the proposed script uses).

In order for AdGuard Home to send requests for ALFIS domain zones to ALFIS itself, enter the following line in the Upstream servers section: [/anon/btn/conf/index/merch/mirror/mob/screen/srv/ygg/]127.0.0.1:5353. In addition, you can also join the OpenNIC zones by entering [/bbs/chan/cyb/dyn/epic/geek/gopher/indy/libre/neo/null/o/oss/oz/parody/pirate/]51.254.25.115, or another IP closer to your server.
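To see how those upstream lines route queries, here is an added example (my own reimplementation for illustration, not AdGuard Home's code) that parses the [/zone1/zone2/]upstream syntax and picks the upstream for a name by the most specific matching suffix. The default upstream https://dns.adguard.com/dns-query is an assumed choice; the zone lines are the two from the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# [/zone1/zone2/]upstream  ->  group 1: "zone1/zone2", group 2: "upstream"
UPSTREAM_RE = re.compile(r"^\[/([^\]]*)/\](.+)$")


def parse_upstreams(lines: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split 'Upstream servers' lines into default upstreams and a
    {zone: upstream} map built from the [/zone/.../]upstream syntax."""
    defaults, zones = [], {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = UPSTREAM_RE.match(line)
        if not m:
            defaults.append(line)  # plain line: applies to all other names
            continue
        upstream = m.group(2).strip()
        for zone in m.group(1).split("/"):
            if zone:
                zones[zone.lower().rstrip(".")] = upstream
    return defaults, zones


def select_upstream(name: str, defaults: List[str],
                    zones: Dict[str, str]) -> Optional[str]:
    """Most specific (longest) zone suffix wins; otherwise the first default.
    Matching is by whole labels, so 'nullygg.com' does not hit the 'null' zone."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return zones[suffix]
    return defaults[0] if defaults else None


# Constructed upstream list: assumed DoH default plus the two lines from the text.
UPSTREAMS = [
    "https://dns.adguard.com/dns-query",
    "[/anon/btn/conf/index/merch/mirror/mob/screen/srv/ygg/]127.0.0.1:5353",
    "[/bbs/chan/cyb/dyn/epic/geek/gopher/indy/libre/neo/null/o/oss/oz/parody/pirate/]51.254.25.115",
]
DEFAULTS, ZONES = parse_upstreams(UPSTREAMS)


def route(name: str) -> Optional[str]:
    """Upstream that AdGuard Home would use for `name` with the list above."""
    return select_upstream(name, DEFAULTS, ZONES)
```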

Conclusion

At this stage you will already have a working VPN with modern traffic encryption, ad blocking at the DNS level (by the way, there are other levels for more thorough blocking), support for the independent ALFIS domain zones (and maybe OpenNIC), and a wild desire to go somewhere in the Yggdrasil network ;)

If you want, go to sites.ygg.

P.S. or some goodies

To work nicely with Yggdrasil (and with IPv6-only sites) in Firefox, there are two settings you need to make in about:config.

network.http.fast-fallback-to-IPv4 = false - this will allow you to open IPv6-only sites normally.

browser.fixup.alternate.enabled = false - this will turn off the automatic substitution of the www. prefix.

browser.fixup.fallback-to-https = false - sometimes Firefox immediately switches to HTTPS instead of HTTP; this disables that behavior.

Google Chrome is not designed to work properly with IPv6-only sites.
