I2P over Yggdrasil: Anonymity in Mesh Networks
I2P (Invisible Internet Protocol) is a free tool for organizing anonymous communications over the internet. It is a peer-to-peer network where every user is, by default, a potential link in the anonymous chain of other network participants. I2P traffic is encrypted and resistant to analysis. Unlike Tor, I2P does not have the concept of an “exit node”—there is no permanent node through which all traffic exits the network. From the perspective of a home internet provider, a user’s interaction with I2P appears as chaotic connections to random hosts. The number of connections for a client with a public IP typically averages around four thousand. This includes not only useful traffic but also the exchange of service information with other network routers and transit traffic.
Provider-Side Request Blocking
Unlike on the regular internet, I2P users without a dedicated (public) IP address get a lower quality of service in the hidden network than those with one. This is because routers constantly need to contact each other directly. Each router publishes its address, which includes its encryption keys, an IP address, and the port on which it receives messages. Obviously, reaching a node behind NAT is not easy.
Difference Between a User with a Public IP and a User Behind NAT
However, routers can still function without a dedicated address: a client behind NAT must constantly keep a UDP session alive so that the provider’s NAT keeps a port mapped to it and forwards incoming requests to the client. This scenario is quite complex, especially when a connection has to be initiated from the outside. The mechanics of a client behind NAT are an engineering feat worthy of a separate article.
Brief Overview of Yggdrasil
Yggdrasil is one of the few functional mesh network protocols. Its main concept is automatic routing within an internal IPv6 subnet (200::/7) and complete scalability. Yggdrasil is a fully peer-to-peer network: there are no “master nodes” with global responsibilities. It is the ideological successor to the CJDNS (Hyperborea) project.
The abstract idea of a mesh network prioritizes performance, privacy, and ease of use: encrypted traffic and a low entry barrier for new users. Yggdrasil is not an anonymity tool, since the nodes closest to the user can see their real network interfaces on the local network, or their IP address when connecting to a public peer over the internet. Mesh networks are used to create pseudo-local networks, connecting remote computers into a single IPv6 network (similar to Hamachi for Minecraft and other multiplayer games). They are also used for organizing other internal network resources like websites and VoIP telephony.
First Integration Attempts
A Small Note
The I2P router publishes its addresses, including IPv6, if it is enabled in the config and actually present. Since Yggdrasil provides a full network interface (using the TUN driver from WireGuard) rather than just a local proxy, until recently, the I2P router would publish an IPv6 address from the Yggdrasil subnet. Since there were more than just one or two users with both IPv6 enabled in the I2P router config and Yggdrasil installed, it was sometimes possible to see I2P clients (routers) communicating with other Yggdrasil addresses.
However, there were some clear drawbacks:
- Requests to the reseed server ultimately had to go through the regular internet.
- The IPv6-Yggdrasil address published by the router was unknown and inaccessible to the vast majority of I2P users.
- Successfully running an I2P router on a Yggdrasil-only device was unlikely, since the reseed or the local router database might not contain nodes with IPv6-Yggdrasil addresses.
Full Compatibility Begins
Starting with version 2.36.0, i2pd has several new configuration parameters, the main one being meshnets.yggdrasil=true. This parameter is independent of the IPv4 and IPv6 configuration. In particular, the real network interfaces can be disabled; in that case the I2P router operates in Yggdrasil-only mode.
A special reseed server is also available via Yggdrasil, providing users with a package primarily consisting of known routers with IPv6-Yggdrasil addresses. Each time an I2P router running in Yggdrasil-only mode starts, it checks the local database for available nodes at the transport level, i.e., for other nodes with IPv6-Yggdrasil addresses. If, for some reason, there are no compatible routers in the local database, the router will re-request the Yggdrasil reseed server.
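As an added illustration (not code from the article or from i2pd), the following Python models the publishing decision described above: it reads an i2pd.conf-style fragment, derives which transports are enabled, and keeps only the interface addresses whose transport the router would publish, so a router with ipv4 and ipv6 switched off and meshnets.yggdrasil on ends up announcing nothing but its Yggdrasil address. The ini layout (top-level ipv4/ipv6 switches, a [meshnets] section with a yggdrasil key) follows i2pd's format; the defaults assumed for missing keys (ipv4 on, ipv6 off), the sample addresses and the function names are constructed here.

```python
import configparser
import ipaddress

# Yggdrasil hands out node addresses from 200::/7 (as stated in the article).
YGGDRASIL_NET = ipaddress.ip_network("200::/7")

# Constructed i2pd.conf fragments. The key layout mirrors i2pd's ini format;
# the values are ours. SAMPLE_CONF is a Yggdrasil-only router, DUAL_CONF
# additionally keeps IPv4 enabled.
SAMPLE_CONF = """\
ipv4 = false
ipv6 = false

[meshnets]
yggdrasil = true
"""

DUAL_CONF = """\
ipv4 = true
ipv6 = false

[meshnets]
yggdrasil = true
"""

# Constructed interface addresses: one public IPv4, one "ordinary" IPv6
# (documentation prefix), one Yggdrasil address, one link-local address.
SAMPLE_ADDRS = ["203.0.113.5", "2001:db8::1", "201:1234::1", "fe80::1"]


def load_conf(text):
    """Parse an i2pd.conf-style fragment. i2pd keeps some keys outside any
    section, so a dummy [main] header is prepended for configparser."""
    cp = configparser.ConfigParser()
    cp.read_string("[main]\n" + text)
    return cp


def enabled_transports(conf):
    """Transports the router is configured to publish. Assumed defaults for
    missing keys: ipv4 on, ipv6 off, yggdrasil off."""
    main = conf["main"]
    enabled = set()
    if main.getboolean("ipv4", fallback=True):
        enabled.add("ipv4")
    if main.getboolean("ipv6", fallback=False):
        enabled.add("ipv6")
    if conf.has_section("meshnets") and conf["meshnets"].getboolean("yggdrasil", fallback=False):
        enabled.add("yggdrasil")
    return enabled


def is_yggdrasil_only(conf):
    """True when real interfaces are disabled and only the mesh transport remains."""
    return enabled_transports(conf) == {"yggdrasil"}


def classify(addr):
    """Map an interface address to the transport it would be published on,
    or None for addresses that are never publishable (loopback, link-local)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return None
    if ip.version == 4:
        return "ipv4"
    if ip in YGGDRASIL_NET:
        return "yggdrasil"
    return "ipv6"


def published_addresses(conf, interface_addrs):
    """Addresses the router would announce: only those present on an interface
    AND belonging to a transport that the config enables."""
    enabled = enabled_transports(conf)
    result = {}
    for addr in interface_addrs:
        transport = classify(addr)
        if transport in enabled:
            result[addr] = transport
    return result


if __name__ == "__main__":
    for name, text in (("yggdrasil-only", SAMPLE_CONF), ("ipv4+yggdrasil", DUAL_CONF)):
        conf = load_conf(text)
        print(name, "->", published_addresses(conf, SAMPLE_ADDRS))
```

The Yggdrasil-only configuration publishes only the 200::/7 address even though the host also has a public IPv4 address, which is exactly the behaviour that keeps the hidden-network traffic off the provider-visible interface; the dual configuration publishes both and so can serve as a bridge between the two address families.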
Since Yggdrasil is now mostly used via overlay connections to public peers over the internet, running an I2P router over Yggdrasil is similar to using “Tor-over-VPN”: this approach completely hides the use of the hidden network from the home provider. I2P has an additional specific advantage: users do not need a dedicated IP from their provider for seamless external connections, since IPv6-Yggdrasil is globally accessible within the Yggdrasil network segment (a physically connected group of participants, including through public peers on the internet).
Network Integrity
The described solution does not fragment the I2P network. Building tunnels in the hidden network is a complex and precise process, during which the transport capabilities of nodes are negotiated. When forming a “garlic” (an encrypted message to a group of nodes that should form a tunnel), the router checks their addresses for compatibility. For example, a node with only an IPv4 address will not receive instructions to contact an IPv6 address, since that is impossible.
For a Yggdrasil-only router to build a tunnel to a node with a regular internet address, at least one transit router with both IPv6-Yggdrasil and, for example, regular IPv4 interfaces will be selected. Other Yggdrasil-only routers can also act as transit nodes in the tunnel, but only for communication with nodes compatible at the transport level, i.e., also having a Yggdrasil network interface. The more routers in the I2P network with IPv4, IPv6, and Yggdrasil interfaces enabled simultaneously, the more connected the network becomes.
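The compatibility check and transit-hop selection described in the two paragraphs above, as an added example that is not i2pd's code: constructed router records carry only the set of transports each router publishes, a candidate tunnel is accepted only if every consecutive pair of hops shares a transport, and a depth-first search picks transit routers under that rule, so a Yggdrasil-only router reaches an IPv4-only destination only through a router that has both interfaces. Router names, transport sets and the search itself are assumptions for illustration; real i2pd picks hops from its network database with further criteria beyond transport compatibility.

```python
# Constructed router records: name -> set of transports the router publishes.
# "ygg" routers run in Yggdrasil-only mode, "dual" has Yggdrasil and IPv4,
# "v4"/"v6"/"v4v6" are ordinary internet routers.
ROUTERS = {
    "A-ygg":  {"yggdrasil"},
    "B-ygg":  {"yggdrasil"},
    "C-dual": {"yggdrasil", "ipv4"},
    "D-v4":   {"ipv4"},
    "E-v4v6": {"ipv4", "ipv6"},
    "F-v6":   {"ipv6"},
}


def can_contact(a, b, routers=ROUTERS):
    """Two routers can talk directly only if they share at least one transport."""
    return bool(routers[a] & routers[b])


def path_is_consistent(path, routers=ROUTERS):
    """The check a router performs before sending build instructions: every hop
    must be able to reach the next one, otherwise the tunnel cannot be built."""
    return all(can_contact(x, y, routers) for x, y in zip(path, path[1:]))


def find_tunnel(src, dst, hops, routers=ROUTERS):
    """Depth-first search for a tunnel from src to dst with exactly `hops`
    transit routers, each chosen to be transport-compatible with the previous
    hop. Returns the full path [src, ..., dst] or None if no such tunnel exists.
    Iteration follows dict insertion order, so results are deterministic."""

    def extend(path):
        last = path[-1]
        if len(path) - 1 == hops:
            # All transit hops chosen; the last one must be able to reach dst.
            return path + [dst] if can_contact(last, dst, routers) else None
        for cand in routers:
            if cand in path or cand == dst:
                continue
            if can_contact(last, cand, routers):
                found = extend(path + [cand])
                if found:
                    return found
        return None

    return extend([src])


def bridging_routers(routers=ROUTERS):
    """Routers that publish more than one transport: the ones that stitch the
    Yggdrasil-only and internet-only parts of the network together."""
    return sorted(name for name, transports in routers.items() if len(transports) > 1)


if __name__ == "__main__":
    print("A-ygg -> D-v4 directly:", can_contact("A-ygg", "D-v4"))
    print("1 transit hop:", find_tunnel("A-ygg", "D-v4", 1))
    print("2 transit hops:", find_tunnel("A-ygg", "D-v4", 2))
    print("A-ygg -> F-v6, 1 hop:", find_tunnel("A-ygg", "F-v6", 1))
    print("A-ygg -> F-v6, 2 hops:", find_tunnel("A-ygg", "F-v6", 2))
    print("bridging routers:", bridging_routers())
```

With one transit hop the Yggdrasil-only router can reach the IPv4-only destination only via C-dual; reaching the IPv6-only router F-v6 needs two transit hops (C-dual, then E-v4v6), and removing the dual-stack routers from the table leaves the two halves of the network mutually unreachable, which is the article's point about connectivity growing with the number of multi-interface routers.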
Connecting to I2P via Yggdrasil
Outlook
The Yggdrasil example is a specific step toward the future, not an end in itself. This successful integration of a hidden network into a mesh network is an important conceptual step that, if needed, will allow I2P to be integrated into other mesh networks. The potential becomes clear when considering self-organized mesh network segments, for example, in apartment buildings without a centralized provider. In a local network, a Yggdrasil client automatically finds and communicates with other nodes, acting as a transit node if necessary. If at least one node in such a segment connects to another network segment (for example, to the global network via the internet), the networks automatically merge. This approach to network organization is now even more realistic, since the hidden layer of the familiar internet is now available there as well.
For a more detailed introduction to I2P and Yggdrasil, check out the following video: