Ability to run multiple instances of Ygg router at the same machine

[tribals]

Hi there!

I would like to run multiple instances of Yggdrasil router at the same machine (at the same time). You may wonder: why ever do so? Well, because with Yggdrasil it is so easy to build some overlay network and connect multiple machines that should all have direct connectivity to each other that it is worth creating as many Yggdrasil networks as one could imagine!

Particular for my case, I have one instance that joins needed machines to they own private segment, and another instance that is connected to global network and provides others to reach it.

I've managed to start multiple instances with this modification to systemd unit:

# cp -v /usr/lib/systemd/system/yggdrasil.service /etc/systemd/system/yggdrasil@.service

--- /usr/lib/systemd/system/yggdrasil.service   2023-10-27 21:20:44.000000000 +0300
+++ /etc/systemd/system/yggdrasil@.service      2025-11-02 22:41:03.850134670 +0300
@@ -1,5 +1,5 @@
 [Unit]
-Description=yggdrasil
+Description=Yggdrasil router on %i interface
 Wants=network-online.target
 After=network-online.target

@@ -11,11 +11,11 @@
 NoNewPrivileges=true
 RuntimeDirectory=yggdrasil
 ReadWritePaths=/var/run/yggdrasil /run/yggdrasil
-SyslogIdentifier=yggdrasil
+SyslogIdentifier=yggdrasil-%i
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStartPre=+-/sbin/modprobe tun
-ExecStart=/usr/sbin/yggdrasil -useconffile /etc/yggdrasil/yggdrasil.conf
+ExecStart=/usr/sbin/yggdrasil -useconffile %E/%p/%i.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 TimeoutStopSec=5

The idea is barely as simple as:

• instead of service unit, we have template unit (indicated by @ in filename)
• template unit accepts mandatory parameter at creation after @ character: systemctl start yggdrasil@<instance-name>
• that <instance-name> is taken as %i in unit template, and maps to config file under /etc/yggdrasil
• %E/%p/%i.conf in ExecStart means:
  • %E - configuration file directory (/etc)
  • %p - this refers to the string before the first "@" character of the unit name (yggdrasil)
  • %i - <instance-name>

That is, if one start a yggdrasil@ygg0 service, then it will load /etc/yggdrasil/ygg0.conf file.

Next issue was that both instances will compete for admin socket (/run/yggdrasil/yggdrasil.socket), so we need to configure this in corresponding config file, using undocumented AdminListen config option:

# ygg0.conf
{
  # Listen address for admin connections. Default is to listen for local
  # connections either on TCP/9001 or a UNIX socket depending on your
  # platform. Use this value for yggdrasilctl -endpoint=X. To disable
  # the admin socket, use the value "none" instead.
  AdminListen: unix:///var/run/yggdrasil/ygg0.sock
  
  # Local network interface name for TUN adapter, or "auto" to select
  # an interface automatically, or "none" to run without TUN.
  IfName: ygg0 
  #       ^^^^- Don't forget to rename interface accordingly
}

And it works!

The next issue is that now we have two entries in routing table (routes for LL address are skipped):

$ ip -6 route show match 200::/7
200::/7 dev ygg0 proto kernel metric 256 pref medium
200::/7 dev ygg42 proto kernel metric 256 pref medium

Again, in my configuration, one instance (ygg0) is supposed to act exclusively as a public peer, and internal Yggdrasil traffic will not ever show up on that interface. On the other hand, second instance (ygg42) is do supposed to be used as a bridge between local machine and private network segment, so it is totally acceptable to have traffic both come and go to ygg42 interface.

Unfortunately, depending on whatever, I don't know for sure, may be start order of services, one route "beats" another resulting in packets going to wrong network segment. Is there a way to prevent yggdrasil from installing routes?

Another issue is that when any of multiple services going to be stopped, it removes /run/yggdrasil making other's admin socket disappear. Could this also be prevented?

[neilalexander]

You can run as many instances as you want, but you can only run one instance with TUN enabled in a given network namespace if you want anything to work right. As you pointed out there are multiple routing table entries that will conflict.

is supposed to act exclusively as a public peer, and internal Yggdrasil traffic will not ever show up on that interface.

In this case, set IfName: none to disable TUN and that instance will not conflict with others.

Another issue is that when any of multiple services going to be stopped, it removes /run/yggdrasil making other's admin socket disappear. Could this also be prevented?

I don't think we ever envisaged that more than one systemd unit would be running precisely because of the fact that multiple TUN interfaces will conflict and most people wouldn't ever figure out how to work around that.

[tribals]

Thanks.