Merge pull request #19 from yggdrasil-network/develop

Branch Develop: Base to Fork
2025-04-30 07:05:06 +03:00 · 2019-03-22 08:53:49 +02:00 · 2019-03-22 08:53:49 +02:00 · 240883ad4b
commit 240883ad4b
parent 50987142a8 67c670ab4c
32 changed files with 802 additions and 413 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,11 +1,11 @@
 # Golang CircleCI 2.0 configuration file
 #
 # Check https://circleci.com/docs/2.0/language-go/ for more details
-version: 2
+version: 2.1
 jobs:
  build-linux:
    docker:
-      - image: circleci/golang:1.11
+      - image: circleci/golang:1.12
    steps:
      - checkout
@ -79,30 +79,28 @@ jobs:
              echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
      - run:
-          name: Install Go 1.11
+          name: Install Go 1.12
          command: |
              cd /tmp
-              curl -LO https://dl.google.com/go/go1.11.5.darwin-amd64.pkg
+              curl -LO https://dl.google.com/go/go1.12.darwin-amd64.pkg
-              sudo installer -pkg /tmp/go1.11.5.darwin-amd64.pkg -target /
+              sudo installer -pkg /tmp/go1.12.darwin-amd64.pkg -target /
-      - run:
+      #- run:
-          name: Install Gomobile
+      #    name: Install Gomobile
-          command: |
+      #    command: |
-              GO111MODULE=off go get golang.org/x/mobile/cmd/gomobile
+      #        GO111MODULE=off go get golang.org/x/mobile/cmd/gomobile
-              gomobile init
+      #        gomobile init
      - run:
          name: Build for macOS
          command: |
              rm -f {yggdrasil,yggdrasilctl}
              GO111MODULE=on GOOS=darwin GOARCH=amd64 ./build
-              mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-darwin-amd64
+              cp yggdrasil /tmp/upload/$CINAME-$CIVERSION-darwin-amd64
-              mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-darwin-amd64;
+              cp yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-darwin-amd64;
      - run:
          name: Build for macOS (.pkg format)
          command: |
              rm -rf {yggdrasil,yggdrasilctl}
              PKGARCH=amd64 sh contrib/macos/create-pkg.sh
              mv *.pkg /tmp/upload/
@ -121,7 +119,7 @@ jobs:
  build-other:
    docker:
-      - image: circleci/golang:1.11
+      - image: circleci/golang:1.12
    steps:
      - checkout
@ -180,8 +178,8 @@ jobs:
          destination: /
 workflows:
-  version: 2
+  version: 2.1
-  build-all:
+  build:
    jobs:
      - build-linux
      - build-macos
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
 [submodule "doc/yggdrasil-network.github.io"]
 	path = doc/yggdrasil-network.github.io
 	url = https://github.com/yggdrasil-network/yggdrasil-network.github.io/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -25,7 +25,38 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - in case of vulnerabilities.
 -->
-## [0.3.3] - 2018-02-18
+## [0.3.5] - 2019-03-13
 ### Fixed
 - The `AllowedEncryptionPublicKeys` option has now been fixed to handle incoming connections properly and no longer blocks outgoing connections (this was broken in v0.3.4)
 - Multicast TCP listeners will now be stopped correctly when the link-local address on the interface changes or disappears altogether
 ## [0.3.4] - 2019-03-12
 ### Added
 - Support for multiple listeners (although currently only TCP listeners are supported)
 - New multicast behaviour where each multicast interface is given it's own link-local listener and does not depend on the `Listen` configuration
 - Blocking detection in the switch to avoid parenting a blocked peer
 - Support for adding and removing listeners and multicast interfaces when reloading configuration during runtime
 - Yggdrasil will now attempt to clean up UNIX admin sockets on startup if left behind by a previous crash
 - Admin socket `getTunnelRouting` and `setTunnelRouting` calls for enabling and disabling crypto-key routing during runtime
 - On macOS, Yggdrasil will now try to wake up AWDL on start-up when `awdl0` is a configured multicast interface, to keep it awake after system sleep, and to stop waking it when no longer needed
 - Added `LinkLocalTCPPort` option for controlling the port number that link-local TCP listeners will listen on by default when setting up `MulticastInterfaces` (a node restart is currently required for changes to `LinkLocalTCPPort` to take effect - it cannot be updated by reloading config during runtime)
 ### Changed
 - The `Listen` configuration statement is now an array instead of a string
 - The `Listen` configuration statement should now conform to the same formatting as peers with the protocol prefix, e.g. `tcp://[::]:0`
 - Session workers are now non-blocking
 - Multicast interval is now fixed at every 15 seconds and network interfaces are reevaluated for eligibility on each interval (where before the interval depended upon the number of configured multicast interfaces and evaluation only took place at startup)
 - Dead connections are now closed in the link handler as opposed to the switch
 - Peer forwarding is now prioritised instead of randomised
 ### Fixed
 - Admin socket `getTunTap` call now returns properly instead of claiming no interface is enabled in all cases
 - Handling of `getRoutes` etc in `yggdrasilctl` is now working
 - Local interface names are no longer leaked in multicast packets
 - Link-local TCP connections, particularly those initiated because of multicast beacons, are now always correctly scoped for the target interface
 - Yggdrasil now correctly responds to multicast interfaces going up and down during runtime
 ## [0.3.3] - 2019-02-18
 ### Added
 - Dynamic reconfiguration, which allows reloading the configuration file to make changes during runtime by sending a `SIGHUP` signal (note: this only works with `-useconffile` and not `-useconf` and currently reconfiguring TUN/TAP is not supported)
 - Support for building Yggdrasil as an iOS or Android framework if the appropriate tools (e.g. `gomobile`/`gobind` + SDKs) are available
--- a/README.md
+++ b/README.md
@ -3,149 +3,122 @@
 [![CircleCI](https://circleci.com/gh/yggdrasil-network/yggdrasil-go.svg?style=shield&circle-token=:circle-token
 )](https://circleci.com/gh/yggdrasil-network/yggdrasil-go)
-## What is it?
+## Introduction
-This is a toy implementation of an encrypted IPv6 network, with many good ideas stolen from [cjdns](https://github.com/cjdelisle/cjdns), which was written to test a particular routing scheme that was cobbled together one random afternoon.
+Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6
-It's notably not a shortest path routing scheme, with the goal of scalable name-independent routing on dynamic networks with an internet-like topology.
+network. It is lightweight, self-arranging, supported on multiple platforms and
-It's named Yggdrasil after the world tree from Norse mythology, because that seemed like the obvious name given how it works.
+allows pretty much any IPv6-capable application to communicate securely with
-More information is available at <https://yggdrasil-network.github.io/>.
+other Yggdrasil nodes. Yggdrasil does not require you to have IPv6 Internet
 connectivity - it also works over IPv4.
-This is a toy / proof-of-principle, and considered alpha quality by the developers. It's not expected to be feature complete, and future updates may not be backwards compatible, though it should warn you if it sees a connection attempt with a node running a newer version.
+Although Yggdrasil shares many similarities with
-You're encouraged to play with it, but it is strongly advised not to use it for anything mission critical.
+[cjdns](https://github.com/cjdelisle/cjdns), it employs a different routing
 algorithm based on a globally-agreed spanning tree and greedy routing in a
 metric space, and aims to implement some novel local backpressure routing
 techniques. In theory, Yggdrasil should scale well on networks with
 internet-like topologies.
 ## Supported Platforms
 We actively support the following platforms, and packages are available for
 some of the below:
 - Linux
  - `.deb` and `.rpm` packages are built by CI for Debian and Red Hat-based
    distributions
  - Void and Arch packages also available within their respective repositories
 - macOS
  - `.pkg` packages are built by CI
 - Ubiquiti EdgeOS
  - `.deb` Vyatta packages are built by CI
 - Windows
 - FreeBSD
 - OpenBSD
 - NetBSD
 - OpenWrt
 Please see our [Platforms](https://yggdrasil-network.github.io/) pages for more
 specific information about each of our supported platforms, including
 installation steps and caveats.
 You may also find other platform-specific wrappers, scripts or tools in the
 `contrib` folder.
 ## Building
-1. Install Go (requires 1.11 or later, [godeb](https://github.com/niemeyer/godeb) is recommended for Debian-based Linux distributions).
+If you want to build from source, as opposed to installing one of the pre-built
-2. Clone this repository.
+packages:
 2. `./build`
-Note that you can cross-compile for other platforms and architectures by specifying the `$GOOS` and `$GOARCH` environment variables, for example, `GOOS=windows ./build` or `GOOS=linux GOARCH=mipsle ./build`.
+1. Install [Go](https://golang.org) (requires Go 1.11 or later)
 2. Clone this repository
 2. Run `./build`
-The build script sets its own `$GOPATH`, so the build environment is self-contained.
+Note that you can cross-compile for other platforms and architectures by
 specifying the `GOOS` and `GOARCH` environment variables, e.g. `GOOS=windows
 ./build` or `GOOS=linux GOARCH=mipsle ./build`.
 ## Running
-To run the program, you'll need permission to create a `tun` device and configure it using `ip`.
+### Generate configuration
 If you don't want to mess with capabilities for the `tun` device, then using `sudo` should work, with the usual security caveats about running a program as root.
-To run with default settings:
+To generate static configuration, either generate a HJSON file (human-friendly,
 complete with comments):
 1. `./yggdrasil --autoconf`
 That will generate a new set of keys (and an IP address) each time the program is run.
 The program will bind to all addresses on a random port and listen for incoming connections.
 It will send announcements over IPv6 link-local multicast, and it will attempt to start a connection if it hears an announcement from another device.
 In practice, you probably want to run this instead:
 1. `./yggdrasil --genconf > conf.json`
 2. `./yggdrasil --useconf < conf.json`
 This keeps a persistent set of keys (and by extension, IP address) and gives you the option of editing the configuration file.
 If you want to use it as an overlay network on top of e.g. the internet, then you can do so by adding the remote devices domain/address and port (as a string, e.g. `"1.2.3.4:5678"`) to the list of `Peers` in the configuration file.
 By default, it peers over TCP (which can be forced with `"tcp://1.2.3.4:5678"` syntax), but it's also possible to connect over a socks proxy (`"socks://socksHost:socksPort/1.2.3.4:5678"`).
 The socks proxy approach is useful for e.g. [peering over tor hidden services](https://github.com/yggdrasil-network/public-peers/blob/master/other/tor.md).
 UDP support was removed as part of v0.2, and may be replaced by a better implementation at a later date.
 ### Platforms
 #### Linux
 - Should work out of the box on most Linux distributions with `iproute2` installed.
 - systemd service scripts are included in the `contrib/systemd/` folder so that it runs automatically in the background (using `/etc/yggdrasil.conf` for configuration), copy the service files into `/etc/systemd/system`, copy `yggdrasil` into your `$PATH`, i.e. `/usr/bin`, and then enable the service:
 ```
-systemctl enable yggdrasil
+./yggdrasil -genconf > /path/to/yggdrasil.conf
 systemctl start yggdrasil
 ```
 - Once installed as a systemd service, you can read the `yggdrasil` output:
 ```
 systemctl status yggdrasil
 journalctl -u yggdrasil
 ```
-#### macOS
+... or generate a plain JSON file (which is easy to manipulate
 programmatically):
 - Tested and working out of the box on macOS 10.13 High Sierra.
 - May work in theory on any macOS version with `utun` support (which was added in macOS 10.7 Lion), although this is untested at present.
 - TAP mode is not supported on macOS.
 #### FreeBSD, NetBSD
 - Works in TAP mode, but currently doesn't work in TUN mode.
 - You may need to create the TAP adapter first if it doesn't already exist, i.e. `ifconfig tap0 create`.
 #### OpenBSD
 - Works in TAP mode, but currently doesn't work in TUN mode.
 - You may need to create the TAP adapter first if it doesn't already exist, i.e. `ifconfig tap0 create`.
 - OpenBSD is not capable of listening on both IPv4 and IPv6 at the same time on the same socket (unlike FreeBSD and NetBSD). This affects the `Listen` and `AdminListen` configuration options. You will need to set `Listen` and `AdminListen` to use either an IPv4 or an IPv6 address.
 - You may consider using [relayd](https://man.openbsd.org/relayd.8) to allow incoming Yggdrasil connections on both IPv4 and IPv6 simultaneously.
 #### Windows
 - Tested and working on Windows 7 and Windows 10, and should work on any recent versions of Windows, but it depends on the [OpenVPN TAP driver](https://openvpn.net/index.php/open-source/downloads.html) being installed first.
 - Has been proven to work with both the [NDIS 5](https://swupdate.openvpn.org/community/releases/tap-windows-9.9.2_3.exe) (`tap-windows-9.9.2_3`) driver and the [NDIS 6](https://swupdate.openvpn.org/community/releases/tap-windows-9.21.2.exe) (`tap-windows-9.21.2`) driver, however there are substantial performance issues with the NDIS 6 driver therefore it is recommended to use the NDIS 5 driver instead.
 - Be aware that connectivity issues can occur on Windows if multiple IPv6 addresses from the `200::/7` prefix are assigned to the TAP interface. If this happens, then you may need to manually remove the old/unused addresses from the interface (though the code has a workaround in place to do this automatically in some cases).
 - TUN mode is not supported on Windows.
 - Yggdrasil can be installed as a Windows service so that it runs automatically in the background. From an Administrator Command Prompt:
 ```
-sc create yggdrasil binpath= "\"C:\path\to\yggdrasil.exe\" -useconffile \"C:\path\to\yggdrasil.conf\""
+./yggdrasil -genconf -json > /path/to/yggdrasil.conf
 sc config yggdrasil displayname= "Yggdrasil Service"
 sc config yggdrasil start= "auto"
 sc start yggdrasil
 ```
 - Alternatively, if you want the service to autoconfigure instead of using an `yggdrasil.conf`, replace the `sc create` line from above with:
 ```
 sc create yggdrasil binpath= "\"C:\path\to\yggdrasil.exe\" -autoconf"
 ```
-#### EdgeRouter
+You will need to edit the `yggdrasil.conf` file to add or remove peers, modify
 other configuration such as listen addresses or multicast addresses, etc.
- Tested and working on the EdgeRouter X, using the [vyatta-yggdrasil](https://github.com/neilalexander/vyatta-yggdrasil) wrapper package.
+### Run Yggdrasil
-## Optional: advertise a prefix locally
+To run with the generated static configuration:
 Suppose a node has generated the address: `200:1111:2222:3333:4444:5555:6666:7777`
 Then the node may also use addresses from the prefix: `300:1111:2222:3333::/64` (note the `200` changed to `300`, a separate `/8` is used for prefixes, but the rest of the first 64 bits are the same).
 To advertise this prefix and a route to `200::/7`, the following seems to work on the developers' networks:
 1. Enable IPv6 forwarding (e.g. `sysctl -w net.ipv6.conf.all.forwarding=1` or add it to sysctl.conf).
 2. `ip addr add 300:1111:2222:3333::1/64 dev eth0` or similar, to assign an address for the router to use in that prefix, where the LAN is reachable through `eth0`.
 3. Install/run `radvd` with something like the following in `/etc/radvd.conf`:
 ```
-interface eth0
+./yggdrasil -useconffile /path/to/yggdrasil.conf
 {
        AdvSendAdvert on;
        prefix 300:1111:2222:3333::/64 {
            AdvOnLink on;
            AdvAutonomous on;
        };
        route 200::/7 {};
 };
 ```
-This is enough to give unsupported devices on the LAN access to the yggdrasil network. See the [configuration](https://yggdrasil-network.github.io/configuration.html) page for more info.
+To run in auto-configuration mode (which will use sane defaults and random keys
 at each startup, instead of using a static configuration file):
-## How does it work?
+```
 ./yggdrasil -autoconf
 ```
-I'd rather not try to explain in the readme, but it is described further on the [about](https://yggdrasil-network.github.io/about.html) page, so you can check there if you're interested.
+You will likely need to run Yggdrasil as a privileged user or under `sudo`,
-Be warned that it's still not a very good explanation, but it at least gives a high-level overview and links to some relevant work by other people.
+unless you have permission to create TUN/TAP adapters. On Linux this can be done
 by giving the Yggdrasil binary the `CAP_NET_ADMIN` capability.
-## Obligatory performance propaganda
+## Documentation
-A [simplified model](misc/sim/treesim-forward.py) of this routing scheme has been tested in simulation on the 9204-node [skitter](https://www.caida.org/tools/measurement/skitter/) network topology dataset from [caida](https://www.caida.org/), and compared with results in [arxiv:0708.2309](https://arxiv.org/abs/0708.2309).
+Documentation is available on our [GitHub
-Using the routing scheme as implemented in this code, the average multiplicative stretch is observed to be about 1.08, with an average routing table size of 6 for a name-dependent scheme, and approximately 30 additional (but smaller) entries needed for the name-independent routing table.
+Pages](https://yggdrasil-network.github.io) site, or in the base submodule
-The number of name-dependent routing table entries needed is proportional to node degree, so that 6 is the mean of a distribution with a long tail, but this may be an acceptable tradeoff(it's at least worth trying, hence this code).
+repository within `doc/yggdrasil-network.github.io`.
-The size of name-dependent routing table entries is relatively large, due to cryptographic signatures associated with routing table updates, but in the absence of cryptographic overhead, each entry should otherwise be comparable in size to the BC routing scheme described in the above paper.
+
-A modified version of this scheme, with the same resource requirements, achieves a multiplicative stretch of 1.02, which drops to 1.01 if source routing is used.
+- [Configuration file options](https://yggdrasil-network.github.io/configuration.html)
-Both of these optimizations are not present in the current implementation, as the former depends on network state information that appears difficult to cryptographically secure, and the latter optimization is both tedious to implement and would make debugging other aspects of the implementation more difficult.
+- [Platform-specific documentation](https://yggdrasil-network.github.io/platforms.html)
 - [Frequently asked questions](https://yggdrasil-network.github.io/faq.html)
 - [Admin API documentation](https://yggdrasil-network.github.io/admin.html)
 - [Version changelog](CHANGELOG.md)
 ## Community
 Feel free to join us on our [Matrix
 channel](https://matrix.to/#/#yggdrasil:matrix.org) at `#yggdrasil:matrix.org`
 or in the `#yggdrasil` IRC channel on Freenode.
 ## License
-This code is released under the terms of the LGPLv3, but with an added exception that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb).
+This code is released under the terms of the LGPLv3, but with an added exception
-Under certain circumstances, this exception permits distribution of binaries that are (statically or dynamically) linked with this code, without requiring the distribution of Minimal Corresponding Source or Minimal Application Code.
+that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb).
 Under certain circumstances, this exception permits distribution of binaries
 that are (statically or dynamically) linked with this code, without requiring
 the distribution of Minimal Corresponding Source or Minimal Application Code.
 For more details, see: [LICENSE](LICENSE).
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@ -62,7 +62,7 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *nodeCo
 	// then parse the configuration we loaded above on top of it. The effect
 	// of this is that any configuration item that is missing from the provided
 	// configuration will use a sane default.
-	cfg := config.GenerateConfig(false)
+	cfg := config.GenerateConfig()
 	var dat map[string]interface{}
 	if err := hjson.Unmarshal(conf, &dat); err != nil {
 		panic(err)
@ -134,19 +134,27 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *nodeCo
 			}
 		}
 	}
 	// Do a quick check for old-format Listen statement so that mapstructure
 	// doesn't fail and crash
 	if listen, ok := dat["Listen"].(string); ok {
 		if strings.HasPrefix(listen, "tcp://") {
 			dat["Listen"] = []string{listen}
 		} else {
 			dat["Listen"] = []string{"tcp://" + listen}
 		}
 	}
 	// Overlay our newly mapped configuration onto the autoconf node config that
 	// we generated above.
 	if err = mapstructure.Decode(dat, &cfg); err != nil {
 		panic(err)
 	}
 	return cfg
 }
 // Generates a new configuration and returns it in HJSON format. This is used
 // with -genconf.
 func doGenconf(isjson bool) string {
-	cfg := config.GenerateConfig(false)
+	cfg := config.GenerateConfig()
 	var bs []byte
 	var err error
 	if isjson {
@ -183,7 +191,7 @@ func main() {
 	case *autoconf:
 		// Use an autoconf-generated config, this will give us random keys and
 		// port numbers, and will use an automatically selected TUN/TAP interface.
-		cfg = config.GenerateConfig(true)
+		cfg = config.GenerateConfig()
 	case *useconffile != "" || *useconf:
 		// Read the configuration from either stdin or from the filesystem
 		cfg = readConfig(useconf, useconffile, normaliseconf)
--- a/cmd/yggdrasilctl/main.go
+++ b/cmd/yggdrasilctl/main.go
@ -388,16 +388,30 @@ func main() {
 				}
 			}
 		case "getroutes":
-			if _, ok := res["routes"]; !ok {
+			if routes, ok := res["routes"].(map[string]interface{}); !ok {
 				fmt.Println("No routes found")
-			} else if res["routes"] == nil {
+			} else {
 				if res["routes"] == nil || len(routes) == 0 {
 					fmt.Println("No routes found")
 				} else {
 					fmt.Println("Routes:")
-				for _, v := range res["routes"].([]interface{}) {
+					for k, v := range routes {
-					fmt.Println("-", v)
+						if pv, ok := v.(string); ok {
 							fmt.Println("-", k, " via ", pv)
 						}
 					}
 				}
 			}
 		case "settunnelrouting":
 			fallthrough
 		case "gettunnelrouting":
 			if enabled, ok := res["enabled"].(bool); !ok {
 				fmt.Println("Tunnel routing is disabled")
 			} else if !enabled {
 				fmt.Println("Tunnel routing is disabled")
 			} else {
 				fmt.Println("Tunnel routing is enabled")
 			}
 		default:
 			if json, err := json.MarshalIndent(recv["response"], "", "  "); err == nil {
 				fmt.Println(string(json))
--- a/contrib/apparmor/usr.bin.yggdrasil
+++ b/contrib/apparmor/usr.bin.yggdrasil
@ -0,0 +1,23 @@
 # Last Modified: Sat Mar  9 06:08:02 2019
 #include <tunables/global>
 /usr/bin/yggdrasil {
  #include <abstractions/base>
  capability net_admin,
  network inet stream,
  network inet dgram,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
  /lib/@{multiarch}/ld-*.so mr,
  /proc/sys/net/core/somaxconn r,
  /dev/net/tun rw,
  /usr/bin/yggdrasil mr,
  /etc/yggdrasil.conf rw,
  /run/yggdrasil.sock rw,
 }
--- a/contrib/busybox-init/S42yggdrasil
+++ b/contrib/busybox-init/S42yggdrasil
@ -34,8 +34,8 @@ start() {
 	fi
 	printf 'Starting yggdrasil: '
-	if start-stop-daemon -S -b -x /usr/bin/yggdrasil \
+	if start-stop-daemon -S -q -b -x /usr/bin/yggdrasil \
-		-- --useconf < "$CONFFILE"; then
+		-- -useconffile "$CONFFILE"; then
 		echo "OK"
 	else
 		echo "FAIL"
@ -51,20 +51,26 @@ stop() {
 	fi
 }
 reload() {
 	printf "Reloading yggdrasil: "
 	if start-stop-daemon -K -q -s HUP -x /usr/bin/yggdrasil; then
 		echo "OK"
 	else
 		echo "FAIL"
 		start
 	fi
 }
 restart() {
 	stop
 	start
 }
 reload() {
 	restart
 }
 case "$1" in
 	start|stop|restart|reload)
 		"$1";;
 	*)
-		echo "Usage: $0 {start|stop|restart}"
+		echo "Usage: $0 {start|stop|restart|reload}"
 		exit 1
 esac
--- a/contrib/macos/yggdrasil.plist
+++ b/contrib/macos/yggdrasil.plist
@ -8,7 +8,7 @@
    <array>
      <string>sh</string>
      <string>-c</string>
-      <string>/usr/local/bin/yggdrasil -useconf &lt; /etc/yggdrasil.conf</string>
+      <string>/usr/local/bin/yggdrasil -useconffile /etc/yggdrasil.conf</string>
    </array>
    <key>KeepAlive</key>
    <true/>
--- a/contrib/openrc/yggdrasil
+++ b/contrib/openrc/yggdrasil
@ -0,0 +1,55 @@
 #!/sbin/openrc-run
 description="An experiment in scalable routing as an encrypted IPv6 overlay network."
 CONFFILE="/etc/yggdrasil.conf"
 pidfile="/run/${RC_SVCNAME}.pid"
 command="/usr/bin/yggdrasil"
 extra_started_commands="reload"
 depend() {
 	use net dns logger
 }
 start_pre() {
 	if [ ! -f "${CONFFILE}" ]; then
 		ebegin "Generating new configuration file into ${CONFFILE}"
 		if ! eval ${command} -genconf > ${CONFFILE}; then
 			eerror "Failed to generate configuration file"
 			exit 1
 		fi
 	fi
 	if [ ! -e /dev/net/tun ]; then
 		ebegin "Inserting TUN module"
 		if ! modprobe tun;  then
 			eerror "Failed to insert TUN kernel module"
 			exit 1
 		fi
 	fi
 }
 start() {
 	ebegin "Starting ${RC_SVCNAME}"
 	start-stop-daemon --start --quiet \
 		--pidfile "${pidfile}" \
 		--make-pidfile \
 		--background \
 		--stdout /var/log/yggdrasil.stdout.log \
 		--stderr /var/log/yggdrasil.stderr.log \
 		--exec "${command}" -- -useconffile "${CONFFILE}"
 	eend $?
 }
 reload() {
 	ebegin "Reloading ${RC_SVCNAME}"
 	start-stop-daemon --signal HUP --pidfile "${pidfile}"
 	eend $?
 }
 stop() {
 	ebegin "Stopping ${RC_SVCNAME}"
 	start-stop-daemon --stop --pidfile "${pidfile}" --exec "${command}"
 	eend $?
 }
--- a/doc/yggdrasil-network.github.io
+++ b/doc/yggdrasil-network.github.io
@ -0,0 +1 @@
 Subproject commit 10672210f2fdce97dd5c301dfeed47284d4a28f2
--- a/src/config/config.go
+++ b/src/config/config.go
@ -2,9 +2,6 @@ package config
 import (
 	"encoding/hex"
 	"fmt"
 	"math/rand"
 	"time"
 	"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
 	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
@ -12,16 +9,17 @@ import (
 // NodeConfig defines all configuration values needed to run a signle yggdrasil node
 type NodeConfig struct {
-	Listen                      string                 `comment:"Listen address for peer connections. Default is to listen for all\nTCP connections over IPv4 and IPv6 with a random port."`
+	Peers                       []string               `comment:"List of connection strings for outbound peer connections in URI format,\ne.g. tcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j. These connections\nwill obey the operating system routing table, therefore you should\nuse this section when you may connect via different interfaces."`
 	InterfacePeers              map[string][]string    `comment:"List of connection strings for outbound peer connections in URI format,\narranged by source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }.\nNote that SOCKS peerings will NOT be affected by this option and should\ngo in the \"Peers\" section instead."`
 	Listen                      []string               `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntcp://0.0.0.0:0 or tcp://[::]:0 to listen on all interfaces."`
 	AdminListen                 string                 `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
-	Peers                       []string               `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."`
+	MulticastInterfaces         []string               `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."`
-	InterfacePeers              map[string][]string    `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."`
+	AllowedEncryptionPublicKeys []string               `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."`
 	AllowedEncryptionPublicKeys []string               `comment:"List of peer encryption public keys to allow or incoming TCP\nconnections from. If left empty/undefined then all connections\nwill be allowed by default."`
 	EncryptionPublicKey         string                 `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."`
 	EncryptionPrivateKey        string                 `comment:"Your private encryption key. DO NOT share this with anyone!"`
 	SigningPublicKey            string                 `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."`
 	SigningPrivateKey           string                 `comment:"Your private signing key. DO NOT share this with anyone!"`
-	MulticastInterfaces         []string               `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."`
+	LinkLocalTCPPort            uint16                 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."`
 	IfName                      string                 `comment:"Local network interface name for TUN/TAP adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN/TAP."`
 	IfTAPMode                   bool                   `comment:"Set local network interface to TAP mode rather than TUN mode if\nsupported by your platform - option will be ignored if not."`
 	IfMTU                       int                    `comment:"Maximux Transmission Unit (MTU) size for your local TUN/TAP interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
@ -30,13 +28,6 @@ type NodeConfig struct {
 	SwitchOptions               SwitchOptions          `comment:"Advanced options for tuning the switch. Normally you will not need\nto edit these options."`
 	NodeInfoPrivacy             bool                   `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
 	NodeInfo                    map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
 	//Net                         NetConfig `comment:"Extended options for connecting to peers over other networks."`
 }
 // NetConfig defines network/proxy related configuration values
 type NetConfig struct {
 	Tor TorConfig `comment:"Experimental options for configuring peerings over Tor."`
 	I2P I2PConfig `comment:"Experimental options for configuring peerings over I2P."`
 }
 // SessionFirewall controls the session firewall configuration
@ -70,20 +61,13 @@ type SwitchOptions struct {
 // or whether to generate a random port number. The only side effect of setting
 // isAutoconf is that the TCP and UDP ports will likely end up with different
 // port numbers.
-func GenerateConfig(isAutoconf bool) *NodeConfig {
+func GenerateConfig() *NodeConfig {
 	// Create a new core.
 	//core := Core{}
 	// Generate encryption keys.
 	bpub, bpriv := crypto.NewBoxKeys()
 	spub, spriv := crypto.NewSigKeys()
 	// Create a node configuration and populate it.
 	cfg := NodeConfig{}
-	if isAutoconf {
+	cfg.Listen = []string{}
 		cfg.Listen = "[::]:0"
 	} else {
 		r1 := rand.New(rand.NewSource(time.Now().UnixNano()))
 		cfg.Listen = fmt.Sprintf("[::]:%d", r1.Intn(65534-32768)+32768)
 	}
 	cfg.AdminListen = defaults.GetDefaults().DefaultAdminListen
 	cfg.EncryptionPublicKey = hex.EncodeToString(bpub[:])
 	cfg.EncryptionPrivateKey = hex.EncodeToString(bpriv[:])
@ -99,6 +83,7 @@ func GenerateConfig(isAutoconf bool) *NodeConfig {
 	cfg.SessionFirewall.Enable = false
 	cfg.SessionFirewall.AllowFromDirect = true
 	cfg.SessionFirewall.AllowFromRemote = true
 	cfg.SessionFirewall.AlwaysAllowOutbound = true
 	cfg.SwitchOptions.MaxTotalQueueSize = 4 * 1024 * 1024
 	cfg.NodeInfoPrivacy = false
--- a/src/config/i2p.go
+++ b/src/config/i2p.go
@ -1,8 +0,0 @@
 package config
 // I2PConfig is the configuration structure for i2p related configuration
 type I2PConfig struct {
 	Keyfile string // private key file or empty string for ephemeral keys
 	Addr    string // address of i2p api connector
 	Enabled bool
 }
--- a/src/config/tor.go
+++ b/src/config/tor.go
@ -1,8 +0,0 @@
 package config
 // TorConfig is the configuration structure for Tor Proxy related values
 type TorConfig struct {
 	OnionKeyfile string // hidden service private key for ADD_ONION (currently unimplemented)
 	ControlAddr  string // tor control port address
 	Enabled      bool
 }
--- a/src/util/util.go
+++ b/src/util/util.go
@ -76,3 +76,20 @@ func FuncTimeout(f func(), timeout time.Duration) bool {
 		return false
 	}
 }
 // This calculates the difference between two arrays and returns items
 // that appear in A but not in B - useful somewhat when reconfiguring
 // and working out what configuration items changed
 func Difference(a, b []string) []string {
 	ab := []string{}
 	mb := map[string]bool{}
 	for _, x := range b {
 		mb[x] = true
 	}
 	for _, x := range a {
 		if !mb[x] {
 			ab = append(ab, x)
 		}
 	}
 	return ab
 }
--- a/src/yggdrasil/admin.go
+++ b/src/yggdrasil/admin.go
@ -173,9 +173,10 @@ func (a *admin) init(c *Core) {
 	})
 	a.addHandler("getTunTap", []string{}, func(in admin_info) (r admin_info, e error) {
 		defer func() {
-			recover()
+			if err := recover(); err != nil {
 				r = admin_info{"none": admin_info{}}
 				e = nil
 			}
 		}()
 		return admin_info{
@ -251,6 +252,23 @@ func (a *admin) init(c *Core) {
 			}, errors.New("Failed to remove allowed key")
 		}
 	})
 	a.addHandler("getTunnelRouting", []string{}, func(in admin_info) (admin_info, error) {
 		enabled := false
 		a.core.router.doAdmin(func() {
 			enabled = a.core.router.cryptokey.isEnabled()
 		})
 		return admin_info{"enabled": enabled}, nil
 	})
 	a.addHandler("setTunnelRouting", []string{"enabled"}, func(in admin_info) (admin_info, error) {
 		enabled := false
 		if e, ok := in["enabled"].(bool); ok {
 			enabled = e
 		}
 		a.core.router.doAdmin(func() {
 			a.core.router.cryptokey.setEnabled(enabled)
 		})
 		return admin_info{"enabled": enabled}, nil
 	})
 	a.addHandler("addSourceSubnet", []string{"subnet"}, func(in admin_info) (admin_info, error) {
 		var err error
 		a.core.router.doAdmin(func() {
@ -402,7 +420,18 @@ func (a *admin) listen() {
 		switch strings.ToLower(u.Scheme) {
 		case "unix":
 			if _, err := os.Stat(a.listenaddr[7:]); err == nil {
-				a.core.log.Warnln("WARNING:", a.listenaddr[7:], "already exists and may be in use by another process")
+				a.core.log.Debugln("Admin socket", a.listenaddr[7:], "already exists, trying to clean up")
 				if _, err := net.DialTimeout("unix", a.listenaddr[7:], time.Second*2); err == nil || err.(net.Error).Timeout() {
 					a.core.log.Errorln("Admin socket", a.listenaddr[7:], "already exists and is in use by another process")
 					os.Exit(1)
 				} else {
 					if err := os.Remove(a.listenaddr[7:]); err == nil {
 						a.core.log.Debugln(a.listenaddr[7:], "was cleaned up")
 					} else {
 						a.core.log.Errorln(a.listenaddr[7:], "already exists and was not cleaned up:", err)
 						os.Exit(1)
 					}
 				}
 			}
 			a.listener, err = net.Listen("unix", a.listenaddr[7:])
 			if err == nil {
@ -562,18 +591,9 @@ func (a *admin) printInfos(infos []admin_nodeInfo) string {
 // addPeer triggers a connection attempt to a node.
 func (a *admin) addPeer(addr string, sintf string) error {
-	u, err := url.Parse(addr)
+	err := a.core.link.call(addr, sintf)
-	if err == nil {
+	if err != nil {
-		switch strings.ToLower(u.Scheme) {
+		return err
 		case "tcp":
 			a.core.tcp.connect(u.Host, sintf)
 		case "socks":
 			a.core.tcp.connectSOCKS(u.Host, u.Path[1:])
 		default:
 			return errors.New("invalid peer: " + addr)
 		}
 	} else {
 		return errors.New("invalid peer: " + addr)
 	}
 	return nil
 }
@ -655,7 +675,8 @@ func (a *admin) getData_getPeers() []admin_nodeInfo {
 			{"uptime", int(time.Since(p.firstSeen).Seconds())},
 			{"bytes_sent", atomic.LoadUint64(&p.bytesSent)},
 			{"bytes_recvd", atomic.LoadUint64(&p.bytesRecvd)},
-			{"endpoint", p.endpoint},
+			{"proto", p.intf.info.linkType},
 			{"endpoint", p.intf.name},
 			{"box_pub_key", hex.EncodeToString(p.box[:])},
 		}
 		peerInfos = append(peerInfos, info)
@ -681,7 +702,8 @@ func (a *admin) getData_getSwitchPeers() []admin_nodeInfo {
 			{"port", elem.port},
 			{"bytes_sent", atomic.LoadUint64(&peer.bytesSent)},
 			{"bytes_recvd", atomic.LoadUint64(&peer.bytesRecvd)},
-			{"endpoint", peer.endpoint},
+			{"proto", peer.intf.info.linkType},
 			{"endpoint", peer.intf.info.remote},
 			{"box_pub_key", hex.EncodeToString(peer.box[:])},
 		}
 		peerInfos = append(peerInfos, info)
--- a/src/yggdrasil/awdl.go
+++ b/src/yggdrasil/awdl.go
@ -8,6 +8,7 @@ import (
 type awdl struct {
 	link        *link
 	reconfigure chan chan error
 	mutex       sync.RWMutex // protects interfaces below
 	interfaces  map[string]*awdlInterface
 }
@ -49,8 +50,15 @@ func (a *awdl) init(l *link) error {
 	a.link = l
 	a.mutex.Lock()
 	a.interfaces = make(map[string]*awdlInterface)
 	a.reconfigure = make(chan chan error, 1)
 	a.mutex.Unlock()
 	go func() {
 		for e := range a.reconfigure {
 			e <- nil
 		}
 	}()
 	return nil
 }
--- a/src/yggdrasil/core.go
+++ b/src/yggdrasil/core.go
@ -44,7 +44,6 @@ type Core struct {
 	admin       admin
 	searches    searches
 	multicast   multicast
 	tcp         tcpInterface
 	link        link
 	log         *log.Logger
 }
@ -144,7 +143,7 @@ func (c *Core) UpdateConfig(config *config.NodeConfig) {
 		c.router.tun.reconfigure,
 		c.router.cryptokey.reconfigure,
 		c.switchTable.reconfigure,
-		c.tcp.reconfigure,
+		c.link.reconfigure,
 		c.multicast.reconfigure,
 	}
@ -205,11 +204,6 @@ func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) error {
 	c.init()
 	if err := c.tcp.init(c); err != nil {
 		c.log.Errorln("Failed to start TCP interface")
 		return err
 	}
 	if err := c.link.init(c); err != nil {
 		c.log.Errorln("Failed to start link interfaces")
 		return err
--- a/src/yggdrasil/debug.go
+++ b/src/yggdrasil/debug.go
@ -97,7 +97,15 @@ func (c *Core) DEBUG_getPeers() *peers {
 }
 func (ps *peers) DEBUG_newPeer(box crypto.BoxPubKey, sig crypto.SigPubKey, link crypto.BoxSharedKey) *peer {
-	return ps.newPeer(&box, &sig, &link, "(simulator)", nil)
+	sim := linkInterface{
 		name: "(simulator)",
 		info: linkInfo{
 			local:    "(simulator)",
 			remote:   "(simulator)",
 			linkType: "sim",
 		},
 	}
 	return ps.newPeer(&box, &sig, &link, &sim, nil)
 }
 /*
@ -449,19 +457,19 @@ func (c *Core) DEBUG_addSOCKSConn(socksaddr, peeraddr string) {
 //*
 func (c *Core) DEBUG_setupAndStartGlobalTCPInterface(addrport string) {
-	c.config.Listen = addrport
+	c.config.Listen = []string{addrport}
-	if err := c.tcp.init(c /*, addrport, 0*/); err != nil {
+	if err := c.link.init(c); err != nil {
-		c.log.Println("Failed to start TCP interface:", err)
+		c.log.Println("Failed to start interfaces:", err)
 		panic(err)
 	}
 }
 func (c *Core) DEBUG_getGlobalTCPAddr() *net.TCPAddr {
-	return c.tcp.serv.Addr().(*net.TCPAddr)
+	return c.link.tcp.getAddr()
 }
 func (c *Core) DEBUG_addTCPConn(saddr string) {
-	c.tcp.call(saddr, nil, "")
+	c.link.tcp.call(saddr, nil, "")
 }
 //*/
--- a/src/yggdrasil/link.go
+++ b/src/yggdrasil/link.go
@ -6,8 +6,10 @@ import (
 	"fmt"
 	"io"
 	"net"
 	"net/url"
 	"strings"
 	"sync"
 	//"sync/atomic"
 	"time"
@ -18,9 +20,11 @@ import (
 type link struct {
 	core        *Core
 	reconfigure chan chan error
 	mutex       sync.RWMutex // protects interfaces below
 	interfaces  map[linkInfo]*linkInterface
 	awdl        awdl // AWDL interface support
 	tcp         tcp  // TCP interface support
 	// TODO timeout (to remove from switch), read from config.ReadTimeout
 }
@ -56,16 +60,72 @@ func (l *link) init(c *Core) error {
 	l.core = c
 	l.mutex.Lock()
 	l.interfaces = make(map[linkInfo]*linkInterface)
 	l.reconfigure = make(chan chan error)
 	l.mutex.Unlock()
-	if err := l.awdl.init(l); err != nil {
+	if err := l.tcp.init(l); err != nil {
-		l.core.log.Errorln("Failed to start AWDL interface")
+		c.log.Errorln("Failed to start TCP interface")
 		return err
 	}
 	if err := l.awdl.init(l); err != nil {
 		c.log.Errorln("Failed to start AWDL interface")
 		return err
 	}
 	go func() {
 		for {
 			e := <-l.reconfigure
 			tcpresponse := make(chan error)
 			awdlresponse := make(chan error)
 			l.tcp.reconfigure <- tcpresponse
 			if err := <-tcpresponse; err != nil {
 				e <- err
 				continue
 			}
 			l.awdl.reconfigure <- awdlresponse
 			if err := <-awdlresponse; err != nil {
 				e <- err
 				continue
 			}
 			e <- nil
 		}
 	}()
 	return nil
 }
 func (l *link) call(uri string, sintf string) error {
 	u, err := url.Parse(uri)
 	if err != nil {
 		return err
 	}
 	pathtokens := strings.Split(strings.Trim(u.Path, "/"), "/")
 	switch u.Scheme {
 	case "tcp":
 		l.tcp.call(u.Host, nil, sintf)
 	case "socks":
 		l.tcp.call(pathtokens[0], u.Host, sintf)
 	default:
 		return errors.New("unknown call scheme: " + u.Scheme)
 	}
 	return nil
 }
 func (l *link) listen(uri string) error {
 	u, err := url.Parse(uri)
 	if err != nil {
 		return err
 	}
 	switch u.Scheme {
 	case "tcp":
 		_, err := l.tcp.listen(u.Host)
 		return err
 	default:
 		return errors.New("unknown listen scheme: " + u.Scheme)
 	}
 }
 func (l *link) create(msgIO linkInterfaceMsgIO, name, linkType, local, remote string, incoming, force bool) (*linkInterface, error) {
 	// Technically anything unique would work for names, but lets pick something human readable, just for debugging
 	intf := linkInterface{
@ -115,8 +175,8 @@ func (intf *linkInterface) handler() error {
 		return errors.New("failed to connect: wrong version")
 	}
 	// Check if we're authorized to connect to this key / IP
-	if !intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
+	if intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
-		intf.link.core.log.Warnf("%s connection to %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
+		intf.link.core.log.Warnf("%s connection from %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
 			strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:]))
 		intf.msgIO.close()
 		return nil
@ -147,7 +207,7 @@ func (intf *linkInterface) handler() error {
 	intf.link.mutex.Unlock()
 	// Create peer
 	shared := crypto.GetSharedKey(myLinkPriv, &meta.link)
-	intf.peer = intf.link.core.peers.newPeer(&meta.box, &meta.sig, shared, intf.name, func() { intf.msgIO.close() })
+	intf.peer = intf.link.core.peers.newPeer(&meta.box, &meta.sig, shared, intf, func() { intf.msgIO.close() })
 	if intf.peer == nil {
 		return errors.New("failed to create peer")
 	}
@ -174,6 +234,9 @@ func (intf *linkInterface) handler() error {
 	signalReady := make(chan struct{}, 1)
 	signalSent := make(chan bool, 1)
 	sendAck := make(chan struct{}, 1)
 	sendBlocked := time.NewTimer(time.Second)
 	defer util.TimerStop(sendBlocked)
 	util.TimerStop(sendBlocked)
 	go func() {
 		defer close(signalReady)
 		defer close(signalSent)
@ -181,7 +244,9 @@ func (intf *linkInterface) handler() error {
 		tcpTimer := time.NewTimer(interval) // used for backwards compat with old tcp
 		defer util.TimerStop(tcpTimer)
 		send := func(bs []byte) {
 			sendBlocked.Reset(time.Second)
 			intf.msgIO.writeMsg(bs)
 			util.TimerStop(sendBlocked)
 			select {
 			case signalSent <- len(bs) > 0:
 			default:
@ -201,15 +266,15 @@ func (intf *linkInterface) handler() error {
 			// Now block until something is ready or the timer triggers keepalive traffic
 			select {
 			case <-tcpTimer.C:
-				intf.link.core.log.Debugf("Sending (legacy) keep-alive to %s: %s, source %s",
+				intf.link.core.log.Tracef("Sending (legacy) keep-alive to %s: %s, source %s",
 					strings.ToUpper(intf.info.linkType), themString, intf.info.local)
 				send(nil)
 			case <-sendAck:
-				intf.link.core.log.Debugf("Sending ack to %s: %s, source %s",
+				intf.link.core.log.Tracef("Sending ack to %s: %s, source %s",
 					strings.ToUpper(intf.info.linkType), themString, intf.info.local)
 				send(nil)
 			case msg := <-intf.peer.linkOut:
-				intf.msgIO.writeMsg(msg)
+				send(msg)
 			case msg, ok := <-out:
 				if !ok {
 					return
@ -220,7 +285,7 @@ func (intf *linkInterface) handler() error {
 				case signalReady <- struct{}{}:
 				default:
 				}
-				//intf.link.core.log.Debugf("Sending packet to %s: %s, source %s",
+				//intf.link.core.log.Tracef("Sending packet to %s: %s, source %s",
 				//	strings.ToUpper(intf.info.linkType), themString, intf.info.local)
 			}
 		}
@ -271,7 +336,7 @@ func (intf *linkInterface) handler() error {
 					sendTimerRunning = true
 				}
 				if !gotMsg {
-					intf.link.core.log.Debugf("Received ack from %s: %s, source %s",
+					intf.link.core.log.Tracef("Received ack from %s: %s, source %s",
 						strings.ToUpper(intf.info.linkType), themString, intf.info.local)
 				}
 			case sentMsg, ok := <-signalSent:
@ -300,6 +365,10 @@ func (intf *linkInterface) handler() error {
 					intf.link.core.switchTable.idleIn <- intf.peer.port
 					isReady = true
 				}
 			case <-sendBlocked.C:
 				// We blocked while trying to send something
 				isReady = false
 				intf.link.core.switchTable.blockPeer(intf.peer.port)
 			case <-sendTimer.C:
 				// We haven't sent anything, so signal a send of a 0 packet to let them know we're alive
 				select {
@ -309,6 +378,7 @@ func (intf *linkInterface) handler() error {
 			case <-recvTimer.C:
 				// We haven't received anything, so assume there's a problem and don't return this node to the switch until they start responding
 				isAlive = false
 				intf.link.core.switchTable.blockPeer(intf.peer.port)
 			case <-closeTimer.C:
 				// We haven't received anything in a really long time, so things have died at the switch level and then some...
 				// Just close the connection at this point...
--- a/src/yggdrasil/mobile.go
+++ b/src/yggdrasil/mobile.go
@ -45,7 +45,7 @@ func (c *Core) addStaticPeers(cfg *config.NodeConfig) {
 func (c *Core) StartAutoconfigure() error {
 	mobilelog := MobileLogger{}
 	logger := log.New(mobilelog, "", 0)
-	nc := config.GenerateConfig(true)
+	nc := config.GenerateConfig()
 	nc.IfName = "dummy"
 	nc.AdminListen = "tcp://localhost:9001"
 	nc.Peers = []string{}
@ -64,7 +64,7 @@ func (c *Core) StartAutoconfigure() error {
 func (c *Core) StartJSON(configjson []byte) error {
 	mobilelog := MobileLogger{}
 	logger := log.New(mobilelog, "", 0)
-	nc := config.GenerateConfig(false)
+	nc := config.GenerateConfig()
 	var dat map[string]interface{}
 	if err := hjson.Unmarshal(configjson, &dat); err != nil {
 		return err
@ -82,7 +82,7 @@ func (c *Core) StartJSON(configjson []byte) error {
 // Generates mobile-friendly configuration in JSON format.
 func GenerateConfigJSON() []byte {
-	nc := config.GenerateConfig(false)
+	nc := config.GenerateConfig()
 	nc.IfName = "dummy"
 	if json, err := json.Marshal(nc); err == nil {
 		return json
--- a/src/yggdrasil/multicast.go
+++ b/src/yggdrasil/multicast.go
@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"regexp"
 	"sync"
 	"time"
 	"golang.org/x/net/ipv6"
@ -16,19 +15,20 @@ type multicast struct {
 	reconfigure chan chan error
 	sock        *ipv6.PacketConn
 	groupAddr   string
-	myAddr      *net.TCPAddr
+	listeners   map[string]*tcpListener
-	myAddrMutex sync.RWMutex
+	listenPort  uint16
 }
 func (m *multicast) init(core *Core) {
 	m.core = core
 	m.reconfigure = make(chan chan error, 1)
 	m.listeners = make(map[string]*tcpListener)
 	m.core.configMutex.RLock()
 	m.listenPort = m.core.config.LinkLocalTCPPort
 	m.core.configMutex.RUnlock()
 	go func() {
 		for {
 			e := <-m.reconfigure
 			m.myAddrMutex.Lock()
 			m.myAddr = m.core.tcp.getAddr()
 			m.myAddrMutex.Unlock()
 			e <- nil
 		}
 	}()
@ -61,20 +61,20 @@ func (m *multicast) start() error {
 			// Windows can't set this flag, so we need to handle it in other ways
 		}
-		m.multicastWake()
+		go m.multicastStarted()
 		go m.listen()
 		go m.announce()
 	}
 	return nil
 }
-func (m *multicast) interfaces() []net.Interface {
+func (m *multicast) interfaces() map[string]net.Interface {
 	// Get interface expressions from config
 	m.core.configMutex.RLock()
 	exprs := m.core.config.MulticastInterfaces
 	m.core.configMutex.RUnlock()
 	// Ask the system for network interfaces
-	var interfaces []net.Interface
+	interfaces := make(map[string]net.Interface)
 	allifaces, err := net.Interfaces()
 	if err != nil {
 		panic(err)
@ -94,12 +94,14 @@ func (m *multicast) interfaces() []net.Interface {
 			continue
 		}
 		for _, expr := range exprs {
 			// Compile each regular expression
 			e, err := regexp.Compile(expr)
 			if err != nil {
 				panic(err)
 			}
 			// Does the interface match the regular expression? Store it if so
 			if e.MatchString(iface.Name) {
-				interfaces = append(interfaces, iface)
+				interfaces[iface.Name] = iface
 			}
 		}
 	}
@ -107,10 +109,6 @@ func (m *multicast) interfaces() []net.Interface {
 }
 func (m *multicast) announce() {
 	var anAddr net.TCPAddr
 	m.myAddrMutex.Lock()
 	m.myAddr = m.core.tcp.getAddr()
 	m.myAddrMutex.Unlock()
 	groupAddr, err := net.ResolveUDPAddr("udp6", m.groupAddr)
 	if err != nil {
 		panic(err)
@ -120,33 +118,106 @@ func (m *multicast) announce() {
 		panic(err)
 	}
 	for {
-		for _, iface := range m.interfaces() {
+		interfaces := m.interfaces()
-			m.sock.JoinGroup(&iface, groupAddr)
+		// There might be interfaces that we configured listeners for but are no
 		// longer up - if that's the case then we should stop the listeners
 		for name, listener := range m.listeners {
 			// Prepare our stop function!
 			stop := func() {
 				listener.stop <- true
 				delete(m.listeners, name)
 				m.core.log.Debugln("No longer multicasting on", name)
 			}
 			// If the interface is no longer visible on the system then stop the
 			// listener, as another one will be started further down
 			if _, ok := interfaces[name]; !ok {
 				stop()
 				continue
 			}
 			// It's possible that the link-local listener address has changed so if
 			// that is the case then we should clean up the interface listener
 			found := false
 			listenaddr, err := net.ResolveTCPAddr("tcp6", listener.listener.Addr().String())
 			if err != nil {
 				stop()
 				continue
 			}
 			// Find the interface that matches the listener
 			if intf, err := net.InterfaceByName(name); err == nil {
 				if addrs, err := intf.Addrs(); err == nil {
 					// Loop through the addresses attached to that listener and see if any
 					// of them match the current address of the listener
 					for _, addr := range addrs {
 						if ip, _, err := net.ParseCIDR(addr.String()); err == nil {
 							// Does the interface address match our listener address?
 							if ip.Equal(listenaddr.IP) {
 								found = true
 								break
 							}
 						}
 					}
 				}
 			}
 			// If the address has not been found on the adapter then we should stop
 			// and clean up the TCP listener. A new one will be created below if a
 			// suitable link-local address is found
 			if !found {
 				stop()
 			}
 		}
 		// Now that we have a list of valid interfaces from the operating system,
 		// we can start checking if we can send multicasts on them
 		for _, iface := range interfaces {
 			// Find interface addresses
 			addrs, err := iface.Addrs()
 			if err != nil {
 				panic(err)
 			}
 			m.myAddrMutex.RLock()
 			anAddr.Port = m.myAddr.Port
 			m.myAddrMutex.RUnlock()
 			for _, addr := range addrs {
 				addrIP, _, _ := net.ParseCIDR(addr.String())
 				// Ignore IPv4 addresses
 				if addrIP.To4() != nil {
 					continue
-				} // IPv6 only
+				}
 				// Ignore non-link-local addresses
 				if !addrIP.IsLinkLocalUnicast() {
 					continue
 				}
-				anAddr.IP = addrIP
+				// Join the multicast group
-				anAddr.Zone = iface.Name
+				m.sock.JoinGroup(&iface, groupAddr)
 				// Try and see if we already have a TCP listener for this interface
 				var listener *tcpListener
 				if l, ok := m.listeners[iface.Name]; !ok || l.listener == nil {
 					// No listener was found - let's create one
 					listenaddr := fmt.Sprintf("[%s%%%s]:%d", addrIP, iface.Name, m.listenPort)
 					if li, err := m.core.link.tcp.listen(listenaddr); err == nil {
 						m.core.log.Debugln("Started multicasting on", iface.Name)
 						// Store the listener so that we can stop it later if needed
 						m.listeners[iface.Name] = li
 						listener = li
 					} else {
 						m.core.log.Warnln("Not multicasting on", iface.Name, "due to error:", err)
 					}
 				} else {
 					// An existing listener was found
 					listener = m.listeners[iface.Name]
 				}
 				// Make sure nothing above failed for some reason
 				if listener == nil {
 					continue
 				}
 				// Get the listener details and construct the multicast beacon
 				lladdr := listener.listener.Addr().String()
 				if a, err := net.ResolveTCPAddr("tcp6", lladdr); err == nil {
 					a.Zone = ""
 					destAddr.Zone = iface.Name
-				msg := []byte(anAddr.String())
+					msg := []byte(a.String())
 					m.sock.WriteTo(msg, nil, destAddr)
 				}
 				break
 			}
 			time.Sleep(time.Second)
 		}
-		time.Sleep(time.Second)
+		time.Sleep(time.Second * 15)
 	}
 }
@ -181,8 +252,9 @@ func (m *multicast) listen() {
 		if addr.IP.String() != from.IP.String() {
 			continue
 		}
-		addr.Zone = from.Zone
+		addr.Zone = ""
-		saddr := addr.String()
+		if err := m.core.link.call("tcp://"+addr.String(), from.Zone); err != nil {
-		m.core.tcp.connect(saddr, addr.Zone)
+			m.core.log.Debugln("Call from multicast failed:", err)
 		}
 	}
 }
--- a/src/yggdrasil/multicast_darwin.go
+++ b/src/yggdrasil/multicast_darwin.go
@ -6,25 +6,47 @@ package yggdrasil
 #cgo CFLAGS: -x objective-c
 #cgo LDFLAGS: -framework Foundation
 #import <Foundation/Foundation.h>
 void WakeUpAWDL() {
 NSNetServiceBrowser *serviceBrowser;
-
+void StartAWDLBrowsing() {
 	if (serviceBrowser == nil) {
 		serviceBrowser = [[NSNetServiceBrowser alloc] init];
 		serviceBrowser.includesPeerToPeer = YES;
 	}
 	[serviceBrowser searchForServicesOfType:@"_yggdrasil._tcp" inDomain:@""];
 }
 void StopAWDLBrowsing() {
 	if (serviceBrowser == nil) {
 		return;
 	}
 	[serviceBrowser stop];
 }
 */
 import "C"
-import "syscall"
+import (
-import "golang.org/x/sys/unix"
+	"syscall"
 	"time"
-func (m *multicast) multicastWake() {
+	"golang.org/x/sys/unix"
 )
 var awdlGoroutineStarted bool
 func (m *multicast) multicastStarted() {
 	if awdlGoroutineStarted {
 		return
 	}
 	m.core.log.Infoln("Multicast discovery will wake up AWDL if required")
 	awdlGoroutineStarted = true
 	for {
 		C.StopAWDLBrowsing()
 		for _, intf := range m.interfaces() {
 			if intf.Name == "awdl0" {
-			m.core.log.Infoln("Multicast discovery is waking up AWDL")
+				C.StartAWDLBrowsing()
-			C.WakeUpAWDL()
+				break
 			}
 		}
 		time.Sleep(time.Minute)
 	}
 }
 func (m *multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
--- a/src/yggdrasil/multicast_other.go
+++ b/src/yggdrasil/multicast_other.go
@ -4,7 +4,7 @@ package yggdrasil
 import "syscall"
-func (m *multicast) multicastWake() {
+func (m *multicast) multicastStarted() {
 }
--- a/src/yggdrasil/multicast_unix.go
+++ b/src/yggdrasil/multicast_unix.go
@ -5,7 +5,7 @@ package yggdrasil
 import "syscall"
 import "golang.org/x/sys/unix"
-func (m *multicast) multicastWake() {
+func (m *multicast) multicastStarted() {
 }
--- a/src/yggdrasil/multicast_windows.go
+++ b/src/yggdrasil/multicast_windows.go
@ -5,7 +5,7 @@ package yggdrasil
 import "syscall"
 import "golang.org/x/sys/windows"
-func (m *multicast) multicastWake() {
+func (m *multicast) multicastStarted() {
 }
--- a/src/yggdrasil/peer.go
+++ b/src/yggdrasil/peer.go
@ -98,6 +98,7 @@ type peer struct {
 	bytesRecvd uint64 // To track bandwidth usage for getPeers
 	// BUG: sync/atomic, 32 bit platforms need the above to be the first element
 	core       *Core
 	intf       *linkInterface
 	port       switchPort
 	box        crypto.BoxPubKey
 	sig        crypto.SigPubKey
@ -113,18 +114,19 @@ type peer struct {
 }
 // Creates a new peer with the specified box, sig, and linkShared keys, using the lowest unoccupied port number.
-func (ps *peers) newPeer(box *crypto.BoxPubKey, sig *crypto.SigPubKey, linkShared *crypto.BoxSharedKey, endpoint string, closer func()) *peer {
+func (ps *peers) newPeer(box *crypto.BoxPubKey, sig *crypto.SigPubKey, linkShared *crypto.BoxSharedKey, intf *linkInterface, closer func()) *peer {
 	now := time.Now()
 	p := peer{box: *box,
 		sig:        *sig,
 		shared:     *crypto.GetSharedKey(&ps.core.boxPriv, box),
 		linkShared: *linkShared,
 		endpoint:   endpoint,
 		firstSeen:  now,
 		doSend:     make(chan struct{}, 1),
 		dinfo:      make(chan *dhtInfo, 1),
 		close:      closer,
-		core:       ps.core}
+		core:       ps.core,
 		intf:       intf,
 	}
 	ps.mutex.Lock()
 	defer ps.mutex.Unlock()
 	oldPorts := ps.getPorts()
--- a/src/yggdrasil/router.go
+++ b/src/yggdrasil/router.go
@ -67,7 +67,15 @@ func (r *router) init(core *Core) {
 	r.addr = *address.AddrForNodeID(&r.core.dht.nodeID)
 	r.subnet = *address.SubnetForNodeID(&r.core.dht.nodeID)
 	in := make(chan []byte, 1) // TODO something better than this...
-	p := r.core.peers.newPeer(&r.core.boxPub, &r.core.sigPub, &crypto.BoxSharedKey{}, "(self)", nil)
+	self := linkInterface{
 		name: "(self)",
 		info: linkInfo{
 			local:    "(self)",
 			remote:   "(self)",
 			linkType: "self",
 		},
 	}
 	p := r.core.peers.newPeer(&r.core.boxPub, &r.core.sigPub, &crypto.BoxSharedKey{}, &self, nil)
 	p.out = func(packet []byte) { in <- packet }
 	r.in = in
 	out := make(chan []byte, 32)
--- a/src/yggdrasil/switch.go
+++ b/src/yggdrasil/switch.go
@ -131,6 +131,7 @@ type peerInfo struct {
 	faster  map[switchPort]uint64 // Counter of how often a node is faster than the current parent, penalized extra if slower
 	port    switchPort            // Interface number of this peer
 	msg     switchMsg             // The wire switchMsg used
 	blocked bool                  // True if the link is blocked, used to avoid parenting a blocked link
 }
 // This is just a uint64 with a named type for clarity reasons.
@ -256,6 +257,29 @@ func (t *switchTable) cleanRoot() {
 	}
 }
 // Blocks and, if possible, unparents a peer
 func (t *switchTable) blockPeer(port switchPort) {
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
 	peer, isIn := t.data.peers[port]
 	if !isIn {
 		return
 	}
 	peer.blocked = true
 	t.data.peers[port] = peer
 	if port != t.parent {
 		return
 	}
 	t.parent = 0
 	for _, info := range t.data.peers {
 		if info.port == port {
 			continue
 		}
 		t.unlockedHandleMsg(&info.msg, info.port, true)
 	}
 	t.unlockedHandleMsg(&peer.msg, peer.port, true)
 }
 // Removes a peer.
 // Must be called by the router mainLoop goroutine, e.g. call router.doAdmin with a lambda that calls this.
 // If the removed peer was this node's parent, it immediately tries to find a new parent.
@ -395,6 +419,7 @@ func (t *switchTable) unlockedHandleMsg(msg *switchMsg, fromPort switchPort, rep
 	if reprocessing {
 		sender.faster = oldSender.faster
 		sender.time = oldSender.time
 		sender.blocked = oldSender.blocked
 	} else {
 		sender.faster = make(map[switchPort]uint64, len(oldSender.faster))
 		for port, peer := range t.data.peers {
@ -454,6 +479,11 @@ func (t *switchTable) unlockedHandleMsg(msg *switchMsg, fromPort switchPort, rep
 	case sender.faster[t.parent] >= switch_faster_threshold:
 		// The is reliably faster than the current parent.
 		updateRoot = true
 	case !sender.blocked && oldParent.blocked:
 		// Replace a blocked parent
 		updateRoot = true
 	case reprocessing && sender.blocked && !oldParent.blocked:
 		// Don't replace an unblocked parent when reprocessing
 	case reprocessing && sender.faster[t.parent] > oldParent.faster[sender.port]:
 		// The sender seems to be reliably faster than the current parent, so switch to them instead.
 		updateRoot = true
@ -616,7 +646,7 @@ func (t *switchTable) bestPortForCoords(coords []byte) switchPort {
 // Handle an incoming packet
 // Either send it to ourself, or to the first idle peer that's free
 // Returns true if the packet has been handled somehow, false if it should be queued
-func (t *switchTable) handleIn(packet []byte, idle map[switchPort]struct{}) bool {
+func (t *switchTable) handleIn(packet []byte, idle map[switchPort]time.Time) bool {
 	coords := switch_getPacketCoords(packet)
 	closer := t.getCloser(coords)
 	if len(closer) == 0 {
@ -624,15 +654,13 @@ func (t *switchTable) handleIn(packet []byte, idle map[switchPort]struct{}) bool
 		t.toRouter <- packet
 		return true
 	}
 	table := t.getTable()
 	var best *peer
 	var bestDist int
-	var bestCoordLen int
+	var bestTime time.Time
 	ports := t.core.peers.getPorts()
 	for port, dist := range closer {
 		to := ports[port]
-		_, isIdle := idle[port]
+		thisTime, isIdle := idle[port]
 		coordLen := len(table.elems[port].locator.coords)
 		var update bool
 		switch {
 		case to == nil:
@ -645,21 +673,15 @@ func (t *switchTable) handleIn(packet []byte, idle map[switchPort]struct{}) bool
 			update = true
 		case dist > bestDist:
 			//nothing
-		case coordLen < bestCoordLen:
+		case thisTime.Before(bestTime):
 			update = true
 			/*
 				case coordLen > bestCoordLen:
 					//nothing
 				case port < best.port:
 					update = true
 			*/
 		default:
 			//nothing
 		}
 		if update {
 			best = to
 			bestDist = dist
-			bestCoordLen = coordLen
+			bestTime = thisTime
 		}
 	}
 	if best != nil {
@ -806,7 +828,7 @@ func (t *switchTable) doWorker() {
 	}()
 	t.queues.switchTable = t
 	t.queues.bufs = make(map[string]switch_buffer) // Packets per PacketStreamID (string)
-	idle := make(map[switchPort]struct{})          // this is to deduplicate things
+	idle := make(map[switchPort]time.Time)         // this is to deduplicate things
 	for {
 		//t.core.log.Debugf("Switch state: idle = %d, buffers = %d", len(idle), len(t.queues.bufs))
 		select {
@ -839,7 +861,7 @@ func (t *switchTable) doWorker() {
 			// Try to find something to send to this peer
 			if !t.handleIdle(port) {
 				// Didn't find anything ready to send yet, so stay idle
-				idle[port] = struct{}{}
+				idle[port] = time.Now()
 			}
 		case f := <-t.admin:
 			f()
--- a/src/yggdrasil/tcp.go
+++ b/src/yggdrasil/tcp.go
@ -19,40 +19,35 @@ import (
 	"fmt"
 	"math/rand"
 	"net"
 	"strings"
 	"sync"
 	"time"
 	"golang.org/x/net/proxy"
-	"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
+	"github.com/yggdrasil-network/yggdrasil-go/src/util"
 )
 const default_timeout = 6 * time.Second
 const tcp_ping_interval = (default_timeout * 2 / 3)
 // The TCP listener and information about active TCP connections, to avoid duplication.
-type tcpInterface struct {
+type tcp struct {
-	core        *Core
+	link        *link
 	reconfigure chan chan error
 	serv        net.Listener
 	stop        chan bool
 	addr        string
 	mutex       sync.Mutex // Protecting the below
 	listeners   map[string]*tcpListener
 	calls       map[string]struct{}
-	conns       map[tcpInfo](chan struct{})
+	conns       map[linkInfo](chan struct{})
 }
-// This is used as the key to a map that tracks existing connections, to prevent multiple connections to the same keys and local/remote address pair from occuring.
+type tcpListener struct {
-// Different address combinations are allowed, so multi-homing is still technically possible (but not necessarily advisable).
+	listener net.Listener
-type tcpInfo struct {
+	stop     chan bool
 	box        crypto.BoxPubKey
 	sig        crypto.SigPubKey
 	localAddr  string
 	remoteAddr string
 }
 // Wrapper function to set additional options for specific connection types.
-func (iface *tcpInterface) setExtraOptions(c net.Conn) {
+func (t *tcp) setExtraOptions(c net.Conn) {
 	switch sock := c.(type) {
 	case *net.TCPConn:
 		sock.SetNoDelay(true)
@ -62,104 +57,152 @@ func (iface *tcpInterface) setExtraOptions(c net.Conn) {
 }
 // Returns the address of the listener.
-func (iface *tcpInterface) getAddr() *net.TCPAddr {
+func (t *tcp) getAddr() *net.TCPAddr {
-	return iface.serv.Addr().(*net.TCPAddr)
+	// TODO: Fix this, because this will currently only give a single address
 	// to multicast.go, which obviously is not great, but right now multicast.go
 	// doesn't have the ability to send more than one address in a packet either
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
 	for _, l := range t.listeners {
 		return l.listener.Addr().(*net.TCPAddr)
 	}
-
+	return nil
 // Attempts to initiate a connection to the provided address.
 func (iface *tcpInterface) connect(addr string, intf string) {
 	iface.call(addr, nil, intf)
 }
 // Attempst to initiate a connection to the provided address, viathe provided socks proxy address.
 func (iface *tcpInterface) connectSOCKS(socksaddr, peeraddr string) {
 	iface.call(peeraddr, &socksaddr, "")
 }
 // Initializes the struct.
-func (iface *tcpInterface) init(core *Core) (err error) {
+func (t *tcp) init(l *link) error {
-	iface.core = core
+	t.link = l
-	iface.stop = make(chan bool, 1)
+	t.reconfigure = make(chan chan error, 1)
-	iface.reconfigure = make(chan chan error, 1)
+	t.mutex.Lock()
 	t.calls = make(map[string]struct{})
 	t.conns = make(map[linkInfo](chan struct{}))
 	t.listeners = make(map[string]*tcpListener)
 	t.mutex.Unlock()
 	go func() {
 		for {
-			e := <-iface.reconfigure
+			e := <-t.reconfigure
-			iface.core.configMutex.RLock()
+			t.link.core.configMutex.RLock()
-			updated := iface.core.config.Listen != iface.core.configOld.Listen
+			added := util.Difference(t.link.core.config.Listen, t.link.core.configOld.Listen)
-			iface.core.configMutex.RUnlock()
+			deleted := util.Difference(t.link.core.configOld.Listen, t.link.core.config.Listen)
-			if updated {
+			t.link.core.configMutex.RUnlock()
-				iface.stop <- true
+			if len(added) > 0 || len(deleted) > 0 {
-				iface.serv.Close()
+				for _, a := range added {
-				e <- iface.listen()
+					if a[:6] != "tcp://" {
 						continue
 					}
 					if _, err := t.listen(a[6:]); err != nil {
 						e <- err
 						continue
 					}
 				}
 				for _, d := range deleted {
 					if d[:6] != "tcp://" {
 						continue
 					}
 					t.mutex.Lock()
 					if listener, ok := t.listeners[d[6:]]; ok {
 						t.mutex.Unlock()
 						listener.stop <- true
 					} else {
 						t.mutex.Unlock()
 					}
 				}
 				e <- nil
 			} else {
 				e <- nil
 			}
 		}
 	}()
-	return iface.listen()
+	t.link.core.configMutex.RLock()
 	defer t.link.core.configMutex.RUnlock()
 	for _, listenaddr := range t.link.core.config.Listen {
 		if listenaddr[:6] != "tcp://" {
 			continue
 		}
 		if _, err := t.listen(listenaddr[6:]); err != nil {
 			return err
 		}
 	}
 func (iface *tcpInterface) listen() error {
 	var err error
 	iface.core.configMutex.RLock()
 	iface.addr = iface.core.config.Listen
 	iface.core.configMutex.RUnlock()
 	ctx := context.Background()
 	lc := net.ListenConfig{
 		Control: iface.tcpContext,
 	}
 	iface.serv, err = lc.Listen(ctx, "tcp", iface.addr)
 	if err == nil {
 		iface.mutex.Lock()
 		iface.calls = make(map[string]struct{})
 		iface.conns = make(map[tcpInfo](chan struct{}))
 		iface.mutex.Unlock()
 		go iface.listener()
 	return nil
 }
-	return err
+func (t *tcp) listen(listenaddr string) (*tcpListener, error) {
 	var err error
 	ctx := context.Background()
 	lc := net.ListenConfig{
 		Control: t.tcpContext,
 	}
 	listener, err := lc.Listen(ctx, "tcp", listenaddr)
 	if err == nil {
 		l := tcpListener{
 			listener: listener,
 			stop:     make(chan bool),
 		}
 		go t.listener(&l, listenaddr)
 		return &l, nil
 	}
 	return nil, err
 }
 // Runs the listener, which spawns off goroutines for incoming connections.
-func (iface *tcpInterface) listener() {
+func (t *tcp) listener(l *tcpListener, listenaddr string) {
-	defer iface.serv.Close()
+	if l == nil {
-	iface.core.log.Infoln("Listening for TCP on:", iface.serv.Addr().String())
+		return
 	}
 	// Track the listener so that we can find it again in future
 	t.mutex.Lock()
 	if _, isIn := t.listeners[listenaddr]; isIn {
 		t.mutex.Unlock()
 		l.listener.Close()
 		return
 	} else {
 		t.listeners[listenaddr] = l
 		t.mutex.Unlock()
 	}
 	// And here we go!
 	accepted := make(chan bool)
 	defer func() {
 		t.link.core.log.Infoln("Stopping TCP listener on:", l.listener.Addr().String())
 		l.listener.Close()
 		t.mutex.Lock()
 		delete(t.listeners, listenaddr)
 		t.mutex.Unlock()
 	}()
 	t.link.core.log.Infoln("Listening for TCP on:", l.listener.Addr().String())
 	for {
-		sock, err := iface.serv.Accept()
+		var sock net.Conn
-		if err != nil {
+		var err error
-			iface.core.log.Errorln("Failed to accept connection:", err)
+		// Listen in a separate goroutine, as that way it does not block us from
-			return
+		// receiving "stop" events
-		}
+		go func() {
 			sock, err = l.listener.Accept()
 			accepted <- true
 		}()
 		// Wait for either an accepted connection, or a message telling us to stop
 		// the TCP listener
 		select {
-		case <-iface.stop:
+		case <-accepted:
 			iface.core.log.Errorln("Stopping listener")
 			return
 		default:
 			if err != nil {
-				panic(err)
+				t.link.core.log.Errorln("Failed to accept connection:", err)
 				return
 			}
-			go iface.handler(sock, true)
+			go t.handler(sock, true, nil)
 		case <-l.stop:
 			return
 		}
 	}
 }
 // Checks if we already have a connection to this node
 func (iface *tcpInterface) isAlreadyConnected(info tcpInfo) bool {
 	iface.mutex.Lock()
 	defer iface.mutex.Unlock()
 	_, isIn := iface.conns[info]
 	return isIn
 }
 // Checks if we already are calling this address
-func (iface *tcpInterface) isAlreadyCalling(saddr string) bool {
+func (t *tcp) isAlreadyCalling(saddr string) bool {
-	iface.mutex.Lock()
+	t.mutex.Lock()
-	defer iface.mutex.Unlock()
+	defer t.mutex.Unlock()
-	_, isIn := iface.calls[saddr]
+	_, isIn := t.calls[saddr]
 	return isIn
 }
@ -168,34 +211,39 @@ func (iface *tcpInterface) isAlreadyCalling(saddr string) bool {
 // If the dial is successful, it launches the handler.
 // When finished, it removes the outgoing call, so reconnection attempts can be made later.
 // This all happens in a separate goroutine that it spawns.
-func (iface *tcpInterface) call(saddr string, socksaddr *string, sintf string) {
+func (t *tcp) call(saddr string, options interface{}, sintf string) {
 	go func() {
 		callname := saddr
 		if sintf != "" {
 			callname = fmt.Sprintf("%s/%s", saddr, sintf)
 		}
-		if iface.isAlreadyCalling(callname) {
+		if t.isAlreadyCalling(callname) {
 			return
 		}
-		iface.mutex.Lock()
+		t.mutex.Lock()
-		iface.calls[callname] = struct{}{}
+		t.calls[callname] = struct{}{}
-		iface.mutex.Unlock()
+		t.mutex.Unlock()
 		defer func() {
 			// Block new calls for a little while, to mitigate livelock scenarios
 			time.Sleep(default_timeout)
 			time.Sleep(time.Duration(rand.Intn(1000)) * time.Millisecond)
-			iface.mutex.Lock()
+			t.mutex.Lock()
-			delete(iface.calls, callname)
+			delete(t.calls, callname)
-			iface.mutex.Unlock()
+			t.mutex.Unlock()
 		}()
 		var conn net.Conn
 		var err error
-		if socksaddr != nil {
+		socksaddr, issocks := options.(string)
 		if issocks {
 			if sintf != "" {
 				return
 			}
 			dialerdst, er := net.ResolveTCPAddr("tcp", socksaddr)
 			if er != nil {
 				return
 			}
 			var dialer proxy.Dialer
-			dialer, err = proxy.SOCKS5("tcp", *socksaddr, nil, proxy.Direct)
+			dialer, err = proxy.SOCKS5("tcp", dialerdst.String(), nil, proxy.Direct)
 			if err != nil {
 				return
 			}
@ -210,9 +258,20 @@ func (iface *tcpInterface) call(saddr string, socksaddr *string, sintf string) {
 					addr:    saddr,
 				},
 			}
 			t.handler(conn, false, dialerdst.String())
 		} else {
 			dst, err := net.ResolveTCPAddr("tcp", saddr)
 			if err != nil {
 				return
 			}
 			if dst.IP.IsLinkLocalUnicast() {
 				dst.Zone = sintf
 				if dst.Zone == "" {
 					return
 				}
 			}
 			dialer := net.Dialer{
-				Control: iface.tcpContext,
+				Control: t.tcpContext,
 			}
 			if sintf != "" {
 				ief, err := net.InterfaceByName(sintf)
@ -224,10 +283,6 @@ func (iface *tcpInterface) call(saddr string, socksaddr *string, sintf string) {
 				}
 				addrs, err := ief.Addrs()
 				if err == nil {
 					dst, err := net.ResolveTCPAddr("tcp", saddr)
 					if err != nil {
 						return
 					}
 					for addrindex, addr := range addrs {
 						src, _, err := net.ParseCIDR(addr.String())
 						if err != nil {
@ -261,31 +316,39 @@ func (iface *tcpInterface) call(saddr string, socksaddr *string, sintf string) {
 					}
 				}
 			}
-
+			conn, err = dialer.Dial("tcp", dst.String())
 			conn, err = dialer.Dial("tcp", saddr)
 			if err != nil {
 				t.link.core.log.Debugln("Failed to dial TCP:", err)
 				return
 			}
 			t.handler(conn, false, nil)
 		}
 		iface.handler(conn, false)
 	}()
 }
-func (iface *tcpInterface) handler(sock net.Conn, incoming bool) {
+func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) {
 	defer sock.Close()
-	iface.setExtraOptions(sock)
+	t.setExtraOptions(sock)
 	stream := stream{}
 	stream.init(sock)
 	local, _, _ := net.SplitHostPort(sock.LocalAddr().String())
 	remote, _, _ := net.SplitHostPort(sock.RemoteAddr().String())
-	remotelinklocal := net.ParseIP(remote).IsLinkLocalUnicast()
+	force := net.ParseIP(strings.Split(remote, "%")[0]).IsLinkLocalUnicast()
-	name := "tcp://" + sock.RemoteAddr().String()
+	var name string
-	link, err := iface.core.link.create(&stream, name, "tcp", local, remote, incoming, remotelinklocal)
+	var proto string
 	if socksaddr, issocks := options.(string); issocks {
 		name = "socks://" + socksaddr + "/" + sock.RemoteAddr().String()
 		proto = "socks"
 	} else {
 		name = "tcp://" + sock.RemoteAddr().String()
 		proto = "tcp"
 	}
 	link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, force)
 	if err != nil {
-		iface.core.log.Println(err)
+		t.link.core.log.Println(err)
 		panic(err)
 	}
-	iface.core.log.Debugln("DEBUG: starting handler for", name)
+	t.link.core.log.Debugln("DEBUG: starting handler for", name)
 	err = link.handler()
-	iface.core.log.Debugln("DEBUG: stopped handler for", name, err)
+	t.link.core.log.Debugln("DEBUG: stopped handler for", name, err)
 }
--- a/src/yggdrasil/tcp_darwin.go
+++ b/src/yggdrasil/tcp_darwin.go
@ -10,7 +10,7 @@ import (
 // WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
-func (iface *tcpInterface) tcpContext(network, address string, c syscall.RawConn) error {
+func (t *tcp) tcpContext(network, address string, c syscall.RawConn) error {
 	var control error
 	var recvanyif error
--- a/src/yggdrasil/tcp_other.go
+++ b/src/yggdrasil/tcp_other.go
@ -8,6 +8,6 @@ import (
 // WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
-func (iface *tcpInterface) tcpContext(network, address string, c syscall.RawConn) error {
+func (t *tcp) tcpContext(network, address string, c syscall.RawConn) error {
 	return nil
 }
		`@ -0,0 +1 @@`
							`Subproject commit 10672210f2fdce97dd5c301dfeed47284d4a28f2`