Securing Internet services on your home network

On the Client

If you are familiar with WireGuard already, you will probably notice the similarity between WireGuards's configuration file wg0.conf and the configuration file used on Mistborn. Hence the first step on the client is to install WireGuard. For Ubuntu up to and including version 19.10, the integration of a Personal Package Archive (PPA) is required [6]; you can retrieve the software directly from the Focal Fossa repository using Apt. This method also works for many other distributions.

The next step is to copy the configuration file from the server terminal and store it as wg_admin.conf on the client in the previously created /etc/wireguard/ directory. Listing 2 shows an example; after this, start the virtual network interface via systemd (Listing 3, first two lines).

Listing 2

Example wg_admin.conf

# "" - WireGuard Client Profile
Address =
# The use of DNS below effectively expands to:
# PostUp = echo nameserver | resolvconf -a tun.%i -m 0 -x
# PostDown = resolvconf -d tun.%i
# If the use of resolvconf is not desirable, simply remove the DNS line
# and use a variant of the PostUp/PostDown lines above.
# The IP address of the DNS server that is available via the encrypted
# WireGuard interface is
PrivateKey = cPPflVGsxVFw2/lMmhiFTXMmH345bGqoqArD/NgjiXU=
PublicKey = DfIV1urYZXqXKiU4rOSfO0Iu589pEO+59dHV5w5N0mU=
PresharedKey = Z1SO5NuAnZ7JhzVCuUnYOQLWOQYmMoqG0pG1SNXUlh0=
AllowedIPs =,::/0
Endpoint = <Mistborn public IP address>:39207

Listing 3

Starting the Virtual Network Interface

$ sudo systemctl start wg-quick@wg_admin
$ sudo systemctl enable wg-quick@wg_admin
$ sudo systemctl status wg-quick@wg_admin

If you get an error message with the first command, follow up with the command from the last line of Listing 3. If the output complains that resolvconf was not found, just install the openresolv package retroactively.

If everything worked, now call up the interface in a web browser on http://home.mistborn. Depending on the hardware, it may take a few minutes to connect to the server, as it first has to create the containers.

Getting Around

The default view after starting Mistborn is the Profile view where you can create new users, set up a gateway (more about this later), or set up new clients and profiles (Figure 5). Click on System in the left-hand sidebar. This takes you to the Pi-hole view (Figure 6) – Pi-hole is enabled by default – or the Cockpit administration interface. All services open in a separate tab.

Figure 5: Immediately after starting the web interface, you can create new users and WireGuard profiles for additional clients or gateways. For mobile clients, simply scan the configuration as a QR code.
Figure 6: The server-side tracking and advertising blocker Pi-hole, which is enabled by default, is ideally suited for use on the Rasp Pi. It runs as a DNS server and thus blocks undesirable requests on all devices on the network using lists that have already been included or created by the user.

Next up in the sidebar is Coppercloud, which lets you block or grant access to a given set of IP addresses via iptables. Lists entered here are converted to iptables rules at system startup and then executed.

Under Manage Extra Services (Figure 7), you will find all the third-party services that Mistborn securely supports. Additional services like the Matrix messenger, GitLab, or various game servers are in development.

Figure 7: Manage Extra Services lists all the previously installed services. Clicking on Start lets you set up and then start the service in a few minutes. All services work in their own containers and use the WireGuard tunnel.

All of these services can be set up with the push of a button. As soon as you start a service, a green line appears to inform you that the start-up may take a few minutes. Using a Rasp Pi as the server, it took up to three minutes until a service was ready, depending on the complexity of the application.

Currently you have to update the web page manually to see if the service is ready. After updating, you can start and use the respective application. You only need to start services once. After a restart, you can open them directly.

Finally, you'll find Metrics and Tests in the sidebar. Metrics provides an overview of the firewall's performance, while Tests provides port scanning, runs a DNS leak test, and displays the public IP address.


For services like Netflix that do not work well with WireGuard, you can add a gateway. A gateway is another client that sits upstream of the VPN and makes proprietary services like Netflix think they are seeing the public IP address of the device running Netflix.

Mistborn does most of the setup for a gateway. As with other clients, you only need to store the configuration created by Mistborn in /etc/wireguard/gateway.conf on the client (Figure 8).

Figure 8: A gateway is another client that also uses the WireGuard tunnel, but makes proprietary services like Netflix think that there is a direct connection. © 2019, Steven Foerster

The configuration is created on the profile page below Gateways, where you first assign a name. Then press the Create button to create a profile, select the profile, and then copy the configuration file.

For mobile devices, you do this by scanning the displayed QR code. The setup for the gateway client is described in the documentation [7]. To get Mistborn running on Android devices, see the "Mistborn on Android" box. There is currently no viable solution for iOS.

Mistborn on Android

We also tested Mistborn on Android. The procedure is similar to that for other clients. First you create a new client with Mistborn. After you have installed WireGuard on your Android device, open the application and click on the plus sign in the lower right corner. In the menu that now appears, select Scan from QR Code and load the configuration directly. After you start WireGuard, you can start Mistborn in your browser.

There is one more hurdle with Android. Some of the services in Extras require Transport Layer Security (TLS). To satisfy this request, Mistborn creates a certificate with a 10-year validity period during the installation on the server. You can import this to your Android device by tapping on Security | Additional settings | Encryption and credentials to Install from store and import the certificate found at /opt/mistborn_volumes/base/tls/cert.crt. The developer has promised a download button for the certificate soon.

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tipi

    Tipi gives you complete control of more than 100 applications and services. A mouse click is all it takes to install the apps.

  • WireGuard

    A recent addition to the Linux kernel, WireGuard lets you build a VPN tunnel that relies on encryption to reduce potential security issues.

  • Teaming NICs

    Combining your network adapters can speed up network performance – but a little more testing could lead to better choices.

  • Mozilla VPN Now Available for Linux

    The promised subscription-based VPN service from Mozilla is now available for the Linux platform.

  • Pi-hole

    Supporting browser plug-ins, network-based DNS blockers like Pi-hole help protect you against online tracking and unwanted content.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More