Securing Internet services on your home network
On the Client
If you are familiar with WireGuard already, you will probably notice the similarity between WireGuard's configuration file wg0.conf and the configuration file used by Mistborn. Hence the first step on the client is to install WireGuard. For Ubuntu up to and including version 19.10, you need to add a Personal Package Archive (PPA) [6]; starting with Focal Fossa, you can retrieve the software directly from the standard repository using Apt. This method also works for many other distributions.
The next step is to copy the configuration file from the server terminal and store it as wg_admin.conf on the client in the previously created /etc/wireguard/ directory. Listing 2 shows an example; after this, start the virtual network interface via systemd (Listing 3, first two lines).
Listing 2
Example wg_admin.conf
# "10.15.91.2" - WireGuard Client Profile
[Interface]
Address = 10.15.91.2/32
# The use of DNS below effectively expands to:
# PostUp = echo nameserver 10.15.91.1 | resolvconf -a tun.%i -m 0 -x
# PostDown = resolvconf -d tun.%i
# If the use of resolvconf is not desirable, simply remove the DNS line
# and use a variant of the PostUp/PostDown lines above.
# The IP address of the DNS server that is available via the encrypted
# WireGuard interface is 10.15.91.1
DNS = 10.15.91.1
PrivateKey = cPPflVGsxVFw2/lMmhiFTXMmH345bGqoqArD/NgjiXU=
[Peer]
PublicKey = DfIV1urYZXqXKiU4rOSfO0Iu589pEO+59dHV5w5N0mU=
PresharedKey = Z1SO5NuAnZ7JhzVCuUnYOQLWOQYmMoqG0pG1SNXUlh0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = <Mistborn public IP address>:39207
Listing 3
Starting the Virtual Network Interface
$ sudo systemctl start wg-quick@wg_admin
$ sudo systemctl enable wg-quick@wg_admin
$ sudo systemctl status wg-quick@wg_admin
If you get an error message with the first command, follow up with the command from the last line of Listing 3. If the output complains that resolvconf was not found, install the openresolv package and try again.
If everything worked, now call up the interface in a web browser on http://home.mistborn. Depending on the hardware, it may take a few minutes to connect to the server, as it first has to create the containers.
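Before handing a profile like Listing 2 to wg-quick, it is worth checking that nothing is missing. The following script is an added example, not code from the article or from the Mistborn project: it verifies that the required sections and keys are present, that the <Mistborn public IP address> placeholder from Listing 2 has been replaced, and that the file (which holds the private key) is not readable by other users. The sample profiles it writes are constructed; the keys are placeholders and 203.0.113.10 is a documentation address.

```shell
#!/bin/sh
# Added example (not from the article or Mistborn): sanity-check a WireGuard
# client profile before running "systemctl start wg-quick@<name>".

# check_wg_conf FILE : prints each problem found; returns 0 only if none
check_wg_conf() {
    f="$1"; rc=0
    for sec in Interface Peer; do
        grep -q "^\[${sec}\]" "$f" || { echo "$f: missing [$sec] section"; rc=1; }
    done
    for key in Address PrivateKey PublicKey AllowedIPs Endpoint; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$f" \
            || { echo "$f: missing $key"; rc=1; }
    done
    # Listing 2 ships with "<Mistborn public IP address>", which must be replaced
    if grep -Eq '^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*<' "$f"; then
        echo "$f: Endpoint placeholder not replaced"; rc=1
    fi
    # The profile contains PrivateKey, so the "other" read bit must be clear
    case "$(ls -l "$f" | cut -c1-10)" in
        ???????r??) echo "$f: readable by everyone, run chmod 600"; rc=1 ;;
    esac
    return $rc
}

# write_samples DIR : constructed profiles, one finished and one not (placeholder keys)
write_samples() {
    dir="$1"
    cat > "$dir/wg_admin.conf" <<'EOF'
[Interface]
Address = 10.15.91.2/32
DNS = 10.15.91.1
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PRESHARED_KEY=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.10:39207
EOF
    chmod 600 "$dir/wg_admin.conf"
    # Same profile with the placeholder still in place, left world-readable
    sed 's/^Endpoint = .*/Endpoint = <Mistborn public IP address>:39207/' \
        "$dir/wg_admin.conf" > "$dir/unfinished.conf"
    chmod 644 "$dir/unfinished.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_wg_conf "$tmp/wg_admin.conf" && echo "wg_admin.conf: ok"
check_wg_conf "$tmp/unfinished.conf" || echo "unfinished.conf: fix before starting wg-quick"
rm -rf "$tmp"
```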
Getting Around
The default view after starting Mistborn is the Profile view where you can create new users, set up a gateway (more about this later), or set up new clients and profiles (Figure 5). Click on System in the left-hand sidebar. This takes you to the Pi-hole view (Figure 6) – Pi-hole is enabled by default – or the Cockpit administration interface. All services open in a separate tab.
Next up in the sidebar is Coppercloud, which lets you block or grant access to a given set of IP addresses via iptables. Lists entered here are converted to iptables rules at system startup and then executed.
Under Manage Extra Services (Figure 7), you will find all the third-party services that Mistborn securely supports. Additional services like the Matrix messenger, GitLab, or various game servers are in development.
All of these services can be set up with the push of a button. As soon as you start a service, a green line appears to inform you that the start-up may take a few minutes. Using a Rasp Pi as the server, it took up to three minutes until a service was ready, depending on the complexity of the application.
Currently you have to refresh the web page manually to see whether the service is ready. After refreshing, you can start and use the respective application. You only need to start services once; after a reboot, you can open them directly.
Finally, you'll find Metrics and Tests in the sidebar. Metrics provides an overview of the firewall's performance, while Tests provides port scanning, runs a DNS leak test, and displays the public IP address.
Gateway
For services like Netflix that do not work well with WireGuard, you can add a gateway. A gateway is another client that sits upstream of the VPN and makes proprietary services like Netflix think they are seeing the public IP address of the device running Netflix.
Mistborn does most of the setup for a gateway. As with other clients, you only need to store the configuration created by Mistborn in /etc/wireguard/gateway.conf on the client (Figure 8).
The configuration is created on the profile page below Gateways, where you first assign a name. Then press the Create button to create a profile, select the profile, and then copy the configuration file.
For mobile devices, you do this by scanning the displayed QR code. The setup for the gateway client is described in the documentation [7]. To get Mistborn running on Android devices, see the "Mistborn on Android" box. There is currently no viable solution for iOS.
Mistborn on Android
We also tested Mistborn on Android. The procedure is similar to that for other clients. First you create a new client with Mistborn. After you have installed WireGuard on your Android device, open the application and click on the plus sign in the lower right corner. In the menu that now appears, select Scan from QR Code and load the configuration directly. After you start WireGuard, you can start Mistborn in your browser.
There is one more hurdle with Android. Some of the services in Extras require Transport Layer Security (TLS). To satisfy this requirement, Mistborn creates a certificate with a 10-year validity period during the installation on the server. You can import this to your Android device by tapping on Security | Additional settings | Encryption and credentials to Install from store and importing the certificate found at /opt/mistborn_volumes/base/tls/cert.crt. The developer has promised a download button for the certificate soon.
Buy Linux Magazine