Securing Internet services on your home network
On the Client
If you are familiar with WireGuard already, you will probably notice the similarity between WireGuard's configuration file wg0.conf and the configuration file used by Mistborn. Hence the first step on the client is to install WireGuard. For Ubuntu up to and including version 19.10, you need to add a Personal Package Archive (PPA) [6]; starting with Focal Fossa, you can retrieve the software directly from the distribution repository using Apt. This method also works for many other distributions.
The next step is to copy the configuration file from the server terminal and store it as wg_admin.conf on the client in the previously created /etc/wireguard/ directory. Listing 2 shows an example; after this, start the virtual network interface via systemd (Listing 3, first two lines).
Listing 2
Example wg_admin.conf

# "10.15.91.2" - WireGuard Client Profile
[Interface]
Address = 10.15.91.2/32
# The use of DNS below effectively expands to:
# PostUp = echo nameserver 10.15.91.1 | resolvconf -a tun.%i -m 0 -x
# PostDown = resolvconf -d tun.%i
# If the use of resolvconf is not desirable, simply remove the DNS line
# and use a variant of the PostUp/PostDown lines above.
# The IP address of the DNS server that is available via the encrypted
# WireGuard interface is 10.15.91.1
DNS = 10.15.91.1
PrivateKey = cPPflVGsxVFw2/lMmhiFTXMmH345bGqoqArD/NgjiXU=

[Peer]
PublicKey = DfIV1urYZXqXKiU4rOSfO0Iu589pEO+59dHV5w5N0mU=
PresharedKey = Z1SO5NuAnZ7JhzVCuUnYOQLWOQYmMoqG0pG1SNXUlh0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = <Mistborn public IP address>:39207
Listing 3
Starting the Virtual Network Interface

$ sudo systemctl start wg-quick@wg_admin
$ sudo systemctl enable wg-quick@wg_admin
$ sudo systemctl status wg-quick@wg_admin
If the first command produces an error message, run the command from the last line of Listing 3 to see the cause. If the output complains that resolvconf was not found, install the openresolv package afterwards and start the interface again.
If everything worked, now call up the interface in a web browser on http://home.mistborn. Depending on the hardware, it may take a few minutes to connect to the server, as it first has to create the containers.
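A pre-flight check for the client profile, added here as an example (it is not part of the article or of the Mistborn project): before handing a file like Listing 2 to wg-quick, it verifies that the file is not group- or world-readable (it holds the private key in plain text), that the Endpoint placeholder was replaced, and that AllowedIPs and DNS really send all traffic and all name lookups through the tunnel. The write_sample_conf helper, the dummy key string and the 203.0.113.10 endpoint are constructed for the demo.

```shell
# check_wg_conf FILE: prints one line per problem, returns 0 only if the profile is clean.
check_wg_conf() {
    conf=$1; rc=0
    # PrivateKey is stored in plain text, so the file must not be group/world readable.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "$conf: mode $mode, expected 600 (file holds PrivateKey)"; rc=1 ;;
    esac
    # The "<Mistborn public IP address>" placeholder must have been replaced.
    if grep -q '^Endpoint *= *<' "$conf"; then
        echo "$conf: Endpoint still holds the <...> placeholder"; rc=1
    fi
    # Full tunnel: without 0.0.0.0/0 only the VPN subnet itself would be routed.
    if ! grep -q '^AllowedIPs *=.*0\.0\.0\.0/0' "$conf"; then
        echo "$conf: AllowedIPs does not send 0.0.0.0/0 through the tunnel"; rc=1
    fi
    # DNS must be the resolver that lives inside the tunnel, or lookups leak to the ISP.
    if ! grep -q '^DNS *= *10\.15\.91\.1 *$' "$conf"; then
        echo "$conf: DNS is not the in-tunnel resolver 10.15.91.1"; rc=1
    fi
    # Each key must be present and base64-shaped (43 characters plus '=').
    for key in PrivateKey PublicKey PresharedKey; do
        grep -Eq "^$key *= *[A-Za-z0-9+/]{43}=$" "$conf" ||
            { echo "$conf: $key missing or malformed"; rc=1; }
    done
    return $rc
}
# write_sample_conf FILE ENDPOINT: constructed profile shaped like Listing 2 (dummy keys).
write_sample_conf() {
    k='0123456789abcdefghijklmnopqrstuvwxyzABCDEFG='
    cat > "$1" <<EOF
[Interface]
Address = 10.15.91.2/32
DNS = 10.15.91.1
PrivateKey = $k
[Peer]
PublicKey = $k
PresharedKey = $k
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = $2:39207
EOF
    chmod 600 "$1"
}
# Demo: a filled-in profile passes, one that still holds the placeholder is rejected.
good=$(mktemp); bad=$(mktemp)
write_sample_conf "$good" 203.0.113.10; write_sample_conf "$bad" '<Mistborn public IP address>'
check_wg_conf "$good" && echo OK; check_wg_conf "$bad" || echo rejected; rm -f "$good" "$bad"
```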
Getting Around
The default view after starting Mistborn is the Profile view where you can create new users, set up a gateway (more about this later), or set up new clients and profiles (Figure 5). Click on System in the left-hand sidebar. This takes you to the Pi-hole view (Figure 6) – Pi-hole is enabled by default – or the Cockpit administration interface. All services open in a separate tab.
Next up in the sidebar is Coppercloud, which lets you block or grant access to a given set of IP addresses via iptables. Lists entered here are converted to iptables rules at system startup and then executed.
Under Manage Extra Services (Figure 7), you will find all the third-party services that Mistborn securely supports. Additional services like the Matrix messenger, GitLab, or various game servers are in development.
All of these services can be set up with the push of a button. As soon as you start a service, a green line appears to inform you that the start-up may take a few minutes. Using a Rasp Pi as the server, it took up to three minutes until a service was ready, depending on the complexity of the application.
Currently you have to reload the web page manually to see whether the service is ready. After reloading, you can start and use the respective application. You only need to start services once; after a restart, you can open them directly.
Finally, you'll find Metrics and Tests in the sidebar. Metrics provides an overview of the firewall's performance, while Tests provides port scanning, runs a DNS leak test, and displays the public IP address.
Gateway
For services like Netflix that do not work well with WireGuard, you can add a gateway. A gateway is another client that sits upstream of the VPN and makes proprietary services like Netflix think they are seeing the public IP address of the device running Netflix.
Mistborn does most of the setup for a gateway. As with other clients, you only need to store the configuration created by Mistborn in /etc/wireguard/gateway.conf on the client (Figure 8).
The configuration is created on the profile page below Gateways, where you first assign a name. Then press the Create button to create a profile, select the profile, and then copy the configuration file.
For mobile devices, you do this by scanning the displayed QR code. The setup for the gateway client is described in the documentation [7]. To get Mistborn running on Android devices, see the "Mistborn on Android" box. There is currently no viable solution for iOS.
Mistborn on Android
We also tested Mistborn on Android. The procedure is similar to that for other clients. First you create a new client with Mistborn. After you have installed WireGuard on your Android device, open the application and click on the plus sign in the lower right corner. In the menu that now appears, select Scan from QR Code and load the configuration directly. After you start WireGuard, you can start Mistborn in your browser.
There is one more hurdle with Android. Some of the services in Extras require Transport Layer Security (TLS). To satisfy this requirement, Mistborn creates a certificate with a 10-year validity period during the installation on the server. You can import this to your Android device by tapping on Security | Additional settings | Encryption and credentials to Install from store and importing the certificate found at /opt/mistborn_volumes/base/tls/cert.crt. The developer has promised a download button for the certificate soon.