From 804b78881418e9336ff42aacd8f22467cb1e4d5c Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 1 Apr 2020 14:14:56 -0400
Subject: [PATCH 1/5] restart unless-stopped
---
 base.yml | 8 ++++++++
 extra/jitsi-meet.yml | 4 ++++
 2 files changed, 12 insertions(+)
diff --git a/base.yml b/base.yml
index b0c3bb7..71b3aa9 100644
--- a/base.yml
+++ b/base.yml
@@ -22,6 +22,7 @@ services:
 - ../mistborn_volumes/base/media:/mistborn-media
 - ../mistborn_volumes/base/private_media:/mistborn-private-media
 command: /start
+ restart: unless-stopped
 postgres:
 build:
@@ -34,6 +35,7 @@ services:
 - production_postgres_data_backups:/backups
 env_file:
 - ./.envs/.production/.postgres
+ restart: unless-stopped
 traefik:
 build:
@@ -50,10 +52,12 @@ services:
 ports:
 - "0.0.0.0:80:80/tcp"
 - "0.0.0.0:443:443/tcp"
+ restart: unless-stopped
 redis:
 image: redis:5.0
 container_name: mistborn_production_redis
+ restart: unless-stopped
 celeryworker:
 image: cyber5k/mistborn:latest
@@ -76,6 +80,7 @@ services:
 - traefik
 - pihole
 command: /start-celeryworker
+ restart: unless-stopped
 celeryworker-low-priority:
 image: cyber5k/mistborn:latest
@@ -98,6 +103,7 @@ services:
 - traefik
 - pihole
 command: /start-celeryworker-low-priority
+ restart: unless-stopped
 celerybeat:
 image: cyber5k/mistborn:latest
@@ -106,6 +112,7 @@ services:
 - ./.envs/.production/.django
 - ./.envs/.production/.postgres
 command: /start-celerybeat
+ restart: unless-stopped
 flower:
@@ -114,6 +121,7 @@ services:
 ports:
 - "5555:5555/tcp"
 command: /start-flower
+ restart: unless-stopped
 pihole:
 container_name: mistborn_production_pihole
diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml
index 83a29a6..cc86c8f 100644
--- a/extra/jitsi-meet.yml
+++ b/extra/jitsi-meet.yml
@@ -47,6 +47,7 @@ services:
 meet.jitsi:
 aliases:
 - ${XMPP_DOMAIN}
+ restart: unless-stopped
 # XMPP server
 jitsi-prosody:
@@ -112,6 +113,7 @@ services:
 meet.jitsi:
 aliases:
 - ${XMPP_SERVER}
+ restart: unless-stopped
 # Focus component
 jitsi-jicofo:
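Review bot: The last base.yml hunk (@@ -114,6 +121,7 @@) adds `restart: unless-stopped` to flower and then shows `pihole:` only as trailing context with no restart line; the pihole service body continues outside the hunk, so if it does not already carry a restart policy there, pihole is the one service in this file that stays down after a host reboot while everything else comes back. The celeryworker hunks list `- pihole` in what appears to be a `depends_on` block, and the README changes later in this series describe Pi-hole as the DNS filter for VPN clients, so a pihole that does not restart would leave clients without DNS filtering. If it is missing, add `restart: unless-stopped` under `pihole:` as well.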
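Review bot: In the extra/jitsi-meet.yml hunks at @@ -139,6 +141,7 @@ and @@ -168,6 +171,7 @@ the new `restart: unless-stopped` line directly follows `networks:` / `meet.jitsi:`, and indentation is not recoverable from this rendering, so it is worth confirming the key sits at the service level rather than under `meet.jitsi:`, where Compose would reject it as an unknown per-network option; the @@ -47,6 +47,7 @@ and @@ -112,6 +113,7 @@ hunks add it right after an `aliases:` list and carry the same risk. `docker-compose -f extra/jitsi-meet.yml config` validates the placement before deploying. Each of the four service blocks starts outside its hunk.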
@@ -139,6 +141,7 @@ services:
 - jitsi-prosody
 networks:
 meet.jitsi:
+ restart: unless-stopped
 # Video bridge
 jitsi-jvb:
@@ -168,6 +171,7 @@ services:
 - jitsi-prosody
 networks:
 meet.jitsi:
+ restart: unless-stopped
 # Custom network so all services can communicate using a FQDN
 networks:
From 52c8f19e9859365a401e87410b0a47ee4979e846 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 1 Apr 2020 14:24:41 -0400
Subject: [PATCH 2/5] envs flower
---
 base.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/base.yml b/base.yml
index 71b3aa9..422c966 100644
--- a/base.yml
+++ b/base.yml
@@ -118,6 +118,9 @@ services:
 flower:
 image: cyber5k/mistborn:latest
 container_name: mistborn_production_flower
+ env_file:
+ - ./.envs/.production/.django
+ - ./.envs/.production/.postgres
 ports:
 - "5555:5555/tcp"
 command: /start-flower
From 11e19d87aa3d7fa3ae157b3e8cdf05ec14d80c30 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 1 Apr 2020 16:56:53 -0400
Subject: [PATCH 3/5] adding gateway to README
---
 README.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/README.md b/README.md
index cd8f12c..dd710af 100644
--- a/README.md
+++ b/README.md
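Review bot: In the base.yml hunk at @@ -118,6 +118,9 @@ flower now loads `./.envs/.production/.postgres` — presumably the database credentials, judging by the file name — while the context lines show `ports: - "5555:5555/tcp"`, which publishes the flower UI on every host interface instead of reaching it only through traefik like the other `.mistborn` services. If flower only needs the broker settings from `.django`, drop the `.postgres` entry so database credentials are not in the environment of a host-reachable container; if the port must stay published, bind it to the loopback or Wireguard address (`- "127.0.0.1:5555:5555/tcp"`) so it is not exposed beyond the host. Docker-published ports are inserted into Docker's own iptables chains and can bypass host firewall rules, so the README's statement that the Mistborn firewall blocks unsolicited incoming packets may not cover 5555. The flower service block continues past the hunk (patch 1 added `restart: unless-stopped` after `command:`).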
@@ -40,6 +40,17 @@ Mistborn protects your data in a variety of ways:
 - The Mistborn firewall blocks unsolicited incoming internet packets
 - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.)
+# Gateways
+I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for.
+
+![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png)*Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
+
+In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
+
+![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png)
+
+The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
+
 # Installation
 Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested).
@@ -147,6 +158,25 @@ Mistborn uses the following domains (that can be reached by all Wireguard client
 | OnlyOffice | onlyoffice.mistborn | Off |
 | Jitsi | jitsi.mistborn | Off |
+# Gateway Setup
+Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand:
+
+## Gateway Requirements
+- Wireguard (you can run the Mistborn Wireguard installer: `sudo bash /opt/mistborn/scripts/subinstallers/wireguard.sh`)
+- Openresolv (a Wireguard dependency that is installed via the Mistborn Wireguard installer)
+- Fail2ban
+
+## Install Gateway Wireguard config file
+On Mistborn:
+- Click `View Config` on the Gateways tab in Mistborn
+- Highlight the config
+- Copy (Ctrl-C)
+
+On Gateway:
+- Paste the config to `/etc/wireguard/gateway.conf`
+- Run `sudo systemctl start wg-quick@gateway`
+- Run `sudo systemctl enable wg-quick@gateway`
+
 # Troubleshooting
 Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues:
From 5f59a5661f7f6bddac90bd3d10039ce25e4309f2 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 1 Apr 2020 16:59:37 -0400
Subject: [PATCH 4/5] formatting
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index dd710af..e6ef79f 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,8 @@ Mistborn protects your data in a variety of ways:
 # Gateways
 I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for.
-![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png)*Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
+![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png)
+*Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
 In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
From e33891700df6a43cdcba5e8cfbf7b709af526a14 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 1 Apr 2020 17:00:09 -0400
Subject: [PATCH 5/5] formatting
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index e6ef79f..1c54872 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ Mistborn protects your data in a variety of ways:
 I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for.
 ![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png)
+
 *Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
 In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).