From 11e19d87aa3d7fa3ae157b3e8cdf05ec14d80c30 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 1 Apr 2020 16:56:53 -0400 Subject: [PATCH] adding gateway to README --- README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/README.md b/README.md index cd8f12c..dd710af 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,17 @@ Mistborn protects your data in a variety of ways: - The Mistborn firewall blocks unsolicited incoming internet packets - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) +# Gateways +I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for. + +![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png)*Netflix blocking my connections that it sees coming from a DigitalOcean droplet* + +In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible). + +![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png) + +The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. + # Installation Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). 
@@ -147,6 +158,25 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | OnlyOffice | onlyoffice.mistborn | Off | | Jitsi | jitsi.mistborn | Off | +# Gateway Setup +Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand: + +## Gateway Requirements +- Wireguard (you can run the Mistborn Wireguard installer: `sudo bash /opt/mistborn/scripts/subinstallers/wireguard.sh`) +- Openresolv (a Wireguard dependency that is installed via the Mistborn Wireguard installer) +- Fail2ban + +## Install Gateway Wireguard config file +On Mistborn: +- Click `View Config` on the Gateways tab in Mistborn +- Highlight the config +- Copy (Ctrl-C) + +On Gateway: +- Paste the config to `/etc/wireguard/gateway.conf` +- Run `sudo systemctl start wg-quick@gateway` +- Run `sudo systemctl enable wg-quick@gateway` + # Troubleshooting Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues:
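Review bot: In the first hunk (README.md, `@@ -40,6 +40,17 @@`, the new "# Gateways" section), the paragraph starting "In Mistborn, Gateways are upstream from the VPN server" has two typos: "I setup a Gateway" should read "I set up a Gateway", and "will apear" should read "will appear". The last added line spells the blocker "pihole", while the unchanged context line directly above the additions spells it "Pi-hole"; use one spelling throughout the README. "No port-forwarding required (assuming Mistborn is publicly accessible)" would also be clearer if it said that the statement refers to the Gateway's network, since the parenthetical is the only hint.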
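Review bot: In the second hunk (README.md, `@@ -147,6 +158,25 @@`, the "On Gateway" steps), the config is pasted into `/etc/wireguard/gateway.conf` and the service is started with no step that restricts who can read the file. A wg-quick config holds the interface's private key, so add a step between the paste and `sudo systemctl start wg-quick@gateway`, for example `sudo chmod 600 /etc/wireguard/gateway.conf`, and note that the file should be owned by root. Two documentation points in the same hunk: the sentence ending "recommended to be installed beforehand:" is cut off from its list by the "## Gateway Requirements" heading and should move under that heading, and the text calls the generated artifact a "configuration script" in one place and a "config file" in the next heading. Fail2ban appears in the requirements with no word on what it should protect on the Gateway; one sentence on the intended use would help.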