A platform for easily managing your cloud server and Wireguard access
A platform for easily managing your cloud server and Wireguard access
## What is Mistborn
# Table of Contents
[[_TOC_]]
# What is Mistborn
The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) comes from a type of powerful Allomancer in Brandon Sanderson's Cosmere.
The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) comes from a type of powerful Allomancer in Brandon Sanderson's Cosmere.
Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious and pornographic websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding services as I go so I made that easy to do.
Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious and pornographic websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding services as I go so I made that easy to do.
@ -18,7 +21,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
- [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
- [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
- [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
- [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
Within Mistborn is a panel to enable and manage these free extra services, locally hosted in Docker containers:
Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers:
- [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first
- [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first
- [Nextcloud](https://nextcloud.com): Nextcloud offers the industry-leading, on-premises content collaboration platform. It combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs.
- [Nextcloud](https://nextcloud.com): Nextcloud offers the industry-leading, on-premises content collaboration platform. It combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs.
- [BitWarden](https://bitwarden.com): Password manager. The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data.
- [BitWarden](https://bitwarden.com): Password manager. The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data.
@ -27,9 +30,18 @@ Within Mistborn is a panel to enable and manage these free extra services, local
- [Rocket.Chat](https://rocket.chat): Free, Open Source, Enterprise Team Chat.
- [Rocket.Chat](https://rocket.chat): Free, Open Source, Enterprise Team Chat.
- [Jellyfin](https://jellyfin.org): The Free Media Software System.
- [Jellyfin](https://jellyfin.org): The Free Media Software System.
- [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
- [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
- [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
- All of your devices are protected wherever they go with the Wireguard VPN protocol
- The Mistborn firewall blocks unsolicited incoming internet packets
- Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.)
## Installation
# Installation
Mistborn is regularly tested on Ubuntu 18.04 LTS. It has also been successfully used on Debian and Raspbian systems (though not regularly tested).
Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested).
Clone the git repository and run the install script:
Clone the git repository and run the install script:
@ -48,6 +60,8 @@ Running `install.sh` will do the following:
- install Cockpit
- install Cockpit
- create a `cockpit` system user
- create a `cockpit` system user
- configure unattended-upgrades
- configure unattended-upgrades
- generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)
- create and populate traefik.toml
- create `/opt/mistborn_volumes` and setup folders for services that will be mounted within
- create `/opt/mistborn_volumes` and setup folders for services that will be mounted within
- backup original contents of `/opt/mistborn_volumes` in `/opt/mistborn_backup`
- backup original contents of `/opt/mistborn_volumes` in `/opt/mistborn_backup`
- Pull docker images for base.yml
- Pull docker images for base.yml
@ -56,15 +70,15 @@ Running `install.sh` will do the following:
- copy Mistborn systemd service files to `/etc/systemd/system`
- copy Mistborn systemd service files to `/etc/systemd/system`
- start and enable Mistborn-base
- start and enable Mistborn-base
## Post-Installation
# Post-Installation
When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser along with an accompanying Wireguard configuration file and start the Wireguard service. You can watch all of this happen with:
When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser along with an accompanying Wireguard configuration file and start the Wireguard service. You can watch all of this happen with:
```
```
journalctl -xfu Mistborn-base
sudo journalctl -xfu Mistborn-base
```
```
The client Wireguard configuration file may be obtained via:
The client Wireguard configuration file may be obtained via:
Please notice that the following lines are **NOT** part of the Wireguard config:
Please notice that the following lines are **NOT** part of the Wireguard config:
```
```
@ -102,6 +116,7 @@ Endpoint = <Mistborn public IP address>:39207
- Run `sudo systemctl enable wg-quick@wg_admin`
- Run `sudo systemctl enable wg-quick@wg_admin`
- Open your browser and go to "http://home.mistborn"
- Open your browser and go to "http://home.mistborn"
- Browse your Mistborn system!
- Browse your Mistborn system!
**Note:** The home.mistborn server takes a minute to come up after Mistborn is up (collectstatic on all that frontend JavaScript and CSS)
## Wireguard Management
## Wireguard Management
Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves.
Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves.
@ -115,36 +130,58 @@ Mistborn makes extra services available.
Mistborn functions as a network firewall and provides metrics on blocked probes from the internet.
Mistborn functions as a network firewall and provides metrics on blocked probes from the internet.
Mistborn uses the following domains (that can be reached by all Wireguard clients):
| Service | Domain | Default Status |
| ------- | ------ | -------------- |
| **Home** | home.mistborn | On |
| **Pihole** | pihole.mistborn | On |
| **Cockpit** | cockpit.mistborn | On |
| Nextcloud | nextcloud.mistborn | Off |
| Rocket.Chat | chat.mistborn | Off |
| Home Assistant | homeassistant.mistborn | Off |
| Bitwarden | bitwarden.mistborn | Off |
| Jellyfin | jellyfin.mistborn | Off |
| Syncthing | syncthing.mistborn | Off |
| OnlyOffice | onlyoffice.mistborn | Off |
| Jitsi | jitsi.mistborn | Off |
# Troubleshooting
Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues:
Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues:
See if any docker containers are stopped:
See if any docker containers are stopped:
```
```
docker container ls -a
sudo docker container ls -a
```
```
Check the running log for Mistborn-base:
Check the running log for Mistborn-base:
```
```
journalctl -xfu Mistborn-base
sudo journalctl -xfu Mistborn-base
```
```
Mistborn-base is a systemd process and at any time restarting it should get you to a working state:
Mistborn-base is a systemd process and at any time restarting it should get you to a working state:
```
```
systemctl restart Mistborn-base
sudo systemctl restart Mistborn-base
```
```
The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with:
The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with:
```
```
wg show
sudo wg show
```
```
Note the Mistborn naming convention for Wireguard interfaces on the server is wg<listeningport>. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf`
Note the Mistborn naming convention for Wireguard interfaces on the server is wg<listeningport>. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf`
## Contact
The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system from the original backup:
```
sudo ./dev/rebuild.sh
```
# Contact
Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
Steven Foerster
6 years ago