Merge branch 'master' into 53-wifi

README.md

@@ -1,5 +1,5 @@
 # Mistborn
-A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and Wireguard VPN access
+A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor Wireguard VPN access
 
 # Table of Contents
 [[_TOC_]]
@@ -13,6 +13,7 @@ Ideal for teams who:
 - hate internet ads
 - need to be protected from malicious internet domains
 - need to collaborate securely
+- need multi-factor authentication for Wireguard
 - want to retain sole ownership of their data
 - want to easily grant and revoke access to people and devices via a simple web interface
 - want secure internet access wherever they are
@@ -214,6 +215,30 @@ Mistborn makes extra services available.
 Mistborn functions as a network firewall and provides metrics on blocked probes from the internet.
 ![Mistborn Metrics](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_metrics.png)*Mistborn Firewall Metrics*
 
+# Authentication
+There are multiple ways to authenticate and use the system. 
+
+![Mistborn Multi Factor Authentication - Authenticator App Setup](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_qr.png)*Mistborn Multi Factor Authentication - Authenticator App Setup*
+
+## Profile: Wireguard Authentication
+Mistborn always authenticates with Wireguard. You must have a valid Wireguard configuration file associated with the correct internal IP address. A classic Mistborn profile (Wireguard Only) will allow you to access the internet and all services hosted by Mistborn once you have connected via Wireguard. Note: individual services may require passwords or additional authentication.
+
+## Profile: Multi Factor Authentication (MFA)
+In addition to Wireguard, you may create a Mistborn profile enabling multi-factor authentication (MFA). You must first connect to Mistborn via Wireguard. Then all internet traffic will route you to the Mistborn webserver where you must first setup and thereafter authenticate with an app (Google Authenticator, Authy, etc.). You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process.
+
+![Mistborn Multi Factor Authentication](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa1.png)*Mistborn Multi Factor Authentication Prompt*
+
+### MFA Internet Access
+Internet access is blocked via iptables until authentication is completed for an MFA profile. You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process. Click "Sign Out" to re-block internet access until authentication completes again.
+
+![Mistborn Multi Factor Authentication - Token Prompt](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_token_enter.png)*Mistborn Multi Factor Authentication - Token Prompt*
+
+### MFA Mistborn Service Access
+Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will redirect you to [http://home.mistborn](http://home.mistborn) where you must complete the authentication process. Click "Sign Out" to re-block access until authentication completes again.
+
+### Notes
+- **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task).
+
 # Mistborn Subdomains
 Mistborn uses the following domains (that can be reached by all Wireguard clients):
 
@@ -389,6 +414,14 @@ DNS = 10.2.3.1
 ```
 Close the config and restart the client Wireguard process.
 
+## Troubleshooting Raspberry Pi OS (Raspbian)
+Be sure to always reboot after updating the kernel. When the kernel is updated the kernel modules are deleted (for the currently running kernel) and you will have issues with any function requiring kernel modules (e.g. `iptables` or `wireguard`).
+
+**Note**: The Raspberry Pi OS 64-bit BETA (versions from May 2020 and prior) have a bug where the os-release info indicates that it is Debian. Mistborn proceeds to install as though it were Debian. Since it's not Debian there are errors.
+
+## Troubleshooting Debian 10
+Run updates and restart before installing Mistborn (`sudo apt-get update && sudo apt-get -y dist-upgrade && sudo shutdown -r now`). Some older Linux kernels will prevent newer Wireguard versions from installing.
+
 # Technical and Security Insights
 These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details.
 

compose/production/traefik/traefik.toml.template

@@ -96,6 +96,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.pihole]
     backend = "pihole"
     passHostHeader = true
+    [frontends.pihole.auth]
+      [frontends.pihole.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.pihole.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.pihole.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.pihole.routes.dr1]
@@ -104,6 +110,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.homeassistant]
     backend = "homeassistant"
     passHostHeader = true
+    [frontends.homeassistant.auth]
+      [frontends.homeassistant.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.homeassistant.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.homeassistant.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.homeassistant.routes.dr1]
@@ -112,6 +124,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.syncthing]
     backend = "syncthing"
     passHostHeader = true
+    [frontends.syncthing.auth]
+      [frontends.syncthing.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.syncthing.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.syncthing.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.syncthing.routes.dr1]
@@ -120,6 +138,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.rocketchat]
     backend = "rocketchat"
     passHostHeader = true
+    [frontends.rocketchat.auth]
+      [frontends.rocketchat.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.rocketchat.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.rocketchat.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.rocketchat.routes.dr1]
@@ -128,6 +152,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.nextcloud]
     backend = "nextcloud"
     passHostHeader = true
+    [frontends.nextcloud.auth]
+      [frontends.nextcloud.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.nextcloud.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.nextcloud.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.nextcloud.routes.dr1]
@@ -136,6 +166,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.onlyoffice]
     backend = "onlyoffice"
     passHostHeader = true
+    [frontends.onlyoffice.auth]
+      [frontends.onlyoffice.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.onlyoffice.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.onlyoffice.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.onlyoffice.routes.dr1]
@@ -144,6 +180,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.bitwarden]
     backend = "bitwarden"
     passHostHeader = true
+    [frontends.bitwarden.auth]
+      [frontends.bitwarden.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.bitwarden.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.bitwarden.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.bitwarden.routes.dr1]
@@ -152,6 +194,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.jellyfin]
     backend = "jellyfin"
     passHostHeader = true
+    [frontends.jellyfin.auth]
+      [frontends.jellyfin.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.jellyfin.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.jellyfin.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.jellyfin.routes.dr1]
@@ -160,6 +208,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.jitsi]
     backend = "jitsi"
     passHostHeader = true
+    [frontends.jitsi.auth]
+      [frontends.jitsi.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.jitsi.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.jitsi.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.jitsi.routes.dr1]
@@ -168,6 +222,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.raspap]
     backend = "raspap"
     passHostHeader = true
+    [frontends.raspap.auth]
+      [frontends.raspap.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.raspap.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.raspap.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.raspap.routes.dr1]
@@ -176,6 +236,12 @@ defaultEntryPoints = ["http", "https"]
   [frontends.cockpit]
     backend = "cockpit"
     passHostHeader = true
+    [frontends.cockpit.auth]
+      [frontends.cockpit.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.cockpit.auth.forward.tls]
+          insecureSkipVerify = true
     [frontends.cockpit.headers]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.cockpit.routes.dr1]

scripts/env/setup.sh

@@ -4,10 +4,10 @@ VAR_FILE=/opt/mistborn/.env
 
 source /opt/mistborn/scripts/subinstallers/platform.sh
 
-MISTBORN_DNS_BIND_IP="0.0.0.0"
-if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
-    MISTBORN_DNS_BIND_IP="10.2.3.1"
-fi
+MISTBORN_DNS_BIND_IP="10.2.3.1"
+#if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
+#    MISTBORN_DNS_BIND_IP="10.2.3.1"
+#fi
 
 echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}

scripts/install.sh

@@ -2,6 +2,8 @@
 
 set -e
 
+export DEBIAN_FRONTEND=noninteractive
+
 ## ensure run as nonroot user
 #if [ "$EUID" -eq 0 ]; then
 MISTBORN_USER="mistborn"
@@ -97,7 +99,7 @@ git submodule update --init --recursive
 sudo apt-get update
 
 # install figlet
-sudo apt-get install -y figlet
+sudo -E apt-get install -y figlet
 
 # get os and distro
 source ./scripts/subinstallers/platform.sh
@@ -114,7 +116,7 @@ fi
 
 
 # SSH Server
-sudo apt-get install -y openssh-server
+sudo -E apt-get install -y openssh-server
 sudo sed -i 's/#PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
 sudo sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
 sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
@@ -125,13 +127,13 @@ sudo systemctl enable ssh
 sudo systemctl restart ssh
 
 # Additional tools fail2ban
-sudo apt-get install -y dnsutils fail2ban
+sudo -E apt-get install -y dnsutils fail2ban
 
 # Install kernel headers
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
-    sudo apt install -y linux-headers-$(uname -r)
+    sudo -E apt install -y linux-headers-$(uname -r)
 elif [ "$DISTRO" == "raspbian" ]; then
-    sudo apt-get install -y raspberrypi-kernel-headers
+    sudo -E apt install -y raspberrypi-kernel-headers
 fi
 
 # Wireugard
@@ -143,7 +145,7 @@ sudo systemctl enable docker
 sudo systemctl start docker
 
 # Unattended upgrades
-sudo apt-get install -y unattended-upgrades
+sudo -E apt-get install -y unattended-upgrades
 
 # Cockpit
 if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
@@ -204,6 +206,7 @@ sudo mkdir -p ../mistborn_volumes/extra
 
 # Traefik final setup (cockpit)
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh
 sudo rm -rf ../mistborn_volumes/base/tls

scripts/subinstallers/cockpit.sh

@@ -17,11 +17,11 @@ elif [ "$DISTRO" == "raspbian" ]; then
 
 fi
     
-sudo apt-get install -y cockpit
+sudo -E apt-get install -y cockpit
 
 if $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ; then
     # no longer supported upstream in Ubuntu 20.04
-    sudo apt-get install -y cockpit-docker
+    sudo -E apt-get install -y cockpit-docker
 fi
 
 sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf

scripts/subinstallers/docker.sh

@@ -4,11 +4,11 @@
 figlet "Mistborn: Installing Docker"
 
 sudo apt update
-sudo apt install -y python python3-pip python3-setuptools libffi-dev python3-dev libssl-dev
+sudo -E apt install -y python python3-pip python3-setuptools libffi-dev python3-dev libssl-dev
 
 if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
     echo "Automated Docker install"
-    sudo apt-get install -y docker-compose
+    sudo -E apt-get install -y docker-compose
 else
     echo "Manual Docker installation"
     source ./scripts/subinstallers/docker_manual.sh

scripts/subinstallers/docker_manual.sh

@@ -2,7 +2,7 @@
 
 # dependencies
 echo "Installing Docker dependencies"
-sudo apt-get install -y \
+sudo -E apt-get install -y \
     apt-transport-https \
     ca-certificates \
     curl \
@@ -42,9 +42,9 @@ echo "Installing docker"
 sudo apt-get update
 
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
-    sudo apt-get install -y docker-ce docker-ce-cli containerd.io
+    sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io
 elif [ "$DISTRO" == "raspbian" ]; then
-    sudo apt install -y --no-install-recommends \
+    sudo -E apt install -y --no-install-recommends \
     docker-ce \
     cgroupfs-mount
 fi
@@ -59,7 +59,7 @@ echo "Installing Docker Compose"
 #    sudo chmod +x /usr/local/bin/docker-compose
 #elif [ "$DISTRO" == "raspbian" ]; then
 # Install required packages
-sudo apt install -y python-backports.ssl-match-hostname
+sudo -E apt install -y python-backports.ssl-match-hostname
 
 # Install Docker Compose from pip
 # This might take a while

scripts/subinstallers/gen_prod_env.sh

@@ -20,6 +20,8 @@ echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE
 echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
 
 # generate production .env file for postgresql
 POSTGRES_PROD_FILE="./.envs/.production/.postgres"

scripts/subinstallers/iptables.sh

@@ -46,7 +46,8 @@ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 # if installing over SSH, add SSH rule
 if [ ! -z "${SSH_CLIENT}" ]; then
     SSH_SRC=$(echo $SSH_CLIENT | awk '{print $1}')
-    sudo iptables -A INPUT -p tcp -s $SSH_SRC --dport 22 -j ACCEPT
+    SSH_PRT=$(echo $SSH_CLIENT | awk '{print $3}')
+    sudo iptables -A INPUT -p tcp -s $SSH_SRC --dport $SSH_PRT -j ACCEPT
 fi
 
 # docker rules
@@ -102,7 +103,7 @@ if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
     echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
     
     # install
-    sudo apt-get install -y iptables-persistent ipset
+    sudo -E apt-get install -y iptables-persistent ipset
 else
     echo "Saving iptables rules"
     sudo bash -c "iptables-save > /etc/iptables/rules.v4"

scripts/subinstallers/openssl.sh

@@ -8,7 +8,7 @@ CRT_PATH="$KEY_FOLDER/$CRT_FILE"
 KEY_PATH="$KEY_FOLDER/$KEY_FILE"
 
 # ensure openssl installed
-sudo apt-get install -y openssl
+sudo -E apt-get install -y openssl
 
 # make folder
 mkdir -p $KEY_FOLDER

scripts/subinstallers/wireguard.sh

@@ -11,7 +11,7 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
     # Wireguard
     if [ "$DISTRO" == "raspbian" ]; then
         echo "Adding Wireguard repo keys"
-        sudo apt-get install -y dirmngr
+        sudo -E apt-get install -y dirmngr
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
@@ -29,4 +29,4 @@ fi
 
 echo "Installing Wireguard"
 sudo apt-get update
-sudo apt-get install -y openresolv wireguard
+sudo -E apt-get install -y openresolv wireguard

scripts/update.sh

@@ -2,17 +2,23 @@
 
 set -e
 
+export DEBIAN_FRONTEND=noninteractive
+
 sudo git -C /opt/mistborn pull
 sudo git -C /opt/mistborn submodule update --init --recursive
 
 # ensure mistborn-cli is installed
 sudo pip3 install -e /opt/mistborn/modules/mistborn-cli
 
+# handle updates to Mistborn systemd scripts
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=mistborn/"
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 
+# handle updates to traefik
+sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml
+
 sudo systemctl daemon-reload
 sudo systemctl enable Mistborn-setup.service
 sudo systemctl restart Mistborn-setup.service