A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor Wireguard VPN access
A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor Wireguard VPN access
*Wireguard Management in Mistborn*
# Table of Contents
# Table of Contents
[[_TOC_]]
[[_TOC_]]
@ -48,7 +50,12 @@ Tested Operating Systems (in order of thoroughness):
- Ubuntu 20.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 18.04 LTS
- Debian 10 (Buster)
- Debian 10 (Buster)
- Raspbian Buster
- Raspberry Pi OS (formerly Raspbian) Buster
**Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
Tested Browsers:
- Firefox
The default tests are run on DigitalOcean Droplets: 2GB RAM, 1 CPU, 50GB hard disk.
The default tests are run on DigitalOcean Droplets: 2GB RAM, 1 CPU, 50GB hard disk.
@ -56,22 +63,22 @@ The Mistborn docker images exist for these architectures:
@ -106,19 +113,24 @@ We were getting frustrated at being forced to choose between being connected to
*Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
*Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home (Mistborn on DigitalOcean) then all Wireguard profiles created with this Gateway will appear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home (Raspberry Pi with `wireguard` and `openresolv` installed) and with our Mistborn on DigitalOcean, all Wireguard profiles created with this Gateway will appear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
# Client to client communication
By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle.
Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Additionally tested on Ubuntu 20.04 LTS.
Mistborn is regularly tested on Ubuntu 20.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Make sure to install OS updates and restart before installing Mistborn (Wireguard installs differently on recent kernels).
Clone the git repository and run the install script:
Clone the git repository and run the install script:
```
```
git clone https://gitlab.com/cyber5k/mistborn.git
git clone https://gitlab.com/cyber5k/mistborn.git
sudo bash ./mistborn/scripts/install.sh
sudo -E bash ./mistborn/scripts/install.sh
```
```
Running `install.sh` will do the following:
Running `install.sh` will do the following:
@ -129,8 +141,8 @@ Running `install.sh` will do the following:
- install Docker
- install Docker
- install OpenSSH
- install OpenSSH
- install Wireguard
- install Wireguard
- install Cockpit
- install Cockpit (optional)
- create a `cockpit` system user
- create a `cockpit` system user (if Cockpit is installed)
- configure unattended-upgrades
- configure unattended-upgrades
- generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)
- generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)
- create and populate traefik.toml
- create and populate traefik.toml
@ -152,7 +164,7 @@ See the environment variables needed in `./scripts/noninteractive/.install_bareb
This will perform a noninteractive install with the default environment variables set in `.install_barebones`.
This will perform a noninteractive install with the default environment variables set in `.install_barebones`.
You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/`
# Gateway Setup
# Gateway Setup
Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand:
Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand:
@ -312,7 +326,7 @@ But wait, there's more! You can:
Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings.
Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away.
The TLS certificate can be found here:
The TLS certificate can be found here:
```
```
@ -341,17 +355,48 @@ If Mistborn is installed via SSH then an iptables rule is added allowing externa
SSH is permitted from any device connected to Mistborn by Wireguard.
SSH is permitted from any device connected to Mistborn by Wireguard.
Password authentication in enabled. Mistborn disables password authentication for root. Fail2ban blocks IPs with excessive failed login attempts.
Password authentication in enabled. Fail2ban blocks IPs with excessive failed login attempts.
You can SSH using the Mistborn domain when connected by Wireguard:
You can SSH using the Mistborn domain when connected by Wireguard:
```
```
ssh user@home.mistborn
ssh user@home.mistborn
```
```
## How do I change the upstream DNSCrypt servers?
The upstream servers used by dnscrypt-proxy are set in:
`base.yml`:
```
services:
...
dnscrypt-proxy:
...
environment:
...
- DNSCRYPT_SERVER_NAMES=[...]
```
The available options are here: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
# Troubleshooting
# Troubleshooting
Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so there's usually no need to bother with TLS certs (WebRTC functionality and some mobile apps require TLS so it is available). Here are some things to check if you have issues:
Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so there's usually no need to bother with TLS certs (WebRTC functionality and some mobile apps require TLS so it is available). Here are some things to check if you have issues:
Check if you can ping an external IP address:
```
ping 1.1.1.1
```
Check if you can resolve local DNS queries:
```
dig home.mistborn
```
Check if you can resolve external DNS queries:
```
dig cyber5k.com
```
See if any docker containers are stopped:
See if any docker containers are stopped:
```
```
sudo docker container ls -a
sudo docker container ls -a
@ -378,6 +423,9 @@ The `dev/` folder contains a script for completing a hard reset: destroying and
sudo ./dev/rebuild.sh
sudo ./dev/rebuild.sh
```
```
## Troubleshooting Wireguard
Ensure that your public IP address in your client profile (e.g. `Endpoint = <Mistborn public IP address>:<random port>`) is actually publicly available (not in 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) if you are attempting to access Mistborn across the internet.
## Troubleshooting Extra Services
## Troubleshooting Extra Services
Each extra service has its own systemd process which can be monitored:
Each extra service has its own systemd process which can be monitored:
```
```
@ -434,14 +482,14 @@ These are some notes regarding the technical design and implementations of Mistb
## Firewall
## Firewall
- **IPtables**: Iptables rules and chains are manipulated directly. If UFW is present it is disabled. IPtables-persistent is used to save a simple set of secure default rules (most importantly setting the INPUT and FORWARD policies to DROP and allowing ESTABLISHED and RELATED traffic) that will be effective immediately upon system startup. Additional rules and chains are created by Docker on startup. Mistborn also creates some iptables chains during installation that are saved in the persistent rules. Mistborn iptables chains and rules are designed to work with Docker's with logic that is easy to follow. A power cycle will always result in a working state.
- **IPtables**: Iptables rules and chains are manipulated directly. If UFW is present it is disabled. IPtables-persistent is used to save a simple set of secure default rules (most importantly setting the INPUT and FORWARD policies to DROP and allowing ESTABLISHED and RELATED traffic) that will be effective immediately upon system startup. Additional rules and chains are created by Docker on startup. Mistborn also creates some iptables chains during installation that are saved in the persistent rules. Mistborn iptables chains and rules are designed to work with Docker's with logic that is easy to follow. A power cycle will always result in a working state.
- **PostUp/PostDown**: Wireguard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each Wireguard client individually.
- **PostUp/PostDown**: Wireguard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each Wireguard client individually.
- **Wireguard**: There is a one-to-one mapping between each Wireguard client and server instance listening on Mistborn. By design Wireguard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc.)
- **Wireguard**: There is a one-to-one mapping between each Wireguard client and server instance listening on Mistborn. By default Wireguard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc). Toggling the "client-to-client" option will enable direct client-to-client communication.
- **Metrics**: In addition to the iptables INPUT policy set to DROP, an iptables chain exists that logs the packet meta data before dropping it. Mistborn redirects packets that will be dropped to this chain instead. A summary of the data about these dropped packets (unsolicited network traffic) can be found on the Metrics page.
- **Metrics**: In addition to the iptables INPUT policy set to DROP, an iptables chain exists that logs the packet meta data before dropping it. Mistborn redirects packets that will be dropped to this chain instead. A summary of the data about these dropped packets (unsolicited network traffic) can be found on the Metrics page.
- **Coppercloud**: Coppercloud works by populating ipsets with the ipset module in iptables to DROP (blacklist) or ACCEPT (whitelist) a given set of IP addresses. Upon system startup a celery task will compile the IP addresses, create the ipsets, and iptables rules.
- **Coppercloud**: Coppercloud works by populating ipsets with the ipset module in iptables to DROP (blacklist) or ACCEPT (whitelist) a given set of IP addresses. Upon system startup a celery task will compile the IP addresses, create the ipsets, and iptables rules.
## Additonal Notes
## Additonal Notes
- Interface names are not hardcoded anywhere in Mistborn. Two commands that are used in different circumstances to determine the default network interface and the interface that would route a public IP address are: `ip -o -4 route show to default` and `ip -o -4 route get 1.1.1.1`.
- Interface names are not hardcoded anywhere in Mistborn. Two commands that are used in different circumstances to determine the default network interface and the interface that would route a public IP address are: `ip -o -4 route show to default` and `ip -o -4 route get 1.1.1.1`.
- The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted.
- The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted.
- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 10 years. The nanny at Apple has decided to restrict the kinds of certificates iOS users may choose to manually trust and so you may have issues with TLS on an Apple device for now.
- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
- Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
- Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
- Unattended upgrades are set to automatically install operating system security updates.
- Unattended upgrades are set to automatically install operating system security updates.
@ -457,6 +505,9 @@ Many features and refinements are in the works at various stages including:
- Internal network scan tool and feedback
- Internal network scan tool and feedback
- Anomaly detection in network traffic
- Anomaly detection in network traffic
# Follow
You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k)
# Contact
# Contact
Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
@ -465,4 +516,5 @@ Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
Please consider supporting the project via:
Please consider supporting the project via:
- [Paypal.me](https://paypal.me/cyber5k)
- [Paypal.me](https://paypal.me/cyber5k)
- [Buy me a drink](https://www.buymeacoffee.com/cyber5k)
read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface)? [Y/n]: " MISTBORN_INSTALL_COCKPIT
read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/""$JITSI_PROD_FILE"
sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/""$JITSI_PROD_FILE"
sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/""$JITSI_PROD_FILE"
sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/""$JITSI_PROD_FILE"
sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/""$JITSI_PROD_FILE"
sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/""$JITSI_PROD_FILE"
Steven Foerster
5 years ago