COVID-19 has forced many people to work from home, relying on Internet services for file sharing, videoconferencing, and more. In addition to outside threats that exploit the current situation, security risks within the services themselves also pose a problem. For instance, the videoconferencing platform Zoom [1], which has had an influx of users since the beginning of the pandemic, can hardly keep up with the task of closing its security gaps.

To avoid these pitfalls, Steven Foerster, the developer of security software at Cyber5k, needed an easy-to-implement security solution for all his family's Internet activities. The result is the Mistborn [2] project on GitLab, which is exclusively based on free software. (The name comes from the epic fantasy book series of the same name by Brandon Sanderson.)

Mistborn offers the script-controlled setup of a VPN tunnel with WireGuard, as well as ad-blocking with Pi-hole using DNSCrypt [3] (Figure 1). In addition, Mistborn lets you activate and manage other services, such as Nextcloud, Cockpit, Syncthing, Rocket.Chat, Home Assistant, Jellyfin, Bitwarden, ONLYOFFICE, Tor, and Jitsi.

Figure 1: With Mistborn, all traffic runs through a WireGuard tunnel. Access from outside is controlled by the integrated firewall. © 2019, Steven Foerster

Setup

In our lab, we used Mistborn on a Lenovo ThinkPad X220 as the server and a ThinkPad X230 as the client, both with Ubuntu 20.04 LTS (Focal Fossa). You control the software via a web interface from any device.

The developer recommends 1GB RAM and 15GB memory for WireGuard with Pi-hole. If you want to use the Cockpit management tool, you need at least 2GB RAM. If services like Jitsi Meet, Nextcloud, Jellyfin, Rocket.Chat, Home Assistant, or ONLYOFFICE enter into play, you need at least 4GB RAM, which also increases the storage space requirement to around 25GB. For videoconferences with Jitsi Meet, 10GB bandwidth is optimal.

Alternatively, you can run Mistborn in the cloud, as long as the cloud environment supports PostgreSQL databases. Options are available for about one dollar per month.

Static IP and DDNS

If you install Mistborn on a device on your home network, it requires a static IP address [4]. If the services will be available only on your LAN, it is sufficient to give the computer a private static address. This can usually be easily done via the router configuration or the operating system.

The easiest way to obtain a fixed public IP address is to use one of the many dynamic DNS (DDNS) service providers. Some routers, such as the AVM FRITZ!Box, offer DDNS as part of their software.

You can install Mistborn directly or via SSH. If the installation is taking place via SSH, the setup creates an iptables rule that allows future connections via SSH from the same IP address, but blocks all other external connections. The PC continues to accept internal connections via the WireGuard tunnel. The same applies to installation on remote devices via SSH.

All services in Mistborn run in Docker containers. Mistborn automatically sets up and manages the containers for you. It also dynamically creates iptables rules as required to prevent external data traffic via the containers.

Installation

For the basic Mistborn installation, the script does most of the work leaving you little to do besides reading the output in the terminal as a matter of interest. The first two lines in Listing 1 set up the software. The first line downloads the script from GitLab; the second line starts the actual installation (Figure 2). This takes place below /opt/mistborn/.

$ git clone https://gitlab.com/cyber5k/mistborn.git
$ sudo bash ./mistborn/scripts/install.sh
$ sudo mistborn-cli getconf

Figure 2: You can install Mistborn quickly on the server with two commands. After that, you only have to enter a password; the rest is automatic.

On the laptop, the process took about 15 minutes on a fast network (Figure 3). For a list of installation steps, visit Mistborn's GitLab page [5]. When prompted to install the resource-hungry Cockpit management tool on a Raspberry Pi, answer no unless you absolutely need it.

Figure 3: The installation took about 15 minutes on the X220 laptop used as the server. However, if the network connection is slow or you are installing on a Rasp Pi, the process may take longer.

After the installation success message, wait another minute and then create the configuration with the command from the last line of Listing 1 (Figure 4).

Figure 4: During the test phase, the developer replaced the initially complex command for creating a configuration for WireGuard on the client with a simpler command.