Securing Internet services on your home network
On the Client
If you are familiar with WireGuard already, you will probably notice the similarity between WireGuard's configuration file wg0.conf and the configuration file used on Mistborn. Hence the first step on the client is to install WireGuard. For Ubuntu up to and including version 19.10, the integration of a Personal Package Archive (PPA) is required [6]; from the Focal Fossa repository onward, you can retrieve the software directly using Apt. This method also works for many other distributions.
The next step is to copy the configuration file from the server terminal and store it as wg_admin.conf on the client in the previously created /etc/wireguard/ directory. Listing 2 shows an example; after this, start the virtual network interface via systemd (Listing 3, first two lines).
Listing 2
Example wg_admin.conf

# "10.15.91.2" - WireGuard Client Profile
[Interface]
Address = 10.15.91.2/32
# The use of DNS below effectively expands to:
# PostUp = echo nameserver 10.15.91.1 | resolvconf -a tun.%i -m 0 -x
# PostDown = resolvconf -d tun.%i
# If the use of resolvconf is not desirable, simply remove the DNS line
# and use a variant of the PostUp/PostDown lines above.
# The IP address of the DNS server that is available via the encrypted
# WireGuard interface is 10.15.91.1
DNS = 10.15.91.1
PrivateKey = cPPflVGsxVFw2/lMmhiFTXMmH345bGqoqArD/NgjiXU=

[Peer]
PublicKey = DfIV1urYZXqXKiU4rOSfO0Iu589pEO+59dHV5w5N0mU=
PresharedKey = Z1SO5NuAnZ7JhzVCuUnYOQLWOQYmMoqG0pG1SNXUlh0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = <Mistborn public IP address>:39207
Listing 3
Starting the Virtual Network Interface

$ sudo systemctl start wg-quick@wg_admin
$ sudo systemctl enable wg-quick@wg_admin
$ sudo systemctl status wg-quick@wg_admin
If you get an error message with the first command, follow up with the status command from the last line of Listing 3. If its output complains that resolvconf was not found, simply install the openresolv package afterwards and start the interface again.
If everything worked, now call up the interface in a web browser on http://home.mistborn. Depending on the hardware, it may take a few minutes to connect to the server, as it first has to create the containers.
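The steps above (copy the profile to /etc/wireguard/, then start it with wg-quick) are easy to get slightly wrong: a profile still containing the <Mistborn public IP address> placeholder, a truncated key, or a config file readable by every local user. The following POSIX shell script is an added example, not code from the article or from the Mistborn project. It checks a client profile for the fields wg-quick needs and then installs it with root-only (0600) permissions, since the file holds the private key. The function names, the sample profile and its keys (base64 of placeholder strings, not real WireGuard keys) are constructed for this example; the install directory defaults to /etc/wireguard but can be overridden for a dry run.

```shell
#!/bin/sh
# Added example (not part of the article or of Mistborn): validate a WireGuard
# client profile such as wg_admin.conf and install it with safe permissions.

# Return 0 if the file looks like a complete WireGuard client profile, 1 otherwise.
# Checks: both sections present, a 32-byte base64 key (43 chars + "=") on the
# PrivateKey and PublicKey lines, an AllowedIPs line, and an Endpoint that has a
# port and no unreplaced <placeholder>.
wg_conf_check() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    grep -q '^\[Interface\]' "$f" || { echo "missing [Interface] section" >&2; return 1; }
    grep -q '^\[Peer\]' "$f"      || { echo "missing [Peer] section" >&2; return 1; }
    for key in PrivateKey PublicKey; do
        grep -Eq "^$key *= *[A-Za-z0-9+/]{43}=$" "$f" \
            || { echo "$key missing or not a 32-byte base64 key" >&2; return 1; }
    done
    grep -Eq '^AllowedIPs *= *.+' "$f" || { echo "missing AllowedIPs" >&2; return 1; }
    grep -Eq '^Endpoint *= *[^<>]+:[0-9]+$' "$f" \
        || { echo "Endpoint missing, has no port, or still contains a <placeholder>" >&2; return 1; }
    return 0
}

# Install a checked profile into $2 (default /etc/wireguard) as mode 0600, the
# permissions wg-quick expects for a file that contains a private key.
# Prints the installed path on success.
wg_conf_install() {
    src="$1"; dir="${2:-/etc/wireguard}"
    wg_conf_check "$src" || return 1
    dest="$dir/$(basename "$src")"
    install -m 0600 "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Write a constructed sample profile to $1 with Endpoint $2. The keys are the
# base64 encoding of placeholder text, chosen only to have the right shape.
wg_sample_conf() {
    cat > "$1" <<EOF
# constructed sample - not a real Mistborn profile
[Interface]
Address = 10.15.91.2/32
DNS = 10.15.91.1
PrivateKey = cGxhY2Vob2xkZXIta2V5LWZvci1leGFtcGxlLW9ubHk=

[Peer]
PublicKey = cGxhY2Vob2xkZXItcHViLWZvci1leGFtcGxlLW9ubHk=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = $2
EOF
}

# Demonstration in a temporary directory: the filled-in profile installs, the one
# that still carries the template placeholder is rejected before installation.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc"
wg_sample_conf "$demo_dir/wg_admin.conf" "203.0.113.10:39207"
wg_conf_install "$demo_dir/wg_admin.conf" "$demo_dir/etc" && echo "installed"
wg_sample_conf "$demo_dir/wg_template.conf" "<Mistborn public IP address>:39207"
wg_conf_install "$demo_dir/wg_template.conf" "$demo_dir/etc" || echo "rejected"
```

Run it as root without the second argument to install into /etc/wireguard, then continue with the systemctl commands from Listing 3. The validator only checks the shape of the keys; whether they actually match the peer is decided by the handshake, which you can watch with sudo wg show.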
Getting Around
The default view after starting Mistborn is the Profile view where you can create new users, set up a gateway (more about this later), or set up new clients and profiles (Figure 5). Click on System in the left-hand sidebar. This takes you to the Pi-hole view (Figure 6) – Pi-hole is enabled by default – or the Cockpit administration interface. All services open in a separate tab.
Next up in the sidebar is Coppercloud, which lets you block or grant access to a given set of IP addresses via iptables. Lists entered here are converted to iptables rules at system startup and then executed.
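To make the Coppercloud idea concrete, here is an added example (not code from the article or from Coppercloud itself) of the conversion it describes: a text list of IPv4 addresses or CIDR ranges, one per line with # comments, is turned into iptables commands. The script prints the rules instead of executing them, so the list can be reviewed before anything touches the firewall, and it rejects malformed entries rather than passing them to iptables. The function names, the INPUT chain as the target of the rules, and the sample list are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the article or of Coppercloud): generate iptables
# rules from an address list, validating each entry first.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
ipv4_cidr_ok() {
    addr=${1%/*}
    case "$1" in
        */*) pfx=${1#*/}
             case "$pfx" in ''|*[!0-9]*) return 1;; esac
             [ "$pfx" -le 32 ] || return 1 ;;
    esac
    # only digits and dots may remain; this also keeps glob characters out of set --
    case "$addr" in ''|*[!0-9.]*) return 1;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one iptables rule per valid entry in list file $1 with target $2
# (DROP for a blocklist, ACCEPT for an allowlist). Blank lines and comments are
# ignored; malformed entries are reported on stderr and skipped.
coppercloud_rules() {
    list=$1; target=${2:-DROP}
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')   # and surrounding whitespace
        [ -n "$entry" ] || continue
        if ipv4_cidr_ok "$entry"; then
            printf 'iptables -A INPUT -s %s -j %s\n' "$entry" "$target"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done < "$list"
}

# Write a constructed sample blocklist to $1 (documentation ranges, plus three
# entries that must be rejected).
coppercloud_sample_list() {
    cat > "$1" <<'EOF'
# constructed example blocklist
198.51.100.0/24   # documentation range
203.0.113.7
300.1.1.1         # bad octet
10.0.0.0/33       # bad prefix
not-an-address
EOF
}

# Demonstration: two rules are printed, three warnings go to stderr.
demo_dir=$(mktemp -d)
coppercloud_sample_list "$demo_dir/block.txt"
coppercloud_rules "$demo_dir/block.txt" DROP
```

Piping the output into sh would apply the rules, but a list that is applied at every startup, as Coppercloud does, is worth loading into a dedicated chain and flushing first so that repeated runs do not accumulate duplicate rules.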
Under Manage Extra Services (Figure 7), you will find all the third-party services that Mistborn securely supports. Additional services like the Matrix messenger, GitLab, or various game servers are in development.
All of these services can be set up with the push of a button. As soon as you start a service, a green line appears to inform you that the start-up may take a few minutes. Using a Rasp Pi as the server, it took up to three minutes until a service was ready, depending on the complexity of the application.
Currently you have to refresh the web page manually to see whether the service is ready. After refreshing, you can start and use the respective application. You only need to start services once; after a restart, you can open them directly.
Finally, you'll find Metrics and Tests in the sidebar. Metrics provides an overview of the firewall's performance, while Tests provides port scanning, runs a DNS leak test, and displays the public IP address.
Gateway
For services like Netflix that do not work well with WireGuard, you can add a gateway. A gateway is another client that sits upstream of the VPN and makes proprietary services like Netflix think they are seeing the public IP address of the device running Netflix.
Mistborn does most of the setup for a gateway. As with other clients, you only need to store the configuration created by Mistborn in /etc/wireguard/gateway.conf on the client (Figure 8).
The configuration is created on the profile page below Gateways, where you first assign a name. Then press the Create button to create a profile, select the profile, and then copy the configuration file.
For mobile devices, you do this by scanning the displayed QR code. The setup for the gateway client is described in the documentation [7]. To get Mistborn running on Android devices, see the "Mistborn on Android" box. There is currently no viable solution for iOS.
Mistborn on Android
We also tested Mistborn on Android. The procedure is similar to that for other clients. First you create a new client with Mistborn. After you have installed WireGuard on your Android device, open the application and click on the plus sign in the lower right corner. In the menu that now appears, select Scan from QR Code and load the configuration directly. After you start WireGuard, you can start Mistborn in your browser.
There is one more hurdle with Android. Some of the services in Extras require Transport Layer Security (TLS). To satisfy this requirement, Mistborn creates a certificate with a 10-year validity period during the installation on the server. You can import it on your Android device by tapping Security | Additional settings | Encryption and credentials | Install from store and importing the certificate found at /opt/mistborn_volumes/base/tls/cert.crt on the server. The developer has promised a download button for the certificate soon.