diff options
| author | Christian Cleberg <hello@cleberg.net> | 2023-12-02 11:23:08 -0600 |
|---|---|---|
| committer | Christian Cleberg <hello@cleberg.net> | 2023-12-02 11:23:08 -0600 |
| commit | caccd81c3eb7954662d20cab10cc3afeeabca615 (patch) | |
| tree | 567ed10350c1ee319c178952ab6aa48265977e58 /blog/2023-07-12-mullvad-wireguard-lan.org | |
| download | cleberg.net-caccd81c3eb7954662d20cab10cc3afeeabca615.tar.gz cleberg.net-caccd81c3eb7954662d20cab10cc3afeeabca615.tar.bz2 cleberg.net-caccd81c3eb7954662d20cab10cc3afeeabca615.zip | |
initial commit
Diffstat (limited to 'blog/2023-07-12-mullvad-wireguard-lan.org')
| -rw-r--r-- | blog/2023-07-12-mullvad-wireguard-lan.org | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/blog/2023-07-12-mullvad-wireguard-lan.org b/blog/2023-07-12-mullvad-wireguard-lan.org new file mode 100644 index 0000000..ef6a045 --- /dev/null +++ b/blog/2023-07-12-mullvad-wireguard-lan.org @@ -0,0 +1,142 @@ ++++ +date = 2023-07-12T19:31:00 +title = "Enabling LAN Access in Mullvad Wireguard Conf Files" +description = "" ++++ + +## Download Configuration Files from Mullvad + +To begin, you'll need [Wireguard configuration files from +Mullvad](https://mullvad.net/account/wireguard-config). +You can choose any of the options as you download them. +For example, I enabled the kill switch, selected all countries, and selected a +few content filters. + +Once downloaded, unzip the files and move them to the Wireguard folder on your +system. + +```sh +cd ~/Downloads +unzip mullvad_wireguard_linux_all_all.zip +doas mv *.conf /etc/wireguard/ +``` + +### Configuration File Layout + +The default configuration files will look something like this: + +```conf +[Interface] +# Device: <redacted> +PrivateKey = <redacted> +Address = <redacted> +DNS = <redacted> +PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT +PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT + +[Peer] +PublicKey = <redacted> +AllowedIPs = <redacted> +Endpoint = <redacted> +``` + +> Note: If you didn't select the kill switch option, you won't see the `PostUp` +> and `PreDown` lines. +> In this case, you'll need to modify the script below to simply append those +> lines to the `[Interface]` block. + +## Editing the Configuration Files + +Once you have the files, you'll need to edit them and replace the `PostUp` and +`PreDown` lines to enable LAN access. + +I recommend that you do this process as root, since you'll need to be able to +access files in `/etc/wireguard`, which are generally owned by root. +You can also try using `sudo` or `doas`, but I didn't test that scenario so you +may need to adjust, as necessary. + +```sh +su +``` + +Create the Python file that we'll be using to update the Wireguard configuration +files. + +```sh +nano replace.py +``` + +Within the Python file, copy and paste the logic below. +This script will open a directory, loop through every configuration file within +the directory, and replace the `PostUp` and `PreDown` lines with the new +LAN-enabled iptables commands. + +> Note: If your LAN is on a subnet other than `192.168.1.0/24`, you'll need to +> update the Python script below appropriately. + +```python +import os +import fileinput + +print("--- starting ---") + +dir = "/etc/wireguard/" + +for file in os.listdir(dir): + print(os.path.join(dir, file)) + for line in fileinput.input(os.path.join(dir, file), inplace=True): + if "PostUp" in line: + print("PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") + elif "PreDown" in line: + print("PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") + else: + print(line, end="") + +print("--- done ---") +``` + +Once you're done, save and close the file. You can now run the Python script +and watch as each file is updated. + +```sh +python3 replace.py +``` + +To confirm it worked, you can `cat` one of the configuration files to inspect +the new logic and connect to one to test it out. + +```sh +cat /etc/wireguard/us-chi-wg-001.conf +``` + +The configuration files should now look like this: + +```conf +[Interface] +# Device: <redacted> +PrivateKey = <redacted> +Address = <redacted> +DNS = <redacted> +PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT +PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT + +[Peer] +PublicKey = <redacted> +AllowedIPs = <redacted> +Endpoint = <redacted> +``` + +If you connect to a Wireguard interface, such as `us-chi-wg-001`, you can test +your SSH functionality and see that it works even while on the VPN. + +```sh +wg-quick up us-chi-wg-001 +ssh user@lan-host +``` + +To confirm your VPN connection, you can curl Mullvad's connection API: + +```sh +curl https://am.i.mullvad.net/connected +# You are connected to Mullvad (server us-chi-wg-001). Your IP address is <redacted> +``` |