merge org branch into main

1 files changed, 143 insertions, 0 deletions

diff --git a/content/blog/2023-07-12-wireguard-lan.org b/content/blog/2023-07-12-wireguard-lan.org
new file mode 100644
index 0000000..17696de
--- /dev/null
+++ b/content/blog/2023-07-12-wireguard-lan.org
@@ -0,0 +1,143 @@
+#+title: Enable LAN Access in Mullvad Wireguard Conf Files
+#+date: 2023-07-12
+#+description: Learn how to enable LAN access manually in Mullvad configuration files.
+#+filetags: :linux:
+
+* Download Configuration Files from Mullvad
+To begin, you'll need
+[[https://mullvad.net/account/wireguard-config][Wireguard configuration
+files from Mullvad]]. You can choose any of the options as you download
+them. For example, I enabled the kill switch, selected all countries,
+and selected a few content filters.
+
+Once downloaded, unzip the files and move them to the Wireguard folder
+on your system.
+
+#+begin_src sh
+cd ~/Downloads
+unzip mullvad_wireguard_linux_all_all.zip
+doas mv *.conf /etc/wireguard/
+#+end_src
+
+** Configuration File Layout
+The default configuration files will look something like this:
+
+#+begin_src conf
+[Interface]
+# Device: <redacted>
+PrivateKey = <redacted>
+Address = <redacted>
+DNS = <redacted>
+PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+
+[Peer]
+PublicKey = <redacted>
+AllowedIPs = <redacted>
+Endpoint = <redacted>
+#+end_src
+
+#+begin_quote
+Note: If you didn't select the kill switch option, you won't see the
+=PostUp= and =PreDown= lines. In this case, you'll need to modify the
+script below to simply append those lines to the =[Interface]= block.
+#+end_quote
+
+* Editing the Configuration Files
+Once you have the files, you'll need to edit them and replace the
+=PostUp= and =PreDown= lines to enable LAN access.
+
+I recommend that you do this process as root, since you'll need to be
+able to access files in =/etc/wireguard=, which are generally owned by
+root. You can also try using =sudo= or =doas=, but I didn't test that
+scenario so you may need to adjust, as necessary.
+
+#+begin_src sh
+su
+#+end_src
+
+Create the Python file that we'll be using to update the Wireguard
+configuration files.
+
+#+begin_src sh
+nano replace.py
+#+end_src
+
+Within the Python file, copy and paste the logic below. This script will
+open a directory, loop through every configuration file within the
+directory, and replace the =PostUp= and =PreDown= lines with the new
+LAN-enabled iptables commands.
+
+#+begin_quote
+Note: If your LAN is on a subnet other than =192.168.1.0/24=, you'll
+need to update the Python script below appropriately.
+
+#+end_quote
+
+#+begin_src python
+import os
+import fileinput
+
+print("--- starting ---")
+
+dir = "/etc/wireguard/"
+
+for file in os.listdir(dir):
+    print(os.path.join(dir, file))
+    for line in fileinput.input(os.path.join(dir, file), inplace=True):
+        if "PostUp" in line:
+            print("PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT")
+        elif "PreDown" in line:
+            print("PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT")
+        else:
+            print(line, end="")
+
+print("--- done ---")
+#+end_src
+
+Once you're done, save and close the file. You can now run the Python
+script and watch as each file is updated.
+
+#+begin_src sh
+python3 replace.py
+#+end_src
+
+To confirm it worked, you can =cat= one of the configuration files to
+inspect the new logic and connect to one to test it out.
+
+#+begin_src sh
+cat /etc/wireguard/us-chi-wg-001.conf
+#+end_src
+
+The configuration files should now look like this:
+
+#+begin_src conf
+[Interface]
+# Device: <redacted>
+PrivateKey = <redacted>
+Address = <redacted>
+DNS = <redacted>
+PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+
+[Peer]
+PublicKey = <redacted>
+AllowedIPs = <redacted>
+Endpoint = <redacted>
+#+end_src
+
+If you connect to a Wireguard interface, such as =us-chi-wg-001=, you
+can test your SSH functionality and see that it works even while on the
+VPN.
+
+#+begin_src sh
+wg-quick up us-chi-wg-001
+ssh user@lan-host
+#+end_src
+
+To confirm your VPN connection, you can curl Mullvad's connection API:
+
+#+begin_src sh
+curl https://am.i.mullvad.net/connected
+# You are connected to Mullvad (server us-chi-wg-001). Your IP address is <redacted>
+#+end_src