diff options
Diffstat (limited to 'content/blog/2023-07-12-wireguard-lan.org')
| -rw-r--r-- | content/blog/2023-07-12-wireguard-lan.org | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/content/blog/2023-07-12-wireguard-lan.org b/content/blog/2023-07-12-wireguard-lan.org new file mode 100644 index 0000000..17696de --- /dev/null +++ b/content/blog/2023-07-12-wireguard-lan.org @@ -0,0 +1,143 @@ +#+title: Enable LAN Access in Mullvad Wireguard Conf Files +#+date: 2023-07-12 +#+description: Learn how to enable LAN access manually in Mullvad configuration files. +#+filetags: :linux: + +* Download Configuration Files from Mullvad +To begin, you'll need +[[https://mullvad.net/account/wireguard-config][Wireguard configuration +files from Mullvad]]. You can choose any of the options as you download +them. For example, I enabled the kill switch, selected all countries, +and selected a few content filters. + +Once downloaded, unzip the files and move them to the Wireguard folder +on your system. + +#+begin_src sh +cd ~/Downloads +unzip mullvad_wireguard_linux_all_all.zip +doas mv *.conf /etc/wireguard/ +#+end_src + +** Configuration File Layout +The default configuration files will look something like this: + +#+begin_src conf +[Interface] +# Device: <redacted> +PrivateKey = <redacted> +Address = <redacted> +DNS = <redacted> +PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT +PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT + +[Peer] +PublicKey = <redacted> +AllowedIPs = <redacted> +Endpoint = <redacted> +#+end_src + +#+begin_quote +Note: If you didn't select the kill switch option, you won't see the +=PostUp= and =PreDown= lines. In this case, you'll need to modify the +script below to simply append those lines to the =[Interface]= block. +#+end_quote + +* Editing the Configuration Files +Once you have the files, you'll need to edit them and replace the +=PostUp= and =PreDown= lines to enable LAN access. + +I recommend that you do this process as root, since you'll need to be +able to access files in =/etc/wireguard=, which are generally owned by +root. You can also try using =sudo= or =doas=, but I didn't test that +scenario so you may need to adjust, as necessary. + +#+begin_src sh +su +#+end_src + +Create the Python file that we'll be using to update the Wireguard +configuration files. + +#+begin_src sh +nano replace.py +#+end_src + +Within the Python file, copy and paste the logic below. This script will +open a directory, loop through every configuration file within the +directory, and replace the =PostUp= and =PreDown= lines with the new +LAN-enabled iptables commands. + +#+begin_quote +Note: If your LAN is on a subnet other than =192.168.1.0/24=, you'll +need to update the Python script below appropriately. + +#+end_quote + +#+begin_src python +import os +import fileinput + +print("--- starting ---") + +dir = "/etc/wireguard/" + +for file in os.listdir(dir): + print(os.path.join(dir, file)) + for line in fileinput.input(os.path.join(dir, file), inplace=True): + if "PostUp" in line: + print("PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") + elif "PreDown" in line: + print("PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") + else: + print(line, end="") + +print("--- done ---") +#+end_src + +Once you're done, save and close the file. You can now run the Python +script and watch as each file is updated. + +#+begin_src sh +python3 replace.py +#+end_src + +To confirm it worked, you can =cat= one of the configuration files to +inspect the new logic and connect to one to test it out. + +#+begin_src sh +cat /etc/wireguard/us-chi-wg-001.conf +#+end_src + +The configuration files should now look like this: + +#+begin_src conf +[Interface] +# Device: <redacted> +PrivateKey = <redacted> +Address = <redacted> +DNS = <redacted> +PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT +PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT + +[Peer] +PublicKey = <redacted> +AllowedIPs = <redacted> +Endpoint = <redacted> +#+end_src + +If you connect to a Wireguard interface, such as =us-chi-wg-001=, you +can test your SSH functionality and see that it works even while on the +VPN. + +#+begin_src sh +wg-quick up us-chi-wg-001 +ssh user@lan-host +#+end_src + +To confirm your VPN connection, you can curl Mullvad's connection API: + +#+begin_src sh +curl https://am.i.mullvad.net/connected +# You are connected to Mullvad (server us-chi-wg-001). Your IP address is <redacted> +#+end_src |