diff options
Diffstat (limited to 'content/blog/2023-07-12-wireguard-lan.org')
| -rw-r--r-- | content/blog/2023-07-12-wireguard-lan.org | 143 |
1 files changed, 0 insertions, 143 deletions
diff --git a/content/blog/2023-07-12-wireguard-lan.org b/content/blog/2023-07-12-wireguard-lan.org deleted file mode 100644 index 17696de..0000000 --- a/content/blog/2023-07-12-wireguard-lan.org +++ /dev/null @@ -1,143 +0,0 @@ -#+title: Enable LAN Access in Mullvad Wireguard Conf Files -#+date: 2023-07-12 -#+description: Learn how to enable LAN access manually in Mullvad configuration files. -#+filetags: :linux: - -* Download Configuration Files from Mullvad -To begin, you'll need -[[https://mullvad.net/account/wireguard-config][Wireguard configuration -files from Mullvad]]. You can choose any of the options as you download -them. For example, I enabled the kill switch, selected all countries, -and selected a few content filters. - -Once downloaded, unzip the files and move them to the Wireguard folder -on your system. - -#+begin_src sh -cd ~/Downloads -unzip mullvad_wireguard_linux_all_all.zip -doas mv *.conf /etc/wireguard/ -#+end_src - -** Configuration File Layout -The default configuration files will look something like this: - -#+begin_src conf -[Interface] -# Device: <redacted> -PrivateKey = <redacted> -Address = <redacted> -DNS = <redacted> -PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT -PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT - -[Peer] -PublicKey = <redacted> -AllowedIPs = <redacted> -Endpoint = <redacted> -#+end_src - -#+begin_quote -Note: If you didn't select the kill switch option, you won't see the -=PostUp= and =PreDown= lines. In this case, you'll need to modify the -script below to simply append those lines to the =[Interface]= block. -#+end_quote - -* Editing the Configuration Files -Once you have the files, you'll need to edit them and replace the -=PostUp= and =PreDown= lines to enable LAN access. - -I recommend that you do this process as root, since you'll need to be -able to access files in =/etc/wireguard=, which are generally owned by -root. You can also try using =sudo= or =doas=, but I didn't test that -scenario so you may need to adjust, as necessary. - -#+begin_src sh -su -#+end_src - -Create the Python file that we'll be using to update the Wireguard -configuration files. - -#+begin_src sh -nano replace.py -#+end_src - -Within the Python file, copy and paste the logic below. This script will -open a directory, loop through every configuration file within the -directory, and replace the =PostUp= and =PreDown= lines with the new -LAN-enabled iptables commands. - -#+begin_quote -Note: If your LAN is on a subnet other than =192.168.1.0/24=, you'll -need to update the Python script below appropriately. - -#+end_quote - -#+begin_src python -import os -import fileinput - -print("--- starting ---") - -dir = "/etc/wireguard/" - -for file in os.listdir(dir): - print(os.path.join(dir, file)) - for line in fileinput.input(os.path.join(dir, file), inplace=True): - if "PostUp" in line: - print("PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") - elif "PreDown" in line: - print("PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") - else: - print(line, end="") - -print("--- done ---") -#+end_src - -Once you're done, save and close the file. You can now run the Python -script and watch as each file is updated. - -#+begin_src sh -python3 replace.py -#+end_src - -To confirm it worked, you can =cat= one of the configuration files to -inspect the new logic and connect to one to test it out. - -#+begin_src sh -cat /etc/wireguard/us-chi-wg-001.conf -#+end_src - -The configuration files should now look like this: - -#+begin_src conf -[Interface] -# Device: <redacted> -PrivateKey = <redacted> -Address = <redacted> -DNS = <redacted> -PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT -PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT - -[Peer] -PublicKey = <redacted> -AllowedIPs = <redacted> -Endpoint = <redacted> -#+end_src - -If you connect to a Wireguard interface, such as =us-chi-wg-001=, you -can test your SSH functionality and see that it works even while on the -VPN. - -#+begin_src sh -wg-quick up us-chi-wg-001 -ssh user@lan-host -#+end_src - -To confirm your VPN connection, you can curl Mullvad's connection API: - -#+begin_src sh -curl https://am.i.mullvad.net/connected -# You are connected to Mullvad (server us-chi-wg-001). Your IP address is <redacted> -#+end_src |