Skip to content
This repository has been archived by the owner on Jul 11, 2024. It is now read-only.
/ mull-wg Public archive

Mullvad VPN wireguard inclusive split-tunnel via linux namespaces

0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Lcchy/mull-wg

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
scripts
scripts
 
 
systemd
systemd
 
 
.envrc
.envrc
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
default.nix
default.nix
 
 
install.sh
install.sh
 
 
login.sh
login.sh
 
 
module.nix
module.nix
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

ARCHIVED: integrated into dotfiles nixOS configuration.

Mullvad VPN wireguard split-tunnel via linux namespaces

Disclaimer: This is a personal project, use at your own risk.

The advantage of this approach is that, once set up, routing a program through the vpn can be done without root access. DNS requests go to the connected Mullvad server Default Mullvad server is de-ber-wg-005. The wireguard private key is generated locally and never shared.

Install (NixOS):

Install (standard way):

  • Install scripts and services: ./install.sh

Usage:

  • Generate wireguard key and register it with Mullvad: ./login.sh
  • Run a program through the vpn with firejail --noprofile --netns=mull-wg-ns example_cmd
  • Choose a different vpn server by writing its hostname (find them as /var/tmp/mull-wg/servers/.conf) in /var/tmp/mull-wg/loc. The systemd filesystem watcher will reload the namespace accordingly.

Namespace setup summary:

We initiate the wireguard interface in init (global) namespace and then move it to our custom namespace so that it remembers to route through init. We then set up the connection via wg, wg-quick seems inapropriate because of its own routing setup. Debug with: sudo ip netns exec mull-wg-ns wg show sudo ip netns exec mull-wg-ns ping wireguard.com

File structure after install:

In /var/tmp/mullvad-wg:

  • key : contains mullvad wg private key for device, root access.
  • device_ip : Assigned Mullvad interface ip for current device, root access.
  • servers/*.conf : mullvad wg server infos, unprotected, set by mull-wg-serv.service
  • loc : current server setting hostname, unprotected, set by user (or get_device_loc.py, wip)
  • scripts/* : program scripts, protected. start_mull_ns.sh then assembles the above to setup the namespace and connection

TODO:

  • Look into nsenter to replace firejail
  • Look into speedtests for server choice

Useful links:

About

Mullvad VPN wireguard inclusive split-tunnel via linux namespaces

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages