Mullvad - full files. Fix typo in install script

2025-01-23 05:01:01 -05:00 · 2022-11-29 14:03:45 +00:00 · 2022-11-29 14:03:45 +00:00 · 0e1c255aeb
commit 0e1c255aeb
parent 97fa742c74
6 changed files with 110 additions and 3 deletions
--- a/mullvad.spec
+++ b/mullvad.spec
@ -1,5 +1,5 @@
 Name:           3isec-qubes-mullvad-vpn
-Version:       	1.0
+Version:       	1.1
 Release:        1%{?dist}
 Summary:        Set up a Mullvad wireguard proxy in Qubes

@ -44,7 +44,11 @@ You can, of course, use template-mullvad to create other VPN gateways.
 %install
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/srv/salt
+mkdir -p %{buildroot}/usr/bin
+mkdir -p %{buildroot}/usr/share/applications
 cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
+cp -rv %{SOURCE0}/qubes-setup-MullvadVPN.desktop %{buildroot}/usr/share/applications
+cp -rv %{SOURCE0}/setup_MullvadVPN.sh %{buildroot}/usr/bin/setup_MullvadVPN.sh

 %files
 %defattr(-,root,root,-)
@ -52,9 +56,8 @@ cp -rv %{SOURCE0}/  %{buildroot}/srv/salt

 %post
 if [ $1 -eq 1 ]; then
-  qubesctl state.apply mullvad.clone
-  qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
  qubesctl state.apply mullvad.create
+  qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
  qubesctl --skip-dom0 --targets=MullvadVPN state.apply mullvad.configure
 fi

@ -66,5 +69,7 @@ if [ $1 -eq 0 ]; then
 fi

 %changelog
+* Mon Nov 28 2022 unman <unman@thirdeyesecurity.org> - 1.1
+- Fix wireshark typo
 * Mon Aug 08 2022 unman <unman@thirdeyesecurity.org> - 1.0
 - First Build
--- a/mullvad/dns_hijack.sh
+++ b/mullvad/dns_hijack.sh
@ -0,0 +1,11 @@
+virtualif=`ip -o -4  addr show eth0|awk '{ print $4}'`
+vpndns1=10.8.0.1
+vpndns2=10.14.0.1
+iptables -F OUTPUT
+iptables -I FORWARD -o eth0 -j DROP
+iptables -I FORWARD -i eth0 -j DROP
+iptables -F PR-QBS -t nat
+iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
+iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
+iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
+iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2
--- a/mullvad/firewall.sh
+++ b/mullvad/firewall.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+#    Block forwarding of connections through upstream network device
+#    (in case the vpn tunnel breaks):
+iptables -I FORWARD -o eth0 -j DROP
+iptables -I FORWARD -i eth0 -j DROP
+ip6tables -I FORWARD -o eth0 -j DROP
+ip6tables -I FORWARD -i eth0 -j DROP
+
+#    Accept traffic to VPN
+iptables -P OUTPUT DROP
+iptables -F OUTPUT
+iptables -I OUTPUT -o lo -j ACCEPT
+
+#    Add the `qvpn` group to system, if it doesn't already exist
+if ! grep -q "^qvpn:" /etc/group ; then
+     groupadd -rf qvpn
+     sync
+fi
+sleep 2s
+
+#    Block non-VPN traffic to clearnet
+iptables -I OUTPUT -o eth0 -j DROP
+#    Allow traffic from the `qvpn` group to the uplink interface (eth0);
+#    Our VPN client will run with group `qvpn`.
+iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
+iptables -I OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
--- a/mullvad/install.sh
+++ b/mullvad/install.sh
@ -0,0 +1,38 @@
+#!/usr/bin/bash
+if [ "`id -u`" -ne 0 ]; then
+  exec sudo "$0"
+  exit 99
+fi
+target_file='/rw/config/wireguard.conf'
+cd /rw/config/vpn
+zenity --question --text="Do you have a zip file from Mullvad?" --ok-label="Yes" --cancel-label="No"
+if [ $? = 0 ] ; then
+  client_file=`zenity --file-selection`
+  if  [ $(mimetype -b $client_file) == "application/zip" ]; then
+    unzip -j -d /rw/config/vpn "$client_file"
+  else
+    zenity --error --text="That doesn't look like a zip file"
+    exit
+    fi
+fi
+zenity --question --text="Have you copied the wireguard config file to /rw/config/vpn/ ?" --ok-label="Yes" --cancel-label="No"
+if [ $? = 0 ] ; then
+  zenity --question --text="Please select the wireguard configuration file you want to use" --ok-label="OK" --cancel-label="No"
+  if [ $? = 0 ] ; then
+    client_file=`zenity --file-selection`
+    if grep -q '^PrivateKey' "$client_file" ; then
+      if [ "$client_file" != "$target_file" ]; then
+        cp $client_file $target_file
+      fi
+      zenity --info --text="Restart this qube. The VPN service will start automatically."
+    else
+     zenity --error --text="That doesn't look like a client config file"
+     exit
+    fi
+  else
+    zenity --error --text="You need a config file\nCheck with Mullvad VPN"
+    exit
+  fi
+else
+  exit
+fi
--- a/mullvad/qubes-setup-MullvadVPN.desktop
+++ b/mullvad/qubes-setup-MullvadVPN.desktop
@ -0,0 +1,10 @@
+[Desktop Entry]
+Type=Application
+Exec=setup_MullvadVPN.sh
+Path=/usr/bin
+Icon=qubes-manager
+Terminal=false
+Name=Setup Mullvad VPN
+GenericName=Setup Mullvad VPN
+StartupNotify=false
+Categories=Settings;X-XFCE-SettingsDialog
--- a/mullvad/setup_MullvadVPN.sh
+++ b/mullvad/setup_MullvadVPN.sh
@ -0,0 +1,17 @@
+#!/usr/bin/bash
+qvm-run MullvadVPN /home/user/install.sh
+if ! (qvm-firewall MullvadVPN|tail -n1 |grep -q '.*drop.*-.*-'.*-);then
+qvm-firewall MullvadVPN add --before 0 drop && qvm-firewall MullvadVPN del --rule-no 1
+fi
+endpoint=$(qvm-run -p MullvadVPN 'awk "/Endpoint/{print \$3}" /rw/config/wireguard.conf')
+IFS=":" read -r server_ip server_port  PORT <<< $endpoint
+if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*tcp.*53'); then
+qvm-firewall MullvadVPN add --before 0 proto=tcp dstports=53 accept
+fi
+if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*udp.*53'); then
+qvm-firewall MullvadVPN add --before 0 proto=udp dstports=53 accept
+fi
+if ! (qvm-firewall MullvadVPN |grep -q "$server_ip");then
+qvm-firewall MullvadVPN add --before 0 dsthost=$server_ip proto=udp dstports=$server_port accept
+fi
+