diff --git a/mullvad.spec b/mullvad.spec
index 262067d..b749e10 100644
--- a/mullvad.spec
+++ b/mullvad.spec
@@ -1,5 +1,5 @@
 Name: 3isec-qubes-mullvad-vpn
-Version: 1.0
+Version: 1.1
 Release: 1%{?dist}
 Summary: Set up a Mullvad wireguard proxy in Qubes
@@ -44,7 +44,11 @@ You can, of course, use template-mullvad to create other VPN gateways.
 %install
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/srv/salt
+mkdir -p %{buildroot}/usr/bin
+mkdir -p %{buildroot}/usr/share/applications
 cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
+cp -rv %{SOURCE0}/qubes-setup-MullvadVPN.desktop %{buildroot}/usr/share/applications
+cp -rv %{SOURCE0}/setup_MullvadVPN.sh %{buildroot}/usr/bin/setup_MullvadVPN.sh
 %files
 %defattr(-,root,root,-)
@@ -52,9 +56,8 @@ cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
 %post
 if [ $1 -eq 1 ]; then
- qubesctl state.apply mullvad.clone
- qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
 qubesctl state.apply mullvad.create
+ qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
 qubesctl --skip-dom0 --targets=MullvadVPN state.apply mullvad.configure
 fi
@@ -66,5 +69,7 @@ if [ $1 -eq 0 ]; then
 fi
 %changelog
+* Mon Nov 28 2022 unman - 1.1
+- Fix wireshark typo
 * Mon Aug 08 2022 unman - 1.0
 - First Build
diff --git a/mullvad/dns_hijack.sh b/mullvad/dns_hijack.sh
new file mode 100644
index 0000000..7106201
--- /dev/null
+++ b/mullvad/dns_hijack.sh
@@ -0,0 +1,11 @@
+virtualif=`ip -o -4 addr show eth0|awk '{ print $4}'`
+vpndns1=10.8.0.1
+vpndns2=10.14.0.1
+iptables -F OUTPUT
+iptables -I FORWARD -o eth0 -j DROP
+iptables -I FORWARD -i eth0 -j DROP
+iptables -F PR-QBS -t nat
+iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
+iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
+iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
+iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2
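Review bot: The two new `cp -rv` lines install files under %{buildroot}/usr/bin and %{buildroot}/usr/share/applications, but the %files list that begins at the end of this hunk is not touched anywhere in the diff; unless entries for `/usr/bin/setup_MullvadVPN.sh` and `/usr/share/applications/qubes-setup-MullvadVPN.desktop` already exist outside the hunk, rpmbuild stops with "Installed (but unpackaged) file(s) found". The earlier `cp -rv %{SOURCE0}/ %{buildroot}/srv/salt` already copies both files into /srv/salt as well, so they will be packaged twice. `install -m 0755 %{SOURCE0}/setup_MullvadVPN.sh %{buildroot}/usr/bin/` and `install -m 0644 %{SOURCE0}/qubes-setup-MullvadVPN.desktop %{buildroot}/usr/share/applications/` would be the conventional form for the two explicit copies and fix the installed modes regardless of the source tree's umask. The %files section continues outside the hunk.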
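Review bot: With `mullvad.clone` dropped, `state.apply mullvad.install` is now targeted at template-mullvad after `mullvad.create` rather than after a clone step, and nothing in the scriptlet states which state is expected to bring template-mullvad into existence; if `mullvad.create` does not do that (not visible here), the targeted call has nothing to act on and the scriptlet carries no error handling to surface it. A one-line comment above the first `qubesctl` call, `# mullvad.create must run first: the later targeted states need template-mullvad and MullvadVPN to exist`, would document the ordering this reorder depends on. Separately, the changelog entry in the last hunk ("Fix wireshark typo") does not describe the reorder or the new launcher files; the %post scriptlet's closing lines are outside this hunk.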
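Review bot: `$virtualif` is used unquoted in the four `-d` matches, and `ip -o -4 addr show eth0 | awk '{ print $4}'` prints one `addr/prefix` per address, so with more than one IPv4 address on eth0 the expansion splits into several arguments and iptables rejects the rule, while a prefix other than /32 turns the DNAT into a subnet-wide match instead of this qube's own address; `virtualif=$(ip -o -4 addr show eth0 | awk 'NR==1{ print $4}')` together with `-d "${virtualif%/*}"` pins the rules to the first address. The `-I FORWARD -o eth0 -j DROP` / `-i eth0 -j DROP` pair is also inserted by firewall.sh in this same commit and neither script checks for an existing rule, so each run stacks another copy; `iptables -C FORWARD -o eth0 -j DROP 2>/dev/null || iptables -I FORWARD -o eth0 -j DROP` (and the same for the -i rule, in both scripts) keeps them idempotent. `iptables -F OUTPUT` on the fourth line also wipes whatever firewall.sh placed in OUTPUT, so if this script runs after it the `lo` and `qvpn` ACCEPT rules are gone while the OUTPUT policy stays DROP; the intended run order of the two scripts is not visible in the diff. Finally, the two `--to $vpndns2` rules can never match because the `$vpndns1` rules precede them in PR-QBS, so they provide no failover; a header comment saying the second resolver is a placeholder rather than a fallback would save the next reader the question.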
diff --git a/mullvad/firewall.sh b/mullvad/firewall.sh
new file mode 100644
index 0000000..e404a5e
--- /dev/null
+++ b/mullvad/firewall.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Block forwarding of connections through upstream network device
+# (in case the vpn tunnel breaks):
+iptables -I FORWARD -o eth0 -j DROP
+iptables -I FORWARD -i eth0 -j DROP
+ip6tables -I FORWARD -o eth0 -j DROP
+ip6tables -I FORWARD -i eth0 -j DROP
+
+# Accept traffic to VPN
+iptables -P OUTPUT DROP
+iptables -F OUTPUT
+iptables -I OUTPUT -o lo -j ACCEPT
+
+# Add the `qvpn` group to system, if it doesn't already exist
+if ! grep -q "^qvpn:" /etc/group ; then
+ groupadd -rf qvpn
+ sync
+fi
+sleep 2s
+
+# Block non-VPN traffic to clearnet
+iptables -I OUTPUT -o eth0 -j DROP
+# Allow traffic from the `qvpn` group to the uplink interface (eth0);
+# Our VPN client will run with group `qvpn`.
+iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
+iptables -I OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
diff --git a/mullvad/install.sh b/mullvad/install.sh
new file mode 100755
index 0000000..e74898c
--- /dev/null
+++ b/mullvad/install.sh
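Review bot: The last line, `iptables -I OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT`, is inserted above the `-o eth0 -j DROP` added four lines earlier, so every local process — not only the `qvpn` group — may send DNS straight to the uplink, which undercuts the kill switch the `# Block non-VPN traffic to clearnet` comment describes and is a DNS-leak path from the VPN qube itself (downstream clients are already redirected into the tunnel by the PR-QBS DNAT in dns_hijack.sh). If the rule exists so the client can resolve a hostname Endpoint, `iptables -I OUTPUT -o eth0 -p udp --dport 53 -m owner --gid-owner qvpn -j ACCEPT` keeps that working; if Endpoint is always an address, as setup_MullvadVPN.sh assumes by splitting it on `:`, the rule can go. The IPv6 side only blocks FORWARD: without `ip6tables -P OUTPUT DROP` and `ip6tables -I OUTPUT -o lo -j ACCEPT`, locally generated v6 traffic is not covered by the policy at all, which matters if the qube ever holds a global v6 address. A short header comment stating the resulting OUTPUT order (DNS, qvpn, eth0 DROP, lo) would make the `-I` stacking readable.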
@@ -0,0 +1,38 @@
+#!/usr/bin/bash
+if [ "`id -u`" -ne 0 ]; then
+ exec sudo "$0"
+ exit 99
+fi
+target_file='/rw/config/wireguard.conf'
+cd /rw/config/vpn
+zenity --question --text="Do you have a zip file from Mullvad?" --ok-label="Yes" --cancel-label="No"
+if [ $? = 0 ] ; then
+ client_file=`zenity --file-selection`
+ if [ $(mimetype -b $client_file) == "application/zip" ]; then
+ unzip -j -d /rw/config/vpn "$client_file"
+ else
+ zenity --error --text="That doesn't look like a zip file"
+ exit
+ fi
+fi
+zenity --question --text="Have you copied the wireguard config file to /rw/config/vpn/ ?" --ok-label="Yes" --cancel-label="No"
+if [ $? = 0 ] ; then
+ zenity --question --text="Please select the wireguard configuration file you want to use" --ok-label="OK" --cancel-label="No"
+ if [ $? = 0 ] ; then
+ client_file=`zenity --file-selection`
+ if grep -q '^PrivateKey' "$client_file" ; then
+ if [ "$client_file" != "$target_file" ]; then
+ cp $client_file $target_file
+ fi
+ zenity --info --text="Restart this qube. The VPN service will start automatically."
+ else
+ zenity --error --text="That doesn't look like a client config file"
+ exit
+ fi
+ else
+ zenity --error --text="You need a config file\nCheck with Mullvad VPN"
+ exit
+ fi
+else
+ exit
+fi
diff --git a/mullvad/qubes-setup-MullvadVPN.desktop b/mullvad/qubes-setup-MullvadVPN.desktop
new file mode 100644
index 0000000..860fe1e
--- /dev/null
+++ b/mullvad/qubes-setup-MullvadVPN.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Type=Application
+Exec=setup_MullvadVPN.sh
+Path=/usr/bin
+Icon=qubes-manager
+Terminal=false
+Name=Setup Mullvad VPN
+GenericName=Setup Mullvad VPN
+StartupNotify=false
+Categories=Settings;X-XFCE-SettingsDialog
diff --git a/mullvad/setup_MullvadVPN.sh b/mullvad/setup_MullvadVPN.sh
new file mode 100755
index 0000000..d03b618
--- /dev/null
+++ b/mullvad/setup_MullvadVPN.sh
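Review bot: `cp $client_file $target_file` writes the WireGuard private key (the `grep -q '^PrivateKey'` just above shows the file holds one) with whatever mode the user-chosen file carries, and it is the one place in the script where `$client_file` is left unquoted; `cp -- "$client_file" "$target_file" && chmod 0600 "$target_file"` keeps the key readable by root only and survives paths with spaces. The zip branch has the same quoting gap: when the chooser is cancelled `$client_file` is empty and `[ $(mimetype -b $client_file) == "application/zip" ]` becomes a malformed test, whereas `[ "$(mimetype -b "$client_file")" = "application/zip" ]` simply fails. Every error branch ends with a bare `exit` (status 0), so the dom0 caller in setup_MullvadVPN.sh cannot tell a cancelled run from a successful one; `exit 1` on those paths lets it stop before it touches the firewall. The `-j` on the unzip call is worth keeping and worth a comment (`# -j: ignore archive paths so a crafted zip cannot write outside /rw/config/vpn`).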
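Review bot: `Exec=setup_MullvadVPN.sh` relies on the launcher's PATH lookup; the `Path=/usr/bin` key below it sets the working directory, not the search path, so `Exec=/usr/bin/setup_MullvadVPN.sh` would remove that dependency and match where mullvad.spec installs the script. With `Terminal=false` any stderr output from the script is discarded, so its failures are invisible from this launcher unless the script itself reports through a dialog.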
@@ -0,0 +1,17 @@
+#!/usr/bin/bash
+qvm-run MullvadVPN /home/user/install.sh
+if ! (qvm-firewall MullvadVPN|tail -n1 |grep -q '.*drop.*-.*-'.*-);then
+qvm-firewall MullvadVPN add --before 0 drop && qvm-firewall MullvadVPN del --rule-no 1
+fi
+endpoint=$(qvm-run -p MullvadVPN 'awk "/Endpoint/{print \$3}" /rw/config/wireguard.conf')
+IFS=":" read -r server_ip server_port PORT <<< $endpoint
+if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*tcp.*53'); then
+qvm-firewall MullvadVPN add --before 0 proto=tcp dstports=53 accept
+fi
+if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*udp.*53'); then
+qvm-firewall MullvadVPN add --before 0 proto=udp dstports=53 accept
+fi
+if ! (qvm-firewall MullvadVPN |grep -q "$server_ip");then
+qvm-firewall MullvadVPN add --before 0 dsthost=$server_ip proto=udp dstports=$server_port accept
+fi
+
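Review bot: `server_ip` and `server_port` come from inside the MullvadVPN qube (the `qvm-run -p` output of a user-supplied wireguard.conf) and are then used unquoted in dom0 — as the regex in `grep -q "$server_ip"` and as `dsthost=$server_ip proto=udp dstports=$server_port` — so dom0 acts on VM-controlled text without validating it; a guard such as `[[ "$server_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$server_port" =~ ^[0-9]{1,5}$ ]] || { printf 'unusable Endpoint in wireguard.conf\n' >&2; exit 1; }` before the firewall calls, together with `grep -qF -- "$server_ip"` and `dsthost="$server_ip" proto=udp dstports="$server_port"`, keeps the trust boundary where Qubes places it (widen the pattern to hostname characters if hostname endpoints are meant to work). That guard also covers the cancelled-install case: install.sh exits 0 on every path and its status is not checked on line 2, so when no config exists `endpoint` is empty, `grep -q ""` matches every rule and the last block is skipped silently. In the first condition `'.*drop.*-.*-'.*-` leaves `.*-` outside the quotes, where it is subject to pathname expansion in dom0's working directory; `grep -q '.*drop.*-.*-.*-'` is what was meant.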