
Mistborn Installation

mistborn-installation.png

What is Mistborn?

Mistborn is your own virtual private cloud platform and WebUI that manages self-hosted services and secures them with a firewall, a WireGuard VPN with Pi-hole and DNSCrypt, and IP filtering. It offers an optional SIEM and IDS and supports 2FA, Nextcloud, Jitsi, Home Assistant, and more.

Mistborn is the project of a man who wanted to provide a more secure browsing and online experience for himself and his family. Mistborn is not just a WireGuard server UI, but a host of open source, self-hosted applications that you can run in connection with the WireGuard network it sets up.

Visit the Mistborn project at this link.

Read the blog post Zero Trust VPN Suite Mistborn.

Get 20€ in cloud credits to get started with Hetzner via this link.

Installation

Use only Debian 12 as the operating system.

Mistborn is simple to install with a single command; follow along with the video.
git clone https://gitlab.com/cyber5k/mistborn.git
sudo -E bash ./mistborn/scripts/install.sh

Use an alphanumeric password only (letters and digits, no special characters) when the installer asks for one.

To set the root password, run passwd and enter the new password twice to confirm.
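Before running the installer it is worth checking the constraints above mechanically. The script below is an added example, not part of Mistborn and not from the original page: it checks that /etc/os-release describes Debian 12, that the clone you are about to run with sudo actually has the Mistborn GitLab URL as its origin, and that the password you intend to use is alphanumeric. The 12-character minimum is this example's own choice, not a requirement stated by the page or the installer.

```bash
#!/usr/bin/env bash
# Pre-flight checks before running Mistborn's install.sh.
# Added example; not part of Mistborn. The os-release path and the clone
# directory are parameters so the checks can be run against any file or directory.

MISTBORN_REPO='https://gitlab.com/cyber5k/mistborn.git'

# Return 0 if the given os-release file (default /etc/os-release) describes Debian 12.
# Matched with grep rather than sourced, so a doctored file cannot execute commands.
is_debian12() {
    local file="${1:-/etc/os-release}"
    grep -qx 'ID=debian' "$file" && grep -qxE 'VERSION_ID="?12"?' "$file"
}

# Return 0 if the directory is a git clone whose origin is the Mistborn repository,
# so "sudo -E bash ./mistborn/scripts/install.sh" runs the script you think it does.
clone_is_mistborn() {
    local dir="${1:-./mistborn}"
    [ "$(git -C "$dir" remote get-url origin 2>/dev/null)" = "$MISTBORN_REPO" ]
}

# Return 0 if the password is letters and digits only. The page asks for alphanumeric
# passwords; the minimum length of 12 is this example's own assumption, chosen because
# dropping symbols shrinks the alphabet and length has to compensate.
is_alnum_password() {
    printf '%s\n' "$1" | grep -qE '^[A-Za-z0-9]{12,}$'
}

# Run all checks interactively; returns non-zero on the first failure.
preflight() {
    is_debian12 || { echo "Mistborn is supported on Debian 12 only" >&2; return 1; }
    clone_is_mistborn ./mistborn || { echo "./mistborn is not a clone of $MISTBORN_REPO" >&2; return 1; }
    printf 'Password you will give the installer: '
    local pw
    IFS= read -rs pw; echo
    is_alnum_password "$pw" || { echo "Password must be alphanumeric and at least 12 characters" >&2; return 1; }
    echo "Pre-flight OK: now run 'sudo -E bash ./mistborn/scripts/install.sh'"
}

# Only run the interactive checks when invoked as: bash preflight.sh run
if [ "${1:-}" = run ]; then
    preflight
fi
```

Run it from the directory that contains the mistborn clone; each function can also be used on its own, for example is_debian12 /etc/os-release before deciding whether a VM image is suitable.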

Video Walkthrough

Configuration

The best part is configuring Mistborn. In this section we set up the DNS resolver and add some advanced Pi-hole adlists.

Cloudflare DoH

DNS over HTTPS (DoH) is a protocol for performing Domain Name System (DNS) resolution over HTTPS. DNS translates human-readable domain names (e.g., www.example.com) into the IP addresses (e.g., 192.0.2.1) that computers use to reach each other on the internet. Traditionally, DNS queries and responses are sent in plaintext over UDP or TCP, where anyone on the path (your ISP, a hotspot operator, an attacker on the local network) can read, intercept, or alter them.

Cloudflare markets its 1.1.1.1 resolver as the fastest public resolver, and it is the upstream this guide uses.

DoH improves the privacy and integrity of DNS by encrypting queries and responses with HTTPS. Third parties such as internet service providers (ISPs) or on-path attackers can no longer read which names you look up or forge the answers.

DoH wraps DNS requests in HTTPS requests, so they travel over the same kind of encrypted connection (TLS on port 443) as ordinary web traffic and are hard to single out for blocking. This helps against DNS-based censorship and filtering and against DNS spoofing by an on-path attacker. DoH is not a comprehensive privacy solution, however: the IP address of the server you then connect to, and usually the TLS SNI hostname, remain visible to network operators, and the resolver operator (here Cloudflare) still sees every query. In Mistborn the DoH client is dnscrypt-proxy on the server, which Pi-hole uses as its upstream; devices on the WireGuard tunnel send plain DNS to Pi-hole, protected by the tunnel's own encryption.

Setting up DoH

To set up DoH in Mistborn, edit the base.yml config file:

nano /opt/mistborn/base.yml

Scroll almost to the bottom of the file until you reach the dnscrypt-proxy service. On the line starting with DNSCRYPT_SERVER_NAMES=, remove everything after the equals sign and keep only ['cloudflare'], the name under which Cloudflare's DoH resolver appears in dnscrypt-proxy's public resolver list.

changing-to-cloudflare-doh.gif

Save and exit the config file, then reboot the server:

reboot
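The same edit can be scripted so it is repeatable, leaves a backup, and refuses to write if the line is not where it is expected. This is an added example, not Mistborn's own tooling and not from the original page. It assumes the line has the form described above (an environment entry DNSCRYPT_SERVER_NAMES=[...] under the dnscrypt-proxy service, with an optional leading "- ") and that cloudflare is the resolver name as listed in dnscrypt-proxy's public resolvers list; the file path defaults to /opt/mistborn/base.yml and can be overridden with BASE_YML.

```bash
#!/usr/bin/env bash
# Point Mistborn's dnscrypt-proxy at Cloudflare DoH by rewriting DNSCRYPT_SERVER_NAMES
# in base.yml. Added example, not part of Mistborn. Assumes the line looks like
#   - DNSCRYPT_SERVER_NAMES=['...']
# (optional leading "- ", value after "="), as this page describes.

BASE_YML="${BASE_YML:-/opt/mistborn/base.yml}"
LINE_RE='[[:space:]]*-?[[:space:]]*DNSCRYPT_SERVER_NAMES='

# Print the current value of DNSCRYPT_SERVER_NAMES (everything after "=").
get_dnscrypt_servers() {
    sed -nE "s/^${LINE_RE}(.*)$/\1/p" "$1"
}

# Replace the value with [$2], e.g. set_dnscrypt_servers base.yml "'cloudflare'".
# Resolver names in dnscrypt-proxy are plain [a-z0-9-] strings, so no sed escaping
# is needed. Keeps a timestamped backup and refuses to write if no line matched.
set_dnscrypt_servers() {
    local file="$1" servers="$2" tmp
    tmp=$(mktemp)
    sed -E "s/^(${LINE_RE}).*$/\1[${servers}]/" "$file" > "$tmp"
    if ! grep -qF "DNSCRYPT_SERVER_NAMES=[${servers}]" "$tmp"; then
        rm -f "$tmp"
        echo "no DNSCRYPT_SERVER_NAMES line found in $file; nothing changed" >&2
        return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    cat "$tmp" > "$file"      # write in place so ownership and mode are preserved
    rm -f "$tmp"
}

# Usage on the server (then reboot, as above): bash set-doh.sh run
if [ "${1:-}" = run ]; then
    set_dnscrypt_servers "$BASE_YML" "'cloudflare'" && get_dnscrypt_servers "$BASE_YML"
fi
```

After the reboot, confirm with get_dnscrypt_servers /opt/mistborn/base.yml that the value is ['cloudflare'] and then use the Cloudflare test page described in the next section from a VPN-connected device.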

Test your DNS

You can check that your queries are reaching Cloudflare at this test page by Cloudflare. Open it from a device connected to the WireGuard VPN, since that is the path you want to verify.

cloudflare-dns-test.png
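To see what DoH looks like in practice, and to compare the answer a WireGuard client gets through Pi-hole with the answer Cloudflare gives directly, the script below is an added example that is not from this page, Mistborn, or Cloudflare. It assumes curl and dig are installed, that Cloudflare's JSON API endpoint https://cloudflare-dns.com/dns-query is reachable, and that PIHOLE_IP is set to the Pi-hole address inside your WireGuard network; the JSON parsing functions are pure text processing and also work on a captured reply.

```bash
#!/usr/bin/env bash
# DoH in practice: query Cloudflare's DoH endpoint (JSON API) and compare with the
# answer seen through Mistborn's Pi-hole. Added example, not part of Mistborn.
# Assumptions: curl and dig installed; PIHOLE_IP set by the user for compare_paths.

DOH_URL='https://cloudflare-dns.com/dns-query'

# Resolve NAME (record TYPE, default A) over HTTPS. The DNS question travels inside
# a TLS connection to port 443, so an on-path observer sees only a connection to
# Cloudflare, not which name was asked for.
doh_query() {
    local name="$1" type="${2:-A}"
    curl -sS -H 'accept: application/dns-json' "${DOH_URL}?name=${name}&type=${type}"
}

# Pull the "data" field of each record in the Answer array of a JSON reply.
# Plain sed/grep parsing: fine for A, AAAA, CNAME, MX; TXT records that contain
# quotes would need a real JSON parser.
doh_answers() {
    printf '%s' "$1" | tr -d '\n' | grep -oE '"data": *"[^"]*"' | sed -E 's/^"data": *"([^"]*)"$/\1/'
}

# Response code from the reply: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN (RFC 1035 RCODEs).
doh_status() {
    printf '%s' "$1" | grep -oE '"Status": *[0-9]+' | head -n1 | sed -E 's/.*: *//'
}

# From a client on the WireGuard tunnel: the answer via Pi-hole (plain DNS, but inside
# the encrypted tunnel; Pi-hole then forwards through dnscrypt-proxy over DoH, as this
# page describes) next to the answer straight from Cloudflare. A difference usually
# means Pi-hole blocked the name (0.0.0.0) or the two paths hit different CDN nodes.
compare_paths() {
    local name="$1" reply
    echo "via Pi-hole ${PIHOLE_IP:?set PIHOLE_IP to the Pi-hole address in the tunnel}:"
    dig +short "$name" @"$PIHOLE_IP"
    reply=$(doh_query "$name")
    echo "via Cloudflare DoH (status $(doh_status "$reply")):"
    doh_answers "$reply"
}

# Usage: PIHOLE_IP=<pi-hole address> bash doh-check.sh run example.com
if [ "${1:-}" = run ]; then
    compare_paths "${2:-example.com}"
fi
```

If the direct DoH answer resolves but the Pi-hole path returns 0.0.0.0, the name is on one of your adlists, which is the behaviour the next section sets up.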

Pihole Configuration

Blocklists (adlists) are lists of domain names known to serve ads, tracking scripts, or malicious content. They are maintained by the Pi-hole community or third-party providers and are updated regularly. When a device on your network makes a DNS request, Pi-hole checks the requested domain against its blocklists. If the domain is found, Pi-hole answers with a null address (0.0.0.0 in its default blocking mode) instead of forwarding the query upstream, so the content never loads.

pihole-dashboard.png

Adding Blacklists

The following blacklists are tested and I am using them on all installations. There is no need to add more unless you need more specific ones; just search Google for "pihole blacklists" to find more.

OISD Blacklist

The OISD blocklist is a curated and well-maintained blocklist designed for DNS-based ad blockers like Pi-hole. Its primary goal is to block ads, tracking, and malicious domains effectively while keeping false positives to a minimum.

The list is the result of continuous work by its maintainer. It combines data from multiple sources, including other popular blocklists, user reports, and the maintainer's own research, and actively filters out false positives, so it aims to be a high-quality, low-maintenance choice.

Some key features of the OISD blacklist include:

  • Broad coverage: it blocks a wide range of unwanted content, including ads, tracking, malware, and phishing domains, so it can serve as a single, comprehensive blocklist.

  • Minimal false positives: the maintainer puts significant effort into removing legitimate domains that were mistakenly included, which reduces the chance of breaking essential or harmless content.

  • Regular updates: the list is updated frequently to keep up with new and changing domains. Pi-hole re-downloads subscribed lists whenever gravity is updated (weekly by default, or on demand with pihole -g).

  • Compatibility: the list works with various DNS-based ad blockers, including Pi-hole and AdGuard Home, so it fits into an existing setup.

To use the OISD blocklist with Pi-hole, add the URL of the list under Group Management > Adlists in the Pi-hole web interface and then update gravity (Tools > Update Gravity). Pi-hole downloads the list and uses it to filter DNS queries on your network.

https://big.oisd.nl/domains

The Blocklist Project

The Blocklist Project is an initiative that provides various blocklists designed to improve online security and privacy by blocking access to harmful or unwanted content. These blocklists are compatible with DNS-based ad blockers like Pi-hole, AdGuard Home, and other similar applications. The main goal of the Blocklist Project is to create and maintain high-quality lists targeting different categories of online threats and nuisances.

The blocklists provided by the Blocklist Project are divided into several categories, each focusing on specific types of unwanted content:

  • Ads: This blocklist contains domains known for serving advertisements, helping users to enjoy an ad-free browsing experience.

  • Tracking and telemetry: This blocklist targets domains associated with tracking, analytics, and data collection, aiming to protect user privacy while browsing the internet.

  • Malware: This blocklist focuses on domains that host or distribute malware, helping to protect users from various online threats, such as viruses, trojans, and ransomware.

  • Phishing: This blocklist includes domains associated with phishing scams, which attempt to deceive users into revealing sensitive information, such as login credentials or financial data.

  • Cryptomining: this blocklist targets domains involved in browser-based cryptomining, which uses a visitor's device resources to mine cryptocurrency without consent.

  • Piracy: This blocklist contains domains associated with illegal file-sharing or copyright-infringing content.

  • Social media and gaming: These blocklists include domains related to social media platforms and online gaming, which some users may want to block for productivity or parental control purposes.

In this case we want everything, so add the following URL to Adlists. Note that the combined list includes the piracy, social media, and gaming categories, so expect to whitelist a few domains afterwards (see Adding Whitelist below).

https://blocklistproject.github.io/Lists/everything.txt

Adding Whitelist

Adding a domain to the global whitelist is easy: enter the domain, tick "Add domain as wildcard", and save it to the whitelist. The wildcard option stores a regex of the form (\.|^)example\.com$, which allows the domain and all of its subdomains without also allowing unrelated names that merely end in the same text (notexample.com is not matched). A whitelist entry takes precedence over the adlists.

pihole-domain-whitelist.gif
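To check what the two adlists above plus a wildcard whitelist will do to a given name before you rely on them, the following added example (not Pi-hole's code and not from this page) reproduces Pi-hole's decision logic: adlists are normalised to bare domains, gravity matching is exact, and a wildcard whitelist entry becomes the regex (\.|^)domain\.tld$ that the web interface generates. It serves both the Adding Blacklists and Adding Whitelist sections. The sample lists used to exercise it are constructed; in practice you would point the functions at the downloaded oisd and Blocklist Project files.

```bash
#!/usr/bin/env bash
# Reproduce Pi-hole's block/allow decision for a domain from adlist files and a
# wildcard whitelist. Added example; not Pi-hole's code. Point the functions at
# real downloaded lists for a real check.

# Normalise an adlist to one bare, lowercase domain per line. Handles the two formats
# used by the lists on this page: bare domains (oisd) and hosts-file lines
# ("0.0.0.0 domain", Blocklist Project). Comments and blank lines are dropped.
normalize_list() {
    sed -E 's/#.*$//; s/^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+//; s/^[[:space:]]+//; s/[[:space:]]+$//' \
        | grep -v '^$' | tr 'A-Z' 'a-z' | sort -u
}

# The regex Pi-hole's web interface stores for "Add domain as wildcard": it matches
# the domain itself and any subdomain, but not e.g. notexample.com.
wildcard_regex() {
    local escaped
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(\\.|^)%s$\n' "$escaped"
}

# Decide for DOMAIN: return 0 = blocked, 1 = allowed.
#   $2 = normalised gravity file, $3 = file of whitelist regexes (one per line, may be empty)
# Whitelist wins over gravity; gravity matching is exact, so a listed "ads.example"
# does not block "cdn.ads.example" unless that name is listed too.
pihole_decide() {
    local domain gravity="$2" whitelist="$3"
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ -s "$whitelist" ] && printf '%s\n' "$domain" | grep -qEf "$whitelist"; then
        return 1
    fi
    grep -qxF "$domain" "$gravity"
}

# Convenience: build gravity from any number of list files, then report for a domain.
# Usage: check_domain metrics.example whitelist.txt oisd.txt everything.txt
check_domain() {
    local domain="$1" whitelist="$2" gravity
    shift 2
    gravity=$(mktemp)
    cat "$@" | normalize_list > "$gravity"
    if pihole_decide "$domain" "$gravity" "$whitelist"; then
        echo "$domain: blocked"
    else
        echo "$domain: allowed"
    fi
    rm -f "$gravity"
}
```

Because gravity matching is exact, a site that keeps working after you add a list is not necessarily whitelisted; it may simply use a subdomain the list does not contain. Conversely, a wildcard whitelist entry for a domain also re-allows every tracker hosted under that domain, so prefer the narrowest name that fixes the breakage.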

About Webnestify

Imagine a world where you can focus on your business and spend less time maintaining your cloud infrastructure. With Webnestify cloud-based solutions, we provide customized solutions for all types of companies to meet their needs, no matter how big or small they may be!

Read our reviews on Trustpilot!

Subscribe to our YouTube channel!

If you need to setup your own Docker instances or need help with security, visit our Docker deployment service.