Introduction (to this post)
A week ago there was a discussion in a Lemmy shitpost community that mentioned Obscura.
It acts as a first hop to Mullvad, with a fairly limited number of its servers.
As someone mentioned, it only supports macOS, iOS, and whatever supports WireGuard.
So I tried to pay for it.
First, I am displeased that there’s no way to just upload a public key; instead, it generates the entire config, along with the private key, in the browser.
Second, I can’t see a list of servers and ports like on Mullvad’s site, and the reason is…
Third, only one combination of entry + exit node per config is possible. It seems to just assign a port on the selected entry node and forward it to the specified Mullvad exit node.
And there are just 3 slots!!!

I can use the same key with another config’s combination, but if I remove the config, that port gets closed. So yeah, I can’t just have many configs saved for different servers with the same private key.
But then I thought, is the public key allowed on all Mullvad servers? Yes it is.
After all, it should be just a hop through them.
Setting up Mullvad VPN client for Obscura
First, once you have Mullvad VPN installed, open the GUI, and create an account. Perhaps this step can be skipped, but that’s a simple way to get the config created.
Next, quit the GUI and stop mullvad-daemon:
sudo systemctl stop mullvad-daemon
Now, open your Obscura WireGuard config in some text editor that you can copy from.
Next, open /etc/mullvad-vpn/device.json as root. E.g.:
sudo vim /etc/mullvad-vpn/device.json
Remove the account number, private key, IPv4, and IPv6 field values. I also removed the “id”, though I don’t know if that one would have caused issues.
If you keep the account number, you will just get an expiration message.
Next, replace the private key, IPv4 and IPv6 with those from the Obscura WireGuard config.
Here’s an example of how that may look (data in example is invalid):
WG config:
# Exit: Mullvad ca-tor-wg-002 in Toronto, CA
[Interface]
PrivateKey = eNZ0Lr3jpE18o/KSVISHCi/wDWW5DgD6VCCEduKgkFI=
Address = 10.0.0.1/32, fc00:bbbb:bbbb:0:0:0:0:1/128
DNS = 10.64.0.1
[Peer]
PublicKey = iqZSgVlU9H67x/uYE5xsnzLCDXf7FL9iMfyKfl6WsV8=
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = 95.173.193.232:46906
PersistentKeepalive = 15
Mullvad device.json:
{
  "logged_in": {
    "account_number": "",
    "device": {
      "id": "",
      "name": "obscura key",
      "wg_data": {
        "private_key": "eNZ0Lr3jpE18o/KSVISHCi/wDWW5DgD6VCCEduKgkFI=",
        "addresses": {
          "ipv4_address": "10.0.0.1/32",
          "ipv6_address": "fc00:bbbb:bbbb:0:0:0:0:1/128"
        },
        "created": "1970-01-01T00:00:00.000000000Z"
      },
      "hijack_dns": false,
      "created": "1970-01-01T00:00:00Z"
    }
  }
}
The name has no effect in this case; it’s just what you see in the app. I don’t know whether the other fields matter. I left them as they were.
Now you can once again start mullvad-daemon.
sudo systemctl start mullvad-daemon
You should now be able to connect to servers just as usual. But we have yet to add the Obscura server. The account page won’t work, as there’s no account.

Following the example above, we add an IP override for our exit node:
mullvad relay override set ipv4 ca-tor-wg-002 95.173.193.232
Lastly, we need to use the correct port. As per our example, in the Mullvad app, go to Settings -> VPN Settings -> Anti-censorship -> WireGuard port -> Custom -> enter 46906
Thankfully, these ports are also valid for Mullvad, so no extra switching will be needed.
You should now be able to connect to the Mullvad exit node via the Obscura server, with an Obscura account.
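The manual copying in the steps above can be checked with a short script. This is an added example, not code from the post, Mullvad or Obscura; the function names are made up for illustration, it assumes the config starts with a "# Exit: Mullvad <relay>" comment as in the sample, and it only works on in-memory data rather than touching /etc/mullvad-vpn/device.json.

```python
import configparser, copy, ipaddress, re

# Sample values copied from the post's example, which states they are invalid.
SAMPLE_WG = """\
# Exit: Mullvad ca-tor-wg-002 in Toronto, CA
[Interface]
PrivateKey = eNZ0Lr3jpE18o/KSVISHCi/wDWW5DgD6VCCEduKgkFI=
Address = 10.0.0.1/32, fc00:bbbb:bbbb:0:0:0:0:1/128
DNS = 10.64.0.1
[Peer]
PublicKey = iqZSgVlU9H67x/uYE5xsnzLCDXf7FL9iMfyKfl6WsV8=
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = 95.173.193.232:46906
PersistentKeepalive = 15
"""

def plan_from_wg(wg_text):
    """Extract the values the post copies by hand from an Obscura config."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(wg_text)
    addrs = {}
    for a in cfg["Interface"]["Address"].split(","):
        a = a.strip()
        addrs[f"ipv{ipaddress.ip_interface(a).version}_address"] = a
    host, port = cfg["Peer"]["Endpoint"].rsplit(":", 1)
    ipaddress.IPv4Address(host)  # the post only overrides the IPv4 address
    # Assumption: the exit relay name appears in a leading "# Exit:" comment.
    m = re.search(r"^#\s*Exit:\s*Mullvad\s+(\S+)", wg_text, re.M)
    if not m:
        raise ValueError("no '# Exit: Mullvad <relay>' comment found")
    return {"private_key": cfg["Interface"]["PrivateKey"], "addresses": addrs,
            "relay": m.group(1), "entry_ip": host, "port": int(port)}

def patch_device(device, plan):
    """Return a copy of device.json content edited as the post describes."""
    out = copy.deepcopy(device)
    out["logged_in"]["account_number"] = ""   # avoids the expiration message
    dev = out["logged_in"]["device"]
    dev["id"] = ""                            # the author cleared this as well
    dev["wg_data"]["private_key"] = plan["private_key"]
    dev["wg_data"]["addresses"] = plan["addresses"]
    return out

def override_command(plan):
    return f"mullvad relay override set ipv4 {plan['relay']} {plan['entry_ip']}"

if __name__ == "__main__":
    p = plan_from_wg(SAMPLE_WG)
    print(override_command(p), "| custom WireGuard port:", p["port"])
```

Load the existing device.json with json.load, pass it through patch_device, and review the result before writing it back as root with mullvad-daemon stopped.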

Multi-hop within Mullvad (a 3rd hop)
As the port for Obscura’s server matters, we can only use it as an entry node. But yes, you can do that too.

Hopping madness
There’s no point, but it’s possible.
The Mullvad SOCKS5 will allow for, yes, a 4th hop.

And you can add Tor, for 7 hops (to regular sites)

What does that do? From this:

All the way to the network quality of your teammates:



So, basically, it’s a Tor-like setup, but without the middle node. Interesting.