I use libpam-net to segregate a dedicated system user into a network namespace which can only talk to the outside world through a wireguard interface.
mullvad-wg-netns.sh implements the provisioning of the
wireguard configs (generating privkey, uploading pubkey to mullvad API etc.). It
also supports bringing up the wireguard interface at boot since wg-quick does
not support netns or operating on a pre-existing wg interface.
First we set up dependencies and libpam-net:
$ apt-get install dateutils curl jq wireguard-tools libpam-net
$ pam-auth-update --enable libpam-net-usernet
$ addgroup --system usernet
$ adduser <myuser> usernet
Note we need at least libpam-net 0.3, which is part of Debian bullseye now. Yey!
Now whenever <myuser> logs in, or a service is started as them, it will
be placed in a netns (cf. ip-netns(8)) corresponding to their
username. This netns is created if it doesn't already exist, but the
intention is that you arrange for it to be setup during boot.
Next we provision the wireguard configs:
$ path/to/mullvad-wg-net.sh provision
This will ask you for your mullvad account number, so keep that ready. What this does is associate your mullvad account with the wg private key it generates.
Note: The account number is not stored on the system after provisioning.
We're almost done, now we setup resolv.conf to prevent DNS leaks in the
netns:
$ mkdir -p /etc/netns/<myuser>
$ printf '%s\n' '# Mullvad DNS' 'nameserver 10.64.0.1' > /etc/netns/<myuser>/resolv.conf
$ chattr +i /etc/netns/<myuser>/resolv.conf
I do chattr +i to prevent resolvconf from meddling with this config. I suppose
it would be possible just to change the resolvconf configuration to get it
seperated from the main system, but without changes it will just use the DNS of
the rest of the system.
Finally to start the mullvad wireguard interface you should use the following command:
$ path/to/mullvad-wg-net.sh init <myuser> mullvad-<regioncode>.conf
Replace <regioncode> by whatever mullvad region you want to use, for example
mullvad-at1.conf, you can find the full list in /etc/wireguard/ after
provisioning.
To make this permanent you can simply put it in /etc/rc.local or create a
systemd unit or something if you insist.
In order to make sure this whole setup works and to prevent leaks if something fails I like to check if connectivity is going through mullvad on login. The mullvad guys provide a convinient service for this: https://am.i.mullvad.net and I wrote a convinient shell wrapper for it: am-i-mullvad.sh.
To use it put it in your .bash_profile or simmilar shell startup script:
$ cat >> .bash_profile << EOF
sh path/to/am-i-mullvad.sh || exit 1
EOF
If we're not connected through mullvad it will print an error message and kill the shell after a short timeout so you can still get access by Ctrl-C'ing the script if needed.