Deploying Mistborn

Introduction

Mistborn is a comprehensive self-hosted security platform that bundles essential privacy and security services into a single, manageable deployment. It combines WireGuard VPN, Pi-hole ad-blocking, firewall management, and additional services to create a secure gateway for personal or organizational use.

The platform provides a web-based control panel for managing all integrated services, making it accessible to users without deep networking expertise. Mistborn handles the complexity of configuring secure communications, DNS filtering, and network protection behind an intuitive interface.

Key highlights of Mistborn:

WireGuard VPN: Modern, fast VPN protocol for secure remote access
Pi-hole Integration: Network-wide ad blocking and tracking protection
Firewall Management: Simplified iptables configuration through web UI
DNS-over-HTTPS: Encrypted DNS queries for privacy
Secure Gateway: Single point of entry for all self-hosted services
User Management: Create and manage VPN users with individual keys
Mobile Support: QR code configuration for WireGuard mobile apps
Service Proxying: Securely expose services only through VPN
Automatic Updates: Keep security components current
Web Dashboard: Central management for all features
Open Source: Fully auditable security implementation

This guide covers deploying Mistborn on Klutch.sh, configuring VPN access, and managing the integrated security services.

Why Deploy Mistborn on Klutch.sh

Deploying Mistborn on Klutch.sh provides key advantages:

Simplified Deployment: Klutch.sh handles the Docker deployment complexity. Push to GitHub, and your secure gateway deploys automatically.

Persistent Storage: Attach volumes for VPN configurations, user data, and Pi-hole blocklists that persist across updates.

HTTPS by Default: Klutch.sh provides automatic SSL certificates for secure access to the management dashboard.

Scalable Resources: Allocate CPU and memory based on connected clients and DNS query volume.

GitHub Integration: Connect your repository for automatic deployments and updates.

Environment Variable Management: Securely store admin credentials and configuration secrets.

Always-On Availability: Your secure gateway remains accessible 24/7 for VPN connections.

Prerequisites

Before deploying Mistborn on Klutch.sh, ensure you have:

A Klutch.sh account
A GitHub account with a repository for your configuration
Basic familiarity with Docker and networking concepts
Understanding of VPN and firewall principles
(Optional) A custom domain for your Mistborn instance

Understanding Mistborn Architecture

Mistborn integrates several components:

Mistborn Core: The main orchestration service managing all components.

WireGuard: Modern VPN protocol providing secure tunnels for remote access.

Pi-hole: DNS sinkhole that blocks ads and trackers at the network level.

Traefik: Reverse proxy handling routing and SSL termination.

PostgreSQL: Database storing user accounts and configuration.

Redis: Caching layer for performance optimization.

Preparing Your Repository

Repository Structure

mistborn-deploy/
├── Dockerfile
├── README.md
└── .dockerignore

Creating the Dockerfile

Create a Dockerfile:

FROM cybertechniques/mistborn:latest

# Set environment variables
ENV MISTBORN_ADMIN_EMAIL=${MISTBORN_ADMIN_EMAIL}
ENV MISTBORN_ADMIN_PASSWORD=${MISTBORN_ADMIN_PASSWORD}
ENV MISTBORN_HOST=${MISTBORN_HOST}
ENV MISTBORN_DNS_PRIMARY=${MISTBORN_DNS_PRIMARY:-1.1.1.1}
ENV MISTBORN_DNS_SECONDARY=${MISTBORN_DNS_SECONDARY:-8.8.8.8}

# Create data directories
RUN mkdir -p /opt/mistborn/data /opt/mistborn/wireguard

# Expose ports
# 80/443 - Web interface
# 51820 - WireGuard VPN
# 53 - DNS (Pi-hole)
EXPOSE 80 443 51820/udp 53/tcp 53/udp

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 \
  CMD curl -f http://localhost/health || exit 1

Environment Variables Reference

Variable	Required	Default	Description
`MISTBORN_ADMIN_EMAIL`	Yes	-	Admin account email
`MISTBORN_ADMIN_PASSWORD`	Yes	-	Admin account password
`MISTBORN_HOST`	Yes	-	Public hostname for the server
`MISTBORN_DNS_PRIMARY`	No	1.1.1.1	Upstream DNS server
`MISTBORN_DNS_SECONDARY`	No	8.8.8.8	Backup DNS server
`WIREGUARD_PORT`	No	51820	WireGuard VPN port

Deploying Mistborn on Klutch.sh

Generate Secure Admin Password

Create a strong admin password:

openssl rand -base64 24

Push Your Repository to GitHub

git init
git add Dockerfile .dockerignore README.md
git commit -m "Initial Mistborn deployment"
git remote add origin https://github.com/yourusername/mistborn-deploy.git
git push -u origin main

Create a New Project on Klutch.sh

Navigate to the Klutch.sh dashboard and create a project named “mistborn” or “secure-gateway”.

Create a New App

Create a new app and connect your GitHub repository.

Configure HTTP Traffic

In deployment settings:

Select HTTP as the traffic type
Set the internal port to 80 or 443
Note: UDP port 51820 is needed for WireGuard VPN

Set Environment Variables

Configure your environment:

Variable	Value
`MISTBORN_ADMIN_EMAIL`	Your admin email
`MISTBORN_ADMIN_PASSWORD`	Your secure password
`MISTBORN_HOST`	`your-app-name.klutch.sh`
`MISTBORN_DNS_PRIMARY`	`1.1.1.1`
`MISTBORN_DNS_SECONDARY`	`8.8.8.8`

Attach Persistent Volumes

Add volumes for persistent data:

Mount Path	Recommended Size	Purpose
`/opt/mistborn/data`	5 GB	Application data and database
`/opt/mistborn/wireguard`	1 GB	WireGuard configurations
`/etc/pihole`	1 GB	Pi-hole configuration

Deploy Your Application

Click Deploy to build and launch Mistborn.

Access Dashboard

Navigate to https://your-app-name.klutch.sh and log in with your admin credentials.

Configuring WireGuard VPN

Creating VPN Users

Log into the Mistborn dashboard
Navigate to WireGuard section
Click Add Client
Enter client name (e.g., “laptop”, “phone”)
Download configuration file or scan QR code

Client Configuration

For desktop clients:

Install WireGuard client
Import the downloaded .conf file
Connect to the VPN

For mobile devices:

Install WireGuard app (iOS/Android)
Scan the QR code from dashboard
Enable the VPN connection

VPN Settings

Configure VPN behavior:

Allowed IPs: Networks accessible through VPN
DNS: Use Pi-hole for DNS filtering
Persistent Keepalive: Maintain connections through NAT

Pi-hole Ad Blocking

Accessing Pi-hole

Pi-hole admin panel is available through the Mistborn dashboard or directly at /admin.

Blocklist Management

Configure ad blocking:

Navigate to Settings > Blocklists
Add custom blocklists or use defaults
Update gravity database

DNS Configuration

Point devices to use Pi-hole:

Through VPN: Automatic when connected
Local network: Set Pi-hole as DNS server

Query Analytics

Monitor DNS activity:

View query logs
See blocked domains
Identify top clients

Firewall Management

Understanding Mistborn Firewall

Mistborn provides simplified firewall management:

Default Deny: Block all incoming by default
VPN Access: Allow traffic through WireGuard
Service Rules: Selectively expose services

Creating Firewall Rules

Navigate to Firewall section
Click Add Rule
Configure source, destination, and action
Apply changes

Best Practices

Only expose necessary ports
Use VPN for service access when possible
Regularly review active rules

Service Integration

Adding Services Behind VPN

Protect self-hosted services:

Deploy service on internal network
Configure routing through Mistborn
Access only via VPN connection

DNS-Based Routing

Use internal DNS for service discovery:

Configure custom DNS records in Pi-hole
Access services by name through VPN

Troubleshooting

VPN Connection Issues

Verify UDP port 51820 is accessible
Check client configuration matches server
Ensure keys are correctly paired

DNS Not Working

Verify Pi-hole is running
Check upstream DNS servers
Review blocklist conflicts

Dashboard Inaccessible

Check container health status
Verify port mappings
Review application logs

Performance Issues

Monitor resource usage
Check connected client count
Review DNS query volume

Additional Resources

Conclusion

Mistborn on Klutch.sh provides a comprehensive security platform combining VPN access, ad blocking, and firewall management in one deployment. The integrated approach simplifies securing your digital life while the web dashboard makes management accessible. Whether protecting personal browsing or securing organizational access to self-hosted services, Mistborn delivers the tools needed for robust network security.