Private DNS
Trust CA
In order to connect to internal Minds services using the Firezone VPN, you will first need to configure your system to trust our private Certificate Authority (CA). The steps are slightly different depending on which operating system and web browser you are using. In many cases, trusting the CA in your browser alone is enough.
NOTE: First off, you will need to download the public key for our root CA from Bitwarden. It will be labeled as "Minds Private CA (Public key)".
Web Browsers
Most browsers use their own truststore rather than the system's. First, let's configure our browser to trust our CA.
Firefox
- Click on the pancake menu in the top right, and click on "Settings".
- Click on "Privacy and Security" in the left menu, then scroll down to "Certificates" in the "Security" section.
- Click on "View certificates", and click on the "Authorities" tab in the top bar.
- Click on "Import..." and navigate to the PEM file you downloaded previously.
- Import the CA.
That's all! Now Firefox should recognize the certs for our private services as valid.
NOTE: In order to resolve private hostnames when connected to the VPN, you will need to configure Firefox to use your system DNS rather than Cloudflare, its default DNS over HTTPS (DoH) provider.
- Click on the pancake menu in the top right, and click on "Settings".
- Click on "Privacy and Security" in the left menu, then scroll down to "DNS over HTTPS".
- The simplest solution is to disable DoH by clicking "Off".
NOTE: If you want to use DoH where possible you can also add exceptions for each private Minds service that you want to consume.
Chromium (Google Chrome, Brave, Opera)
- Click on the pancake menu in the top right, and click on "Settings".
- Click on "Privacy and security" in the left menu, then scroll down and click on "Manage certificates".
- Click on the "Authorities" tab in the top bar.
- Click on "Import" and navigate to the PEM file you downloaded previously.
- Import the CA.
That's all! Now this Chromium-based browser should recognize the certs for our private services as valid.
Operating Systems
Ubuntu
Note: Tested on Ubuntu 22.04; the process may differ for other Linux distributions.
- Copy the PEM file you downloaded to the /usr/local/share/ca-certificates folder.
  - NOTE: Make sure to use a .crt file extension. For example: cp minds-private-ca.pem /usr/local/share/ca-certificates/minds-private-ca.crt
- Run sudo update-ca-certificates.
- Test connecting to a private service with curl or some other tool.
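As an added example (not part of the Minds documentation), the following POSIX shell helpers wrap the Ubuntu steps above and add the check a practitioner would want before trusting a file from a password vault: confirm it is really a CA certificate and print its fingerprint so it can be compared with a value obtained out of band. File and host names are placeholders you substitute.

```shell
#!/bin/sh
# Added example, not the Minds project's own tooling.
# Requires: openssl, curl, sudo (Ubuntu 22.04 defaults).

# Derive the *.crt name that update-ca-certificates requires from any
# input path: "minds-private-ca.pem" -> "minds-private-ca.crt".
crt_name() {
    base=$(basename "$1")
    printf '%s.crt\n' "${base%.*}"
}

# Succeeds only if FILE is a PEM certificate whose basicConstraints say
# CA:TRUE, i.e. something that belongs in a CA store at all. Prints the
# subject and SHA-256 fingerprint so you can compare them with the value
# you obtained out of band before running update-ca-certificates.
check_ca_pem() {
    file="$1"
    grep -q -e '-----BEGIN CERTIFICATE-----' "$file" || {
        echo "$file: not a PEM certificate (a private key, perhaps?)" >&2
        return 1
    }
    openssl x509 -in "$file" -noout -subject -sha256 -fingerprint || return 1
    if ! openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE'; then
        echo "$file: not a CA certificate (no CA:TRUE in basicConstraints)" >&2
        return 1
    fi
}

# The two Ubuntu steps from the page, with the .crt extension enforced.
install_ca_ubuntu() {
    check_ca_pem "$1" || return 1
    sudo cp "$1" "/usr/local/share/ca-certificates/$(crt_name "$1")"
    sudo update-ca-certificates
}

# Connect to a private service (placeholder hostname) and show the HTTP
# status. A 2xx/3xx after install_ca_ubuntu proves the system store now
# trusts the CA; an SSL error means the CA was not picked up.
test_service() {
    curl -sS -o /dev/null -w '%{http_code}\n' "https://$1/"
}
```

Run `check_ca_pem minds-private-ca.pem` first, then `install_ca_ubuntu minds-private-ca.pem` and `test_service some-private-host.example` with your own file and hostname.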
macOS
- Click on the certificate.
- Select the "System" keychain, and click "Ok".
- Test connecting to a private service with curl or some other tool.