OpenBSD Router Boilerplate
an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers
What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?
Add some find and replace scripts to automate and customize vedetta for your environment/hostname/whatever. A more structured (config managed) approach would likely have taken the same amount of time, but where's the fun in that?
Added test scripts and some infrastructure to run inside Vagrant with some other hosts attached, to observe your changes. I'm hoping to figure out how to use it as an intermedieary between your box and the rest of the network.
Share what you've got, keep what you need:
- acme-client - Automatic Certificate Management Environment (ACME) client
- Configure:
- Usage:
pfctl-f /etc/pf.confacme-client-vAD freedns.afraid.orgusr/local/bin/get-ocsp.shfreedns.afraid.org
- authpf - authenticating gateway user shell
- Configure:
- Usage:
- autoinstall - unattended OpenBSD installation and upgrade (pxeboot and mirror example)
- Configure:
etc/dhcpd.confetc/httpd.confetc/pf.conftftpbootvar/www/htdocs/boot.vedetta.lanmount host:/path/name /var/www/pub
- Usage:
mkdir -p /tftpboot/etccd /tftpboot && ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rdcp /usr/mdec/pxeboot /tftpboot/chmod 555 -R /tftpbootcd /tftpboot && ln -s pxeboot auto_installecho "boot bsd.rd" > /tftpboot/etc/boot.conf && chmod 444 /tftpboot/etc/boot.confpfctl-f /etc/pf.confrcctlset tftpd flags -l boot.vedetta.lan -v /tftpbootrcctlset tftpproxy flags -vrcctlrestart dhcpd httpdtftpdtftpproxy
- Configure:
- dhclient - Dynamic Host Configuration Protocol (DHCP) client
- Configure:
- Usage:
- dhcpd - Dynamic Host Configuration Protocol (DHCP) server
- Configure:
- Usage:
- (optional) wide-dhcpv6 - client and server for the WIDE DHCPv6 protocol
- Configure:
etc/dhcp6s.confetc/dhcp6c.confetc/pf.confetc/rc.d/dhcp6cetc/rc.d/dhcp6setc/rad.conf
- Usage:
- Configure:
- ftp-proxy - Internet File Transfer Protocol proxy daemon
- Configure:
- Usage:
- hostname.if - interface-specific configuration files with Dual IP stack implementation
- hotplugd - devices hot plugging monitor daemon
- Configure:
etc/hotplug/attachetc/hotplug/detachchmod 750 /etc/hotplug/{attach,detach}
- Usage:
- Configure:
- httpd - HTTP daemon as primary, fallback, and autoinstall
- Configure:
- Usage:
- ifstated - Interface State daemon to reconnect, update IP, and log
- Configure:
- Usage:
- IKEv2 VPN (IPv4 and IPv6)
- Configure:
etc/ikedetc/iked.confetc/iked-vedetta.confetc/ipsec.confetc/pf.confetc/ssl/ikeca.cnfetc/ssl/vedetta
- Usage:
ikectlca vedetta createikectlca vedetta installikectlca vedetta certificate freedns.afraid.org createikectlca vedetta certificate freedns.afraid.org installikectlca vedetta certificate mobile.vedetta.lan createcd /etc/iked/exportikectlca vedetta certificate mobile.vedetta.lan exporttar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgzikectlca vedetta certificate mobile.vedetta.lan revokeikectlca vedetta key mobile.vedetta.lan deletepfctl-f /etc/pf.confrcctlenable ipsecrcctlset iked flags -6rcctlstart iked
- Configure:
- IKEv1 VPN (IPv4)
- Configure:
etc/isakmpdetc/ipsec.confetc/ipsec-vedetta.confetc/npppdetc/pf.confetc/ssl/ikeca.cnfetc/ssl/vedetta
- Usage:
ikectlca vedetta createikectlca vedetta install /etc/isakmpdikectlca vedetta certificate freedns.afraid.org createikectlca vedetta certificate freedns.afraid.org install /etc/isakmpdikectlca vedetta certificate mobile.vedetta.lan createcd /etc/isakmpd/exportikectlca vedetta certificate mobile.vedetta.lan exporttar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgzikectlca vedetta certificate mobile.vedetta.lan revokeikectlca vedetta key mobile.vedetta.lan deletepfctl-f /etc/pf.confrcctlenable ipsec npppdrcctlset isakmpd flags -Krcctlstart npppd isakmpdipsecctl-d -f /etc/ipsec-vedetta.conf
- Configure:
- nsd - Name Server Daemon (NSD) as authoritative DNS nameserver for LAN
- Configure:
- Usage:
- ntpd - Network Time Protocol daemon
- Configure:
- Usage:
- pf - packet filter with IP based adblock
- Configure:
- Usage:
- rebound - DNS proxy
- Configure:
- Usage:
pfctl-f /etc/pf.confdig ipv6.google.com aaaa
- relayd - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, transparent HTTP proxy, and TLS inspection (MITM)
- Configure:
etc/acme-client.confetc/httpd.confetc/pf.confetc/relayd.confusr/local/bin/get-pin.shcd/etc/sslln -s acme/freedns.afraid.org.fullchain.pem 10.10.10.11:443.crtln -s acme/freedns.afraid.org.fullchain.pem fd80:1fe9:fcee:1337::ace:babe:443.crtcd/etc/ssl/privateln -s ../acme/private/freedns.afraid.org.key 10.10.10.11:443.keyln -s ../acme/private/freedns.afraid.org.key fd80:1fe9:fcee:1337::ace:babe:443.keymkdir -p /etc/ssl/relayd/privateopenssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crtecho 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.extopenssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key -out /etc/ssl/relayd/private/relay.vedetta.lan.csr -nodesopenssl x509 -sha256 -req -days 365 -in /etc/ssl/relayd/private/relay.vedetta.lan.csr -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key -CAcreateserial -extfile /etc/ssl/relayd/server.ext -out /etc/ssl/relayd/relay.vedetta.lan.crtcd /etc/sslln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crtln -s relayd/relay.vedetta.lan.crt ::1.crtcd /etc/ssl/privateln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.keyln -s ../relayd/private/relay.vedetta.lan.key ::1.key
- Usage:
- Configure:
- rad - router advertisement daemon
- Configure:
- Usage:
- sensorsd - hardware sensors monitor
- Configure:
- Usage:
- slaacd - a stateless address autoconfiguration daemon
- smtpd - Simple Mail Transfer Protocol daemon, see Caesonia
- Configure:
etc/mail/aliasesetc/mail/smtpd.conftouch/etc/mail/secretschmod 640 /etc/mail/secretschown root:_smtpd /etc/mail/secretsecho "puffy puffy@example.com:password" > /etc/mail/secrets
- Usage:
rcctlrestart smtpd
- Configure:
- sshd - OpenSSH SSH daemon with internal-sftp
- Configure:
- Usage:
- switchd - software-defined networking (SDN) sflow controller
- Configure:
- Usage:
- syslogd - log system messages
- Configure:
- Usage:
- unbound - Unbound DNS validating resolver from root nameservers, with caching and DNS based adblock
- Configure:
- Usage:
Sysadmin:
- crontab - maintain crontab files for individual users
- doas - execute commands as another user
- Configure:
- Usage:
doastmux
- ftp - Internet file transfer program
- Configure:
- Usage:
- mail - send and receive mail, for daily reading
- Usage:
- syspatch - manage base system binary patches
- Configure:
etc/installurlvar/cron/tabs/root
- Usage:
syspatch-c
- Configure:
- systat - display system statistics
- tmux - terminal multiplexer
- Configure:
~/.tmux.conf
- Usage:
- Configure:
OpenBSD likes small form factor, low-power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on APU2.
Encryption is the easiest method for media sanitization and disposal. OpenBSD supports full disk encryption using a keydisk (e.g. a USB stick).
Partitions are important for security, stability, and integrity. A minimum partition layout example for router with (upgrade itself) binary base, and no packages (comfortable fit on flash memory cards/drives):
| Filesystem | Mount | Size |
|---|---|---|
| a | / | 512M |
| b | /swap | 1024M |
| d | /var | 512M |
| e | /var/log | 128M |
| f | /tmp | 1024M |
| g | /usr | 1024M |
| h | /usr/local | 64M |
| i | /home | 16M |
| Total | 4304M |
It's best practice to create CAs on a single purpose secure machine, with no network access.
Specify which certificate authorities (CAs) are allowed to issue certificates for your domain, by adding DNS Certification Authority Authorization (CAA) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone
Revoke certificates as often as possible.
SSH fingerprints verified by DNS is done by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone: ssh-keygen -r vedetta.lan.
Verify: dig -t SSHFP vedetta.lan
Usage: ssh -o "VerifyHostKeyDNS ask" child.foil.lan
Manage keys with ssh-agent.
Detect tampered keyfiles or man in the middle attacks with ssh-keyscan.
Control access to local users with principals.
Guests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. It's best to authenticate an IP after connecting to VPN. There are three users in this one person scenario: one for wheel, one for sftp, and one for authpf.
Consider using mount_mfs in order to reduce wear and tear, as well as to speed up the system. Remember to set the sticky bit on mfs /tmp, see etc/fstab.
- VPN with IKEv2 or IKEv1, not both. While there are many tecnologies for VPN, only IKEv2 and IKEv1 are standard (considerable effort was put into testing and securing)
- relayd does not support CRL, SNI, nor OCSP (yet)
- httpd without custom error pages (can be patched)
- 11n is max WiFi mode, is this enough?
Via issues and #vedetta:matrix.org
Want to help out? ⭐ Fork this repo ⭐