configuration for my openbsd-based home router
This is the configuration for my Intel Mac Mini-based OpenBSD router.
It is not something that you can likely copy and use directly, but it
is a good example of a real configuration.  I am not an OpenBSD
expert, but my goal was to modify the default install as little as
possible.  Since that is "secure by default", hopefully I did not
introduce too much insecurity.  It only ends up being a few lines of
config and one or two additional non-standard packages.

If you see something insecure, please send me a patch!  (Yes, the
password for my wireless network is in here.  I don't really care, you
don't live anywhere near me, so you can't get access with that.  I
always use "jrockway" for my passwords anyway!)

My Networks

The network interfaces are set up in hostname.<driver>[0-9]+ files.  I
have the following cards:

msk0: This is the internal Gigabit Ethernet.  It is my internal

      It's on  (It was a /8, but then I ran out of
      networks when setting up a routed OpenVPN.)

aue0: This is a USB 1.1 Ethernet adaptor that connects to teh
      intarwebs.  I bought it because it was the first thing
      documented as supported that I could find on Amazon Prime.
      Since my DSL is 6M/768k, the 12M USB 1.1 is not a bottleneck.

      It's <>.

      (Note: the one I bought from Amazon did not have the same
       chipset as the OpenBSD docs said it had.  But it does work.  I
       wish they would change the model number when they are going to
       dramatically alter the product.)

ath0: Internal wireless a/b/g.  I actually hang a 802.11n access point
      off my internal network, so this exists merely for fun.

      It's on

gif0: This is my tunnel to the IPv6 intarwebs.  It's provided (for
      free) by Hurricane Electric. They give you a /64 or /48.  Since
      not all the particles in the Universe are currently in my
      apartment (and don't need an IP address anyway), I just have a

tun0: This is the tunnel from the OpenVPN server to the networking
      stack. The hostname.tun0 just brings the tunnel up and starts
      the OpenVPN server, which is what actually configures the

      My OpenVPN network is

My Services

dhcpd:   DHCP for my internal network.  snowball2 and eeetv have static
         addresses.  Everything else ends up at or above.

rtadvd:  Advertises my IPv6 subnet to the rest of the internal network.  This
         allows every machine to auto-select a real routable IPv6 address!

named:   This is the DNS server.  It handles:

           * name resolution for the .internal zone
           * reverse name resolution for my IPv6 subnet
           * caching DNS resolution for anything on my internal network

OpenBSD runs a few other services by default: sendmail, sshd, and
ntpd.  These do what you think they do; I didn't touch the
configuration at all (except maybe to turn off root logins over ssh).

My Firewall

I picked OpenBSD instead of Linux mostly because pf is so wonderful.  Detailed
comments are in pf.conf, but here's an overview:

   * keep state on all traffic (and fix all syncookies)
   * deny all traffic by default (and log denied connections)
   * QoS so that ssh stays responsive at all times (and so that
     apt-get dist-upgrade doesn't interfere with my streaming TV)
   * NAT from the internet to my internal network
   * allow icmp from the internet
   * allow ssh from the internet
   * allow dns connections to this box
   * allow openvpn connections to this box
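As an added example (not the repository's own pf.conf), here is how that list maps onto pf rules, written in the OpenBSD 5.5-or-later match/nat-to/queue syntax.  The interface names are the ones described above; every address (LAN prefix, VPN prefix, tunnel endpoint) is a placeholder, and icmp is narrowed to echo requests rather than "all icmp".

```pf
# Added example, not the repository's pf.conf.  Interface names come from the
# README above; every address below is a constructed placeholder.
ext_if  = "aue0"            # USB Ethernet to the DSL modem
int_if  = "msk0"            # wired LAN
lan     = "10.0.0.0/24"     # placeholder for the internal IPv4 prefix
vpn_net = "10.8.0.0/24"     # placeholder for the routed OpenVPN network
he_v4   = "203.0.113.1"     # placeholder for the Hurricane Electric endpoint

set skip on lo
set loginterface $ext_if    # pfctl -si then shows per-interface counters

# QoS: the DSL upload is 768k, so shape just below it and reserve a share for
# ssh; bulk traffic (apt-get, streaming) lands in the default queue.
queue rootq on $ext_if bandwidth 700K max 700K
queue ssh_q parent rootq bandwidth 150K min 100K
queue std_q parent rootq bandwidth 550K default

# Normalise every packet; state is kept on everything that passes.
match in all scrub (no-df random-id)
# NAT the LAN behind the DSL address.
match out on $ext_if from $lan nat-to ($ext_if)
# ssh in either direction goes to the priority queue.
match out on $ext_if proto tcp to port ssh set queue ssh_q
match out on $ext_if proto tcp from port ssh set queue ssh_q

# Default deny, logging what is dropped (tcpdump -n -e -ttt -i pflog0).
block log all
antispoof quick for $int_if

# The LAN and the VPN may reach the router and through it; outbound on every
# interface (LAN, DSL, both tunnels) is open, replies ride the state table.
pass in on $int_if
pass in on tun0
pass out all

# Services reachable from the internet, following the list above.  The README
# allows all icmp; echo request is all that ping needs.
pass in on $ext_if inet proto icmp icmp-type echoreq
pass in on gif0 inet6 proto icmp6
pass in on $ext_if proto ipv6 from $he_v4 to ($ext_if)   # the 6in4 tunnel
pass in on $ext_if proto tcp to ($ext_if) port ssh
# named.conf should still restrict recursion to the LAN, or this is an
# open resolver that anyone on the internet can use for amplification.
pass in on $ext_if proto { tcp, udp } to ($ext_if) port domain
pass in on $ext_if proto udp to ($ext_if) port 1194      # OpenVPN
```

Check it with `pfctl -nf /etc/pf.conf` before loading; `pfctl -sr` and `pfctl -ss` show the expanded rules and the state table once it is in.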

Adding a new machine internally

   * assign static IP in dhcpd.conf
   * add reverse DNS entry
   * add forward internal DNS entry

Adding a new machine on the VPN

   * generate certificates


This router is much better than anything I've ever used; various
consumer-level shit boxes (never buy netgear hardware), openwrt, and
ddwrt.  There is no fancy web interface, but once the box is set up
there is nothing much to do.  It just keeps working, and you can ssh
in and check out how the firewall is doing or read your mail.

IPv6 is nice.  I sometimes have better connectivity over the IPv6
tunnel than I do via my IPv4 ISP!


Share and enjoy!