OpenBSD Router Boilerplate
Clone or download
horia Merge pull request #153 from vedetta-com/wip
Remove "Globally Reachable"
Latest commit b9cbf5b Oct 18, 2018
Permalink
Failed to load latest commit information.
src Remove "Globally Reachable" Oct 18, 2018
LICENSE Modernize LICENSE Feb 20, 2018
README.md Use OpenSSH certificates Oct 9, 2018

README.md

vedetta (alpha)

OpenBSD Router Boilerplate

Vedetta Logo

About

an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers

What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?

Features

Share what you've got, keep what you need:

Sysadmin:

Hardware

OpenBSD likes small form factor, low-power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on APU2.

Install

Encryption is the easiest method for media sanitization and disposal. OpenBSD supports full disk encryption using a keydisk (e.g. a USB stick).

Partitions are important for security, stability, and integrity. A minimum partition layout example for router with (upgrade itself) binary base, and no packages (comfortable fit on flash memory cards/drives):

Filesystem Mount Size
a / 512M
b /swap 1024M
d /var 512M
e /var/log 128M
f /tmp 1024M
g /usr 1024M
h /usr/local 64M
i /home 16M
Total 4304M

SSL

It's best practice to create CAs on a single purpose secure machine, with no network access.

Specify which certificate authorities (CAs) are allowed to issue certificates for your domain, by adding DNS Certification Authority Authorization (CAA) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone

Revoke certificates as often as possible.

SSH

SSH fingerprints verified by DNS is done by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone: ssh-keygen -r vedetta.lan.
Verify: dig -t SSHFP vedetta.lan
Usage: ssh -o "VerifyHostKeyDNS ask" acolyte.vedetta.lan

Manage keys with ssh-agent.

Detect tampered keyfiles or man in the middle attacks with ssh-keyscan.

Control access to local users with principals.

Firewall

Guests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. It's best to authenticate an IP after connecting to VPN. There are three users in this one person scenario: one for wheel, one for sftp, and one for authpf.

Performance

Consider using mount_mfs in order to reduce wear and tear, as well as to speed up the system. Remember to set the sticky bit on mfs /tmp, see etc/fstab.

Caveats

  • VPN with IKEv2 or IKEv1, not both. While there are many tecnologies for VPN, only IKEv2 and IKEv1 are standard (considerable effort was put into testing and securing)
  • relayd does not support CRL, SNI, nor OCSP (yet)
  • httpd without custom error pages (can be patched)
  • 11n is max WiFi mode, is this enough?
  • authpf users have sftp access

Support

Via issues and #vedetta:matrix.org

Contribute

Want to help out? ⭐️ Fork this repo ⭐️