OpenBSD

RPKI for Home Usage

Resource Public Key Infrastructure. You may know what RPKI is: a PKI framework for improving the security of the BGP-based Internet routing infrastructure. The holder of an address block signs a Route Origin Authorization (ROA) stating which AS may originate the prefix, and a router can check every received route against those ROAs. As a home user or a small or medium-sized company you normally do not have a full BGP table and multiple upstream providers; you have one Internet router or firewall and get a default route from your ISP. With OpenBGPD and its current RPKI support you "just" need a full BGP feed, and then you can drop every route whose origin validation state is invalid (covered by a ROA, but announced from the wrong AS or with a longer prefix than the ROA allows) and keep your routing (and your Internet access) a bit more secure. Note that a route without any covering ROA is "not found", not invalid; only the invalid ones get dropped.

OpenBSD Root Password Recovery

If you ever have to recover the root password, boot into single-user mode and reset it:
boot> boot -s
Enter pathname of shell or RETURN for sh: [ENTER]
fsck -p /
fsck -p /usr
mount -uw /
mount /usr
passwd
and finally:
reboot
This works for anyone with console access, which is why the console has to be physically protected. If the console entry in /etc/ttys is marked insecure, init asks for the root password before it starts the single-user shell, and you have to boot from install media (bsd.rd) instead.

Wireguard Puffy to OPNsense

WG tunnel between OpenBSD and OPNsense. How to set up a WG tunnel between OpenBSD and OPNsense? That's quite simple.
OpenBSD
Install packages:
pkg_add wireguard-tools--
Build the interface. The heredoc delimiter is unquoted on purpose so that ${r}, ${remote_ip} and ${remote_net} are expanded into the file; with a quoted 'EOF' the literal variable names would end up in hostname.wg0 and the interface would not come up:
r=$(openssl rand -base64 32)
remote_ip="1.2.3.4"
remote_net="192.168.0.0/24"
cat << EOF > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey ${r}
wgport 51820
wgpeer xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net}
inet 10.0.0.1/24
!route add ${remote_net} 10.0.0.2
up
EOF
sh /etc/netstart wg0
ifconfig wg0
The file holds the private key, so it must stay root:wheel and not world-readable (mode 0640, like any hostname.if file). ifconfig wg0 prints the matching public key as wgpubkey; that is the value to enter as the peer key on the OPNsense side. update pf.

Keychain

Need a small and smart utility to manage your SSH keys under Linux? Got some scripts and cron jobs which require a local SSH key? Have a look at keychain!
Install software:
$ sudo apt-get install keychain
Edit the startup scripts ($HOME/.bashrc, $HOME/.bash_profile or /etc/profile):
cat << 'EOF' >> $HOME/.bashrc
# Keychain Startup
eval $(keychain --eval id_ed25519)
EOF
Check the service:
$ keychain
$ ssh-add -L
keychain asks for the passphrase once and then keeps the unlocked key in one long-lived ssh-agent that survives logouts; anyone who becomes root on the box can use that agent socket, so treat the host accordingly.
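The snippet above covers the interactive login. The use case the post mentions, scripts and cron jobs that need the key, has to find the agent without a tty. The following is an added example and not code from the original post; it assumes keychain's environment file at $HOME/.keychain/<hostname>-sh (the file keychain itself writes) and uses a placeholder rsync backup job:

```shell
#!/bin/sh
# Added example, not from the original post: use the agent that keychain(1)
# started at the interactive login from a cron job or other non-interactive
# script. keychain writes $HOME/.keychain/<hostname>-sh, a file of export
# statements for SSH_AUTH_SOCK and SSH_AGENT_PID; sourcing it is how a
# script without a tty finds the agent. The backup job is a placeholder.

# Source keychain's environment file; succeed only if an agent socket is
# then known and actually exists. $1 = keychain directory (default
# $HOME/.keychain), $2 = host name part of the file name (default hostname).
load_keychain_env() {
    kc_dir=${1:-"$HOME/.keychain"}
    kc_host=${2:-$(hostname)}
    kc_env="$kc_dir/$kc_host-sh"
    [ -r "$kc_env" ] || return 1
    . "$kc_env"
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# ssh-add -l exits 0 if the agent holds at least one identity, 1 if it is
# empty and 2 if no agent is reachable; the script must not start a long
# job (or prompt for a passphrase it cannot answer) in the latter cases.
agent_has_key() {
    ssh-add -l >/dev/null 2>&1
}

# Entry point for the cron job, e.g.  0 3 * * * /usr/local/bin/backup.sh
# Returns 1 before touching anything when the agent is missing or empty.
backup_main() {
    load_keychain_env || { echo "backup: no keychain agent, run keychain at login first" >&2; return 1; }
    agent_has_key || { echo "backup: agent holds no identity" >&2; return 1; }
    # from here on ssh/scp/rsync authenticate via SSH_AUTH_SOCK
    rsync -a /var/backups/ backup@backup.example.com:/srv/backups/"$(hostname)"/
}
```

The check on ssh-add matters for unattended jobs: after a reboot the agent is gone until someone logs in and enters the passphrase again, and a cron job that just calls ssh would then hang on a passphrase prompt it cannot answer.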

OpenBSD 6.8

OpenBSD 6.8 released. OpenBSD has two new releases every year, historically on 1 May and 1 November, with a few small exceptions in the past (check Wikipedia). So the latest OS appeared today: OpenBSD 6.8.
Perform a full upgrade (incl. the X sets):
sysupgrade -r
Run the script (at your own risk; it is fetched over HTTPS and run as root, so read it first):
doas su -
mkdir /root/bin
ftp -o /root/bin/upgrade_to_68.sh https://puffy.nolink.ch/scripts/upgrade_to_68.sh
chmod 740 /root/bin/upgrade_to_68.sh
# /root/bin/upgrade_to_68.sh
# *** reboot ***
# /root/bin/upgrade_to_68.

Nginx

Assuming you have a website with higher load, a higher demand for availability, or both, you can do the following:
- Duplicate your web server (and its content, of course) as often as you need.
- Put a load balancer in front of the web servers, best in combination with a firewall ruleset.
- Terminate TLS once on the load balancer, or on each web server directly, whichever you prefer. If you terminate on the load balancer, the hop from it to the web servers is plaintext unless you re-encrypt it, so keep that hop on an isolated network.
- You can also double the load balancer with two boxes to get redundancy on that level as well.

SSH Server behind Firewall

Got a server behind NAT / a firewall and need shell access to it?
On the server behind NAT/FW:
user@server$ ssh -R 1234:localhost:22 my.public.jumpbox
Access the server:
ssh my.public.jumpbox
user@jumpbox$ ssh -p 1234 localhost
user@server$
and you're in :)
By default (GatewayPorts no) the forwarded port 1234 is bound to the jumpbox's loopback only, which is why the second hop goes via localhost. Every user with a shell on the jumpbox can reach that port, so the server's own sshd remains the authentication boundary; the key the server uses to open the tunnel should be restricted on the jumpbox to exactly this forward and nothing else.
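An added example, not code from the original post: the authorized_keys entry on the jumpbox that confines the server's tunnel key to this single reverse forward, an audit over an authorized_keys file that flags keys which may open forwards without such a restriction, and a reconnect loop for the server side. Host name, port and key path are placeholders taken from the text above.

```shell
#!/bin/sh
# Added example, not from the original post: (1) the authorized_keys entry
# that confines the tunnel key on the jumpbox to this one reverse forward,
# (2) an audit over an authorized_keys file for keys that may open reverse
# forwards without such a restriction, (3) a reconnect loop for the server
# side. Host name, port and key path are placeholders.

JUMPBOX=${JUMPBOX:-my.public.jumpbox}
TUNNEL_PORT=${TUNNEL_PORT:-1234}
TUNNEL_KEY=${TUNNEL_KEY:-$HOME/.ssh/id_tunnel}

# authorized_keys line for the jumpbox. "restrict" disables pty, agent/X11
# forwarding and command execution (OpenSSH 7.2+), "port-forwarding" turns
# forwarding back on, and permitlisten (7.8+) pins the -R side to one port.
# $1 = port, $2 = key type + base64 blob (+ optional comment)
tunnel_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Audit: print one finding per key that can open forwards unrestricted.
# A line whose first field is a key type has no options at all; otherwise
# the first field is the comma-separated option list.
audit_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print FILENAME ":" NR ": no options, unrestricted key " $1; next }
        $1 !~ /(^|,)restrict(,|$)/ { print FILENAME ":" NR ": missing restrict: " $1; next }
        $1 !~ /permitlisten=/ { print FILENAME ":" NR ": restrict without permitlisten pin: " $1; next }
    ' "$1"
}

# Server side: keep the tunnel up. -N opens no shell; ExitOnForwardFailure
# makes ssh exit (and the loop reconnect) when the jumpbox port is already
# taken instead of silently running without the forward; keepalives detect
# a dead connection. Use a key that is only accepted via the line above.
tunnel_loop() {
    while :; do
        ssh -N -i "$TUNNEL_KEY" \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -R "$TUNNEL_PORT:localhost:22" "$JUMPBOX"
        sleep 10
    done
}
```

Run the audit against ~/.ssh/authorized_keys of the tunnel user on the jumpbox; a clean file prints nothing. With the restricted entry in place a compromise of the NATed server yields only the ability to bind port 1234 on the jumpbox loopback, not a shell there.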

Relayd

Another component of OpenBSD is relayd. It is an integrated load balancer and proxy service, like F5, Nginx and others, but, just like other BSD services, straightforward, simple and easy to use. Wanna see? Set up 4 VMs: one load balancer and 3 web servers. The web servers should serve the same content, while the load balancer checks whether each web server is up and forwards traffic only to the ones that are. The configuration on the load balancer is as simple as this:
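As an added example for the layout sketched here and in the Nginx entry above (one balancer, several identical web servers, TLS terminated once, backends health-checked), and not the configuration from the original post: a small shell function in the style of the page's own heredocs that renders a relayd.conf. The listen address, the backend addresses and the certificate name www.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not the configuration from the original post and not the
# blog's own code: render a relayd.conf for one load balancer in front of N
# identical web servers, TLS terminated on the balancer, backends checked.
# Addresses and the certificate name are placeholders.

# $1 = output path, $2 = address the balancer listens on, rest = backend IPs
write_relayd_conf() {
    out=$1; vip=$2; shift 2
    cat << EOF > "$out"
# relayd.conf: layer 7 relay in front of the web servers
# check every 10 s; a backend that does not answer GET / with 200 leaves
# the table until it does again
interval 10
table <webhosts> { $* }

http protocol "www" {
    # hand the client address to the backends; "set" replaces any
    # client-supplied X-Forwarded-For instead of appending to it
    match request header set "X-Forwarded-For" value "\$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "\$SERVER_ADDR:\$SERVER_PORT"
    # TLS is terminated here: keypair "www.example.com" loads
    # /etc/ssl/www.example.com.crt and /etc/ssl/private/www.example.com.key
    tls keypair "www.example.com"
}

relay "www" {
    listen on $vip port 443 tls
    protocol "www"
    # plain HTTP to the backends; keep that hop on an isolated network
    forward to <webhosts> port 80 check http "/" code 200
}
EOF
}
```

Check the result with relayd -n -f /etc/relayd.conf before enabling the service (rcctl enable relayd; rcctl start relayd); relayctl show hosts then lists each backend as up or down according to the check. For the "two balancer boxes" variant from the Nginx entry, make the listen address a carp(4) address shared by both boxes.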

FullBGP at Home

Did you always want to have a full BGP table at home once, over your DSL / CM / LTE or whatever connection? Here is a little howto :)
Setup VM: install a VM with OpenBSD. Add 1 CPU, 1 GB RAM, 20 GB disk, nothing special.
Check out the upstream provider: check the page from Lukasz and buy him a beer if you ever meet him.
Edit your config: set the router-id to your public IP.
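An added example that serves both the RPKI for Home Usage entry above and this howto; it is not the configuration from either post. It renders a receive-only bgpd.conf for a full feed with RPKI origin validation. The AS numbers, the router-id and the neighbor address are placeholders, and /var/db/rpki-client/openbgpd is the roa-set file that rpki-client(8) writes by default.

```shell
#!/bin/sh
# Added example, not the configuration from either post: render a bgpd.conf
# for a receive-only full feed with RPKI origin validation. Local AS,
# router-id, upstream AS and neighbor address are placeholders; the include
# path is the roa-set file rpki-client(8) writes by default.

# $1 = output path, $2 = local AS, $3 = router-id (your public IP),
# $4 = upstream AS, $5 = neighbor address
write_bgpd_conf() {
    out=$1; localas=$2; routerid=$3; remoteas=$4; peer=$5
    cat << EOF > "$out"
AS $localas
router-id $routerid

# keep the kernel routing table as the ISP default route leaves it;
# switch to "yes" only if the feed's next-hops are really reachable
fib-update no

# ROAs as validated by rpki-client(8); reload bgpd after each run
include "/var/db/rpki-client/openbgpd"

# obvious garbage, independent of RPKI
prefix-set bogons {
    0.0.0.0/8 prefixlen >= 8
    10.0.0.0/8 prefixlen >= 8
    127.0.0.0/8 prefixlen >= 8
    172.16.0.0/12 prefixlen >= 12
    192.168.0.0/16 prefixlen >= 16
}

group "upstream" {
    remote-as $remoteas
    neighbor $peer {
        descr "full feed"
    }
}

# inbound: drop bogons, overly specific prefixes and everything whose
# origin AS or prefix length contradicts a ROA (ovs = origin validation state)
deny quick from ebgp prefix-set bogons
deny quick from ebgp prefix 0.0.0.0/0 prefixlen > 24
deny quick from ebgp ovs invalid
allow from ebgp

# outbound: we are a listener, announce nothing
deny quick to any
EOF
}
```

Check the file with bgpd -n -f /etc/bgpd.conf before starting bgpd. rpki-client has to run before the include makes sense (the default root crontab on recent releases runs rpki-client followed by bgpctl reload); bgpctl show sets shows how many ROAs were loaded, bgpctl show rib ovs valid the routes covered by them, and bgpctl show rib ovs invalid should stay empty once the filter is in place. On OpenBGPD 7.0 and later the same validation can also come from an rtr session instead of the included file.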

Tunnel IPv4 over IPv6

Let's do the opposite: you have some IPv6 connectivity and need to transport IPv4.
Host A (IPv6 only)
root@hosta ~# ifconfig vio0
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr 56:00:02:e7:9d:e5
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet6 fe80::5400:2ff:fee7:9de5%vio0 prefixlen 64 scopeid 0x1
        inet6 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c prefixlen 64 autoconf pltime 604627 vltime 2591827
        inet6 2a05:f480:1400:7b6:446d:acb7:5fe4:450f prefixlen 64 autoconf autoconfprivacy pltime 86046 vltime 172537
root@hosta ~# i3 IPv4: !
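An added example, not from the original post (whose own solution is cut off above): one way to carry IPv4 over an IPv6-only path on OpenBSD is a gif(4) tunnel, which wraps the IPv4 packet in an IPv6 header with next-header 4. All addresses below are placeholders: the 2001:db8:: addresses stand for each host's global IPv6 address, 10.99.0.0/30 for a made-up point-to-point transfer net.

```shell
#!/bin/sh
# Added example, not from the original post, whose own method is not shown
# here: carry IPv4 between two hosts that only reach each other over IPv6
# with a gif(4) tunnel on OpenBSD. Addresses are placeholders: the outer
# 2001:db8:: addresses stand for the hosts' global IPv6 addresses, the
# inner 10.99.0.0/30 is a made-up point-to-point transfer net.

# Address family checks so that outer and inner addresses cannot be swapped:
# an IPv6 literal contains ':', an IPv4 literal is digits and dots only.
is_ipv6() { case "$1" in *:*) return 0 ;; *) return 1 ;; esac; }
is_ipv4() { case "$1" in *[!0-9.]*) return 1 ;; *.*.*.*) return 0 ;; *) return 1 ;; esac; }

# Print the ifconfig commands for one side.
# $1 = local IPv6, $2 = remote IPv6 (outer), $3 = local IPv4, $4 = remote IPv4 (inner)
gif_commands() {
    is_ipv6 "$1" && is_ipv6 "$2" || { echo "gif_commands: outer addresses must be IPv6" >&2; return 1; }
    is_ipv4 "$3" && is_ipv4 "$4" || { echo "gif_commands: inner addresses must be IPv4" >&2; return 1; }
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s up\n' "$3" "$4"
}

# pf rules for the same side: accept the encapsulated packets (IP protocol 4,
# "ipencap" in /etc/protocols) only from the known remote endpoint, then
# filter the decapsulated IPv4 on gif0 like on any other interface.
# $1 = local IPv6, $2 = remote IPv6
gif_pf_rules() {
    printf 'pass in on egress inet6 proto ipencap from %s to %s\n' "$2" "$1"
    printf 'pass on gif0\n'
}

# Apply on the box. For persistence put the tunnel and inet lines into
# /etc/hostname.gif0 as described in hostname.if(5).
gif_apply() {
    gif_commands "$@" | sh -e
}
```

Host B runs the same commands with the arguments mirrored (its own addresses first). The inner MTU is the IPv6 path MTU minus the 40-byte outer header at most, and unencrypted: gif only transports, it does not protect, so anything confidential still wants WireGuard or IPsec on top or instead.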