OpenBSD

Wireguard Puffy to OPNsense

WG Tunnel between OpenBSD and OPNsense How to Setup an WG Tunnel between OpenBSD and OPNSense ? That’s quite simple … OpenBSD Install Packages pkg_add wireguard-tools-- Build Interface r=$(openssl rand -base64 32) remote_ip="1.2.3.4" remote_net="192.168.0.0/24" cat << 'EOF' > /etc/hostname.wg0 # WG Tunnel to OPNsense wgkey ${r} wgport 51820 wgpeer xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net} inet 10.0.0.1/24 !route add ${remote_net} 10.0.0.2 up EOF sh /etc/netstart wg0 ifconfig wg0 update pf.

Keychain

Need a small and smart utility to manage you ssh keys under linux ? got some scripts and cronjobs which requires an local ssh key ? have a look at keychain ! Install Software $ sudo apt-get install keychain edit startup Scripts $HOME/.bashrc / $HOME/.bash_profile / /etc/profile cat << 'EOF' >> $HOME/.bashrc # Keychain Startup eval `keychain --eval id_ed25519` EOF check service $ keychain $ ssh-add -L sha256: 3e33fcf6e85d374fe4e3b365c96c4a0d0270d99768af09f7ec8612209008ad04

OpenBSD & PHP Stuff 7.4

Install NGINX & PHP pkg_add nginx php--%7.4 rcctl enable nginx php74_fpm Edit php.ini sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/' /etc/php-7.4.ini sed -i s'/short_open_tag = Off.*/short_open_tag = On/' /etc/php-7.4.ini Stop 7.3 & Start 7.4 rcctl stop php73_fpm rcctl restart nginx php74_fpm Uninstall PHP 7.3 pkg_del php--%7.3 pkg_del -a sha256: 17490303fe106a6c3a34071338097e6c1aff50c0d4764f1615c0993ce9211bb2

OpenBSD Current

OpenBSD Current Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots FAQ Assuming, you can’t wait for the next release, or you wanna test features, find bugs and so participate on the community, this little script will help you: Upgrade to Current and remove game*,comp*,xf* and xs* Packages before reboot cat << 'EOF' > upgrade_to_current.sh #!/bin/sh echo "let's check for news .

OpenBSD with IPSEC -> GIF -> OSFP

Intro Stage two Machines, puffy206 and puffy207 Both Maschines needs static IP Adresses puffy206 Loopback & Gif doas su - cat << 'EOF' > /etc/hostname.lo1 inet 10.0.0.6/32 up EOF cat << 'EOF' > /etc/hostname.gif0 description "Point2Point Interface for OSPF" mtu 1420 10.10.10.6 10.10.10.7 netmask 255.255.255.255 tunnel 192.168.108.206 192.168.108.207 EOF Enable IPSEC & IP Forwarding cat << 'EOF' >> /etc/sysctl.conf net.inet.ip.forwarding=1 net.inet.gre.allow=1 EOF rcctl enable ipsec isakmpd rcctl set isakmpd flags -K Create Tunnel Endpoint cat << 'EOF' > /etc/ipsec.

IPSEC with OpenBSD

Intro Stage a few Machines, puffy206 - 209 puffy206 has got a static ip, while puffy207 - 209 got dynamic ip addresses Master, puffy206 Loopback doas su - cat << 'EOF' > /etc/hostname.lo1 inet 10.0.0.6/32 up EOF Enable IPSEC & IP Forwarding cat << 'EOF' >> /etc/sysctl.conf net.inet.ip.forwarding=1 net.inet.gre.allow=1 EOF rcctl enable ipsec isakmpd rcctl set isakmpd flags -K Create Tunnel Endpoint cat << 'EOF' > /etc/ipsec.conf ike dynamic esp tunnel from 10.

Tweak Nginx Webserver with limited Client Certificate

Install NGINX & PHP pkg_add nginx php--%7.3 rcctl enable nginx php73_fpm Edit php.ini sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/' /etc/php-7.3.ini sed -i s'/short_open_tag = Off.*/short_open_tag = On/' /etc/php-7.3.ini nginx.conf mkdir /var/log/nginx cat << 'EOF' > /etc/nginx/nginx.conf worker_processes 1; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.types; default_type application/octet-stream; index index.php index.html index.htm; keepalive_timeout 65; server_tokens off; proxy_cache_valid any 0s; log_format main '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent'; map $ssl_client_serial $ssl_access { default 0; WFuDgzQBZXV740D3 1; # Hans Muster EDugUslEX1Et90WX 0; # Beat Breu 2DF3C663741296F5 1; # Ruedi Ruessel } # # HTTP -> Redirect to HTTPS # server { listen 80; server_name localhost; access_log logs/host.

Keepalive

Little Keep Alive … mit freundlicher genehmigung von Kumpel Marc :) #!/usr/bin/env bash FILE="$HOME/scripts/excuses" # Linux or BSD ? nf points to the right binary which numfmt > /dev/null 2>&1 && nf=$(which numfmt) || nf=$(which gnumfmt); # Linux or BSD ? gs points to the right binary which shuf > /dev/null 2>&1 && gs=$(which shuf) || gs=$(which gshuf); if [ ! -e "$FILE" ]; then echo "" echo "$FILE does not exist" echo "##############################################" command -v curl >/dev/null 2>&1 || { echo >&2 "Holy cow!

Openbsd Nginx with Client Authentication

Requirement Webserver http Webserver https Protected Folder https://egal.com/protected with Client Certificate /etc/httpd.conf # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $ server "*" { listen on * port 8080 location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 } } /etc/nginx/nginx.conf # Take note of http://wiki.nginx.org/Pitfalls #user www; worker_processes 1; #load_module "modules/ngx_stream_module.so"; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #error_log syslog:server=unix:/dev/log,severity=notice; #pid logs/nginx.pid; worker_rlimit_nofile 1024; events { worker_connections 800; } http { include mime.

Nginx with Client Certificate

NGINX with Client Certificates root@debian:/etc/nginx/sites-available# server { listen 80; listen [::]:80; server_name host198.planet; root /var/www/host198.planet; access_log /var/log/nginx/host198.planet; index index.html; location / { try_files $uri $uri/ =404; } } server { listen 443 ssl; listen [::]:443 ssl; server_name host198.planet; root /var/www/host198.planet; ssl_certificate /etc/ssl/private/fullchain.crt; ssl_certificate_key /etc/ssl/private/host198.planet.key; ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; ssl_client_certificate /etc/ssl/private/ca.crt; ssl_verify_client optional; access_log /var/log/nginx/host198.planet; index index.html; #location / { # try_files $uri $uri/ =404; #} location / { # if the client-side certificate failed to authenticate, show a 403 # message to the client if ($ssl_client_verify !