vedetta (alpha)

OpenBSD Router Boilerplate

About

an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers

What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?

Features

Share what you've got, keep what you need:

• acme-client - Automatic Certificate Management Environment (ACME) client
  • Configure:
    • etc/acme
    • etc/acme-client.conf
    • etc/httpd.conf
    • etc/pf.conf
    • etc/relayd.conf
    • etc/ssl/acme
    • var/cron/tabs/root
    • var/www/acme
    • var/www/htdocs/freedns.afraid.org
  • Usage:
    • pfctl-f /etc/pf.conf
    • acme-client-vAD freedns.afraid.org
    • ocspcheck-vNo /etc/ssl/acme/freedns.afraid.org.ocsp.resp.der /etc/ssl/acme/freedns.afraid.org.fullchain.pem
• authpf - authenticating gateway user shell
  • Configure:
    • etc/authpf
    • etc/login.conf
    • etc/pf.conf
    • etc/ssh/sshd_config
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlreload sshd
    • ssh[email protected]
• autoinstall - unattended OpenBSD installation and upgrade (pxeboot and mirror example)
  • Configure:
    • etc/dhcpd.conf
    • etc/httpd.conf
    • etc/pf.conf
    • tftpboot
    • var/www/htdocs/boot.vedetta.lan
    • mount host:/path/name /var/www/pub
  • Usage:
    • mkdir -p /tftpboot/etc
    • cd /tftpboot && ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
    • cp /usr/mdec/pxeboot /tftpboot/
    • chmod 555 -R /tftpboot
    • cd /tftpboot && ln -s pxeboot auto_install
    • echo "boot bsd.rd" > /tftpboot/etc/boot.conf && chmod 444 /tftpboot/etc/boot.conf
    • pfctl-f /etc/pf.conf
    • rcctlset tftpd flags -l boot.vedetta.lan -v /tftpboot
    • rcctlset tftpproxy flags -v
    • rcctlrestart dhcpd httpdtftpd tftpproxy
• dhclient - Dynamic Host Configuration Protocol (DHCP) client
  • Configure:
    • etc/dhclient.conf
    • etc/hostname.em0
    • etc/pf.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • sh/etc/netstart em0 or
    • dhclientem0
• dhcpd - Dynamic Host Configuration Protocol (DHCP) server
  • Configure:
    • etc/dhcpd.conf
    • etc/pf.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlset dhcpd flags athn0 em1 em2
    • rcctlstart dhcpd
• (optional) wide-dhcpv6 - client and server for the WIDE DHCPv6 protocol
  • Configure:
    • etc/dhcp6s.conf
    • etc/dhcp6c.conf
    • etc/pf.conf
    • etc/rc.d/dhcp6c
    • etc/rc.d/dhcp6s
    • etc/rad.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlset dhcp6s flags -c /etc/dhcp6s.conf -dD -k /etc/dhcp6sctlkey em1
    • rcctlstart dhcp6s
• ftp-proxy - Internet File Transfer Protocol proxy daemon
  • Configure:
    • etc/pf.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlset ftp-proxy flags -b 10.10.10.10 -T FTP_PROXY
    • rcctlset ftp-proxy6 flags -b fd80:1fe9:fcee:1337::ace:face -T FTP_PROXY6
    • rcctlstart ftp-proxy ftp-proxy6
• hostname.if - interface-specific configuration files with Dual IP stack implementation
  • Configure:
    • etc/hostname.athn0
    • etc/hostname.em0
    • etc/hostname.em1
    • etc/hostname.em2
    • etc/hostname.enc1
    • etc/hostname.gif0
    • etc/hostname.switch0
    • etc/hostname.tun0
    • etc/hostname.vether0
    • etc/hostname.vlan5
    • etc/hostname.vlan7
  • Usage:
    • sh /etc/netstart
• hotplugd - devices hot plugging monitor daemon
  • Configure:
    • etc/hotplug/attach
    • etc/hotplug/detach
    • chmod 750 /etc/hotplug/{attach,detach}
  • Usage:
    • rcctlenable hotplugd
    • rcctlstart hotplugd
• httpd - HTTP daemon as primary, fallback, and autoinstall
  • Configure:
    • etc/httpd.conf
    • etc/newsyslog.conf
    • etc/pf.conf
    • etc/ssl/acme/freedns.afraid.org.fullchain.pem
    • etc/ssl/acme/freedns.afraid.org.ocsp.resp.der
    • etc/ssl/acme/private/freedns.afraid.org.key
    • var/www/htdocs
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlreload syslogd
    • rcctlenable httpd
    • rcctlstart httpd
• ifstated - Interface State daemon to reconnect, update IP, and log
  • Configure:
    • etc/ifstated.conf
  • Usage:
    • rcctlenable ifstated
    • rcctlstart ifstated
• IKEv2 VPN (IPv4 and IPv6)
  • Configure:
    • etc/iked
    • etc/iked.conf
    • etc/iked-vedetta.conf
    • etc/ipsec.conf
    • etc/pf.conf
    • etc/ssl/ikeca.cnf
    • etc/ssl/vedetta
  • Usage:
    • ikectlca vedetta create
    • ikectlca vedetta install
    • ikectlca vedetta certificate freedns.afraid.org create
    • ikectlca vedetta certificate freedns.afraid.org install
    • ikectlca vedetta certificate mobile.vedetta.lan create
    • cd /etc/iked/export
    • ikectlca vedetta certificate mobile.vedetta.lan export
    • tar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgz
    • ikectlca vedetta certificate mobile.vedetta.lan revoke
    • ikectlca vedetta key mobile.vedetta.lan delete
    • pfctl-f /etc/pf.conf
    • rcctlenable ipsec
    • rcctlset iked flags -6
    • rcctlstart iked
• IKEv1 VPN (IPv4)
  • Configure:
    • etc/isakmpd
    • etc/ipsec.conf
    • etc/ipsec-vedetta.conf
    • etc/npppd
    • etc/pf.conf
    • etc/ssl/ikeca.cnf
    • etc/ssl/vedetta
  • Usage:
    • ikectlca vedetta create
    • ikectlca vedetta install /etc/isakmpd
    • ikectlca vedetta certificate freedns.afraid.org create
    • ikectlca vedetta certificate freedns.afraid.org install /etc/isakmpd
    • ikectlca vedetta certificate mobile.vedetta.lan create
    • cd /etc/isakmpd/export
    • ikectlca vedetta certificate mobile.vedetta.lan export
    • tar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgz
    • ikectlca vedetta certificate mobile.vedetta.lan revoke
    • ikectlca vedetta key mobile.vedetta.lan delete
    • pfctl-f /etc/pf.conf
    • rcctlenable ipsec npppd
    • rcctlset isakmpd flags -K
    • rcctlstart npppd isakmpd
    • ipsecctl-d -f /etc/ipsec-vedetta.conf
• nsd - Name Server Daemon (NSD) as authoritative DNS nameserver for LAN
  • Configure:
    • etc/pf.conf
    • var/nsd
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlenable nsd
    • rcctlstart nsd
• ntpd - Network Time Protocol daemon
  • Configure:
    • etc/ntpd.conf
    • etc/pf.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlenable ntpd
    • rcctlstart ntpd
• pf - packet filter with IP based adblock
  • Configure:
    • etc/pf.conf
    • usr/local/bin/adhosts.sh
    • usr/local/bin/malware.sh
    • var/cron/tabs/root
  • Usage:
    • pfctl-f /etc/pf.conf
    • pfctl-vvs queue
    • pfctl-s info
    • pfctl-s states
    • pfctl-vvs rules
    • pfctl-v -s rules -R 4
    • pfctl-s memory
    • tcpdump -n -e -ttt -r /var/log/pflog
    • tcpdump -neq -ttt -i pflog0
• rebound - DNS proxy
  • Configure:
    • etc/dhclient.conf
    • etc/resolv.conf
    • etc/pf.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • dig ipv6.google.com aaaa
• relayd - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, transparent HTTP proxy, and TLS inspection (MITM)
  • Configure:
    • etc/acme-client.conf
    • etc/httpd.conf
    • etc/pf.conf
    • etc/relayd.conf
    • usr/local/bin/get-pin.sh
    • cd/etc/ssl
    • ln -s acme/freedns.afraid.org.fullchain.pem 10.10.10.11:443.crt
    • ln -s acme/freedns.afraid.org.fullchain.pem fd80:1fe9:fcee:1337::ace:babe:443.crt
    • cd/etc/ssl/private
    • ln -s ../acme/private/freedns.afraid.org.key 10.10.10.11:443.key
    • ln -s ../acme/private/freedns.afraid.org.key fd80:1fe9:fcee:1337::ace:babe:443.key
    • mkdir -p /etc/ssl/relayd/private
    • openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt
    • echo 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.ext
    • openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048
    • openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key -out /etc/ssl/relayd/private/relay.vedetta.lan.csr -nodes
    • openssl x509 -sha256 -req -days 365 -in /etc/ssl/relayd/private/relay.vedetta.lan.csr -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key -CAcreateserial -extfile /etc/ssl/relayd/server.ext -out /etc/ssl/relayd/relay.vedetta.lan.crt
    • cd /etc/ssl
    • ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt
    • ln -s relayd/relay.vedetta.lan.crt ::1.crt
    • cd /etc/ssl/private
    • ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key
    • ln -s ../relayd/private/relay.vedetta.lan.key ::1.key
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlenable relayd
    • rcctlstart relayd
    • pfctl-T add -t httpfilter $ip
    • pfctl-T add -t tlsinspect $ip
• rad - router advertisement daemon
  • Configure:
    • etc/pf.conf
    • etc/rad.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlenable rad
    • rcctlstart rad
• sensorsd - hardware sensors monitor
  • Configure:
    • etc/sensorsd.conf
  • Usage:
    • rcctlenable sensorsd
    • rcctlstart sensorsd
• slaacd - a stateless address autoconfiguration daemon
  • Configure:
    • ifconfigem0 inet6 autoconf
  • Usage:
    • slaacctlshow interface em0
• smtpd - Simple Mail Transfer Protocol daemon, see Caesonia
  • Configure:
    • etc/mail/aliases
    • etc/mail/smtpd.conf
    • touch/etc/mail/secrets
    • chmod 640 /etc/mail/secrets
    • chown root:_smtpd /etc/mail/secrets
    • echo "puffy [email protected]:password" > /etc/mail/secrets
  • Usage:
    • rcctlrestart smtpd
• sshd - OpenSSH SSH daemon with internal-sftp
  • Configure:
    • etc/pf.conf
    • etc/ssh
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlstart sshd
• switchd - software-defined networking (SDN) sflow controller
  • Configure:
    • etc/hostname.switch0
    • etc/pf.conf
    • etc/switchd.conf
  • Usage:
    • sh /etc/netstart switch0
    • pfctl-f /etc/pf.conf
    • rcctlenable switchd
    • rcctlstart switchd
    • switchctlconnect /dev/switch0
• syslogd - log system messages
  • Configure:
    • etc/newsyslog.conf
    • var/cron/tabs/root
  • Usage:
• unbound - Unbound DNS validating resolver from root nameservers, with caching and DNS based adblock
  • Configure:
    • etc/dhclient.conf
    • etc/resolv.conf
    • etc/pf.conf
    • usr/local/bin/dnsblock.sh
    • var/cron/tabs/root
    • var/unbound
  • Usage:
    • pfctl-f /etc/pf.conf
    • rcctlenable unbound
    • rcctlstart unbound

Sysadmin:

• crontab - maintain crontab files for individual users
  • Configure:
    • var/cron
  • Usage:
    • crontab-e
• doas - execute commands as another user
  • Configure:
    • etc/doas.conf
  • Usage:
    • doastmux
• ftp - Internet file transfer program
  • Configure:
    • etc/pf.conf
  • Usage:
    • pfctl-f /etc/pf.conf
    • ftp-o - "https://www.openbsd.org/donations.html"
• mail - send and receive mail, for daily reading
  • Usage:
    • mail
• syspatch - manage base system binary patches
  • Configure:
    • etc/installurl
    • var/cron/tabs/root
  • Usage:
    • syspatch-c
• systat - display system statistics
  • Usage:
    • systatqueues
    • systatpf
    • systatstates
    • systatrules
• tmux - terminal multiplexer
  • Configure:
    • ~/.tmux.conf
  • Usage:
    • tmux

Hardware

OpenBSD likes small form factor, low-power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on APU2.

Install

Encryption is the easiest method for media sanitization and disposal. OpenBSD supports full disk encryption using a keydisk (e.g. a USB stick).

Partitions are important for security, stability, and integrity. A minimum partition layout example for router with (upgrade itself) binary base, and no packages (comfortable fit on flash memory cards/drives):

SSL

It's best practice to create CAs on a single purpose secure machine, with no network access.

Specify which certificate authorities (CAs) are allowed to issue certificates for your domain, by adding DNS Certification Authority Authorization (CAA) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone

Revoke certificates as often as possible.

SSH

SSH fingerprints verified by DNS is done by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone: ssh-keygen -r vedetta.lan.
Verify: dig -t SSHFP vedetta.lan
Usage: ssh -o "VerifyHostKeyDNS ask" acolyte.vedetta.lan

Manage keys with ssh-agent.

Detect tampered keyfiles or man in the middle attacks with ssh-keyscan.

Control access to local users with principals.

Firewall

Guests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. It's best to authenticate an IP after connecting to VPN. There are three users in this one person scenario: one for wheel, one for sftp, and one for authpf.

Performance

Consider using mount_mfs in order to reduce wear and tear, as well as to speed up the system. Remember to set the sticky bit on mfs /tmp, see etc/fstab.

Caveats

• VPN with IKEv2 or IKEv1, not both. While there are many tecnologies for VPN, only IKEv2 and IKEv1 are standard (considerable effort was put into testing and securing)
• relayd does not support CRL, SNI, nor OCSP (yet)
• httpd without custom error pages (can be patched)
• 11n is max WiFi mode, is this enough?

Support

Via issues and #vedetta:matrix.org

Contribute

Want to help out? ⭐️ Fork this repo ⭐️