OpenBSD Router Boilerplate

an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers

What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?

Share what you've got, keep what you need:

• acme-client - Automatic Certificate Management Environment (ACME) client
  • Configure:
    • etc/acme
    • etc/acme/acme-client.conf
    • etc/httpd.conf
    • etc/pf.conf
    • etc/relayd.conf
    • etc/ssl/acme
    • var/cron/tabs/root
    • var/www/htdocs/acme
    • var/www/htdocs/freedns.afraid.org
  • Usage:
    • pfctl -f /etc/pf.conf
    • acme-client -vAD freedns.afraid.org
    • usr/local/bin/get-ocsp.sh freedns.afraid.org
• authpf - authenticating gateway user shell
  • Configure:
    • etc/authpf
    • etc/login.conf
    • etc/pf.conf
    • etc/ssh/sshd_config
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl reload sshd
    • ssh [email protected]
• dhclient - Dynamic Host Configuration Protocol (DHCP) client
  • Configure:
    • etc/dhclient.conf
    • etc/hostname.em0
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • sh /etc/netstart em0 or
    • dhclient em0
• dhcpd - Dynamic Host Configuration Protocol (DHCP) server
  • Configure:
    • etc/dhcpd.conf
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set dhcpd flags \"athn0 em1 em2\"
    • rcctl start dhcpd
• (optional) wide-dhcpv6 - client and server for the WIDE DHCPv6 protocol
  • Configure:
    • etc/dhcp6s.conf
    • etc/dhcp6c.conf
    • etc/pf.conf
    • etc/rc.d/dhcp6c
    • etc/rc.d/dhcp6s
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set dhcp6s flags \"-c /etc/dhcp6s.conf -dD -k /etc/dhcp6sctlkey em1\"
    • rcctl start dhcp6s
• ftp-proxy - Internet File Transfer Protocol proxy daemon
  • Configure:
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set ftp-proxy flags \"-b 10.10.10.10 -T FTP_PROXY\"
    • rcctl set ftp-proxy6 flags \"-b fd80:1fe9:fcee:1337::ace:face -T FTP_PROXY6\"
    • rcctl start ftp-proxy ftp-proxy6
• hostname.if - interface-specific configuration files with Dual IP stack implementation
  • Configure:
    • etc/hostname.athn0
    • etc/hostname.em0
    • etc/hostname.em1
    • etc/hostname.em2
    • etc/hostname.enc1
    • etc/hostname.gif0
    • etc/hostname.tun0
    • etc/hostname.vether0
  • Usage:
    • sh /etc/netstart
• httpd - HTTP daemon as primary, fallback, and autoinstall
  • Configure:
    • etc/httpd.conf
    • etc/newsyslog.conf
    • etc/pf.conf
    • etc/ssl/acme/freedns.afraid.org.fullchain.pem
    • etc/ssl/acme/freedns.afraid.org.ocsp.resp.der
    • etc/ssl/acme/private/freedns.afraid.org.key
    • var/www/htdocs
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl reload syslogd
    • rcctl enable httpd
    • rcctl start httpd
• ifstated - Interface State daemon to reconnect, update IP, and log
  • Configure:
    • etc/ifstated.conf
  • Usage:
    • rcctl enable ifstated
    • rcctl start ifstated
• IKEv2 VPN (IPv4 and IPv6)
  • Configure:
    • etc/iked
    • etc/iked.conf
    • etc/iked-vedetta.conf
    • etc/pf.conf
    • etc/ssl/ikeca.cnf
    • etc/ssl/vedetta
  • Usage:
    • ikectl ca vedetta create
    • ikectl ca vedetta install
    • ikectl ca vedetta certificate freedns.afraid.org create
    • ikectl ca vedetta certificate freedns.afraid.org install
    • ikectl ca vedetta certificate mobile.vedetta.lan create
    • cd /etc/iked/export
    • ikectl ca vedetta certificate mobile.vedetta.lan export
    • tar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgz
    • ikectl ca vedetta certificate mobile.vedetta.lan revoke
    • ikectl ca vedetta key mobile.vedetta.lan delete
    • pfctl -f /etc/pf.conf
    • rcctl set iked flags \"-6\"
    • rcctl start iked
• IKEv1 VPN (IPv4)
  • Configure:
    • etc/isakmpd
    • etc/ipsec.conf
    • etc/ipsec-vedetta.conf
    • etc/npppd
    • etc/pf.conf
    • etc/ssl/ikeca.cnf
    • etc/ssl/vedetta
  • Usage:
    • ikectl ca vedetta create
    • ikectl ca vedetta install /etc/isakmpd
    • ikectl ca vedetta certificate freedns.afraid.org create
    • ikectl ca vedetta certificate freedns.afraid.org install /etc/isakmpd
    • ikectl ca vedetta certificate mobile.vedetta.lan create
    • cd /etc/isakmpd/export
    • ikectl ca vedetta certificate mobile.vedetta.lan export
    • tar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgz
    • ikectl ca vedetta certificate mobile.vedetta.lan revoke
    • ikectl ca vedetta key mobile.vedetta.lan delete
    • pfctl -f /etc/pf.conf
    • rcctl enable ipsec npppd
    • rcctl set isakmpd flags \"-K\"
    • rcctl start npppd isakmpd
    • ipsecctl -d -f /etc/ipsec-vedetta.conf
• nsd - Name Server Daemon (NSD) as authoritative DNS nameserver for LAN
  • Configure:
    • etc/pf.conf
    • var/nsd
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set nsd flags \"-c /var/nsd/etc/nsd.conf\"
    • rcctl start nsd
• ntpd - Network Time Protocol daemon
  • Configure:
    • etc/ntpd.conf
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl enable ntpd
    • rcctl start ntpd
• pf - packet filter with IP based adblock
  • Configure:
    • etc/pf.conf
    • var/cron/tabs/root
  • Usage:
    • pfctl -f /etc/pf.conf
    • pfctl -vvs queue
    • pfctl -s info
    • pfctl -s states
    • pfctl -vvs rules
    • pfctl -v -s rules -R 4
    • pfctl -s memory
    • tcpdump -n -e -ttt -r /var/log/pflog
    • tcpdump -neq -ttt -i pflog0
• rebound - DNS proxy
  • Configure:
    • etc/pf.conf
    • etc/resolv.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • dig ipv6.google.com aaaa
• relayd - relay daemon for loadbalancing, SSL/TLS acceleration, and DNS-sanitizing
  • Configure:
    • etc/pf.conf
    • etc/relayd.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl enable relayd
    • rcctl start relayd
• rtadvd - router advertisement daemon
  • Configure:
    • etc/pf.conf
    • etc/rtadvd.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set rtadvd flags \"athn0 em1 em2\"
    • rcctl start rtadvd
• sshd - OpenSSH SSH daemon with internal-sftp
  • Configure:
    • etc/pf.conf
    • etc/ssh
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl start sshd
• syslogd - log system messages
  • Configure:
    • etc/newsyslog.conf
    • var/cron/tabs/root
  • Usage:
    • rcctl set syslogd flags \"\${syslogd_flags} -a /var/unbound/dev/log -a /var/nsd/dev/log\"
    • rcctl start syslogd
• unbound - Unbound DNS validating resolver from root nameservers, with caching and DNS based adblock
  • Configure:
    • etc/pf.conf
    • var/cron/tabs/root
    • var/unbound
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set unbound flags \"-v -c /var/unbound/etc/unbound.conf\"
    • rcctl start unbound

Sysadmin:

• crontab - maintain crontab files for individual users
  • Configure:
    • var/cron
  • Usage:
    • crontab -e
• doas - execute commands as another user
  • Configure:
    • etc/doas.conf
  • Usage:
    • doas tmux
• ftp - Internet file transfer program
  • Configure:
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • ftp "https://www.openbsd.org/index.html"
• mail - send and receive mail, for daily reading
  • Usage:
    • mail
• syspatch - manage base system binary patches
  • Configure:
    • etc/installurl
    • var/cron/tabs/root
  • Usage:
    • syspatch -c
• systat - display system statistics
  • Usage:
    • systat queues
    • systat pf
    • systat states
    • systat rules
• tmux - terminal multiplexer
  • Configure:
    • ~/.tmux.conf
  • Usage:
    • tmux

OpenBSD likes small form factor, low power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on APU2.

Encryption is the easiest method for media sanitization and disposal. For this reason, it is recommended to use full disk encryption.

It's best practice to create CAs on a single purpose secure machine, with no network access.

Specify which certificate authorities (CAs) are allowed to issue certificates for your domain, by adding DNS Certification Authority Authorization (CAA) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone

Revoke certificates as often as possible.

SSH fingerprints verified by DNS is done by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Record (RR) to var/nsd/zones/master/vedetta.lan.zone: ssh-keygen -r vedetta.lan.
Verify: dig -t SSHFP vedetta.lan
Usage: ssh -o "VerifyHostKeyDNS ask" acolyte.vedetta.lan

Manage keys with ssh-agent.

Guests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. It's best to authenticate an IP after connecting to VPN. There are three users in this one person example: one for wheel, one for sftp, and one for authpf.

Consider using mount_mfs in order to reduce wear and tear, as well as to speed up the system. Remember to set the sticky bit on mfs /tmp, as shown in etc/fstab.

• VPN with IKEv2 or IKEv1, not both. While there are many tecnologies for VPN, only IKEv2 and IKEv1 are standard (considerable effort was put into testing and securing)
• OpenIKED is close to supporting the strongSwan Android client
• relayd does not ocsp, yet
• 11n is max WiFi mode, is this enough?
• authpf users have sftp access

Via issues and #openbsd:matrix.org

Show us your fork!