OpenBSD Router Boilerplate
An opinionated, best-practice, vanilla OpenBSD base configuration for bare-metal or cloud routers.
What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?
Share what you've got, keep what you need:
- acme-client - Automatic Certificate Management Environment (ACME) client
  - Configure:
  - Usage:
    - `pfctl -f /etc/pf.conf`
    - `acme-client -vAD freedns.afraid.org`
    - `usr/local/bin/get-ocsp.sh freedns.afraid.org`
- authpf - authenticating gateway user shell
  - Configure:
  - Usage:
    - `pfctl -f /etc/pf.conf`
    - `rcctl reload sshd`
    - `ssh [email protected]`
- dhclient - Dynamic Host Configuration Protocol (DHCP) client
  - Configure:
  - Usage:
- dhcpd - Dynamic Host Configuration Protocol (DHCP) server
  - Configure:
  - Usage:
- (optional) wide-dhcpv6 - client and server for the WIDE DHCPv6 protocol
  - Configure: `etc/dhcp6s.conf`, `etc/dhcp6c.conf`, `etc/pf.conf`, `etc/rc.d/dhcp6c`, `etc/rc.d/dhcp6s`
  - Usage:
- ftp-proxy - Internet File Transfer Protocol proxy daemon
  - Configure:
  - Usage:
- hostname.if - interface-specific configuration files with a dual IP stack implementation
  - Configure:
  - Usage: `sh /etc/netstart`
- httpd - HTTP daemon as primary, fallback, and autoinstall
  - Configure:
  - Usage:
- ifstated - Interface State daemon to reconnect, update IP, and log
  - Configure:
  - Usage:
- IKEv2 VPN (IPv4 and IPv6)
  - Configure: `etc/iked`, `etc/iked.conf`, `etc/iked-vedetta.conf`, `etc/pf.conf`, `etc/ssl/ikeca.cnf`, `etc/ssl/vedetta`
  - Usage:
    - `ikectl ca vedetta create`
    - `ikectl ca vedetta install`
    - `ikectl ca vedetta certificate freedns.afraid.org create`
    - `ikectl ca vedetta certificate freedns.afraid.org install`
    - `ikectl ca vedetta certificate mobile.vedetta.lan create`
    - `cd /etc/iked/export`
    - `ikectl ca vedetta certificate mobile.vedetta.lan export`
    - `tar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgz`
    - `ikectl ca vedetta certificate mobile.vedetta.lan revoke`
    - `ikectl ca vedetta key mobile.vedetta.lan delete`
    - `pfctl -f /etc/pf.conf`
    - `rcctl set iked flags "-6"`
    - `rcctl start iked`
- IKEv1 VPN (IPv4)
  - Configure: `etc/isakmpd`, `etc/ipsec.conf`, `etc/ipsec-vedetta.conf`, `etc/npppd`, `etc/pf.conf`, `etc/ssl/ikeca.cnf`, `etc/ssl/vedetta`
  - Usage:
    - `ikectl ca vedetta create`
    - `ikectl ca vedetta install /etc/isakmpd`
    - `ikectl ca vedetta certificate freedns.afraid.org create`
    - `ikectl ca vedetta certificate freedns.afraid.org install /etc/isakmpd`
    - `ikectl ca vedetta certificate mobile.vedetta.lan create`
    - `cd /etc/isakmpd/export`
    - `ikectl ca vedetta certificate mobile.vedetta.lan export`
    - `tar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgz`
    - `ikectl ca vedetta certificate mobile.vedetta.lan revoke`
    - `ikectl ca vedetta key mobile.vedetta.lan delete`
    - `pfctl -f /etc/pf.conf`
    - `rcctl enable ipsec npppd`
    - `rcctl set isakmpd flags "-K"`
    - `rcctl start npppd isakmpd`
    - `ipsecctl -d -f /etc/ipsec-vedetta.conf`
- nsd - Name Server Daemon (NSD) as authoritative DNS nameserver for the LAN
  - Configure:
  - Usage:
- ntpd - Network Time Protocol daemon
  - Configure:
  - Usage:
- pf - packet filter with IP-based adblock
  - Configure:
  - Usage:
- rebound - DNS proxy
  - Configure:
  - Usage:
    - `pfctl -f /etc/pf.conf`
    - `dig ipv6.google.com aaaa`
- relayd - relay daemon for load balancing, SSL/TLS acceleration, and DNS sanitizing
  - Configure:
  - Usage:
- rtadvd - router advertisement daemon
  - Configure:
  - Usage:
- sshd - OpenSSH SSH daemon with internal-sftp
  - Configure:
  - Usage:
- syslogd - log system messages
  - Configure:
  - Usage:
- unbound - Unbound DNS validating resolver from the root nameservers, with caching and DNS-based adblock
  - Configure:
  - Usage:

Sysadmin:
- crontab - maintain crontab files for individual users
- doas - execute commands as another user
  - Configure:
  - Usage: `doas tmux`
- ftp - Internet file transfer program
  - Configure:
  - Usage:
- mail - send and receive mail, for daily reading
  - Usage:
- syspatch - manage base system binary patches
  - Configure: `etc/installurl`, `var/cron/tabs/root`
  - Usage: `syspatch -c`
- systat - display system statistics
- tmux - terminal multiplexer
  - Configure: `~/.tmux.conf`
  - Usage:
OpenBSD likes small form factor, low power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on APU2.
Encryption is the easiest method for media sanitization and disposal. For this reason, it is recommended to use full disk encryption.
It's best practice to create CAs on a single-purpose, secure machine with no network access.
Specify which certificate authorities (CAs) are allowed to issue certificates for your domain by adding a DNS Certification Authority Authorization (CAA) Resource Record (RR) to `var/nsd/zones/master/vedetta.lan.zone`.
Revoke certificates as often as possible.
SSH host key fingerprints are verified via DNS by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Records (RR) to `var/nsd/zones/master/vedetta.lan.zone`:
- Generate: `ssh-keygen -r vedetta.lan.`
- Verify: `dig -t SSHFP vedetta.lan`
- Usage: `ssh -o "VerifyHostKeyDNS ask" acolyte.vedetta.lan`
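As an added example (not part of this repository), the POSIX shell script below shows what `ssh-keygen -r` produces: an SSHFP record whose fingerprint is the SHA-256 of the decoded host-key blob. It also checks a record served by nsd against the key a host actually presents, which is the comparison `VerifyHostKeyDNS` performs. The key line is constructed, not a real host key; `sha256sum` or `openssl`, `base64` and `awk` are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the vedetta repository: build an SSHFP resource
# record (RFC 4255 / RFC 6594) from an OpenSSH public key line and compare
# it with a record published in the zone.

# SSHFP algorithm number for an OpenSSH key type.
sshfp_alg() {
  case "$1" in
    ssh-rsa) echo 1 ;;
    ssh-dss) echo 2 ;;
    ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
    ssh-ed25519) echo 4 ;;
    *) echo "unsupported key type: $1" >&2; return 1 ;;
  esac
}

# SHA-256 of stdin as lowercase hex (SSHFP fingerprint type 2).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    openssl dgst -sha256 | sed 's/^.* //'
  fi
}

# sshfp_record HOST "TYPE BASE64 [COMMENT]" -> zone file line for HOST.
# The digest covers the decoded key blob, exactly as ssh-keygen -r does.
sshfp_record() {
  host=${1%.}
  set -- $2
  alg=$(sshfp_alg "$1") || return 1
  printf '%s. IN SSHFP %s 2 %s\n' "$host" "$alg" \
    "$(printf '%s' "$2" | base64 -d | sha256_hex)"
}

# sshfp_match "RR LINE" "TYPE BASE64 [COMMENT]" -> 0 when the published
# fingerprint matches the presented key, 1 otherwise (hex case-insensitive).
sshfp_match() {
  want=$(printf '%s' "$1" | awk '{print tolower($NF)}')
  set -- $2
  [ "$want" = "$(printf '%s' "$2" | base64 -d | sha256_hex)" ]
}

# Constructed sample key line (not a real host key); in practice read
# /etc/ssh/ssh_host_ed25519_key.pub on the router.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI0123456789012345678901234567890123456789abc root@vedetta.lan'

sshfp_record vedetta.lan "$SAMPLE_KEY"
```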
Manage keys with ssh-agent.
Guests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. It's best to authenticate an IP after connecting to VPN. There are three users in this one person example: one for wheel, one for sftp, and one for authpf.
Consider using mount_mfs in order to reduce wear and tear, as well as to speed up the system. Remember to set the sticky bit on mfs /tmp, as shown in etc/fstab.
- VPN with IKEv2 or IKEv1, not both. While there are many technologies for VPN, only IKEv2 and IKEv1 are standard (considerable effort was put into testing and securing them).
- OpenIKED is close to supporting the strongSwan Android client.
- relayd does not support OCSP yet.
- 11n is the maximum WiFi mode; is this enough?
- authpf users have sftp access.
Via issues and #openbsd:matrix.org
Show us your fork!