vedetta (alpha)

OpenBSD Router Boilerplate

About

an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers

What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?

Features

Share what you've got, keep what you need:

• acme-client - Automatic Certificate Management Environment (ACME) client
  • Configure:
    • etc/acme
    • etc/acme-client.conf
    • etc/httpd.conf
    • etc/pf.conf
    • etc/relayd.conf
    • etc/ssl/acme
    • var/cron/tabs/root
    • var/www/acme
    • var/www/htdocs/freedns.afraid.org
  • Usage:
    • pfctl -f /etc/pf.conf
    • acme-client -vAD freedns.afraid.org
    • ocspcheck -vNo /etc/ssl/acme/freedns.afraid.org.ocsp.resp.der /etc/ssl/acme/freedns.afraid.org.fullchain.pem
• authpf - authenticating gateway user shell
  • Configure:
    • etc/authpf
    • etc/login.conf
    • etc/pf.conf
    • etc/ssh/sshd_config
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl reload sshd
    • ssh pauth@freedns.afraid.org
• autoinstall - unattended OpenBSD installation and upgrade (pxeboot and mirror example)
  • Configure:
    • etc/dhcpd.conf
    • etc/httpd.conf
    • etc/pf.conf
    • tftpboot
    • var/www/htdocs/boot.vedetta.lan
    • mount host:/path/name /var/www/pub
  • Usage:
    • mkdir -p /tftpboot/etc
    • cd /tftpboot && ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
    • cp /usr/mdec/pxeboot /tftpboot/
    • chmod 555 -R /tftpboot
    • cd /tftpboot && ln -s pxeboot auto_install
    • echo "boot bsd.rd" > /tftpboot/etc/boot.conf && chmod 444 /tftpboot/etc/boot.conf
    • pfctl -f /etc/pf.conf
    • rcctl set tftpd flags -l boot.vedetta.lan -v /tftpboot
    • rcctl set tftpproxy flags -v
    • rcctl restart dhcpd httpdtftpd tftpproxy
• dhclient - Dynamic Host Configuration Protocol (DHCP) client
  • Configure:
    • etc/dhclient.conf
    • etc/hostname.em0
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • sh /etc/netstart em0 or
    • dhclient em0
• dhcpd - Dynamic Host Configuration Protocol (DHCP) server
  • Configure:
    • etc/dhcpd.conf
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set dhcpd flags athn0 em1 em2
    • rcctl start dhcpd
• (optional) wide-dhcpv6 - client and server for the WIDE DHCPv6 protocol
  • Configure:
    • etc/dhcp6s.conf
    • etc/dhcp6c.conf
    • etc/pf.conf
    • etc/rc.d/dhcp6c
    • etc/rc.d/dhcp6s
    • etc/rad.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set dhcp6s flags -c /etc/dhcp6s.conf -dD -k /etc/dhcp6sctlkey em1
    • rcctl start dhcp6s
• ftp-proxy - Internet File Transfer Protocol proxy daemon
  • Configure:
    • etc/pf.conf
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl set ftp-proxy flags -b 10.10.10.10 -T FTP_PROXY
    • rcctl set ftp-proxy6 flags -b fd80:1fe9:fcee:1337::ace:face -T FTP_PROXY6
    • rcctl start ftp-proxy ftp-proxy6
• hostname.if - interface-specific configuration files with Dual IP stack implementation
  • Configure:
    • etc/hostname.athn0
    • etc/hostname.em0
    • etc/hostname.em1
    • etc/hostname.em2
    • etc/hostname.enc1
    • etc/hostname.gif0
    • etc/hostname.switch0
    • etc/hostname.tun0
    • etc/hostname.vether0
    • etc/hostname.vlan5
    • etc/hostname.vlan7
  • Usage:
    • sh /etc/netstart
• hotplugd - devices hot plugging monitor daemon
  • Configure:
    • etc/hotplug/attach
    • etc/hotplug/detach
    • chmod 750 /etc/hotplug/{attach,detach}
  • Usage:
    • rcctl enable hotplugd
    • rcctl start hotplugd
• httpd - HTTP daemon as primary, fallback, and autoinstall
  • Configure:
    • etc/httpd.conf
    • etc/newsyslog.conf
    • etc/pf.conf
    • etc/ssl/acme/freedns.afraid.org.fullchain.pem
    • etc/ssl/acme/freedns.afraid.org.ocsp.resp.der
    • etc/ssl/acme/private/freedns.afraid.org.key
    • var/www/htdocs
  • Usage:
    • pfctl -f /etc/pf.conf
    • rcctl reload syslogd
    • rcctl enable httpd
    • rcctl start httpd
• ifstated - Interface State daemon to reconnect, update IP, and log
  • Configure:
    • etc/ifstated.conf
  • Usage:
    • rcctl enable ifstated
    • rcctl start ifstated
• IKEv2 VPN (IPv4 and IPv6)
  • Configure:
    • etc/iked
    • etc/iked.conf
    • etc/iked-vedetta.conf
    • etc/ipsec.conf
    • etc/pf.conf
    • etc/ssl/ikeca.cnf
    • etc/ssl/vedetta
  • Usage:
    • ikectl ca vedetta create
    • ikectl ca vedetta install
    • ikectl ca vedetta certificate freedns.afraid.org create
    • ikectl ca vedetta certificate freedns.afraid.org install
    • ikectl ca vedetta certificate mobile.vedetta.lan create
    • cd /etc/iked/export
    • ikectl ca vedetta certificate mobile.vedetta.lan export
    • tar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgz
    • ikectl ca vedetta certificate mobile.vedetta.lan revoke
    • ikectl ca vedetta key mobile.vedetta.lan delete
    • pfctl -f /etc/pf.conf
    • rcctl enable ipsec
    • rcctl set iked flags -6
    • rcctl start iked
• IKEv1 VPN (IPv4)
  • Configure:
    • etc/isakmpd
    • etc/ipsec.conf
    • etc/ipsec-vedetta.conf
    • etc/npppd
    • etc/pf.conf
    • etc/ssl/ikeca.cnf
    • etc/ssl/vedetta
  • Usage:
    • ikectl ca vedetta create
    • ikectl ca vedetta install /etc/isakmpd
    • ikectl ca vedetta certificate freedns.afraid.org create
    • ikectl ca vedetta certificate freedns.afraid.org install /etc/isakmpd
    • ikectl ca vedetta certificate mobile.vedetta.lan create
    • cd /etc/isakmpd/export
    • ikectl ca vedetta certificate mobile.vedetta.lan export
    • tar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgz
    • ikectl ca vedetta certificate mobile.vedetta.lan revoke
    • ikectl ca vedetta key mobile.vedetta.lan delete
    • pfctl -f /etc/pf.conf
    • [rcctl](https