https://github.com/vedetta-com/vedetta

OpenBSD Router Boilerplate

boilerplate dns-server firewall gateway http-server ipv4 ipv6 openbsd relay-server router sdn software-defined-network vpn

# vedetta (alpha)
*Open*BSD Router Boilerplate

![Vedetta Logo](https://avatars2.githubusercontent.com/u/29383850)
## About
> an opinionated, best practice, vanilla OpenBSD base configuration for bare-metal, or cloud routers

What would an OpenBSD router configured using examples from the OpenBSD FAQ and Manual pages look like?

## Features
Share what you've got, keep what you need:
* [acme-client](https://man.openbsd.org/acme-client) - Automatic Certificate Management Environment (ACME) client
- *Configure:*
- [`etc/acme`](src/etc/acme)
- [`etc/acme-client.conf`](src/etc/acme-client.conf)
- [`etc/httpd.conf`](src/etc/httpd.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/relayd.conf`](src/etc/relayd.conf)
- [`etc/ssl/acme`](src/etc/ssl/acme)
- [`var/cron/tabs/root`](src/var/cron/tabs/root)
- `var/www/acme`
- [`var/www/htdocs/freedns.afraid.org`](src/var/www/htdocs/freedns.afraid.org)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`acme-client`](https://man.openbsd.org/acme-client)` -vAD freedns.afraid.org`
- [`ocspcheck`](https://man.openbsd.org/ocspcheck)` -vNo /etc/ssl/acme/freedns.afraid.org.ocsp.resp.der /etc/ssl/acme/freedns.afraid.org.fullchain.pem`
* [authpf](https://man.openbsd.org/authpf) - authenticating gateway user shell
- *Configure:*
- [`etc/authpf`](src/etc/authpf)
- [`etc/login.conf`](src/etc/login.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/ssh/sshd_config`](src/etc/ssh/sshd_config)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` reload sshd`
- [`ssh`](https://man.openbsd.org/ssh)` [email protected]`
* [autoinstall](https://man.openbsd.org/autoinstall) - unattended OpenBSD installation and upgrade ([pxeboot](https://man.openbsd.org/pxeboot) and [mirror](https://www.openbsd.org/ftp.html) example)
- *Configure:*
- [`etc/dhcpd.conf`](src/etc/dhcpd.conf)
- [`etc/httpd.conf`](src/etc/httpd.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`tftpboot`](src/tftpboot)
- [`var/www/htdocs/boot.vedetta.lan`](src/var/www/htdocs/boot.vedetta.lan)
- `mount host:/path/name /var/www/pub`
- *Usage:*
- `mkdir -p /tftpboot/etc`
- `cd /tftpboot && ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd`
- `cp /usr/mdec/pxeboot /tftpboot/`
- `chmod -R 555 /tftpboot` (options go before the mode with OpenBSD's [`chmod`](https://man.openbsd.org/chmod))
- `cd /tftpboot && ln -s pxeboot auto_install`
- `echo "boot bsd.rd" > /tftpboot/etc/boot.conf && chmod 444 /tftpboot/etc/boot.conf`
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` set tftpd flags -l boot.vedetta.lan -v /tftpboot`
- [`rcctl`](https://man.openbsd.org/rcctl)` set tftpproxy flags -v`
- [`rcctl`](https://man.openbsd.org/rcctl)` restart dhcpd httpd tftpd tftpproxy` (see [`tftpd`](https://man.openbsd.org/tftpd) and [`tftp-proxy`](https://man.openbsd.org/tftp-proxy))
* [dhclient](https://man.openbsd.org/dhclient) - Dynamic Host Configuration Protocol (DHCP) client
- *Configure:*
- [`etc/dhclient.conf`](src/etc/dhclient.conf)
- [`etc/hostname.em0`](src/etc/hostname.em0)
- [`etc/pf.conf`](src/etc/pf.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`sh`](https://man.openbsd.org/sh)` /etc/netstart em0` *or*
- [`dhclient`](https://man.openbsd.org/dhclient)` em0`
* [dhcpd](https://man.openbsd.org/dhcpd) - Dynamic Host Configuration Protocol (DHCP) server
- *Configure:*
- [`etc/dhcpd.conf`](src/etc/dhcpd.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` set dhcpd flags athn0 em1 em2`
- [`rcctl`](https://man.openbsd.org/rcctl)` start dhcpd`
* (optional) [wide-dhcpv6](https://github.com/openbsd/ports/tree/master/net/wide-dhcpv6) - client and server for the WIDE DHCPv6 protocol
- *Configure:*
- [`etc/dhcp6s.conf`](src/etc/dhcp6s.conf)
- `etc/dhcp6c.conf`
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/rc.d/dhcp6c`](src/etc/rc.d/dhcp6c)
- [`etc/rc.d/dhcp6s`](src/etc/rc.d/dhcp6s)
- [`etc/rad.conf`](src/etc/rad.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` set dhcp6s flags -c /etc/dhcp6s.conf -dD -k /etc/dhcp6sctlkey em1`
- [`rcctl`](https://man.openbsd.org/rcctl)` start dhcp6s`
* [ftp-proxy](https://man.openbsd.org/ftp-proxy) - Internet File Transfer Protocol proxy daemon
- *Configure:*
- [`etc/pf.conf`](src/etc/pf.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` set ftp-proxy flags -b 10.10.10.10 -T FTP_PROXY`
- [`rcctl`](https://man.openbsd.org/rcctl)` set ftp-proxy6 flags -b fd80:1fe9:fcee:1337::ace:face -T FTP_PROXY6`
- [`rcctl`](https://man.openbsd.org/rcctl)` start ftp-proxy ftp-proxy6`
* [hostname.if](https://man.openbsd.org/hostname.if) - interface-specific configuration files with Dual IP stack implementation
- *Configure:*
- [`etc/hostname.athn0`](src/etc/hostname.athn0)
- [`etc/hostname.em0`](src/etc/hostname.em0)
- [`etc/hostname.em1`](src/etc/hostname.em1)
- [`etc/hostname.em2`](src/etc/hostname.em2)
- [`etc/hostname.enc1`](src/etc/hostname.enc1)
- [`etc/hostname.gif0`](src/etc/hostname.gif0)
- [`etc/hostname.switch0`](src/etc/hostname.switch0)
- [`etc/hostname.tun0`](src/etc/hostname.tun0)
- [`etc/hostname.vether0`](src/etc/hostname.vether0)
- [`etc/hostname.vlan5`](src/etc/hostname.vlan5)
- [`etc/hostname.vlan7`](src/etc/hostname.vlan7)
- *Usage:*
- `sh /etc/netstart`
* [hotplugd](https://man.openbsd.org/hotplugd) - devices hot plugging monitor daemon
- *Configure:*
- [`etc/hotplug/attach`](src/etc/hotplug/attach)
- `etc/hotplug/detach`
- `chmod 750 /etc/hotplug/{attach,detach}`
- *Usage:*
- [`rcctl`](https://man.openbsd.org/rcctl)` enable hotplugd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start hotplugd`
* [httpd](https://man.openbsd.org/httpd) - HTTP daemon as primary, fallback, and [autoinstall](https://man.openbsd.org/autoinstall)
- *Configure:*
- [`etc/httpd.conf`](src/etc/httpd.conf)
- [`etc/newsyslog.conf`](src/etc/newsyslog.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/ssl/acme/freedns.afraid.org.fullchain.pem`](src/etc/ssl/acme/freedns.afraid.org.fullchain.pem)
- [`etc/ssl/acme/freedns.afraid.org.ocsp.resp.der`](src/etc/ssl/acme/freedns.afraid.org.ocsp.resp.der)
- [`etc/ssl/acme/private/freedns.afraid.org.key`](src/etc/ssl/acme/private/freedns.afraid.org.key)
- [`var/www/htdocs`](src/var/www/htdocs)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` reload syslogd`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable httpd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start httpd`
* [ifstated](https://man.openbsd.org/ifstated) - Interface State daemon to reconnect, update IP, and log
- *Configure:*
- [`etc/ifstated.conf`](src/etc/ifstated.conf)
- *Usage:*
- [`rcctl`](https://man.openbsd.org/rcctl)` enable ifstated`
- [`rcctl`](https://man.openbsd.org/rcctl)` start ifstated`
* IKEv2 VPN (IPv4 and IPv6)
- *Configure:*
- `etc/iked`
- [`etc/iked.conf`](src/etc/iked.conf)
- [`etc/iked-vedetta.conf`](src/etc/iked-vedetta.conf)
- [`etc/ipsec.conf`](src/etc/ipsec.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- `etc/ssl/ikeca.cnf`
- `etc/ssl/vedetta`
- *Usage:*
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta create`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta install`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org create`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org install`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan create`
- `cd /etc/iked/export`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan export`
- `tar -C /etc/iked/export -xzpf mobile.vedetta.lan.tgz`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan revoke`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta key mobile.vedetta.lan delete`
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable ipsec`
- [`rcctl`](https://man.openbsd.org/rcctl)` set iked flags -6`
- [`rcctl`](https://man.openbsd.org/rcctl)` start iked`
* IKEv1 VPN (IPv4)
- *Configure:*
- `etc/isakmpd`
- [`etc/ipsec.conf`](src/etc/ipsec.conf)
- [`etc/ipsec-vedetta.conf`](src/etc/ipsec-vedetta.conf)
- [`etc/npppd`](src/etc/npppd)
- [`etc/pf.conf`](src/etc/pf.conf)
- `etc/ssl/ikeca.cnf`
- `etc/ssl/vedetta`
- *Usage:*
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta create`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta install /etc/isakmpd`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org create`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate freedns.afraid.org install /etc/isakmpd`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan create`
- `cd /etc/isakmpd/export`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan export`
- `tar -C /etc/isakmpd/export -xzpf mobile.vedetta.lan.tgz`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta certificate mobile.vedetta.lan revoke`
- [`ikectl`](https://man.openbsd.org/ikectl)` ca vedetta key mobile.vedetta.lan delete`
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable ipsec npppd`
- [`rcctl`](https://man.openbsd.org/rcctl)` set isakmpd flags -K`
- [`rcctl`](https://man.openbsd.org/rcctl)` start npppd isakmpd`
- [`ipsecctl`](https://man.openbsd.org/ipsecctl)` -d -f /etc/ipsec-vedetta.conf`
* [nsd](https://man.openbsd.org/nsd) - Name Server Daemon (NSD) as authoritative DNS nameserver for LAN
- *Configure:*
- [`etc/pf.conf`](src/etc/pf.conf)
- [`var/nsd`](src/var/nsd)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable nsd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start nsd`
* [ntpd](https://man.openbsd.org/ntpd) - Network Time Protocol daemon
- *Configure:*
- [`etc/ntpd.conf`](src/etc/ntpd.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable ntpd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start ntpd`
* [pf](https://man.openbsd.org/pf) - packet filter with IP based adblock
- *Configure:*
- [`etc/pf.conf`](src/etc/pf.conf)
- [`usr/local/bin/adhosts.sh`](src/usr/local/bin/adhosts.sh)
- [`usr/local/bin/malware.sh`](src/usr/local/bin/malware.sh)
- [`var/cron/tabs/root`](src/var/cron/tabs/root)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`pfctl`](https://man.openbsd.org/pfctl)` -vvs queue`
- [`pfctl`](https://man.openbsd.org/pfctl)` -s info`
- [`pfctl`](https://man.openbsd.org/pfctl)` -s states`
- [`pfctl`](https://man.openbsd.org/pfctl)` -vvs rules`
- [`pfctl`](https://man.openbsd.org/pfctl)` -v -s rules -R 4`
- [`pfctl`](https://man.openbsd.org/pfctl)` -s memory`
- `tcpdump -n -e -ttt -r /var/log/pflog`
- `tcpdump -neq -ttt -i pflog0`
* [rebound](https://man.openbsd.org/rebound) - DNS proxy
- *Configure:*
- [`etc/dhclient.conf`](src/etc/dhclient.conf)
- [`etc/resolv.conf`](src/etc/resolv.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- `dig ipv6.google.com aaaa`
* [relayd](https://man.openbsd.org/relayd) - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, transparent HTTP proxy, and TLS inspection ([MITM](https://github.com/vedetta-com/vedetta/issues/82#issuecomment-363907251))
- *Configure:*
- [`etc/acme-client.conf`](src/etc/acme-client.conf)
- [`etc/httpd.conf`](src/etc/httpd.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/relayd.conf`](src/etc/relayd.conf)
- [`usr/local/bin/get-pin.sh`](src/usr/local/bin/get-pin.sh)
- `cd `[`/etc/ssl`](src/etc/ssl)
- `ln -s acme/freedns.afraid.org.fullchain.pem 10.10.10.11:443.crt`
- `ln -s acme/freedns.afraid.org.fullchain.pem fd80:1fe9:fcee:1337::ace:babe:443.crt`
- `cd `[`/etc/ssl/private`](src/etc/ssl/private)
- `ln -s ../acme/private/freedns.afraid.org.key 10.10.10.11:443.key`
- `ln -s ../acme/private/freedns.afraid.org.key fd80:1fe9:fcee:1337::ace:babe:443.key`
- `mkdir -p /etc/ssl/relayd/private`
- `openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt`
- `echo 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.ext`
- `openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048`
- `openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key -out /etc/ssl/relayd/private/relay.vedetta.lan.csr -nodes`
- `openssl x509 -sha256 -req -days 365 -in /etc/ssl/relayd/private/relay.vedetta.lan.csr -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key -CAcreateserial -extfile /etc/ssl/relayd/server.ext -out /etc/ssl/relayd/relay.vedetta.lan.crt`
- `cd /etc/ssl`
- `ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt`
- `ln -s relayd/relay.vedetta.lan.crt ::1.crt`
- `cd /etc/ssl/private`
- `ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key`
- `ln -s ../relayd/private/relay.vedetta.lan.key ::1.key`
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable relayd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start relayd`
- [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t httpfilter $ip`
- [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t tlsinspect $ip`
* [rad](https://man.openbsd.org/rad) - router advertisement daemon
- *Configure:*
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/rad.conf`](src/etc/rad.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable rad`
- [`rcctl`](https://man.openbsd.org/rcctl)` start rad`
* [sensorsd](https://man.openbsd.org/sensorsd) - hardware sensors monitor
- *Configure:*
- [`etc/sensorsd.conf`](src/etc/sensorsd.conf)
- *Usage:*
- [`rcctl`](https://man.openbsd.org/rcctl)` enable sensorsd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start sensorsd`
* [slaacd](https://man.openbsd.org/slaacd) - a stateless address autoconfiguration daemon
- *Configure:*
- [`ifconfig`](https://man.openbsd.org/ifconfig)` em0 inet6 autoconf`
- *Usage:*
- [`slaacctl`](https://man.openbsd.org/slaacctl)` show interface em0`
* [smtpd](https://man.openbsd.org/smtpd) - Simple Mail Transfer Protocol daemon, see [Caesonia](https://github.com/vedetta-com/caesonia/)
- *Configure:*
- [`etc/mail/aliases`](src/etc/mail/aliases)
- [`etc/mail/smtpd.conf`](src/etc/mail/smtpd.conf)
- `touch `[`/etc/mail/secrets`](src/etc/mail/secrets)
- `chmod 640 /etc/mail/secrets`
- `chown root:_smtpd /etc/mail/secrets`
- `echo "puffy [email protected]:password" > /etc/mail/secrets`
- *Usage:*
- [`rcctl`](https://man.openbsd.org/rcctl)` restart smtpd`
* [sshd](https://man.openbsd.org/sshd) - OpenSSH SSH daemon with internal-sftp
- *Configure:*
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/ssh`](src/etc/ssh)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` start sshd`
* [switchd](https://man.openbsd.org/switchd) - software-defined networking (SDN) OpenFlow controller
- *Configure:*
- [`etc/hostname.switch0`](src/etc/hostname.switch0)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`etc/switchd.conf`](src/etc/switchd.conf)
- *Usage:*
- `sh /etc/netstart switch0`
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable switchd`
- [`rcctl`](https://man.openbsd.org/rcctl)` start switchd`
- [`switchctl`](https://man.openbsd.org/switchctl)` connect /dev/switch0`
* [syslogd](https://man.openbsd.org/syslogd) - log system messages
- *Configure:*
- [`etc/newsyslog.conf`](src/etc/newsyslog.conf)
- [`var/cron/tabs/root`](src/var/cron/tabs/root)
- *Usage:*
* [unbound](https://man.openbsd.org/unbound) - Unbound DNS validating resolver from root nameservers, with caching and DNS based adblock
- *Configure:*
- [`etc/dhclient.conf`](src/etc/dhclient.conf)
- [`etc/resolv.conf`](src/etc/resolv.conf)
- [`etc/pf.conf`](src/etc/pf.conf)
- [`usr/local/bin/dnsblock.sh`](src/usr/local/bin/dnsblock.sh)
- [`var/cron/tabs/root`](src/var/cron/tabs/root)
- [`var/unbound`](src/var/unbound)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`rcctl`](https://man.openbsd.org/rcctl)` enable unbound`
- [`rcctl`](https://man.openbsd.org/rcctl)` start unbound`
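The DNS-based adblock above is driven by a script in the repository ([`usr/local/bin/dnsblock.sh`](src/usr/local/bin/dnsblock.sh)) that turns a hosts-format blocklist into unbound local zones. The following is an added example written for this page, not the repository's script: it keeps only syntactically valid hostnames, so a tampered or malicious upstream list cannot smuggle quotes or extra directives into the generated unbound configuration, and it deduplicates after lowercasing. The sample list, the output file name `adblock.conf` and the `always_nxdomain` policy are assumptions.

```shell
#!/bin/sh
# hosts_to_unbound FILE
# Read a hosts-format blocklist ("0.0.0.0 ads.example  # comment") and emit
# one unbound(8) local-zone per hostname. Entries that are not valid DNS
# names are dropped: the list is untrusted input that ends up inside a config
# file, so it must not be able to inject a closing quote or a new directive.
hosts_to_unbound() {
    sed -e 's/#.*//' "$1" | awk '
        # Only sinkhole lines count; anything else in the file is ignored.
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "broadcasthost" || h == "ip6-localhost") continue
                # RFC 1123 labels: alphanumerics and hyphens, no leading/trailing hyphen.
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/) continue
                if (length(h) > 253) continue
                seen[h] = 1
            }
        }
        END { for (h in seen) printf "local-zone: \"%s\" always_nxdomain\n", h }
    ' | sort
}

# write_sample FILE: a constructed blocklist (not a real one) exercising the
# edge cases above.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET    # mixed case
0.0.0.0 tracker.example.net    # duplicate after lowercasing
0.0.0.0 bad"host.example       # rejected: would break the quoted zone name
0.0.0.0 -leading.example       # rejected: invalid label
10.0.0.1 not.blocked.example   # rejected: not a sinkhole address
EOF
}

# On the router (assumed layout): hosts_to_unbound list.txt > /var/unbound/etc/adblock.conf,
# add "include: /var/unbound/etc/adblock.conf" under the server: section of
# unbound.conf, then: unbound-checkconf && rcctl reload unbound
```

Validating the names is the point: an `include:` file is parsed with the same privileges as `unbound.conf` itself, so whoever controls the upstream list controls the resolver's configuration unless every line is constrained to the shape you expect.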

Sysadmin:
* [crontab](https://man.openbsd.org/crontab) - maintain crontab files for individual users
- *Configure:*
- [`var/cron`](src/var/cron)
- *Usage:*
- [`crontab`](https://man.openbsd.org/crontab)` -e`
* [doas](https://man.openbsd.org/doas) - execute commands as another user
- *Configure:*
- [`etc/doas.conf`](src/etc/doas.conf)
- *Usage:*
- [`doas`](https://man.openbsd.org/doas)` tmux`
* [ftp](https://man.openbsd.org/ftp) - Internet file transfer program
- *Configure:*
- [`etc/pf.conf`](src/etc/pf.conf)
- *Usage:*
- [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
- [`ftp`](https://man.openbsd.org/ftp)` -o - "https://www.openbsd.org/donations.html"`
* [mail](https://man.openbsd.org/mail) - send and receive mail, for daily reading
- *Usage:*
- [`mail`](https://man.openbsd.org/mail)
* [syspatch](https://man.openbsd.org/syspatch) - manage base system binary patches
- *Configure:*
- `etc/installurl`
- [`var/cron/tabs/root`](src/var/cron/tabs/root)
- *Usage:*
- [`syspatch`](https://man.openbsd.org/syspatch)` -c`
* [systat](https://man.openbsd.org/systat) - display system statistics
- *Usage:*
- [`systat`](https://man.openbsd.org/systat)` queues`
- [`systat`](https://man.openbsd.org/systat)` pf`
- [`systat`](https://man.openbsd.org/systat)` states`
- [`systat`](https://man.openbsd.org/systat)` rules`
* [tmux](https://man.openbsd.org/tmux) - terminal multiplexer
- *Configure:*
- `~/.tmux.conf`
- *Usage:*
- [`tmux`](https://man.openbsd.org/tmux)

## Hardware
OpenBSD likes small form factor, low-power, lots of ECC memory, AES-NI support, open source boot, and the fastest supported network cards. This configuration has been tested on [APU2](https://pcengines.ch/apu2c4.htm).

## Install
Encryption is the easiest method for media sanitization and disposal. OpenBSD supports [full disk encryption](https://www.openbsd.org/faq/faq14.html#softraidFDE) using a [keydisk](https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk) (e.g. a USB stick).

Partitions are important for [security, stability, and integrity](https://www.openbsd.org/faq/faq4.html#Partitioning). A minimum partition layout [example for a router](src/var/www/htdocs/boot.vedetta.lan/disklabel.min) that holds the binary base system (enough to upgrade itself) and no packages, a comfortable fit on flash memory cards/drives:

| Filesystem | Mount | Size |
|:---------- |:----------- | -------:|
| a | / | 512M |
| b | /swap | 1024M |
| d | /var | 512M |
| e | /var/log | 128M |
| f | /tmp | 1024M |
| g | /usr | 1024M |
| h | /usr/local | 64M |
| i | /home | 16M |
| *Total* | |**4304M**|

## SSL
It's best practice to create CAs on a single purpose secure machine, with no network access.

Specify which certificate authorities (CAs) are allowed to issue certificates for your domain, by adding [DNS Certification Authority Authorization (CAA)](https://tools.ietf.org/html/rfc6844) Resource Record (RR) to [`var/nsd/zones/master/vedetta.lan.zone`](src/var/nsd/zones/master/vedetta.lan.zone)

Revoke certificates as soon as they are superseded or their private key may have been exposed; short lifetimes keep the window in which a leaked key is useful small.
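The relayd TLS-inspection steps under Features create the inspection CA interactively with `openssl req -x509` and sign the leaf from an extension file holding only a SAN. As an added example (written for this page, not the repository's own procedure), the script below does the same non-interactively, marks the CA as a CA with a key usage limited to signing, marks the leaf as an end-entity server certificate, keeps both private keys at mode 0600, and verifies the result the way a client would (chain plus hostname). The directory layout, the CA subject and the 365-day lifetimes are assumptions; the hostname `relay.vedetta.lan` follows the steps above.

```shell
#!/bin/sh
# make_relay_ca DIR [NAME]
# Create a private CA and a leaf certificate for NAME (default
# relay.vedetta.lan) under DIR, non-interactively. The body runs in a
# subshell so the restrictive umask does not leak into the caller.
make_relay_ca() (
    dir=$1
    name=${2:-relay.vedetta.lan}
    umask 077                                   # private keys end up 0600
    mkdir -p "$dir/private" || exit 1

    # CA: key + CSR, self-signed with CA:TRUE and a key usage limited to
    # signing certificates and CRLs.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=vedetta relayd inspection CA" \
        -keyout "$dir/private/ca.key" -out "$dir/private/ca.csr" 2>/dev/null || exit 1
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/private/ca.csr" \
        -signkey "$dir/private/ca.key" -extfile "$dir/ca.ext" \
        -out "$dir/ca.crt" 2>/dev/null || exit 1

    # Leaf: end entity only (CA:FALSE), server auth, SAN = the hostname,
    # which is what clients actually match against.
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/private/$name.key" -out "$dir/private/$name.csr" 2>/dev/null || exit 1
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$name" > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/private/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/private/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null || exit 1

    chmod 0444 "$dir/ca.crt" "$dir/$name.crt"   # public halves may be world-readable
)

# verify_leaf DIR NAME [HOST]: chain validation plus hostname check against
# HOST (default NAME), i.e. what a TLS client does before trusting the relay.
# Succeeds only when openssl reports the certificate as OK.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "${3:-$2}" "$1/$2.crt" 2>&1 \
        | grep -q ': OK$'
}

# key_mode FILE: octal permission bits, used to check that keys stayed 0600
# (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Unlike the ACME or IKE material, the inspection CA's private key has to live on the router, because relayd forges a certificate for every inspected destination with it (the `ca key` in `relayd.conf`). A leak of that key is a compromise of every client that trusts `ca.crt`, so keep it 0600, give it the shortest lifetime you can tolerate, and generate the CA offline as this section recommends only for the CAs whose key does not need to be online.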

## SSH

[SSH fingerprints verified by DNS](http://man.openbsd.org/ssh#VERIFYING_HOST_KEYS) is done by adding Secure Shell (Key) Fingerprint (SSHFP) Resource Records (RR) to [`var/nsd/zones/master/vedetta.lan.zone`](src/var/nsd/zones/master/vedetta.lan.zone); generate them with `ssh-keygen -r vedetta.lan.`
Verify: `dig -t SSHFP vedetta.lan`
Usage: `ssh -o "VerifyHostKeyDNS ask" acolyte.vedetta.lan`
ssh only accepts an SSHFP answer without prompting when the resolver returned it DNSSEC-validated; from an unsigned zone or a non-validating resolver the record is just a hint and ssh still asks, so sign the zone and validate locally (unbound) before relying on `VerifyHostKeyDNS yes`.
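`ssh-keygen -r` does the work on the host that owns the keys. As an added example (not part of the project), the function below builds the same SHA-256 SSHFP record from any public key line, which is handy when the keys come from `ssh-keyscan` output rather than from files on the target. The zone name and the sample key are assumptions; the sample key is constructed (its 32-byte key part is all zero) and is not a real host key.

```shell
#!/bin/sh
# sshfp_record HOST "KEYTYPE BASE64 [comment]"
# Emit an SSHFP resource record (SHA-256 fingerprint, RFC 6594) for one
# public key line in known_hosts/authorized_keys format. Algorithm numbers:
# 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519 (RFC 4255, 6594, 7479).
sshfp_record() {
    host=$1
    shift
    set -- $1                       # split the key line on whitespace
    keytype=$1
    blob=$2
    case $keytype in
        ssh-rsa)     alg=1 ;;
        ssh-dss)     alg=2 ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) alg=3 ;;
        ssh-ed25519) alg=4 ;;
        *) echo "sshfp_record: unsupported key type '$keytype'" >&2; return 1 ;;
    esac
    # The fingerprint covers the raw key blob, i.e. the base64 field decoded.
    # sed keeps only the 64 hex digits, whatever label openssl prefixes them with.
    fp=$(printf '%s' "$blob" | openssl base64 -d -A | openssl dgst -sha256 \
         | sed -n 's/.*\([0-9a-f]\{64\}\).*/\1/p')
    [ -n "$fp" ] || return 1
    printf '%s IN SSHFP %s 2 %s\n' "$host" "$alg" "$fp"
}

# sshfp_zone HOST FILE: records for every key in a file in ssh-keyscan(1)
# output format ("host keytype base64 ..."); the first column is replaced by
# the zone name given. Unsupported key types are reported and skipped.
sshfp_zone() {
    host=$1
    while read -r hostcol keytype blob rest; do
        [ -n "$keytype" ] || continue
        sshfp_record "$host" "$keytype $blob" || :
    done < "$2"
}

# Constructed sample (not a real key): valid ssh-ed25519 framing, zero key bytes.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA sample'

# Cross-check on a real host: ssh-keygen -r vedetta.lan. -f /etc/ssh/ssh_host_ed25519_key.pub
```

Publishing the records is only half of it: `ssh-keyscan` fetches keys over the network, so compare its output against `ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub` on the console of the target before the fingerprints go into the zone, otherwise a man in the middle at scan time gets signed into DNS.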

Manage keys with [ssh-agent](https://man.openbsd.org/ssh-agent).

Detect tampered keyfiles or man in the middle attacks with [ssh-keyscan](http://man.openbsd.org/ssh-keyscan).

Control access to local users with [principals](https://github.com/vedetta-com/vedetta/blob/master/src/usr/local/share/doc/vedetta/OpenSSH_Principals.md).

## Firewall
Guests can use the DNS nameserver to access the ad-free web, while authenticated users gain desired permissions. It's best to authenticate an IP after connecting to VPN. There are three users in this one person scenario: one for wheel, one for sftp, and one for authpf.

## Performance
Consider using [mount_mfs](https://man.openbsd.org/mount_mfs) in order to reduce wear and tear, as well as to speed up the system. Remember to set the [sticky bit](https://man.openbsd.org/chmod.1#1000) on mfs /tmp, see [etc/fstab](src/etc/fstab).

## Caveats
* VPN with IKEv2 or IKEv1, not both. *While there are many technologies for VPN, only IKEv2 and IKEv1 are standardised (and considerable effort was put into testing and securing them)*
* relayd does not support CRL, SNI, or OCSP (yet)
* httpd without custom error pages (can be patched)
* 11n is max WiFi mode, [is this enough?](https://arstechnica.com/information-technology/2017/03/802-eleventy-what-a-deep-dive-into-why-wi-fi-kind-of-sucks/)

## Support
Via [issues](https://github.com/vedetta-com/vedetta/issues) and [#vedetta:matrix.org](https://riot.im/app/#/room/#vedetta:matrix.org)

## Contribute
Want to help out? :star: [Fork this repo](https://github.com/vedetta-com/vedetta/fork) :star: