Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/jwillikers/openbsd-router

The configuration for my OpenBSD home router.
https://github.com/jwillikers/openbsd-router

bsd config dhcp dns firewall ipv6 matter multicast networking openbsd pf router unbound vlan

Last synced: 3 months ago
JSON representation

The configuration for my OpenBSD home router.

Awesome Lists containing this project

README 

        
= OpenBSD Router

Jordan Williams 

:experimental:

:icons: font

ifdef::env-github[]

:tip-caption: :bulb:

:note-caption: :information_source:

:important-caption: :heavy_exclamation_mark:

:caution-caption: :fire:

:warning-caption: :warning:

endif::[]

:dhcpd: https://man.openbsd.org/dhcpd[dhcpd]

:dhcp6leased: https://man.openbsd.org/dhcp6leased.8[dhcp6leased]

:mrouted: https://man.openbsd.org/mrouted[mrouted]

:OpenBSD: https://www.openbsd.org/[OpenBSD]

:OpenBSD-version: 7.6

:PF: https://www.openbsd.org/faq/pf/index.html[PF]

:Protectli: https://protectli.com[Protectli]

:rad: https://man.openbsd.org/rad[rad]

:snmpd: https://man.openbsd.org/snmpd[snmpd]

:sshd: https://man.openbsd.org/sshd[sshd]

:Unbound: https://nlnetlabs.nl/projects/unbound/about/[Unbound]



The configuration for my {OpenBSD} home router.

I use a {Protectli} vault, which I highly recommend.



// https://sha256.net/dhcpv6-pd-first-steps.html

// todo Provide additional static, local IPv6 addresses through DHCPv6 on my local network.

// Then provide IPv6 addresses for the DNS servers on the router.

// This will require using ISC's kea, `kea` package, instead of the local dhcp server.



.Features

* Firewall

* DHCP

* IPv6

* Multicast

* VLAN

* DNS caching

* DNS over TLS

* Remote access via SSH

* Support for Matter IoT devices

* Monitoring via SNMP



.Services

* {dhcpd}

* {dhcp6leased}

* {mrouted}

* {PF}

* {rad}

* {snmpd}

* {sshd}

* {Unbound}



== Overview



This configuration is intended for OpenBSD {OpenBSD-version}.

Egress is on port `em0`, which is connected to my ISP.

The rest of the physical interfaces are combined using a virtual ethernet bridge.

Additional VLAN's are used to isolate different parts of the network.

These are described in the <> table.



.VLANs

[cols="1,2"]

|===

| VLAN

| Purpose



| 2

| Wireless guest network



| 3

| IoT



| 4

| Work

|===



The egress interface obtains an IPv6 address using stateless address autoconfiguration.

An additional IPv6 prefix is obtained from my ISP using prefix-delegation for the bridge network.

The primary network and each VLAN receive a `/64` prefix cut from the delegated prefix.



== Usage



. Install OpenBSD.

The process is documented in the https://www.openbsd.org/faq/faq4.html[OpenBSD FAQ - Installation Guide]

No graphical utilities are needed.



. Install the Git necessary.

+

[,sh]

----

doas pkg_add git

----



. Clone the repository.

+

[,sh]

----

git clone https://github.com/jwillikers/openbsd-router

----



. Change to the project's directory.

+

[,sh]

----

cd openbsd-router

----



. Copy the `etc/snmpd.conf.template` file to `etc/snmpd.conf`.

+

[,sh]

----

cp etc/snmpd.conf.template etc/snmpd.conf

----



. Restrict permissions on `etc/snmpd.conf`.

+

[,sh]

----

chmod 0600 etc/snmpd.conf

----



. Add the authentication and encryption passphrases for the SNMPv3 user in the `etc/snmpd.conf` file.

+

.etc/snmpd.conf

[source]

----

user "monitor" auth hmac-sha256 authkey "******" enc aes enckey "******"

----



. Install everything.

+

[,sh]

----

doas ./install.sh

----



== Validate Configuration Files



The `validate.sh` script can be used to validate some of the configuration files.

Run it to ensure everything is hunky dory.



[,sh]

----

doas ./validate.sh

----



== Update



The `update.sh` script is a convenience for running commands to update the OpenBSD system.

It will initiate upgrades of the system to new major versions, in addition to applying system patches and updating packages.

Run it as follows.



[,sh]

----

doas ./update.sh

----



For details on upgrading between major versions, find corresponding upgrade guide on the https://www.openbsd.org/faq/[OpenBSD Frequently Asked Questions page].



== Code of Conduct



The project's Code of Conduct is available in the link:CODE_OF_CONDUCT.adoc[] file.



== License



This project is licensed under the https://creativecommons.org/licenses/by-sa/4.0/legalcode[Creative Commons Attribution-ShareAlike 4.0 International License].



© 2023-2024 Jordan Williams



== Authors



mailto:{email}[{author}]