divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb.git
Log | Files | Refs | README | LICENSE

commit 57a232ec491c32eb6cad4ee9002e0b0d60c07a2b
parent 37c11070e34f93ff8ac2ebaa6a8cc2d4d35f7110
Author: sin <sin@2f30.org>
Date:   Tue Mar  1 16:25:21 +0000

Add initial version of OpenBSD gateway tutorial

Diffstat:
Makefile | 3++-
guides.md | 1+
guides/openbsd-gateway.md | 308+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 311 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile @@ -18,7 +18,8 @@ PAGES = $(MENUPAGES) \ guides/netbsd-linode.html \ guides/rpi-tv.html \ guides/irix-sgi-o2.html \ - guides/openbsd-httpd-cgit.html + guides/openbsd-httpd-cgit.html \ + guides/openbsd-gateway.html EXTRA = css divzerokey.png favicon.ico index.html \ lectures/resources diff --git a/guides.md b/guides.md @@ -11,3 +11,4 @@ Just some notes on various useful tasks. * [rpi-tv](guides/rpi-tv.html): Raspberry Pi console media center with TV remote on Arch Linux * [irix-sgi-o2](guides/irix-sgi-o2.html): Installing IRIX 6.5 to an SGI O2 from the network * [openbsd-httpd-cgit](guides/openbsd-httpd-cgit.html): Configuring httpd, slowcgi and cgit on OpenBSD + * [openbsd-gateway](guides/openbsd-gateway.html): Setting up a home gateway with OpenBSD + other goodies diff --git a/guides/openbsd-gateway.md b/guides/openbsd-gateway.md @@ -0,0 +1,308 @@ +### Setting up a home gateway with OpenBSD + other goodies + +If you have a spare box with two or more NICs, you can turn it into a powerful OpenBSD router. +In this tutorial, I will walk you through my gateway configuration. + +**Remember! Do not blindly copy paste the configuration files!** + +### Available hardware and network layout + +My router is a [Shuttle XH81V](http://www.shuttle.eu/products/slim/xh81v/). It has two Realtek +NICs. + +I have a single physical subnet, 10.0.0.0/24. + +Because of lack of additional NICs or a [VLAN](https://en.wikipedia.org/wiki/Virtual_LAN) capable switch, +there is no [DMZ](https://en.wikipedia.org/wiki/DMZ_%28computing%29). +To avoid exposing many services to the outside, I typically use ssh tunneling or a VPN +to access the services on the inside. + +I have a dedicated server hosted in a DC. I use [tinc](http://www.tinc-vpn.org/) in a bridged mode +configuration to make the server appear on my main subnet. This way, I can access the server transparently even on +machines on my local network that I cannot install tinc to. + +For IPv6, I use a [Hurricane Electric](https://tunnelbroker.net/) tunnel. Their service has proven reliable +with virtually no downtime experienced in the past year. + +### Topics covered + +The following topics will be discussed: + +* Firewall, routing and NAT configuration +* DHCP server configuration +* Split horizon DNS +* PXE booting +* Configuring an IPv6 gif(4) tunnel with Hurricane Electric +* NetFlow sensor and collector configuration +* Debugging tips + +### Firewall, routing and NAT configuration + +There is an excellent [tutorial](http://www.openbsd.org/faq/pf/example1.html) in the pf FAQ. +Fore more information, check the [pf.conf(5)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5), +[hostname.if(5)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/hostname.if.5) and +[ifconfig(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ifconfig.8) manpages. + +#### /etc/pf.conf + + int_if = "re1" + sshbox = "10.0.0.2" + martians = "{ 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 \ + 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 \ + 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \ + 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 }" + + set loginterface egress + set skip on lo0 + set block-policy return + + match in all scrub (no-df random-id) + + match out on egress inet from !(egress:network) to any nat-to (egress:0) + + block drop in quick on egress from { no-route urpf-failed $martians } + block return out quick on egress to $martians + block + + pass in on $int_if + pass in on egress inet proto icmp to (egress) + pass in on egress inet proto tcp to (egress) port ssh rdr-to $sshbox + pass out + +#### /etc/sysctl.conf + + net.inet.ip.forwarding=1 + +#### /etc/hostname.re0 + + description "WAN" + dhcp + +#### /etc/hostname.re1 + + description "LAN" + inet 10.0.0.1 255.255.255.0 10.0.0.255 + up + +Reboot the router. + +### DHCP server configuration + +I use [2f30.org](http://2f30.org) as the default search domain. I have a [split horizon DNS](https://en.wikipedia.org/wiki/Split-horizon_DNS) +configuration so I can access my machines from my local network as well as from the outside. + +#### /etc/dhcpd.conf + + option domain-name "2f30.org"; + option domain-name-servers 10.0.0.1; + + subnet 10.0.0.0 netmask 255.255.255.0 { + option routers 10.0.0.1; + range 10.0.0.32 10.0.0.127; + + host sshbox { + hardware ethernet aa:bb:cc:dd:ee:ff; + fixed-address 10.0.0.2; + } + } + +Update /etc/rc.conf.local: + + dhcpd_flags="re1" + +Restart dhcpd: + + /etc/rc.d/dhcpd restart + +### Split horizon DNS + +I am using unbound(8) as a caching DNS resolver. + +#### /var/unbound/etc/unbound.conf + + server: + interface: 10.0.0.1 + access-control: 10.0.0.0/24 allow + + local-data: "gw.2f30.org. IN A 10.0.0.1" + local-data-ptr: "10.0.0.1 gw.2f30.org." + + local-data: "sshbox.2f30.org. IN A 10.0.0.2" + local-data-ptr: "10.0.0.2 sshbox.2f30.org." + + forward-zone: + name: "." + forward-addr: 208.67.222.222 + forward-addr: 208.67.220.220 + +Update /etc/rc.conf.local: + + unbound_flags= + +Restart unbound: + + /etc/rc.d/unbound restart + +At this point, you should be able to plug a machine to your switch, get an IP address +and browse the web. + +You should also be able to access $sshbox from the outside over ssh on the default port. +In my configuration this is a separate machine but could just as well be the router itself. + +### PXE booting + +I use PXE booting on my laptop to upgrade OpenBSD. I run a tftp server on my router +to serve the latest bsd.rd. + +#### Setting up tftpd and dhcpd for PXE booting + +Prepare /tftpboot: + + mkdir /tftpboot + cp /usr/mdec/pxeboot /tftpboot + +Update /etc/dhcpd.conf: + + subnet 10.0.0.0 netmask 255.255.255.0 { + filename "pxeboot"; + next-server 10.0.0.1; + ... + } + +Update /etc/rc.conf.local: + + tftpd_flags="-l 10.0.0.1 /tftpboot" + +Restart dhcpd and tftpd: + + /etc/rc.d/tftpd restart + /etc/rc.d/dhcpd restart + +#### Cron job to fetch latest bsd.rd + +Use crontab -e as root to add a new job as follows: + + 15 10 * * * /usr/bin/ftp -o /tftpboot/bsd.rd ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd 1>/dev/null + +It will download bsd.rd once a day at 10:15 in the morning. + +To test, plug your laptop to the switch and choose to boot over the network. Once you get to the OpenBSD +boot prompt, type /bsd.rd and hit return. + +### Configuring an IPv6 gif(4) tunnel with Hurricane Electric + +First of all, you will have to create an account on their [website](https://tunnelbroker.net). From there, +follow their guide to set up a tunnel. You will basically have to choose the tunnel endpoint. Find the one +with the minimum latency. + +#### /etc/sysctl.conf + +net.inet6.ip6.forwarding=1 + +#### /etc/hostname.gif0 + + description "Hurricane Electric 6in4 link" + tunnel <your-ipv4-endpoint> <their-ipv4-endpoint> + mtu 1480 + !ifconfig gif0 inet6 alias 2001:XXXX:XXXX:XXXX::2 2001:XXXX:XXXX:XXXX::1 prefixlen 128 + !route -n add -inet6 default 2001:XXXX:XXXX:XXXX::1 + +#### /etc/hostname.re1 + + inet6 alias 2001:XXXX:XXXX:XXXX::1 64 + +This will add an IPv6 alias on your router's internal interface. + +#### /etc/pf.conf + + pass in on egress inet proto 41 from <their-ipv4-endpoint> to (egress) + pass in on gif0 inet6 + +#### /etc/rtadvd.conf + + re1:\ + :addrs#1:addr="2001:XXXX:XXXX:XXXX::":prefixlen#64: + +Update /etc/rc.conf.local: + + rtadvd_flags="re1" + +Reboot your router. + +On your OpenBSD client, enable autoconfiguration: + + ifconfig em0 inet6 autoconf + +### NetFlow sensor and collector configuration + +I use [NetFlow](https://en.wikipedia.org/wiki/NetFlow) to get an idea of what kind of traffic passes through my gateway. + +To configure a netflow sensor on the gateway: + +#### /etc/pf.conf + + set state-defaults pflow + +#### /etc/hostname.pflow0 +flowsrc 10.0.0.1 flowdst 10.0.0.2:5555 + +Activate sensor: + + pfctl -f /etc/pf.conf + sh /etc/netstart pflow0 + +On the receiver, in this case the box with address 10.0.0.2 we'll install [flowd](http://www.mindrot.org/files/flowd/README). It is a secure and minimal +netflow collector written by Damien Miller. + +First, install flowd from ports. + +#### /etc/flowd.conf + + logfile "/var/log/flowd" + listen on 10.0.0.2:5555 + flow source 10.0.0.1 + store ALL + +Restart flowd: + + /etc/rc.d/flowd restart + +Give it a moment and use flowd-reader(8) on the specified logfile to examine the flows. + +### Debugging tips + +One of the advantages of using OpenBSD as opposed to a standard consumer grade router is that +you have all the needed tools at your disposal for debugging your network. The following manpages +should be of interest. + +* [tcpdump(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/tcpdump.8) +* [systat(4)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/systat.1) +* [dig(1)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/dig.1) +* [arp(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/arp.8) +* [ndp(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ndp.8) +* [route(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/route.8) +* [netstat(1)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/netstat.1) +* [pflogd(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/pflogd.8) +* [pflow(4)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pflow.4) + +Keep your configuration as simple as possible. Do not randomly poke on sysctl knobs you do not +understand. Rely on the defaults unless you have a good reason not to. + +If you have made extensive changes on a running system, do a final reboot to make sure everything +comes back up as expected. + +Consider having a second machine connected over serial to your router. This way you can capture a trace +if the router crashes. It can also be used as an out-of-band mechanism to configure your router without +hooking up a monitor and a keyboard. + +### Reading material + +I've found the following references highly informative and useful. + +* [OpenBSD FAQ](http://www.openbsd.org/faq/) +* [TCP/IP Illustrated: Volume 1](http://www.amazon.co.uk/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313/ref=sr_1_1?s=books&ie=UTF8&qid=1453299772&sr=1-1&keywords=tcp%2Fip+illustrated) +* [Unix Network Programming](http://www.amazon.co.uk/Unix-Network-Programming-Addison-Wesley-Professional/dp/0131411551/ref=sr_1_1?s=books&ie=UTF8&qid=1453299853&sr=1-1&keywords=unix+network+programming) +* [Book of PF](https://www.nostarch.com/pf3) +* [IPv6 for IPv4 Experts](https://sites.google.com/site/yartikhiy/home/ipv6book) +* [IPv6 Core Protocols Implementation](http://www.amazon.co.uk/Protocols-Implementation-Morgan-Kaufmann-Networking-x/dp/0124477518) +* [TCP/IP guide](http://www.tcpipguide.com/)