A couple of years ago I published a blog post about creating an OpenBSD VPN gateway using OpenVPN. I've recently switched from an OpenVPN-based VPN provider to one that uses WireGuard. As a result I've had to redo my VPN gateway. I'll only be highlighting the things I've changed since the last setup in this post, so please refer to the previous post for more details. One advantage this iteration has over the previous one is that it no longer requires third-party software to be installed on the OpenBSD router.
Posts with the tag openbsd:
A couple of years ago a new device silently entered the OpenBSD source tree. The dt(4) device first appeared in OpenBSD 6.7 with very sparse information. In the releases since, it's gained quite a bit of functionality and now has tools to manipulate it properly. The documentation has gotten better over the last couple of years, but there isn't much info about how to leverage it to do anything useful. The dt pseudo-device driver is exposed as /dev/dt, which is used to interact with the device through ioctl calls.
This is something that took me a while longer to figure out than I'd like to admit, and I was only able to figure it out because of a forum post. For whatever reason, I'm only able to mount the share if I use the TCP option. I'm not sure if this is a me issue, an OpenBSD issue, or a FreeBSD issue, but I'm putting it out there in case anyone else runs into the same problem.
History: The way OpenBSD authenticates users is quite different from other Unix-like operating systems. Most other systems, like AIX, Solaris, Linux, the other BSDs, and macOS, use a framework called Pluggable Authentication Modules (PAM). The two main implementations are Linux-PAM and OpenPAM. PAM modules are created as dynamically loaded shared objects, which communicate using a combination of common and implementation-specific interfaces (Linux-PAM and OpenPAM). It's configured using the pam.
The Problem: Say you have an account with a VPN provider. Maybe there is a limit to how many connections you can have with one account. Maybe you want to put more machines on the account than you have connections. Or maybe you want to put a large number of machines on the connection, maybe some FreeBSD jails, LXC containers, or VMs, and you don't want to download the VPN profiles, sign in, and configure them all individually.
I recently gave a talk at work to help introduce OpenBSD to my colleagues. It's a broad introduction to the fundamentals of security in OpenBSD, as well as some basic system administration tips and suggestions anyone coming from a Linux background might find useful. It's roughly split up into four sections: the history of OpenBSD, what sets it apart from other operating systems, a guided installation, and the system administration introduction.
EDIT: After writing this post, tyil, the maintainer of Rakudo Star, reached out to me and added proper OpenBSD compatibility. The portion of this post dedicated to working around the failing downloads can now be ignored, and rstar now includes a warning if the user doesn't have a login class set. EDIT: The development version of Rakudo Star targets Rakudo 2020.07 instead of 2020.02, which uses even more memory than the staff login class is allowed.
OpenBSD makes a great router. Its simplicity and ease of configuration make it perfect for network infrastructure applications. Everything you need to build a network of any size is built into the base system, and its man pages and examples cover everything you'd need to know. While I've been an OpenBSD user for years, I'm finally in the process of replacing the router provided by my ISP with a PC Engines APU2E4 running OpenBSD.
If you're interested in the PC Engines APU2 line and the differences between models, I've covered them in a previous post here. I recently purchased a new PC Engines APU2E4 to use as a home router. I purchased the kit, which includes the board, case, and power supply, from CorpShadow. I also ordered the DB9F-to-USB adapter (Silicon Labs CP2104), so I don't need to get a separate null modem cable.