OpenBSD

Wireguard with Public IP behind NAT

… or how to host a dual-stacked public website behind an IPv4 NAT box without reverse proxy, port forwarding and other ugly stuff …

Inspired by the following post, I started a little project and redesigned the connectivity for my Hamster's webserver :)

I wrote a mail to the guys from tetaneutral.net and asked them for the WireGuard VPN service with public IPv4/IPv6 addresses for my server. As I didn't get any feedback, I had to implement the "Server" on my own.

Dog

Dog (echo dig | sed 's/i/o/')

You know nslookup, dig, hosts, getenv and all the other commands for the CLI. But have you ever tried dog?

Website: https://dns.lookup.dog/

and their documentation: https://dns.lookup.dog/dns-in-five-minutes

dog is an open-source DNS client for the command-line. It has colourful output, supports the DoT and DoH protocols, and can emit JSON.

Install Package

$ doas pkg_add dog

Examples

DNS over TLS

$ dog example.com --tls @dns.google

DNS Request over HTTPS

$ dog -H @https://dns.google/dns-query lookup.dog
A lookup.dog. 18m08s   51.159.26.255

JSON Support

$ dog bsago.me --json | jq .responses[0].answers[0]
{
  "address": "138.68.117.94",
  "class": "IN",
  "name": "bsago.me.",
  "ttl": 7111,
  "type": "A"
}

Full Help File

$ dog --help
dog ● command-line DNS client

Usage:
  dog [OPTIONS] [--] <arguments>

Examples:
  dog example.net                          Query a domain using default settings
  dog example.net MX                       ...looking up MX records instead
  dog example.net MX @1.1.1.1              ...using a specific nameserver instead
  dog example.net MX @1.1.1.1 -T           ...using TCP rather than UDP
  dog -q example.net -t MX -n 1.1.1.1 -T   As above, but using explicit arguments

Query options:
  <arguments>              Human-readable host names, nameservers, types, or classes
  -q, --query=HOST         Host name or IP address to query
  -t, --type=TYPE          Type of the DNS record being queried (A, MX, NS...)
  -n, --nameserver=ADDR    Address of the nameserver to send packets to
  --class=CLASS            Network class of the DNS record being queried (IN, CH, HS)

Sending options:
  --edns=SETTING           Whether to OPT in to EDNS (disable, hide, show)
  --txid=NUMBER            Set the transaction ID to a specific value
  -Z=TWEAKS                Set uncommon protocol-level tweaks

Protocol options:
  -U, --udp                Use the DNS protocol over UDP
  -T, --tcp                Use the DNS protocol over TCP
  -S, --tls                Use the DNS-over-TLS protocol
  -H, --https              Use the DNS-over-HTTPS protocol

Output options:
  -1, --short              Short mode: display nothing but the first result
  -J, --json               Display the output as JSON
  --color, --colour=WHEN   When to colourise the output (always, automatic, never)
  --seconds                Do not format durations, display them as seconds
  --time                   Print how long the response took to arrive

Meta options:
  -?, --help               Print list of command-line options
  -v, --version            Print version information

Happy Dog !

PHP 8.0 on OpenBSD 6.9

OpenBSD 6.9 and PHP 8 are out … Why not give it a try?

list packages

Which PHP packages are available with version 6.9?

root@host # pkg_info -Q php |grep '\-8'
php-8.0.3
php-apache-8.0.3
php-bz2-8.0.3
php-cgi-8.0.3
php-curl-8.0.3
php-dba-8.0.3
php-dbg-8.0.3
php-enchant-8.0.3
php-gd-8.0.3
php-gmp-8.0.3
php-imap-8.0.3
php-intl-8.0.3
php-ldap-8.0.3
php-mysqli-8.0.3
php-odbc-8.0.3
php-pcntl-8.0.3
php-pdo_dblib-8.0.3
php-pdo_mysql-8.0.3
php-pdo_odbc-8.0.3
php-pdo_pgsql-8.0.3
php-pdo_sqlite-8.0.3
php-pgsql-8.0.3
php-pspell-8.0.3
php-shmop-8.0.3
php-snmp-8.0.3
php-soap-8.0.3
php-sqlite3-8.0.3
php-tidy-8.0.3
php-xsl-8.0.3
php-zip-8.0.3

Install and Configure Nginx

add nginx, php8

add webserver, php8 and enable the services

OpenBSD 6.9

OpenBSD 6.9 released

This is the 50th release of OpenBSD! As they release twice a year, it must be around 25 years since the fork from NetBSD. Wikipedia has a comparison of the different BSD operating systems.

release 6.9

Upgrade to 6.9

I upgrade my systems twice every year. There is no need to reinstall, as the upgrade has worked fine over the years. Please read the official upgrade guide carefully, and then you may want to use the script below. Use it at your own risk and test it somewhere before you run it in your production environment.

Projects

Like many of you, I've got different kinds of stuff running, mostly internally, but also some public things.

Hamsterwheel Counter

My daughter got a hamster and he's running every night in his wheel. I built a small wheel counter so we can see the daily stats and performance of Cookie :). The website is in German and reachable via IPv6 only …

The hamster died just before Christmas 2022 :( RIP Cookie!

Honeypot

I like to run honeypots … ok, to be honest, it's not a honeypot. It's a production machine for me, but all the bots trying to get in are redirected to a honeypot, their credentials are captured and, last but not least, you can watch them live in your browser :)

http://honeypot.nolink.ch

By the way: 100k failed login attempts in 10 days …

Have fun!


Bootstrap OpenBSD with Jail Partition

Bootstrapping VM

This is similar to the previous post, but with a small difference.

Here, we add another partition, /jail, with 2 GB size. On this partition we remove the nodev and nosuid mount flags, so we can use it as the root for some jailed users. And last but not least, we fire up a new VM, configure a jailed user and make it publicly available …

VM with 20G Disk

*** Bootstrap OpenBSD 6.8 ***

Deploy VMs with Terraform in 10min

Managing VMs on Hetzner Cloud with Terraform

You may want to manage some VMs in the cloud. A web GUI is nice, but a real nerd needs a CLI ;)

Some notes on how to get Terraform running on OpenBSD.

Add packages (3min)

$ time doas pkg_add git gmake go terraform

3m18.62s real     0m19.53s user     0m07.73s system

Set GOPATH

# append GOPATH to the login profile, re-read it and verify
echo "GOPATH=$HOME/go" >> ~/.profile
echo "export GOPATH" >> ~/.profile
. ~/.profile
echo $GOPATH

Build the Terraform provider for hcloud (2min)

As the hcloud provider is not available for OpenBSD, we have to build it on our own.

Bootstrap OpenBSD

Bootstrapping VM

It's always good to have templates, isn't it? Sometimes with a lot of stuff preconfigured and installed, sometimes a fresh install without anything (except syspatches). Here is a little helper on how to build an OpenBSD template with 20 GB or 40 GB disk size.

This was tested on www.hetzner.de, so you should be able to reproduce it in a few minutes.

Costs: CX11,  1 CPU, 2 GB RAM, 20 GB Disk, 20TB Traffic -> 2.68 Euro/Month
Costs: CPX11, 2 CPU, 2 GB RAM, 40 GB Disk, 20TB Traffic -> 3.76 Euro/Month

If you create an account, you can use my sponsor link and we both get "a few bucks" to play with …

RPKI for Home Usage

Resource Public Key Infrastructure

You may know what RPKI is …

It's a PKI framework for improving the security of the Internet routing infrastructure based on BGP.

As a home user or small/medium-sized company, you normally don't have a full BGP table and multiple upstream providers. You have one Internet router or firewall and you get a default route from your ISP.

With OpenBGPD and the current RPKI extensions, you "just" need a full BGP feed, and then you can filter out all RPKI-invalid routes (those that fail ROA validation) and keep your routing (and Internet access) more secure.