Re: news from my hacked box

2020-04-01 Thread Anders Andersson
On Wed, Apr 1, 2020 at 10:29 PM Cord  wrote:
>
> Hi,
> I found something that in my opinion is nearly evidence.
> For those who don't know my story, please read past messages:
> https://marc.info/?a=15535526152=1=2
> Well, as I said previously, my laptop was hacked, then I bought a new
> laptop because my suspicion is that the uefi or other firmware was
> hacked (I reinstalled openbsd various times).
> The old laptop had a wifi usb dongle to connect to the wifi router.
> Now the new laptop has a wifi chip that works properly on openbsd.
> The inner IF is iwm0.
> And I discovered differences in wifi performance between the on-board IF and
> the old usb dongle.
> Of course the tests were made from exactly the same physical place.
> The following are the results (I used speedtest-cli):
> iwm0 with vpn download: 0,46 mbit/s upload: 0,55 mbit/s
> iwm0 without vpn download: 0,50 mbit/s upload: 2,53 mbit/s
> urtwn0 with vpn download: 20,88 mbit/s upload: 8,49 mbit/s
> urtwn0 without vpn download: 24,83 mbit/s upload: 9,27 mbit/s
>
> The following are the results pinging 8.8.8.8 with -c 500:
> 500 packets transmitted, 500 packets received, 0.0% packet loss
> iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
> urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms
>
> As far as I know, traffic shaping is configured by pf with pf.conf; the following
> is my pf.conf (I'm sorry, I'm not a genius of pf):
> ---/etc/pf.conf
> if="urtwn0"
> #if="iwm0"
> dns="{8.8.8.8}"
> myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
> weird="{239.255.255.250, 224.0.0.1}"
> pany="{udp, tcp}"
> set skip on tun0
> set skip on lo
> set block-policy drop
> set loginterface $if
> block quick inet6
> block quick on $if from any to $weird
> pass quick proto icmp
> pass out quick on $if proto $pany from $if to $dns
> pass out quick on $if proto udp from $if to $myvpn
> pass out quick on $if proto tcp from $if to my01-other-vpn.com
> pass out quick on $if proto tcp from $if to my02-other-vpn.com
> pass out quick on $if proto tcp from $if to my03-other-vpn.com
> block drop in on ! lo0 proto tcp to port 6000:6010
> block drop out log proto {tcp udp} user _pbuild
> block log quick on $if
> --
>
> Other strange things that happen on my laptop are the following:
> 1) sometimes my openvpn (2 times out of 5) fails authentication even though I
> use saved authentication data from a file and pass it with --auth-user-pass
> /my/path/pass
> Then in my opinion it's impossible for the authentication to fail.
> 2) sometimes KeePassXC fails authentication on a random site. If I copy the
> password and paste it by hand it works.
> 3) and of course there are people that can spy on me and modify suggested videos
> on youtube. Please do not comment on this because I know it's very subjective.
>
> As I said previously, in my opinion there is a 0day in how the tcp/ip stack
> is implemented in the kernel.
> And the vulnerability can be exploited by a mitm attack from the home router.
> Thank you, Cord.

Hello Cord, and thank you for the interesting messages.

Just a thought: Do you have any wall paintings, and have you noticed
something different about them since you got hacked?

You see, I once talked to a man at the local library who was looking
for literature about computer viruses and he mentioned that the virus
had somehow spread out from the USB ports in his computer onto his
paintings, which had now become dull and grey. His family told him
that he was imagining things and refused to help him, that's why he
was at the library to search for information.

If your computer has been hacked, maybe it is by the same virus.

Kind regards,
Anders



Re: Faking the same LAN over the Internet

2020-04-01 Thread Matt Schwartz
You could also consider using etherip(4). I think the etherip(4) interface
might be more NAT tolerant but I am not really sure.


Re: Faking the same LAN over the Internet

2020-04-01 Thread Diana Eichert
yes, if your openbsd device is not your broadband router, then consider the below.

brief how-to; actual implementation left to the individual admin

step one, have a relatively low cost virtual host provider
step two, use the virtual host provider to determine the data center with the
lowest combined latency between your 2 (or more) endpoints
step three, create ipsec tunnels between endpoints and VM server
step four, create egre or eoip or whatever you chose between the
various endpoints across the ipsec tunnel

On Wed, Apr 1, 2020 at 11:45 AM Tom Smyth  wrote:
>
> Hi Chris, Diana,
>
> Gre is great and fast and a hell of a lot faster than OpenVPN...
> However, and it is a Big However...
> Gre does not typically work across NATs
>
> L2 GRE tunnel interfaces you can run on OpenBSD
> include eoip(4), egre(4), etherip(4)
>
>
> On Wed, 1 Apr 2020 at 17:58, Chris Bennett
>  wrote:
> >
> > On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> > > have you considered looking at native OpenBSD tools?
> > >
> > > https://man.openbsd.org/egre.4
> > >
> >
> > Wow! I had no idea about this.
> > The manual page seems to be very clear, too.
> >
> > I have 2 servers at different ISPs and from home I almost always connect
> > over my phone's hotspot.
> >
> > I will definitely be learning this!
> >
> > Thanks!
> >
> > Chris Bennett
> >
> >
>
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 

-

Past hissy-fits are not a predictor of future hissy-fits.
Nick Holland(06 Dec 2005)

To announce that there must be no criticism of the president,
or that we are to stand by the president, right or wrong, is not
only unpatriotic and servile, but is morally treasonable to
the American public.  - Theodore Roosevelt(1918)
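Steps three and four of Diana's how-to above, written out as an added configuration example that is neither from her post nor from the OpenBSD project: one spoke endpoint's /etc/iked.conf and /etc/hostname.egre0, and the matching files on the hub VM that bridges the spokes into one L2 segment. All addresses, identities, vnetids and pre-shared keys are placeholders, and both ends are assumed reachable on the addresses shown.

```conf
# ---- spoke A: /etc/iked.conf ----
# Placeholder addresses: spoke A = 192.0.2.10, hub VM = 203.0.113.1.
# Only GRE between the two tunnel endpoints is put inside ESP, so the
# policy cannot accidentally swallow other traffic to the hub. Because
# the GRE travels inside ESP (UDP-encapsulated by NAT-T when a NAT is in
# the path), the home router never has to understand GRE itself.
ikev2 "to-hub" active esp proto gre \
	from 192.0.2.10 to 203.0.113.1 \
	local 192.0.2.10 peer 203.0.113.1 \
	ikesa enc aes-256-gcm prf hmac-sha2-256 group curve25519 \
	childsa enc aes-256-gcm group curve25519 \
	srcid spoke-a.example.net dstid hub.example.net \
	psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# ---- spoke A: /etc/hostname.egre0 ----
# Ethernet over GRE to the hub; vnetid is the GRE key and must match the
# hub's egre interface for this spoke. The inet address is the address
# on the "fake LAN" (placeholder subnet 10.99.0.0/24).
tunnel 192.0.2.10 203.0.113.1
vnetid 100
inet 10.99.0.10 255.255.255.0
up

# ---- hub VM: /etc/iked.conf ----
# One passive block per spoke, each mirroring that spoke's flow. A second
# spoke B at placeholder 198.51.100.20 gets its own block and its own PSK,
# so one leaked spoke secret does not let that spoke impersonate another.
ikev2 "spoke-a" passive esp proto gre \
	from 203.0.113.1 to 192.0.2.10 \
	local 203.0.113.1 peer 192.0.2.10 \
	ikesa enc aes-256-gcm prf hmac-sha2-256 group curve25519 \
	childsa enc aes-256-gcm group curve25519 \
	srcid hub.example.net dstid spoke-a.example.net \
	psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
ikev2 "spoke-b" passive esp proto gre \
	from 203.0.113.1 to 198.51.100.20 \
	local 203.0.113.1 peer 198.51.100.20 \
	ikesa enc aes-256-gcm prf hmac-sha2-256 group curve25519 \
	childsa enc aes-256-gcm group curve25519 \
	srcid hub.example.net dstid spoke-b.example.net \
	psk "REPLACE-WITH-A-DIFFERENT-LONG-RANDOM-SECRET"

# ---- hub VM: /etc/hostname.egre0 (towards spoke A) ----
tunnel 203.0.113.1 192.0.2.10
vnetid 100
up

# ---- hub VM: /etc/hostname.egre1 (towards spoke B) ----
tunnel 203.0.113.1 198.51.100.20
vnetid 101
up

# ---- hub VM: /etc/hostname.bridge0 ----
# The bridge turns the star of GRE tunnels into one Ethernet segment:
# a broadcast from spoke A (LAN-only game discovery) is flooded to
# spoke B. The hub itself needs no IP address on the segment.
add egre0
add egre1
up
```

Once more than two endpoints share the hub, certificates (iked's CA mode) scale better than per-spoke PSKs.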



Re: Recommendations for video call/conferencing server on OpenBSD?

2020-04-01 Thread T. Ribbrock
On Wed, Apr 01, 2020 at 11:36:07PM +0200, Jan Betlach wrote:
> I am using jitsi.org and tox.chat (on Linux VM).

Have you by any chance tried to get jitsi running natively on OpenBSD?
That would be my preference, if possible (especially as said server is
not exactly "high end"...)

Cheerio,

Thomas
-- 
-
 Thomas Ribbrock    http://www.ribbrock.org/
   "You have to live on the edge of reality - to make your dreams come true!"



Re: Recommendations for video call/conferencing server on OpenBSD?

2020-04-01 Thread Jan Betlach


Hi,

I am using jitsi.org and tox.chat (on Linux VM).

Jan




On 1 Apr 2020, at 22:53, T. Ribbrock wrote:

> Hi all,
>
> with more and more colleagues and friends sitting at home, I'm
> considering installing some video call/conferencing software on my
> existing OpenBSD server.
>
> I currently have Nextcloud installed on that server, so the easiest
> option was the Nextcloud Talk plugin, which I'm playing with now.
>
> Nonetheless, I'd be curious about what others use/recommend for video
> calls/conferencing - any suggestions?
>
> Thanks in advance,
>
> Thomas



Recommendations for video call/conferencing server on OpenBSD?

2020-04-01 Thread T. Ribbrock
Hi all,

with more and more colleagues and friends sitting at home, I'm
considering installing some video call/conferencing software on my
existing OpenBSD server.

I currently have Nextcloud installed on that server, so the easiest
option was the Nextcloud Talk plugin, which I'm playing with now.

Nonetheless, I'd be curious about what others use/recommend for video
calls/conferencing - any suggestions?

Thanks in advance,

Thomas



Re: reviewing what is available

2020-04-01 Thread Ingo Schwarze
Hi Luke,

Luke A. Call wrote on Wed, Apr 01, 2020 at 01:36:49PM -0600:
> On 04-01 12:47, Chris Bennett wrote:
>> On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:

>>> have you considered looking at native OpenBSD tools?
>>> https://man.openbsd.org/egre.4

>> Wow! I had no idea about this.

> I think you know more about obsd than I do, but in case it's useful to
> anyone else:
> 
> I didn't know about egre(4) either, but I am trying to go
> gradually through the process of seeing "what is there" by browsing to
> man.openbsd.org, putting a single period (".") in the search field,
> choosing a section, clicking apropos, and methodically reading.

As jmc@ made me aware recently, an equal sign (or even better: Nm=)
is faster than a period because it doesn't need to evaluate a regular
expression for each and every manual page in the database.  ;-)


By the way, you can do that from the command line, too, no need
to access the Internet:

   $ man -s 2 -ak Nm=

then type

   :tNAME

and hit the "enter" key.  If you already know about the stuff shown
at the top of the screen, just hit the

  t

key once, or as many times as the top of the screen seems familiar.
Even if you decide to study something and move around with arrows
up and down and search with the "/" and "?" keys, hitting the "t"
key again later will get you to the next manual page from the place
that you last jumped to with "t".  If you get very confused as to
where you stopped and whether you maybe skipped anything, hit "T"
(= Shift-t) until you see something familiar, then move forward
again with "t" as before.

The "man -s 2 -ak Nm=" feature has been working for a long time, for
multiple -stable releases, but for the ":tNAME" and "t" sugar, you
need a *really* current -current, as in, from a few minutes ago,
or tomorrow's (amd64) snapshots, or later for slower architectures.

Enjoy,
  Ingo


> Lots of good
> stuff and some surprises (for me at least) in there.  If I hadn't
> done that once with debian (years ago), I wouldn't know about touch(1),
> for example, and a bunch of other things.
> 
> Again, you know more than I, so no insult intended.  :)



news from my hacked box

2020-04-01 Thread Cord
Hi,
I found something that in my opinion is nearly evidence.
For those who don't know my story, please read past messages:
https://marc.info/?a=15535526152=1=2
Well, as I said previously, my laptop was hacked, then I bought a new laptop
because my suspicion is that the uefi or other firmware was hacked (I
reinstalled openbsd various times).
The old laptop had a wifi usb dongle to connect to the wifi router.
Now the new laptop has a wifi chip that works properly on openbsd.
The inner IF is iwm0.
And I discovered differences in wifi performance between the on-board IF and
the old usb dongle.
Of course the tests were made from exactly the same physical place.
The following are the results (I used speedtest-cli):
iwm0 with vpn download: 0,46 mbit/s upload: 0,55 mbit/s
iwm0 without vpn download: 0,50 mbit/s upload: 2,53 mbit/s
urtwn0 with vpn download: 20,88 mbit/s upload: 8,49 mbit/s
urtwn0 without vpn download: 24,83 mbit/s upload: 9,27 mbit/s

The following are the results pinging 8.8.8.8 with -c 500:
500 packets transmitted, 500 packets received, 0.0% packet loss
iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms

As far as I know, traffic shaping is configured by pf with pf.conf; the following
is my pf.conf (I'm sorry, I'm not a genius of pf):
---/etc/pf.conf
if="urtwn0"
#if="iwm0"
dns="{8.8.8.8}"
myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
weird="{239.255.255.250, 224.0.0.1}"
pany="{udp, tcp}"
set skip on tun0
set skip on lo
set block-policy drop
set loginterface $if
block quick inet6
block quick on $if from any to $weird
pass quick proto icmp
pass out quick on $if proto $pany from $if to $dns
pass out quick on $if proto udp from $if to $myvpn
pass out quick on $if proto tcp from $if to my01-other-vpn.com
pass out quick on $if proto tcp from $if to my02-other-vpn.com
pass out quick on $if proto tcp from $if to my03-other-vpn.com
block drop in on ! lo0 proto tcp to port 6000:6010
block drop out log proto {tcp udp} user _pbuild
block log quick on $if
--

Other strange things that happen on my laptop are the following:
1) sometimes my openvpn (2 times out of 5) fails authentication even though I
use saved authentication data from a file and pass it with --auth-user-pass
/my/path/pass
Then in my opinion it's impossible for the authentication to fail.
2) sometimes KeePassXC fails authentication on a random site. If I copy the
password and paste it by hand it works.
3) and of course there are people that can spy on me and modify suggested videos
on youtube. Please do not comment on this because I know it's very subjective.

As I said previously, in my opinion there is a 0day in how the tcp/ip stack
is implemented in the kernel.
And the vulnerability can be exploited by a mitm attack from the home router.
Thank you, Cord.




Re: bird crashes kernel

2020-04-01 Thread Stuart Henderson
It's probably worth capturing the output of route -n monitor while this is
happening.

Userland-triggerable kernel panic is definitely a bug of some sort, so please
send it to bugs@.

On 2020-04-01, Bastien Durel  wrote:
> Hello,
>
> I tried to replace ospfd & ospf6d by bird, as they don't seem to handle
> wireguard tunnels well, but soon after bird starts (or stops), I get a
> panic (copied from console):
>
> fremen# /etc/rc.d/bird stop   
>  
> birduvm_fault(0xfd813f96b000, 0x18, 0, 1) -> e
> fatal page fault in supervisor mode
> trap type 6 code 0 rip 81a49c6b cs 8 rflags 10206 cr2  18 cpl 0 rsp 
> 8000336d08c0
> gsbase 0x81f44ff0  kgsbase 0x0
> panic: trap type 6, code=0, pc=81a49c6b
> Starting stack trace...
> panic() at panic+0x11b
> kerntrap(8000336d0810) at kerntrap+0x114
> alltraps_kern_meltdown(6,28001,0,0,815b2dd0,18) at 
> alltraps_kern_meltdown+0x7b
> ml_purge(18) at ml_purge+0x1b
> arp_rtrequest() at arp_rtrequest+0x180
> rtm_output(814b6600,8000336d0ad0,8000336d0a28,40,0) at 
> rtm_output+0x41d
> route_output(fd808b525500,fd813212c090,0,0) at route_output+0x329
> route_usrreq(fd813212c090,9,fd808b525500,0,0,800033566548) at 
> route_usrreq+0x207
> sosend(fd813212c090,0,8000336d0d28,0,0,80) at sosend+0x383
> dofilewritev(800033566548,5,8000336d0d28,0,8000336d0e00) at 
> dofilewritev+0xf9
> sys_write(800033566548,8000336d0da0,8000336d0e00) at 
> sys_write+0x51
> syscall(8000336d0e70) at syscall+0x389
> Xsyscall(6,4,1eee94104820,4,1eee9c8370d8,1eeec4584c80) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7f62c0, count: 244
> End of stack trace.
> syncing disks...10 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9  giving up
>
> Here is the dmesg:
>
> [...]
> arpresolve: 10.42.42.0: route contains no arp information
> arpresolve: 10.42.42.0: route contains no arp information
> arpresolve: 10.42.42.0: route contains no arp information
> uvm_fault(0xfd813f96b000, 0x18, 0, 1) -> e
> fatal page fault in supervisor mode
> trap type 6 code 0 rip 81a49c6b cs 8 rflags 10206 cr2  18 cpl 0 rsp 
> 8000336d08c0
> gsbase 0x81f44ff0  kgsbase 0x0
> panic: trap type 6, code=0, pc=81a49c6b
> Starting stack trace...
> panic() at panic+0x11b
> kerntrap(8000336d0810) at kerntrap+0x114
> alltraps_kern_meltdown(6,28001,0,0,815b2dd0,18) at 
> alltraps_kern_meltdown+0x7b
> ml_purge(18) at ml_purge+0x1b
> arp_rtrequest() at arp_rtrequest+0x180
> rtm_output(814b6600,8000336d0ad0,8000336d0a28,40,0) at 
> rtm_output+0x41d
> route_output(fd808b525500,fd813212c090,0,0) at route_output+0x329
> route_usrreq(fd813212c090,9,fd808b525500,0,0,800033566548) at 
> route_usrreq+0x207
> sosend(fd813212c090,0,8000336d0d28,0,0,80) at sosend+0x383
> dofilewritev(800033566548,5,8000336d0d28,0,8000336d0e00) at 
> dofilewritev+0xf9
> sys_write(800033566548,8000336d0da0,8000336d0e00) at 
> sys_write+0x51
> syscall(8000336d0e70) at syscall+0x389
> Xsyscall(6,4,1eee94104820,4,1eee9c8370d8,1eeec4584c80) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7f62c0, count: 244
> End of stack trace.
> syncing disks...presolve: 10.42.42.0: route contains no arp informat
> OpenBSD 6.6 (GENERIC.MP) #7: Thu Mar 12 11:55:22 MDT 2020
> 
> r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4196302848 (4001MB)
> avail mem = 4056403968 (3868MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x8ce22000 (85 entries)
> bios0: vendor American Megatrends Inc. version "5.12" date 11/23/2018
> bios0: Default string Default string
> acpi0 at bios0: ACPI 6.0
> acpi0: sleep states S0 S3 S5
> acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT HPET SSDT SSDT UEFI 
> SSDT LPIT SSDT SSDT SSDT SSDT DBGP DBG2 SSDT DMAR ASF! WSMT
> acpi0: wakeup devices RP09(S3) PXSX(S3) RP10(S3) PXSX(S3) RP11(S3) PXSX(S3) 
> RP12(S3) PXSX(S3) RP13(S3) PXSX(S3) RP01(S3) PXSX(S3) RP02(S3) PXSX(S3) 
> RP03(S3) PXSX(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Celeron(R) CPU 3855U @ 1.60GHz, 1596.83 MHz, 06-4e-03
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,ERMS,INVPCID,RDSEED,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var 

Re: [OpenIKED] current session list

2020-04-01 Thread Radek
On Wed, 1 Apr 2020 08:50:41 - (UTC)
Stuart Henderson  wrote:

> On 2020-04-01, Radek  wrote:
> > Hi @misc,
> > is there any equivalent of "npppctl sessions all/brief" for iked(8)?
> > How can I get the list of currently connected roadwarriors? They use CA.
> > "ipsecctl -sa" shows IPs only, but I need to know who is who.
> 
> If you're not running recent -current, update (either the whole OS or
> just iked+ikectl), something changed recently (possibly "Copy EAP ID to
> new SA when rekeying IKE SA") that resulted in me seeing EAP-MSCHAPv2
> usernames in a typical ipsecctl -sa, hopefully it will help for CA client
> certs too. (Perhaps not surprisingly there have been quite a lot of
> recent improvements to iked in -current).
> 
> 
Thank you Stuart. I'm running 6.6. Unfortunately, the VPN box became quite
important because of the recent remote work policy and I don't want to "touch" it
now as it works as expected. I manage this box remotely and I can't take the
risk that something goes wrong with the update.

This box has recently seen an increase in the number of iked(8) users and I just
wanted to have a better view of them. That was the reason for my question.
I will wait for the next release and replace the box in - hopefully - better
circumstances.
It is good to see that iked(8) improves regularly from one release to another.

-- 
Radek



reviewing what is available (was Re: Faking the same LAN over the Internet)

2020-04-01 Thread Luke A. Call
On 04-01 12:47, Chris Bennett wrote:
> On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> > have you considered looking at native OpenBSD tools?
> > https://man.openbsd.org/egre.4
> 
> Wow! I had no idea about this.

I think you know more about obsd than I do, but in case it's useful to
anyone else:

I didn't know about egre(4) either, but I am trying to go
gradually through the process of seeing "what is there" by browsing to
man.openbsd.org, putting a single period (".") in the search field,
choosing a section, clicking apropos, and methodically reading.  Lots of good
stuff and some surprises (for me at least) in there.  If I hadn't
done that once with debian (years ago), I wouldn't know about touch(1),
for example, and a bunch of other things.

Again, you know more than I, so no insult intended.  :)
-- 
Luke Call
Peace, tech, help, ideas:  http://lukecall.net 
(Updated 2020-03-13. Feedback welcome; https is on todo list.)



Re: Faking the same LAN over the Internet

2020-04-01 Thread Tom Smyth
Hi Chris, Diana,

Gre is great and fast and a hell of a lot faster than OpenVPN...
However, and it is a Big However...
Gre does not typically work across NATs

L2 GRE tunnel interfaces you can run on OpenBSD
include eoip(4), egre(4), etherip(4)


On Wed, 1 Apr 2020 at 17:58, Chris Bennett
 wrote:
>
> On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> > have you considered looking at native OpenBSD tools?
> >
> > https://man.openbsd.org/egre.4
> >
>
> Wow! I had no idea about this.
> The manual page seems to be very clear, too.
>
> I have 2 servers at different ISPs and from home I almost always connect
> over my phone's hotspot.
>
> I will definitely be learning this!
>
> Thanks!
>
> Chris Bennett
>
>


-- 
Kindest regards,
Tom Smyth.



Re: Faking the same LAN over the Internet

2020-04-01 Thread Chris Bennett
On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> have you considered looking at native OpenBSD tools?
> 
> https://man.openbsd.org/egre.4
> 

Wow! I had no idea about this.
The manual page seems to be very clear, too.

I have 2 servers at different ISPs and from home I almost always connect
over my phone's hotspot.

I will definitely be learning this!

Thanks!

Chris Bennett




Re: Faking the same LAN over the Internet

2020-04-01 Thread Diana Eichert
have you considered looking at native OpenBSD tools?

https://man.openbsd.org/egre.4



bird crashes kernel

2020-04-01 Thread Bastien Durel
Hello,

I tried to replace ospfd & ospf6d by bird, as they don't seem to handle
wireguard tunnels well, but soon after bird starts (or stops), I get a
panic (copied from console):

fremen# /etc/rc.d/bird stop
birduvm_fault(0xfd813f96b000, 0x18, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 81a49c6b cs 8 rflags 10206 cr2  18 cpl 0 rsp 
8000336d08c0
gsbase 0x81f44ff0  kgsbase 0x0
panic: trap type 6, code=0, pc=81a49c6b
Starting stack trace...
panic() at panic+0x11b
kerntrap(8000336d0810) at kerntrap+0x114
alltraps_kern_meltdown(6,28001,0,0,815b2dd0,18) at 
alltraps_kern_meltdown+0x7b
ml_purge(18) at ml_purge+0x1b
arp_rtrequest() at arp_rtrequest+0x180
rtm_output(814b6600,8000336d0ad0,8000336d0a28,40,0) at 
rtm_output+0x41d
route_output(fd808b525500,fd813212c090,0,0) at route_output+0x329
route_usrreq(fd813212c090,9,fd808b525500,0,0,800033566548) at 
route_usrreq+0x207
sosend(fd813212c090,0,8000336d0d28,0,0,80) at sosend+0x383
dofilewritev(800033566548,5,8000336d0d28,0,8000336d0e00) at 
dofilewritev+0xf9
sys_write(800033566548,8000336d0da0,8000336d0e00) at sys_write+0x51
syscall(8000336d0e70) at syscall+0x389
Xsyscall(6,4,1eee94104820,4,1eee9c8370d8,1eeec4584c80) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7f62c0, count: 244
End of stack trace.
syncing disks...10 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9  giving up

Here is the dmesg:

[...]
arpresolve: 10.42.42.0: route contains no arp information
arpresolve: 10.42.42.0: route contains no arp information
arpresolve: 10.42.42.0: route contains no arp information
uvm_fault(0xfd813f96b000, 0x18, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 81a49c6b cs 8 rflags 10206 cr2  18 cpl 0 rsp 
8000336d08c0
gsbase 0x81f44ff0  kgsbase 0x0
panic: trap type 6, code=0, pc=81a49c6b
Starting stack trace...
panic() at panic+0x11b
kerntrap(8000336d0810) at kerntrap+0x114
alltraps_kern_meltdown(6,28001,0,0,815b2dd0,18) at 
alltraps_kern_meltdown+0x7b
ml_purge(18) at ml_purge+0x1b
arp_rtrequest() at arp_rtrequest+0x180
rtm_output(814b6600,8000336d0ad0,8000336d0a28,40,0) at 
rtm_output+0x41d
route_output(fd808b525500,fd813212c090,0,0) at route_output+0x329
route_usrreq(fd813212c090,9,fd808b525500,0,0,800033566548) at 
route_usrreq+0x207
sosend(fd813212c090,0,8000336d0d28,0,0,80) at sosend+0x383
dofilewritev(800033566548,5,8000336d0d28,0,8000336d0e00) at 
dofilewritev+0xf9
sys_write(800033566548,8000336d0da0,8000336d0e00) at sys_write+0x51
syscall(8000336d0e70) at syscall+0x389
Xsyscall(6,4,1eee94104820,4,1eee9c8370d8,1eeec4584c80) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7f62c0, count: 244
End of stack trace.
syncing disks...presolve: 10.42.42.0: route contains no arp informat
OpenBSD 6.6 (GENERIC.MP) #7: Thu Mar 12 11:55:22 MDT 2020

r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4196302848 (4001MB)
avail mem = 4056403968 (3868MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x8ce22000 (85 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 11/23/2018
bios0: Default string Default string
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT HPET SSDT SSDT UEFI SSDT 
LPIT SSDT SSDT SSDT SSDT DBGP DBG2 SSDT DMAR ASF! WSMT
acpi0: wakeup devices RP09(S3) PXSX(S3) RP10(S3) PXSX(S3) RP11(S3) PXSX(S3) 
RP12(S3) PXSX(S3) RP13(S3) PXSX(S3) RP01(S3) PXSX(S3) RP02(S3) PXSX(S3) 
RP03(S3) PXSX(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU 3855U @ 1.60GHz, 1596.83 MHz, 06-4e-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,ERMS,INVPCID,RDSEED,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU 3855U @ 1.60GHz, 1596.29 MHz, 06-4e-03
cpu1: 

Re: [OpenIKED] current session list

2020-04-01 Thread Stuart Henderson
On 2020-04-01, Radek  wrote:
> Hi @misc,
> is there any equivalent of "npppctl sessions all/brief" for iked(8)?
> How can I get the list of currently connected roadwarriors? They use CA.
> "ipsecctl -sa" shows IPs only, but I need to know who is who.

If you're not running recent -current, update (either the whole OS or
just iked+ikectl), something changed recently (possibly "Copy EAP ID to
new SA when rekeying IKE SA") that resulted in me seeing EAP-MSCHAPv2
usernames in a typical ipsecctl -sa, hopefully it will help for CA client
certs too. (Perhaps not surprisingly there have been quite a lot of
recent improvements to iked in -current).




Re: Faking the same LAN over the Internet

2020-04-01 Thread slackwaree
Use OpenVPN in bridged mode or, if it's too complicated for you to set up, you
can give Hamachi a shot, which was made for exactly this.

There is one caveat regarding using the bridged mode in openvpn: there is
more packet overhead than if you were using the routed tun network, but I
guess it will be more than enough for your application.

Other things can be broadcast storms, some misbehavior of bridge interfaces (like
sometimes your FW thinks the packet came in on br0, sometimes on tap0), and mtu
problems; that is also why the ovpn team wants to remove the bridged mode, so enjoy
it while you can :)



‐‐‐ Original Message ‐‐‐
On Tuesday, March 31, 2020 11:34 AM, Chris Rawnsley  wrote:

> In the period of The Great Isolation, a friend and I wish to play
> a game that has LAN-only multiplayer. We, however, live in different
> locations and, more importantly, different LANs. An often cited
> approach to solving this is to set up a VPN and connect the two
> devices to it. This requires that both devices run a VPN client
> that connects to the third device that manages the connection. And
> then, hey presto! You have a "LAN".
>
> The complication I have found is that we are both using a Nintendo
> Switch (NinSw) and this device comes without a VPN client. Initially,
> I thought it would be possible to use a VPN client on a computer
> which was wired in over Ethernet and then share the wireless to the
> NinSw. This setup would be mirrored on the other side. The diagram
> below tries to make this clearer. Search for "Where my thinking"
> to skip over this.
>
> [ASCII diagram garbled in the archive; it showed NinSw, laptop, VPN,
> uplink and gateway on one side, "mirrored on the other side"]
>
> Where my thinking comes stuck is how the wired connection is shared
> to the NinSw over wireless. The laptop, running MacOS in the case
> of my friend, will setup its own NAT to isolate the wireless
> connections from the uplink. The NinSw is then unable to receive
> an IP from the VPN and therefore not appear as part of the same
> network.
>
> Ignoring the particular case of how "Internet Connection Sharing"
> works on MacOS, would it be possible to setup some "VPN bridge"
> (yes, I made that up) on OpenBSD where it handles the details of
> the VPN connection but forwards the IP address to another device?
>
> If anyone has more insight into this and can point me in the right
> direction I would be grateful. Similarly if there's been a mistake
> in my thinking please point it out as that could help too.
>
>
> -
>
> Chris Rawnsley
>
> P.S. the game in question is Civilization 6 and, yes, they very
> annoyingly restricted it to LAN-only multiplayer...




16gb nvme (optane) : install target : supported?

2020-04-01 Thread Mayuresh Kathe
is installation to a 16gb optane disk (built into my laptop) supported?
currently running ubuntu 18.04 and it runs really well off the optane.
even gives me an additional 1 hour of battery usage.



[OpenIKED] current session list

2020-04-01 Thread Radek
Hi @misc,
is there any equivalent of "npppctl sessions all/brief" for iked(8)?
How can I get the list of currently connected roadwarriors? They use CA.
"ipsecctl -sa" shows IPs only, but I need to know who is who.

-- 
Radek