non-amd64 vps's in europe?

2023-08-13 Thread Peter J. Philipp
Hi,

I'm asking for a friend in Spain.  He would like to know if there are any
OpenBSD VPS providers in Europe that provide non-amd64 VPSs such as
Hetzner's arm64 instance.

He doesn't want to deal with Hetzner because of their tight control checks
regarding ID cards and stuff.  Is there anything else out there that works
with OpenBSD?  He does not want Amazon either.

Best Regards,
-peter

-- 
Over thirty years experience on Unix-like Operating Systems starting with QNX.



Re: My /usr cleaning campaign..

2023-08-13 Thread patric conant
I'd like to second the recommendation to leave it alone.

On Sat, Aug 12, 2023 at 9:56 PM Daniele B.  wrote:

>
> Thanks for this one Matthew.
>
> Looking further, I noticed..
>
> - /usr/local/share/gtk-doc (=131MB), html doc completed of some vary
>   .png files..  I guess this could be not only an endemic problem of my
>   stick as gtk-doc is not installed here: I'm not in the need of GTK C
>   code documentation
> - /usr/local/share/doc (=118MB)
>
> and..
> - what about /usr/local/share/gir-1.0 (70M) ?
>
> I'd like almost to delete ./gtk-doc and move ./doc to eg. /home/ (with
> sensibly more space) with a link to among the toppings.. ;D
>
>
> -- Daniele Bonini
>
>
> Matthew Ernisse  wrote:
>
> > On Sun, Aug 13, 2023 at 02:31:44AM +0200, Daniele B. said:
> > >I found instead /usr/share/relink/kernel/GENERIC.MP (636M) that is
> > >good to not have, eventually. Is it safe to move away or erase it?
> >
> > Leave it alone.
> >
> > >Any other suggestion for my /usr cleaning campaign? ;D
> >
> > You have sufficient free space to safely proceed with the upgrade.
> > Why potentially risk deleting something you don't understand?
> >
> > I would suggest either:
> > - Proceed with the upgrade.
> > - Reinstall the system from scratch with a larger /usr.
>
>
>

-- 
Patric Conant
Mirage Computing Lead Consultant
@MirageComputing on twitter
https://m.facebook.com/MirageComputing/
316 409 2424


httpd server "default" is not what I expected

2023-08-13 Thread Alfred Morgan
I was surprised that `server "default"` didn't act like I expected. In this
example I expected `test1` to get 200 and everything else to get 404 but
this is not the case. In this example server "test1" actually catches all:
localhost, test1, and test2 will get code 200.

/etc/hosts:
127.0.0.1  localhost  test1  test2

/tmp/httpd.conf:
server "test1" {
  listen on localhost port 8080
  block return 200
}

server "default" {
  listen on localhost port 8080
  block return 404
}

httpd -df /tmp/httpd.conf &

ftp -o - http://localhost:8080/ #200
ftp -o - http://test1:8080/ #200
ftp -o - http://test2:8080/ #200

man httpd.conf says:
"Match the server name using shell globbing rules. This can be an explicit
name, www.example.com, or a name including wildcards, *.example.com."

There is no mention as to what `server "default"` does even though it is
used several times in the man page. I find the behaviour to be odd
for it not to be documented. It isn't until I change the line to `server
"*"` when it starts doing what I expected:

ftp -o- http://localhost:8080/ #404
ftp -o- http://test1:8080/ #200
ftp -o- http://test2:8080/ #404

This is a gotcha in general. I would think the examples should use server
"*" instead and document what server "default" actually does.

And while we are here: why does running httpd as a user say

httpd: need root privileges

Does it...?

-alfred
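To make the matching rule behind the observation above concrete, here is an added example, written for this thread and not code from the post or from httpd itself. It models how httpd picks a server block for a request: the Host name is matched against server names with shell globbing rules, in configuration order, and the first match wins. The one assumption, drawn from the observed 200s rather than from httpd.conf(5), is that when no name matches the request is handled by the first server configured on that listener. Server names, status codes and host names are the ones from the post; the third configuration (catch-all listed first) is constructed.

```python
import fnmatch

# Server blocks as (name, status) in configuration order, taken from the post.
SERVERS_DEFAULT = [("test1", 200), ("default", 404)]   # the surprising config
SERVERS_GLOB = [("test1", 200), ("*", 404)]            # the config that behaves as expected
SERVERS_GLOB_FIRST = [("*", 404), ("test1", 200)]      # constructed: catch-all listed first

HOSTS = ("localhost", "test1", "test2")   # names from the /etc/hosts line in the post


def select_server(servers, host):
    """Pick the server block that handles a request for `host`.

    Names are matched with shell globbing rules (fnmatch), in configuration
    order, and the first match wins. ASSUMPTION (not stated in httpd.conf(5)):
    when no name matches, the request is handled by the first server that
    listens on that socket, which is what the observed 200 responses imply.
    """
    for name, status in servers:
        if fnmatch.fnmatchcase(host, name):
            return name, status
    return servers[0]


def probe(servers, hosts=HOSTS):
    """Return {host: status} for each host, like the ftp -o - loop in the post."""
    return {host: select_server(servers, host)[1] for host in hosts}


if __name__ == "__main__":
    for label, servers in (('server "default"', SERVERS_DEFAULT),
                           ('server "*"', SERVERS_GLOB),
                           ('server "*" listed first', SERVERS_GLOB_FIRST)):
        print(f"{label:24s} {probe(servers)}")
```

Under this model "default" is just a literal server name: it matches only a request whose Host header is exactly `default`, so every other unmatched name falls back to the first block. Ordering matters in the other direction too: a `"*"` block listed before `"test1"` shadows it, because the first matching name wins.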


Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread SOUBHEEK NATH
Hello Lain,

I appreciate your feedback and the time you took to provide it.

1. I set up OpenBSD 7.3 on a Raspberry Pi 4B with 4GB of RAM, which is
   running from a USB drive.
2. This is not a production environment, it is solely for educational
   purposes.
3. The router is currently using its default settings and three other
   devices are connected to it.
4. The wireless router is currently using its default settings to
   assign IP addresses to three other devices that are connected to it.
   You are correct, with this setup and pf rule, the wireguard VPN
   server is accessible from within the local area network. However, I
   believe that in the future, I can use the same setup and pf rule to
   remotely access the server's ports exclusively through the wireguard
   VPN from outside the network.
5. Your configuration is functioning correctly, allowing only devices
   within the wireguard network to access ports 22 and 80, while
   blocking access for others.
6. However, I cannot allow only one device with the IP address 10.0.8.4.
   All devices in the wireguard network are able to access ports 22 and
   80.
   I have attempted to use the following pf rule:

   set skip on lo

   block return# block stateless traffic
   pass# establish keep-state

   # By default, do not permit remote connections to X11
   block return in on ! lo0 proto tcp to port 6000:6010

   # Port build user does not need network

   pass in quick on wg0 proto tcp from 10.0.8.4 to any port {22, 80}
   block in quick on egress proto tcp from any to any port {22, 80}

   block return out log proto {tcp udp} user _pbuild

   pass in on egress proto tcp from any to any port 22

   pass out on egress inet from (wg0:network) nat-to (bwfm0:0)

   Based on my understanding of the OpenBSD PF-Packet filtering document
   (https://www.openbsd.org/faq/pf/filter.html), the intention of this
   pf rule is to allow only the IP address 10.0.8.4 to access ports 22
   and 80. However, currently both machines with IP addresses 10.0.8.2
   and 10.0.8.3 are able to access ports 22 and 80.

7. I have already falsified the private and public keys when submitting
   this question.
   I attempted to include 'Address = 10.0.8.1/32' in the wireguard
   [Interface] block earlier as you suggested, but encountered an error.

   $ doas sh /etc/netstart wg0
   Line unrecognized: `Address=10.0.8.1/24'
   Configuration parsing error

   I've gone through this link while setting up wireguard:
   https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
   Despite its absence, wireguard is functioning properly.

8. I greatly appreciate your suggestion regarding the PreShareKey in
   wireguard configuration. It would be a valuable addition to my
   knowledge and will benefit me in the future.

Thanks again.
--
Soubheek Nath
Fifth Estate
Kolkata, India
soubheekn...@gmail.com

On Sun, Aug 13, 2023 at 7:04 AM lain.  wrote:
>
> I failed to come up with reasons for using a preshared key, so I've let
> ChatGPT generate reasons for me:
>
> Certainly! WireGuard's use of a preshared key (PSK) adds an additional layer 
> of symmetric encryption to the standard asymmetric encryption. Here's a brief 
> explanation of the advantage:
>
> 1. **Symmetric vs. Asymmetric Encryption**: WireGuard primarily uses 
> asymmetric encryption, where each party has a pair of keys (public and 
> private). Symmetric encryption, on the other hand, utilizes the same key for 
> both encryption and decryption. By adding a PSK, WireGuard incorporates both 
> types of encryption.
>
> 2. **Additional Security Layer**: The PSK is mixed into the encryption 
> process along with the standard public and private keys. Even if an attacker 
> could somehow compromise the asymmetric part (though practically very 
> difficult), they would still need the PSK to decrypt the communication.
>
> 3. **Protection Against Quantum Attacks**: Though still theoretical at this 
> point, quantum computers could eventually break the Diffie-Hellman key 
> exchange used in many encryption protocols. By using a PSK, WireGuard adds 
> protection against this potential future vulnerability.
>
> 4. **Simplicity**: WireGuard's design is intended to be simple and easy to 
> implement. The use of a PSK aligns with this philosophy by providing a 
> straightforward way to bolster security.
>
> Here's an example of how you would generate and implement a preshared key in 
> WireGuard:
>
> Generate the PSK:
> ```bash
> wg genpsk
> ```
>
> You would then add the generated key to both the client and server 
> configurations:
>
> Server's `wg0.conf`:
> ```ini
> [Peer]
> PublicKey = CLIENT_PUBLIC_KEY
> PresharedKey = GENERATED_PRESHARED_KEY
> AllowedIPs = CLIENT_IP/32
> ```
>
> Client's `wg0.conf`:
> ```ini
> [Peer]
> PublicKey = SERVER_PUBLIC_KEY
> PresharedKey = GENERATED_PRESHARED_KEY
> AllowedIPs = 0.0.0.0/0
> Endpoint = SERVER_IP:PORT
> ```
>
> In summary, adding a PSK provides an extra layer of security t

Re: Problem with nsd not being reloaded.

2023-08-13 Thread WATANABE Takeo
Hi.

It was an elementary mistake.

The following line was added to nsd.conf and
now both nsd-control and rcctl work.


/var/nsd/etc/nsd.conf
-
remote-control:
control-enable: yes
control-interface: /var/run/nsd.sock
server-key-file: "/var/nsd/etc/nsd_server.key"
server-cert-file: "/var/nsd/etc/nsd_server.pem"
control-key-file: "/var/nsd/etc/nsd_control.key"
control-cert-file: "/var/nsd/etc/nsd_control.pem"

-

Thank you very much for the valuable points you have raised.


on Sat, 12 Aug 2023 11:49:45 - (UTC)
Stuart Henderson  wrote: 

> On 2023-08-12, Pontus Stenetorp  wrote:
>> On Sat 12 Aug 2023, WATANABE Takeo wrote:
>>> 
>>> I am using nsd, which runs by default on OpenBSD 7.2 amd64.
>>> To update the zone file after changes have been made.
>>> 
>>> # rcctl reload nsd
>>> 
>>> would result in
>>> 
>>> nsd(failed)
>>> 
>>> and cannot be updated.
>>> 
>>> As far as I could find, restarting the host seems to be
>>> the only way to update the zone information.
>>> 
>>> How can I use the rcctl command to reload the zone information,
>>> as I am having trouble dealing with this?
>>> 
>>> -
>>> # more rc.conf.local
>>> 
>>> nsd_flags=
>>> smtpd_flags=NO
>>> sshd_flags=NO
>>> unbound_flags=
>>
>> No solution, but I am experiencing the same issue on OpenBSD 7.3. You
>> do not need a restart though, you can just dig out the NSD PIDs with
>> grep(1) and ps(1); then pass them to kill(1) and then use rcctl(8). Not
>> pretty, but it works as I have not had the time to dig into what the
>> underlying problem is.
>>
>> etc/rc.conf.local:
>>
>>  nsd_flags=
>>
>> var/nsd/etc/nsd.conf:
>>
>>  server:
>>  hide-version: yes
>>  verbosity: 1
>>  database: ""
>>
>>  remote-control:
>>  control-enable: yes
>>  control-interface: /var/run/nsd.sock
>>
>>  ---8<---
>>
>>
> 
> No problems here with "rcctl reload nsd" on 7.3 or 2-week-old -current,
> though typically I use "nsd-control reload " after a change.
> 
> Any clues from rcctl -d reload nsd? Anything relevant in logs? If not
> try bumping up the detail level e.g. "verbosity: 3" 


---
WATANABE, Takeo
t...@kasaneiro.jp



Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread Stuart Henderson
>Based on my understanding of the OpenBSD PF-Packet filtering document
>(https://www.openbsd.org/faq/pf/filter.html), the intention of this
>pf rule is to allow only the IP address 10.0.8.4 to access ports 22
>and 80. However, currently both machines with IP addresses 10.0.8.2
>and 10.0.8.3 are able to access ports 22 and 80.

Maybe try something like

set skip on lo
block log
match out on bwfm0 inet received-on wg0 nat-to (bwfm0)
pass out
pass in on wg0
block log in to (self)
pass proto tcp from 10.0.8.4 to port {22 80}

I recommend ignoring the pf FAQ and using https://man.openbsd.org/pf.conf
instead.

>https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/

what a mess of things from the base OS and unneeded third-party tools.

> On Sun, Aug 13, 2023 at 7:04 AM lain.  wrote:
>>
>> I failed to come up with reasons for using a preshared key, so I've let
>> ChatGPT generate reasons for me:

oh $deity please do not.
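As an added example, not from the thread or from pf itself: a small Python model of pf's rule evaluation (last matching rule wins, a matching `quick` rule ends evaluation, and a packet matched by no rule passes), run over both the rule set from the question and the one suggested above. It models only the features those rules use and leaves out the X11, `_pbuild` and NAT rules, which cannot match the inbound TCP test packets; `match ... nat-to` is omitted because match rules never set the verdict. The `egress` group is taken to be bwfm0, and the firewall's own addresses (what `(self)` expands to) and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed assumption: the firewall's own addresses, i.e. what pf expands
# "(self)" to. 10.0.8.1 is the wg0 address from the thread; the LAN address
# is made up.
SELF_ADDRS = {"10.0.8.1", "192.168.1.50"}


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out", or None for both
    iface: Optional[str] = None          # interface name, or None for any
    proto: Optional[str] = None          # "tcp", "udp", or None for any
    src: Optional[str] = None            # source CIDR, or None for any
    dst: Optional[str] = None            # destination CIDR, "self", or None
    ports: FrozenSet[int] = frozenset()  # destination ports, empty for any
    quick: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and not _in_net(pkt.src, rule.src):
        return False
    if rule.dst == "self":
        if pkt.dst not in SELF_ADDRS:
            return False
    elif rule.dst and not _in_net(pkt.dst, rule.dst):
        return False
    if rule.ports and pkt.dport not in rule.ports:
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """pf semantics: the last matching rule decides, except that a matching
    rule marked quick ends evaluation at once. With no match at all, pf passes."""
    verdict = "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


P22_80 = frozenset({22, 80})

# Rule set from the question, relevant rules only, in order (egress = bwfm0).
ORIGINAL_RULES = [
    Rule("block"),                                               # block return
    Rule("pass"),                                                # pass (keep state)
    Rule("pass", "in", "wg0", "tcp", src="10.0.8.4/32", ports=P22_80, quick=True),
    Rule("block", "in", "bwfm0", "tcp", ports=P22_80, quick=True),
    Rule("pass", "in", "bwfm0", "tcp", ports=frozenset({22})),
]

# Rule set from the reply above, in order.
SUGGESTED_RULES = [
    Rule("block"),                                               # block log
    Rule("pass", "out"),                                         # pass out
    Rule("pass", "in", "wg0"),                                   # pass in on wg0
    Rule("block", "in", dst="self"),                             # block log in to (self)
    Rule("pass", proto="tcp", src="10.0.8.4/32", ports=P22_80),  # pass proto tcp from 10.0.8.4 ...
]

# Constructed test packets: the two WireGuard clients from the thread, a
# connection forwarded through the VPN to a LAN host, and an unsolicited SSH
# attempt arriving on bwfm0.
TEST_PACKETS = {
    "allowed_client_to_ssh": Packet("in", "wg0", "tcp", "10.0.8.4", "10.0.8.1", 22),
    "other_client_to_ssh": Packet("in", "wg0", "tcp", "10.0.8.2", "10.0.8.1", 22),
    "other_client_forwarded": Packet("in", "wg0", "tcp", "10.0.8.2", "192.168.1.20", 443),
    "outside_to_ssh": Packet("in", "bwfm0", "tcp", "192.168.1.77", "192.168.1.50", 22),
}


def verdicts(rules):
    """Map each test packet name to the verdict the rule set gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in TEST_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        print(label, verdicts(rules))
```

The model shows why the original set lets 10.0.8.2 in: the `quick` rule on wg0 only matches 10.0.8.4, the `block in quick on egress` rule never sees wg0 traffic, so the blanket `pass` near the top is the last match for every other wg0 packet. In the suggested set, `block log in to (self)` comes after `pass in on wg0` and so wins for any VPN client talking to the firewall itself, and only the final `pass` for 10.0.8.4 overrides it; forwarded VPN traffic to other hosts still passes.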




Re: My /usr cleaning campaign..

2023-08-13 Thread Matthew Ernisse

On Sun, Aug 13, 2023 at 04:37:25AM +0200, Daniele B. said:

[ snip ]


- what about /usr/local/share/gir-1.0 (70M) ?


I gather you are not running the automatic layout presented to you from
the OpenBSD installer as it will create separate slices for /usr and
/usr/local.

You should probably re-install with the suggested partition and slice
layout, possibly increasing some sizes to fit your disk and use case.

I'd suggest understanding disklabel(8) and hier(7) first.

--
Please direct replies to the list.



Re: My /usr cleaning campaign..

2023-08-13 Thread Daniele B.


You got it, sometimes I have to get to "Personalized Setup" to feel
like an advanced user.. ;D

My disk layout is already like a little roller coaster (in plain Italian
!!! "russian mountains" !!!) but I'm able to enjoy it.. 

For now I moved doc and gtk-doc with their image files away reaching
quota 25% free. If you say it I could probably be happy about it..

I still do not understand why I have gtk-doc present on disk but I keep
it for myself, not like the mistake on the signature, I mean.. then we
go to disturb the developers, bloood..


-- Daniele Bonini


Matthew Ernisse  wrote:

> I gather you are not running the automatic layout presented to you
> from the OpenBSD installer as it will create separate slices for /usr
> and /usr/local.
> 
> You should probably re-install with the suggested partition and slice
> layout, possibly increasing some sizes to fit your disk and use case.
> 
> I'd suggest understanding disklabel(8) and hier(7) first.



Re: My /usr cleaning campaign..

2023-08-13 Thread Allan Streib
On Sun, Aug 13, 2023, at 10:29, Daniele B. wrote:
> You got it, sometimes I have to get to "Personalized Setup" to feel
> like an advanced user.. ;D

I used to tweak my installations in ways that I thought were better but
I frequently ended up shooting myself in the foot.

If you plan to install a lot of packages, you might want make /usr/local
bigger. If you've been upgrading from an original installation 5 years
ago, you might eventually need to repartition as the original scheme was
based on the old release and things change.

At this point, after running OpenBSD in various systems since 3.x, I
almost always just accept the defaults on everything I can. Administering
systems over time is enough work without having to remember all the
local changes I made every time I need to upgrade.

Allan





Re: My /usr cleaning campaign..

2023-08-13 Thread Daniele B.


"Allan Streib"  wrote:

> If you plan to install a lot of packages, you might want make
> /usr/local bigger. If you've been upgrading from an original
> installation 5 years ago, you might eventually need to repartition as
> the original scheme was based on the old release and things change.

Luckily my dev environment is stable enough over time, so it is not
so bad. I'm looking ahead, however, to avoid worse symptoms at the
moment of sysupgrade. I'm on a stick and my average status during
late night upgrades is already tense, with one hand on the phone
for the emergency service, that's it. The stick is not that big so,
believing I'd simplify the disk layout at my few logged setups, I
always cut on /usr/local; that said, the stick size is always limited,
you can put on one or two mount points but the space constraint is
still there. True, I lay part of my data on an external disk, but then
what do you suggest to move there from /usr ? Probably nothing, I'm
guessing..
The point is exactly that, like many, I do not want to start
all over and the hope is always to find some bugs for the devs that
allow me to erase stuff on /usr and gain those percentage points that
give me more heart confidence.

-- Daniele Bonini
 

 



Re: My /usr cleaning campaign..

2023-08-13 Thread Stuart Henderson
On 2023-08-13, Daniele B.  wrote:
>
> You got it, sometimes I have to get to "Personalized Setup" to feel
> like an advanced user.. ;D

Advanced OpenBSD users know that changing from install defaults can
often cause pain. In terms of partitioning; resizing partitions to make
them bigger than default is usually fine; adding the odd extra partition
or two is usually fine; combining partitions or reducing sizes of most
of the default-installed partitions often results in some problems.

> My disk layout is already like a little roll coaster (in plain italian
> !!! "russian mountains" !!!) but I'm able to enjoy it.. 
>
> For now I moved doc and gtk-doc with their image files away reaching
> quota 25% free. If you say it I could probably be happy about it..

Now you'll have problems when you update packages.

> I still do not understand why I have gtk-doc presents on disk but I keep
> it for myself, not like the mistake on the signature, I mean.. then we
> go to disturb the developers, bloood..

Because you installed a package which includes them.

You might not need that package any more, use pkglocate to track down
which package provides a certain file.




riscv questions

2023-08-13 Thread Peter J. Philipp
Hi,

I was wondering two things currently, both having to do with QEMU on OpenBSD.

I noticed in my QEMU that is running OpenBSD that it is supporting the
H-extension.  The H is hypervisor.  Does this mean that there is support
emulated for hypervisor host and guest in QEMU?  Also, are there any efforts to
implement this where I can be an observer?

I saw somewhere that newer QEMU supports RV128 CPU emulation.  While this
is something for 20 years from now perhaps, I'm still curious if anyone is
considering a port to the RV128, or is at least turned on by the thought of it.
Unfortunately I believe the RV128 isn't intended for a 128-bit address space
but has something planned for partitioning it in half so it will be 64-bit 
space, with the other 64 bits for something security related.

Also I'd like to say that I have had my first piece of RV64 hardware for a few
weeks now and it can run Ubuntu Linux.  It's a Mango Pi which is the same
form factor as a RPi Zero.  I also donated one to a developer so perhaps we'll
see OpenBSD running on it one day.  In half a dozen weeks or so I'm considering
getting my second RV64 computer, which will be somewhat of a VisionFive 2-like
SBC for a router.  Not sure which yet, though, let's see who can deliver in 
October.

Next year I'd like to invest in a larger RV64 computer for a workstation. As 
you can see I'm starting to get a bit serious about RISC-V.

Best Regards,
-peter

-- 
Over thirty years experience on Unix-like Operating Systems starting with QNX.



Re: My /usr cleaning campaign..

2023-08-13 Thread Daniele B.


Thanks Stuart, as usual.

Stuart Henderson  wrote:

> > I still do not understand why I have gtk-doc presents on disk but I
> > keep it for myself, not like the mistake on the signature, I mean..
> > then we go to disturb the developers, bloood..  
> 
> Because you installed a package which includes them.
> 
> You might not need that package any more, use pkglocate to track down
> which package provides a certain file.

pkg_info gtk-doc doesn't tell me gtk-doc is installed..
 
But when I launch:

pkg_locate share/gtk-doc | less

from the displayed list I think there is no package missing to have
resources installed there..

> > For now I moved doc and gtk-doc with their image files away reaching
> > quota 25% free. If you say it I could probably be happy about it..  
> 
> Now you'll have problems when you update packages.

I move them away linking -s to them onto /usr/local, do you still think
it can cause problems?


-- Daniele Bonini



Re: My /usr cleaning campaign..

2023-08-13 Thread Stuart Henderson
On 2023-08-13, Daniele B.  wrote:
>
> Thanks Stuart, as usual.
>
> Stuart Henderson  wrote:
>
>> > I still do not understand why I have gtk-doc presents on disk but I
>> > keep it for myself, not like the mistake on the signature, I mean..
>> > then we go to disturb the developers, bloood..  
>> 
>> Because you installed a package which includes them.
>> 
>> You might not need that package any more, use pkglocate to track down
>> which package provides a certain file.
>
> pkg_info gtk-doc doesn't say me gtk-doc is installed..

The gtk-doc package has the tools. Actual doc for various libraries is
usually included with the package for that library.

Not sure how much space it takes on your system, but on mine it's about
100M, and if I was worried about 100M on a shared /usr and /usr/local,
I'd definitely want a larger partition.

The most common packages that install gtk-doc files which actually
take noticeable amounts of space are the various webkit2gtk ones.
You may find that you have 2 versions of webkit2gtk installed from
previous dependencies pulling them in and one of them is no longer
needed.

You could also "pkg_delete -na" (simulate uninstalling packages which
were only installed as dependencies) and review the list. If it shows
any packages which you actually want then "pkg_add -m " to
set the "manually installed" marker, then "pkg_delete -a" to remove
the rest.


> But when I launch:
>
> pkg_locate share/gtk-doc | less
>
> from the displayed list I think there is no package missing to have
> resources installed there..
>
>> > For now I moved doc and gtk-doc with their image files away reaching
>> > quota 25% free. If you say it I could probably be happy about it..  
>> 
>> Now you'll have problems when you update packages.
>
> I move them away linking -s to them onto /usr/local, do you still think
> it can cause problems?

That's quite possible.




Re: My /usr cleaning campaign..

2023-08-13 Thread Daniele B.


Stuart Henderson  wrote:

> The gtk-doc package has the tools. Actual doc for various libraries is
> usually included with the package for that library.
> 

[...]

> > But when I launch:
> >
> > pkg_locate share/gtk-doc | less
> >
> > from the displayed list I think there is no package missing to have
> > resources installed there..
> >  
> >> > For now I moved doc and gtk-doc with their image files away
> >> > reaching quota 25% free. If you say it I could probably be happy
> >> > about it..
> >> 
> >> Now you'll have problems when you update packages.  
> >
> > I move them away linking -s to them onto /usr/local, do you still
> > think it can cause problems?  
> 
> That's quite possible.


Ok, I reverted all back into /usr/local/share. Thanks


-- Daniele Bonini



Re: My /usr cleaning campaign..

2023-08-13 Thread Thomas Frohwein
On Sun, Aug 13, 2023 at 06:40:54PM +0200, Daniele B. wrote:
> 
> Thanks Stuart, as usual.
> 
> Stuart Henderson  wrote:
> 
> > > I still do not understand why I have gtk-doc presents on disk but I
> > > keep it for myself, not like the mistake on the signature, I mean..
> > > then we go to disturb the developers, bloood..  
> > 
> > Because you installed a package which includes them.
> > 
> > You might not need that package any more, use pkglocate to track down
> > which package provides a certain file.
> 
> pkg_info gtk-doc doesn't say me gtk-doc is installed..

I don't think that command tells you anything about the installation
status of that package. When I need to check if a package is installed,
I use for example:

$ pkg_info | grep "gtk.doc"

From pkg_info(1):

"If no pkg-name is specified, pkg_info shows the names and one-line
comments for all installed packages except internal packages."

> But when I launch:
> 
> pkg_locate share/gtk-doc | less
> 
> from the displayed list I think there is no package missing to have
> resources installed there..

I'm not sure that that's the command to answer the question that you
have. In fact, with wc -l: 14274 this is an exceptionally noisy command
and it shows dozens if not hundreds of different packages that install
into share/gtk-doc.

Note that pkg_locate doesn't limit itself to what you have currently
installed, but shows any file from any package, installed or not, that
has the string 'share/gtk-doc' in its path.

> > > For now I moved doc and gtk-doc with their image files away reaching
> > > quota 25% free. If you say it I could probably be happy about it..  
> > 
> > Now you'll have problems when you update packages.
> 
> I move them away linking -s to them onto /usr/local, do you still think
> it can cause problems?

I think that's asking for trouble and sometimes hard-to-diagnose bugs
with packages in the future.

I'm still not sure what problem you are trying to solve... You want to
upgrade, but are afraid of having too little space in the /usr
partition?

Frankly, having /usr/local on its own partition is exactly the kind of
default that would protect you from /usr/local/share/gtk-docs impinging
on your space in the /usr partition... Not sure if that problem
situation isn't entirely self-made and you are looking for solving the
problems of unsupported customization with even more unsupported
customization...



Re: My /usr cleaning campaign..

2023-08-13 Thread Daniele B.


Thomas Frohwein  wrote:

> I'm still not sure what problem you are trying to solve... You want to
> upgrade, but are afraid of having too little space in the /usr
> partition?
> 
> Frankly, having /usr/local on its own partition is exactly the kind of
> default that would protect you from /usr/local/share/gtk-docs
> impinging on your space in the /usr partition... Not sure if that
> problem situation isn't entirely self-made and you are looking for
> solving the problems of unsupported customization with even more
> unsupported customization...

I'm on a stick and I have my Xfce Mount Plugin that lets me check in an
easy way how much space is left on each mount point. Especially after
an upgrade I usually look ahead to find possible space problems 
looking to the next upgrade, with special care to /usr that is 
under pressure. I have not yet a real problem, I'm just
used to caring about this specific situation with attention.

Consider that I have gone ahead on a battery of sticks for a long time and this
also means that ten years ago, 64G or 128G were not as affordable as they
are today. And I'm not sure, given my conditions, what does it matter
having two mount points or one on /usr against my little storage
device, as my mount points are all with very, ad-hoc, limited GBs..

Actually you seem to point to my "unsupported customization", it's
okay although not fascinating..

Indeed, I point out problems to you in the hope to help and I also 
investigated things on marc.info. The doc and
gtk-doc take on my little storage by their html and .png files almost 
250-270M that I don't need and they are significant. As I'm not the only 
one keeping the OpenBSD adventure on sticks for a long time, and
having read some specific threads over the same concerns, I pray you to
continue to have in your heart with enough pragmatism both the installation and
upgrade process, also thinking of those of us who are still on small storage
devices. And specifically, what goes a little outside this "pragmatism"
(at my side) is to find easy detailed arguments on how to fix and
find installation-missed files when I see potential to improve
how installation is done. And I mean with proper balance: no
one probably wants to find out that OpenBSD failed to support software
or to arrange dependencies, but maybe I'm not in the need either to make
lonely eyes at garbage or forgotten files taking space.

Sorry for the blust..



Re: My /usr cleaning campaign..

2023-08-13 Thread Ingo Schwarze
Hi Daniele,

if you *really* want user customization as massive as what you
keep talking about, OpenBSD is likely the wrong system for you.
More than any other system, OpenBSD is optimized for sane defaults,
with the goal that users need to customize as little as possible.
Providing lots of configuration options for everything is not among
the project goals.  If you are looking for a system where user
configurability is among the central goals, you might want to look
at Gentoo Linux or a similar system.

If you *really* want to run on hardware so tiny that you worry about
100 MB of disk space below /usr/local/, again, OpenBSD is likely
the wrong system for you in 2023 (I did run an OpenBSD firewall on
24 MB of RAM and 200 MB of disk grand total in 2002, but this is no
longer 2002).  Sure, OpenBSD still comes with a smaller footprint
than many other general purpose systems - but if you want to go *that*
tiny, you might want to look at Alpine Linux, which is optimized for
extremely small hardware, or at similar systems.

Daniele B. wrote on Sun, Aug 13, 2023 at 09:13:54PM +0200:

> Indeed, I point you out prbs in the hope to help

Right now, you are certainly not helping anything.  Rather, you are
distracting developers.  What you are pointing out are not "problems"
but a pair of feet looking similar to swiss cheese after extensive
use of a shotgun, and you keep talking about plans to apply the
same treatment to your knees and your belly as well.

By now, it is abundantly clear you lack the basic skills you would
need to deviate from the default OpenBSD configuration even in simple
ways, let alone to identify problems in OpenBSD (which do exist).

Yours,
  Ingo

-- 
Ingo Schwarze 
http://www.openbsd.org/   
http://mandoc.bsd.lv/ 



Re: non-amd64 vps's in europe?

2023-08-13 Thread Aaron Mason
Oracle Cloud offers arm64 VPS. It does tend to be picky when it comes
to the credit card you use for signup, though - your details need to
be a near exact match.

On Sun, Aug 13, 2023 at 5:28 PM Peter J. Philipp  wrote:
>
> Hi,
>
> I'm asking for a friend in Spain.  He would like to know if there are any
> OpenBSD VPS providers in Europe that provide non-amd64 VPSs such as
> Hetzner's arm64 instance.
>
> He doesn't want to deal with Hetzner because of their tight control checks
> regarding ID cards and stuff.  Is there anything else out there that works
> with OpenBSD?  He does not want Amazon either.
>
> Best Regards,
> -peter
>
> --
> Over thirty years experience on Unix-like Operating Systems starting with QNX.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: non-amd64 vps's in europe?

2023-08-13 Thread Chris Narkiewicz
On Sun, Aug 13, 2023 at 09:17:58AM +0200, Peter J. Philipp wrote:
> He doesn't want to deal with hetzner because of their tight control checks
> regarding id cards and stuff.

Huh? They didn't check my national ID nor passport. Payment card was enough.

Is he using some dodgy payment method that triggered KYC alarm?

Given that a VPS can be used for criminal activity, I doubt he will
find anyone willing to provide the service without KYC.

Best regards,
Chris Narkiewicz



Re: Feedback on redesigned OpenBSD.org

2023-08-13 Thread Steve Litt
mich...@mlpdesign.com said on Fri, 11 Aug 2023 18:33:03 -0500

>Hi all
>
>Ok, here's is update2 to the design. Note: I still need to break this 
>down into individual patches for review but wanted to get feedback on 
>the aesthetics first.
>
>v1: https://www.openbsd.design/cvs/www/index.html
>
>v2: https://www.openbsd.design/cvs/www2/index.html
>
>What's Changed in v2:
>
>
>Based on feedback either directly or on the mailing list, I did the 
>following:
>
>*** Note: I have only focused on the Light Theme for this version ***
>
>- Removed puffy from footer

I see no need to remove Puffy. Besides being a symbol of OpenBSD, it
tells the reader the lower bound of the web page. I'd suggest you put
it back.

>
>- Removed all web fonts (just system defaults now)

This is excellent, because it lets all users instantly see it at the
size they picked for their browser defaults. So it serves both the
person with 20/10 vision and 20/60 corrected vision. And because a
fontface isn't named, it's guaranteed to be the Sans font the user is
accustomed to on their web browser.

>
>- Increased the line-height

In my opinion the line height in both versions is excellent. In my
opinion, the inter-paragraph vertical distance should be increased
slightly in V2.

>
>- Reverted most (but not all) colors back to either
>   browser defaults or what's on openbsd.org
>
>- Increased font-size (and specified it in 'em')

For normal text, why specify font size at all? I reserve font size only
for special things like headers or special s.

>
>- Removed the max-width of 840px (now full-width)

I think you should put back the max-width, but express it in em. I work
a lot with the LyX project mailing list, where we use LyX to create
documents that are both readable and aesthetic. A rule of thumb I
learned there is that each line should be roughly 70 characters long. I
find that when lines have too many characters, I lose my place while
going all the way back left and one down.

>
>- Removed/reverted the black OpenBSD logo back to what's on openbsd.org
>
>
>For what it's worth, here's my thoughts about the new design:
>
>
>Polish: My main concern is that it's not as polished as v1, and that 
>could
>determine future OpenBSD users.

I agree the new one isn't as polished, although I'm not sure this would
determine future OpenBSD users, as the candidate for OpenBSD is going
to be pretty geeky.

>
>Readability: Readability is significantly worse in v2 vs. v1

Agreed, but this can mostly be reverted by bringing back the maximum
line width. Your original font was crisper than my browser default, but
as I mentioned, better sacrifice a little beauty to make it universally
useful.

>
>- Line Length, by making the line length unlimited in width, it makes
>it extremely difficult to read body text. Reason being, your eye needs
>to track to the next line. The rule of thumb is, the longer the line
>length the bigger the line-height needs to be. When the line length can
>be unlimited, it's difficult to set an appropriate line-height
>which hurts
>readability.

I agree wholeheartedly. When encountering pages with too-long lines, I
have to skinny up my browser window to skinny up line length, and then
expand the browser again when looking at another tab. By the way, I
think that even in V1 your lines were too long.

The only time I recommend against maximum line length is on pages whose
content contains a lot of code. You can't wrap code the way you can
other things, so you need as much width as you can get.

Somebody could argue that you're wasting a lot of space on the sides of
your text. My answer would be "so what?" Mice have scroll wheels now,
and with shorter lines it's easier to keep your place when scrolling
than with ginormous lines.


>
>- Colors, the more colors that are present, the more distracting a 
>website
>will become. That's ok if it's a marketing website, but a site that's 
>primarily
>documentation - you want to reduce the color palette down to only 2 (3 
>max)
>colors. This is why technical manuals are mostly created in grayscale,

Please prefer #00 text on #ff background. Those of us with poor
visual acuity need all the help we can get. Yes, I know, I know, some
folks get headaches with pure black on pure white. You can't please all
the people all the time, but with #00 on #ff at least you know
your work is *readable* by the most people possible. And let me tell
you, *I* get headaches trying to read midgray on lighter gray.

>because color very much distracts the eyes and makes it more difficult 
>to
>read body text. I feel like the v2 color palette, which is people's ask to
>revert to the previous color palette, causes that. (And I still haven't
>reverted to all of the openbsd.org colors)

I could argue either side of the "multiple colors are more distracting
than helpful" topic.

By the way, in the V2 left side link list, topic headings "Ope

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread lain.
6. In that case, simply change "10.0.8.0/24" to "10.0.8.4/32".
For explanation's sake, ".0/24" means "everything connected to this
network", whereas ".4/32" means "only this specific machine", as do
".3/32", ".2/32", ".5/32", and so on.

7. If you've followed Vultr's post, you might consider changing the
/etc/hostname.wg0 file to just this one liner:
!/usr/local/bin/wg-quick up wg0

On 2023年08月13日 16:57, SOUBHEEK NATH wrote:
> Hello Lain,
> 
> I appreciate your feedback and the time you took to provide it.
> 
> 1. I set up OpenBSD 7.3 on a Raspberry Pi 4B with 4GB of RAM, which is
>running from a USB drive.
> 2. This is not a production environment, it is solely for educational
>purposes.
> 3. The router is currently using its default settings and three other
>devices are connected to it.
> 4. The wireless router is currently using its default settings to
>assign IP addresses to three other devices that are connected to it.
>You are correct, with this setup and pf rule, the wireguard VPN
>server is accessible from within the local area network. However, I
>believe that in the future, I can use the same setup and pf rule to
>remotely access the server's ports exclusively through the wireguard
>VPN from outside the network.
> 5. Your configuration is functioning correctly, allowing only devices
>within the wireguard network to access ports 22 and 80, while
>blocking access for others.
> 6. However, I cannot allow only one device with the IP address 10.0.8.4.
>All devices in the wireguard network are able to access ports 22 and
>80.
>I have attempted to use the following pf rule:
> 
>set skip on lo
> 
>block return# block stateless traffic
>pass# establish keep-state
> 
># By default, do not permit remote connections to X11
>block return in on ! lo0 proto tcp to port 6000:6010
> 
># Port build user does not need network
> 
>pass in quick on wg0 proto tcp from 10.0.8.4 to any port {22, 80}
>block in quick on egress proto tcp from any to any port {22, 80}
> 
>block return out log proto {tcp udp} user _pbuild
> 
>pass in on egress proto tcp from any to any port 22
> 
>pass out on egress inet from (wg0:network) nat-to (bwfm0:0)
> 
>Based on my understanding of the OpenBSD PF-Packet filtering document
>(https://www.openbsd.org/faq/pf/filter.html), the intention of this
>pf rule is to allow only the IP address 10.0.8.4 to access ports 22
>and 80. However, currently both machines with IP addresses 10.0.8.2
>and 10.0.8.3 are able to access ports 22 and 80.
> 
> 7. I have already falsified the private and public keys when submitting
>this question.
>I attempted to include 'Address = 10.0.8.1/32' in the wireguard
>[Interface] block earlier as you suggested, but encountered an error.
> 
>$ doas sh /etc/netstart wg0
>Line unrecognized: `Address=10.0.8.1/24'
>Configuration parsing error
> 
>I've gone through this link while setting up wireguard:
>https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
>Despite its absence, wireguard is functioning properly.
> 
> 8. I greatly appreciate your suggestion regarding the PreShareKey in
>wireguard configuration. It would be a valuable addition to my
>knowledge and will benefit me in the future.
> 
> Thanks again.
> --
> Soubheek Nath
> Fifth Estate
> Kolkata, India
> soubheekn...@gmail.com
> 
> On Sun, Aug 13, 2023 at 7:04 AM lain.  wrote:
> >
> > I failed to come up with reasons for using a preshared key, so I've let
> > ChatGPT generate reasons for me:
> >
> > Certainly! WireGuard's use of a preshared key (PSK) adds an additional 
> > layer of symmetric encryption to the standard asymmetric encryption. Here's 
> > a brief explanation of the advantage:
> >
> > 1. **Symmetric vs. Asymmetric Encryption**: WireGuard primarily uses 
> > asymmetric encryption, where each party has a pair of keys (public and 
> > private). Symmetric encryption, on the other hand, utilizes the same key 
> > for both encryption and decryption. By adding a PSK, WireGuard incorporates 
> > both types of encryption.
> >
> > 2. **Additional Security Layer**: The PSK is mixed into the encryption 
> > process along with the standard public and private keys. Even if an 
> > attacker could somehow compromise the asymmetric part (though practically 
> > very difficult), they would still need the PSK to decrypt the communication.
> >
> > 3. **Protection Against Quantum Attacks**: Though still theoretical at this 
> > point, quantum computers could eventually break the Diffie-Hellman key 
> > exchange used in many encryption protocols. By using a PSK, WireGuard adds 
> > protection against this potential future vulnerability.
> >
> > 4. **Simplicity**: WireGuard's design is intended to be simple and easy to 
> > implement. The use of a PSK aligns with this philosophy by providing a 
> > straightforward way to bolster secu
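As an added example (editor's own, not from the thread, from Vultr's guide or from OpenBSD itself): the quoted ruleset lets 10.0.8.2 and 10.0.8.3 through because pf is last-match-wins. The `pass in quick ... from 10.0.8.4` rule admits .4, but nothing on wg0 refuses the other peers, so for them the last matching rule is the catch-all `pass` near the top of the file. The fix is a `quick` deny on wg0 for ports 22 and 80 placed right after the peer-specific pass. The `Address=` line that failed in /etc/hostname.wg0 is wg-quick's INI syntax; hostname.if(5) takes ifconfig(8) arguments, and the in-kernel wg(4) needs neither wg-quick nor wireguard-tools. The script below stages both files. The tunnel network 10.0.8.0/24, port 51820, the bwfm0 uplink and every key string are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): stage a native
# hostname.wg0 for OpenBSD's in-kernel wg(4) plus a pf.conf that lets
# only the peer 10.0.8.4 reach ssh/http over the tunnel.  Assumptions:
# server tunnel address 10.0.8.1/24, wg port 51820, uplink bwfm0 (the
# egress group), peers 10.0.8.2-10.0.8.4.  Key strings are placeholders.
# DEST defaults to /etc; set DEST=/tmp/stage to review before installing.
set -eu

DEST="${DEST:-/etc}"

# hostname.if(5) syntax for wg(4): plain ifconfig(8) arguments, one per line.
write_hostname_wg0() {
	cat > "$1" <<'EOF'
# WireGuard server: in-kernel wg(4), configured by ifconfig(8) at boot
wgkey SERVER_PRIVATE_KEY_BASE64 wgport 51820
# one wgpeer line per client; wgpsk adds the optional preshared key
wgpeer PEER2_PUBLIC_KEY_BASE64 wgpsk PEER2_PSK_BASE64 wgaip 10.0.8.2/32
wgpeer PEER3_PUBLIC_KEY_BASE64 wgpsk PEER3_PSK_BASE64 wgaip 10.0.8.3/32
wgpeer PEER4_PUBLIC_KEY_BASE64 wgpsk PEER4_PSK_BASE64 wgaip 10.0.8.4/32
inet 10.0.8.1/24
up
EOF
	chmod 640 "$1"	# the file holds the private key
}

# pf.conf: pf is last-match-wins; a bare "pass" near the top therefore
# admits every wg peer unless a later rule (or a "quick" one) says no.
write_pf_conf() {
	cat > "$1" <<'EOF'
set skip on lo

block return			# block stateless traffic
pass				# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

# WireGuard handshake/data must reach the server from the Internet
pass in on egress proto udp to port 51820

# ssh/http over the tunnel: only 10.0.8.4, refused for every other peer.
# "quick" stops evaluation, so the catch-all "pass" above never applies.
pass in quick on wg0 proto tcp from 10.0.8.4 to port {22, 80}
block return in quick on wg0 proto tcp to port {22, 80}

# never expose ssh/http on the uplink itself (keep console access handy)
block return in quick on egress proto tcp to port {22, 80}

# let tunnel clients reach the Internet through the uplink
pass out on egress inet from (wg0:network) nat-to (bwfm0:0)
EOF
}

# Return 0 only if the staged ruleset carries the peer-specific pass and
# the matching deny for the rest of the tunnel.
check_pf_conf() {
	grep -qF 'pass in quick on wg0 proto tcp from 10.0.8.4 to port {22, 80}' "$1" &&
	grep -qF 'block return in quick on wg0 proto tcp to port {22, 80}' "$1"
}

if [ "${1:-}" = "install" ]; then
	write_hostname_wg0 "$DEST/hostname.wg0"
	write_pf_conf "$DEST/pf.conf"
	check_pf_conf "$DEST/pf.conf"
	# syntax-check on OpenBSD; then: sh /etc/netstart wg0 && pfctl -f /etc/pf.conf
	if command -v pfctl >/dev/null 2>&1; then
		pfctl -nf "$DEST/pf.conf"
	fi
fi
```

Run it as `DEST=/tmp/stage sh stage.sh install` to inspect the two files, then copy them into /etc, `sh /etc/netstart wg0` and `pfctl -f /etc/pf.conf`. Do that from the console or with a second session open: once the egress block is loaded, ssh is reachable only through the tunnel. The explicit UDP pass for the tunnel port is redundant with the catch-all pass but documents the one service the uplink is meant to expose.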

re-create certs server/laptop both OpenBSD 7.3

2023-08-13 Thread latincom
Hello

i am testing IKEv2; and because i felt really confused trying to configure
them, i deleted all certs; and i can not find how to re-create them, on FAQ
and misc!

May somebody help please?

Thank you.



Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread lain.
On 2023年08月13日 12:17, Stuart Henderson wrote:
> >https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
> 
> what a mess of things from the base OS and unneeded third-party tools.
> 
List of tools:
wireguard-tools (required), nano (vim would have been enough), and the
rest is everything OpenBSD ships with.
Oh the horror, that's far too much, the sky is falling!

> > On Sun, Aug 13, 2023 at 7:04 AM lain.  wrote:
> >>
> >> I failed to come up with reasons for using a preshared key, so I've let
> >> ChatGPT generate reasons for me:
> 
> oh $deitt please do not.
> 
What matters is not who or what answered, what matters is the answer,
and the answer it provided is good, but I guess autists gonna autist.


Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-13 Thread Lucas
latin...@vcn.bc.ca wrote:
> Hello
> 
> i am testing IKEv2; and because i felt really confuse trying to configure
> them; i delete all certs; and i can not find how to re-create them, on FAQ
> and misc!
> 
> May somebody help please?
> 
> Thank you.

It's in /etc/rc, function make_keys at line 135:

# Generate keys for isakmpd, iked and sshd if they don't exist yet.
make_keys() {
	# ...
	local _iked_key=/etc/iked/private/local.key
	local _iked_pub=/etc/iked/local.pub

	# ...

	if [[ ! -f $_iked_key ]]; then
		echo -n "openssl: generating iked ECDSA keys... "
		if openssl ecparam -genkey -name prime256v1 -out $_iked_key >/dev/null 2>&1 &&
		    chmod 600 $_iked_key &&
		    openssl ec -out $_iked_pub -in $_iked_key \
			-pubout >/dev/null 2>&1; then
			echo done.
		else
			echo failed.
		fi
	fi

	# ...
}

-Lucas
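Note that make_keys only regenerates the local key pair, and only at boot when local.key is missing; it does not produce IKEv2 certificates. Those come from ikectl(8) (`ikectl ca vpn create`, `ikectl ca vpn install`, then `ikectl ca vpn certificate host.example.com create` and `... install`, with `... export` for the client bundle). As an added example (editor's own, not from the thread or from /etc/rc), the script below does by hand what rc does, checks that local.pub really belongs to local.key, and installs a peer's public key for iked's certificate-free pubkey authentication. IKED_DIR is an assumption that defaults to /etc/iked; the peer ids used in the usage are made up.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from /etc/rc): redo by
# hand what rc's make_keys does at boot, check the result, and install a
# peer's public key for iked's pubkey authentication.  IKED_DIR is
# /etc/iked on a live system; point it at a scratch directory to rehearse.
set -eu

IKED_DIR="${IKED_DIR:-/etc/iked}"

# Generate a fresh P-256 key pair, refusing to clobber an existing key
# (rc skips generation when local.key exists, for the same reason).
make_iked_keys() {
	key="$IKED_DIR/private/local.key"
	pub="$IKED_DIR/local.pub"
	if [ -f "$key" ]; then
		echo "refusing to overwrite $key; remove it first" >&2
		return 1
	fi
	mkdir -p "$IKED_DIR/private"
	( umask 077 && openssl ecparam -genkey -name prime256v1 -out "$key" )
	chmod 600 "$key"
	openssl ec -in "$key" -pubout -out "$pub" 2>/dev/null
}

# local.pub must be derived from local.key; a stale local.pub left behind
# when only the private key was deleted would make every peer reject us.
verify_iked_keys() {
	derived=$(openssl ec -in "$IKED_DIR/private/local.key" -pubout 2>/dev/null)
	[ "$derived" = "$(cat "$IKED_DIR/local.pub")" ]
}

# Without certificates iked(8) authenticates peers by public key stored
# under pubkeys/<idtype>/<id>.  Assumption: the id is a dotted IPv4
# address or an FQDN; ipv6 and ufqdn ids are not handled here.
install_peer_pubkey() {
	pubfile=$1
	peerid=$2
	case $peerid in
	*[!0-9.]*)	kind=fqdn ;;
	*)		kind=ipv4 ;;
	esac
	mkdir -p "$IKED_DIR/pubkeys/$kind"
	cp "$pubfile" "$IKED_DIR/pubkeys/$kind/$peerid"
	chmod 644 "$IKED_DIR/pubkeys/$kind/$peerid"
	echo "$IKED_DIR/pubkeys/$kind/$peerid"
}

if [ "${1:-}" = "run" ]; then
	make_iked_keys
	verify_iked_keys && echo "iked key pair regenerated in $IKED_DIR"
fi
```

`sh regen.sh run` on the server regenerates the pair without a reboot (remove the old local.key first; the script will not overwrite one). Copy the resulting /etc/iked/local.pub to the other side and install it with `install_peer_pubkey local.pub <that host's IKE id>`, then use `ikev2 ... pubkey` in iked.conf(5) on both ends. What the original poster saw after rebooting was make_keys doing the first half of this.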



Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-13 Thread latincom
> latin...@vcn.bc.ca wrote:
>> Hello
>>
>> i am testing IKEv2; and because i felt really confuse trying to
>> configure
>> them; i delete all certs; and i can not find how to re-create them, on
>> FAQ
>> and misc!
>>
>> May somebody help please?
>>
>> Thank you.
>
> It's in /etc/rc , function make_keys at line 135:
>
> # Generate keys for isakmpd, iked and sshd if they don't exist yet.
> make_keys() {
>   # ...
>   local _iked_key=/etc/iked/private/local.key
>   local _iked_pub=/etc/iked/local.pub
>
>   # ...
>
>   if [[ ! -f $_iked_key ]]; then
>   echo -n "openssl: generating iked ECDSA keys... "
>   if openssl ecparam -genkey -name prime256v1 -out $_iked_key 
> >/dev/null
> 2>&1 &&
>   chmod 600 $_iked_key &&
>   openssl ec -out $_iked_pub -in $_iked_key \
>   -pubout >/dev/null 2>&1; then
>   echo done.
>   else
>   echo failed.
>   fi
>   fi
>
>   # ...
> }
>
> -Lucas
>

Hey Lucas thank you very much man!

Something magic happened after reboot! IKEv2 is working, BTW at the
client i can not use Web Browser?, the ssh connection did not stop
working.

Really thanks man.