pf route-to

2024-08-12 Thread 04-psyche . totter
Hi all,

I am failing at basic routing.

I have included this rule in my pf.conf:

pass out quick proto udp from any to any port 51820 route-to 192.168.1.254

I thought this would force egress traffic with destination port 51820 to use 
192.168.1.254 as a gateway, instead of the default gateway specified in `route 
show`.

Is this incorrect?

It seems not to work, as this scenario fails:

SCENARIO FAIL
---

#pf.conf
pass out quick proto udp from any to any port 51820 route-to 192.168.1.254

# routing
route change default 10.0.0.1 # point all traffic to vpn gateway



whereas this works (everything is the same, but I manually add a route to the 
public ip of the vpn)

SCENARIO WORKS
---
#pf.conf
pass out quick proto udp from any to any port 51820 route-to 192.168.1.254

# routing
route change default 10.0.0.1 # point all traffic to vpn gateway

# routing
route add 135.32.101.17 192.168.1.254 # point vpn_public_ip to local gateway



So it seems my understanding of this pf rule is incorrect.

Can anyone help me use pf to override the default gateway?

Thanks!




Re: wireguard routing

2024-08-11 Thread 04-psyche . totter
Hi David,

thanks for your help.

Currently, serverB has only 1 wireguard interface, which contains both peers 
(serverA and serverC). It is no issue to create a second wireguard interface 
though.

In the configuration you propose (I think there is a typo and the third config 
is for serverC), I don't think the internet packets from serverA will be routed 
to serverC.

As in, if on server A I ping the wikipedia.org address, it will go through 
serverB's local gateway and not serverC.

My understanding is that if I don't change the default gateway on serverB, then 
it will always use its local gateway, instead of the desired outcome of sending 
to serverC, and going via serverC's local gateway.

Am I missing something?

Thanks!


Re: wireguard routing

2024-08-10 Thread 04-psyche . totter
Hi Crystal,

Yes, both server A and C can access serverB, which has a fixed, public IP.

Thanks for the advice. I can make it work for only ssh’ing into either machine, 
but not for using all internet via serverC’s connection, from serverA.

I believe the wireguard configuration will use allowedIPs to route wireguard 
IPs, but the wireguard config will not route external IPs. I thought I needed 
openBSD’s route for that.

Are you able to make it work for that scenario?

Thanks!
Jake


> On 10 Aug 2024, at 11:11, Crystal Kolipe wrote:
> 
> On Sat, Aug 10, 2024 at 09:18:48AM +0100, 04-psyche.tot...@icloud.com wrote:
> Hi all,
> 
> I am working on a wireguard network.
> 
> I have a setup like this:
> 
> serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)
> 
> - serverA connects to serverB with AllowedIPs = 0.0.0.0/0
> - serverB connects to serverC with AllowedIPs = 0.0.0.0/0
> 
> I cannot access serverC directly from serverA (it does not have a public
> facing IP), so I go via serverB.
> 
> Can serverA and serverC both make inbound connections to serverB?
> 
> If so, then just:
> 
> * set up a dedicated subnet for each of serverA and serverC
> * include both in the configuration of wgaip on each server
> * use a short wgpka setting on serverA and serverC to ensure that the link
>  stays up.
> 
> No need for manual routing changes, routing domains, cron jobs or other
> kludges.
> 
> It just works.
> 
> I'm ssh'ed in to a machine right now that is at the other end of such a tunnel
> on a dynamic IP, and it's been up for seven days.



wireguard routing

2024-08-10 Thread 04-psyche . totter
Hi all,

I am working on a wireguard network.

I have a setup like this:

serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)

- serverA connects to serverB with AllowedIPs = 0.0.0.0/0
- serverB connects to serverC with AllowedIPs = 0.0.0.0/0

I cannot access serverC directly from serverA (it does not have a public facing 
IP), so I go via serverB.

I therefore need to set up routing on serverB.

If I set my default gateway to serverC:
`route change default 10.0.0.2` 

Then I cannot connect from serverA, because packets from serverA are never 
returned to serverA.

So I need to also add a route like this:

`route add serverA_public_ip serverB_local_gateway`

However, this is problematic with IP roaming (in other words, I don't have a 
good solution to dynamically know serverA's endpoint).

A solution would be to run a crontab every few minutes, parse the output of
`wg show wg0 endpoints` and programmatically add the route for the current 
endpoint.

This solution feels atrocious though.

The wireguard website proposes a solution with fwmark:
https://www.wireguard.com/netns/#improved-rule-based-routing

However, this is linux based, and I am not sure this is the optimal solution 
for an openBSD system.

So I have a few questions:

- I am currently using /etc/hostname.wg0 and routing table. Should I use 
wg0-quick instead? Does wg0-quick take care automatically of routing in the 
case of IP roaming?
- Is the fwmark solution a good solution for openBSD as well? If yes, how can I 
implement it? Should I use routing domains?


Thanks!
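An added shell example, not from the thread, of the cron-style approach described above: it parses `wg show wg0 endpoints` output and emits one host route per known peer endpoint via the local gateway, so the peers' public IPs keep bypassing the tunnel after the default route is moved. The gateway address, the peer keys and the endpoint lines are constructed sample data, and the assumed output format is `<peer public key><TAB><endpoint>` with `(none)` for peers that have not connected yet.

```shell
#!/bin/sh
# Added example (not the original poster's script): turn the current
# WireGuard peer endpoints into host routes through the local gateway.
# Assumed wg(8) output format, one peer per line:
#   <peer public key><TAB><ip>:<port>      or   <peer public key><TAB>(none)
# IPv6 endpoints appear as [addr]:port and would need an IPv6 gateway,
# so they are skipped here.

tab=$(printf '\t')

# wg_endpoint_routes GATEWAY ENDPOINT_OUTPUT
# Prints "route add -host <ip> <gateway>" for every IPv4 endpoint.
# Commands are printed rather than executed so the caller can review
# them or pipe them into sh (e.g. from a cron job).
wg_endpoint_routes() {
    gw=$1
    printf '%s\n' "$2" | while IFS=$tab read -r peer ep; do
        [ -z "$ep" ] && continue            # blank or malformed line
        case $ep in
            '(none)') continue ;;           # peer has no endpoint yet
            \[*) continue ;;                # IPv6 endpoint: not handled
            *:*) ip=${ep%:*} ;;             # strip ":port"
            *) continue ;;                  # no port: not an endpoint
        esac
        printf 'route add -host %s %s\n' "$ip" "$gw"
    done
}

# Constructed sample of what `wg show wg0 endpoints` might print.
SAMPLE_ENDPOINTS=$(printf '%s\n' \
    "peerA_pubkey=${tab}203.0.113.7:51820" \
    "peerB_pubkey=${tab}(none)" \
    "peerC_pubkey=${tab}[2001:db8::1]:51820" \
    "peerD_pubkey=${tab}198.51.100.9:51820")

# Assumed local gateway, as in the poster's pf.conf example.
wg_endpoint_routes 192.168.1.254 "$SAMPLE_ENDPOINTS"
```

On a live system the sample would be replaced by `$(wg show wg0 endpoints)` and the output piped into `sh`; `route add` fails on an already-present entry, so a repeated run would need to delete or skip existing host routes first.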







Re: avoid single-user mode boot

2024-07-26 Thread 04-psyche . totter
Thanks Matthew, that's helpful. I will look into that.



Re: avoid single-user mode boot

2024-07-24 Thread 04-psyche . totter
Thanks Stuart for all these thoughts. That's a lot of great ideas.

Let me try to clarify a few things:

- change `do_fsck` to `do_fsck -y`
---
  I assume you mean Line 410. That seems like a great idea.
  Do I understand correctly that the normal behaviour for this `do_fsck` is to 
run the check, and mark filesystems dirty, and then enter single-user mode?
  Whereas if I replace it with `do_fsck -y `, the filesystems will not be 
marked dirty, and it will not enter single user mode?


- starting network and sshd in single user mode

In /etc/profile, I guess I can add something like:

   if [ IS_SINGLE_USER_MODE ]; then   # placeholder for the single-user check
       sh /etc/netstart
       rcctl start sshd
   fi

does that seem reasonable?

(I have to figure out how to check if I am in user mode)


- noatime, memory buffers, mfs
---
All great ideas, I will implement that.


@crystal, thank you, unfortunately, even an SBC on the router is not a viable 
option for this specific use case.


Re: avoid single-user mode boot

2024-07-24 Thread 04-psyche . totter
Thanks Crystal, unfortunately for this specific case, adding another machine to 
the same network is not an option.

> On 24 Jul 2024, at 11:11, Crystal Kolipe wrote:
> 
> On Wed, Jul 24, 2024 at 09:04:17AM +0100, 04-psyche.tot...@icloud.com wrote:
>> Alternatively, is there a way to have ssh access in single user mode?
> 
> The normal way to handle this and other boot-related problems is with a serial
> connection from another machine that is still accessible via the network.
> 
> Depending on your budget, what this system is being used for, and the
> connectivity that is available at the remote location, there are various ways
> of making that happen.



avoid single-user mode boot

2024-07-24 Thread 04-psyche . totter
Hi all,

I have a machine that will be placed in a remote location, and have no physical 
access to. The connection will be made through ssh only.

I'd like to make it as resilient to failure as possible.

A big concern to me is for a disk failure to happen (say a power outage), and 
the machine to be rebooted in single user mode. At that point, the machine has 
no network access, and so I lose contact to it.

Is there any way to disable going to single user mode when fsck is not happy?

Is it reasonable to change the /etc/fstab to modify the fsck flag from 1 and 2 
to 0, to bypass the fsck checks ?

Alternatively, is there a way to have ssh access in single user mode?

Thanks!
Jake


Re: Dual boot with 2 openbsd

2024-07-17 Thread 04-psyche . totter
Thanks a lot to you 3 for your thoughts.

RAID1 on the overlapping capacity: I don't like that idea much because RAID1 
has an extra cost where any modification on disk1 will be performed on disk2. I 
want to reap the benefits of having disk1 for the OS and disk2 for data. That 
makes the overall system much faster, because each drive is dedicated to 1 task, 
and each task is independent.

@Crystal, thanks a lot for all the details.

I am not planning to share the home drive, because indeed I feared the extra 
complications. the extra partition m is beyond the OS partitions.

Your point regarding no guarantee for the system to boot to disk 2 is well 
taken. It makes me question if it's worth doing at all. Do you have a sense if 
there is a large enough probability of disk1 failing catastrophically enough 
for the UEFI to directly boot to disk2, rather than being in a bad state on 
disk1?

Thanks!


Re: Dual boot with 2 openbsd

2024-07-16 Thread 04-psyche . totter
I don't use RAID1 because the disks have vastly different capacity (one is 4 
times the size of the other).

> On 17 Jul 2024, at 00:34, Benjamin Stürz wrote:
> 
> On 7/16/24 10:57 PM, 04-psyche.tot...@icloud.com wrote:
>> Hi all!
>> I want to set up a dual boot system, with 2 OpenBSD systems, and I wanted to 
>> run it past you guys, to see if the idea makes sense (and make sure I 
>> implement it correctly).
>> It is for a system that I will not be able to access physically easily.
>> So I bought 2 drives.
>> My idea is:
>> - Install OpenBSD on the 2 drives
>> + drive1 : partition a to k for the OS
>> + drive 2: partition a to k for the OS and partition m for data
>> - In UEFI, set up boot priority drive1, then drive2
>> - In the OS of drive1, mount only partition m of drive2
>> - As long as drive1 does not fail, I enjoy the OS on drive1 and I still make 
>> use of drive2
>> - If drive1 fails, the UEFI will automatically boot on drive2, and I can 
>> still enjoy the usage of the system, without having needed to access it 
>> physically.
>> Does this idea make sense?
>> If yes, any tip on how to do it? In particular, when I install OpenBSD on 
>> drive2, is it better to run the openBSD installer by having booted on 
>> drive2, or can I just run it from OpenBSD_drive1 and select drive 2 as 
>> destination for the new OS?
>> Thanks!
>> Jake
> 
> Why don't you just use RAID 1?



Dual boot with 2 openbsd

2024-07-16 Thread 04-psyche . totter
Hi all!

I want to set up a dual boot system, with 2 OpenBSD systems, and I wanted to run 
it past you guys, to see if the idea makes sense (and make sure I implement it 
correctly).

It is for a system that I will not be able to access physically easily.

So I bought 2 drives.

My idea is:

- Install OpenBSD on the 2 drives
+ drive1 : partition a to k for the OS
+ drive 2: partition a to k for the OS and partition m for data
- In UEFI, set up boot priority drive1, then drive2
- In the OS of drive1, mount only partition m of drive2

- As long as drive1 does not fail, I enjoy the OS on drive1 and I still make 
use of drive2
- If drive1 fails, the UEFI will automatically boot on drive2, and I can still 
enjoy the usage of the system, without having needed to access it physically.


Does this idea make sense?
If yes, any tip on how to do it? In particular, when I install OpenBSD on 
drive2, is it better to run the openBSD installer by having booted on drive2, 
or can I just run it from OpenBSD_drive1 and select drive 2 as destination for 
the new OS?

Thanks!
Jake


fsck similar to boot

2024-07-02 Thread 04-psyche . totter
Hi all,

I have removed my second drive away from /etc/fstab and I am now manually 
mounting it as needed.

I believe this means there is no automatic fsck check run, and that feels like 
a bad thing.

I was thinking I should run the same fsck check when I manually mount my drive.

How can I manually run a fast fsck check, equal to what is performed at boot 
time?

I tried fsck -n and fsck -p but both of these are way too long, whereas the 
boot check is fast.

Thanks!


Re: Debian 12 Under VMM

2024-06-17 Thread 04-psyche . totter
Great to hear!

The combined power of OpenBSD and Debian is now yours, use it wisely ;)



> On 17 Jun 2024, at 18:56, Manuel Giraud wrote:
> 
> 
>> Hi Manuel,
>> 
>> this was tricky. First I had to clear out the screen with CTRL+L.
>> 
>> Then I had to use the arrows up and down, and this makes a menu appear.
>> Then you choose Help, and you enter the boot commands.
> 
> Thanks, it works as expected.  FTR, here is what I have done:
> 
> - Select the "Help" menu entry, you get the following prompt:
> 
> Press F2 through F10 for details, or ENTER to boot:
> 
> - Type "install gfxpayload=text console=ttyS0,115200" and enter
> - Press space, proceed with installation
> -- 
> Manuel Giraud



Re: Debian 12 Under VMM

2024-06-14 Thread 04-psyche . totter
Hi Manuel,

this was tricky. First I had to clear out the screen with CTRL+L.

Then I had to use the arrows up and down, and this makes a menu appear.
Then you choose Help, and you enter the boot commands.

I had to go through a few trials and errors. Patience is key ;)

Good luck

> On 14 Jun 2024, at 15:14, Manuel Giraud wrote:
> 
> 
>> Thank you Dave and Bruce.
>> 
>> This worked for me:
>> 
>> boost install gfxpayload=text console=ttyS0,115200n8
>> 
>> The critical part was that I had to type it and not copy paste it.
> 
> Hi,
> 
> Could you explain how you entered those instructions?  I'm trying
> the same vm.conf as you but when I start with "vmctl start -c 1", I'm
> presented with a textual menu and I don't know what to do with it.
> 
> Best regards,
> -- 
> Manuel Giraud



Re: Debian 12 Under VMM

2024-06-04 Thread 04-psyche . totter
Thank you Dave and Bruce.

This worked for me:

boost install gfxpayload=text console=ttyS0,115200n8

The critical part was that I had to type it and not copy paste it.

For some reason, I have problems on the terminal of the VM. I can't copy paste 
it correctly, nor use the arrows without glitches.

Also as an FYI for anyone else trying. I have to kill the VM at the end of the 
install, and not let the installation process reboot the machine. Otherwise it 
hangs indefinitely.

Thanks!
Jake




Dave Voutila writes:
> 
>> Hi all,
>> 
>> I am trying to run Debian 12 under VMM.
>> 
>> I can see on the email from 2024-04-02 that Bruce managed to make it work, 
>> but I don't know how.
>> 
>> The crux of the issue is that the Debian ISO installer does not seem to work 
>> under serial console.
> 
> You need to modify the kernel boot args to disable video and rely on
> serial console. I can't recall whatever the graphics arg is to the linux
> kernel, but you typically want something like vga=off and then set the
> console arg. I recommend setting both that and io_delay:
> 
> console=ttyS0,115200 io_delay=none
> 
> io_delay will make the kernel skip doing some pointless artificial
> delays that don't matter with vmd.
> 
>> 
>> Here's what I did:
>> 
>> /etc/vm.conf
>> 
>> vm "vm1" {
>>     memory 1G
>>     disable
>>     cdrom "/isos/debian-12.5.0-amd64-netinst.iso"
>>     disk "/disks/disk_vm1.qcow2" format qcow2
>>     local interface
>> }
>> 
>> When I then start the vm, I am greeted with the message:
>> 
>> "Press a key, otherwise speech synthesis will be started in 27 seconds..."
>> 
>> 
>> and then after keypress
>> 
>> "
>> Undefined video mode number: 314
>> Press  to see video modes available,  to continue, or wait 30 
>> sec
>> "
>> 
>> and it then crashes.
>> 
>> Can anyone (maybe Bruce) point me in the right direction?
>> 
>> Thanks!
>> Jake

Try "gfxpayload=text console=ttyS0,115200" (without the quotes)

I think there's a question about scanning for a graphics card after
setting the boot parameters. Skip it if you can. The timeout was really
long, maybe indefinite. I think I gave up and tried again.

Using arrows in VMM

2024-06-04 Thread 04-psyche . totter
Greetings,

I am running Debian 12 under VMM, on OpenBSD 7.5.

Whenever I am using the arrows (to retrieve previous history or simply to move 
left or right), there is a long random sleep, of 5 to 10 seconds. Sometimes 
more.

Does anybody know what could be the issue?

Inside the VM, the term is vt200.

The host has xterm-256color as term.

I ssh into the host.

Thanks,
Jake


Re: Debian 12 Under VMM

2024-06-03 Thread 04-psyche . totter
Hi all,

I am trying to run Debian 12 under VMM.

I can see on the email from 2024-04-02 that Bruce managed to make it work, but 
I don't know how.

The crux of the issue is that the Debian ISO installer does not seem to work 
under serial console.

Here's what I did:

/etc/vm.conf

vm "vm1" {
    memory 1G
    disable
    cdrom "/isos/debian-12.5.0-amd64-netinst.iso"
    disk "/disks/disk_vm1.qcow2" format qcow2
    local interface
}

When I then start the vm, I am greeted with the message:

"Press a key, otherwise speech synthesis will be started in 27 seconds..."


and then after keypress

"
Undefined video mode number: 314
Press  to see video modes available,  to continue, or wait 30 sec
"

and it then crashes.

Can anyone (maybe Bruce) point me in the right direction?

Thanks!
Jake


Using nopass on a single user machine

2024-06-03 Thread 04-psyche . totter
Hi all,

Is there any downside in using the nopass option of doas, for a single user 
machine?

It's a machine that I access to only via ssh, with an identity file.

In what way would it increase the attack surface to do so?

Thanks,
Jake


vim editor with TERM

2024-05-31 Thread 04-psyche . totter
Hi all,

I use the following terminal:

echo $TERM
xterm-256color

when in my ~/.profile I do:

export EDITOR=nano

everything works well.

However, if I do 

export EDITOR=vim

then when I ssh into the machine, up and down arrow in the terminal do not work 
anymore (it does not give me access to previous commands entered).

I have installed the following vim:

$ pkg_info | grep vim 
vim-9.1.139-no_x11  vi clone, many additional features


Does anyone have a clue as to what could cause this issue?

Thanks,
Jake


Re: umount raid volume before shutdown?

2024-05-30 Thread 04-psyche . totter
From my reading of /etc/rc, it seems that at shutdown or reboot, the OS will 
automatically unmount everything.

So that will unmount my encrypted partition.

However, it does not run bioctl -d sd* for the pseudo-device.

So I guess the question becomes, is it a problem to exit the system without 
detaching the softraid volume via bioctl?

Thanks!

> 
> Hi all,
> 
> on my main hard drive, I have a partition `p` that I have encrypted in the 
> following way:
> 
> $bioctl -c C -l sd0p softraid0
> 
> -> This created the sd1 pseudo-device, on which I ran the following:
> 
> $fdisk -g sd1
> 
> $disklabel -E sd1 # created partition i, to take all the space. This is the 
> unique partition on this
> 
> $newfs sd1a
> 
> I then mount this via:
> 
> $mount /dev/sd1i /decrypt
> 
> 
> I have two questions:
> 
> - I don't want to have to unmount /decrypt before I shutdown or restart the 
> computer. Does OpenBSD unmount cleanly encrypted volumes when shutting down?
> 
> - what should I do with the encrypted sd0p ? Should I remove it from my 
> /etc/fstab and not even mount it? Or is it fine to keep it mounted?
> 
> Thanks!
> 
> Jake



Call sysctl before sysctl.conf

2024-05-30 Thread 04-psyche . totter
Hi all,

When openBSD runs my processor at 100%, it makes a noise. Interestingly, when 
in bios, this noise does not appear.

To get rid of the noise I call sysctl with this:

sysctl hw.perfpolicy=manual
sysctl hw.setperf=99

The problem is, at the beginning of boot, openBSD runs the processor with 
hw.setperf=100, so the noise is present.

Using a /etc/sysctl.conf with:

hw.perfpolicy=manual
hw.setperf=99

does not help, as this happen too late.

I also tried to use a /etc/rc.securelevel with:
sysctl hw.perfpolicy=manual
sysctl hw.setperf=99

but it also happens too late, and the noise is present (if brief).

Is there a way to make hw.setperf=99 really permanent, or happen even earlier 
during boot?

Thanks!
Jake




Re: How to set number of blocks in fdisk GPT

2024-05-30 Thread 04-psyche . totter
Thanks Kirill.

Yes, I saw that, but in my case, FAT32 is not the file format that I am
using to encrypt the partition. The partition is on an SSD with 4.2BSD
filesystem.

On Thu, 30 May 2024 10:06:11 +0100,
> >
> > How can I choose the blocks parameter in the command:
> >
> > fdisk -gy -b blocks disk
> >
> > The man page does not indicate how to make an informed choice. I
> couldn’t find relevant help on the internet.
> >
>
> As suggested at https://www.openbsd.org/faq/faq14.html you may use 532480.
>
> Which is the minimum size of such a partition due to a limitation of FAT32.
>
> Some details can be found here:
>
> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions
>
> --
> wbr, Kirill
>


umount raid volume before shutdown?

2024-05-30 Thread 04-psyche . totter
Hi all,

on my main hard drive, I have a partition `p` that I have encrypted in the 
following way:

$bioctl -c C -l sd0p softraid0

-> This created the sd1 pseudo-device, on which I ran the following:

$fdisk -g sd1

$disklabel -E sd1 # created partition i, to take all the space. This is the 
unique partition on this

$newfs sd1a

I then mount this via:

$mount /dev/sd1i /decrypt


I have two questions:

- I don't want to have to unmount /decrypt before I shutdown or restart the 
computer. Does OpenBSD unmount cleanly encrypted volumes when shutting down?

- what should I do with the encrypted sd0p ? Should I remove it from my 
/etc/fstab and not even mount it? Or is it fine to keep it mounted?

Thanks!

Jake


How to set number of blocks in fdisk GPT

2024-05-30 Thread 04-psyche . totter
Hi all,

How can I choose the blocks parameter in the command:

fdisk -gy -b blocks disk

The man page does not indicate how to make an informed choice. I couldn’t find 
relevant help on the internet.

Thanks!



Re: disk encryption for remote server

2024-05-27 Thread 04-psyche . totter
Thanks all for your thoughts.

Regarding the remote serial console access, unfortunately, it is not
possible in my case.
I do not have IPMI or something similar :(

On Mon, 27 May 2024 at 08:17, Manuel Giraud wrote:

> Stefan Kreutz  writes:
>
> > Can you access the machine's serial console, maybe redirected over IP?
>
> I concur that a remote serial console access (maybe via a web interface
> serviced by your provider) is your best option here.
>
> I used to do (almost) FDE without console access but here is list of
> drawbacks/requirements:
>
> - It is not really FDE because / was not encrypted
>
> - It required patching /etc/rc with the patch at the end of this
>   message
>
> - The "/root/sshd" from this patch is a self-contained sshd
>   without the need of any external library.  It is *not* a copy
>   of /usr/sbin/sshd and you have to compile it yourself (and I
>   don't remember how)
>
>
> Best regards,
> --
> Manuel Giraud
>


disk encryption for remote server

2024-05-26 Thread 04-psyche . totter
Hi everyone,

Is there any way to use disk encryption without having physical access to the 
device?

A few potential ideas:
- is there a way to enter the encryption passphrase via ssh?
- is there a way to create a non encrypted partition on the same hard drive, 
where the keydisk would be stored, and automatically used? (For various 
reasons, an external usb key is not feasible). And yes, I realize this would 
weaken the security significantly, but I'd still like to know if it's feasible?

My guess is that it's not possible, but I wanted to ask to make sure.

Cheers,
Jake