Blog

another component of OpenBSD is relayd. it’s an integrated Loadbalancer & Proxy Service, like F5, Nginx and Others. But just like other BSD Services, straight, simple and easy to use … wanna see … ?

Setup 4 VM’s, one Loadbalancer and 3 Webserver. The Webserver should server the same content, while the Loadbalancer checks if a Webserver is running and redirects traffic to the host or not.

the configuration on the loadbalancer is simple like that:

did you always wanted to have a fullbgp table at home once ? Over your DSL / CM / LTE or whatever connection ? here a little howto :)

Setup VM

Install a VM with OpenBSD. Add 1 CPU, 1 GB RAM, 20 GB Disk, nothing special

Check our Upstream Provider

Check the Page from Lukasz and spend him a Beer if you ever meet him. He also mentioned my Post in his Slides (Thanks Lukas)

Clear History

have you ever checked in some binarys, confidential stuff or something else by mistake ? Git will keep all your history, that’s their design and purpose.

how ever, if you need to cleanup once, here is a short tutorial.

Kill Git Config

cd myrepo
cat .git/config -> note down the url
url=$(git config --get remote.origin.url)
rm -rf .git

Create New Repo

git init
git add .
git commit -m "Removed history, ..."

Push Remote

git remote add origin git@host/yourrepo  <- URL you noted down above
git remote add origin $url
git push -u --force origin master

All in One

_url=$(git remote -v |awk '/fetch/ { print $2 }')
rm -rf .git
git init
git add .
git commit -m "Removed history ..."
git remote add origin ${_url}
git push -u --force origin main
unset _url

and you’re done :)

assuming you have a apu2|apu3|apu4 from pcengines or a virtual machine running on KVM/Qemu. And you don’t have vga/dvi/hdmi whatever kind of video output. of course, you can install and run OpenBSD (or Linux) on this boxes.

Prepare USB Stick

write openbsdxx.img to an USB Stick. On MacOS, you can use Balena Etcher for example.

boot.conf

if you wanna install from an USB Stick, set the correct Port and Speed before booting.

stumpled upon a bug in openssh … did a small config change in sshd_config, deployed it with ansible … and lost connectifity to all these boxes immediately … and of course, i did a config check before reloading the sshd daemon, and the config check was fine.

i can’t belife that nobody else found this before, as it’s really simple to reproduce. and it’s working with openbsd, debian, centos and mostly on all system which have opensshd implemented (and that’s a lot of …)

https://serverfault.com/questions/142344/how-to-test-dns-glue-record

Check GlueRecords

host:~ $ dig +short ch. NS
c.nic.ch.
a.nic.ch.
h.nic.ch.
f.nic.ch.
g.nic.ch.
b.nic.ch.
e.nic.ch.

host:~ $ dig +norec @a.nic.ch. noflow.ch. NS

; <<>> DiG 9.10.6 <<>> +norec @a.nic.ch. noflow.ch. NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29211
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;noflow.ch. IN  NS

;; AUTHORITY SECTION:
noflow.ch.  3600  IN  NS  ns3.noflow.ch.
noflow.ch.  3600  IN  NS  ns2.noflow.ch.
noflow.ch.  3600  IN  NS  ns1.noflow.ch.

;; ADDITIONAL SECTION:
ns3.noflow.ch.  3600  IN  A 45.32.159.233
ns2.noflow.ch.  3600  IN  A 193.36.36.130
ns1.noflow.ch.  3600  IN  A 45.15.80.202

;; Query time: 12 msec
;; SERVER: 2001:620:0:ff::56#53(2001:620:0:ff::56)
;; WHEN: Wed Aug 26 23:09:52 CEST 2020
;; MSG SIZE  rcvd: 140

you can see, there are three gluerecords with (A) and none with (AAAA). need to talk with my domain hosting provider as i’d like to have AAAA as well …

Some Install Notes

https://checkmk.de/cms_install_packages_debian.html

download and scp check-mk-enterprise-1.6.0p15.demo_0.buster_amd64.deb -> enterprise microkernel, 2 x 10 Hosts download and scp check-mk-raw-1.6.0p15_0.buster_amd64.deb -> raw edition, nagios kernel

ssh root@localhost

apt-get install dpkg-sig libnet-snmp-perl snmp
wget https://checkmk.com/support/Check_MK-pubkey.gpg
gpg --import Check_MK-pubkey.gpg
dpkg-sig --verify /tmp/check-mk-enterprise-1.6.0p15.demo_0.buster_amd64.deb
apt-get install gdebi-core
gdebi /tmp/check-mk-raw-1.6.0p15_0.buster_amd64.deb
omd version

omd create mysite
omd config

oder

omd restore /tmp/mysite.tar.gz

Install v2.0 and migrate existing Config

https://checkmk.de/cms_install_packages_debian.html

download file: check-mk-raw-2.0.0p5_0.buster_amd64.deb

scp check-mk-raw-2.0.0p5_0.buster_amd64.deb host227:/tmp/

Prepare New Host

apt install -y dpkg-sig libnet-snmp-perl snmp

wget https://checkmk.com/support/Check_MK-pubkey.gpg
gpg --import Check_MK-pubkey.gpg
dpkg-sig --verify /tmp/check-mk-raw-2.0.0p5_0.buster_amd64.deb

apt-get install gdebi-core
gdebi /tmp/check-mk-raw-2.0.0p5_0.buster_amd64.deb

omd version

Backup old Server

Backup and copy to new Server

let’s do the opposite. you have some ipv6 connectifity and need to transport ipv4

Host A (IPv6 only)

root@hosta ~# ifconfig vio0
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr 56:00:02:e7:9d:e5
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet6 fe80::5400:2ff:fee7:9de5%vio0 prefixlen 64 scopeid 0x1
        inet6 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c prefixlen 64 autoconf pltime 604627 vltime 2591827
        inet6 2a05:f480:1400:7b6:446d:acb7:5fe4:450f prefixlen 64 autoconf autoconfprivacy pltime 86046 vltime 172537

root@hosta ~# i3
IPv4: !NETWORK
IPv6: 2a05:f480:1400:7b6:446d:acb7:5fe4:450f

Host B (Ipv6 only)

root@hostb ~# ifconfig vio0
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr 56:00:02:e7:9d:f4
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet6 fe80::5400:2ff:fee7:9df4%vio0 prefixlen 64 scopeid 0x1
        inet6 2001:19f0:6801:1e3b:7982:92b4:5c8d:edfb prefixlen 64 autoconf pltime 604403 vltime 2591603
        inet6 2001:19f0:6801:1e3b:e6f:24db:27f7:de37 prefixlen 64 autoconf autoconfprivacy pltime 85502 vltime 171928

root@hostb ~# i3
IPv4: !NETWORK
IPv6: 2001:19f0:6801:1e3b:e6f:24db:27f7:de37

Configure GIF Interfaces

Host A

ifconfig gif0 inet6 tunnel 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c 2001:19f0:6801:1e3b:7982:92b4:5c8d:edfb
ifconfig gif0 inet alias 10.0.0.1 10.0.0.2

Host B

ifconfig gif0 inet6 tunnel 2001:19f0:6801:1e3b:7982:92b4:5c8d:edfb 2a05:f480:1400:7b6:a9e0:6a15:217:cc5c
ifconfig gif0 inet alias 10.0.0.2 10.0.0.1

or make them persistent

let’s assume you need ipv6 connectifity somewhere … You can use some Tunnelbrokers or your run OpenBSD on your Boxes and want todo it on your own. Here some hints.

Server with DualStack

you need a Maschine out in the Internet which is DualStacked

stoege@dualstack$ i3
IPv4: 11.22.33.44
IPv6: 2001:db8:100::100

Host with IPv4 only

stoege@ipv4 host ~# i3
IPv4: 55.66.77.88
IPv6: !NETWORK

and you want to bring IPv4 to the second host

Configure GIF Interfaces

Server

cat << 'EOF' > /etc/hostname.gif0
# IPv4 Tunnel to Host
tunnel 11.22.33.44 55.66.77.88
inet6 alias 2001:db8::1 128
dest 2001:db8:::2
EOF

sh /etc/netstart gif0

IPv4 Host

cat << 'EOF' > /etc/hostname.gif0
# IPv4 Tunnel to Dualstack
tunnel 55.66.77.88 11.22.33.44
inet6 alias 2001:db8::2 128
dest 2001:db8:::1
!route -n add -inet6 default 2001:db8:::1
EOF

sh /etc/netstart gif0

Enable IPv4 and IPv6 Forwarding

you know, the sysctl stuff and so ..

Wireguard on OpenBSD

OpenBSD added wg to the Kernel a while ago … why not have a look into and do some speedtests … ?

Setup

CLIENT1 — WireGuard — CLIENT2

and running tcpbench between Client1 and Client2

Fireup VMs

Stage 3 VM’s on my litte Proxmox Server (Intel NUC)

wg_overlay: 10.0.0.0/24