OpenBSD

OpenBSD 6.9

OpenBSD 6.9 released

This is the 50th release of OpenBSD! As they release twice a year, it must be around 25 years since the fork from NetBSD started. Wikipedia has a Comparison of the Different BSD Operating Systems.

release 6.9

Upgrade to 6.9

I upgrade my systems twice every year. There is no need to reinstall, as the upgrade has worked fine over the years. Please read the official upgrade guide carefully; then you may want to use the script below. Use it at your own risk and test it somewhere before you run it on your production environment.

Projects

Like many of you, I've got different kinds of stuff running, mostly internally, but also some public things.

Hamsterwheel Counter

My daughter got a hamster, and he's running every night in his wheel. I built a small wheel counter so we can see the daily stats and performance of Cookie :). The website is in German and reachable via IPv6 only …

The hamster died just before Xmas 2022 :( RIP Cookie!

Bootstrap OpenBSD with Jail Partition

Bootstrapping VM

This is similar to the previous post, but with a small difference.

Here, we add another partition, /jail, with a size of 2 GB. On this partition only, we remove the nodev and nosuid mount flags (the other filesystems keep them), so we can use it as the root for some jailed users. And last but not least, we fire up a new VM, configure a jailed user and make it publicly available …

VM with 20G Disk

*** Bootstrap OpenBSD 6.8 ***

Deploy VM's with Terraform in 10min

Managing VM’s on Hetzner Cloud with Terraform

You may want to manage some VMs in the cloud. The web GUI is nice, but a real nerd needs a CLI ;)

Some notes on how to get Terraform running on OpenBSD.

add Packages (3min)

$ time doas pkg_add git gmake go terraform

3m18.62s real     0m19.53s user     0m07.73s system

set GOPATH

# persist GOPATH for future login shells, then load it into the current one
echo "GOPATH=$HOME/go" >> ~/.profile
echo "export GOPATH" >> ~/.profile
. ~/.profile
echo $GOPATH

build the Terraform provider for hcloud (2min)

As the hcloud provider is not available for OpenBSD, we have to build it ourselves.

Bootstrap OpenBSD

Bootstrapping VM

It's always good to have templates, isn't it? Sometimes with a lot of stuff preconfigured and installed, sometimes a fresh install without anything (except syspatches). Here is a little helper on how to build an OpenBSD template with a 20 GB or 40 GB disk.

This was tested on www.hetzner.de, so you should be able to reproduce it in a few minutes.

Costs: CX11,  1 CPU, 2 GB RAM, 20 GB Disk, 20TB Traffic -> 2.68 Euro/Month
Costs: CPX11, 2 CPU, 2 GB RAM, 40 GB Disk, 20TB Traffic -> 3.76 Euro/Month

If you create an account, you can use my sponsor link and we both get "a few bucks" to play with …

RPKI for Home Usage

Resource Public Key Infrastructure

You may know what RPKI is …

It's a PKI framework for improving the security of the Internet routing infrastructure, which is based on BGP.

As a home user or small/medium-sized company, you normally don't have a full BGP table and multiple upstream providers. You have one Internet router or firewall and you get a default route from your ISP.

With OpenBGPD and the current RPKI extensions, you "just" need a full BGP feed; then you can filter out all routes whose ROA validation state is invalid and keep your routing (and Internet access) more secure.

Openbsd Root Password Recovery

If you ever have to recover your root password …

Root PW Recovery

boot> boot -s

Enter pathname of shell or RETURN for sh: [ENTER]

fsck -p /
fsck -p /usr

mount -uw /
mount /usr

passwd

and finally: reboot

FSCK

Need to run fsck?

fsck /dev/sd1a
fsck -y /dev/sd1a

FSTAB

Need to fix your fstab?

boot -s
# in single-user mode / is mounted read-only; remount it read-write before editing
mount -uw /
mount /usr
export TERM=vt100
/usr/bin/vi /etc/fstab
fix it !


Jq

Json Query

Some basics about jq.

RAW Data

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0:3]'
[
  {
    "val": 2.64,
    "ack": 1,
    "ts": 1607900404883,
    "q": 0,
    "user": "system.user.admin"
  },
  {
    "val": 2.61,
    "ack": 1,
    "ts": 1607900410483,
    "q": 0,
    "user": "system.user.admin"
  },
  {
    "val": 2.58,
    "ack": 1,
    "ts": 1607900416083,
    "q": 0,
    "user": "system.user.admin"
  }
]

Query First Record

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0]'
{
  "val": 2.64,
  "ack": 1,
  "ts": 1607900404883,
  "q": 0,
  "user": "system.user.admin"
}

Filter val and ts

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0] |.ts,.val'
1607900404883
2.64

Filter val and ts on one line

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0] | (.ts |tostring) + ";" + (.val |tostring)'
"1607900404883;2.64"

Filter first 10 val and ts on one line

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[] | (.ts |tostring) + ";" + (.val |tostring)' |head -10
"1607900404883;2.64"
"1607900410483;2.61"
"1607900416083;2.58"
"1607900421739;2.62"
"1607900427335;2.62"
"1607900433003;2.57"
"1607900438543;2.72"
"1607900444131;2.67"
"1607900449791;2.6"
"1607900455383;2.55"

Filter first 10 val and ts on one line (with paste)

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[] |.ts,.val' |paste - - |head -10
1607900404883	2.64
1607900410483	2.61
1607900416083	2.58
1607900421739	2.62
1607900427335	2.62
1607900433003	2.57
1607900438543	2.72
1607900444131	2.67
1607900449791	2.6
1607900455383	2.55

Current over 50A

cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq -c '.[] | select(.val >= 50)'
{"val":52.55,"ack":1,"ts":1607907152399,"q":0,"user":"system.user.admin"}
{"val":52.54,"ack":1,"ts":1607907157975,"q":0,"user":"system.user.admin"}
{"val":52.53,"ack":1,"ts":1607907163639,"q":0,"user":"system.user.admin"}
{"val":52.5,"ack":1,"ts":1607907169220,"q":0,"user":"system.user.admin"}
{"val":52.49,"ack":1,"ts":1607907174863,"q":0,"user":"system.user.admin"}
{"val":52.53,"ack":1,"ts":1607907180639,"q":0,"user":"system.user.admin"}
...

BGP Stuff

dump networks from AS 3303

Wireguard Puffy to OPNsense

WG Tunnel between OpenBSD and OPNsense

How to set up a WG tunnel between OpenBSD and OPNsense? That's quite simple …

OpenBSD

Install Packages

pkg_add wireguard-tools--

Gen Key One-liner

wg genkey | tee privatekey | wg pubkey > publickey

Build Interface

# use the private key generated by the one-liner above, so the public key
# handed to the OPNsense side matches the key configured here
r=$(cat privatekey)
remote_ip="1.2.3.4"
remote_net="192.168.0.0/24"

# the heredoc delimiter must be unquoted so ${r}, ${remote_ip} and ${remote_net} are expanded
cat << EOF > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey   ${r}
wgport  51820
wgpeer  xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net}
inet    10.0.0.1/24
!route add ${remote_net} 10.0.0.2
up
EOF

sh /etc/netstart wg0
ifconfig wg0

update pf.conf

# pf.conf macro for the remote endpoint (pf.conf uses $name, not ${name})
remote_ip = "1.2.3.4"

# skip on wg Interface
set skip on { lo0 wg0 }

# Wireguard: only accept handshakes from the known peer
pass in log quick inet proto udp from $remote_ip to (self) port 51820

OPNsense

Install Wireguard

Menu System -> Firmware -> Plugins -> Install Wireguard

Keychain

Need a small and smart utility to manage your SSH keys under Linux? Got some scripts and cronjobs which require a local SSH key? Have a look at keychain!

Install Software

depending on your OS …

macos$ brew install keychain
debian$ sudo apt-get install keychain
openbsd$ pkg_add keychain
freebsd$ pkg install keychain

edit startup Scripts

$HOME/.bashrc, $HOME/.bash_profile, /etc/profile or $HOME/.profile

cat << 'EOF' >> $HOME/.bashrc
# Keychain Startup
eval `keychain --eval id_ed25519`
EOF

check service

$ keychain
$ ssh-add -L

add to .profile

cat << 'EOF' >> $HOME/.profile

# Keychain loaded? Load and show key ...
eval $(keychain --eval id_ed25519)
printf 'loaded keys: %s\n\n' "$(ssh-add -L | cut -c 1-12,77-)"
EOF

List Keys

keychain --list

List Fingerprints (Public Key?)

$ keychain --list-fp

Set Timeout

Timeout for SSH Agent