OpenBSD

Migrate Packages from Host A to Host B

How to migrate all Packages

Got several packages installed on Host A and you would like to migrate them to Host B? That's easy :)

Extract on Host A

pkg_info -mz | tee list
ansible--
bash--
...
vnstat--
wget--

scp list HostB:/tmp/

Import on Host B

doas pkg_add -l /tmp/list

Oneline

Or you can simply do it in one line, although there are two commands: copy and install.
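Added example, not part of the original post: a small sanity check for the list that pkg_info -mz writes on Host A, run before pkg_add -l consumes it on Host B, so that a truncated or edited list is noticed instead of silently installed. It assumes the post's layout (list copied to /tmp/list on Host B); the sample lists are constructed here for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a list
# produced by "pkg_info -mz" on Host A before "pkg_add -l" consumes it on
# Host B, so that a truncated or edited list is rejected instead of
# silently installed.  pkg_info -mz prints one "stem--" (or
# "stem--flavor") line per manually installed package.

# Return 0 if every non-empty line of $1 has the "stem--[flavor]" shape,
# 1 otherwise; the offending lines are printed on stderr.
pkglist_check() {
    _bad=$(grep -v -E '^[[:alnum:]][[:alnum:]_.+-]*--[[:alnum:],_-]*$' "$1" \
           | grep -v '^$' || true)
    if [ -n "$_bad" ]; then
        printf 'rejected line(s) in %s:\n%s\n' "$1" "$_bad" >&2
        return 1
    fi
    return 0
}

# On Host B (as root or via doas): install only from a validated list,
# e.g. "pkglist_install /tmp/list" after "scp list HostB:/tmp/".
pkglist_install() {
    pkglist_check "$1" || return 1
    pkg_add -l "$1"
}

# Constructed sample lists for a local dry run: $1 gets a well-formed
# list, $2 contains one versioned line that is not in the stem-only form
# pkg_info -mz produces and is therefore rejected.
write_sample_lists() {
    printf 'ansible--\nbash--\nvim--gtk2\nvnstat--\nwget--\n' > "$1"
    printf 'bash--\nbash-5.0.11\nwget--\n' > "$2"
}
```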

Scamper

Install

doas pkg_add scamper

Scamper

umweg ~# scamper -c "trace -M" -i 8.8.8.8
traceroute from 130.60.xx.xx to 8.8.8.8
 1  130.60.xx.xx 0.418 ms [mtu: 1500]
 2  130.60.xx.xx 0.411 ms [mtu: 1500]
 3  10.1.1.209  1.658 ms [mtu: 1500]
 4  10.1.0.54  2.284 ms [mtu: 1500]
 5  10.20.128.37  0.848 ms [mtu: 1500]
 6  192.41.136.65  0.994 ms [mtu: 1500]
 7  192.41.136.1  0.774 ms [mtu: 1500]
 8  72.14.195.4  1.491 ms [mtu: 1500]
 9  74.125.243.161  2.975 ms [mtu: 1500]
10  172.253.50.23  2.530 ms [mtu: 1500]
11  8.8.8.8  1.901 ms [mtu: 1500]

Source

https://www.caida.org/tools/measurement/scamper/

OpenBSD APU Serial Console

How to Access APU “B” from APU “A” via Serial Console (USB to Serial Device)

APU “A”

Connect the USB-to-serial adapter

Connect to Serial Console on APU “B”

APU “B”

/etc/ttys
tty00 "/usr/libexec/getty std.115200" vt220  on secure

APU “A”

cu -s 115200 -l /dev/tty00

cu -s 115200 -l /dev/cuaU0 (8 Port USB2Serial Device)

-> you now have console access to APU “B”

Hardware

https://www.amazon.de/LogiLink-AU0033-USB-Adapter-Serial/dp/B00BBXHOAY USB Serial Adapter


Any Comments ?

sha256: 28cee1e19429893ed3a288609d580ce28305a3c80961771d3a495403af3cf3c5

OpenBSD upgrade 6.6

OpenBSD 6.6 is released today. Here is my upgrade procedure:

run sysmerge

reboot

run script:

#!/bin/sh

# be nice and verbose
e() {
  echo "\n$1 **"
}

e "** vars"
_mydir=$(pwd)

e "** build base urls"
_path_base=https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/
_path_pkg=https://cdn.openbsd.org/pub/OpenBSD/6.6/packages/amd64/
echo "_path_base: ${_path_base}"
echo "_path_pkg: ${_path_pkg}"

e "** make all devices"
cd /dev
./MAKEDEV all || exit 1

e "** cd /tmp"
cd /tmp

e "** install boot loader"
_boot=$(mount |awk -F'[/ ]' '/ on \/ / {print $3}')
installboot ${_boot%?}

e "** hash new Kernel"
sha256 -h /var/db/kernel.SHA256 /bsd

e "** export URL for pkg upgrade"
echo "export PKG_PATH=${_path_pkg}"
export PKG_PATH="${_path_pkg}"

e "** run sysmerge"
sysmerge

e "** run fw update"
fw_update -v

e "** run pkg update"
pkg_add -Vu

e "** index new man pages"
makewhatis

e "** Update Acme Client API"
sed -i 's/acme-v01.api.letsencrypt.org/acme-v02.api.letsencrypt.org/' /etc/acme-client.conf

e "** files to remove"
rm -f /usr/share/man/man3p/carp.3p \
  /usr/share/man/man3p/Tie::ExtraHash.3p \
  /usr/share/man/man3p/Tie::StdHash.3p \
  /usr/share/man/man3p/Tie::StdScalar.3p \
  /usr/share/man/man3p/basename.3p \
  /usr/share/man/man3p/cluck.3p \
  /usr/share/man/man3p/confess.3p \
  /usr/share/man/man3p/croak.3p \
  /usr/share/man/man3p/dirname.3p \
  /usr/share/man/man3p/fileparse.3p \
  /usr/share/man/man3p/getopt.3p \
  /usr/share/man/man3p/getopts.3p \
  /usr/share/man/man3p/inet_aton.3p \
  /usr/share/man/man3p/inet_ntoa.3p \
  /usr/share/man/man3p/longmess.3p \
  /usr/share/man/man3p/look.3p \
  /usr/share/man/man3p/open2.3p \
  /usr/share/man/man3p/open3.3p \
  /usr/share/man/man3p/pod2usage.3p \
  /usr/share/man/man3p/podchecker.3p \
  /usr/share/man/man3p/podselect.3p \
  /usr/share/man/man3p/shortmess.3p \
  /usr/share/man/man3p/sockaddr_in.3p \
  /usr/share/man/man3p/sockaddr_un.3p \
  /usr/share/man/man3p/writemain.3p
rm -f /usr/sbin/snmpctl \
  /usr/share/man/man8/snmpctl.8
rm -f /usr/X11R6/lib/pkgconfig/libfs.pc \
  /usr/X11R6/include/X11/fonts/FSlib.h
rm -rf /usr/X11R6/share/doc/libFS
rm -f /usr/X11R6/bin/xman \
  /usr/X11R6/lib/X11/xman.help \
  /usr/X11R6/man/man1/xman.1 \
  /usr/X11R6/share/X11/app-defaults/Xman
rm -f /usr/X11R6/bin/xman \
  /usr/X11R6/lib/X11/xman.help \
  /usr/X11R6/man/man1/xman.1 \
  /usr/X11R6/share/X11/app-defaults/Xman \
  /usr/X11R6/lib/pkgconfig/libfs.pc \
  /usr/X11R6/lib/modules/v10002d.uc \
  /usr/X11R6/lib/modules/v20002d.uc \
  /usr/X11R6/lib/modules/drivers/ark_drv.la \
  /usr/X11R6/lib/modules/drivers/ark_drv.so \
  /usr/X11R6/lib/modules/drivers/chips_drv.la \
  /usr/X11R6/lib/modules/drivers/chips_drv.so \
  /usr/X11R6/lib/modules/drivers/glint_drv.la \
  /usr/X11R6/lib/modules/drivers/glint_drv.so \
  /usr/X11R6/lib/modules/drivers/i128_drv.la \
  /usr/X11R6/lib/modules/drivers/i128_drv.so \
  /usr/X11R6/lib/modules/drivers/neomagic_drv.la \
  /usr/X11R6/lib/modules/drivers/neomagic_drv.so \
  /usr/X11R6/lib/modules/drivers/rendition_drv.la \
  /usr/X11R6/lib/modules/drivers/rendition_drv.so \
  /usr/X11R6/lib/modules/drivers/s3_drv.la \
  /usr/X11R6/lib/modules/drivers/s3_drv.so \
  /usr/X11R6/lib/modules/drivers/s3virge_drv.la \
  /usr/X11R6/lib/modules/drivers/s3virge_drv.so \
  /usr/X11R6/lib/modules/drivers/sis_drv.la \
  /usr/X11R6/lib/modules/drivers/sis_drv.so \
  /usr/X11R6/lib/modules/drivers/tdfx_drv.la \
  /usr/X11R6/lib/modules/drivers/tdfx_drv.so \
  /usr/X11R6/lib/modules/drivers/trident_drv.la \
  /usr/X11R6/lib/modules/drivers/trident_drv.so \
  /usr/X11R6/lib/modules/drivers/tseng_drv.la \
  /usr/X11R6/lib/modules/drivers/tseng_drv.so \
  /usr/X11R6/man/man4/chips.4 \
  /usr/X11R6/man/man4/glint.4 \
  /usr/X11R6/man/man4/i128.4 \
  /usr/X11R6/man/man4/neomagic.4 \
  /usr/X11R6/man/man4/rendition.4 \
  /usr/X11R6/man/man4/s3.4 \
  /usr/X11R6/man/man4/s3virge.4 \
  /usr/X11R6/man/man4/sis.4 \
  /usr/X11R6/man/man4/tdfx.4 \
  /usr/X11R6/man/man4/trident.4 \
  /usr/X11R6/man/man4/tseng.4 \
  /usr/X11R6/man/man3/XkbAllocGeomOverlayKey.3
rm -f /usr/X11R6/include/X11/fonts/FSlib.h \
  /usr/include/dev/ic/dwc_gmac_reg.h \
  /usr/include/dev/ic/dwc_gmac_var.h \
  /usr/include/llvm/Analysis/IndirectCallSiteVisitor.h \
  /usr/include/llvm/CodeGen/GCs.h \
  /usr/include/llvm/DebugInfo/PDB/Native/NativeBuiltinSymbol.h \
  /usr/include/llvm/DebugInfo/PDB/Native/NativeEnumSymbol.h \
  /usr/include/llvm/IR/TypeBuilder.h \
  /usr/include/llvm/Transforms/Utils/OrderedInstructions.h
rm -f /usr/share/man/man1/clang++.1 \
  /usr/share/man/man1/clang-cpp.1 \
  /usr/share/man/man1/diagnostics.1 \
  /usr/share/man/man3/SipHash24.3 \
  /usr/share/man/man3/bitstring.3 \
  /usr/share/man/man3/byteorder.3 \
  /usr/share/man/man3/directory.3 \
  /usr/share/man/man3/ethers.3 \
  /usr/share/man/man3/exec.3 \
  /usr/share/man/man3/fts.3 \
  /usr/share/man/man3/getcap.3 \
  /usr/share/man/man3/inet_net.3 \
  /usr/share/man/man3/md5.3 \
  /usr/share/man/man3/pcap-filter.3 \
  /usr/share/man/man3/pcap.3 \
  /usr/share/man/man3/pwcache.3 \
  /usr/share/man/man3/resolver.3 \
  /usr/share/man/man3/rmd160.3 \
  /usr/share/man/man3/sha1.3 \
  /usr/share/man/man3/sha2.3 \
  /usr/share/man/man3/stdarg.3 \
  /usr/share/man/man3/uucplock.3 \
  /usr/share/man/man3/uuid.3 \
  /usr/share/man/man3/ypclnt.3 \
  /usr/share/man/man4/i386/vmm.4 \
  /usr/share/man/man4/macppc/openprom.4 \
  /usr/share/man/man4/sparc64/openprom.4

e "** remove myself"
cd ${_mydir}
rm $0

e "** done !"


How to Create Bootable USB Stick for OpenBSD

Download “install66.fs”

Open balenaEtcher on OSX

Proceed

-> seems not to work :(

Build the USB stick with dd

mount
/dev/disk4s1 on /Volumes/Ohne Titel (hfs, local, nodev, nosuid, journaled, noowners)

Open DiskUtils

Unmount “Ohne Titel”

DD

osx$ sudo dd if=install66.fs of=/dev/disk4s1 bs=1m

wait 10min

done


OpenBSD 6.x Disk Usage

How much disk is used with the default partitioning

puffy66# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     1005M   96.1M    858M    10%    /
/dev/sd0k      9.6G    2.0K    9.1G     0%    /home
/dev/sd0d      1.8G   12.0K    1.7G     0%    /tmp
/dev/sd0f      2.5G    955M    1.4G    39%    /usr
/dev/sd0g     1005M    202M    752M    21%    /usr/X11R6
/dev/sd0h      4.2G    218K    3.9G     0%    /usr/local
/dev/sd0j      5.8G    2.0K    5.5G     0%    /usr/obj
/dev/sd0i      1.7G    2.0K    1.6G     0%    /usr/src
/dev/sd0e      2.8G    5.9M    2.7G     0%    /var

Example with 32 GB

puffy66# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G   96.1M    3.6G     3%    /
/dev/sd0g      7.8G    2.0K    7.4G     0%    /home
/dev/sd0d      2.0G   12.0K    1.9G     0%    /tmp
/dev/sd0f      7.9G    1.1G    6.4G    15%    /usr
/dev/sd0e      7.9G    5.9M    7.5G     0%    /var

Partition Proposal for 16GB

/dev/sd0a 2G  /
/dev/sd0b 1G  swap
/dev/sd0d 1G  /tmp
/dev/sd0e 4G  /var
/dev/sd0f 4G  /usr
/dev/sd0g 4G  /home

Partition Proposal for 20GB

/dev/sd0a 2G  /
/dev/sd0b 1G  swap
/dev/sd0d 1G  /tmp
/dev/sd0e 6G  /var
/dev/sd0f 6G  /usr
/dev/sd0g 4G  /home

Partition Proposal for 32GB

/dev/sd0a 4G  /
/dev/sd0b 2G  swap
/dev/sd0d 2G  /tmp
/dev/sd0e 8G  /var
/dev/sd0f 8G  /usr
/dev/sd0g 8G  /home

Partition Proposal for 64GB

/dev/sd0a 4G  /
/dev/sd0b 2G  swap
/dev/sd0d 2G  /tmp
/dev/sd0e 8G  /var
/dev/sd0f 8G  /usr
/dev/sd0g 8G  /home
/dev/sd0h 32G /data

Templates APU 16GB

cat << 'EOF' > autodisklabel
/       2G
swap    0.5G
/tmp    1G
/usr    4G
/var    4G
/home   4G
EOF

Templates APU 120GB

cat << 'EOF' > autodisklabel
/       4G
swap    4G
/tmp    4G
/usr    8G
/var    8G
/home   16G
/data   64G
EOF

Quick and Dirty APU 120GB

a 4G /root
a 4G swap
a 4G /tmp
a 8G /usr
a 8G /home
a *  /var

-> which results in:

apu-120GB# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G   75.0M    3.6G     2%    /
/dev/sd0f      7.8G    2.0K    7.4G     0%    /home
/dev/sd0d      3.9G   16.0K    3.7G     0%    /tmp
/dev/sd0e      7.8G    1.2G    6.1G    17%    /usr
/dev/sd0g     81.1G    7.0M   77.1G     0%    /var


how to move on the cli


Multicast

/etc/mrouted.conf

name LOCAL 239.255.0.0/16
phyint em1 disable

forward multicast

sysctl.conf
net.inet.ip.mforwarding=1

enable and start Service

rcctl enable multicast
rcctl start multicast
rcctl enable mrouted
rcctl start mrouted

useful commands

netstat -g
map-mbone
mrinfo
mtrace

https://felix-kling.de/blog/2019/sonos-dedicated-vlan.html


Dualstack

DualStack & Prefix Delegation with OpenBSD

OS: OpenBSD 6.5

Hint: wide-dhcpv6-20080615p9 was not working fine, so I gave dhcpcd a try.

Install Package

pkg_add dhcpcd-7.1.1p4

Configure dhcpcd

/etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier

# disable running any hooks; not typically required for simple DHCPv6-PD setup
script ""

# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces em1 vlan108 vlan110 vlan112

interface em1
    # the following two lines tell dhcpcd to do router solicitation
    # itself. don't use them if using "inet6 autoconf" (slaacd)
    ipv6rs
    ia_na 1

    # request prefixes from the provider to use for downstream networks
    ia_pd 2 vlan108/1 vlan110/2 vlan112/3

Enable and Start Service

rcctl enable dhcpcd
rcctl restart dhcpcd

You should now get an IP address on your public interface. Adjust pf.conf accordingly for IPv6!

Wireguard

WireGuard Stuff, 2019-09-18

Resources

Also check my new post about WireGuard on -current …

Using wireguard on OpenBSD

OpenBSD Router: VPN

Wireguard Server

Packages

pkg_add wireguard-go \
  wireguard-tools \
  libqrencode

Config & Enable WG

rcctl enable wireguard_go
rcctl set wireguard_go flags tun2

Prepare Environment

mkdir -p /etc/wireguard/{keys,config}
cd /etc/wireguard

Generate Keys

wg genkey | tee keys/server-private.key    | wg pubkey > keys/server-public.key
wg genkey | tee keys/client001-private.key | wg pubkey > keys/client001-public.key
wg genkey | tee keys/client002-private.key | wg pubkey > keys/client002-public.key
wg genkey | tee keys/client003-private.key | wg pubkey > keys/client003-public.key

chmod 600 keys/*private.key

Config Interface

cat << 'EOF' > /etc/hostname.tun2
10.0.0.1 10.0.0.2 netmask 255.255.255.0
inet6 alias 2001:db8::1 128
dest 2001:db8::2
!/bin/sleep 10 && /usr/local/bin/wg setconf tun2 /etc/wireguard/server.conf &
EOF

IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
EOF

sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

server.conf

cat << EOF > server.conf

[Interface]
PrivateKey  = $(cat keys/server-private.key)
ListenPort  = 51820

# IPv4 only
[Peer]
PublicKey   = $(cat keys/client001-public.key)
AllowedIPs  = 10.0.0.2/32

# IPv6 only
[Peer]
PublicKey   = $(cat keys/client002-public.key)
AllowedIPs  = 2001:db8::3/128

# IPv4 and IPv6
[Peer]
PublicKey   = $(cat keys/client003-public.key)
AllowedIPs  = 2001:db8::4/128, 10.0.0.4/32
EOF

chmod 600 server.conf
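A heredoc with a quoted delimiter (<< 'EOF') never runs the $(cat ...) substitutions, so a server.conf built that way holds the literal text instead of a key and wg setconf rejects it. As an added example, not part of the original post, here is a small generator with an unquoted delimiter plus a check to run before wg setconf; it assumes the keys directory layout from the post (server-private.key, client001-public.key) and builds constructed dummy keys so it runs without wg(8).

```shell
#!/bin/sh
# Added example, not from the original post: generate server.conf from
# the key files under /etc/wireguard/keys and verify the result before
# "wg setconf tun2 server.conf" is run.

# Write server.conf for one IPv4-only peer.  $1 = keys dir, $2 = output.
# The delimiter is unquoted on purpose so $(cat ...) is expanded.
wg_write_server_conf() {
    _k=$1
    cat << EOF > "$2"
[Interface]
PrivateKey  = $(cat "$_k/server-private.key")
ListenPort  = 51820

[Peer]
PublicKey   = $(cat "$_k/client001-public.key")
AllowedIPs  = 10.0.0.2/32
EOF
    chmod 600 "$2"
}

# Return 0 when no unexpanded "$(" is left in the file and every
# PrivateKey/PublicKey line carries a 44-character base64 key
# (32 key bytes encoded, as wg genkey / wg pubkey print them), else 1.
wg_conf_check() {
    if grep -q '\$(' "$1"; then
        echo "$1: contains unexpanded \$(...) text" >&2
        return 1
    fi
    if grep -E '^(Private|Public)Key' "$1" \
         | grep -v -E '= [A-Za-z0-9+/]{43}=$' >/dev/null; then
        echo "$1: malformed key line" >&2
        return 1
    fi
    return 0
}

# Constructed dummy keys (43 base64 chars plus "=") so the example runs
# without wg(8); real keys come from "wg genkey | tee ... | wg pubkey".
wg_make_dummy_keys() {
    mkdir -p "$1"
    _key=""; _i=0
    while [ "$_i" -lt 43 ]; do _key="${_key}A"; _i=$((_i + 1)); done
    printf '%s=\n' "$_key" > "$1/server-private.key"
    printf '%s=\n' "$(printf '%s' "$_key" | tr A B)" > "$1/client001-public.key"
}
```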

Update PF

... snip ...

set skip on { lo0 enc0 tun2 }

# WG Stuff
match out log on egress inet  from (tun2:network) nat-to (egress:0)
match out log on egress inet6 from (tun2:network) nat-to (egress)

... snip ...

# Block all
block log

... snip ...

# Allow Wireguard from any
pass in log quick inet  proto { tcp udp } from any to (self) port { 51820 }
pass in log quick inet6 proto { tcp udp } from any to (self) port { 51820 }

... snip ...

Reboot the server to activate all the config

reboot

cd /etc/wireguard

Update Config Script

cat << 'EOF' > wg_update_config.sh
#!/bin/sh
wg setconf tun2 server.conf
wg show
exit 0
EOF

chmod 755 wg_update_config.sh

Wireguard Client

IPv4 only

cat << EOF > config/client001.conf
[Interface]
PrivateKey  = $(cat keys/client001-private.key)
Address     = 10.0.0.2/32
DNS         = 8.8.8.8

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32
Endpoint    = $(ifconfig egress |awk '/inet / {print $2}'):51820
EOF

IPv6 only

cat << EOF > config/client002.conf
[Interface]
PrivateKey  = $(cat keys/client002-private.key)
Address     = 2001:db8::3/128
DNS         = 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 2001:4860:4860::8888/128
Endpoint    = [$(ifconfig egress |awk '/inet6 / {print $2}' |grep -v 'fe80::')]:51820
EOF

IPv4+6 (not yet working …)

cat << EOF > config/client003.conf
[Interface]
PrivateKey  = $(cat keys/client003-private.key)
Address     = 10.0.0.4/32, 2001:db8::4/128
DNS         = 8.8.8.8, 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32, 2001:4860:4860::8888/128
Endpoint    = $(ifconfig egress |awk '/inet / {print $2}'):51820, [$(ifconfig egress |awk '/inet6 / {print $2}' |grep -v 'fe80::')]:51820
EOF

Generate QR

cat config/client001.conf | qrencode -t ansiutf8
cat config/client002.conf | qrencode -t ansiutf8
cat config/client003.conf | qrencode -t ansiutf8

Show Commands

puffy66 1 ../wireguard# wg show
interface: tun2
  public key: eBzb9Q+95EQj2C2hRd7RuGH4dES9sjfgjWHHFskJ+SQ=
  private key: (hidden)
  listening port: 51820

peer: 6i2k+s3bgUgRRbVefCNzjQPJZbsIzipNsFOmjFCnLHE=
  endpoint: 192.168.108.125:52565
  allowed ips: 10.0.0.2/32
  latest handshake: 56 seconds ago
  transfer: 13.19 KiB received, 8.07 KiB sent

peer: gRWzWzJIelqez9/lHsL/KsDDKjCoZK6I91hggeNELmc=
  allowed ips: 2001:db8::3/128

peer: pulLKxKk6dwFf6xlb+mEiP4AdS0jbs5hYOvMC7FfNXM=
  allowed ips: 10.0.0.4/32, 2001:db8::4/128
