author | kaa <kaa@disroot.org> | 2025-06-09 04:05:40 -0700 |
---|---|---|
committer | kaa <kaa@disroot.org> | 2025-06-09 04:05:40 -0700 |
commit | 135d511aa98ea481736660a888383787bef881b9 (patch) | |
tree | 9b34915d48862d15fba1f41908c3326017fd1491 |
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | dhcpd.conf | 15 | ||||
-rw-r--r-- | doas.conf | 1 | ||||
-rw-r--r-- | fstab | 16 | ||||
-rw-r--r-- | hostname.alc0 | 5 | ||||
-rw-r--r-- | hostname.athn0 | 3 | ||||
-rwxr-xr-x | hostname.bridge0 | 2 | ||||
-rw-r--r-- | hostname.lo1 | 3 | ||||
-rw-r--r-- | hostname.pair0 | 2 | ||||
-rw-r--r-- | hostname.pair1 | 2 | ||||
-rw-r--r-- | hostname.rtwn0 | 2 | ||||
-rwxr-xr-x | hostname.vether0 | 1 | ||||
-rwxr-xr-x | hostname.wg0 | 8 | ||||
-rwxr-xr-x | pf.conf | 107 | ||||
-rw-r--r-- | rc.conf.local | 14 | ||||
-rw-r--r-- | rc.securelevel | 13 | ||||
-rwxr-xr-x | relayd.conf | 5 | ||||
-rw-r--r-- | sysctl.conf | 3 | ||||
-rwxr-xr-x | vm.conf | 15 |
19 files changed, 222 insertions, 0 deletions
@@ -0,0 +1,5 @@
+Here is an example set of configuration files for OpenBSD.
+VPN locked to rdomain 1.
+Virtual machine as a client on the network.
+Gateway host over ethernet.
+See https://man.openbsd.org/.
diff --git a/dhcpd.conf b/dhcpd.conf
new file mode 100644
index 0000000..c609176
--- /dev/null
+++ b/dhcpd.conf
@@ -0,0 +1,15 @@
+subnet 10.0.0.0 netmask 255.255.255.0 {
+ range 10.0.0.2 10.0.0.254;
+ option routers 10.0.0.1;
+ option domain-name-servers 1.1.1.1;
+}
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range 192.168.2.100 192.168.2.254;
+ option routers 192.168.2.1;
+ option domain-name-servers 1.1.1.1;
+}
+subnet 172.16.0.0 netmask 255.255.0.0 {
+ range 172.16.0.2 172.16.0.254;
+ option routers 172.16.0.1;
+ option domain-name-servers 1.1.1.1,8.8.8.8;
+}
diff --git a/doas.conf b/doas.conf
new file mode 100644
index 0000000..d57c5ec
--- /dev/null
+++ b/doas.conf
@@ -0,0 +1 @@
+permit nopass kaa as root
@@ -0,0 +1,16 @@
+4e4ba49841012f73.b none swap sw
+4e4ba49841012f73.a / ffs rw 1 1
+
+#4e4ba49841012f73.d /tmp ffs rw,nodev,noatime,nosuid 1 2
+swap /tmp mfs rw,nodev,nosuid,async,-s1024m 0 0
+
+4e4ba49841012f73.k /home ffs rw,nodev,noatime,nosuid 1 2
+4e4ba49841012f73.f /usr ffs rw,nodev,noatime 1 2
+4e4ba49841012f73.g /usr/X11R6 ffs rw,nodev,noatime 1 2
+4e4ba49841012f73.h /usr/local ffs rw,wxallowed,nodev,noatime 1 2
+4e4ba49841012f73.j /usr/obj ffs rw,nodev,noatime,nosuid 1 2
+4e4ba49841012f73.i /usr/src ffs rw,nodev,noatime,nosuid 1 2
+4e4ba49841012f73.e /var ffs rw,nodev,noatime,nosuid 1 2
+
+4e4ba49841012f73.l /bank ffs rw,nodev,noatime,nosuid,noatime 0 2
+e220a59b5812fff0.c /mnt/a ffs rw,nodev,noatime,nosuid 0 2
diff --git a/hostname.alc0 b/hostname.alc0
new file mode 100644
index 0000000..145c243
--- /dev/null
+++ b/hostname.alc0
@@ -0,0 +1,5 @@
+# Gateway mode
+inet 192.168.2.1/24
+
+# Client mode
+#inet autoconf
diff --git a/hostname.athn0 b/hostname.athn0
new file mode 100644
index 0000000..132acc0
--- /dev/null
+++ b/hostname.athn0
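Review bot: `permit nopass kaa as root` in doas.conf lets any process already running as kaa become root with no further check, so a compromised shell, browser session or the VM-owner account (vm.conf gives `owner kaa`) is one `doas` away from root. Unless an unattended script needs it, `permit persist kaa as root` keeps the password prompt with a short cache, and the few commands that must run without a prompt can be listed individually with `cmd`. doas.conf is a single line, so this is the whole file.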
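Review bot: The `/bank` entry in fstab repeats `noatime` in its option list (`rw,nodev,noatime,nosuid,noatime`); mount(8) tolerates the duplicate, but it reads like an edit leftover and `rw,nodev,noatime,nosuid` is evidently the intended set, matching `/mnt/a` on the next line. The commented-out `#4e4ba49841012f73.d /tmp ...` line is kept with no explanation above the mfs `/tmp` entry; either drop it or turn the comment into a reason, e.g. `# partition d unused: /tmp is the 1 GB mfs below`.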
@@ -0,0 +1,3 @@
+join "my net" wpakey mypass
+#inet autoconf
+down
diff --git a/hostname.bridge0 b/hostname.bridge0
new file mode 100755
index 0000000..634b6a0
--- /dev/null
+++ b/hostname.bridge0
@@ -0,0 +1,2 @@
+add vether0
+up
diff --git a/hostname.lo1 b/hostname.lo1
new file mode 100644
index 0000000..24d5c93
--- /dev/null
+++ b/hostname.lo1
@@ -0,0 +1,3 @@
+rdomain 1
+inet 127.0.0.1/8
+up
diff --git a/hostname.pair0 b/hostname.pair0
new file mode 100644
index 0000000..fee58ef
--- /dev/null
+++ b/hostname.pair0
@@ -0,0 +1,2 @@
+rdomain 0
+inet 192.168.7.1/24
diff --git a/hostname.pair1 b/hostname.pair1
new file mode 100644
index 0000000..3740df3
--- /dev/null
+++ b/hostname.pair1
@@ -0,0 +1,2 @@
+rdomain 1
+inet 192.168.7.2/24
diff --git a/hostname.rtwn0 b/hostname.rtwn0
new file mode 100644
index 0000000..865a9e5
--- /dev/null
+++ b/hostname.rtwn0
@@ -0,0 +1,2 @@
+join "My Network" wpakey secret
+inet autoconf
diff --git a/hostname.vether0 b/hostname.vether0
new file mode 100755
index 0000000..37ff656
--- /dev/null
+++ b/hostname.vether0
@@ -0,0 +1 @@
+inet 10.0.0.1 255.255.255.0
diff --git a/hostname.wg0 b/hostname.wg0
new file mode 100755
index 0000000..b4b0184
--- /dev/null
+++ b/hostname.wg0
@@ -0,0 +1,8 @@
+rdomain 1
+
+wgkey public
+wgpeer private wgaip ::0/0 wgaip 0.0.0.0/0 wgendpoint some.i.p.addr port
+inet6 fc00:bbbb:bbbb:bb01::8:4948/128
+inet 10.71.73.73/32
+wgrtable 0
+up
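Review bot: `join "my net" wpakey mypass` in hostname.athn0 (and `join "My Network" wpakey secret` in hostname.rtwn0) are placeholders, but a hostname.if file that carries a `wpakey` holds the real passphrase once filled in, which is why the installer keeps these files mode 0640 root:wheel; the git mode 100644 does not carry that over, so a comment such as `# holds wpakey: keep this file mode 0640 root:wheel` would help anyone copying the example. The trailing `down` in hostname.athn0 configures the interface and then immediately takes it down; if the file is kept as a dormant alternative to rtwn0, a comment saying so would make the intent clear.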
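Review bot: The placeholders `wgkey public` and `wgpeer private` in hostname.wg0 are the wrong way round for what the options take: `wgkey` is this host's private key and `wgpeer` is followed by the peer's public key, so a reader filling in the template would paste each key into the wrong slot. Suggest `wgkey <local private key>` and `wgpeer <peer public key> wgaip ::0/0 wgaip 0.0.0.0/0 wgendpoint <endpoint address> <port>`. Since the file then holds a private key it belongs mode 0640 root:wheel like the other hostname.if files, and the executable bit (mode 100755) serves no purpose on a hostname.if file. `rdomain 1` together with `wgrtable 0` is presumably the intended split, with the tunnel interface in rdomain 1 and its transport in rtable 0, and a comment stating that would be clearer than the README's "VPN locked to rdomain 1".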
@@ -0,0 +1,107 @@
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+set skip on lo
+set skip on lo1
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# By default, do not permit remote connections to X11
+#block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# VM networking.
+bridge = "vether0"
+match out on egress from $bridge:network to any nat-to (egress)
+
+# play difficult
+block on egress all
+
+# enable torrent
+pass out quick on egress proto tcp to any user _transmission
+pass in quick on egress proto tcp from any user _transmission
+pass quick on egress proto udp from any user _transmission
+pass quick on egress proto tcp from any user _transmission
+
+# enable openvpn
+pass quick on egress proto udp user _openvpn
+
+tcp_services = "{ssh, smtp, domain, www, pop3, auth, http, https, pop3s, irc, openvpn, git, imaps, imap, smtps, vnc}"
+# These services are not marked in /etc/services
+dict = "2628"
+# http without binding to port 80
+althttp = "8080"
+
+pass proto tcp to port $tcp_services
+# Port 587 used by disroot.
+pass proto tcp to port 587
+pass proto tcp to port $dict
+pass proto tcp to port $althttp
+
+pass proto tcp to port nfs
+pass proto udp to port nfs
+
+# DMS for Roku.
+dms="1900"
+dms_http="1338"
+pass proto tcp to port $dms
+pass proto udp to port $dms
+pass proto tcp to port $dms_http
+pass proto udp to port $dms_http
+dms_roku="35888"
+pass proto udp to port $dms_roku
+
+# Traceroute
+trace="33434"
+pass proto udp to port $trace
+
+# Enable LPR printing.
+lpr="515"
+pass proto tcp to port $lpr
+
+# Enable SANE.
+pass proto tcp to port sane-port
+pass proto udp to port sane-port
+
+# Enable BJNP.
+bjnp_print="8612"
+bjnp_scan="8613"
+pass proto tcp to port $bjnp_print
+pass proto udp to port $bjnp_print
+pass proto tcp to port $bjnp_scan
+pass proto udp to port $bjnp_scan
+
+# Enable IRC.
+irc="6667"
+pass proto tcp to port $irc
+
+udp_services = "{domain, openvpn}"
+pass out proto udp to port $udp_services
+
+# Broken DAC. Allow incoming traffic on port 12345 for it.
+dac="12345"
+pass proto tcp to port $dac
+
+# Remote sndio connection. See https://www.openbsd.org/faq/faq13.html
+# Prioritize. See pf.conf(5)
+sndio=11025
+pass proto tcp to port $sndio set prio 4
+# https://man.openbsd.org/pf.conf#QUEUEING
+
+# Xonotic
+xonotic = "26000"
+pass out proto tcp to port $xonotic
+pass out proto udp to port $xonotic
+pass in proto tcp to port $xonotic
+pass in proto udp to port $xonotic
+
+# drawterm
+pass proto tcp to port {17010,17013,17019,17020,567}
+# see drawterm/kern/devip.c
+# see https://plan9.io/wiki/plan9/drawterm/index.html
+# I like ICMP ping.
+pass proto icmp from any to any
diff --git a/rc.conf.local b/rc.conf.local
new file mode 100644
index 0000000..b2e25c0
--- /dev/null
+++ b/rc.conf.local
@@ -0,0 +1,14 @@
+dhcpd_flags=
+ftpd_flags=
+ftpproxy_flags=
+httpd_flags=
+ntpd_flags=NO
+pkg_scripts=cupsd cups_browsed saned transmission_daemon pfstatd
+portmap_flags=
+relayd_flags=
+resolvd_flags=NO
+sndiod_flags=-s default -m play,mon -s mon -L- -b 9600 -r 41000
+sndiod_rtable=1
+transmission_daemon_flags=-w /mnt/a/torrent -a 127.0.0.1,192.168.*.*,10.71.73.73,localhost
+transmission_daemon_rtable=1
+vmd_flags=
diff --git a/rc.securelevel b/rc.securelevel
new file mode 100644
index 0000000..9e0d45e
--- /dev/null
+++ b/rc.securelevel
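Review bot: The `# play difficult` rule `block on egress all` is undone for inbound traffic by every later pass rule written without a direction: pf is last-match, and `pass proto tcp to port $tcp_services` (and likewise the `$dict`, `$althttp`, `587`, nfs, `$dms*`, `$lpr`, sane-port, `$bjnp_*`, `$irc`, `$sndio`, drawterm and `pass proto icmp from any to any` rules) matches packets arriving on egress whose destination port is a local ssh, smtp, www, imap, vnc or other listener, so those ports are reachable from the Internet as soon as something listens on them. Rules that describe this host as a client should carry `out`, e.g. `pass out proto tcp to port $tcp_services`, and only the rules meant to accept connections should say `pass in`, as the `$dac` comment and the xonotic pair already do. ICMP could similarly be limited to `pass inet proto icmp icmp-type { echoreq, unreach }` if only ping and path-MTU replies are wanted. The hunk begins on the previous physical line and the non-egress interfaces are already open via the top-level `pass`, so this only concerns egress.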
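Review bot: `transmission_daemon_flags=... -a 127.0.0.1,192.168.*.*,10.71.73.73,localhost` is the RPC whitelist, and the wildcard admits every host in 192.168.0.0/16. relayd.conf in this commit terminates each client connection and opens its own to 192.168.7.2, so the daemon presumably sees relayd's pair0 address 192.168.7.1 as the source, which the wildcard already covers; every client relayd accepts on `listen on 0.0.0.0 port 9091` is therefore whitelisted and the list adds nothing beyond relayd's listen address. Binding relayd to the LAN address (`listen on 192.168.2.1 port 9091`) and narrowing the list to the pair peer (`-a 127.0.0.1,192.168.7.1,localhost`) bounds what can reach the web UI; whether RPC authentication is on is decided in settings.json, which this commit does not include. `sndiod_flags` with `-L-` likewise listens on every address in rtable 1, which matches the "Remote sndio" rule in pf.conf and so looks intentional.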
@@ -0,0 +1,13 @@
+# lo0
+route -T1 add localhost localhost
+# rtwn0
+gate=$(route -T0 get default | awk '/gateway/ {print $2 }')
+# wg0
+wgremote=111.222.111.222
+wgdevice4=10.71.73.73
+wgdevice6=fc00:bbbb:bbbb:bb01::8:4948
+route -T1 add -inet6 default $wgdevice6
+route -T1 add default $wgdevice4
+
+# Pair to tunnel transmission web service
+ifconfig pair0 patch pair1
diff --git a/relayd.conf b/relayd.conf
new file mode 100755
index 0000000..1b38845
--- /dev/null
+++ b/relayd.conf
@@ -0,0 +1,5 @@
+table <transmission> { 192.168.7.2 }
+relay www {
+ listen on 0.0.0.0 port 9091
+ forward to <transmission> port 9091 check tcp
+}
diff --git a/sysctl.conf b/sysctl.conf
new file mode 100644
index 0000000..a89ee31
--- /dev/null
+++ b/sysctl.conf
@@ -0,0 +1,3 @@
+machdep.lidaction=0
+net.inet.ip.forwarding=1
+kern.maxfiles=99999
@@ -0,0 +1,15 @@
+switch "uplink" {
+ interface bridge0
+}
+vm "alp" {
+ disable
+ memory 1024M
+ cdrom "/var/vm/alpine-standard-3.18.2-x86_64.iso"
+ disk "/var/vm/alp.qcow2"
+ owner kaa
+ interface {
+ lladdr 52:54:00:00:EE:04
+ switch "uplink"
+ }
+
+}
|
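Review bot: `gate=$(route -T0 get default | awk '/gateway/ {print $2 }')` and `wgremote=111.222.111.222` in rc.securelevel are assigned and never used, so the file does nothing with the physical gateway or the endpoint address; a `route -T0 add $wgremote $gate` host route looks like the missing step, but with `wgrtable 0` on wg0 the endpoint is already reached through rtable 0's default route, so the two assignments and their `# rtwn0` comment can simply go. The `# lo0` comment above `route -T1 add localhost localhost` appears to mislabel it: with `-T1` the route lands in rdomain 1, whose loopback is lo1 per hostname.lo1, so `# lo1 (rdomain 1 loopback)` would match. A one-line header saying the rdomain 1 defaults must point at wg0 before anything bound to rtable 1 (sndiod, transmission) can use the tunnel would explain why these routes live here.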