From 135d511aa98ea481736660a888383787bef881b9 Mon Sep 17 00:00:00 2001
From: kaa
Date: Mon, 9 Jun 2025 04:05:40 -0700
Subject: Initial
---
 README | 5 +++
 dhcpd.conf | 15 ++++++++
 doas.conf | 1 +
 fstab | 16 +++++++++
 hostname.alc0 | 5 +++
 hostname.athn0 | 3 ++
 hostname.bridge0 | 2 ++
 hostname.lo1 | 3 ++
 hostname.pair0 | 2 ++
 hostname.pair1 | 2 ++
 hostname.rtwn0 | 2 ++
 hostname.vether0 | 1 +
 hostname.wg0 | 8 +++++
 pf.conf | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 rc.conf.local | 14 ++++++++
 rc.securelevel | 13 +++++++
 relayd.conf | 5 +++
 sysctl.conf | 3 ++
 vm.conf | 15 ++++++++
 19 files changed, 222 insertions(+)
 create mode 100644 README
 create mode 100644 dhcpd.conf
 create mode 100644 doas.conf
 create mode 100644 fstab
 create mode 100644 hostname.alc0
 create mode 100644 hostname.athn0
 create mode 100755 hostname.bridge0
 create mode 100644 hostname.lo1
 create mode 100644 hostname.pair0
 create mode 100644 hostname.pair1
 create mode 100644 hostname.rtwn0
 create mode 100755 hostname.vether0
 create mode 100755 hostname.wg0
 create mode 100755 pf.conf
 create mode 100644 rc.conf.local
 create mode 100644 rc.securelevel
 create mode 100755 relayd.conf
 create mode 100644 sysctl.conf
 create mode 100755 vm.conf
diff --git a/README b/README
new file mode 100644
index 0000000..055267d
--- /dev/null
+++ b/README
@@ -0,0 +1,5 @@
+Here is an example set of configuration files for OpenBSD.
+VPN locked to rdomain 1.
+Virtual machine as a client on the network.
+Gateway host over ethernet.
+See https://man.openbsd.org/.
diff --git a/dhcpd.conf b/dhcpd.conf
new file mode 100644
index 0000000..c609176
--- /dev/null
+++ b/dhcpd.conf
@@ -0,0 +1,15 @@
+subnet 10.0.0.0 netmask 255.255.255.0 {
+ range 10.0.0.2 10.0.0.254;
+ option routers 10.0.0.1;
+ option domain-name-servers 1.1.1.1;
+}
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range 192.168.2.100 192.168.2.254;
+ option routers 192.168.2.1;
+ option domain-name-servers 1.1.1.1;
+}
+subnet 172.16.0.0 netmask 255.255.0.0 {
+ range 172.16.0.2 172.16.0.254;
+ option routers 172.16.0.1;
+ option domain-name-servers 1.1.1.1,8.8.8.8;
+}
diff --git a/doas.conf b/doas.conf
new file mode 100644
index 0000000..d57c5ec
--- /dev/null
+++ b/doas.conf
@@ -0,0 +1 @@
+permit nopass kaa as root
diff --git a/fstab b/fstab
new file mode 100644
index 0000000..46852df
--- /dev/null
+++ b/fstab
@@ -0,0 +1,16 @@
+4e4ba49841012f73.b none swap sw
+4e4ba49841012f73.a / ffs rw 1 1
+
+#4e4ba49841012f73.d /tmp ffs rw,nodev,noatime,nosuid 1 2
+swap /tmp mfs rw,nodev,nosuid,async,-s1024m 0 0
+
+4e4ba49841012f73.k /home ffs rw,nodev,noatime,nosuid 1 2
+4e4ba49841012f73.f /usr ffs rw,nodev,noatime 1 2
+4e4ba49841012f73.g /usr/X11R6 ffs rw,nodev,noatime 1 2
+4e4ba49841012f73.h /usr/local ffs rw,wxallowed,nodev,noatime 1 2
+4e4ba49841012f73.j /usr/obj ffs rw,nodev,noatime,nosuid 1 2
+4e4ba49841012f73.i /usr/src ffs rw,nodev,noatime,nosuid 1 2
+4e4ba49841012f73.e /var ffs rw,nodev,noatime,nosuid 1 2
+
+4e4ba49841012f73.l /bank ffs rw,nodev,noatime,nosuid,noatime 0 2
+e220a59b5812fff0.c /mnt/a ffs rw,nodev,noatime,nosuid 0 2
diff --git a/hostname.alc0 b/hostname.alc0
new file mode 100644
index 0000000..145c243
--- /dev/null
+++ b/hostname.alc0
@@ -0,0 +1,5 @@
+# Gateway mode
+inet 192.168.2.1/24
+
+# Client mode
+#inet autoconf
diff --git a/hostname.athn0 b/hostname.athn0
new file mode 100644
index 0000000..132acc0
--- /dev/null
+++ b/hostname.athn0
@@ -0,0 +1,3 @@
+join "my net" wpakey mypass
+#inet autoconf
+down
diff --git a/hostname.bridge0 b/hostname.bridge0
new file mode 100755
index 0000000..634b6a0
--- /dev/null
+++ b/hostname.bridge0
@@ -0,0 +1,2 @@
+add vether0
+up
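Review bot: The third `subnet 172.16.0.0 netmask 255.255.0.0` block has no interface carrying a 172.16.0.0/16 address among the hostname.* files in this commit (alc0 is 192.168.2.1/24, vether0 is 10.0.0.1/24), and its `range 172.16.0.2 172.16.0.254` covers only the first /24 of the declared /16. If it is a leftover, dropping it keeps the served subnets in step with the gateway's addresses; if it is served through a relay, a comment naming that relay would explain why no local interface matches. Either way the netmask and the range should agree, e.g. `subnet 172.16.0.0 netmask 255.255.255.0 {`.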
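Review bot: `permit nopass kaa as root` lets the kaa account become root with no authentication at all, so any code that runs as that user (kaa is also the `owner` of the VM in vm.conf) has root for free. `permit persist kaa as root` keeps the convenience of not retyping the password on every call while still asking for it once per session, and a `cmd` restriction would narrow it further if only a few commands are needed. If passwordless root is the intent for this example, a comment saying so would stop readers copying it by accident.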
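Review bot: The `/bank` entry repeats `noatime` (`rw,nodev,noatime,nosuid,noatime`); the duplicate is harmless but should read `rw,nodev,noatime,nosuid` like the other lines. `/mnt/a`, which rc.conf.local uses as transmission's download directory, is mounted `nodev,nosuid` but not `noexec`; since untrusted files land there, `rw,nodev,noatime,nosuid,noexec` is worth considering unless something genuinely has to execute from that filesystem.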
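Review bot: `join "my net" wpakey mypass` puts a WPA key in a file the commit creates as mode 100644; hostname.if(5) recommends root:wheel mode 0640 for these files precisely because they can hold WPA and WireGuard keys, and the same applies to hostname.rtwn0 (`wpakey secret`) and hostname.wg0 (`wgkey`). The credentials here are placeholders, which is right for a published example, but a leading comment such as `# keep this file mode 0640 root:wheel - it contains the WPA key` would carry the requirement to whoever copies it. hostname.wg0, hostname.vether0 and hostname.bridge0 are also created as 100755; the executable bit has no meaning for hostname.if files and can be dropped.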
diff --git a/hostname.lo1 b/hostname.lo1
new file mode 100644
index 0000000..24d5c93
--- /dev/null
+++ b/hostname.lo1
@@ -0,0 +1,3 @@
+rdomain 1
+inet 127.0.0.1/8
+up
diff --git a/hostname.pair0 b/hostname.pair0
new file mode 100644
index 0000000..fee58ef
--- /dev/null
+++ b/hostname.pair0
@@ -0,0 +1,2 @@
+rdomain 0
+inet 192.168.7.1/24
diff --git a/hostname.pair1 b/hostname.pair1
new file mode 100644
index 0000000..3740df3
--- /dev/null
+++ b/hostname.pair1
@@ -0,0 +1,2 @@
+rdomain 1
+inet 192.168.7.2/24
diff --git a/hostname.rtwn0 b/hostname.rtwn0
new file mode 100644
index 0000000..865a9e5
--- /dev/null
+++ b/hostname.rtwn0
@@ -0,0 +1,2 @@
+join "My Network" wpakey secret
+inet autoconf
diff --git a/hostname.vether0 b/hostname.vether0
new file mode 100755
index 0000000..37ff656
--- /dev/null
+++ b/hostname.vether0
@@ -0,0 +1 @@
+inet 10.0.0.1 255.255.255.0
diff --git a/hostname.wg0 b/hostname.wg0
new file mode 100755
index 0000000..b4b0184
--- /dev/null
+++ b/hostname.wg0
@@ -0,0 +1,8 @@
+rdomain 1
+
+wgkey public
+wgpeer private wgaip ::0/0 wgaip 0.0.0.0/0 wgendpoint some.i.p.addr port
+inet6 fc00:bbbb:bbbb:bb01::8:4948/128
+inet 10.71.73.73/32
+wgrtable 0
+up
diff --git a/pf.conf b/pf.conf
new file mode 100755
index 0000000..b69d69e
--- /dev/null
+++ b/pf.conf
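Review bot: The placeholders on the `wgkey public` and `wgpeer private ...` lines are the wrong way round: per ifconfig(8), `wgkey` takes this interface's own private key and `wgpeer` names the remote side by its public key, so someone filling in the example would paste the private key where the peer's public key belongs and vice versa. Naming them for what they are, `wgkey <LOCAL-PRIVATE-KEY>` and `wgpeer <PEER-PUBLIC-KEY> wgaip ::0/0 wgaip 0.0.0.0/0 wgendpoint <ENDPOINT-ADDR> <PORT>`, removes the ambiguity, and the `some.i.p.addr` placeholder would then also agree with the literal `wgremote=` value used in rc.securelevel. The rest reads consistently with the README: the tunnel sits in `rdomain 1` while `wgrtable 0` sends the encrypted outer traffic through the main table.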
@@ -0,0 +1,107 @@
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+set skip on lo
+set skip on lo1
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# By default, do not permit remote connections to X11
+#block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# VM networking.
+bridge = "vether0"
+match out on egress from $bridge:network to any nat-to (egress)
+
+# play difficult
+block on egress all
+
+# enable torrent
+pass out quick on egress proto tcp to any user _transmission
+pass in quick on egress proto tcp from any user _transmission
+pass quick on egress proto udp from any user _transmission
+pass quick on egress proto tcp from any user _transmission
+
+# enable openvpn
+pass quick on egress proto udp user _openvpn
+
+tcp_services = "{ssh, smtp, domain, www, pop3, auth, http, https, pop3s, irc, openvpn, git, imaps, imap, smtps, vnc}"
+# These services are not marked in /etc/services
+dict = "2628"
+# http without binding to port 80
+althttp = "8080"
+
+pass proto tcp to port $tcp_services
+# Port 587 used by disroot.
+pass proto tcp to port 587
+pass proto tcp to port $dict
+pass proto tcp to port $althttp
+
+pass proto tcp to port nfs
+pass proto udp to port nfs
+
+# DMS for Roku.
+dms="1900"
+dms_http="1338"
+pass proto tcp to port $dms
+pass proto udp to port $dms
+pass proto tcp to port $dms_http
+pass proto udp to port $dms_http
+dms_roku="35888"
+pass proto udp to port $dms_roku
+
+# Traceroute
+trace="33434"
+pass proto udp to port $trace
+
+# Enable LPR printing.
+lpr="515"
+pass proto tcp to port $lpr
+
+# Enable SANE.
+pass proto tcp to port sane-port
+pass proto udp to port sane-port
+
+# Enable BJNP.
+bjnp_print="8612"
+bjnp_scan="8613"
+pass proto tcp to port $bjnp_print
+pass proto udp to port $bjnp_print
+pass proto tcp to port $bjnp_scan
+pass proto udp to port $bjnp_scan
+
+# Enable IRC.
+irc="6667"
+pass proto tcp to port $irc
+
+udp_services = "{domain, openvpn}"
+pass out proto udp to port $udp_services
+
+# Broken DAC. Allow incoming traffic on port 12345 for it.
+dac="12345"
+pass proto tcp to port $dac
+
+# Remote sndio connection. See https://www.openbsd.org/faq/faq13.html
+# Prioritize. See pf.conf(5)
+sndio=11025
+pass proto tcp to port $sndio set prio 4
+# https://man.openbsd.org/pf.conf#QUEUEING
+
+# Xonotic
+xonotic = "26000"
+pass out proto tcp to port $xonotic
+pass out proto udp to port $xonotic
+pass in proto tcp to port $xonotic
+pass in proto udp to port $xonotic
+
+# drawterm
+pass proto tcp to port {17010,17013,17019,17020,567}
+# see drawterm/kern/devip.c
+# see https://plan9.io/wiki/plan9/drawterm/index.html
+# I like ICMP ping.
+pass proto icmp from any to any
diff --git a/rc.conf.local b/rc.conf.local
new file mode 100644
index 0000000..b2e25c0
--- /dev/null
+++ b/rc.conf.local
@@ -0,0 +1,14 @@
+dhcpd_flags=
+ftpd_flags=
+ftpproxy_flags=
+httpd_flags=
+ntpd_flags=NO
+pkg_scripts=cupsd cups_browsed saned transmission_daemon pfstatd
+portmap_flags=
+relayd_flags=
+resolvd_flags=NO
+sndiod_flags=-s default -m play,mon -s mon -L- -b 9600 -r 41000
+sndiod_rtable=1
+transmission_daemon_flags=-w /mnt/a/torrent -a 127.0.0.1,192.168.*.*,10.71.73.73,localhost
+transmission_daemon_rtable=1
+vmd_flags=
diff --git a/rc.securelevel b/rc.securelevel
new file mode 100644
index 0000000..9e0d45e
--- /dev/null
+++ b/rc.securelevel
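Review bot: After `block on egress all`, the service rules from `pass proto tcp to port $tcp_services` down to `pass proto tcp to port {17010,17013,17019,17020,567}` carry no direction and no interface, so as later-matching rules they pass traffic in both directions on egress as well and re-open inbound ssh, smtp, vnc, NFS (`pass proto tcp to port nfs`), the DMS/BJNP/LPR/sndio ports and the rest to the upstream network; only the `$dac` rule is commented as intentionally inbound. The client-side rules should say `pass out proto tcp to port $tcp_services` (and likewise for the other services), with one explicit inbound list such as `pass in on egress proto tcp to port { ssh, $dac }` for what really must be reachable from outside; the default `pass # establish keep-state` already leaves the LAN-facing interfaces open, so the inbound list only needs to cover egress. `pass proto icmp from any to any` likewise admits every ICMP type inbound where `pass proto icmp icmp-type { echoreq, unreach }` would cover ping and path-MTU replies. A smaller point in the torrent section: `pass quick on egress proto tcp from any user _transmission` already covers both directions, so the two directional `_transmission` tcp rules above it are redundant.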
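Review bot: `sndiod_flags=... -L- ...` makes sndiod accept TCP connections on every address, and with `sndiod_rtable=1` that means every address in the VPN routing domain, including the WireGuard address 10.71.73.73, which pf passes to `$sndio` from any direction; sndio's only protection on such connections is the per-user cookie, so the listener should be pinned to the one address the remote client actually uses, e.g. `-L 192.168.7.2` for a client reached through the pair interfaces, or `-L 10.71.73.73` if it really is meant to arrive over the tunnel. `ntpd_flags=NO` leaves TLS certificate validation and log timestamps dependent on the RTC alone; if that is deliberate (for instance because time is synced another way), a comment saying so would help the next reader. `resolvd_flags=NO` reads as intentional given the rdomain-1 VPN setup, but the same one-line comment would make that explicit.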
@@ -0,0 +1,13 @@
+# lo0
+route -T1 add localhost localhost
+# rtwn0
+gate=$(route -T0 get default | awk '/gateway/ {print $2 }')
+# wg0
+wgremote=111.222.111.222
+wgdevice4=10.71.73.73
+wgdevice6=fc00:bbbb:bbbb:bb01::8:4948
+route -T1 add -inet6 default $wgdevice6
+route -T1 add default $wgdevice4
+
+# Pair to tunnel transmission web service
+ifconfig pair0 patch pair1
diff --git a/relayd.conf b/relayd.conf
new file mode 100755
index 0000000..1b38845
--- /dev/null
+++ b/relayd.conf
@@ -0,0 +1,5 @@
+table { 192.168.7.2 }
+relay www {
+ listen on 0.0.0.0 port 9091
+ forward to port 9091 check tcp
+}
diff --git a/sysctl.conf b/sysctl.conf
new file mode 100644
index 0000000..a89ee31
--- /dev/null
+++ b/sysctl.conf
@@ -0,0 +1,3 @@
+machdep.lidaction=0
+net.inet.ip.forwarding=1
+kern.maxfiles=99999
diff --git a/vm.conf b/vm.conf
new file mode 100755
index 0000000..fc56bc9
--- /dev/null
+++ b/vm.conf
@@ -0,0 +1,15 @@
+switch "uplink" {
+ interface bridge0
+}
+vm "alp" {
+ disable
+ memory 1024M
+ cdrom "/var/vm/alpine-standard-3.18.2-x86_64.iso"
+ disk "/var/vm/alp.qcow2"
+ owner kaa
+ interface {
+ lladdr 52:54:00:00:EE:04
+ switch "uplink"
+ }
+
+}
--
cgit v1.2.3
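Review bot: `gate=$(route -T0 get default | awk ...)` and `wgremote=111.222.111.222` are assigned but never used in this file, so the `route -T0 get default` pipeline runs at every boot for nothing and the `# rtwn0` comment above it describes a step that does not happen. Either delete both lines, or, if a host route for the WireGuard endpoint via the rdomain-0 gateway was intended, add it with a comment; with `wgrtable 0` in hostname.wg0 the outer traffic already follows rtable 0's default route, so the explicit route is normally unnecessary. The `wgremote` literal also disagrees with the `some.i.p.addr` placeholder in hostname.wg0, which is one more reason to keep the endpoint in a single place. The remaining lines (localhost, the v4 and v6 defaults into rdomain 1 via the wg addresses, the pair patch) read fine.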
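Review bot: `listen on 0.0.0.0 port 9091` binds the transmission RPC relay to every rdomain-0 address; pf blocks it on egress (9091 is in no pass list) but the LAN on alc0 and the VM bridge on vether0 keep the default pass, so anything on those networks reaches the torrent control interface. `listen on 127.0.0.1 port 9091` (or the single LAN address that should have it) narrows that to the intended clients. Because transmission sees the relay's own address 192.168.7.1, which matches `192.168.*.*` in its `-a` list, the daemon-side allow-list cannot tell clients apart, so the relay's listen address is the only real access control here unless transmission additionally requires RPC authentication, which rc.conf.local does not show. The `table { 192.168.7.2 }` and `forward to port 9091` lines appear to have lost the angle-bracketed table name in rendering; relayd.conf(5) expects `table <NAME> { 192.168.7.2 }` and `forward to <NAME> port 9091 check tcp`.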
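Review bot: `cdrom "/var/vm/alpine-standard-3.18.2-x86_64.iso"` points at an Alpine 3.18 image, a release that as far as I recall left support in spring 2025; worth verifying and moving to a current image before the VM is installed from it, and a short comment recording that the ISO's published checksum was checked would round out the example. Since the VM is `disable`d, nothing here runs at boot, so this is only about the install source and the `owner kaa` line, which simply names who may drive it via vmctl.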