A Few of My Favorite Things About The OpenBSD Packet Filter Tools

Source: peter.hansteen - Dec 31, 2022 The OpenBSD packet filter PF was introduced a little more than 20 years ago as part of OpenBSD 3.0. We’ll take a short tour of PF features and tools that I have enjoyed using. NOTE: If you are more of a slides person, the condensate for a SEMIBUG user group meeting is available here. A version with “classical” formatting but no trackers is available here. ...

April 8, 2026 · 22 min

OpenBSD Routing Tables and Routing Domains

Source: unfriendlygrinch - Mar 16, 2022 Traditionally speaking, the OpenBSD kernel routing system has a single table for routes. This means it only allows non-conflicting IP address assignments and all network interfaces on the system are connected to a single routing table. Therefore, by default, all interfaces on an OpenBSD server belong to rdomain 0. Assuming that IP Forwarding is enabled and pf(4) allows it, traffic will flow freely between all interfaces. This functionality is also present in userland tools such as dhclient(8), dhcpd(8), and in the routing protocol daemons ospfd(8), and bgpd(8). The ability to have routing domains first appeared in OpenBSD 4.6, allowing for virtual routing and firewalling. ...

April 8, 2026 · 7 min

Virtualizing the OpenBSD Routing Table

Source: packetmischief - September 20, 2011 The OpenBSD routing table can be carved into multiple virtual routing tables allowing complete logical separation of attached networks. This article gives a brief overview of rtables and explains how to successfully leak traffic between virtual routing domains. The ability to virtualize the routing table in OpenBSD first appeared in version 4.6. Since then the functionality has matured nicely with support for virtual routing tables now present in userland tools such as dhclient(8) and dhcpd(8) and in the routing protocol daemons ripd(8), ospfd(8), and bgpd(8). Kernel side, pf(4) has been extended to handle filtering of packets based on the routing table they came in on as well as being able to move packets between routing tables. This article will concentrate on the latter with examples of how to set up separate routing tables and leak traffic between them successfully. ...

April 8, 2026 · 8 min

Installing headscale on OpenBSD

Source: zakaria - Published on 2022-02-15 and updated on 2025-11-20 Note: This guide is severely out of date. The author recommends using ssl-proxy instead of relayd due to changes in the Tailscale protocol regarding web-sockets. In this post I’ll detail the steps I took to install and configure headscale, an open-source self-hostable implementation of the Tailscale control server, on OpenBSD. Code blocks prefixed with # imply that the command should be run as a privileged user/root. ...

April 8, 2026 · 3 min

Howto: WireGuard on OpenBSD

Source: IANIX - Updated: June 28, 2022 Running WireGuard on OpenBSD is easy and pleasant. This is a minimalist howto for getting a basic server/client pair running such as in a “roadwarrior” or VPS setting.

OpenBSD server setup

On your existing OpenBSD server type the following as root:

    pkg_add wireguard-tools
    sysctl net.inet.ip.forwarding=1
    sysctl net.inet6.ip6.forwarding=1
    echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
    echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf
    mkdir -p /etc/wireguard
    chmod 700 /etc/wireguard
    cd /etc/wireguard
    wg genkey > secret.key
    chmod 600 secret.key
    wg pubkey < secret.key > public.key

Now, create /etc/wireguard/wg0.conf. It should look something like this: ...

April 7, 2026 · 4 min