Tested on OpenBSD 6.8
It's no secret that consumer routers have security problems (600 CVEs between 1999 and January of 2017, and those were only the disclosed vulnerabilities) as a result of poorly engineered software. The paper “So You Think Your Router Is Safe?“ addresses this subject well.
For a while, I was running DD-WRT on a Netgear R7000P as my router. Even though it's leagues better than the stock firmware (not a very high bar to clear) and makes for a capable access point (AP), it has some pain points as a router. Here are a few that come to mind.
/
(SquashFS).Lastly, one complaint that doesn't concern routing: if DD-WRT acts as an access point, clicking ‘Apply settings’ in the web interface necessitates reassociation due to DD-WRT resetting its network interfaces.
DD-WRT is powerful set-and-forget consumer firmware, don't get me wrong–I'd still recommend it over proprietary firmware. That said, I was constantly wishing that I could peel back the layers of abstraction and manage routing in a more transparent fashion. As someone who's been bitten by the OpenBSD bug (or pufferfish, same difference), the solution that came to mind was to build my own router. So I did, and what follows is how I did it.
Note that I still use the Netgear R7000P as a bridged AP. OpenBSD's AP support is a work in progress and an order of magnitude slower than a bridged AP in my case.
To purchase an APU4D4 or similar, visit PC Engines. Their boards come with coreboot preinstalled and so far it's been a great experience.
Include a USB to DB9F serial adapter in your purchase, as it's needed for the installation.
Consult the manual for assembly instructions.
Download, verify, and flash the amd64 image that includes the file sets
(installXX.img)
to a USB drive. OpenBSD's FAQ covers
this.
Connect to the serial port. I run OpenBSD on my laptop, so I use
cu(1)
for serial connections.
# cu -l cuaU0 -s 115200
This indicates the line to use (-l)
and the baud rate (-s)
. The APU4D4
requires a baud rate of 115200
.
Now that you're connected, use this OpenBSD APU4D4 installation guide.
Do the usual, e.g. read
afterboot(8)
, check your mail,
etc. After that, there's a couple of things you'll probably want to
implement.
pppoe(4)
.unbound(8)
, see
genblock.As always, give official OpenBSD documentation preferential treatment and cross-reference it when using unofficial documentation. Keep it simple and if you don't understand something, don't change it.
I like to use a VPN on my home network, as I don't trust my ISP and it's
a good fallback for traffic that doesn't use Tor. Using WireGuard is
pretty straightforward; wg-quick
is the easiest way, though WireGuard
can be directly configured with
ifconfig(8)
as well.
Note that I only use IPv4 for the sake of simplicity. Additional steps are needed if IPv6 tunneling is required.
wg-quick
Install wireguard-tools
.
# pkg_add wireguard-tools
Bring the wg(4)
interface up using
wg-quick
(omit the filename extension for conf filename).
# wg-quick up [conf filename]
Modify your nat-to
entry in
pf.conf(5)
accordingly.
match out on wg inet from !(wg:network) to any nat-to (wg:0)
Test the configuration.
# pfctl -f /etc/pf.conf -nvv
If everything looks right, load pf.conf(5)
.
# pfctl -f /etc/pf.conf
Verify from a connected client.
$ curl ifconfig.me && printf '\n'
If everything's up and working, place the following in
/etc/rc.local
so a WireGuard connection is established on boot.
/usr/local/bin/wg-quick up [conf filename]
This works just fine–that said, ifconfig
has the advantage of no
dependencies.
ifconfig
Create wg0
.
# ifconfig wg0 create
Add the private key.
# ifconfig wg0 wgkey [private key]
Add the public key and related options.
# ifconfig wg0 wgpeer [public key] \
wgendpoint [endpoint addr] [port] \
wgaip 0.0.0.0/0
Add the IP address specified in your WireGuard configuration file.
# ifconfig wg0 [if addr]
Set up the relevant routing table entries.
# route -qn add -inet 0.0.0.0/1 -iface [if addr]
# route -qn add -inet 128.0.0.0/1 -iface [if addr]
# route -qn delete -inet [endpoint addr]
# route -qn add -inet [endpoint addr] -gateway [gateway addr]
Modify your nat-to
entry in
pf.conf(5)
accordingly.
match out on wg inet from !(wg:network) to any nat-to (wg:0)
Test the configuration.
# pfctl -f /etc/pf.conf -nvv
If everything looks right, load pf.conf(5)
.
# pfctl -f /etc/pf.conf
Verify from a connected client.
$ curl ifconfig.me && printf '\n'
If everything's up and working, place the following in
/etc/hostname.wg0
so a WireGuard connection is established on boot.
wgkey [private key]
wgpeer [public key] \
wgendpoint [endpoint addr] [port] \
wgaip 0.0.0.0/0
inet [if addr]
!route -qn add -inet 0.0.0.0/1 -iface [if addr]
!route -qn add -inet 128.0.0.0/1 -iface [if addr]
!route -qn delete -inet [endpoint addr]
!route -qn add -inet [endpoint addr] -gateway [gateway addr]
127.0.0.1
is used for DNS or your router won't use
unbound(8)
. See
resolv.conf(5)
.forward-addr
in
unbound.conf(5)
.Don't set forward-first: yes
or you'll experience DNS leaks whenever
the upstream resolver fails.