💾 Archived View for perso.pw › blog › rss.xml captured on 2021-12-17 at 13:26:06.
⬅️ Previous capture (2021-12-05)
-=-=-=-=-=-=-
<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>Solene'%</title> <description></description> <link>gemini://perso.pw/blog/</link> <atom:link href="gemini://perso.pw/blog/rss.xml" rel="self" type="application/rss+xml" /> <item> <title>OpenVPN on OpenBSD in its own rdomain to prevent data leak</title> <description> <![CDATA[ <pre># Introduction Today I will explain how to establish an OpenVPN tunnel through a dedicated rdomain to only expose the VPN tunnel as an available interface, preventing leaks outside of the VPN. I did the same recently for WireGuard tunnels but it had an integrated mechanism for this. Let's reuse the network diagram from the WireGuard text to explain:
+-------------+
| server | tun0 remote peer
| |---------------+
+-------------+ |
| public IP |
| 1.2.3.4 |
| |
| |
/\/\/\/\/\/\/\ |OpenVPN
| internet | |VPN
\/\/\/\/\/\/\/ |
| |
| |
|rdomain 1 |
+-------------+ |
| computer |---------------+
+-------------+ tun0
rdomain 0 (default)
We have our computer and have been provided an OpenVPN configuration file, we want to establish the OpenVPN toward the server 1.2.3.4 using rdomain 1. We will set our network interfaces into rdomain 1 so when the VPN is NOT up, we won't be able to connect to the Internet (without the VPN). # Network configuration Add "rdomain 1" to your network interfaces configuration file like "/etc/hostname.trunk0" if you use a trunk interface to aggregate Ethernet/wifi interfaces into an automatic fail over trunk, or in each interface you are supposed to use regularly. I suppose this setup is mostly interesting for wireless users. Create a "/etc/hostname.tun0" file that will be used to prepare the tun0 interface for OpenVPN, add "rdomain 0" to the file, this will be enough to create the tun0 interface at startup. (Note that "up" would work too but if you open your files it will be easier to understand you have different rdomains in your interfaces). Run "sh /etc/netstart" as root to apply changes done to the files, you should have your network interfaces in rdomain 1 now. # OpenVPN configuration From here, I assume your OpenVPN configuration works. The OpenVPN client/server setup is out of the scope of this text. We will use rcctl to ensure openvpn service is enabled (if it's already enabled this is not an issue), then we will configure it to use rtable 1 to run, this mean it will connect through the interfaces in the rdomain 1. If your OpenVPN configuration runs a script to set up the route(s) (through "up /etc/something..." directive in the configuration file), you will have to by add parameter -T0 to the command route in the script. This is important because openvpn will run in rdomain 1 so calls to "route" will apply to routing table 1, so you must change the route command to apply the changes in routing table 0.
rcctl enable openvpn
rcctl set openvpn rtable 1
rcctl restart openvpn
Now, you should have your tun0 interface in rdomain 0, being the default route and the other interfaces in rdomain 1. If you run any network program it will go through the VPN, if the VPN is down, the programs won't connect to the Internet (which is the wanted behavior here). # Conclusion The rdomain and routing tables concepts are powerful tools but they are not always easy to grasp, especially in a context of a VPN mixing both (one for connectivity and one for the tunnel). People using VPN certainly want to prevent their programs to not go through the VPN and this setup is absolutely effective in that task. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-openvpn-exit.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-openvpn-exit.gmi</link> <pubDate>Thu, 16 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Persistency management of memory based filesystem on OpenBSD</title> <description> <![CDATA[ <pre># Introduction For saving my SSD and also speeding up my system, I store some cache files into memory using the mfs filesystem on OpenBSD. But that would be nice to save the content upon shutdown and restore it at start, wouldn't it? I found that storing the web browser cache in a memory filesystem drastically improve its responsiveness, but it's hard to make measurements of it. Let's do that with a simple rc.d script. # Configuration First, I use a mfs filesystem for my Firefox cache, here is the line in /etc/fstab
/dev/sd3b /home/solene/.cache/mozilla mfs rw,-s400M,noatime,nosuid,nodev 1 0
This mean I have a 400 MB partition using system memory, it's super fast but limited. tmpfs is disabled in the default kernel because it may have issues and is not well enough maintained, so I stick with mfs which is available out of the box. (tmpfs is faster and only use memory when storing file, while mfs reserves the memory chunk at first). # The script We will write /etc/rc.d/persistency with the following content, this is a simple script that will store as a tgz file under /var/persistency every mfs mountpoint found in /etc/fstab when it receives the "stop" command. It will also restore the files at the right place when receiving the "start" command.
STORAGE=/var/persistency/
if [[ "$1" == "start" ]]
then
install -d -m 700 $STORAGE
for mountpoint in $(awk '/ mfs / { print $2 }' /etc/fstab)
do
tar_name="$(echo ${mountpoint#/} | sed 's,/,_,g').tgz"
tar_path="${STORAGE}/${tar_name}"
test -f ${tar_path}
if [ $? -eq 0 ]
then
cd $mountpoint
if [ $? -eq 0 ]
then
tar xzfp ${tar_path} && rm ${tar_path}
fi
fi
done
fi
if [[ "$1" == "stop" ]]
then
install -d -m 700 $STORAGE
for mountpoint in $(awk '/ mfs / { print $2 }' /etc/fstab)
do
tar_name="$(echo ${mountpoint#/} | sed 's,/,_,g').tgz"
cd $mountpoint
if [ $? -eq 0 ]
then
tar czf ${STORAGE}/${tar_name} .
fi
done
fi
All we need to do now is to use "rcctl enable persistency" so it will be run with start/stop at boot/shutdown times. # Conclusion Now I'll be able to carry my Firefox cache across reboots while keeping it in mfs.
hardware.nvidia.modesetting.enable = true;
hardware.nvidia.prime.sync.allowExternalGpu = true;
hardware.nvidia.prime.offload.enable = true;
hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
services.xserver.videoDrivers = ["nvidia" ];
A few notes about the previous chunk of config: - only add nvidia to the list of video drivers, at first I was adding modesetting but this was creating troubles - the PCI bus ID can be found with lspci, it has to be translated in decimal, here my nvidia id is 10:0:0 but in lspci it's 0a:00:00 with 0a being 10 in hexadecimal => https://nixos.wiki/wiki/Nvidia#offload_mode NixOS wiki about nvidia offload mode # How to use it The use of offloading is controlled by environment variables. What's pretty cool is that if you didn't connect the eGPU, it will still work (with integrated GPU). ## Running a command We can use glxinfo to be sure it's working, add the environment as a prefix:
__NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia glxinfo
## In Steam Modify the command line of each game you want to run with the eGPU (it's tedious), by:
__NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia %command%
## In Lutris Lutris has a per-game or per-runner setting named "Enable Nvidia offloading", you just have to enable it. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/nixos-egpu.gmi</guid> <link>gemini://perso.pw/blog//articles/nixos-egpu.gmi</link> <pubDate>Sun, 05 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Using awk to pretty-display OpenBSD packages update changes</title> <description> <![CDATA[ <pre># Introduction You use OpenBSD and when you upgrade your packages you often wonder which one is a rebuild and which one is a real version update? The packages updates are logged in /var/log/messages and using awk it's easy to achieve some kind of report. # Command line The typical update line will display the package name, its version, a "->" and the newer version of the installed package. By verifying if the newer version is different from the original version, we can report updated packages. awk is already installed in OpenBSD, so you can run this command in your terminal without any other requirement.
awk -F '-' '/Added/ && /->/ { sub(">","",$0) ; if( $(NF-1) != $NF ) { $NF=" => "$NF ; print }}' /var/log/messages
The output should look like this (after a pkg_add -u):
Dec 4 12:27:45 daru pkg_add: Added quirks 4.86 => 4.87
Dec 4 13:01:01 daru pkg_add: Added cataclysm dda 0.F.2v0 => 0.F.3p0v0
Dec 4 13:01:05 daru pkg_add: Added ccache 4.5 => 4.5.1
Dec 4 13:04:47 daru pkg_add: Added nss 3.72 => 3.73
Dec 4 13:07:43 daru pkg_add: Added libexif 0.6.23p0 => 0.6.24
Dec 4 13:40:41 daru pkg_add: Added kakoune 2021.08.28 => 2021.11.08
Dec 4 13:43:27 daru pkg_add: Added kdeconnect kde 1.4.1 => 21.08.3
Dec 4 13:46:16 daru pkg_add: Added libinotify 20180201 => 20211018
Dec 4 13:51:42 daru pkg_add: Added libreoffice 7.2.2.2p0v0 => 7.2.3.2v0
Dec 4 13:52:37 daru pkg_add: Added mousepad 0.5.7 => 0.5.8
Dec 4 13:52:50 daru pkg_add: Added munin node 2.0.68 => 2.0.69
Dec 4 13:53:01 daru pkg_add: Added munin server 2.0.68 => 2.0.69
Dec 4 13:53:14 daru pkg_add: Added neomutt 20211029p0 gpgme sasl 20211029p0 gpgme => sasl
Dec 4 13:53:20 daru pkg_add: Added nethack 3.6.6p0 no_x11 3.6.6p0 => no_x11
Dec 4 13:58:53 daru pkg_add: Added ristretto 0.12.0 => 0.12.1
Dec 4 14:01:07 daru pkg_add: Added rust 1.56.1 => 1.57.0
Dec 4 14:02:33 daru pkg_add: Added sysclean 2.9 => 3.0
Dec 4 14:03:57 daru pkg_add: Added uget 2.0.11p4 => 2.2.2p0
Dec 4 14:04:35 daru pkg_add: Added w3m 0.5.3pl20210102p0 image 0.5.3pl20210102p0 => image
Dec 4 14:05:49 daru pkg_add: Added yt dlp 2021.11.10.1 => 2021.12.01
# Limitations The command seems to mangle the separators when displaying the result and doesn't work well with flavors packages that will always be shown as updated. At least it's a good start, it requires a bit more polishing but that's already useful enough for me. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-package-update-report.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-package-update-report.gmi</link> <pubDate>Sat, 04 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>The state of Steam on OpenBSD</title> <description> <![CDATA[ <pre># Introduction There is a very common question within the OpenBSD community, mostly from newcomers: "How can I install Steam on OpenBSD?". The answer is: You can't, there is no way, this is impossible, period. # Why? Steam is a closed source program, while it's now also available on Linux doesn't mean it run on OpenBSD. The Linux Steam version is compiled for linux and without the sources we can't port it on OpenBSD. Even if Steam was able to be installed and could be launched, games are not made for OpenBSD and wouldn't work either. On FreeBSD it may be possible to install Windows Steam using Wine, but Wine is not available on OpenBSD because it require some specific Kernel memory management we don't want to implement for security reasons (I don't have the whole story), but FreeBSD also has a Linux compatibility mode to run Linux binaries, allowing to use programs compiled for Linux. This linux emulation layer has been dropped in OpenBSD a few years ago because it was old and unmaintained, bringing more issues than helping. So, you can't install Steam or use it on OpenBSD. If you need Steam, use a supported operating system. I wanted to make an article about this in hope my text will be well referenced within search engines, to help people looking for Steam on OpenBSD by giving them a reliable answer. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-steam.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-steam.gmi</link> <pubDate>Wed, 01 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Nethack: end of Sery the Tourist</title> <description> <![CDATA[ <pre>Hello, if you remember my previous publications about Nethack and my character "Sery the tourist", I have bad news. On OpenBSD, nethack saves are stored in /usr/local/lib/nethackdir-3.6.0/logfile and obviously I didn't save this when changing computer a few months ago. I'm very sad of this data loss because I was enjoying a lot telling the story of the character while playing. Sery reached 7th floor while being a Tourist, which is incredible given all the nethack plays I've done and this one was going really well. I don't know if you readers enjoyed that kind of content, if so please tell me so I may start a new game and write about it. As an end, let's say Sery stayed too long in 7th floor and the Langoliers came to eat the Time of her reality. => https://stephenking.fandom.com/wiki/Langoliers Langoliers on Stephen King wiki fandom </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/nethack-end-of-sery.gmi</guid> <link>gemini://perso.pw/blog//articles/nethack-end-of-sery.gmi</link> <pubDate>Sat, 27 Nov 2021 00:00:00 GMT</pubDate> </item> <item> <title>Simple network dashboard with vnstat</title> <description> <![CDATA[ <pre># Introduction Hi! If you run a server or a router, you may want to have a nice view of the bandwidth usage and statistics. This is easy and quick to achieve using vnstat software. It will gather data regularly from network interfaces and store it in rrd files, it's very efficient and easy to use, and its companion program vnstati can generate pictures, perfect for easy visualization. => static/vnstat-dashboard.png My simple router network dashboard with vnstat => https://humdi.net/vnstat/ vnstat project homepage # Setup (on OpenBSD) Simply install vnstat and vnstati packages with pkg_add. All the network interfaces will be added to vnstatd databases to be monitored.
Create a script in /var/www/htdocs/dashboard and make it executable:
cd /var/www/htdocs/dashboard/ || exit 1
vnstati --fiveminutes 60 -o 5.png
vnstati -c 60 -vs -o vs.png
vnstati -c 60 --days 14 -o d.png
vnstati -c 300 --months 5 -o m.png
and create a simple index.html file to display pictures:
<html>
<body>
<div style="display: inline-block;">
<img src="vs.png" /><br />
<img src="d.png" /><br />
<img src="m.png" /><br />
</div>
<img src="5.png" /><br />
</body>
</html>
Add a cron as root to run the script every 10 minutes using _vnstat user:
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
My personal crontab runs only from 8h to 23h because I will never look at my dashboard while I'm sleeping so I don't need to keep it updated, just replace * by 8-23 for the hour field. # Http server Obviously you need to serve /var/www/htdocs/dashboard/ from your http server, I won't cover this step in the article. # Conclusion Vnstat is fast, light and easy to use, but yet it produces nice results. As an extra, you can run the vnstat commands (without the i) and use the raw text output to build an pure text dashboard if you don't want to use pictures (or http). </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/simple-bandwidth-dashboard.gmi</guid> <link>gemini://perso.pw/blog//articles/simple-bandwidth-dashboard.gmi</link> <pubDate>Thu, 25 Nov 2021 00:00:00 GMT</pubDate> </item> <item> <title>OpenBSD and Linux comparison: data transfer benchmark</title> <description> <![CDATA[ <pre># Introduction I had a high suspicion about something but today I made measurements. My feeling is that downloading data from OpenBSD use more "upload data" than on other OS I originally thought about this issue when I found that using OpenVPN on OpenBSD was limiting my download speed because I was reaching the upload limit of my DSL line, but it was fine on Linux. From there, I've been thinking since then that OpenBSD was using more out data but I never measured anything before. # Testing protocol Now that I have an OpenBSD router it was easy to make the measures with a match rule and a label. I'll be downloading a specific file from a specific server a few times with each OS, so I'm adding a rule matching this connection.
match proto tcp from 10.42.42.32 to 145.238.169.11 label benchmark
Then, I've been downloading this file three times per OS and resetting counter after each download and saved the results from "pfctl -s labels" command. => http://ftp.fr.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz OpenBSD comp70.tgz file from an OpenBSD mirror The variance of each result per OS was very low, I used the average of each columns as the final result per OS. # Raw results
OS total packets total bytes packets OUT bytes OUT packets IN bytes IN
----- ------------- ----------- ----------- --------- ---------- --------
OpenBSD 175348 158731602 72068 3824812 10328 154906790
OpenBSD 175770 158789838 72486 3877048 10328 154912790
OpenBSD 176286 158853778 72994 3928988 10329 154924790
Linux 154382 157607418 51118 2724628 10326 154882790
Linux 154192 157596714 50928 2713924 10326 154882790
Linux 153990 157584882 50728 2705092 10326 154879790
# About the results A quick look will show that OpenBSD sent +42% OUT packets compared to Linux and also +42% OUT bytes, meanwhile the OpenBSD/Linux IN bytes ratio is nearly identical (100.02%). => static/network-usage-packets.png Chart showing the IN and OUT packets of Linux and OpenBSD side by side # Conclusion I'm not sure what to conclude except that now, I'm sure there is something here requiring investigation. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-network-usage-mystery.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-network-usage-mystery.gmi</link> <pubDate>Sun, 14 Nov 2021 00:00:00 GMT</pubDate> </item> <item> <title>How I ended up liking GNOME</title> <description> <![CDATA[ <pre># Introduction Hi! This was a while without much activity on my blog, the reason is that I stabbed through my right index with a knife by accident, the injury was so bad I can barely use my right hand because I couldn't move my index at all without pain. So I've been stuck with only my left hand for a month now. Good news, it's finally getting better :) Which leads me to the topic of this article, why I ended liking GNOME! # Why I didn't use GNOME I will first start about why I didn't use it before. I like to try everything all the time, I like disruption, I like having an hostile (desktop/shell/computer) environment to stay sharp and not being stuck on ideas. My current setup was using Fvwm or Stumpwm, mostly keyboard driven, with many virtual desktop to spatially regroup different activities. However, with an injured hand, I've been facing a big issue, most of my key binding were for two hands and it seemed too weird for me to change the bindings to work with one hand. I tried to adapt using only one hand, but I got poor results and using the cursor was not very efficient because stumpwm is hostile to cursor and fvwm is not really great for this either. # The road to GNOME With only one hand to use my computer, I found the awesome program ibus-typing-booster to help me typing by auto completing words (a bit like on touchscreen phones), it worked out of the box with GNOME due to the ibus integration working well. I used GNOME to debug the package but ended liking it in my current condition. How do I like it now, while I was pestling about it a few months ago as I found it very confusing? Because it's easy to use and spared me movements with my hands, absolutely.
function fzf-histo {
RES=$(fzf --tac --no-sort -e < $HISTFILE)
test -n "$RES" || exit 0
eval "$RES"
}
bind -m ^R=fzf-histo^J
Reload your file or start a new shell, Ctrl+R should now run fzf for a more powerful history search. Don't forget to install fzf package. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/ksh-fzf.gmi</guid> <link>gemini://perso.pw/blog//articles/ksh-fzf.gmi</link> <pubDate>Sun, 17 Oct 2021 00:00:00 GMT</pubDate> </item> <item> <title>Typing faster with assistive technology</title> <description> <![CDATA[ <pre># Introduction This article is being written only using my left hand with the help of ibus-typing-booster program. => https://mike-fabian.github.io/ibus-typing-booster/ ibus-typing-booster project The purpose of this tool is to assist the user by proposing words while typing, a bit like smartphones do. It can be trained with a dictionary, a text file but also learn from user inputs over time. A package for OpenBSD is on the tracks. # Installation This program requires ibus to work, on Gnome it is already enabled but in other environments some configuration are required. Because this may be subject to change over time and duplicating information is bad, I'll give the links for configuring ibus-typing-booster. => https://mike-fabian.github.io/ibus-typing-booster/docs/user/#1 How to enable ibus-typing-booster # How to use Once you have setup ibus and ibus-typing-booster you should be able to switch from normal input to assisted input using "super"+space. When you type with ibus-typing-booster enabled, with default settings, the input should be underlined to show a suggestion can be triggered using TAB key. Then, from a popup window you can pick a word by using TAB to cycle between the suggestions and pressing space to validate, or use the F key matching your choice number (F1 for first, F2 for second etc...) and that's all. # Configuration There are many ways to configure it, suggestions can be done inline while typing which I think is more helpful when you type slowly and you want a quick boost when the suggestion is correct. The suggestions popup can be vertical or horizontal, I personally prefer horizontal which is not the default. Colors and key bindings can changed. # Performance While I type very fast when I have both my hands, using one hand requires me to look the keyboard and make a lot of moves with my hand. This work fine and I can type reasonably fast but this is extremely exhausting and painful for my hand. With ibus-typing-booster I can type full sentences with less efforts but a bit slower. However this is a lot more comfortable than typing everything using my hand. # Conclusion This is an assistive technology easy to setup and that can be a life changer for disabled users who can make use of it. This is not the first time I'm temporarily disabled in regards to using a keyboard, I previously tried a mirrored keyboard layout reverting keys when pressing caps lock, and also Dasher which allow to make words from simple movements such as moving mouse cursor. I find this ibus plugin to be easier to integrate for the brain because I just type with my keyboard in the programs, with Dasher I need to cut and paste content, and with mirrored layout I need to focus on the layout change. I am very happy of it.</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/ibus-typing-booster.gmi</guid> <link>gemini://perso.pw/blog//articles/ibus-typing-booster.gmi</link> <pubDate>Sat, 16 Oct 2021 00:00:00 GMT</pubDate> </item> <item> <title>Full WireGuard setup with OpenBSD</title> <description> <![CDATA[ <pre># Introduction We want all our network traffic to go through a WireGuard VPN tunnel automatically, both WireGuard client and server are running OpenBSD, how to do that? While I thought it was simple at first, it soon became clear that the "default" part of the problem was not easy to solve, fortunately there are solutions. This guide should work from OpenBSD 6.9. => https://man.openbsd.org/pf.conf#nat-to pf.conf man page about NAT => https://man.openbsd.org/wg WireGuard interface man page => https://man.openbsd.org/ifconfig#WIREGUARD ifconfig man page, WireGuard section # Setup For this setup I assume we have a server running OpenBSD with a public IP address (1.2.3.4 for the example) and an OpenBSD computer with Internet connectivity. Because we want to use the WireGuard tunnel as the default route, we can't define a default route through WireGuard as this, that would prevent our interface to reach the WireGuard endpoint to make the tunnel working. We could play with the routing table by deleting the default route found on the interface, create a new route to reach the WireGuard server and then create a default route through WireGuard, but the whole process is fragile and there is no right place to trigger a script doing this. Instead, we can assign the network interface used to access the Internet to the rdomain 1, configure WireGuard to reach its remote peer through rdomain 1 and create a default route through WireGuard on the rdomain 0. Quick explanation about rdomain: they are different routing tables, default is rdomain 0 but we can create new routing tables and run commands using a specific routing table with "route -T 1 exec ping perso.pw" to make a ping through rdomain 1.
+-------------+
| server | wg0: 192.168.10.1
| |---------------+
+-------------+ |
| public IP |
| 1.2.3.4 |
| |
| |
/\/\/\/\/\/\/\ |WireGuard
| internet | |VPN
\/\/\/\/\/\/\/ |
| |
| |
|rdomain 1 |
+-------------+ |
| computer |---------------+
+-------------+ wg0: 192.168.10.2
rdomain 0 (default)
# Configuration The configuration process will be done in this order: 1. create the WireGuard interface on your computer to get its public key 2. create the WireGuard interface on the server to get its public key 3. configure PF to enable NAT and enable IP forwarding 4. reconfigure computer's WireGuard tunnel using server's public key 5. time to test the tunnel 6. make it default route Our WireGuard server will accept connections on address 1.2.3.4 at the UDP port 4433, we will use the network 192.168.10.0/24 for the VPN, the server IP on WireGuard will be 192.168.10.1 and this will be our future default route. ## On your computer We will make a simple script to generate the configuration file, you can easily understand what is being done. Replace "1.2.3.4 4433" by your IP and UDP port to match your setup.
PRIVKEY=$(openssl rand -base64 32)
cat <<EOF > /etc/hostname.wg0
wgkey $PRIVKEY
wgpeer wgendpoint 1.2.3.4 4433 wgaip 0.0.0.0/0
inet 192.168.10.2/24
up
EOF
sh /etc/netstart wg0
PUBKEY=$(ifconfig wg0 | grep 'wgpubkey' | cut -d ' ' -f 2)
echo "You need $PUBKEY to setup the remote peer"
## On the server ### WireGuard Like we did on the computer, we will use a script to configure the server. It's important to get the PUBKEY displayed in the previous step.
PUBKEY=PASTE_PUBKEY_HERE
PRIVKEY=$(openssl rand -base64 32)
cat <<EOF > /etc/hostname.wg0
wgkey $PRIVKEY
wgpeer $PUBKEY wgaip 192.168.10.0/24
inet 192.168.10.1/24
wgport 4433
up
EOF
sh /etc/netstart wg0
PUBKEY=$(ifconfig wg0 | grep 'wgpubkey' | cut -d ' ' -f 2)
echo "You need $PUBKEY to setup the local peer"
Keep the public key for next step. ## Firewall We want to enable NAT so we can reach the Internet through the server using WireGuard, edit /etc/pf.conf to add the following line (after the skip lines):
pass out quick on egress from wg0:network to any nat-to (egress)
Reload with "pfctl -f /etc/pf.conf". NOTE: if you block all incoming traffic by default, you need to open UDP port 4433. You will also need to either skip firewall on wg0 or configure PF to open what you need. This is beyond the scope of this guide. ## IP forwarding We need to enable IP forwarding because we will pass packets from an interface to another, this is done with "sysctl net.inet.ip.forwarding=1" as root. To make it persistent across reboot, add "net.inet.ip.forwarding=1" to /etc/sysctl.conf (you may have to create the file). From now, the server should be ready. ## On your computer Edit /etc/hostname.wg0 and paste the public key between "wgpeer" and "wgaip", the public key is wgpeer's parameter. Then run "sh /etc/netstart wg0" to reconfigure your wg0 tunnel. After this step, you should be able to ping 192.168.10.1 from your computer (and 192.168.10.2 from the server). If not, please double check the WireGuard and PF configurations on both side. ## Default route This simple setup for the default route will truly make WireGuard your default route. You have to understand services listening on all interfaces will only attach to WireGuard interface because it's the only address in rdomain 0, if needed you can use a specific routing table for a service as explained in rc.d man page. Replace the line "up" with the following:
wgrtable 1
up
!route add -net default 192.168.10.1
Your configuration file should look like this:
wgkey YOUR_KEY
wgpeer YOUR_PUBKEY wgendpoint REMOTE_IP 4433 wgaip 0.0.0.0/0
inet 192.168.10.2/24
wgrtable 1
up
!route add -net default 192.168.10.1
Now, add "rdomain 1" to your network interface used to reach the Internet, in my setup it's /etc/hostname.iwn0 and it looks like this.
join network wpakey superprivatekey
join home wpakey notsuperprivatekey
rdomain 1
up
autoconf
Now, you can restart network with "sh /etc/netstart" and all the network should pass through the WireGuard tunnel. # Handling DNS Because you may use a nameserver in /etc/resolv.conf that was provided by your local network, it's not reachable anymore. I highly recommend to use unwind (in every case anyway) to have a local resolver, or modify /etc/resolv.conf to use a public resolver. unwind can be enabled with "rcctl enable unwind" and "rcctl start unwind", from OpenBSD 7.0 you should have resolvd running by default that will rewrite /etc/resolv.conf if unwind is started, otherwise you need to write "nameserver 127.0.0.1" in /etc/resolv.conf # Bypass VPN If you need for some reason to run a program and not route its traffic through the VPN, it is possible. The following command will run firefox using the routing table 1, however depending on the content of your /etc/resolv.conf you may have issues resolving names (because 127.0.0.1 is only reachable on rdomain 0!). So a simple fix would be to use a public resolver if you really need to do so often.
route -T 1 exec firefox
=> https://man.openbsd.org/route.8#exec route man page about exec command # WireGuard behind a NAT If you are behind a NAT you may need to use the KeepAlive option on your WireGuard tunnel to keep it working. Just add "wgpka 20" to enable a KeepAlive packet every 20 seconds in /etc/hostname.wg0 like this:
wgpeer YOUR_PUBKEY wgendpoint REMOTE_IP 4433 wgaip 0.0.0.0/0 wgpka 20
[....]
=> https://man.openbsd.org/ifconfig#wgpka ifconfig man page explaining wgpka parameter # Conclusion WireGuard is easy to deploy but making it a default network interface adds some complexity. This is usually simpler for protocols like OpenVPN because the OpenVPN daemon can automatically do the magic to rewrite the routes (and it doesn't do it very well) and won't prevent non-VPN access until the VPN is connected. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-wireguard-exit.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-wireguard-exit.gmi</link> <pubDate>Sat, 09 Oct 2021 00:00:00 GMT</pubDate> </item> <item> <title>Port of the week: foliate</title> <description> <![CDATA[ <pre># Introduction Today I wanted to share with you about the program Foliate, a GTK Ebook reader with interesting features. First, there aren't many epub readers available on OpenBSD (and also on Linux). => https://johnfactotum.github.io/foliate/ Foliate project website # How to install On OpenBSD, a simple "pkg_add foliate" and you are done. # Features Foliate supports multiple features such as:
Policy Compile time Idle time
------ ------------ ---------
powersaving 1123 0
auto 871 252
=> static/freq-time.png Chart showing the difference in time spent for the two policies ## Energy used We see that the powersaving used more energy for the duration of the compilation of gzdoom, 5.9 Wh vs 5.6 Wh, but as we don't turn off the computer after the compilation is done, the auto mode also spent a few minutes idling and used 0.74 Wh in that time.
Policy Compile power Idle power Total (Wh)
------ ------------ --------- ----------
powersaving 5,90 0,00 5,90
auto 5,60 0,74 6,34
=> static/freq-power.png Chart showing the difference in energy used for the two policies # Conclusion For the same job done: compiling games/gzdoom and stay on for 18 minutes and 43 seconds, the powersaving policy used 5.90 Wh while the auto mode used 6.34 Wh. This is a saving of 6.90% of power. This is a testing policy I made for testing purposes, it may be too conservative for most people, I don't know. I'm currently playing with this and with a reproducible benchmark like this one I'm able to compare results between changes in the scheduler. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-power-usage.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-power-usage.gmi</link> <pubDate>Sun, 26 Sep 2021 00:00:00 GMT</pubDate> </item> <item> <title>Reuse of OpenBSD packages for trying runtime</title> <description> <![CDATA[ <pre># Introduction So, I'm currently playing with OpenBSD trying each end user package (providing binaries) and see if they work when installed alone. I needed a simple way to keep packages downloaded and I didn't want to go the hard way by using rsync on a package mirror because it would waste too much bandwidth and would take too much time. The most efficient way I found rely on a cache and ordering the source of packages. # pkg_add mastery pkg_add has a special variable named PKG_CACHE that when it's set, downloaded packages are copied in this directory. This is handy because every time I will install a package, all the packages downloaded by will kept in that directory. The other variable that interests us for the job is PKG_PATH because we want pkg_add to first look up in $PKG_CACHE and if not found, in the usual mirror. I've set this in my /root/.profile
export PKG_CACHE=/home/packages/
export PKG_PATH=${PKG_CACHE}:http://ftp.fr.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
Every time pkg_add will have to get a package, it will first look in the cache, if not there it will download it in the mirror and then store it in the cache. # Saving time removing packages Because I try packages one by one, installing and removing dependencies takes a lot of time (I'm using old hardware for the job). Instead of installing a package, deleting it and removing its dependencies, it's easier to work with manually installed packages and once done, remove dependencies, this way you will keep already installed dependencies that will be required for the next package.
KEEP=$(echo $* | awk '{ gsub(" ","|",$0); printf("(%s)", $0) }')
for pkg in $(pkg_info -mz | grep -vE "$KEEP")
do
# instead of deleting the package
# mark it installed automatically
pkg_add -aa $pkg
done
pkg_add $*
pkg_delete -a
This way, I can use this script (named add.sh) "./add.sh gnome" and then reuse it with "./add.sh xfce", the common dependencies between gnome and xfce packages won't be removed and reinstalled, they will be kept in place. # Conclusion There are always tricks to make bandwidth and storage more efficient, it's not complicated and it's always a good opportunity to understand simple mechanisms available in our daily tools. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-quick-package-work.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-quick-package-work.gmi</link> <pubDate>Sun, 19 Sep 2021 00:00:00 GMT</pubDate> </item> </channel> </rss>