💾 Archived View for bvnf.space › blog › 001_setting_up_vger.gmi captured on 2022-07-16 at 13:38:31. Gemini links have been rewritten to link to archived content


Setting up vger(8) on OpenBSD

vger[1] is a Gemini server written by Solene. It is simple: it reads a request on stdin and writes the response to stdout, leaving networking and TLS to other components. It is still well-featured (CGI, virtual hosts, chroot support) and is designed with security in mind: running on OpenBSD, it can use unveil(2) to restrict its filesystem access to the served directory.

[1] vger repository at tildegit.org

To handle the networking and TLS, on OpenBSD we can use inetd(8) and relayd(8). relayd accepts the TLS connection on port 1965 and forwards the decrypted stream to a local port; inetd listens there, hands the request to vger on stdin, and returns vger's stdout to the client.

vger can be installed from ports:

pkg_add vger

Generating a self-signed keypair

Now, we need a keypair for relayd to handle the TLS with:

openssl req \
	-new \
	-subj "/CN=gemini.bvnf.space" \
	-x509 \
	-newkey rsa:2048 \
	-days 1825 \
	-nodes \
	-out /etc/ssl/gemini.bvnf.space.crt \
	-keyout /etc/ssl/private/gemini.bvnf.space.key

EDIT: 2022-01-09

Using a DNS name in the Common Name (CN) field is deprecated; DNS names should instead go in the Subject Alternative Name (SAN) extension. Just add this option to the above command:

-addext "subjectAltName = DNS:bvnf.space, DNS:gemini.bvnf.space"

This keypair is valid for 5 years. I tried using an ECDH key (replace "-newkey rsa:2048" with "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1") but it seems that relayd can only use RSA keys at the moment.

Configure relayd

/etc/relayd.conf:

log connection
tcp protocol "gemini" {
	tls keypair "gemini.bvnf.space"
}
relay "gemini" {
	listen on "gemini.bvnf.space" port 1965 tls
	protocol "gemini"
	forward to 127.0.0.1 port 11965
}

The argument to "tls keypair" must match the basename of the certificate and key files (without the .crt or .key suffix) produced by openssl(1) above; relayd looks them up in /etc/ssl and /etc/ssl/private.

Checking relayd config

relayd -n

Configure inetd

Add this line to /etc/inetd.conf (the _vger user is created when vger is installed through ports):

127.0.0.1:11965 stream	tcp	nowait	_vger	/usr/local/bin/vger	vger -m text/plain -i

The options passed to vger (see the vger(8) manpage) are specified on this line. You might want to enable chrooting (-u user), but on OpenBSD this adds little on top of the unveil(2) restrictions vger already applies.

Last thing: remember to allow inbound TCP port 1965 in /etc/pf.conf; port 11965 only needs to be reachable from localhost.

Start it up

Finally, write something in /var/gemini, and start inetd and relayd.

echo "# ben's space" > /var/gemini/index.gmi
rcctl start relayd
rcctl start inetd
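To confirm the whole chain works once relayd and inetd are running, here is an added example (not from this post or the vger project): a minimal Gemini client using only Python's standard library. It requests the host name used above and, because the certificate is self-signed and has no CA chain, skips CA verification and instead reports the certificate's SHA-256 fingerprint so it can be pinned on first use.

```python
# Added example, not from the post or the vger project: a small Gemini client
# (standard library only) to check that relayd, inetd and vger are wired together.
import hashlib
import socket
import ssl
from urllib.parse import urlparse

MAX_URL = 1024  # the Gemini spec limits the request URL to 1024 bytes

def build_request(url):
    """A Gemini request is the absolute URL followed by CRLF."""
    if urlparse(url).scheme != "gemini":
        raise ValueError("not a gemini:// URL")
    if len(url.encode("utf-8")) > MAX_URL:
        raise ValueError("request URL longer than 1024 bytes")
    return url.encode("utf-8") + b"\r\n"

def parse_response(data):
    """Split '<STATUS> <META>\\r\\n<BODY>' into (status, meta, body)."""
    header, sep, body = data.partition(b"\r\n")
    if not sep:
        raise ValueError("response header not CRLF-terminated")
    text = header.decode("utf-8")
    if len(text) < 2 or not text[:2].isdigit():
        raise ValueError("malformed status line: %r" % text)
    meta = text[3:] if text[2:3] == " " else ""
    return int(text[:2]), meta, body

def fetch(url, timeout=10.0):
    """Fetch url; return (status, meta, body, sha256 of the server certificate)."""
    u = urlparse(url)
    host, port = u.hostname, u.port or 1965
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # self-signed cert: no CA chain to verify,
    ctx.verify_mode = ssl.CERT_NONE  # so pin the fingerprint (TOFU) instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI, which relayd uses to select the keypair
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
            tls.sendall(build_request(url))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    status, meta, body = parse_response(b"".join(chunks))
    return status, meta, body, fp

if __name__ == "__main__":
    status, meta, body, fp = fetch("gemini://gemini.bvnf.space/")
    print("cert sha256:", fp)  # record this on first contact, compare afterwards
    print(status, meta, body.decode("utf-8", "replace"), sep="\n")
```

A successful run prints status 20 with the mime type from the inetd line and the contents of /var/gemini/index.gmi; a changed fingerprint on a later run means the keypair was replaced.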

--

written 2021-10-27
