The first step is to install OpenBSD on a regular computer. This installation may be used to prototype what will eventually be placed on the Soekris, perfect for setting up while waiting for the hardware to arrive. Keeping this installation around for future upgrades as new versions of OpenBSD are released or security flaws are fixed is a good idea.

Support OpenBSD by purchasing the CD set.

Almost everything necessary, and much more, is included in a default install of OpenBSD. However, there are a few other important or useful things to configure:

Read-Only Configuration

Since Compact Flash has a finite number of write cycles and is fairly slow, the root filesystem will be mounted read-only. /var will be mounted as a memory filesystem (mfs), and a compressed tar containing a prototype /var tree will be extracted into it at boot.

      /etc/fstab:

      /dev/wd0a       /       ffs     ro                      1 1     
      swap            /var    mfs     rw,nosuid,-s=8192       0 0

      /etc/rc:
      ...
      umount -a >/dev/null 2>&1
      mount -a -t nonfs

      mkdir /var/tmp     
      tar xzpf /var.tar.gz
      ...
    

Some entries in /dev are modified at runtime by various daemons (syslogd creates the /dev/log socket, and logins change the ownership and mode of the pseudo-terminals), so they need to either be symlinks into /var or be union mounted:

      lrwxr-xr-x  1 root  wheel  12 Jan 1 00:00 /dev/log -> /var/dev/log
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ptyp0 -> /var/dev/ptyp0
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ptyp1 -> /var/dev/ptyp1
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ttyp0 -> /var/dev/ttyp0
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ttyp1 -> /var/dev/ttyp1
    

The same applies to /tmp, which becomes a symlink into the memory filesystem:

      lrwxr-xr-x  1 root  wheel   8 Jan 19 13:30 /tmp -> /var/tmp
    
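The following script is an added example and not part of the original page: it builds the /var.tar.gz prototype that the /etc/rc lines above extract at boot, then rehearses that extraction under a scratch directory standing in for / so the tree can be verified before the CompactFlash is written. The sample /var tree it builds is constructed for the rehearsal; real device nodes under /var/dev must be created with MAKEDEV as root on the prototype machine, so plain files stand in for them here.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds the /var.tar.gz
# prototype that /etc/rc extracts into the /var memory filesystem and
# rehearses the boot-time extraction under ROOT instead of /.

# build_sample_var DIR
# Constructed prototype tree. On the real prototype machine the entries under
# var/dev are device nodes made with MAKEDEV as root; plain files stand in here.
# /dev/log is a socket syslogd creates at startup, so only var/dev itself is needed.
build_sample_var() {
    dir=$1
    mkdir -p "$dir/dev" "$dir/db" "$dir/log" "$dir/run" "$dir/empty"
    for node in ptyp0 ptyp1 ttyp0 ttyp1; do
        : > "$dir/dev/$node"     # placeholder for a device node
    done
}

# make_var_proto SRC_VAR OUT_TGZ
# Archive SRC_VAR relative to its parent so it unpacks as var/... when
# "tar xzpf /var.tar.gz" runs from / at boot. OUT_TGZ may be relative.
make_var_proto() {
    out=$2
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    ( cd "$(dirname "$1")" && tar -czpf "$out" "$(basename "$1")" )
}

# boot_var_tree ROOT TGZ
# Same sequence as the /etc/rc snippet: the freshly mounted (empty) mfs is
# populated from the archive and /var/tmp, the target of /tmp, is created.
boot_var_tree() {
    mkdir -p "$1/var"
    ( cd "$1" && tar -xzpf "$2" ) || return 1
    mkdir -p "$1/var/tmp"
}

# verify_var_tree ROOT
# Every target of the /dev and /tmp symlinks listed above must exist inside the
# memory filesystem, otherwise syslogd or logins fail on the read-only box.
verify_var_tree() {
    rc=0
    for target in dev dev/ptyp0 dev/ptyp1 dev/ttyp0 dev/ttyp1 tmp; do
        if [ ! -e "$1/var/$target" ]; then
            echo "missing /var/$target after extraction" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (rehearsal in a scratch directory):
#   T=$(mktemp -d)
#   build_sample_var "$T/proto/var"
#   make_var_proto "$T/proto/var" "$T/var.tar.gz"
#   boot_var_tree "$T/root" "$T/var.tar.gz" && verify_var_tree "$T/root"
```

Running the rehearsal after every change to the prototype catches a missing directory or node before the box is deployed, which matters because a read-only root gives no easy way to fix the tree in place.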

Isakmp Configuration

The following configuration allows IPSec clients on the wireless network to authenticate with a shared secret. Other options exist, including X.509 certificates, which are a better choice if access is being granted to untrusted users. 3DES is used because the vpn1211 accelerator handles it; another cipher such as AES might use much less CPU on the clients.

isakmpd.conf:

      [Phase 1]
      Default         = local-peers

      [Phase 2]
      Passive-connections     = authenticated-peers
      
      [local-peers]
      Phase           = 1
      Local-address   = 192.168.1.1
      Authentication  = pAsswOrd
      Configuration   = isakmp-main-mode
      
      [authenticated-peers]
      Phase           = 2
      ISAKMP-peer     = local-peers
      Local-ID        = local-network
      Remote-ID       = remote-network
      Configuration   = ipsec-quick-mode
      
      [local-network]
      ID-type         = IPV4_ADDR_SUBNET
      Network         = 0.0.0.0
      Netmask         = 0.0.0.0
      
      [remote-network]
      ID-type         = IPV4_ADDR_SUBNET
      Network         = 192.168.1.0
      Netmask         = 255.255.255.0
      
      [isakmp-main-mode]
      EXCHANGE_TYPE   = ID_PROT
      Transforms      = 3des-sha
      
      [ipsec-quick-mode]
      EXCHANGE_TYPE   = QUICK_MODE
    

isakmpd.policy ensures that encryption is used:

      KeyNote-Version:  2
      Authorizer:       "POLICY"
      Conditions:       app_domain == "IPsec policy"  &&
                        esp_present == "yes"          &&
                        esp_enc_alg == "3des"         -> "true";
    
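An isakmpd.conf is a set of sections that name each other (Default names local-peers, which names isakmp-main-mode, and so on), and a misspelt name only shows up when a peer fails to negotiate. The script below is an added example, not part of the original page or of isakmpd: it checks that every section named in the reference keys listed in REF_KEYS is actually defined, and that the file holding the shared secret is not readable by group or other. The sample files are constructed copies of the configuration above, one as written and one with a one-character typo in a section reference.

```shell
#!/bin/sh
# Added example, not from the original page. Cross-checks section references
# in an isakmpd.conf and the permissions of the file holding the shared secret.

# Keys whose values name other sections (comma-separated lists are allowed).
# Transforms/Suites are not checked: isakmpd has built-in defaults for those.
REF_KEYS='Default|Passive-connections|ISAKMP-peer|Configuration|Local-ID|Remote-ID'

# check_isakmpd_refs FILE : print dangling references; exit 0 if none, 1 otherwise
check_isakmpd_refs() {
    awk -v keys="$REF_KEYS" '
        /^[ \t]*\[[^]]+\][ \t]*$/ {                 # section header: [name]
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            defined[s] = 1; next
        }
        ($0 ~ "^[ \t]*(" keys ")[ \t]*=") {        # key whose value names sections
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            n = split(v, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (parts[i] != "" && !(parts[i] in refs)) refs[parts[i]] = FNR
        }
        END {
            bad = 0
            for (r in refs)
                if (!(r in defined)) {
                    printf "line %d: section [%s] is referenced but never defined\n", refs[r], r
                    bad = 1
                }
            exit bad
        }' "$1"
}

# check_secret_perms FILE : the shared secret lives in this file, so group and
# other must have no access at all (mode 0600); it should be owned by root too.
check_secret_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: group/other can read the shared secret" >&2; return 1; }
}

# Constructed samples: the page's isakmpd.conf as written, and a copy in which
# one Configuration reference is misspelt.
ISAKMPD_DIR=$(mktemp -d)
ISAKMPD_GOOD=$ISAKMPD_DIR/isakmpd.conf
ISAKMPD_BAD=$ISAKMPD_DIR/isakmpd-typo.conf
cat > "$ISAKMPD_GOOD" <<'EOF'
[Phase 1]
Default         = local-peers

[Phase 2]
Passive-connections     = authenticated-peers

[local-peers]
Phase           = 1
Local-address   = 192.168.1.1
Authentication  = pAsswOrd
Configuration   = isakmp-main-mode

[authenticated-peers]
Phase           = 2
ISAKMP-peer     = local-peers
Local-ID        = local-network
Remote-ID       = remote-network
Configuration   = ipsec-quick-mode

[local-network]
ID-type         = IPV4_ADDR_SUBNET
Network         = 0.0.0.0
Netmask         = 0.0.0.0

[remote-network]
ID-type         = IPV4_ADDR_SUBNET
Network         = 192.168.1.0
Netmask         = 255.255.255.0

[isakmp-main-mode]
EXCHANGE_TYPE   = ID_PROT
Transforms      = 3des-sha

[ipsec-quick-mode]
EXCHANGE_TYPE   = QUICK_MODE
EOF
chmod 600 "$ISAKMPD_GOOD"
sed '/^Configuration/s/ipsec-quick-mode/ipsec-quick-mod/' "$ISAKMPD_GOOD" > "$ISAKMPD_BAD"

# Usage:  check_isakmpd_refs /etc/isakmpd/isakmpd.conf && check_secret_perms /etc/isakmpd/isakmpd.conf
```

Run both checks on the prototype machine before copying the file to the CompactFlash image; the typo check costs nothing and the permission check catches the common mistake of editing the file as an unprivileged user and leaving it world-readable.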

Packet Filter Configuration

Last of all, but likely the most important, is configuring pf, the OpenBSD packet filter. The policy is to block all incoming traffic on all interfaces, NAT outgoing traffic on the Internet interface, and then allow only the specific traffic listed in the rules below:

pf.conf:

      # wireless network
      wi_if   = "wi0"
      wi_net  = "192.168.1.0/24"
      
      # wired network
      en_if   = "sis0"
      en_net  = "192.168.2.0/24"

      # internet interface
      inet_if = "sis1"

      # ----------------------------------------------------------------------

      scrub in all

      # NAT outgoing traffic from wireless and wired networks

      nat on $inet_if from $wi_net to any -> $inet_if
      nat on $inet_if from $en_net to any -> $inet_if

      # block incoming traffic, allow and keep state on outgoing

      block in all
      pass out all
      pass out on $inet_if all keep state

      # allow DHCP and ISAKMP so wireless clients can get an IPSec connection.
      # A client's initial DHCP request is sent from 0.0.0.0 to 255.255.255.255,
      # so the bootps rule cannot be limited to $wi_net / $wi_if.

      pass in on $wi_if proto udp from any port = bootpc to any port = bootps
      pass in on $wi_if proto udp from $wi_net to $wi_if port = isakmp
      
      # allow ipsec tunneled traffic from wireless clients
      
      pass in on $wi_if proto esp from $wi_net to $wi_if
      
      # allow incoming ipsec traffic (decrypted packets arrive on enc0)
      
      pass in on enc0 from $wi_net to any
      
      # allow all traffic on wired network and loopback interface

      pass in on $en_if from $en_net to any
      pass in on lo0 all
    
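Loading a new pf.conf on a gateway you reach over the network has two classic failure modes: a file that does not parse (a comment wrapped onto a second line without the leading `#` is enough), in which case pfctl leaves the old ruleset running, and a file that parses but locks you out. The script below is an added example, not part of the page: it parses the file with `pfctl -n -f` first, loads it, and arms a watchdog that reloads the previous pf.conf unless `pf_commit` is called within a grace period. `pfctl` is OpenBSD's own tool; `PF_ROLLBACK_PID` is a hypothetical pidfile path chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Safe remote load of a pf ruleset:
# parse check, atomic load, and a timed rollback to the previous pf.conf.
# PF_ROLLBACK_PID is a hypothetical pidfile path; pfctl is OpenBSD's tool.

PF_ROLLBACK_PID=${PF_ROLLBACK_PID:-/var/run/pf-rollback.pid}

# pf_safe_load NEW_CONF PREV_CONF GRACE_SECONDS
pf_safe_load() {
    new=$1; prev=$2; grace=$3
    # 1. parse only (-n): a syntax error is reported here instead of being
    #    noticed later, when the old ruleset turns out to still be in place
    pfctl -n -f "$new" || { echo "refusing to load $new: does not parse" >&2; return 1; }
    # 2. pf replaces the whole ruleset atomically when the file loads
    pfctl -f "$new" || return 1
    # 3. watchdog: restore PREV_CONF unless pf_commit cancels it first.
    #    stdio is detached so the job cannot hold a remote session open.
    ( sleep "$grace"; pfctl -f "$prev" ) </dev/null >/dev/null 2>&1 &
    echo $! > "$PF_ROLLBACK_PID"
    echo "loaded $new; run pf_commit within ${grace}s or $prev is restored" >&2
}

# pf_commit : cancel the pending rollback once the new rules are confirmed to
# work (for example, a fresh ssh session to the box succeeds).
pf_commit() {
    [ -f "$PF_ROLLBACK_PID" ] || return 1
    kill "$(cat "$PF_ROLLBACK_PID")" 2>/dev/null   # the orphaned sleep is harmless
    rm -f "$PF_ROLLBACK_PID"
}

# Usage on the gateway, with the previous file kept as /etc/pf.conf.prev:
#   cp /etc/pf.conf /etc/pf.conf.prev   # before editing
#   pf_safe_load /etc/pf.conf /etc/pf.conf.prev 60
#   ... open a new session to confirm access, then:
#   pf_commit
```

Keeping the previous pf.conf file (rather than a dump of the running rules) as the rollback source means the restore goes through the same parser and macros as a normal load, so what comes back is exactly the ruleset that was known to work.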

Next: Diskless Booting
