The first step is to install OpenBSD on a regular computer. This installation may be used to prototype what will eventually be placed on the Soekris, perfect for setting up while waiting for the hardware to arrive. Keeping this installation around for future upgrades as new versions of OpenBSD are released or security flaws are fixed is a good idea.
Support OpenBSD by purchasing the CD set.
Almost everything necessary, and much more, is included in a default install of OpenBSD. However, there are a few other important or useful things to include:
Since Compact Flash has a finite number of write cycles and is fairly slow, the root filesystem is mounted read-only. /var is mounted as a memory filesystem (mfs) into which a compressed tar of a prototype /var tree is extracted at boot.
/etc/fstab:
/dev/wd0a / ffs ro 1 1
swap /var mfs rw,nosuid,-s=8192 0 0
/etc/rc:
...
umount -a >/dev/null 2>&1
mount -a -t nonfs
mkdir /var/tmp
tar xzpf /var.tar.gz
...
Some devices in /dev are modified by various daemons, so they need to be either symlinks into /var or union mounted:
lrwxr-xr-x 1 root wheel 12 Jan 1 00:00 /dev/log -> /var/dev/log
lrwxr-xr-x 1 root wheel 14 Jan 1 00:00 /dev/ptyp0 -> /var/dev/ptyp0
lrwxr-xr-x 1 root wheel 14 Jan 1 00:00 /dev/ptyp1 -> /var/dev/ptyp1
lrwxr-xr-x 1 root wheel 14 Jan 1 00:00 /dev/ttyp0 -> /var/dev/ttyp0
lrwxr-xr-x 1 root wheel 14 Jan 1 00:00 /dev/ttyp1 -> /var/dev/ttyp1
The /tmp directory is likewise a symlink into /var:
lrwxr-xr-x 1 root wheel 8 Jan 19 13:30 /tmp -> /var/tmp
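The steps above (a prototype /var tree packed as /var.tar.gz, unpacked by /etc/rc into the mfs, plus the /dev and /tmp symlinks) as one script. This is an added example and not code from the original article: it builds the tarball in a staging directory, turns the listed /dev entries and /tmp into links under a root of your choosing, and unpacks the tarball the way /etc/rc does to confirm the result. The directory names beyond var/tmp and var/dev, and the placeholder that stands in for the device nodes /dev/MAKEDEV would create, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: build the prototype
# /var tarball that /etc/rc unpacks into the mfs at boot, replace the
# writable /dev entries and /tmp with links into /var, and verify the
# result.  Directory names beyond var/tmp and var/dev are assumptions;
# run the real thing against / as root on the prototype install.
set -eu

# build_var_proto STAGING OUTPUT
# Populate STAGING/var with the directories daemons write to, then pack it
# with relative paths so "tar xzpf /var.tar.gz" run from / lands in /var.
build_var_proto() {
    staging=$1
    out=$2
    for d in var/tmp var/dev var/run var/log var/db var/spool var/mail; do
        mkdir -p "$staging/$d"
    done
    chmod 1777 "$staging/var/tmp"
    # The pty and log device nodes normally come from /dev/MAKEDEV run in
    # var/dev; a placeholder file stands in for them here (assumption).
    : > "$staging/var/dev/.placeholder"
    (cd "$staging" && tar czf "$out" var)
}

# link_into_var ROOT
# Point the /dev entries the article lists, and /tmp, at /var as symlinks.
# ROOT is / on the real system; any scratch directory works for a dry run.
link_into_var() {
    root=$1
    mkdir -p "$root/dev"
    for n in log ptyp0 ptyp1 ttyp0 ttyp1; do
        rm -f "$root/dev/$n"
        ln -s "/var/dev/$n" "$root/dev/$n"
    done
    rm -rf "$root/tmp"
    ln -s /var/tmp "$root/tmp"
}

# check_proto TARBALL DIR
# Unpack TARBALL into DIR the way /etc/rc does and confirm the entries a
# read-only root needs are present; returns 0 when they all are.
check_proto() {
    tarball=$1
    dir=$2
    mkdir -p "$dir"
    (cd "$dir" && tar xzpf "$tarball")
    [ -d "$dir/var/tmp" ] && [ -d "$dir/var/dev" ] && [ -d "$dir/var/run" ]
}
```

A dry run against a scratch directory (`build_var_proto /tmp/stage /tmp/var.tar.gz; check_proto /tmp/var.tar.gz /tmp/root; link_into_var /tmp/root`) shows the layout before it is committed to the Compact Flash image; on the real install, run `link_into_var /` as root and copy the tarball to /var.tar.gz.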
The following configuration allows IPsec clients on the wireless network to authenticate with a shared secret. Other options exist, including X.509 certificates, which are a good choice if access is being allowed to untrusted users. 3DES is used because the vpn1211 accelerator handles it; another cipher such as AES might use a lot less CPU on the clients.
[Phase 1]
Default = local-peers
[Phase 2]
Passive-connections = authenticated-peers
[local-peers]
Phase = 1
Local-address = 192.168.1.1
Authentication = pAsswOrd
Configuration = isakmp-main-mode
[authenticated-peers]
Phase = 2
ISAKMP-peer = local-peers
Local-ID = local-network
Remote-ID = remote-network
Configuration = ipsec-quick-mode
[local-network]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0
[remote-network]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.1.0
Netmask = 255.255.255.0
[isakmp-main-mode]
EXCHANGE_TYPE = ID_PROT
Transforms = 3des-sha
[ipsec-quick-mode]
EXCHANGE_TYPE = QUICK_MODE
isakmpd.policy ensures that ESP encryption with 3DES is actually used:
KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "3des" -> "true";
Last, and likely most important, is configuring pf, the OpenBSD packet filter. The primary rules are to block all incoming traffic on all interfaces, NAT outgoing traffic on the Internet interface, and allow only the following:
# wireless network
wi_if = "wi0"
wi_net = "192.168.1.0/24"
# wired network
en_if = "sis0"
en_net = "192.168.2.0/24"
# internet interface
inet_if = "sis1"
# ----------------------------------------------------------------------
scrub in all
# NAT outgoing traffic from wireless and wired networks
nat on $inet_if from $wi_net to any -> $inet_if
nat on $inet_if from $en_net to any -> $inet_if
# block incoming traffic, allow and keep state on outgoing
block in all
pass out all
pass out on $inet_if all keep state
# allow DHCP and ISAKMP so wireless clients can get an IPsec connection
pass in on $wi_if proto udp from $wi_net to $wi_if port = bootps
pass in on $wi_if proto udp from $wi_net to $wi_if port = isakmp
# allow ipsec tunneled traffic from wireless clients
pass in on $wi_if proto esp from $wi_net to $wi_if
# allow incoming ipsec traffic
pass in on enc0 from $wi_net to any
# allow all traffic on wired network and loopback interface
pass in on $en_if from $en_net to any
pass in on lo0 all
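A static check that a pf.conf keeps the posture just described (block everything inbound, then pass only what is named), as an added example that is not code from the original article. It needs no running pf: an awk pass over the file reports any "pass in" rule that appears before the "block in all" default, is not bound to an interface, or passes inbound traffic "from any". The two sample rulesets are constructed for the check, with assumed interface names, and the article's old pf syntax (no "quick", no anchors) is assumed.

```shell
#!/bin/sh
# Added example, not code from the original article: a static check that a
# pf.conf keeps the "block in all, pass explicitly" posture described above.
# It needs no running pf; it only reads the file with awk.  The sample
# rulesets are constructed for this check and use assumed interface names.
set -eu

# check_pf_default_deny FILE
# Prints one line per finding and returns the number of findings, so the
# exit status is 0 only for a ruleset that
#   - contains a "block in all" default rule,
#   - has every "pass in" rule after it,
#   - binds every "pass in" rule to an interface ("on ..."),
#   - never passes inbound traffic "from any".
check_pf_default_deny() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*block[ \t]+in[ \t]+(log[ \t]+)?all/ { seen_block = NR }
        /^[ \t]*pass[ \t]+in/ {
            if (!seen_block) { print "line " NR ": pass in before block in all: " $0; bad++ }
            if ($0 !~ /[ \t]on[ \t]+[A-Za-z$]/) { print "line " NR ": pass in without interface: " $0; bad++ }
            if ($0 ~ /[ \t]from[ \t]+any([ \t]|$)/) { print "line " NR ": pass in from any: " $0; bad++ }
        }
        END {
            if (!seen_block) { print "no \"block in all\" default rule"; bad++ }
            exit bad
        }
    ' "$1"
}

# write_samples DIR
# Two constructed rulesets: one shaped like the article's, one that opens
# the gateway up.  Interface and network names are assumptions.
write_samples() {
    dir=$1
    cat > "$dir/good.conf" <<'EOF'
# constructed sample in the article's style
wi_if = "wi0"
wi_net = "192.168.1.0/24"
block in all
pass out all keep state
pass in on $wi_if proto udp from $wi_net to $wi_if port = isakmp
pass in on $wi_if proto esp from $wi_net to $wi_if
pass in on enc0 from $wi_net to any
pass in on lo0 all
EOF
    cat > "$dir/bad.conf" <<'EOF'
# constructed sample that breaks the default-deny posture
pass in proto tcp from any to any port = ssh
pass in on sis1 from any to any
EOF
}
```

Run it on the prototype machine as `check_pf_default_deny /etc/pf.conf` before `pfctl -nf /etc/pf.conf` (syntax check) and the real load; the good sample returns 0 findings and the bad one 6, since the first bad line trips all three per-rule checks, the second trips two, and the missing "block in all" adds one more.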
