Morelcia/1-README.md

Last active May 28, 2021
OpenBSD configs

Configs that I use on my OpenBSD VPS for WireGuard, OpenSMTPD, network interfaces and a few other things.

# Bottom of default config
# Dovecot: every IMAP login is mapped onto the single local account "nat".
# With driver=static and allow_all_users=yes the userdb never rejects a name,
# so the passdb configured earlier in this file (not shown here) is the only
# thing deciding who may log in -- NOTE(review): confirm it rejects unknown users.
userdb {
driver = static
args = uid=nat gid=nat home=/home/nat/ allow_all_users=yes
}
# Standard special-use folders for mail clients; "auto = subscribe" creates the
# folder and subscribes to it on first login.
namespace inbox {
inbox = yes
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = subscribe
# Messages older than 30 days are expunged from Junk automatically.
autoexpunge = 30d
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
# Trash and Archive are created on demand, not subscribed automatically.
mailbox Trash {
special_use = \Trash
}
mailbox Archive {
special_use = \Archive
}
}
# /etc/hostname.vio0 -- public (WAN) interface. The addresses were replaced by
# x's; the IPv4 gateway was left as-is. NONE = no broadcast address.
inet xxx.xxx.xxx.xxx 255.255.252.0 NONE
inet6 xxxx:xxxx:xxxx:xxxx::1 64
up
# Default routes are added with explicit route(8) calls ("!" runs a shell command).
!route add -inet default 188.68.52.1
# NOTE(review): route(8) documents "default" as the default-destination keyword;
# confirm that "::" is accepted as the same thing here, otherwise this should be
# `!route add -inet6 default fe80::1%vio0`. The link-local gateway needs the %vio0 scope.
!route add -inet6 :: fe80::1%vio0
# /etc/hostname.wg0 -- WireGuard server side of the VPN (192.168.10.0/24).
# This file holds the private key: keep it readable by root only
# (hostname.if files are 0640 root:wheel by default -- verify on the box).
inet 192.168.10.1 255.255.255.0 192.168.10.255
# Listening port; must stay in sync with udp_services in pf.conf.
wgport 51820
wgkey <server/router privkey>
# One wgpeer per device. wgaip (allowed IPs) works both ways: packets from this
# peer's key are only accepted with that source address, and only that address
# is routed towards the peer.
# device 1
wgpeer <device 1 pubkey> wgaip 192.168.10.2/32
# device 2
wgpeer <device 2 pubkey> wgaip 192.168.10.3/32
# /etc/pf.conf -- vio0 is the public side, wg0 the WireGuard side.
#
# Goals:
# - lock all ports on vio0/WAN and allow only required ones
# - nat internal VPN to external interface
# - devices on VPN see each other (allows for KDE connect over mobile data etc.)
# - traffic is normalised, antispoofing enabled and other basic hardenings
# - icmp is enabled
#
# Please leave a comment if you have any suggestions.
ext_if = "vio0"
vpn_if = "wg0"
# Bogon/private ranges that must never be seen on the public interface.
# 192.168.0.0/16 also covers the VPN subnet (192.168.10.0/24), but the martians
# rules below are bound to egress, so traffic inside wg0 is not affected by them.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
# 22/25/80/443 tcp: ssh, smtp (smtpd listener), http/https. 51820/udp: wgport
# from hostname.wg0. NOTE(review): 25565/tcp and 443,6969/udp are not explained
# anywhere in these configs -- document what each one serves so the exposure is
# deliberate and can be reviewed.
tcp_services = "{ 22, 25, 80, 443, 25565 }"
udp_services = "{ 443, 6969, 51820 }"
# Drop silently instead of answering blocked packets with RST/ICMP unreachable.
set block-policy drop
set skip on lo0
set loginterface $ext_if
# Normalise every incoming packet; max-mss 1440 presumably accounts for the
# WireGuard encapsulation overhead -- confirm against the tunnel MTU.
match in all scrub (no-df random-id max-mss 1440)
# Goal 2: NAT the VPN subnet out through vio0's primary address.
match out on egress inet from ($vpn_if:network) to any nat-to ($ext_if:0)
antispoof quick for { egress, $ext_if, $vpn_if }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
# Default deny; every pass rule below is an explicit exception (last match wins).
block all
pass out quick
# No interface or direction given, so this also passes inbound ICMP on vio0,
# IPv6 neighbour discovery included. max-pkt-rate is counted for the rule as a
# whole, not per source: once 5 packets/s are seen, further ICMP/ICMPv6 no longer
# matches and falls back to "block all" until the rate drops. If IPv6 on vio0
# ever becomes flaky under a ping flood, this limit is the first thing to check.
pass proto { icmp, icmp6 } max-pkt-rate 5/1
pass in on $ext_if proto tcp to port $tcp_services
pass in on $ext_if proto udp to port $udp_services
# Goal 3: VPN peers reach every service on this host and each other. IPv4 only;
# nothing is passed for inet6 on wg0.
pass in on $vpn_if inet
# rspamd local.d/dkim_signing.conf (UCL), used through "filter rspamd" in smtpd.conf.
# allow_username_mismatch: sign even when the SMTP-auth user name does not match
# the sending domain. In practice any authenticated user can send DKIM-signed mail
# for every domain listed below.
allow_username_mismatch = true;
# Private keys live under /etc/mail/dkim; they must be readable by the user rspamd
# runs as, and by nobody else -- verify the file modes.
domain {
example.com {
path = "/etc/mail/dkim/example.com.key";
selector = "20210325";
}
}
domain {
example2.com {
# NOTE(review): this points at example.com's key, not example2.com's. It only
# works if example2.com publishes the matching public key under selector
# 20210325 in its own DNS; if it is a copy-paste slip, the path should be
# /etc/mail/dkim/example2.com.key.
path = "/etc/mail/dkim/example.com.key";
selector = "20210325";
}
}
# /etc/mail/smtpd.conf
# TLS identity for both listeners, taken straight from the Let's Encrypt live
# directory. smtpd reads these files at startup, so after a renewal it presumably
# needs a restart to pick up the new certificate -- TODO confirm and hook it into
# the renewal job.
pki "mail.example.com" cert "/etc/letsencrypt/live/example.com/fullchain.pem"
pki "mail.example.com" key "/etc/letsencrypt/live/example.com/privkey.pem"
# Connect-phase filters for the port 25 listener: disconnect clients whose reverse
# DNS looks dynamic/residential, or that have no rDNS / no forward-confirmed rDNS.
# They fire before any mail data is received, so spam is cut off cheaply; the cost
# is that legitimate senders with broken rDNS cannot deliver here.
filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
disconnect "550 no residential connections"
filter check_rdns phase connect match !rdns \
disconnect "550 no rDNS is so 80s"
filter check_fcrdns phase connect match !fcrdns \
disconnect "550 no FCrDNS is so 80s"
# Sender reputation via filter-senderscore: hosts scoring below 70 are flagged as
# junk and low-scoring sessions are slowed down (-slowFactor); see the filter's
# own documentation for the exact scaling.
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"
# Content scanning and DKIM signing through rspamd.
filter rspamd proc-exec "filter-rspamd"
table domains file:/etc/mail/domains
table virtuals file:/etc/mail/virtuals
# Port 25 (inbound MX): STARTTLS offered but not required; the full filter chain applies.
listen on all tls pki mail.example.com \
filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
# Port 587 (submission): tls-require means no AUTH before TLS, so credentials never
# cross the wire in the clear. The rDNS/reputation filters are not applied here,
# presumably because clients on this listener authenticate.
listen on all port submission tls-require pki mail.example.com auth filter rspamd
# Local delivery hands mail to Dovecot over LMTP; recipients are expanded through
# the virtuals table, so unknown addresses are rejected there.
action "local_mail" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
# Outbound relay. There is no "tls" keyword on the action, so TLS towards remote
# MX hosts is opportunistic rather than required.
action "outbound" relay helo mail.example.com
# First matching rule wins. "match for ..." without a "from" clause means "from local".
match from any for domain <domains> action "local_mail"
match for local action "local_mail"
match from any auth for any action "outbound"
match for any action "outbound"
# /etc/sysctl.conf
# Forwarding is required so WireGuard peers can reach the internet through the
# pf nat-to rule (the VPS acts as a router between wg0 and vio0).
net.inet.ip.forwarding=1
# IPv6 forwarding is enabled too, although wg0 only carries IPv4 and pf only
# NATs inet -- presumably for future use; harmless but worth knowing.
net.inet6.ip6.forwarding=1
# Re-enables SMT/hyperthreading. OpenBSD turns it off by default because sibling
# threads share caches and TLBs, which is what speculative-execution side channels
# exploit. This trades that protection for throughput; on a shared VPS confirm it
# is really wanted.
hw.smt=1
@wiv0 wiv0 commented May 28, 2021

good
