On Mon, Mar 21, 2022 at 08:22:36PM -0700, Eric Thomas wrote:
> Hello,
>
> I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> and generally harden my home network using OpenBSD. Can I use OpenBSD
> services AND have it act as a desktop workstation on the same machine?
>
> Ref:
> https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine
>
> Thanks,
> Eric

Hi Eric,

You CAN do that, but you shouldn't.

First of all, you most likely overestimate how many resources you need. I used to run pfSense with Snort/Suricata (can't remember which one) on a 3rd gen dual-core i3.

You should run as few services on the firewall as possible. Let's say that there's a bug in the browser that causes the machine to hang. Now, because your browser had a bug, your whole network is down until you do a hard reboot. If someone could exploit a bug in the browser to gain root access (not very likely, but still), the attacker could see traffic from your entire network, not just your workstation. Fewer services running on the firewall means a smaller attack surface. Best practice would be to run only network-related services, like DNS, DHCP, VPNs, IDS/IPS, on the firewall, and keep everything else away from it.

Using OpenBSD as a wifi access point is possible, but depending on your network card, it may work well, may work somewhat well, or may not work at all. If you have a wifi card lying around, give it a try. If you don't have a wifi card lying around, I'd recommend getting a separate AP, as that will give better results. If you want to buy a wifi card specifically for OpenBSD, check in the manual if it's supported at all, and if it can work in hostap mode.

In my experience, servers aren't usually good workstations, as they have crappy GPUs, so for example using a web browser may be laggish.

Now, why don't you just use your server as a firewall, and use your laptop as a workstation? You can get a USB SSD and install OpenBSD to it, so that it's easy to dual-boot.

Also, you could virtualize both workstation and firewall, alongside each other. Keep in mind that to get good graphics performance in a VM, you need to allocate an entire GPU for it (and then you need another for the host, usually integrated will be enough). So besides a second GPU, to do GPU passthrough, you need a CPU that supports VT-d and a hypervisor that supports PCI passthrough (VMware ESXi, Linux KVM, XCP-ng should work). It's possible, but it's probably the hardest option, and I wouldn't recommend it if you are just starting out.

So, all things considered, the easiest option would be to use the server as a firewall, then dual-boot the laptop as a workstation, or get a cheap second-hand PC.

Kind regards,
Łukasz