iked choosing the wrong policy?
Hello, everyone. This is my iked.conf:

```
ikev2 "for-phone" passive esp \
	from any to 10.0.3.2/32 \
	local egress peer any \
	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
	childsa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group ecp256 \
	srcid server.mine \
	dstid phone.mine \
	eap "mschap-v2" \
	config address 10.0.3.2 \
	config name-server 10.0.0.1 \
	config netmask 255.255.255.255 \
	config protected-subnet 10.0.0.0/24 \
	config protected-subnet 10.0.1.0/24 \
	config protected-subnet 10.0.2.0/24 \
	tag "ROADW"

ikev2 "for-laptop" passive esp \
	from any to 10.0.3.3/32 \
	local egress peer any \
	ikesa enc aes-256 auth hmac-sha2-512 prf hmac-sha2-512 group ecp521 \
	childsa enc aes-256 auth hmac-sha2-512 group ecp521 \
	srcid server.mine \
	dstid laptop.mine \
	rsa \
	config address 10.0.3.3 \
	config name-server 10.0.0.1 \
	config netmask 255.255.255.255 \
	config protected-subnet 10.0.0.0/24 \
	config protected-subnet 10.0.1.0/24 \
	config protected-subnet 10.0.2.0/24 \
	tag "ROADW"
```

I expected the peer presenting itself as "phone.mine" to get the first policy (as long as it manages to authenticate by mschapv2), and the peer presenting itself as "laptop.mine" to get the second policy. However, what happens in reality is that both of them are being given the second policy, and the phone fails to authenticate. If I comment out the second policy, the phone successfully gets the first policy and authenticates itself, but, obviously, the laptop does not work then. How to correct the setup?

-- Yours sincerely, Vladimir Nikishkin (MiEr, lockywolf) (Laptop)
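An added note and example, not from the poster: my reading of iked's policy evaluation is that a passive policy is first selected when the IKE_SA_INIT request arrives, before the initiator has sent any ID, so with `peer any` both policies above match every initiator and, as with pf, the last matching policy decides unless it carries the `quick` keyword (iked.conf(5)). Whichever policy wins at that point supplies the IKE SA transforms for the first exchange, so an initiator offering ecp256 is answered from a policy that only allows ecp521 and never reaches IKE_AUTH, where `dstid` could distinguish the two. One way to keep both policies selectable by `dstid` yet interoperable at IKE_SA_INIT is to offer the same IKE SA transform set in both. This example assumes iked.conf accepts repeated transform keywords in one `ikesa` clause, which is how I read its grammar; the childsa and config lines are the poster's, unchanged.

```conf
# Added example, not the poster's file. Assumptions: iked.conf accepts
# repeated transform keywords, and the last matching passive policy decides
# at IKE_SA_INIT. Only the ikesa lines differ from the original.
ikev2 "for-phone" passive esp \
	from any to 10.0.3.2/32 \
	local egress peer any \
	ikesa enc aes-256 \
	      prf hmac-sha2-256 prf hmac-sha2-512 \
	      auth hmac-sha2-256 auth hmac-sha2-512 \
	      group ecp256 group ecp521 \
	childsa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group ecp256 \
	srcid server.mine \
	dstid phone.mine \
	eap "mschap-v2" \
	config address 10.0.3.2 \
	config name-server 10.0.0.1 \
	config netmask 255.255.255.255 \
	config protected-subnet 10.0.0.0/24 \
	config protected-subnet 10.0.1.0/24 \
	config protected-subnet 10.0.2.0/24 \
	tag "ROADW"

# Identical IKE SA offer, so IKE_SA_INIT succeeds no matter which of the two
# policies is picked before the peer's ID is known.
ikev2 "for-laptop" passive esp \
	from any to 10.0.3.3/32 \
	local egress peer any \
	ikesa enc aes-256 \
	      prf hmac-sha2-256 prf hmac-sha2-512 \
	      auth hmac-sha2-256 auth hmac-sha2-512 \
	      group ecp256 group ecp521 \
	childsa enc aes-256 auth hmac-sha2-512 group ecp521 \
	srcid server.mine \
	dstid laptop.mine \
	rsa \
	config address 10.0.3.3 \
	config name-server 10.0.0.1 \
	config netmask 255.255.255.255 \
	config protected-subnet 10.0.0.0/24 \
	config protected-subnet 10.0.1.0/24 \
	config protected-subnet 10.0.2.0/24 \
	tag "ROADW"
```

To check which policy was actually matched, run the daemon in the foreground with `iked -dv`: each received message is logged together with the name of the policy it was matched against, and a transform mismatch shows up as the responder answering the phone's IKE_SA_INIT with a NO_PROPOSAL_CHOSEN notification instead of proceeding to IKE_AUTH.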
Re: rdr-to across wg tunnel
On 21/07/26 08:55am, deich...@placebonol.com wrote: > Did you enable forwarding? > > On July 25, 2021 10:22:58 PM MDT, Vincent Lee wrote: Basically, what this gentleman said. You've thus far not sent us any information of worth on your setup, or even a tcpdump(8). Please send us the output of (1) $ sysctl net.inet.ip.forwarding as well as that of (2) $ netstat -rnf inet The former needs to output 1 for any of this to work. It allows forwarding of packets across interfaces. If it outputs zero then simply set it via sysctl(8) and add the corresponding entry to sysctl.conf(5) In the case of (2), I suspect there might not be a route to the host on the other end. To resolve (2), assuming you've resolved (1), requires my favourite OpenBSD daemon: relayd(8). You can save yourself a lot of time by simply configuring a route context in relayd.conf(5). Regards, JP
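An added pf.conf fragment for the setup being debugged in this thread; it is not from any poster and assumes the VPS's `egress` interface group, a `wg0` interface numbered 10.0.0.1 on the VPS, the second alias held in a `bar` macro, and that the Linux peer's WireGuard AllowedIPs covers only 10.0.0.1, so it has no route back to arbitrary Internet clients through the tunnel. Beyond the forwarding sysctl and the route check asked for above, the piece a bare `rdr-to` misses is the return path: the Linux box's replies are addressed to the client's public IP, and unless they re-enter the tunnel they leave by its residential default route with a 10.0.0.2 source and never arrive. Source-NATing the forwarded traffic to the tunnel address on the way out of wg0 makes the reply come back to the VPS, where pf reverses both translations.

```pf
# Added example, not from the thread. Assumptions: egress = VPS public
# interface group, wg0 = 10.0.0.1 on the VPS, bar = the second public alias.
bar      = "203.0.113.20"     # placeholder documentation address; use the real alias
wg_if    = "wg0"
wg_self  = "10.0.0.1"
linux_wg = "10.0.0.2"

# Inbound to the alias: rewrite the destination to the Linux peer and pass it.
pass in on egress inet to $bar rdr-to $linux_wg

# Outbound into the tunnel: rewrite the source to the VPS tunnel address so the
# Linux peer answers 10.0.0.1 (through the tunnel) instead of trying to reach the
# client's public address via its own default route. The outbound traversal of
# wg0 gets its own state, which is where this translation is recorded.
match out on $wg_if inet to $linux_wg nat-to $wg_self
pass out on $wg_if inet to $linux_wg
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`; with `net.inet.ip.forwarding=1` and a route to 10.0.0.2 via wg0 in `netstat -rnf inet`, `tcpdump -ni wg0` on the VPS should show the redirected packets leaving with source 10.0.0.1 and the replies returning to it. The alternative to the nat-to is to make the Linux side route the client's address back through the tunnel itself (AllowedIPs and a policy route for 10.0.0.2-sourced traffic), which keeps the client's real address visible to the Linux services.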
Re: Submitting Patches
> I've made a patch for the Xenocara project, and would like to submit > it. What is the best mailing list/developer/maintainer to send it to? > I can attach the patch in the a reply if anyone is curious for more > context. Thank you in advance. https://www.openbsd.org/faq/faq5.html#Diff
Re: rdr-to across wg tunnel
Did you enable forwarding? On July 25, 2021 10:22:58 PM MDT, Vincent Lee wrote: >Hi all, I'm running into some trouble trying to configure a >network. I'll try to keep it concise: > >Background: > >1. I have an OpenBSD Vultr VPS. It serves various odds and ends on >external IP address $foo, and runs 6.9 + syspatches. > >2. I have a second Linux machine located on a residential network with >unstable external IP. I'd like to avoid dynamic DNS services, having to >configure port-forwarding, etc. > >3. The two machines are linked by a confirmed-working Wireguard >tunnel. The VPS has address 10.0.0.1 and the Linux machine has address >10.0.0.2 in the tunnel. > >Objective: > >1. I want to expose a stable, routable IP address for the Linux machine, >regardless of the state of the residential network, by proxying through >my VPS. > >2. This address should be logically distinct from the existing address >for the VPS, as there is an overlap in the services each will >serve. (e.g. I could plausibly serve one website from the VPS and a >separate one from the Linux machine.) > >What I've tried: > >1. I've requested a second IP address $bar for my VPS and added it as an >inet alias address in hostname.if. With only this configuration, pinging >address $bar (which routes to the VPS) works. > >2. Next, I tried adding a pf redirect on the VPS: pass in from any to >$bar rdr-to 10.0.0.2 > >3. I tried pinging and ssh-ing to address $bar after adding this rule >and reloading pf rules, but traffic don't seem to be getting to the >Linux box. > >4. I tried also a binat rule: pass on egress from 10.0.0.2 to any >binat-to $bar with the same result. > >Any obvious problems, and is there an easier way to achieve my >objective? >
Re: rdr-to across wg tunnel
On Sun, Jul 25, 2021 at 11:22:58PM -0500, Vincent Lee said: > 2. Next, I tried adding a pf redirect on the VPS: pass in from any to > $bar rdr-to 10.0.0.2 It sounds like you want binat-to. Checkout pf.conf(5). --Matt -- Matthew Ernisse m...@going-flying.com https://www.going-flying.com/
Re: How to use macros in acme-client.conf?
On 7/26/21 5:20 AM, Omar Polo wrote:
> Alexis writes:
>> Stuart Henderson writes:
>>> In gmane.os.openbsd.misc, you wrote:
>>>> I'm trying to use macros in my acme-client.conf, but it seems I cannot
>>>> get the syntax right. In addition to that, even when I try the example
>>>> from the acme-client.conf(5):
>>>>
>>>> api_url="https://acme-v02.api.letsencrypt.org/directory;
>>>> authority letsencrypt {
>>>> 	api url $api_url
>>>> 	account key "/etc/acme/letsencrypt-privkey.pem"
>>>> }
>>>>
>>>> It fails with a syntax error:
>>>>
>>>> $ ./acme-client -vvv -f ../test.conf
>>>> api_url = "https://acme-v02.api.letsencrypt.org/directory;
>>>> ../test.conf:3: syntax error
>>
>> Are spaces around the '=' permitted? i thought they weren't. The
>> example in acme-client.conf(5) man page certainly doesn't have them.
>
> The parser.y used in acme-client (and other stuff in base) is quite
> flexible w.r.t. spaces/tabs
>
>     602 top:
>     603 	p = buf;
>     604 	while ((c = lgetc(0)) == ' ' || c == '\t')
>     605 		; /* nothing */
>
> In sh (and probably other languages) spaces around the equal sign
> aren't permitted (well, they are valid but yield a different result).
>
>> Alexis.

Might be worth checking for non printable characters:

```perl
#!/usr/bin/env perl
#
# set tabstop=2
#
# Die on the first byte that is not printable ASCII, a tab or a newline.
# Carriage returns (CRLF endings), non-breaking spaces and curly quotes
# pasted from a browser all trip this check; the file is read as raw
# bytes, so any UTF-8 multibyte sequence is reported as well.
use strict;
use warnings;   # core pragmas in place of the non-core common::sense

my $file = shift or die "usage: $0 filename\n";
open my $fh, "<", $file or die "$!";

my $line_number = 1;
while (<$fh>) {
	my @chars = split //;
	for (@chars) {
		my $ord = ord $_;
		# skip newlines and tabs
		next if ($ord == 10 || $ord == 9);
		die "non printable character found: $line_number: $ord\n"
			if ($ord < 32 || $ord > 126);
	}
	$line_number++;
}
close $fh;
1;
```
Re: How to use macros in acme-client.conf?
Alexis writes:
> Stuart Henderson writes:
>
>> In gmane.os.openbsd.misc, you wrote:
>>> I'm trying to use macros in my acme-client.conf, but it seems I
>>> cannot
>>> get the syntax right. In addition to that, even when I try the
>>> example
>>> from the acme-client.conf(5):
>>>
>>> api_url="https://acme-v02.api.letsencrypt.org/directory;
>>> authority letsencrypt {
>>> 	api url $api_url
>>> 	account key "/etc/acme/letsencrypt-privkey.pem"
>>> }
>>>
>>> It fails with a syntax error:
>>>
>>> $ ./acme-client -vvv -f ../test.conf
>>> api_url = "https://acme-v02.api.letsencrypt.org/directory;
>>> ../test.conf:3: syntax error
>
> Are spaces around the '=' permitted? i thought they weren't. The
> example in acme-client.conf(5) man page certainly doesn't have them.

The parser.y used in acme-client (and other stuff in base) is quite flexible w.r.t. spaces/tabs

```
602 top:
603 	p = buf;
604 	while ((c = lgetc(0)) == ' ' || c == '\t')
605 		; /* nothing */
```

In sh (and probably other languages) spaces around the equal sign aren't permitted (well, they are valid but yield a different result).

> Alexis.
Re: How to use macros in acme-client.conf?
Stuart Henderson writes:
> In gmane.os.openbsd.misc, you wrote:
>> I'm trying to use macros in my acme-client.conf, but it seems I cannot
>> get the syntax right. In addition to that, even when I try the example
>> from the acme-client.conf(5):
>>
>> api_url="https://acme-v02.api.letsencrypt.org/directory;
>> authority letsencrypt {
>> 	api url $api_url
>> 	account key "/etc/acme/letsencrypt-privkey.pem"
>> }
>>
>> It fails with a syntax error:
>>
>> $ ./acme-client -vvv -f ../test.conf
>> api_url = "https://acme-v02.api.letsencrypt.org/directory;
>> ../test.conf:3: syntax error

Are spaces around the '=' permitted? i thought they weren't. The example in acme-client.conf(5) man page certainly doesn't have them.

Alexis.
Re: How to use macros in acme-client.conf?
In gmane.os.openbsd.misc, you wrote: > I'm trying to use macros in my acme-client.conf, but it seems I cannot > get the syntax right. In addition to that, even when I try the example > from the acme-client.conf(5): > > api_url="https://acme-v02.api.letsencrypt.org/directory; > authority letsencrypt { > api url $api_url > account key "/etc/acme/letsencrypt-privkey.pem" > } > > It fails with a syntax error: > > $ ./acme-client -vvv -f ../test.conf > api_url = "https://acme-v02.api.letsencrypt.org/directory; > ../test.conf:3: syntax error > > It looks like the macro is loaded correctly, but the expansion fails. Are > the macros just bugged? If not, could someone please advise me on what I > am doing wrong? It works for me. Are you using a new manpage with an old version of acme-client?
Re: Remove outdated /etc/examples/unwind.conf?
On 2021-07-24, David Higgs wrote: > I wonder if there would be any benefit to a sysclean-like tool as part of a > standard upgrade/sysmerge that automatically deletes everything older than > the (supported) current and prior release? I think it's not possible, sometimes config files move from being installed in /etc by default to not having a default but still used, such a tool would remove those. sysclean is great, and for files in "system owned" directories like /usr/lib, /usr/include, /usr/share and the various bin directories, in almost all cases the list of files can be removed directly. But for "user owned" directories like /etc that's very much not the case.
Re: Permit to reprint tshirt artwork
Good morning! titomarifran...@gmail.com (Tito Mari Francis Escaño), 2021.07.26 (Mon) 04:28 (CEST): > I really like the tshirt design as illustrated here: > https://www.openbsd.org/images/tshirt-23.gif The most recent similar thread I could find: https://marc.info/?l=openbsd-misc&m=155439809001096 Marcus > I bought this shirt before and I was hoping to buy at least one but as per > https://www.openbsd.org/tshirts.html this is out of print. > > Can you please point me to whom I should ask permission to reprint > t-shirts with this design? > > Thanks and regards.
rdr-to across wg tunnel
Hi all, I'm running into some trouble trying to configure a network. I'll try to keep it concise:

Background:

1. I have an OpenBSD Vultr VPS. It serves various odds and ends on external IP address $foo, and runs 6.9 + syspatches.

2. I have a second Linux machine located on a residential network with unstable external IP. I'd like to avoid dynamic DNS services, having to configure port-forwarding, etc.

3. The two machines are linked by a confirmed-working Wireguard tunnel. The VPS has address 10.0.0.1 and the Linux machine has address 10.0.0.2 in the tunnel.

Objective:

1. I want to expose a stable, routable IP address for the Linux machine, regardless of the state of the residential network, by proxying through my VPS.

2. This address should be logically distinct from the existing address for the VPS, as there is an overlap in the services each will serve. (e.g. I could plausibly serve one website from the VPS and a separate one from the Linux machine.)

What I've tried:

1. I've requested a second IP address $bar for my VPS and added it as an inet alias address in hostname.if. With only this configuration, pinging address $bar (which routes to the VPS) works.

2. Next, I tried adding a pf redirect on the VPS: pass in from any to $bar rdr-to 10.0.0.2

3. I tried pinging and ssh-ing to address $bar after adding this rule and reloading pf rules, but traffic doesn't seem to be getting to the Linux box.

4. I tried also a binat rule: pass on egress from 10.0.0.2 to any binat-to $bar with the same result.

Any obvious problems, and is there an easier way to achieve my objective?