Re: Cloud-Storage & OpenBSD

2018-09-02 Thread Dain Bentley
Rclone and a storage provider of choice

Get Outlook for iOS


From: 32071115340n behalf of
Sent: Sunday, September 2, 2018 12:37 PM
To: Kurtis
Cc: misc@openbsd.org
Subject: Re: Cloud-Storage & OpenBSD

Tarsnap?

Sent from my iPhone

> On Sep 2, 2018, at 10:43 AM, Kurtis  wrote:
>
> Hey all,
>
> I'm just wondering if anyone has any suggestions with any Online File Backup 
> / Synchronization services?
>
> I used Dropbox for a long time but decided to drop it in favor of pCloud. 
> It's about time to do another annual subscription so I'm looking at options.
>
> I use the same service for backing up photos from my phone, backing up 
> documents from computers, and syncing files between multiple machines (Mac, 
> Windows, and Linux, Android).
>
> Specifically, I'm looking for a service that is compatible with the major 
> operating systems but also has a good client for OpenBSD.
>
> Bonus feature would be the ability to share the service with my family using 
> different accounts.
>
> The ability to generate credentials that can only access certain folders 
> would be _really_ cool. For example, my machines could generate reports and 
> store them in my sync'd service so I could simplify viewing them from any 
> machine.
>
> Thanks!
>
>
>



Can't connect to local LAN via L2TP VPN

2017-02-24 Thread Dain Bentley
I have an OpenBSD L2TP IPSEC tunnel created and I can connect to it fine,
however when I try to browse the local network I cannot. Here is my
ipsec.conf file:
Code:

ike passive esp transport \
  proto udp from xx.xx.xx.xx to any port 1701 \
  main auth "hmac-sha1" enc "aes" group modp1024 \
  quick auth "hmac-sha1" enc "aes" group modp1024 \
  psk "VerySecretPassword"

Here is my pf.conf
Code:

ext_if2 = "enc0"
vpn_if = "pppx"
vpn_net = "10.0.0.0/24"

# allow esp protocol
pass in on $ext_if2 proto esp

# allow udp connections for isakmp and ipsec-nat-t
pass in on $ext_if2 proto udp to port { isakmp, ipsec-nat-t }

# allow all IPSec traffic
pass on enc0 keep state (if-bound)

# allow all traffic in the VPN network
pass on $vpn_if from $vpn_net
# allow all traffic out to the VPN network
pass on $vpn_if to $vpn_net

# nat outgoing connections over the internet interface to allow internet usage
match out on $ext_if2 from $vpn_net nat-to ($ext_if2) set prio (3,4)

It doesn't seem to allow me to browse my local network. I can connect just
fine, but it doesn't seem to route my traffic to the local LAN. Is there
something I'm missing?
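As an added illustration (not part of the thread), the same rules with the physical external interface and enc0 kept separate, which is how the OpenBSD FAQ lays out IPsec filtering: ESP and ISAKMP/NAT-T arrive on the physical interface, only the decapsulated L2TP traffic is seen on enc0, and NAT for VPN clients belongs on the physical interface. em0 as the external interface, em1/192.168.1.0/24 as the LAN and 10.0.0.0/24 as the npppd pool are assumed.

```pf
# Assumed interface and address layout (not from the original post)
ext_if  = "em0"             # physical interface facing the Internet
vpn_if  = "pppx"            # npppd L2TP sessions appear as pppx(4) interfaces
vpn_net = "10.0.0.0/24"     # pool handed out by npppd
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# ESP and IKE/NAT-T reach the physical interface, never enc0
pass in on $ext_if proto esp
pass in on $ext_if proto udp to port { isakmp, ipsec-nat-t }

# After decapsulation only the L2TP control/data channel (UDP 1701) shows up on enc0
pass on enc0 proto udp to port 1701 keep state (if-bound)

# PPP sessions: VPN clients may originate traffic, and may be forwarded into the LAN
# (net.inet.ip.forwarding=1 in /etc/sysctl.conf is required for this forwarding)
pass in on $vpn_if from $vpn_net
pass out on $lan_if from $vpn_net to $lan_net

# Internet access for VPN clients: NAT on the physical interface, not on enc0
match out on $ext_if from $vpn_net nat-to ($ext_if)
pass out on $ext_if from $vpn_net
```

If the OpenBSD box is not the LAN's default gateway, the LAN hosts also need a route for $vpn_net pointing at it, otherwise their replies never come back through the tunnel.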



Re: Multiple VLANs & PF rules

2015-08-19 Thread Dain Bentley
I have multiple vlans and a trunk port.  I have hostname.vlan100 and
hostname.200 in /etc.  Then my pf.conf file uses packet tagging to separate
the vlan traffic.

On Wednesday, August 19, 2015, Dot Yet  wrote:

> Hello,
>
> I am replacing a Cisco ASA at my home with an openbsd server. I've pf with
> nat and some basic rules in place. my internal machines are able to reach
> out to the internet with no problems. I've a separate lab network of
> servers which are segregated into multiple VLANs. I've been able to create
> the  various vlans on the openbsd server, but I am not sure how inter-VLAN
> routing is suppose to work. The interface layout looks like this:
>
> em0 - outbound to ISP
> em1 - my home network
> em2 - member of trunk0
> em3 - member of trunk0
> trunk0 - lacp trunk for my lab network
> trunk0.vlan12 - vlan 12
> trunk0.vlan15 - vlan 15
>
> So, can one of you help me understand how I can write the pf rules to allow
> communication between em1 and vlan 12/15 or communication between vlan 12
> and vlan 15 etc.
>
> Please let me know.
>
> Thanks,
> dot
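An added example of the packet-tagging approach the reply mentions, built around the interface list in the question (it is not from either post): each packet is tagged on the interface it enters, and the tag decides which interfaces it may leave on. Interface names vlan12/vlan15 (the trunk0 VLAN members) and the address ranges are assumed.

```pf
# Interfaces from the question; address ranges are assumed
ext_if   = "em0"
home_if  = "em1"
lab_ifs  = "{ vlan12, vlan15 }"     # vlan(4) interfaces on top of trunk0
home_net = "192.168.1.0/24"
lab12_net = "10.12.0.0/24"
lab15_net = "10.15.0.0/24"

set skip on lo
block log all

# Tag on ingress; the tag travels with the packet to the egress decision
match in on $home_if from $home_net tag HOME
match in on vlan12 from $lab12_net tag LAB
match in on vlan15 from $lab15_net tag LAB

# Accept tagged packets on the interfaces they belong to
pass in on $home_if tagged HOME
pass in on $lab_ifs tagged LAB

# Home network: Internet plus both lab VLANs
pass out on $ext_if tagged HOME nat-to ($ext_if)
pass out on $lab_ifs tagged HOME

# Lab VLANs: Internet and each other (inter-VLAN), but never the home network,
# since no rule passes LAB-tagged packets out on $home_if
pass out on $ext_if tagged LAB nat-to ($ext_if)
pass out on $lab_ifs tagged LAB
```

Replies ride on the floating state created by the pass rules, so no separate rule is needed for return traffic; check the result with pfctl -nf /etc/pf.conf before loading it.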



Re: OT: OpenBSD firewalls powering QuakeCon

2015-08-03 Thread Dain Bentley
Saw this earlier from Reddit.  I remember an article from Wired magazine a
few years ago that talked about OpenBSD being used at QuakeCon.

On Monday, August 3, 2015, Bryan Irvine  wrote:

> Interesting interview with the guys running the NOC at QuakeCon.
>
> What Powers Quakecon | Network Operations Center Tour
> 



Re: Intel Atom?

2015-07-27 Thread Dain Bentley
I've been using an Atom for a firewall/VPN for a couple of years.  Works
great.

On Monday, July 27, 2015, Quartz  wrote:

> What's Intel Atom support like these days? I remember they used to be a
> little weird. Are they handled pretty much like any other x86 chip now or
> are some things still unsupported? Are they capable of handling pf on a
> saturated 100-base-t connection? How about gig-e?



Re: Microsoft Now OpenBSD Foundation Gold Contributor

2015-07-08 Thread Dain Bentley
For what it's worth, Microsoft leadership has changed and so has their
strategy.  They've embraced other OSS projects and are contributing to
Docker as well.  They are also working on a way to get .Net to be cross
platform.  They have also stated they will be implementing SSH more or less:
http://arstechnica.com/information-technology/2015/06/microsoft-bringing-ssh-to-windows-and-powershell/


I'm not surprised by the donation given their leadership change at all.

On Wednesday, July 8, 2015, Joel Rees  wrote:

> Hmm. Should have looked at the contributions page before I posted. I
> was reading "Gold" and thinking "Iridium".
>
> On Thu, Jul 9, 2015 at 8:40 AM, Joel Rees wrote:
> > Since Jorge broached the subject, I have a couple of armpits I'd like to
> > air.[1]
> >
> > I am glad, Theo, that you are not on the board of the OpenBSD
> > Foundation. For many reasons, including the present topic of
> > discussion, it demonstrates that you understand engineering and
> > security and how they interact from a very broad perspective.
> >
> > I sympathize with the board. There is no correct response that I can
> > see from where I'm sitting.
> >
> > Beyond that, the board doesn't need armchair quarterbacks.
> >
> > I just wish Microsoft had given us (the community, as well as the
> > project) more time.
>
> Less than USD 50,000 is probably not quite in the range to get worried
> about.
>
> Makes Google look a little stingy, though.
>
> > --
> > Joel Rees
> >
> > [1] Opinions are like armpits.
> > Everyone has a couple, and they all stink but your own.
> > -- a common saying in Texas from the mid-1970s
>
> --
> Joel Rees
>
> Be careful when you look at conspiracy.
> Look first in your own heart,
> and ask yourself if you are not your own worst enemy.
> Arm yourself with knowledge of yourself, as well.



Re: Resolve names from chroot'ed OpenBSD httpd

2015-05-23 Thread Dain Bentley
You found my post nonetheless.  I copied over resolv.conf, localtime and
hosts I believe.  Then it started working.

On Friday, May 22, 2015, Daniel Bolgheroni  wrote:

> On Fri, May 22, 2015 at 06:39:53AM -0400, Dain Bentley wrote:
> > I had this issue a while back.  Have you tried restarting the server?
>
> Sure, but didn't solve the problem.
>
> http://marc.info/?l=openbsd-misc&m=135603654831609&w=2



Re: Resolve names from chroot'ed OpenBSD httpd

2015-05-22 Thread Dain Bentley
Also check permissions on the files.

On Thursday, May 21, 2015, Daniel Bolgheroni  wrote:

> Hi,
>
> Any advice on resolving names from a chroot'ed httpd?
>
> OpenBSD 5.7, Wordpress downloaded from site, mariadb configured, paths
> set on httpd.conf. Also have /var/www/etc/hosts and
> /var/www/etc/resolv.conf in place.
>
> Works almost as expected, except for some functions like installing
> plugins/themes, which I get a lot of "php_network_getaddresses:
> getaddrinfo failed: no address associated with name" when activating
> Wordpress debug.
>
> Warning: stream_socket_client(): unable to connect to
> tcp://api.wordpress.org:80 (php_network_getaddresses: getaddrinfo
> failed: no address associated with name) in
> /htdocs/wordpress/wp-includes/class-http.php on line 1008
>
> Same problem with nginx from ports.
>
> Thank you.
>
> --
> db



Re: Resolve names from chroot'ed OpenBSD httpd

2015-05-22 Thread Dain Bentley
I had this issue a while back.  Have you tried restarting the server?

On Thursday, May 21, 2015, Daniel Bolgheroni  wrote:

> Hi,
>
> Any advice on resolving names from a chroot'ed httpd?
>
> OpenBSD 5.7, Wordpress downloaded from site, mariadb configured, paths
> set on httpd.conf. Also have /var/www/etc/hosts and
> /var/www/etc/resolv.conf in place.
>
> Works almost as expected, except for some functions like installing
> plugins/themes, which I get a lot of "php_network_getaddresses:
> getaddrinfo failed: no address associated with name" when activating
> Wordpress debug.
>
> Warning: stream_socket_client(): unable to connect to
> tcp://api.wordpress.org:80 (php_network_getaddresses: getaddrinfo
> failed: no address associated with name) in
> /htdocs/wordpress/wp-includes/class-http.php on line 1008
>
> Same problem with nginx from ports.
>
> Thank you.
>
> --
> db



Re: L2TP using Npppd and IPsec

2015-03-27 Thread Dain Bentley
I'd love a copy!  Thanks

On Friday, March 27, 2015, Brian S. Vangsgaard  wrote:

> Hi,
>
>> for the talk he gave at BSDCan IIRC. I don't need to use RADIUS just a
>> local authentication database. It is in the base and it seems very easy
>> to configure.
>>
>
> It is.
>
>> Is anybody running similar setup in production? Any caveats? Any other
>> advises before I take a plunge.
>>
>
> Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting.
>
> Very easy to configure (Linux being the exception :p).
>
> You only need to change npppd.conf, npppd-users and ipsec.conf and you are
> in business.
>
> I wrote an up-to-date guide on how to do it, let me know if you want a
> copy.
>
> Caveats... yes.
> I'm currently seeing issues with some clients (might be a client software
> issue) sending multiple connect requests.
> The ip-address reserved for the client is being assigned to the first
> request, but it seems like the last request "wins", but alas! no ip-address
> available (since it was assigned to the first request).
>
> But then again, I have some Windows clients connected for more than 2
> weeks non-stop, before they disconnect (prob. a Windows update wanting to
> reboot ;) ).
>
>
> --
> bsv