jwillikers/openbsd-router

OpenBSD Router

The configuration for my OpenBSD home router. I use a Protectli vault, which I highly recommend.

Features
  • Firewall

  • DHCP

  • IPv6

  • Multicast

  • VLAN

  • DNS caching

  • DNS over TLS

  • Remote access via SSH

  • Support for Matter IoT devices

  • Monitoring via SNMP

Overview

This configuration is intended for OpenBSD 7.6. Egress is on port em0, which is connected to my ISP. The rest of the physical interfaces are combined using a virtual Ethernet bridge. Additional VLANs are used to isolate different parts of the network. These are described in the VLANs table.

Table 1. VLANs

    VLAN  Purpose
    2     Wireless guest network
    3     IoT
    4     Work

The egress interface obtains an IPv6 address using stateless address autoconfiguration. An additional IPv6 prefix is obtained from my ISP using prefix-delegation for the bridge network. The primary network and each VLAN receive a /64 prefix cut from the delegated prefix.

Usage

  1. Install OpenBSD. The process is documented in the OpenBSD FAQ - Installation Guide. No graphical utilities are needed.

  2. Install Git.

    doas pkg_add git
  3. Clone the repository.

    git clone https://github.com/jwillikers/openbsd-router
  4. Change to the project’s directory.

    cd openbsd-router
  5. Copy the etc/snmpd.conf.template file to etc/snmpd.conf.

    cp etc/snmpd.conf.template etc/snmpd.conf
  6. Restrict permissions on etc/snmpd.conf.

    chmod 0600 etc/snmpd.conf
  7. Add the authentication and encryption passphrases for the SNMPv3 user in the etc/snmpd.conf file.

    etc/snmpd.conf
    user "monitor" auth hmac-sha256 authkey "******" enc aes enckey "******"
  8. Install everything.

    doas ./install.sh
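
A check that can be run between steps 7 and 8, as an added example that is not part of the repository and does not replace its validate.sh. The function name check_snmpd_conf is hypothetical, and the script assumes a single user line in the layout shown in step 7, treats an all-asterisk value as the masked placeholder left unedited, and uses the 8-character USM minimum from RFC 3414 as the shortest acceptable passphrase.

```sh
#!/bin/sh
# Added example, not part of the repository: pre-install check for etc/snmpd.conf.
# Assumptions: one `user` line in the layout shown in step 7; an all-asterisk
# value means the masked placeholder was never replaced; 8 is the minimum
# passphrase length (the USM minimum from RFC 3414).

# check_snmpd_conf FILE: print findings; return 0 if clean, 1 otherwise.
check_snmpd_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }

    # The file holds both SNMPv3 passphrases, so only the owner may read it.
    mode=$(ls -ld "$conf" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "mode is $mode, expected -rw------- (chmod 0600)"
        rc=1
    fi

    # First non-comment user line; extract each quoted key from it.
    line=$(grep -E '^[[:space:]]*user[[:space:]]' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no user line found"; return 1; }
    for kw in authkey enckey; do
        key=$(printf '%s\n' "$line" |
            sed -n "s/.*[[:space:]]${kw}[[:space:]]*\"\([^\"]*\)\".*/\1/p")
        case $key in
            "")      echo "$kw: not set"; rc=1 ;;
            *[!*]*)  # contains a real character: check the length
                     if [ "${#key}" -lt 8 ]; then
                         echo "$kw: shorter than 8 characters"; rc=1
                     fi ;;
            *)       echo "$kw: still the masked placeholder"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the line from step 7 left unedited in a world-readable file.
demo=$(mktemp)
printf '%s\n' 'user "monitor" auth hmac-sha256 authkey "******" enc aes enckey "******"' > "$demo"
chmod 0644 "$demo"
check_snmpd_conf "$demo" || echo "not ready to install"
rm -f "$demo"
```
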

Validate Configuration Files

The validate.sh script can be used to validate some of the configuration files. Run it to ensure everything is hunky dory.

doas ./validate.sh

Update

The update.sh script is a convenience for running commands to update the OpenBSD system. It will initiate upgrades of the system to new major versions, in addition to applying system patches and updating packages. Run it as follows.

doas ./update.sh

For details on upgrading between major versions, find the corresponding upgrade guide on the OpenBSD Frequently Asked Questions page.

Code of Conduct

The project’s Code of Conduct is available in the CODE_OF_CONDUCT.adoc file.

License

© 2023-2024 Jordan Williams

Authors