
Cooking Fugu Fish at Home or OpenBSD on a Home Server


Of course, this is not going to be about cooking the well-known Japanese delicacy. It is about setting up, on a home server, several services that I decided I need, with OpenBSD as the operating system.
Many will exclaim: why do you need this little-known OS when there are Linux and FreeBSD? Indeed, I could have set everything up on another Unix-like system, but it would not have given me as much pleasure as I got from studying and configuring OpenBSD. Besides, I have always been drawn to complex and non-standard solutions.
Let's finish with the introduction and get back to the topic in the title.
Allow me to present the menu, dear reader.

Today in the menu:
1. Initial setup.
2. DNS (forwarding requests to the provider).
3. Soft RAID 1 (archive of family photos, music, travel videos and other important information).
4. rtorrent + rutorrent (different torrents are needed, different torrents are important).
5. NFS server (network folder for access from LAN computers).
6. VPN tunnel with work. FreeBSD (mpd5) OpenBSD (ppp) (I love, you know, sometimes working from home).
7. NUT + UPS Ippon Back power pro 400 (unexpected power outage is not a problem for us).
8. Firewall (great PF packet filter).

So, let's get started.



1. Initial setup.


I will describe the setup assuming the system is already installed, and stop only at the configuration of the network interfaces. There are two of them in my system: re0 and rl0.
    # cat /etc/hostname.re0
    inet 192.168.254.1 255.255.255.0
    inet alias 192.168.254.10 255.255.255.255
    # cat /etc/hostname.rl0
    inet 10.110.1.103 255.255.255.224

To install software I use both packages and ports, so first of all we download the ports tree:

    # cd /tmp
    # ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.7/ports.tar.gz
    # cd /usr
    # tar -zxvf /tmp/ports.tar.gz


To be able to update the ports tree, install cvsup:

    # cd /usr/ports
    # make search key=cvsup
    Port:   cvsup-16.1hp2-no_x11
    Path:   net/cvsup,-main,no_x11
    Info:   network file distribution system
    Maint:  The OpenBSD ports mailing-list <ports@openbsd.org>
    Index:  net devel
    L-deps:
    B-deps: :lang/ezm3
    R-deps:
    Archs:  i386
    # cd net/cvsup
    # make show=FLAVORS
    no_x11
    # env FLAVOR="no_x11" make install


Clean the port working directories:

    # make clean
    # make clean=depends


So as not to put it off indefinitely, let's immediately write the cvsup config for updating the ports tree:

    # cat /etc/cvsup-file-ports
    *default release=cvs
    *default delete use-rel-suffix
    *default umask=002
    *default host=obsd.cec.mtu.edu
    *default base=/usr
    *default prefix=/usr
    *default tag=OPENBSD_4_7
    OpenBSD-ports


A list of available anonymous CVS servers can be found here.
To update, just run:

    # cvsup -g -L 2 /etc/cvsup-file-ports


That is it with ports for now.
Let's move on to packages: in this step I install all the software I need from packages.

    # export PKG_PATH=http://ftp.gamma.ru/pub/OpenBSD/`uname -r`/packages/`machine -a`/
    # pkg_add libxml mod_scgi nut p5-XML-Parser php5-core php5-extensions \
        php5-xmlrpc pptp screen xmlrpc-c bash

* It may well be that the list is incomplete, since the server was set up a long time ago and I could have missed something.

2. DNS (forwarding requests to the provider).



Make the following changes to /etc/rc.conf.local so that named runs:

    named_flags=""
    named_user=named
    named_chroot=/var/named


To forward requests to the provider's DNS, it is enough to add the following line to /var/named/etc/named.conf (in the options section):

    forwarders { 10.5.0.2; };


and /etc/resolv.conf will contain

    nameserver 127.0.0.1


3. Soft RAID 1 (archive of family photos, music, travel videos and other important information).



To organize a software RAID in OpenBSD, do the following.
(The array will be assembled from two Western Digital 500GB HDDs.)

    # dmesg | grep WD
    wd2 at pciide0 channel 1 drive 0: <WDC WD5000AAKS-00UU3A0>
    wd3 at pciide0 channel 1 drive 1: <WDC WD5000AAKS-00UU3A0>


Next, everything is strictly according to man softraid. Initialize the disks (this overwrites the MBR boot code and the MBR partition table):

    # fdisk -iy wd2
    # fdisk -iy wd3


Create RAID partitions on the disks:

    # printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E wd2
    # printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E wd3


Assemble the array:

    # bioctl -c 1 -l /dev/wd2a,/dev/wd3a softraid0


Zeroing the beginning (header) of a disk before using it is considered good form:

    # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1


Initialize and format the array:

    # fdisk -iy sd0
    # printf "a\n\n\n\n4.2BSD\nw\nq\n\n" | disklabel -E sd0
    # newfs /dev/rsd0a


The attentive reader will notice that when I zeroed the beginning of the newly created array I used the name rsd0, whereas when creating the partition on the disk I used sd0. To understand the difference, let's turn to the excellent book Absolute OpenBSD: UNIX for the Practical Paranoid by Michael Lucas.

As the book's table of device names shows, two types of devices are designated: "raw" devices and block devices. Some programs are written to work with raw devices and cannot work with block devices, and vice versa.
When writing to or reading from a block device, the data is buffered, and the disk is accessed only once a certain limit (the buffer size) is reached.
When writing to or reading from a raw device, the data is transferred to the device immediately.
M. Lucas gives the following example to make these mechanisms easier to understand.

Imagine that in front of you is a bottle that you need to fill with pills. You take a pill with your right hand and move it to your left, and so on until your left hand is full; then you pour all the pills from your left hand into the bottle. That is how block devices work: your left hand played the role of a buffer. Now put each pill into the bottle one at a time; that is how raw devices work.
* I really hope that my clumsy translation of the explanation is clear

The final step is to mount the array and edit /etc/fstab so that it is mounted automatically when the system boots.

    # mkdir /raid
    # mount /dev/sd0a /raid
    # cat /etc/fstab
    ---skip---
    /dev/sd0a /raid ffs rw,nodev,nosuid 1 2
    ---skip---


4. rtorrent + rutorrent + apache2 (different torrents are needed, different torrents are important).



While preparing the first dish (the initial setup) we already installed the components the torrent client needs, except for the client itself.
We will install it from ports.

For rtorrent to work together with rutorrent, it has to be built with the configure script option --with-xmlrpc-c. To do this, go to the port directory

    # cd /usr/ports/net/rtorrent/


and correct the CONFIGURE_ARGS parameter in the Makefile:

    CONFIGURE_ARGS= ${CONFIGURE_SHARED} --disable-debug --with-xmlrpc-c

* A small hint: the wonderful Flavors mechanism is nothing more than a set of configure script options, as is easy to see by looking at the Makefile of www/php5/extensions, for example.

I consider posting the rtorrent config redundant; I will only say that torrents are downloaded to a separate disk mounted at /data, which is exported via NFS. Folder permissions:

    # ls -la /data/
    total 16
    drwxr-xr-x   4 root  wheel   512 Dec 11 18:41 .
    drwxr-xr-x  16 root  wheel   512 Dec 20 13:13 ..
    drwxr-xr-x  12 p2p   p2p    1024 Dec 20 20:19 torrents


Create the user that rtorrent will run as:

    # adduser
    Use option ``-silent'' if you don't want to see all warnings and questions.

    Reading /etc/shells
    Check /etc/master.passwd
    Check /etc/group
    Ok, let's go.
    Don't worry about mistakes. There will be a chance later to correct any input.
    Enter username []: p2p
    ---skip---


To start rtorrent automatically, add to /etc/rc.local:

    if [ -x /etc/rtorrent.sh ]; then
        echo -n ' rtorrent'; /etc/rtorrent.sh
    fi


rtorrent.sh:

    # cat /etc/rtorrent.sh
    su p2p -c '/usr/local/bin/screen -m -d -S rtorrent /usr/local/bin/rtorrent'


Next on the list is rutorrent.

    # cd /var/www/
    # mkdir sites/
    # cd sites/
    # wget http://rutorrent.googlecode.com/files/rutorrent-3.2.tar.gz
    # tar xzvf rutorrent-3.2.tar.gz
    # chown -R www:www rutorrent
    # chmod -R 777 rutorrent/share/


Now let's tackle the apache2 setup; it is already present in the system. Automatic start at boot with the necessary parameters is handled as follows.

    # cat /etc/rc.conf.local
    httpd_flags="-u"

* I added the -u flag to disable the apache chroot

For rutorrent I made a separate alias (the one mentioned in the first section) and a VirtualHost:

    # cat /var/www/conf/Includes/rutorrent.home.local.conf
    <VirtualHost 192.168.254.10:80>
        DocumentRoot /var/www/sites/rutorrent
        ServerName rutorrent.home.local
        ServerAlias www.rutorrent.home.local
        ErrorLog "|/usr/local/sbin/rotatelogs2 /var/log/httpd/http.rutorrent.home.local-error_log.%Y-%m-%d-%H_%M_%S 86400"
        CustomLog "|/usr/local/sbin/rotatelogs2 /var/log/httpd/http.rutorrent.home.local-access_log.%Y-%m-%d-%H_%M_%S 86400" common
    </VirtualHost>

    <Directory />
        AllowOverride AuthConfig
        DirectoryIndex index.html
        Order Deny,Allow
        Deny from all
        Allow from 192.168.0.0/16
    </Directory>

    SCGIMount /RPC2 127.0.0.1:5000


The final touch of this dish will be setting up password access to the rutorrent web interface.
In the rutorrent folder create a .htaccess file:

    # cat /var/www/sites/rutorrent/.htaccess
    AuthName "Ololo can be found here!"
    AuthType Basic
    AuthUserFile /home/onotole/.htpasswd
    Require valid-user


and the password file at the specified path:

    # htpasswd -c /home/onotole/.htpasswd admin


Start apache and check the fruits of our labor.

    # apachectl start


A couple of screenshots =)



5. NFS server (network folder for access from LAN computers).



Folders available to clients for NFS mounting:

    # sed '/ *#/d; /^$/d' /etc/exports
    /data -alldirs -mapall=nobody -network=192.168.254 -mask=255.255.255.0
    /raid -alldirs -mapall=nobody -network=192.168.254 -mask=255.255.255.0


Access rights:

    # chmod 777 /raid


Run nfsd at system startup:

    # grep nfs /etc/rc.conf.local
    nfs_server=YES


My desktop runs FreeBSD; there the folders are mounted by editing /etc/fstab:

    # grep gateway /etc/fstab
    gateway:/data  /home/onotole/data   nfs ro 0 0
    gateway:/raid  /home/onotole/share  nfs rw 0 0
    # mount ~/data
    # mount ~/share
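The exports above rely on two restrictions: squashing every client to nobody (-mapall=nobody) and limiting clients to the LAN (-network/-mask). The following sh function is an added example, not part of the original article: it reads exports in the same format (the sample content is constructed) and flags lines that drop either restriction or use -maproot.

```shell
#!/bin/sh
# Added example: audit OpenBSD-style /etc/exports lines for the restrictions
# used in the article. SAMPLE_EXPORTS is constructed input; on the server you
# would pass "$(cat /etc/exports)" instead.

SAMPLE_EXPORTS='# comment line, dropped by the same sed filter the article uses
/data -alldirs -mapall=nobody -network=192.168.254 -mask=255.255.255.0
/raid -alldirs -mapall=nobody -network=192.168.254 -mask=255.255.255.0
/backup -alldirs -maproot=root
/public -alldirs -mapall=nobody'

# Print one "path:verdict" line per export; verdict is "ok" or a
# comma-separated list of findings.
audit_exports() {
    printf '%s\n' "$1" | sed '/ *#/d; /^$/d' | while read -r path opts; do
        reason=""
        case " $opts " in
            *" -maproot="*) reason="maproot" ;;        # remote root keeps root
        esac
        case " $opts " in
            *" -network="*) ;;
            *) reason="${reason:+$reason,}no-network" ;;  # any host may mount
        esac
        case " $opts " in
            *" -mapall="*) ;;
            *) reason="${reason:+$reason,}no-mapall" ;;   # client uids pass through
        esac
        echo "$path:${reason:-ok}"
    done
}

# Return 0 only when every export line is "ok".
exports_clean() {
    ! audit_exports "$1" | grep -qv ':ok$'
}

audit_exports "$SAMPLE_EXPORTS"
```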


6. VPN tunnel with work. FreeBSD (mpd5) OpenBSD (ppp) (I love, you know, sometimes working from home).



I need access to the local network at work all the time, so I set up a VPN tunnel between the server at work and the home server.

The mpd5 config looks like this:

    startup:
        set user onotole ololo admin
        set console self 127.0.0.1 5005
        set console open
        set web self 192.168.0.1 5006
        set web open

    default:
        load pptp_vpn

    pptp_vpn:
        create bundle static pptp1
        set ipcp ranges 10.255.255.1/32 10.255.255.2/32
        set iface route 192.168.254.0/24
        set iface enable proxy-arp
        set iface enable on-demand
        set bundle enable compression
        set bundle enable crypt-reqd
        set ccp yes mppc
        set mppc yes compress
        set mppc yes e128
        set mppc yes stateless

        create link static lpptp1 pptp
        set link action bundle pptp1
        set link no pap
        set link yes chap
        set auth authname "ololo"
        set auth password "123"
        set link mtu 1460
        set link keep-alive 0 0
        set link max-redial -1
        set pptp self 1.2.3.4
        set pptp peer 0.0.0.0/0
        set link enable incoming


In OpenBSD, do the following.
Change the net.inet.gre.allow parameter:

    # sysctl -w net.inet.gre.allow=1
    net.inet.gre.allow: 0 -> 1


and also change the value of the parameter in /etc/sysctl.conf:

    # grep gre /etc/sysctl.conf
    net.inet.gre.allow=1


The ppp daemon's main config:

    # sed '/ *#/d; /^$/d' /etc/ppp/ppp.conf
    default:
        set log Phase Chat LCP IPCP CCP tun command
        disable ipv6cp

    vpn:
        set device "!/usr/local/sbin/pptp --nolaunchpppd work-onotole.com"
        set timeout 0
        set lqrperiod 600
        set redial 30
        set authname ololo
        set authkey 123
        set dial
        set login
        set mppe 128 stateless
        accept chap
        enable mssfixup
        disable acfcomp protocomp
        deny acfcomp


When the link comes up (add routes and reload pf.conf):

    # cat /etc/ppp/ppp.linkup
    vpn:
        add work-onotole.com 10.110.1.97
        add 192.168.0.0 255.255.255.0 10.255.255.1
        ! sh -c "/sbin/pfctl -f /etc/pf.conf"


When the link goes down (delete routes and reload pf.conf):

    # cat /etc/ppp/ppp.linkdown
    vpn:
        delete 192.168.0.0/24
        delete work-onotole.com
        ! sh -c "/sbin/pfctl -f /etc/pf.conf"


Bring the link up at system start:

    # cat /etc/hostname.tun0
    !/usr/sbin/ppp -ddial vpn >/dev/null 2>&1


7. NUT + UPS Ippon Back power pro 400 (unexpected power outage is not a problem for us).



Create configs for the daemons.
ups.conf:

    # cat /etc/nut/ups.conf
    [myups]
        driver = megatec
        port = /dev/tty00    # com1
        desc = "Server"


upsd.users:

    # cat /etc/nut/upsd.users
    [admin]
        password = ups123
        allowfrom = localhost
        actions = SET
        instcmds = ALL

    [monuser]
        password = mon123
        allowfrom = localhost
        upsmon master


upsd.conf:

    # cat /etc/nut/upsd.conf
    LISTEN 127.0.0.1 3493


upsmon.conf:

    # cat /etc/nut/upsmon.conf
    MONITOR myups@localhost 1 monuser mon123 master
    MINSUPPLIES 1                          # how many supplies must have power to keep running
    SHUTDOWNCMD "/sbin/shutdown -h now"    # command upsmon runs to halt the system
    POLLFREQALERT 5                        # polling interval (seconds) while on battery
    DEADTIME 15                            # seconds without a reply before the UPS is declared dead
    POWERDOWNFLAG /etc/killpower           # flag file created before shutdown; rc.shutdown checks it
    FINALDELAY 60                          # seconds between the final warning and SHUTDOWNCMD


Set the correct permissions on tty00 and load the driver:

    # chown _ups:wheel /dev/tty00
    # chmod 600 /dev/tty00
    # /usr/local/bin/upsdrvctl start


Start the daemons:

    # /usr/local/sbin/upsd
    # /usr/local/sbin/upsmon


Check the status of the UPS:

    # upsc myups@localhost
    battery.charge: 97.5
    battery.voltage: 13.60
    battery.voltage.nominal: 12.0
    driver.name: megatec
    driver.parameter.pollinterval: 2
    driver.parameter.port: /dev/tty00
    driver.version: 2.4.1
    driver.version.internal: 1.6
    input.frequency: 50.1
    input.frequency.nominal: 50.0
    input.voltage: 221.5
    input.voltage.fault: 221.5
    input.voltage.maximum: 245.0
    input.voltage.minimum: 206.8
    input.voltage.nominal: 220.0
    output.voltage: 221.5
    ups.beeper.status: enabled
    ups.delay.shutdown: 0
    ups.delay.start: 2
    ups.load: 19.0
    ups.mfr: unknown
    ups.model: unknown
    ups.serial: unknown
    ups.status: OL    # OL = on line (mains power), OB = on battery, LB = low battery
    ups.temperature: 25.0
    ups.type: standby


Add it to autostart: in /etc/rc.local write the nut startup sequence

    if [ -x /usr/local/bin/upsdrvctl ]; then
        echo -n ' nut'
        chown _ups:wheel /dev/tty00
        chmod 600 /dev/tty00
        /usr/local/bin/upsdrvctl start > /dev/null 2>&1
        /usr/local/sbin/upsd > /dev/null 2>&1
        /usr/local/sbin/upsmon > /dev/null 2>&1
    fi


To have the UPS cut the power only after the data on the disks has been synced, add the following to rc.shutdown:

    if [ -f /etc/killpower ]; then
        /usr/local/bin/upsdrvctl shutdown
        sleep 60
    fi
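The upsc output above is what upsmon reacts to: OL means mains power, OB on battery, LB low battery. As an added example (not from the original article), the sh functions below parse text in that same key: value format and reproduce the decision upsmon makes, so the logic can be checked on the server without waiting for a real outage. The sample output is constructed; the 30% charge floor is an assumption, not an article setting.

```shell
#!/bin/sh
# Added example: classify NUT status from `upsc`-style output.
# SAMPLE_UPSC is constructed; on the server use "$(upsc myups@localhost)".

SAMPLE_UPSC='battery.charge: 97.5
input.voltage: 221.5
ups.load: 19.0
ups.status: OB LB'

# Print the value of one key from upsc-style text on stdin ($1 is a sed regex).
upsc_get() {
    sed -n "s/^$1: //p"
}

# Map the ups.status flags to one word: online, onbatt, lowbatt or unknown.
# LB is checked first because NUT reports "OB LB" when the battery is nearly empty.
ups_state() {
    status=$(printf '%s\n' "$1" | upsc_get 'ups\.status')
    case " $status " in
        *" LB "*) echo lowbatt ;;
        *" OB "*) echo onbatt ;;
        *" OL "*) echo online ;;
        *)        echo unknown ;;
    esac
}

# Return 0 (shutdown warranted) on low battery, or on battery with the charge
# below the floor given as $2 (default 30%, an assumed value).
ups_needs_shutdown() {
    state=$(ups_state "$1")
    charge=$(printf '%s\n' "$1" | upsc_get 'battery\.charge')
    charge=${charge%.*}               # integer part: sh arithmetic has no floats
    [ "$state" = lowbatt ] && return 0
    [ "$state" = onbatt ] && [ "${charge:-100}" -lt "${2:-30}" ] && return 0
    return 1
}

ups_state "$SAMPLE_UPSC"
```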


8. Firewall (great PF packet filter).



Enable packet forwarding:

    # sysctl -w net.inet.ip.forwarding=1


and make the corresponding change in /etc/sysctl.conf:

    # grep ip.forwarding /etc/sysctl.conf
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets


The PF config is as simple as can be:

    # sed '/ *#/d; /^$/d' /etc/pf.conf
    ext_if="rl0"
    int_if="re0"
    vpn_if="tun0"

    set block-policy return
    set skip on lo0

    match in all scrub (no-df)

    block all
    pass on $int_if
    pass on $vpn_if
    pass out on $ext_if

    # NAT for the LAN
    pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

    # forward port 3333 (tcp, udp) to the dc++ client
    pass in on $ext_if proto {tcp,udp} from any port 3333 rdr-to 192.168.254.2 synproxy state


That's it! OpenBSD is fully staffed =)

That is what my little home server turned out to be.
I really like working with OpenBSD; I like its uncompromising simplicity and reliability. By the way, I only truly appreciated the value of the man command now, thanks to this OS. The system documentation is beyond praise. A deep bow and heartfelt thanks to the developers.

When preparing this, I used the following sources:
1. man pages
2. http://openbsd.org/faq/index.html
3. http://unixadmins.su/index.php/topic,196.0.html
4. www.openbsd.ru/docs/steps/nut.html
5. mpd.sourceforge.net/doc5/mpd.html
6. Absolute OpenBSD: Unix for the Practical Paranoid
Special thanks to Michael Lucas for his, without a doubt, masterpiece books!

Source: https://habr.com/ru/post/110477/

