Attempt 0 - Wireguard OpenBSD

This attempt failed - Reasons why are spoke about in Attempt 1

The task at hand boils down to two sub-tasks

  1. Installing OpenBSD on a Raspberry Pi 4
  2. Installing and configuring Wireguard on OpenBSD

I’ll explore the research I’ve gathered on these two below

Installing OpenBSD So I did some research on this last month and found this video of someone who has done it before; this tells me it is at least possible, even if it is not widely covered. Devling deeper I found this post which details instructions. This is going to be a fairly complex process, so I’ll detail it below for future me

  1. Update EEPROM - Log into vanilla raspery-pi-os. I’m going to want to update it using apt and update the eeprom using a separate command. Both below
apt update && apt upgrade -y
rpi-eeprom-update

(It might also be worth setting the DHCP for this MAC as a reserved address at this point also)

  1. Load the latest UEFI onto the sd card - This can be done directly from the raspberry pi imager, I just need to choose the bootloader. I may let this Pi boot from USB, so I’ll also choose the USB boot option. After this, I insert the SD card I have flashed the UEFI onto into the Pi. After turning it on the green activity light should start rapidly flashing, and if I have connected an HDMI monitor the screen will turn green if successful.

  2. Set UEFI settings for OpenBSD compatibility - I need to change three settings

  • Device Manager -> Raspberry Pi Configuration -> Advanced Configuration -> Limit RAM to 3 GB: Disabled
  • Device Manager -> Raspberry Pi Configuration -> Advanced Configuration -> System Table Selection: Device tree
  • Device Manager -> Raspberry Pi Configuration -> SD/MMC Configuration -> uSD/eMMC Routing: eMMC2 SDHCI
  1. Install OpenBSD - So now is probably a good time to mention I have never used any derivative of BSD, let alone installed it. I am moderately terrified, but also excited with this. It looks like to do this I need to go to the this page, choose a mirror, choose my architecture, and download the miniroot image file. I need to burn that into the SD card using dd and insert it into the Pi. With a keyboard and monitor attached, I can turn on the pi. I need to do any letter key press and backspace whatever I typed. Then I need to set tty fb0 (more info on that here). Following this do a normal OpenBSD install, remembering the following
  • Set framebuffer as default console (as per Solskogens note) -> echo "set tty fb0" >> /etc/boot.conf
  • Enable X11 -> rcctl enable xenodm

This being done theoretically I should have a working BSD box. Do I believe this will work the first time? Of course not. I will need to do my regular hardening i.e. automatic updates, ssh hardening, etc. I’m sure it’s going to be fun for me to figure out how to do that.

Installing Wireguard Once SSH’d into the box I will want to become root using su. Then run the following commands

  1. Install Wireguard -> pkg_add wireguard_tools
  2. Allow forwarding on server interface (ipv4)-> sysctl net.inet.ip.forwarding=1
  3. Write new config to /etc/sysctl.cong -> echo "net.inet.ip.forwarding=1 >> /etc/sysctl.conf
  4. Create Wireguard dir and cd into it -> mkdir -p /etc/wireguard && cd /etc/wireguard
  5. Create a private key -> wg genkey > private.key
  6. Create a public key -> wg pubkey <private.key> public.key
  7. Create/edit Wireguard config file -> vim wg0.conf
  8. Insert the following and save
[Interface]
PrivateKey = {SERVER-PRIVATE-KEY}
ListenPort = 51820

# Client 1
[Peer]
PublicKey = {CLIENT-PUBLIC-KEY}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
  1. Configure the filewall in /etc/pf.conf. Add the following
pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (vio0:0)
  1. Restart firewall -> pfctl -f /etc/pf.conf
  2. Create hostname for wg0 in etc -> vim hostname.wg0
  3. Inset the following
inet 10.0.10.1 255.255.255.0 NONE
up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg.conf
  1. On the client device install wireguard-tools -> paru -S wireguard-tools
  2. Create /etc/wireguard dir and cd into it -> mkdir -p /etc/wireguard && cd /etc/wireguard
  3. Generate public-private keypair -> sudo wg genkey | tee private | wg pubkey > public.key && mv private private.key
  4. Create/edit config file -> vim wg0.conf and insert the following
[Interface]
PrivateKey = {CLIENT-PRIVATE-KEY}
Address = 10.0.10.2/24

[Peer]
PublicKey = {SERVER-PUBLIC-KEY}
Endpoint = 192.168.0.0:51820 #Your public IP address
AllowedIPs = 0.0.0.0/0 ::/0
PersistentKeepalive = 25
  1. Start Wireguard interface on server-> sh /etc/netstart wg0
  2. Start Wireguard interface on client -> sudo wg-quick up wg0
  3. Ping out from the client device to see if it works

It is worth mentioning the following

  • with steps 12 and 16. With the IPs that you set - they need to exist within the same subnet, but cannot be the same. On the client side, you are declaring what the IP will be for that device.
  • When I want to add a new peer, I will have to deliver that in wg0.conf on the server. This has the potential to add a lot of administrative overhead, so I will need to see about finding a way to automate this.

whoami

A general purpose blog for me to braindump anything I might be thinking about. Please dont hesistate to reach out if you have any questions

2023-11-07