This attempt failed. The reasons why are discussed in Attempt 1.
The task at hand boils down to two sub-tasks:
- Installing OpenBSD on a Raspberry Pi 4
- Installing and configuring WireGuard on OpenBSD
I'll explore the research I've gathered on these two below.
Installing OpenBSD

So I did some research on this last month and found this video of someone who has done it before; this tells me it is at least possible, even if it is not widely covered. Delving deeper I found this post which details instructions. This is going to be a fairly complex process, so I'll detail it below for future me.
- Update EEPROM - Log into vanilla Raspberry Pi OS. I'm going to want to update it using `apt` and update the EEPROM using a separate command. Both below:
  ```
  apt update && apt upgrade -y
  rpi-eeprom-update
  ```
  (It might also be worth setting a DHCP reservation for this MAC address at this point too.)
- Load the latest UEFI onto the SD card - This can be done directly from the Raspberry Pi Imager; I just need to choose the bootloader. I may let this Pi boot from USB, so I'll also choose the `USB boot` option. After this, I insert the SD card I have flashed the UEFI onto into the Pi. After turning it on, the green activity light should start rapidly flashing, and if I have connected an HDMI monitor the screen will turn green if successful.
- Set UEFI settings for OpenBSD compatibility - I need to change three settings:
  - Device Manager -> Raspberry Pi Configuration -> Advanced Configuration -> Limit RAM to 3 GB: Disabled
  - Device Manager -> Raspberry Pi Configuration -> Advanced Configuration -> System Table Selection: Device tree
  - Device Manager -> Raspberry Pi Configuration -> SD/MMC Configuration -> uSD/eMMC Routing: eMMC2 SDHCI
- Install OpenBSD - So now is probably a good time to mention I have never used any derivative of BSD, let alone installed it. I am moderately terrified, but also excited about this. It looks like to do this I need to go to this page, choose a mirror, choose my architecture, and download the `miniroot` image file. I need to write that onto the SD card using `dd` and insert it into the Pi. With a keyboard and monitor attached, I can turn on the Pi. I need to press any letter key and then backspace whatever I typed. Then I need to `set tty fb0` (more info on that here). Following this, do a normal OpenBSD install, remembering the following:
  - Set framebuffer as default console (as per Solskogen's note) -> `echo "set tty fb0" >> /etc/boot.conf`
  - Enable X11 -> `rcctl enable xenodm`
With this done, theoretically I should have a working BSD box. Do I believe this will work the first time? Of course not. I will also need to do my regular hardening, i.e. automatic updates, SSH hardening, etc. I'm sure it's going to be fun for me to figure out how to do that.
Installing WireGuard

Once SSH'd into the box I will want to become root using `su`. Then run the following commands:
1. Install WireGuard -> `pkg_add wireguard-tools`
2. Allow forwarding on the server (IPv4) -> `sysctl net.inet.ip.forwarding=1`
3. Write the new setting to `/etc/sysctl.conf` so it survives a reboot -> `echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf`
4. Create the WireGuard dir and cd into it -> `mkdir -p /etc/wireguard && cd /etc/wireguard`
5. Create a private key (run `umask 077` first so the key file is not readable by other users) -> `wg genkey > private.key`
6. Create a public key -> `wg pubkey < private.key > public.key`
7. Create/edit the WireGuard config file -> `vim wg0.conf`
8. Insert the following and save:
   ```
   [Interface]
   PrivateKey = {SERVER-PRIVATE-KEY}
   ListenPort = 51820

   # Client 1
   [Peer]
   PublicKey = {CLIENT-PUBLIC-KEY}
   AllowedIPs = 0.0.0.0/0
   PersistentKeepalive = 25
   ```
9. Configure the firewall in `/etc/pf.conf`. Add the following:
   ```
   pass in on wg0
   pass in inet proto udp from any to any port 51820
   # vio0 must be the Pi's actual uplink interface; check ifconfig and replace it
   pass out on egress inet from (wg0:network) nat-to (vio0:0)
   ```
10. Reload the firewall rules -> `pfctl -f /etc/pf.conf`
11. Create the hostname file for `wg0` in `/etc` -> `vim /etc/hostname.wg0`
12. Insert the following:
    ```
    inet 10.0.10.1 255.255.255.0 NONE
    up
    !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
    ```
13. On the client device install `wireguard-tools` -> `paru -S wireguard-tools`
14. Create the `/etc/wireguard` dir and `cd` into it -> `mkdir -p /etc/wireguard && cd /etc/wireguard`
15. Generate a public/private keypair -> `sudo wg genkey | tee private | wg pubkey > public.key && mv private private.key`
16. Create/edit the config file -> `vim wg0.conf` and insert the following:
    ```
    [Interface]
    PrivateKey = {CLIENT-PRIVATE-KEY}
    Address = 10.0.10.2/24

    [Peer]
    PublicKey = {SERVER-PUBLIC-KEY}
    Endpoint = 192.168.0.0:51820 # your public IP address
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25
    ```
17. Start the WireGuard interface on the server -> `sh /etc/netstart wg0`
18. Start the WireGuard interface on the client -> `sudo wg-quick up wg0`
19. Ping out from the client device to see if it works.
It is worth mentioning the following:
- With steps 12 and 16, the IPs that you set need to be within the same subnet, but cannot be the same. On the client side, you are declaring what the IP will be for that device.
- When I want to add a new peer, I will have to add it to `wg0.conf` on the server. This has the potential to add a lot of administrative overhead, so I will need to see about finding a way to automate this.
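The steps above and the two notes (the same-subnet rule for steps 12 and 16, and adding peers to the server's `wg0.conf`) can be turned into a small script. The following is an added example written for this page, not code from the original post: it renders the server `wg0.conf`, the client `wg0.conf` and the OpenBSD `hostname.wg0` for the 10.0.10.0/24 tunnel used above, checks the tunnel IPs against the same-subnet rule, and appends further peers while refusing a duplicate key or address. Keys are passed in as arguments (generate them with `wg genkey` / `wg pubkey` on the respective hosts); the `SPRIV`/`CPUB`-style values in the usage and the hostname `vpn.example.net` are constructed placeholders. It departs from the server config above in one place: the per-peer `AllowedIPs` is the client's own `/32` rather than `0.0.0.0/0`, and `AllowedIPs` lists are comma-separated, which is the form `wg(8)` parses.

```shell
#!/bin/sh
# Added example for this page, not from the original post. Renders WireGuard
# server/client configs and OpenBSD hostname.wg0 for the 10.0.10.0/24 tunnel
# described above, and adds peers to an existing server config.
# Keys are arguments; no real keys appear here.
set -eu

# same_24 A B: succeed when two dotted-quad IPs share the same /24.
same_24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# check_tunnel_ips SERVER_IP CLIENT_IP: the rule from the notes for steps 12
# and 16, i.e. same subnet but not the same address.
check_tunnel_ips() {
    if [ "$1" = "$2" ]; then
        echo "tunnel IPs must differ: $1" >&2
        return 1
    fi
    if ! same_24 "$1" "$2"; then
        echo "tunnel IPs must share a /24: $1 vs $2" >&2
        return 1
    fi
}

# peer_block LABEL PUBKEY CLIENT_IP: one [Peer] section for the server side.
# On the server, AllowedIPs is the cryptokey routing table: which source
# addresses are accepted from that key and which destinations are sent to it.
# Each peer therefore gets its own /32; two peers cannot both claim 0.0.0.0/0.
peer_block() {
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\nPersistentKeepalive = 25\n' "$1" "$2" "$3"
}

# server_conf SERVER_PRIVKEY PORT CLIENT_PUBKEY CLIENT_IP -> wg0.conf for wg setconf
server_conf() {
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\n' "$1" "$2"
    peer_block "Client 1" "$3" "$4"
}

# client_conf CLIENT_PRIVKEY CLIENT_IP SERVER_PUBKEY ENDPOINT_HOST PORT -> wg-quick config.
# AllowedIPs is a comma-separated list, which is what wg(8) parses.
client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# hostname_wg0 SERVER_IP -> /etc/hostname.wg0, pointing wg setconf at wg0.conf
hostname_wg0() {
    printf 'inet %s 255.255.255.0 NONE\nup\n!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf\n' "$1"
}

# add_peer CONF LABEL PUBKEY CLIENT_IP: append a peer to an existing server
# config, refusing a public key or tunnel IP that is already allocated in it.
add_peer() {
    if grep -q "^PublicKey = $3\$" "$1"; then
        echo "public key already present in $1" >&2
        return 1
    fi
    if grep -q "^AllowedIPs = $4/32\$" "$1"; then
        echo "tunnel IP $4 already allocated in $1" >&2
        return 1
    fi
    peer_block "$2" "$3" "$4" >> "$1"
}

# Usage: sh wgconf.sh render OUTDIR SERVER_PRIV SERVER_PUB CLIENT_PRIV CLIENT_PUB ENDPOINT_HOST
# Writes OUTDIR/server-wg0.conf, OUTDIR/hostname.wg0 and OUTDIR/client-wg0.conf
# with mode 0600, since two of them contain private keys.
if [ "${1:-}" = "render" ]; then
    out=$2
    check_tunnel_ips 10.0.10.1 10.0.10.2
    mkdir -p "$out"
    (umask 077
     server_conf "$3" 51820 "$6" 10.0.10.2 > "$out/server-wg0.conf"
     hostname_wg0 10.0.10.1 > "$out/hostname.wg0"
     client_conf "$5" 10.0.10.2 "$4" "$7" 51820 > "$out/client-wg0.conf")
fi
```

The rendered `server-wg0.conf` goes to `/etc/wireguard/wg0.conf` on the Pi and `hostname.wg0` to `/etc/hostname.wg0`; `client-wg0.conf` is the client's `/etc/wireguard/wg0.conf`. Adding a second client later is `add_peer /etc/wireguard/wg0.conf "Client 2" <its public key> 10.0.10.3` followed by `sh /etc/netstart wg0`, and the duplicate checks are what stop two clients from silently being given the same tunnel address.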