Set up OpenBSD server daemons

OpenBSD is a great choice for a server due to its security and rock-solid reliability. These machines are known for running months or years on end without needing a reboot. Some common services you can provide to your network are DHCP, routing, firewalling, and web hosting. We'll go over configuring these services on OpenBSD 6.3.

DHCP

OpenBSD comes with a DHCP server, dhcpd, that is configured through the /etc/dhcpd.conf file. Here is an example for a dual-network setup:

# Global parameters
authoritative;
allow unknown-clients;
option domain-name "yourdomain.com";
option domain-name-servers 8.8.8.8, 8.8.4.4;

# Trusted network
subnet 192.168.1.0 netmask 255.255.255.0
{
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    range 192.168.1.50 192.168.1.100;

    # 1-month leases
    option dhcp-lease-time 2592000;
    default-lease-time 2592000;
    max-lease-time 2592000;

    # Static IP addresses
    host desktop
    {
        hardware ethernet A0:36:9F:4A:77:2D;
        fixed-address 192.168.1.10;
    }

    host phone
    {
        hardware ethernet 70:71:BC:B0:1E:98;
        fixed-address 192.168.1.11;
    }
}

# DMZ network
subnet 10.10.0.0 netmask 255.255.0.0
{
    option routers 10.10.0.1;
    option broadcast-address 10.10.255.255;
    range 10.10.1.0 10.10.1.255;

    # 1-week leases
    option dhcp-lease-time 604800;
    default-lease-time 604800;
    max-lease-time 604800;
}

To enable dhcpd, add its corresponding flags to /etc/rc.conf.local:

dhcpd_flags=""

If you have multiple NICs on this machine, you can list them in the flags to indicate that dhcpd should only listen on those interfaces.

dhcpd_flags="em0 em1"

These should match the interface names displayed by ifconfig.
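Static host entries like the ones in the dhcpd.conf example above only stay conflict-free if each fixed address sits inside its subnet and outside the dynamic range. The Python lint below is an added example, not part of the original post; it assumes host blocks are nested inside subnet blocks as shown above, and its sample config and MAC addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: "printer" is inside the pool, the DMZ broadcast is wrong.
SAMPLE = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.50 192.168.1.100;
    host desktop { hardware ethernet 02:00:00:00:00:01; fixed-address 192.168.1.10; }
    host printer { hardware ethernet 02:00:00:00:00:02; fixed-address 192.168.1.60; }
}
subnet 10.10.0.0 netmask 255.255.0.0 {
    option broadcast-address 10.10.0.255;   # should be 10.10.255.255
    range 10.10.1.0 10.10.1.255;
}
"""

def lint_dhcpd(conf):
    """Return a list of address problems, one string per finding."""
    conf = re.sub(r"#.*", "", conf)                      # drop comments
    ip, problems = ipaddress.ip_address, []
    heads = list(re.finditer(r"\bsubnet\s+([\d.]+)\s+netmask\s+([\d.]+)", conf))
    for i, m in enumerate(heads):
        # A subnet block runs up to the next "subnet" keyword (or end of file).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(conf)
        body = conf[m.end():end]
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        def first(pattern):
            hit = re.search(pattern, body)
            return hit.groups() if hit else None
        router = first(r"option\s+routers\s+([^\s;,]+)")
        if router and ip(router[0]) not in net:
            problems.append(f"{net}: router {router[0]} is outside the subnet")
        bcast = first(r"option\s+broadcast-address\s+([^\s;]+)")
        if bcast and ip(bcast[0]) != net.broadcast_address:
            problems.append(f"{net}: broadcast {bcast[0]} should be {net.broadcast_address}")
        pool = first(r"\brange\s+(\S+)\s+([^\s;]+)")
        lo, hi = (ip(pool[0]), ip(pool[1])) if pool else (None, None)
        if pool and not (lo in net and hi in net and lo <= hi):
            problems.append(f"{net}: range {lo}-{hi} is not inside the subnet")
        for name, addr in re.findall(r"\bhost\s+(\S+)\s*\{[^}]*?fixed-address\s+([^\s;]+)", body):
            if ip(addr) not in net:
                problems.append(f"{net}: host {name} ({addr}) is outside the subnet")
            elif pool and lo <= ip(addr) <= hi:
                problems.append(f"{net}: host {name} ({addr}) is inside the dynamic pool")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_dhcpd(SAMPLE)) or "no problems found")
```

To lint the real file, pass the contents of /etc/dhcpd.conf to lint_dhcpd() instead of SAMPLE.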

Routing and Firewalling

OpenBSD is the home of packet filter, or pf for short, a stateful firewall that is highly configurable and efficient. To enable OpenBSD to route traffic between its interfaces, you need to turn on IP forwarding. Add the following line to /etc/sysctl.conf.

net.inet.ip.forwarding=1

Before establishing a basic pf ruleset, determine which interface is "outside", or Internet facing, and which interface(s) are "inside", or local network facing. The following example will use em2 as the outside interface and em0 and em1 as the two inside interfaces. Configuration of pf is done through /etc/pf.conf.

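extif="em2"
intif="em0"
dmzif="em1"

# NAT traffic from both inside networks to the outside interface's address
match out on $extif from { $intif:network, $dmzif:network } inet nat-to ($extif)
# Default deny, in both directions, on every interface
block all
# Accept traffic arriving from the inside networks; without this rule
# "block all" drops it before it can be forwarded or reach httpd
pass in on { $intif, $dmzif }
pass out on $extif from { self, $intif:network, $dmzif:network }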

This configures NAT for both of the inside networks and allows any traffic originating from those networks. This only scratches the surface of what pf is capable of. If you're interested in more advanced setups, check out the following resources:

Web Hosting

Lastly, OpenBSD includes httpd, which will perform the duties of a web server. It's included in the base system, so you don't even need to install anything. It is configured through /etc/httpd.conf, of which the following is an example.

server "default" {
    listen on * port 80
    root "/htdocs/default/"
}

httpd chroots to /var/www by default, so the root path is relative to that directory: the files are served from /var/www/htdocs/default/ rather than from /htdocs/default/.

Add the following line to /etc/rc.conf.local to enable httpd automatically on reboot.

httpd_flags=""

Write the following to /var/www/htdocs/default/index.html as a test web page.

hello world

Finish up

Now that everything is configured, you'll want to reboot the machine and watch for any error messages on the console.

$ doas shutdown -r now

After coming back up, you should be able to get an IP address from this machine, use it as your gateway to the Internet, and browse to it to see the text "hello world" in your web browser.

For more detailed information on these configuration files, you can pass their names to man:

$ man httpd.conf

Or visit their online man pages at the following links
