Cooking Fugu Fish at Home or OpenBSD on a Home Server


    Of course, this will not be about preparing the well-known Japanese delicacy. It is about setting up, on a home server, several services
    that I have decided I need. The operating system will be OpenBSD.
    Many will exclaim: why do you need this little-known OS when there are Linux and FreeBSD? Yes, indeed, I could have configured everything
    I needed on another Unix-like system, but it would not have brought me as much pleasure as I got from studying and tuning OpenBSD. Besides,
    I am always attracted to complex and non-standard solutions.
    Enough of the introduction; back to the subject line.
    I hasten to introduce you to the menu, dear reader.

    Today's menu:
    1. Initial setup.
    2. DNS (redirecting requests to the provider).
    3. Soft RAID 1 (archive of family photos, music, travel videos and other important information).
    4. rtorrent + rutorrent (different torrents are needed, different torrents are important).
    5. NFS server (network folder for access from LAN computers).
    6. VPN tunnel with work. FreeBSD (mpd5) OpenBSD (ppp) (I like, you know, sometimes working from home).
    7. NUT + UPS Ippon Back power pro 400 (we are not afraid of an unexpected blackout).
    8. Firewall (great PF packet filter).


    And so, let's get started.



    1. Initial setup.


    I'll describe the configuration assuming the system is already installed.
    I will dwell only on the configuration of the network interfaces. There are two of them in my system: re0 and rl0.
    # cat /etc/hostname.re0
    inet 192.168.254.1 255.255.255.0
    inet alias 192.168.254.10 255.255.255.255
    # why I need the alias will become clear later
    # cat /etc/hostname.rl0
    inet 10.110.1.103  255.255.255.224


    To install software I use both packages and ports, so the first thing to do is download the ports tree.

    # cd /tmp
    # ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.7/ports.tar.gz
    # cd /usr
    # tar -zxvf /tmp/ports.tar.gz


    In order to be able to update the ports tree, install cvsup:
    # cd /usr/ports
    # make search key=cvsup
    Port:   cvsup-16.1hp2-no_x11
    Path:   net/cvsup,-main,no_x11
    Info:   network file distribution system
    Maint:  The OpenBSD ports mailing-list 
    Index:  net devel
    L-deps:
    B-deps: :lang/ezm3
    R-deps:
    Archs:  i386
    # cd net/cvsup
    # make show=FLAVORS
    no_x11
    # env FLAVOR="no_x11" make install 


    Clean the ports' work directories
    # make clean
    # make clean=depends 


    So as not to come back to it later, let's configure the cvsup config for updating the ports right away
    # cat /etc/cvsup-file-ports
    *default release=cvs
    *default delete use-rel-suffix
    *default umask=002
    *default host=obsd.cec.mtu.edu
    *default base=/usr
    *default prefix=/usr
    *default tag=OPENBSD_4_7
    OpenBSD-ports


    Lists of available anonymous cvs servers can be viewed here.
    To update, just use the command
    # cvsup -g -L 2 /etc/cvsup-file-ports


    That's it for the ports, for now.
    Let's move on to the packages; in this step I install everything I need from packages
    # export PKG_PATH=http://ftp.gamma.ru/pub/OpenBSD/`uname -r`/packages/`machine -a`/
    #pkg_add libxml mod_scgi nut p5-XML-Parser php5-core php5-extensions\
    php5-xmlrpc pptp screen xmlrpc-c bash

    * The list may well be incomplete: the server was set up a long time ago and I may have missed something.

    2. DNS (redirecting requests to the provider).



    Make changes to /etc/rc.conf.local to run named
    named_flags=""
    named_user=named       
    named_chroot=/var/named 


    To forward requests to the provider's DNS, it is enough to add the following lines to
    /var/named/etc/named.conf (inside options)

            forwarders {
                10.5.0.2;
            };


    and /etc/resolv.conf will contain
    nameserver 127.0.0.1


    3. Soft RAID 1 (archive of family photos, music, travel videos and other important information).



    To organize a soft raid in OpenBSD, do the following.
    (The array will be assembled from two Western Digital 500GB HDDs)
    # dmesg |grep WD                                                                                                     
    wd2 at pciide0 channel 1 drive 0: WDC WD5000AAKS-00UU3A0
    wd3 at pciide0 channel 1 drive 1: WDC WD5000AAKS-00UU3A0


    Further, everything is strictly according to man softraid, initialize the disks (overwrite the MBR bootcode and MBR partition table)
    # fdisk -iy wd2
    # fdisk -iy wd3


    create RAID partitions on disks
    # printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E wd2
    # printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E wd3


    assemble the array
    # bioctl -c 1 -l /dev/wd2a,/dev/wd3a softraid0


    it is good practice to zero the beginning (the header) of a disk before using it
    # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1


    initialize and format the array
    # fdisk -iy sd0
    # printf "a\n\n\n\n4.2BSD\nw\nq\n\n" | disklabel -E sd0
    # newfs /dev/rsd0a


    An attentive reader will notice that when I zeroed the beginning of the newly created array I used the name rsd0, while when creating a partition
    on it I specified sd0. To understand the difference, let's turn to the wonderful book Absolute OpenBSD: UNIX for the Practical Paranoid by Michael Lucas.

    As the table there shows, there are two kinds of device nodes: "raw" (character) devices and block devices. Some programs are written to work with
    raw devices and cannot work with block devices, and vice versa.
    When writing to or reading from a block device, data is buffered, and the disk is accessed only when a certain limit (the buffer size) is reached.
    When writing to or reading from a raw device, data is passed to the device immediately.
    M. Lucas gives the following example to make these mechanisms easier to understand.

    Imagine that you have a bottle in front of you that you need to fill with tablets. You take a tablet with your right hand and move it to your left,
    and so on until the left hand is full; then you pour all the tablets from the left hand into the bottle. That is how block devices work: your left
    hand played the role of a buffer. Now put each tablet into the bottle one at a time: that is how raw devices work.
    * I really hope my clumsy translation of the explanation is understandable.

    The final step is to mount the array and edit /etc/fstab so that it is mounted automatically at boot.
    # mkdir /raid
    # mount /dev/sd0a /raid
    # cat /etc/fstab
    ---skip---
    /dev/sd0a /raid ffs rw,nodev,nosuid 1 2
    ---skip---


    4. rtorrent + rutorrent + apache2 (different torrents are needed, different torrents are important).



    Back when preparing the first dish (aka initial setup), we installed the components needed for the torrent client to work, except for the client itself.
    We will install it from the ports.

    For rtorrent to work together with rutorrent, it has to be built with the configure script option --with-xmlrpc-c. To do this, go to the
    port directory
    # cd /usr/ports/net/rtorrent/


    and fix the CONFIGURE_ARGS parameter in the Makefile
    CONFIGURE_ARGS=         ${CONFIGURE_SHARED}   --disable-debug --with-xmlrpc-c

    * A small hint: the wonderful Flavors mechanism is nothing more than a set of configure script options, which is easy to see by looking at, for example,
    the Makefile in www/php5/extensions.

    I'll leave out the rtorrent config itself; I'll just say that torrents are downloaded to a separate disk mounted at /data, which is exported via
    NFS. Folder permissions:
    # ls -la /data/                                                                                                     
    total 16
    drwxr-xr-x   4 root  wheel   512 Dec 11 18:41 .
    drwxr-xr-x  16 root  wheel   512 Dec 20 13:13 ..
    drwxr-xr-x  12 p2p   p2p    1024 Dec 20 20:19 torrents


    Create the user that rtorrent will run as
    # adduser
    Use option ``-silent'' if you don't want to see all warnings and questions.
    Reading /etc/shells
    Check /etc/master.passwd
    Check /etc/group
    Ok, let's go.
    Don't worry about mistakes. There will be a chance later to correct any input.
    Enter username []: p2p
    ---skip---


    rtorrent auto start, add to /etc/rc.local
    if [ -x /etc/rtorrent.sh ]; then
    echo -n ' rtorrent';       /etc/rtorrent.sh
    fi


    rtorrent.sh
    # cat /etc/rtorrent.sh                                                                                               
    su p2p  -c '/usr/local/bin/screen -m -d -S rtorrent /usr/local/bin/rtorrent'


    Next on the list is rutorrent
    # cd /var/www/                                                                                                       
    # mkdir sites/                                                                                                       
    # cd sites/                                                                                                         
    # wget http://rutorrent.googlecode.com/files/rutorrent-3.2.tar.gz
    # tar xzvf rutorrent-3.2.tar.gz                                                                                     
    # chown -R www:www rutorrent                                                                                         
    # chmod -R 777 rutorrent/share/ 


    Now let's get down to configuring apache2, which is already present on the system. Automatic start at boot with the necessary parameters is handled like this
    # cat /etc/rc.conf.local
    httpd_flags="-u"

    * I added the -u flag to disable Apache chrooting.

    For rutorrent I made a separate alias (mentioned in the first section) and a VirtualHost
    # cat /var/www/conf/Includes/rutorrent.home.local.conf
    # The <VirtualHost> and <Directory> tags are restored here (the blog engine stripped them);
    # the VirtualHost address is assumed to be the alias from section 1.
    <VirtualHost 192.168.254.10:80>
        DocumentRoot /var/www/sites/rutorrent
        ServerName  rutorrent.home.local
        ServerAlias www.rutorrent.home.local
        ErrorLog "|/usr/local/sbin/rotatelogs2 /var/log/httpd/http.rutorrent.home.local-error_log.%Y-%m-%d-%H_%M_%S 86400"
        CustomLog "|/usr/local/sbin/rotatelogs2 /var/log/httpd/http.rutorrent.home.local-access_log.%Y-%m-%d-%H_%M_%S 86400" common
        <Directory /var/www/sites/rutorrent>
            AllowOverride AuthConfig
            DirectoryIndex index.html
            Order Deny,Allow
            Deny from all
            Allow from 192.168.0.0/16
        </Directory>
        SCGIMount /RPC2 127.0.0.1:5000
    </VirtualHost>


    The final piece of this dish will be setting up password access to the rutorrent web interface.
    In the rutorrent folder, create a .htaccess file
    # cat /var/www/sites/rutorrent/.htaccess                                                                             
    AuthName "Ololo can be found here!"
    AuthType Basic
    AuthUserFile /home/onotole/.htpasswd


    and password file at the specified path
    #htpasswd -c /home/onotole/.htpasswd admin


    We start apache and check the fruits of our labors
    #apachectl start


    A couple of screenshots =)



    5. NFS server (network folder for access from LAN computers).



    Folders available to clients for NFS mounting
    # sed '/ *#/d; /^$/d'  /etc/exports                                                                                 
    /data -alldirs -mapall=nobody  -network=192.168.254 -mask=255.255.255.0
    /raid -alldirs -mapall=nobody  -network=192.168.254 -mask=255.255.255.0


    Access rights
    #chmod 777 /raid 


    Starting nfsd at system startup
    # grep nfs /etc/rc.conf.local
    nfs_server=YES


    I have FreeBSD on the desktop; the mount points go into its /etc/fstab
    #grep gateway /etc/fstab
    gateway:/data      /home/onotole/data nfs ro 0 0
    gateway:/raid                /home/onotole/share nfs rw 0 0
    #mount ~/data
    #mount ~/share


    6. VPN tunnel with work. FreeBSD (mpd5) OpenBSD (ppp) (I like, you know, sometimes working from home).



    I need access to the local network at work all the time, so I organized a VPN tunnel between the server at work and the home server.

    The mpd5 config looks like this
    startup:
        set user onotole ololo admin
        set console self 127.0.0.1 5005
        set console open
        set web self 192.168.0.1 5006
        set web open
    default:
        load pptp_vpn
    pptp_vpn:
        create bundle static pptp1
        set ipcp ranges 10.255.255.1/32 10.255.255.2/32
        set iface route 192.168.254.0/24
        set iface enable proxy-arp
        set iface enable on-demand
        set bundle enable compression
        set bundle enable crypt-reqd
        set ccp yes mppc
        set mppc yes compress
        set mppc yes e128
        set mppc yes stateless
        create link static lpptp1 pptp
        set link action bundle pptp1
        set link no pap
        set link yes chap
        set auth authname "ololo"
        set auth password "123"
        set link mtu 1460
        set link keep-alive 0 0
        set link max-redial -1
        set pptp self 1.2.3.4
        set pptp peer 0.0.0.0/0
        set link enable incoming



    In OpenBSD, do the following:
    change the parameter net.inet.gre.allow
    # sysctl -w net.inet.gre.allow=1                                                                         
    net.inet.gre.allow: 0 -> 1 


    also change the value of the parameter in /etc/sysctl.conf
    # grep gre /etc/sysctl.conf                                                                                         
    net.inet.gre.allow=1


    ppp daemon, main config
    # sed '/ *#/d; /^$/d'  /etc/ppp/ppp.conf
    default:
        set log Phase Chat LCP IPCP CCP tun command
        disable ipv6cp
    vpn:
        set device "!/usr/local/sbin/pptp --nolaunchpppd work-onotole.com"
        set timeout 0
        set lqrperiod 600
        set redial 30
        set authname ololo
        set authkey 123
        set dial
        set login
        set mppe 128 stateless
        accept chap
        enable mssfixup
        disable acfcomp protocomp
        deny acfcomp


    when the link comes up (add routes and reload pf.conf)
    # cat /etc/ppp/ppp.linkup
    vpn:
        add work-onotole.com 10.110.1.97
        add 192.168.0.0 255.255.255.0 10.255.255.1
        ! sh -c "/sbin/pfctl -f /etc/pf.conf"


    when it goes down (delete routes and reload pf.conf)
    # cat /etc/ppp/ppp.linkdown
    vpn:
        delete 192.168.0.0/24
        delete work-onotole.com
        ! sh -c "/sbin/pfctl -f /etc/pf.conf"


    Raise the link at system startup
    # cat /etc/hostname.tun0                                                                                             
    !/usr/sbin/ppp -ddial vpn >/dev/null 2>&1


    7. NUT + UPS Ippon Back power pro 400 (we are not afraid of an unexpected blackout).



    We create the configs for the daemons.
    ups.conf
    # cat /etc/nut/ups.conf
    [myups]
        driver = megatec
        port = /dev/tty00   # the UPS is connected to COM1
        desc = "Server"


    upsd.users
    # cat /etc/nut/upsd.users
    [admin]
        password = ups123
        allowfrom = localhost
        actions = SET
        instcmds = ALL
    [monuser]
        password = mon123
        allowfrom = localhost
        upsmon master


    upsd.conf
    # cat /etc/nut/upsd.conf                                                                                                               
    LISTEN 127.0.0.1 3493


    upsmon.conf
    # cat /etc/nut/upsmon.conf
    MONITOR myups@localhost 1 monuser mon123 master
    MINSUPPLIES 1                         # minimum number of power supplies that must be receiving power
    SHUTDOWNCMD "/sbin/shutdown -h now"   # shutdown command
    POLLFREQALERT 5                       # how often (seconds) to poll the UPS while running on battery
    DEADTIME 15                           # seconds without data before the UPS is declared dead
    POWERDOWNFLAG /etc/killpower          # flag file written when the UPS must be powered off; checked in rc.shutdown
    FINALDELAY 60                         # seconds to wait after the final warning before running SHUTDOWNCMD


    Set the correct permissions on tty00 and load the driver

    # chown _ups:wheel /dev/tty00
    # chmod 600 /dev/tty00
    # /usr/local/bin/upsdrvctl start


    Run the daemons
    # /usr/local/sbin/upsd
    # /usr/local/sbin/upsmon


    Checking the status of the UPS
    # upsc  myups@localhost
    battery.charge: 97.5
    battery.voltage: 13.60
    battery.voltage.nominal: 12.0
    driver.name: megatec
    driver.parameter.pollinterval: 2
    driver.parameter.port: /dev/tty00
    driver.version: 2.4.1
    driver.version.internal: 1.6
    input.frequency: 50.1
    input.frequency.nominal: 50.0
    input.voltage: 221.5
    input.voltage.fault: 221.5
    input.voltage.maximum: 245.0
    input.voltage.minimum: 206.8
    input.voltage.nominal: 220.0
    output.voltage: 221.5
    ups.beeper.status: enabled
    ups.delay.shutdown: 0
    ups.delay.start: 2
    ups.load: 19.0
    ups.mfr: unknown
    ups.model: unknown
    ups.serial: unknown
    ups.status: OL # the UPS is running on mains power; other values are OB - on battery and LB - low battery
    ups.temperature: 25.0
    ups.type: standby
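    As an added example that is not part of the original post, here is a small sh script that reads upsc output like the listing above and classifies the UPS by the flags in ups.status (OL, OB, LB), the way a cron job could before deciding to warn or shut down; the sample outputs are constructed, not real captures.

```sh
#!/bin/sh
# Added example (not from the original post): classify a UPS from upsc(8) output,
# the way a cron job could before warning or shutting down.
# ups.status holds space-separated flags; from the listing above we care about
# OL (on line), OB (on battery) and LB (low battery).

# Constructed sample outputs, modelled on the upsc listing above (not real captures).
SAMPLE_ONLINE='battery.charge: 97.5
ups.load: 19.0
ups.status: OL'

SAMPLE_LOW='battery.charge: 12.0
ups.load: 19.0
ups.status: OB LB'

# ups_state: reads upsc output on stdin and prints one word:
#   online | on-battery | low-battery | unknown
ups_state() {
    status=$(sed -n 's/^ups\.status:[[:space:]]*//p')
    case " $status " in
        *" LB "*) echo low-battery ;;   # LB takes priority even when OB is also set
        *" OB "*) echo on-battery ;;
        *" OL "*) echo online ;;
        *)        echo unknown ;;
    esac
}

# battery_charge: prints the integer part of battery.charge, or 0 if the field is missing
battery_charge() {
    sed -n 's/^battery\.charge:[[:space:]]*\([0-9]*\).*/\1/p' | grep . || echo 0
}

# check_ups: reads upsc output on stdin; exit 0 = fine, 1 = warn (on battery,
# charge still >= 50%), 2 = critical (low battery, drained below 50%, or unknown)
check_ups() {
    out=$(cat)
    state=$(printf '%s\n' "$out" | ups_state)
    charge=$(printf '%s\n' "$out" | battery_charge)
    case $state in
        online) return 0 ;;
        on-battery)
            if [ "$charge" -ge 50 ]; then return 1; else return 2; fi ;;
        *) return 2 ;;
    esac
}

# stand-alone demo over the constructed samples; on the server this would be
#   upsc myups@localhost | check_ups
for s in "$SAMPLE_ONLINE" "$SAMPLE_LOW"; do
    rc=0; printf '%s\n' "$s" | check_ups || rc=$?
    echo "state=$(printf '%s\n' "$s" | ups_state) rc=$rc"
done
```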


    Add to autostart
    In /etc/rc.local, add the following to start nut automatically
    if [ -x /usr/local/bin/upsdrvctl ]; then
        echo -n ' nut'
        chown _ups:wheel /dev/tty00
        chmod 600 /dev/tty00
        /usr/local/bin/upsdrvctl start > /dev/null 2>&1
        /usr/local/sbin/upsd > /dev/null 2>&1
        /usr/local/sbin/upsmon > /dev/null 2>&1
    fi


    To cut the UPS power only after the data on the disks has been synced, add the following to rc.shutdown
    if [ -f /etc/killpower ]; then
        /usr/local/bin/upsdrvctl shutdown
        sleep 60
    fi


    8. Firewall (great PF packet filter).



    Turn on packet forwarding
    #sysctl -w net.inet.ip.forwarding=1 


    make the appropriate changes in /etc/sysctl.conf
    #grep ip.forwarding /etc/sysctl.conf
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets


    The PF config is as simple as it gets
    # sed '/ *#/d; /^$/d'  /etc/pf.conf
    ext_if="rl0"
    int_if="re0"
    vpn_if="tun0"
    set block-policy return
    set skip on lo0
    match in all scrub (no-df)
    block all
    pass on $int_if
    pass on $vpn_if
    pass out on  $ext_if
    # NAT everything coming from the LAN
    pass out on $ext_if from $int_if:network to any nat-to ($ext_if)
    # forward port 3333 (tcp, udp) for DC++ to 192.168.254.2; the rule matches the destination port on the external interface
    pass in on $ext_if proto {tcp,udp} from any to ($ext_if) port 3333 rdr-to 192.168.254.2 synproxy state


    That's it! OpenBSD is set up =)

    This is how my home server came out.
    I really enjoy working with OpenBSD; it wins you over with its uncompromising design, simplicity and reliability. By the way, only now, thanks to
    this OS, have I fully appreciated the value of the man command. The system documentation is beyond praise. A deep bow and deepest gratitude to the developers.

    In preparation, I used the following sources:
    1. man
    2. http://openbsd.org/faq/index.html
    3. http://unixadmins.su/index.php/topic,196.0.html
    4. www.openbsd.ru/docs/steps/nut.html
    5. mpd.sourceforge.net/doc5/mpd.html
    6. Absolute OpenBSD: Unix for the practical paranoid
    Special thanks to Michael Lucas for his undoubted masterpieces!
