Date:
Wed Feb 1 05:00:29 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=w3m/0.5.3+git20210102
author=jrmu
charset=UTF-8
csum=
ctime=1597227135
host=38.87.162.154
name=Openbsd.Iked
rev=8
targets=
text=(:redirect iked/configure:)
Note: this is made for OpenBSD 6.6; it has not been updated for the latest version of OpenBSD (currently 6.9).

Add this to /etc/iked.conf (replace 192.168.1.1 with your server's public IP address):

[@
user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \
 from 0.0.0.0/0 to 0.0.0.0/0 \
 local 192.168.1.1 peer any \
 srcid vpn.ircnow.org \
 eap "mschap-v2" \
 config address 10.0.5.0/24 \
 config name-server 192.168.1.1 \
 tag "ROADW"
@]

The 'peer any' and 'from 0.0.0.0/0 to 0.0.0.0/0' lines allow any client to connect and carry all of its traffic through the tunnel. The 'config name-server' option sets the DNS server that VPN clients will use, so in this example you must have a working caching name server listening on 203.0.113.5. Packets from this tunnel are tagged ROADW, which the pf rules below match on.

Add this to /etc/pf.conf:

[@
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on vio0 inet tagged ROADW nat-to vio0
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

To reload the new pf ruleset:

[@
$ doas pfctl -f /etc/pf.conf
@]

At this point we need to create a PKI and the X.509 certificates that the VPN client uses to verify the server. From the command line, run:

[@
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate server1.domain create
# ikectl ca vpn certificate server1.domain install
writing RSA key
# cp /etc/iked/ca/ca.crt /var/www/htdocs/
@]

We will use unbound as the caching DNS resolver. Our servers have static IP addresses, so we do not use DHCP (if you do use DHCP, make sure the DHCP-supplied name servers are ignored):

/etc/resolv.conf:

[@
nameserver 127.0.0.1
lookup file bind
@]

/etc/resolv.conf.tail:

[@
lookup file bind
@]

/var/unbound/etc/unbound.conf:

[@
outgoing-interface: 203.0.113.5
access-control: 10.0.0.0/8 allow
...

local-zone: "www.domain.com" static

...
@]

The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block from [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.

[@
$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
@]

We need to reformat this hosts file into unbound local-zone lines:

[@
$ awk '!/^ *#/ && NF' hosts > newhosts # drop comment and blank lines from stevenblack's list
$ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2
$ sed 's/ "/"/' newhosts2 > newhosts3
@]

Manually check for malformed entries, then put the result into /var/unbound/etc/unbound.conf.

It is unclear whether the following also needs to be added to /etc/sysctl.conf:

[@
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
@]

To enable and start iked:

[@
$ doas rcctl enable iked
$ doas rcctl start iked
@]

To turn on debugging, replace the last step with:

[@
$ doas iked -dv
@]

Note: you may also consider using blocklists from these sources:
[@
https://dsi.ut-capitole.fr/blacklists/index_en.php
https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt
https://mirror1.malwaredomains.com/files/justdomains
https://blocklist.site/app/dl/piracy
https://blocklist.site/app/dl/torrent
https://github.com/mmotti/pihole-regex/blob/master/regex.list
https://blocklist.site/app/dl/porn
@]
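The hosts-to-local-zone conversion above, together with the "manually check for malformed entries" step, as an added example that is not part of the original page: a POSIX sh/awk filter that emits unbound `local-zone ... static` lines for blackhole entries, skips loopback names from the hosts header, deduplicates, and reports entries that are not valid hostnames on stderr instead of passing them into unbound.conf. The sample hosts data is constructed here, not taken from StevenBlack's list.

```shell
#!/bin/sh
# Added example, not from the original page: turn a StevenBlack-style hosts
# file into unbound "local-zone ... static" lines, doing the job of the
# awk/sed pipeline above plus the "manually check for malformed entries"
# step. Reads hosts lines on stdin; valid entries go to stdout as local-zone
# lines, malformed ones are reported on stderr and dropped.
hosts_to_local_zone() {
    awk '
        { sub(/#.*/, "") }                 # drop comments, inline ones too
        NF < 2 { next }                    # blank or address-only lines
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # only blackhole entries
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # names from the hosts header that must never be blackholed
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "local" || h == "broadcasthost" || h == "0.0.0.0" ||
                    h == "ip6-localhost" || h == "ip6-loopback")
                    continue
                # RFC 1123 syntax: dot-separated labels of [a-z0-9-], no label
                # starting or ending with "-", at least one dot, <= 253 chars
                if (length(h) > 253 ||
                    h !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) {
                    print "malformed entry skipped: " $0 > "/dev/stderr"
                    continue
                }
                if (!(h in seen)) {        # hosts lists often repeat names
                    seen[h] = 1
                    printf "local-zone: \"%s\" static\n", h
                }
            }
        }'
}

# Constructed sample input (not the real StevenBlack list), with the cases
# the page asks you to check by hand: comments, loopback names, a duplicate,
# an underscore and a leading hyphen.
SAMPLE_HOSTS='# Title: constructed sample hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 tracker.example.net cdn.tracker.example.net
0.0.0.0 bad_host.example.com
0.0.0.0 -leading.example.org
0.0.0.0 ads.example.com
'

printf '%s' "$SAMPLE_HOSTS" | hosts_to_local_zone
```

Run it as `hosts_to_local_zone < hosts >> /var/unbound/etc/unbound.conf` only after reviewing the stderr output, then check the result with `unbound-checkconf`.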
time=1650431809
author:1650431809=jrmu
diff:1650431809:1628989736:=1d0%0a%3c (:redirect iked/configure:)%0a118c117%0a%3c @]%0a---%0a> @]%0a\ No newline at end of file%0a
host:1650431809=38.87.162.154
author:1628989736=mkf
csum:1628989736=updated, still doesn't work on 6.9
diff:1628989736:1628967008:=95c95,98%0a%3c net.inet.ipcomp.enable=1%0a---%0a> #net.inet.ipcomp.enable=1%0a> #net.inet.esp.enable=1%0a> #these two are enabled?%0a> net.inet.ah.enable=1%0a102a106%0a> $ doas rcctl set iked flags -6%0a109c113%0a%3c $ doas iked -dv%0a---%0a> $ doas iked -6 -dv%0a
host:1628989736=198.251.81.133
author:1628967008=mkf
diff:1628967008:1628966702:=95,97c95,96%0a%3c #net.inet.ipcomp.enable=1%0a%3c #net.inet.esp.enable=1%0a%3c #these two are enabled?%0a---%0a> net.inet.ipcomp.enable=1%0a> net.inet.esp.enable=1%0a
host:1628967008=198.251.81.133
author:1628966702=mkf
diff:1628966702:1628960165:=3,4c3,4%0a%3c Add this to /etc/iked.conf (replace 192.168.1.1 with your server's public IP address):%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):%0a> %0a9c9%0a%3c local 192.168.1.1 peer any \%0a---%0a> local 203.0.113.5 peer any \%0a13c13%0a%3c config name-server 192.168.1.1 \%0a---%0a> config name-server 203.0.113.5 \%0a25c25%0a%3c match out on vio inet tagged ROADW nat-to vio0%0a---%0a> match out on $ext_if inet tagged ROADW nat-to $ext_if%0a28a29,30%0a> where ext_if is your external interface.%0a> %0a72a75,80%0a> %0a> forward-zone:%0a> forward-addr: 185.121.177.177%0a> forward-addr: 169.239.202.202%0a> %0a> ...%0a116d123%0a%3c [@%0a120c127,132%0a%3c @]%0a\ No newline at end of file%0a---%0a> %0a> Banned networks:%0a> %0a> irc.p2p-network.net%0a> irc.gazellegames.net%0a> irc.nzbs.in%0a\ No newline at end of file%0a
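Review bot: the new pf rule in the 25c25 hunk, `match out on vio inet tagged ROADW nat-to vio0`, names the interface two different ways; pf reads a bare `vio` as the interface group of every vio(4) device, so write `vio0` on both sides or keep the `$ext_if` macro from the replaced line (the 28a29,30 hunk also drops the sentence explaining ext_if, which is fine only if the macro goes). The 3,4c3,4, 9c9 and 13c13 hunks change the example address from 203.0.113.5 to 192.168.1.1 in the iked.conf block, but the page's sentence requiring a caching name server on 203.0.113.5 is left untouched, so the prose and the configuration now disagree.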
host:1628966702=198.251.81.133
author:1628960165=mkf
diff:1628960165:1620873930:=1c1%0a%3c Note: this is made for OpenBSD 6.6, it has been not updated for latest version of OpenBSD (which is currently 6.9)%0a---%0a> ====== OpenBSD 6.6 on amd64 ======%0a
host:1628960165=2.178.173.183
author:1620873930=st13g
diff:1620873930:1612350661:=
host:1620873930=200.121.220.221
author:1612350661=jrmu
diff:1612350661:1597227135:=5c5%0a%3c [@%0a---%0a> %3ccode>%0a15,16c15,16%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a21c21%0a%3c [@%0a---%0a> %3ccode>%0a27,28c27,28%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a33c33%0a%3c [@%0a---%0a> %3ccode>%0a35,36c35,36%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a39c39%0a%3c [@%0a---%0a> %3ccode>%0a48,49c48,49%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a54c54%0a%3c [@%0a---%0a> %3ccode>%0a57,58c57,58%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a61c61%0a%3c [@%0a---%0a> %3ccode>%0a63,64c63,64%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a67c67%0a%3c [@%0a---%0a> %3ccode>%0a81,82c81,82%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a85c85%0a%3c [@%0a---%0a> %3ccode>%0a87,88c87,88%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a91c91%0a%3c [@%0a---%0a> %3ccode>%0a95,96c95,96%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a101c101%0a%3c [@%0a---%0a> %3ccode>%0a106,108c106,108%0a%3c @]%0a%3c %0a%3c %0a---%0a> %3c/code>%0a> %0a> %0a111c111%0a%3c [@%0a---%0a> %3ccode>%0a115,116c115,116%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a119c119%0a%3c [@%0a---%0a> %3ccode>%0a121c121%0a%3c @]%0a---%0a> %3c/code>%0a
host:1612350661=125.231.56.15
author:1597227135=jrmu
diff:1597227135:1597227135:=1,132d0%0a%3c ====== OpenBSD 6.6 on amd64 ======%0a%3c %0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):%0a%3c %0a%3c %3ccode>%0a%3c user 'username' 'password'%0a%3c ikev2 'vpn.ircnow.org' passive esp \%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \%0a%3c local 203.0.113.5 peer any \%0a%3c srcid vpn.ircnow.org \%0a%3c eap "mschap-v2" \%0a%3c config address 10.0.5.0/24 \%0a%3c config name-server 203.0.113.5 \%0a%3c tag "ROADW"%0a%3c %3c/code>%0a%3c %0a%3c The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.%0a%3c %0a%3c Add this to /etc/pf.conf:%0a%3c %0a%3c %3ccode>%0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in inet proto esp tag IKED%0a%3c pass on enc0 inet tagged ROADW%0a%3c match out on $ext_if inet tagged ROADW nat-to $ext_if%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c %3c/code>%0a%3c %0a%3c where ext_if is your external interface.%0a%3c %0a%3c To reload the new pf ruleset:%0a%3c %0a%3c %3ccode>%0a%3c $ doas pfctl -f /etc/pf.conf %0a%3c %3c/code>%0a%3c %0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:%0a%3c %0a%3c %3ccode>%0a%3c # ikectl ca vpn create%0a%3c # ikectl ca vpn install%0a%3c certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt%0a%3c CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl%0a%3c # ikectl ca vpn certificate server1.domain create%0a%3c # ikectl ca vpn certificate server1.domain install%0a%3c writing RSA key%0a%3c # cp /etc/iked/ca/ca.crt /var/www/htdocs/%0a%3c %3c/code>%0a%3c %0a%3c We will use unbound as the caching DNS resolver. 
Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):%0a%3c %0a%3c /etc/resolv.conf:%0a%3c %0a%3c %3ccode>%0a%3c nameserver 127.0.0.1%0a%3c lookup file bind%0a%3c %3c/code>%0a%3c %0a%3c /etc/resolv.conf.tail:%0a%3c %0a%3c %3ccode>%0a%3c lookup file bind%0a%3c %3c/code>%0a%3c %0a%3c /var/unbound/etc/unbound.conf:%0a%3c %0a%3c %3ccode>%0a%3c outgoing-interface: 203.0.113.5%0a%3c access-control: 10.0.0.0/8 allow%0a%3c ...%0a%3c %0a%3c local-zone: "www.domain.com" static%0a%3c %0a%3c ...%0a%3c %0a%3c forward-zone:%0a%3c forward-addr: 185.121.177.177%0a%3c forward-addr: 169.239.202.202%0a%3c %0a%3c ...%0a%3c %3c/code>%0a%3c %0a%3c The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.%0a%3c %0a%3c %3ccode>%0a%3c $ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts%0a%3c %3c/code>%0a%3c %0a%3c We need to reformat this hosts file:%0a%3c %0a%3c %3ccode>%0a%3c $ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list%0a%3c $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2%0a%3c $ sed 's/ "/"/' newhosts2 > newhosts3%0a%3c %3c/code>%0a%3c %0a%3c Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.%0a%3c %0a%3c Does this need to be added to /etc/sysctl.conf:%0a%3c %0a%3c %3ccode>%0a%3c net.inet.ip.forwarding=1%0a%3c net.inet.ipcomp.enable=1%0a%3c net.inet.esp.enable=1%0a%3c net.inet.ah.enable=1%0a%3c %3c/code>%0a%3c %0a%3c %0a%3c To start iked,%0a%3c %0a%3c %3ccode>%0a%3c $ doas rcctl enable iked%0a%3c $ doas rcctl set iked flags -6%0a%3c $ doas rcctl start iked%0a%3c %3c/code>%0a%3c 
%0a%3c To turn on debugging, replace the last step with:%0a%3c %0a%3c %3ccode>%0a%3c $ doas iked -6 -dv%0a%3c %3c/code>%0a%3c %0a%3c Note: You may consider using blacklists from here:%0a%3c https://dsi.ut-capitole.fr/blacklists/index_en.php%0a%3c https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt%0a%3c https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn%0a%3c %0a%3c Banned networks:%0a%3c %0a%3c irc.p2p-network.net%0a%3c irc.gazellegames.net%0a%3c irc.nzbs.in%0a\ No newline at end of file%0a
host:1597227135=38.81.163.143