name=Znc.Chroot author=mkf text=(:title Chroot ZNC:)%0a%0aIn this guide, we will install ZNC inside a chroot.%0a%0a[[https://wiki.znc.in|ZNC]] is an IRC bouncer. It runs on a server and stays connected after you turn off your computer or phone. It saves chat messages and replays them when you reconnect, and also helps to hide your IP address. If you are running it on IRCNow, your server may also offer [[openbsd/ddos|DDoS protection]] to keep you online.%0a%0a!! Before You Begin%0a%0aYou will want to set up [[Znc/Install|ZNC]] once without a chroot, as a normal user without root powers. This will give you a better understanding of how ZNC works before you attempt a more complex, chrooted install.%0a%0aNext, read the [[chroot/intro|introduction to chroots]] to get familiar with the concept of chroots. In this guide, we use a chroot for extra security: ZNC runs as the unprivileged znc user with /home/znc as its root, so a bug in ZNC does not directly expose the rest of the filesystem.%0a%0a!! Public ZNCs%0a%0aIf you are offering a public ZNC service for many users, you will want to get a DDoS-filtered IPv4 address and an IPv6 subnet from your internet provider ([[openbsd/buyvm|BuyVM guide]]).%0a%0a!! Installing Dependencies%0a%0aThe below installation was tested on [[openbsd/syspatch|OpenBSD 7.1 stable]]. 
ZNC will run inside a chroot at /home/znc.%0a%0aBefore beginning the installation, check to make sure you are using OpenBSD 7.1 and that your system is patched:%0a%0a[@%0a$ uname -a%0aOpenBSD username.example.com 7.1 GENERIC#443 amd64%0a$ doas syspatch%0a@]%0a%0aNext, we install needed dependencies:%0a%0a[@%0a$ doas pkg_add icu4c boost cmake gettext-runtime gettext-tools%0a@]%0a%0a!! Installing from Packages%0a%0a'''WARNING''': OpenBSD 6.9 (and later) may contain a bug that causes ZNC to crash with a segmentation fault. To avoid this, we recommend applying a [[znc/patch|custom patch to ZNC]].%0a%0aThe crash is a threading bug, so if you are running on a single-core server you can install znc from packages without patching:%0a%0a[@%0a$ doas pkg_add znc%0a@]%0a%0a!! Compiling from Source%0a%0a!!! Patched Source%0a%0aDue to a bug in OpenBSD 6.9, we have applied a [[znc/patch|custom patch to ZNC]]:%0a%0a[@%0a$ cd ~%0a$ ftp https://ircnow.org/software/znc-1.8.2b.tar.gz%0a@]%0a%0aOn OpenBSD, [[ftp/usage|ftp]] can also be used to download files from the web. Note that this is a tarball rebuilt by IRCNow, not the signed upstream release from znc.in, so you are trusting ircnow.org for its contents; if you would rather verify upstream's signature, build the upstream source and apply the patch yourself.%0a%0aNext, [[tar/usage|extract and unzip]] the files (the archive extracts into the directory znc-1.8.2):%0a%0a[@%0a$ tar xvzf znc-1.8.2b.tar.gz%0a@]%0a%0aFor [[tar/usage|tar]], the options xvzf stand for e(x)tract, (v)erbose, un(z)ip, and (f)ile.%0a%0aNext, we build ZNC:%0a%0a[@%0a$ cd znc-1.8.2%0a$ mkdir build%0a$ cd build%0a$ cmake ..%0a$ make%0a$ doas make install%0a@]%0a%0a!! Configuring the Chroot%0a%0aWe want to [[openbsd/adduser|create a new unprivileged user account]] for security:%0a%0a[@%0a$ doas useradd -m -d /home/znc -s /sbin/nologin znc%0a@]%0a%0a@@-m@@ tells [[https://man.openbsd.org/useradd|useradd]] to create a home folder; @@-d@@ says the home folder is @@/home/znc@@; @@-s@@ specifies the default shell as @@/sbin/nologin@@, meaning nobody can log in as this user. The username created is znc.%0a%0a!!! 
Login Class%0a%0aAdd the following lines to the end of [[https://man.openbsd.org/login.conf|/etc/login.conf]]:%0a%0a[@%0aznc:\%0a :openfiles-cur=4096:\%0a :openfiles-max=8182:\%0a :openfiles=4096:\%0a :stacksize-cur=48M:\%0a :stacksize-max=48M:\%0a :maxproc-max=infinity:\%0a :maxproc-cur=4096:\%0a :tc=daemon:%0a@]%0a%0a'''WARNING''': Use tabs and not spaces. Spaces will fail and as a result, znc will not get the file resources it needs.%0a%0aThe [[openbsd/loginconf|login.conf]] guide explains the attributes in more detail.%0a%0aEach time znc creates a new connection for a user, it requires at least one file descriptor. So, if your file descriptor limit is set too low, znc will be unable to make new connections to networks. openfiles sets the maximum number of open file descriptors per process. -cur specifies the current limit and -max specifies the maximum limit.%0a%0aThe current and maximum stack size controls how much stack memory a user can use. We set it at 48M to give ZNC plenty of room.%0a%0a@@maxproc@@ limits how many processes a user in this class can create. We set the maximum to infinity and the current amount to 4096. 
@@tc=daemon@@ means that the default values will come from the @@daemon@@ login class.%0a%0aNow we change znc's default login class to znc:%0a%0a[@%0a$ doas usermod -L znc znc%0a@]%0a%0aThis can also be edited with a text editor using [[openbsd/vipw]].%0a%0aTo confirm that the login class has been changed, check [[https://man.openbsd.org/./man5/passwd.5|/etc/master.passwd]].%0a%0a[@%0a$ doas grep '^znc' /etc/master.passwd%0aznc:*:1001:1001:znc:0:0:znc:/home/znc:/sbin/nologin%0a@]%0a%0a[[grep/usage|grep]] searches for the line that begins with @@znc@@ in [[https://man.openbsd.org/./man5/passwd.5|/etc/master.passwd]].%0a%0aThe 5th field (the login class) needs to say znc:%0a%0a[@%0a$ doas grep '^znc' /etc/master.passwd | cut -d : -f 5%0aznc%0a@]%0a%0a'''NOTE''': If /etc/login.conf.db exists, make sure to delete it (or recreate it with @@doas cap_mkdb /etc/login.conf@@), otherwise login.conf changes won't apply.%0a%0aTo delete:%0a%0a[@%0a$ doas rm /etc/login.conf.db%0a@]%0a%0aNext, we temporarily change znc's shell to ksh so that we can open a session as znc and inspect its limits:%0a%0a[@%0a$ doas chsh -s /bin/ksh znc%0a@]%0a%0aNext, we login with the username znc, with the login class znc (on OpenBSD, @@su -c@@ selects the login class):%0a%0a[@%0a$ doas su -c znc znc%0a$ ulimit -a%0atime(cpu-seconds) unlimited%0afile(blocks) unlimited%0acoredump(blocks) unlimited%0adata(kbytes) 33554432%0astack(kbytes) 32768%0alockedmem(kbytes) 329478%0amemory(kbytes) 985092%0anofiles(descriptors) 4096%0aprocesses 1310%0a@]%0a%0a@@ulimit -a@@ displays all process limits for our current user.%0a%0a'''WARNING''': If nofiles(descriptors) is not 4096, you may have an error in your configuration!%0a%0aPress ctrl+d to signal the end of file to logout, then change znc's login shell back to /sbin/nologin right away; a service account with a working shell is an unnecessary foothold if its password or key is ever obtained. Then, while inside znc-1.8.2, run the chroot.sh script as root:%0a%0a[@%0a$ ^D%0a$ doas chsh -s /sbin/nologin znc%0a$ cd ~/znc-1.8.2%0a$ doas sh chroot.sh%0a@]%0a%0a!! Configuring ZNC%0a%0a!!! 
Makeconf%0a%0aAt first, you will need to create a conf file:%0a%0a[@%0a$ doas su%0a# export HOME=/home/znc/%0a# chroot -u znc -g znc /home/znc znc --makeconf%0a[ .. ] Checking for list of available modules...%0a[ ** ]%0a[ ** ] -- Global settings --%0a[ ** ]%0a[ ?? ] Listen on port (1025 to 65534): 31337%0a[ ?? ] Listen using SSL (yes/no) [no]: yes%0a[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no%0a[ .. ] Verifying the listener...%0a[ ** ] Unable to locate pem file: [/home/znc/.znc/znc.pem], creating it%0a[ .. ] Writing Pem file [/home/znc/.znc/znc.pem]...%0a[ ** ] Enabled global modules [webadmin]%0a[ ** ]%0a@]%0a%0aWe're going to configure ZNC to listen on ports 1337 and 31337. Port 1337 will be plaintext, port 31337 will be SSL. This convention is followed by IRCNow's public servers.%0a%0a'''WARNING''': Do '''not''' listen to both IPv4 and IPv6. There appears to be a bug in ZNC v1.8.2 on OpenBSD 6.9 where selecting 'yes' will cause IPv4 to stop working. Instead, as shown later in the guide, you can create separate listeners to allow listening to both IPv4 and IPv6.%0a%0aYou will want to enable connecting both with and without [[tls/overview|SSL]]. Although SSL helps to encrypt messages, some older IRC programs don't support it, so it is important to offer ZNC in plaintext.%0a%0aZNC will automatically create its own SSL certificate. This certificate, however, will be self-signed and hence will show up as invalid or untrusted by your IRC client. To get a properly signed SSL certificate, you will need to configure [[openhttpd/configure|openhttpd]] and request the certificate with [[acme-client/configure|acme-client]].%0a%0a[@%0a[ ** ] -- Admin user settings --%0a[ ** ]%0a[ ?? ] Username (alphanumeric): username%0a[ ?? ] Enter password:%0a[ ?? ] Confirm password:%0a[ ?? ] Nick [username]:%0a[ ?? ] Alternate nick [username_]:%0a[ ?? ] Ident [username]:%0a[ ?? ] Real name (optional):%0a@]%0a%0a!!! 
Bindhosts%0a%0aNext, you'll be asked to specify an optional bindhost. For now, we will leave this blank.%0a%0a[@%0a[ ?? ] Bind host (optional):%0a@]%0a%0a'''WARNING''': You cannot pick any arbitrary [[dns/vhost|bindhost]] that you want. If the bindhost does not work, your vhost will not show up properly, and you may not be able to connect at all!%0a%0aThe bindhost is used to pick which IP address to use for a server with multiple IP addresses. It can allow you to pick a nice-looking vhost, like @@username@username.example.com@@, once [[dns/overview|DNS]] has been properly set up.%0a%0aA [[dns/vhost|vhost]] must have proper [[dns/overview|forward]] and [[DNS/rDNS|reverse DNS]] [[dns/records|records]] to work. If these have not been configured properly, first leave the bindhost blank.%0a%0aTo test if your bindhost works properly, check the [[host/usage|host]] guide. You will want to run host on your hostname and IP address to make sure they both match.%0a%0a[@%0a[ ** ] Enabled user modules [chansaver, controlpanel]%0a[ ** ]%0a[ ?? ] Set up a network? (yes/no) [yes]:%0a[ ** ]%0a@]%0a%0aWe will turn on the chansaver and controlpanel modules and set up a network.%0a%0a[@%0a[ ** ] -- Network settings --%0a[ ** ]%0a[ ?? ] Name [freenode]: example%0a[ ?? ] Server host (host only): irc.example.com%0a[ ?? ] Server uses SSL? (yes/no) [no]: yes%0a[ ?? ] Server port (1 to 65535) [6697]:%0a[ ?? ] Server password (probably empty):%0a[ ?? ] Initial channels: #channel%0a[ ** ] Enabled network modules [simple_away]%0a@]%0a%0aConfigure a network. The network name is usually just a single word; it is not the same as the server host. IRC normally uses port 6667 if there is no SSL, and 6697 if there is SSL.%0a%0a[@%0a[ ** ]%0a[ .. ] Writing config [/home/znc//.znc/configs/znc.conf]...%0a[ ** ]%0a[ ** ] To connect to this ZNC you need to connect to it as your IRC server%0a[ ** ] using the port that you supplied. 
You have to supply your login info%0a[ ** ] as the IRC server password like this: user/network:pass.%0a[ ** ]%0a[ ** ] Try something like this in your IRC client...%0a[ ** ] /server %3cznc_server_ip> +31337 username:%3cpass>%0a[ ** ]%0a[ ** ] To manage settings, users and networks, point your web browser to%0a[ ** ] https://%3cznc_server_ip>:31337/%0a[ ** ]%0a[ ?? ] Launch ZNC now? (yes/no) [yes]: no%0a@]%0a%0aFor now, avoid setting up the web server on port 31337. We will instead use [[relayd/acceleration|relayd]] so that the web server can be viewed on the default port for https: port 443.%0a%0a!! Configuring SSL%0a%0aIn order to provide SSL for the bouncer, you must first configure [[openhttpd/configure|OpenHTTPd]] and request a certificate with [[acme-client/configure|acme-client]].%0a%0aOnce that is done, you can copy the certificate:%0a%0a[@%0a# cp /etc/ssl/bnc.example.com.crt /home/znc/home/znc/.znc/%0a# cp /etc/ssl/private/bnc.example.com.key /home/znc/home/znc/.znc/%0a# chown znc:znc /home/znc/home/znc/.znc/bnc.example.com.{crt,key}%0a@]%0a%0aIn the above commands, replace @@bnc.example.com@@ with your real hostname.%0a%0a@@bnc.example.com.crt@@ contains only the leaf certificate. If IRC clients or @@openssl s_client@@ report an incomplete chain, copy @@/etc/ssl/bnc.example.com.fullchain.pem@@ (which acme-client writes alongside the .crt) instead and point @@SSLCertFile@@ at it. Two more things to keep in mind: the private key is now readable inside the chroot, so check that the copy stays mode 0600 and owned by znc; and acme-client renews the certificate in /etc/ssl, not inside the chroot, so you must repeat the copy (and rehash ZNC) after each renewal or clients will eventually see an expired certificate.%0a%0aNext, we create dhparam (generating 2048-bit parameters can take a few minutes):%0a%0a[@%0a$ openssl dhparam -out dhparam.pem 2048%0a$ doas chown znc:znc dhparam.pem%0a$ doas mv dhparam.pem /home/znc/home/znc/.znc/%0a@]%0a%0aNext, edit [[https://wiki.znc.in/Configuration|/home/znc/home/znc/.znc/configs/znc.conf]] to use this configuration:%0a%0a[@%0a// WARNING%0a//%0a// Do NOT edit this file while ZNC is running!%0a// Use webadmin or *controlpanel instead.%0a//%0a// Read up on /znc saveconfig and /znc rehash.%0a// Also check https://wiki.znc.in/Configuration%0a%0aAnonIPLimit = 10000%0aAuthOnlyViaModule = false%0aConfigWriteDelay = 60%0aConnectDelay = 1%0aHideVersion = false%0aLoadModule = chansaver%0aLoadModule = lastseen%0aLoadModule = adminlog%0aLoadModule = identfile%0aLoadModule = webadmin%0aLoadModule = certauth%0aMaxBufferSize = 10000%0aProtectWebSessions = true%0aSSLCertFile = 
/home/znc/.znc/bnc.example.com.crt%0aSSLDHParamFile = /home/znc/.znc/dhparam.pem%0aSSLKeyFile = /home/znc/.znc/bnc.example.com.key%0aPidFile = /home/znc/.znc/znc.pid%0aServerThrottle = 1%0aVersion = 1.8.2%0a%0a%3cListener listener0>%0a AllowIRC = true%0a AllowWeb = false%0a Host = 192.168.1.1%0a IPv4 = true%0a IPv6 = false%0a Port = 1337%0a SSL = false%0a URIPrefix = /%0a%3c/Listener>%0a%0a%3cListener listener1>%0a AllowIRC = true%0a AllowWeb = false%0a Host = 192.168.1.1%0a IPv4 = true%0a IPv6 = false%0a Port = 31337%0a SSL = true%0a URIPrefix = /%0a%3c/Listener>%0a%0a%3cListener listener2>%0a AllowIRC = true%0a AllowWeb = false%0a Host = 2001:db8::%0a IPv4 = false%0a IPv6 = true%0a Port = 1337%0a SSL = false%0a URIPrefix = /%0a%3c/Listener>%0a%0a%3cListener listener3>%0a AllowIRC = true%0a AllowWeb = false%0a Host = 2001:db8::%0a IPv4 = false%0a IPv6 = true%0a Port = 31337%0a SSL = true%0a URIPrefix = /%0a%3c/Listener>%0a%0a%3cListener listener4>%0a AllowIRC = true%0a AllowWeb = false%0a Host = 127.0.0.1%0a IPv4 = true%0a IPv6 = false%0a Port = 1337%0a SSL = false%0a URIPrefix = /%0a%3c/Listener>%0a%0a%3cListener listener5>%0a AllowIRC = false%0a AllowWeb = true%0a Host = 127.0.0.1%0a IPv4 = true%0a IPv6 = false%0a Port = 1338%0a SSL = false%0a URIPrefix = /%0a%3c/Listener>%0a%0a%3cUser username>%0a Pass = sha256#014eab533f25fe65621963f712ecaf3b86fe840859ab6f4c675200c73d02e6d1#ytZ8/L,:MtZ5cMCe5IJX#%0a Admin = true%0a Nick = username%0a AltNick = username_%0a Ident = username%0a LoadModule = chansaver%0a LoadModule = controlpanel%0a%0a %3cNetwork example>%0a LoadModule = simple_away%0a Server = irc.example.com +6697 %0a %3cChan #channel>%0a %3c/Chan>%0a %3c/Network>%0a%3c/User>%0a@]%0a%0aMake sure you read the [[https://wiki.znc.in/Configuration|ZNC wiki]] to understand the meaning of each option.%0a%0aYou must replace @@bnc.example.com@@ with your actual hostname.%0a%0aIn the listeners, you must replace @@192.168.1.1@@ and @@2001:db8::@@ with your server's 
[[IP/myaddress|public IPv4 and IPv6 address]].%0a%0a'''NOTE''': Do '''not''' replace @@127.0.0.1@@. This is [[localhost/intro|localhost]] and must not be changed.%0a%0aWe recommended you use ports 1337 for plaintext, 31337 for SSL, and 1338 for web. This convention is followed on the public servers on IRCNow. Note that znc binds to port 1338 without SSL for the web server. We later use [[openbsd/relayd|relayd]] to provide TLS acceleration on port 443.%0a%0a'''WARNING''': Within the same listener, do '''not''' listen to both IPv4 and IPv6. You need separate listeners for each.%0a%0aFor the username block, use the defaults that ZNC's makeconf generated. Don't edit or delete the values that ZNC generated automatically.%0a%0aPlease read the [[https://wiki.znc.in/Configuration|ZNC wiki]] to understand the meaning of each option.%0a%0a!! Ident%0a%0aNotice the above config loads the identfile module by default. This is necessary to provide proper ident using [[oidentd/ZNC|oidentd]]. You will need to configure [[oidentd/ZNC|oidentd]] for the module to work.%0a%0a!! Packet Filter%0a%0aIf [[pf/intro|packet filter]] is set to deny all incoming connects, you can add this rule to /etc/pf.conf:%0a%0a[@%0apass in log quick proto tcp to port {http https} keep state (max-src-conn 300, max-src-conn-rate 300/60) #relayd web%0apass in log quick proto tcp to port {1337 31337} keep state (max 3000, max-src-conn 300) #bnc%0a@]%0a%0aTo load the new ruleset:%0a%0a[@%0a# pfctl -f /etc/pf.conf%0a@]%0a%0a!! Starting ZNC%0a%0aTo run znc:%0a%0a[@%0a# export HOME=/home/znc%0a# /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 &%0a@]%0a%0a!! Recreate znc.conf%0a%0aIf at any time you mess up the configuration, move your current znc.conf to%0aa new location (to back it up), then rerun the makeconf command again:%0a%0a[@%0a$ doas mv /home/znc/home/znc/.znc/configs/{znc.conf,znc.conf.bak}%0a$ doas chroot -u znc -g znc /home/znc znc --makeconf%0a@]%0a%0a!! 
Changing Password%0aIf you forget the password you set during the --makeconf, you can generate a new one like this:%0a%0a[@%0a# /usr/sbin/chroot -u znc -g znc /home/znc znc --makepass %0a[ ** ] Type your new password.%0a[ ?? ] Enter password: %0a[ ?? ] Confirm password: %0a[ ** ] Kill ZNC process, if it's running.%0a[ ** ] Then replace password in the %3cUser> section of your config with this:%0a%3cPass password>%0a Method = sha256%0a Hash = 49396054dc8263b573d11c9c01e43f89ee772f6dc89b3c630e6dffa9acea4a3e%0a Salt = ovexwSL50cC?jE2eCM?x%0a %3c/Pass>%0a[ ** ] After that start ZNC again, and you should be able to login with the new password.%0a@]%0a%0aThe example output above shows the hash generated for a password of "password". This gives you the password block you need to add to your [[https://wiki.znc.in/Configuration|/home/znc/home/znc/.znc/configs/znc.conf]] file. %0a'''NOTE:''' You'll need to replace the original generated Pass = line. The new user section of your config will look something like this:%0a%0a[@%0a%3cUser username>%0a %3cPass password>%0a Method = sha256%0a Hash = 49396054dc8263b573d11c9c01e43f89ee772f6dc89b3c630e6dffa9acea4a3e%0a Salt = ovexwSL50cC?jE2eCM?x%0a %3c/Pass>%0a Admin = true%0a Nick = username%0a AltNick = username_%0a Ident = username%0a LoadModule = chansaver%0a LoadModule = controlpanel%0a%0a %3cNetwork example>%0a LoadModule = simple_away%0a Server = irc.example.com +6697 %0a %3cChan #channel>%0a %3c/Chan>%0a %3c/Network>%0a%3c/User>%0a@]%0a%0a%0a%0a!! Editing Config%0a%0aThe best way to edit the conf file is by [[bouncer/bouncer|logging in to znc]] with your IRC client, then using the *status or *controlpanel module. You can also use the [[znc/webpanel|webpanel]] once it has been set up.%0a%0aSometimes, however, it may be necessary to edit your configuration file directly and then reload it (rehash).%0a%0a!!! 
Shutting down and restarting%0a%0aIf the only person using ZNC is yourself, you can easily shut down ZNC, edit the conf, then restart ZNC.%0a%0a[@%0a# pkill -U znc%0a@]%0a%0aThis will kill all processes run by the user znc, which should kill the bouncer. Then edit the znc.conf file, and restart ZNC as described above.%0a%0a!!! Live rehash%0a%0aIf you have other users connected to a public ZNC, or you cannot afford to take ZNC offline, you may need to rehash ZNC. First, [[bouncer/bouncer|log in to znc]] with your IRC client, then save the config:%0a%0a[@%0a/msg *status saveconfig%0a@]%0a%0aNext, edit [[https://wiki.znc.in/Configuration|/home/znc/home/znc/.znc/configs/znc.conf]]. Finally, send a rehash message over IRC to ZNC:%0a%0a[@%0a/msg *status rehash%0a@]%0a%0aWe add a [[openbsd/cron|cron job]] that tries to start ZNC every 5 minutes. If ZNC is already running, the second instance cannot bind the listener ports and exits immediately, so this is safe and doubles as a crash restart:%0a%0a[@%0a# echo "HOME=/home/znc" >> /var/cron/tabs/root%0a# echo "*/5 * * * * /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 &" >> /var/cron/tabs/root%0a@]%0a%0aAppending directly to /var/cron/tabs/root bypasses [[https://man.openbsd.org/crontab|crontab(1)]]; run @@doas crontab -l@@ afterwards to confirm cron sees the new entries, or add them with @@doas crontab -e@@ instead.%0a%0a!! Testing ZNC%0a%0aTo test the connection in plaintext ('''warning''': insecure), consult the [[netcat/irc|netcat irc guide]].%0a%0aTo test the connection using SSL, run:%0a%0a[@%0a$ openssl s_client -connect bnc.example.com:31337%0a@]%0a%0aReplace @@bnc.example.com@@ with your actual hostname. Check the output to make sure the proper SSL cert is being served and that the chain verifies (look for @@Verify return code: 0 (ok)@@). Once an SSL session has been established, consult the [[netcat/irc|netcat irc guide]].%0a%0a!! Web Panel%0a%0aUse [[znc/relayd|relayd]] to allow visitors to use port 443 to access the ZNC web panel.%0a%0a!! Control Panel%0a%0aSee [[znc/usage]] for help on how to use the controlpanel.%0a%0a(:if false:)%0a!! 
rc.d script%0a%0aCreate /etc/rc.d/znc:%0a%0a[@%0a#!/bin/ksh%0a#%0a# $OpenBSD: znc,v 1.2 2020/01/21 19:27:07 rpe Exp $%0a%0adaemon_pidfile="/home/znc/home/znc/.znc/znc.pid"%0adaemon="env HOME=/home/znc /usr/sbin/chroot -u znc -g znc /home/znc znc"%0a%0aservice_stop() {%0a if [ -f $daemon_pidfile ]; then%0a pid=$(sed 's/[^0-9]*//g' $daemon_pidfile)%0a kill $pid%0a fi%0a}%0a%0acase "$1" in%0a stop)%0a service_stop%0a ;;%0aesac%0a%0a. /etc/rc.d/rc.subr%0a%0arc_reload=NO%0a%0arc_cmd $1%0a%0a@]%0a%0a[@%0adoas chmod +x /etc/rc.d/znc%0a@]%0a%0a!! Automatic start%0a%0aThis script will automatically restart znc in case it crashes.%0a%0a[@%0adoas mkdir /usr/local/project_name/%0adoas touch /usr/local/project_name/checker_znc.sh%0adoas chmod +x /usr/local/project_name/checker_znc.sh%0a@]%0a%0a[@%0a#!/bin/sh%0a%0aSERVICE_NAME="znc"%0aSERVICE_USER="znc"%0aSERVICE_PID="/home/znc/home/znc/.znc/znc.pid"%0a%0aif ! pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null%0athen%0a if [ -f $SERVICE_PID ]; then%0a rm -f $SERVICE_PID%0a rcctl -d restart $SERVICE_NAME%0a fi%0afi%0a@]%0a%0a# echo "*/2 * * * * /usr/local/project_name/checker_znc.sh 2>&1 &" >> /var/cron/tabs/root%0a%0a(:ifend:)%0a%0a!! Custom vhosts%0a%0a'''WARNING''': do '''not''' set individual IPv6 addresses for a user's bindhost. Do not set a user's bindhost to be something like 2605:6400:10::. If you specify an IPv6 address for the bindhost, that user can *only* connect to networks that support IPv6. IPv4-only networks completely fail.%0a%0aIt is better to set the bindhost to be username.fruit.ircnow.org. Then, for the [[openbsd/nsd|nameserver]], create an AAAA record and an A record. That way, the bindhost will use IPv6 if the network is IPv6-only, and IPv4 if it is an IPv4-only network. 
This solution is more flexible and allows your user to fall back to IPv4 when IPv6 is not supported.%0a%0aIf a user requests to change their vhost, do not edit the bindhost -- all you need to do is update the rDNS record (see the [[openbsd/buyvm|buyvm web panel]]). Don't delete the bindhost or the DNS A/AAAA records.%0a%0aFor example, suppose the vhost was formerly username.fruit.ircnow.org. If the user wants to change it to example.com, you just need to update the rDNS to example.com, but leave the znc bindhost as username.fruit.ircnow.org and keep the A/AAAA records for username.fruit.ircnow.org.%0a%0aOnce example.com's AAAA record is working, and the rDNS has been configured properly, you can reconnect the user (either the user types @@/znc connect@@ or you type @@/msg *controlpanel reconnect %3cusername> %3cnetwork>@@), and the vhost will update properly.%0a%0aKeeping the old A/AAAA record and bindhost working will make it easier if the user changes vhosts again or if their 3rd party dns server for example.com fails for whatever reason. This method will allow the user to still connect. Otherwise, if the 3rd party dns server fails for example.com (which frequently happens with cheap, free dns services), users will be unable to connect and blame you.%0a%0a!! Troubleshooting%0a%0aIf your user is getting disconnected, these are the most likely causes:%0a%0a# mismatch of ports or SSL (using plaintext on 6697 or SSL on 6667)%0a# SSL is not supported%0a# user has a server password where none belongs (most likely they confused the server password with their nickserv password)%0a# ident is not working%0a# ircd bans a certain username or ident for no good reason (the ircd mistakenly assumes your connection is a bot and glines it)%0a# typo of server name or IP address%0a# dns lookup error%0a%0aIf ZNC itself fails to start with a missing-library error, you may need to install the icu4c version it was built against (icu4c-68.2v0 at the time of writing); see Missing libraries below.%0a%0a!!! 
IPv4/IPv6 mismatch%0a%0aIf a znc user has a bindhost that is IPv6 only but the network is IPv4 only, or vice versa, it will not connect.%0a%0aTo prevent this, you '''must''' use a symbolic hostname (such as username.example.com) for the bindhost. Each hostname needs a single [[dns/records|A record]] and a single [[dns/records|AAAA record]] in the [[nsd/zone|DNS zone]]. If any part is misconfigured, users will be unable to connect.%0a%0aTo check if any bindhosts are incorrectly using fixed IPv6 or IPv4 addresses, run:%0a%0a[@%0a# sed -nE '/.*(\%3cBindHost|\%3cDCCBindHost) = (.*:.*|[0-9.]+)/s//\2/p' /home/znc/home/znc/.znc/configs/znc.conf%0a@]%0a%0aThe pattern prints only values that contain a colon (IPv6) or consist solely of digits and dots (IPv4). If you see IP addresses like the following, then your bindhosts are incorrectly set to use IPv4 or IPv6 addresses directly instead of symbolic hostnames:%0a%0a[@%0a192.168.1.1%0a2001:db8::%0a@]%0a%0a!!! Bindhost Errors%0a%0aA quick way to check for DNS errors is to extract every bindhost from the config and look each one up with [[host/usage|host]]:%0a%0a[@%0a# sed -nE '/.*(\%3cBindHost|\%3cDCCBindHost) = (.*)/s//\2/p' /home/znc/home/znc/.znc/configs/znc.conf | xargs -n 1 -t host%0a@]%0a%0aEvery hostname should have both an IPv4 and IPv6 address. The IPv4 address should match your [[openbsd/ddos|DDoS-filtered]] public address. 
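As an added example (not part of the original guide and not ZNC's own tooling), the following script folds the two listener rules from the configuration section and the bindhost check above into one lint pass over znc.conf. It flags a listener that sets both IPv4 and IPv6, a web (AllowWeb) listener bound to anything but 127.0.0.1, and any BindHost or DCCBindHost that is a literal address rather than a hostname. The embedded sample config is constructed for the demonstration and only mirrors the listener layout used on this page; to lint a real install, pass /home/znc/home/znc/.znc/configs/znc.conf as the first argument. It needs nothing beyond the sh and awk in OpenBSD base.

```shell
#!/bin/sh
# Added example, not part of the original page or of ZNC: lint a znc.conf for
#   1. a <Listener> with both IPv4 = true and IPv6 = true (use one listener per family)
#   2. an AllowWeb listener bound to anything but 127.0.0.1 (web panel belongs behind relayd)
#   3. a BindHost / DCCBindHost that is a literal IPv4 or IPv6 address (use a hostname)
# Usage: sh znc-lint.sh /home/znc/home/znc/.znc/configs/znc.conf
# With no argument it lints the constructed sample config below.

# Constructed sample config for the demonstration; not a real deployment.
sample_conf() {
    cat <<'EOF'
Version = 1.8.2

<Listener listener0>
    AllowIRC = true
    AllowWeb = false
    Host = 192.168.1.1
    IPv4 = true
    IPv6 = true
    Port = 1337
    SSL = false
</Listener>

<Listener listener1>
    AllowIRC = false
    AllowWeb = true
    Host = 192.168.1.1
    IPv4 = true
    IPv6 = false
    Port = 1338
    SSL = false
</Listener>

<Listener listener2>
    AllowIRC = false
    AllowWeb = true
    Host = 127.0.0.1
    IPv4 = true
    IPv6 = false
    Port = 1338
    SSL = false
</Listener>

<User username>
    BindHost = 2001:db8::1
    DCCBindHost = 192.168.1.1
    <Network example>
        BindHost = username.example.com
        Server = irc.example.com +6697
    </Network>
</User>
EOF
}

# Write the sample to a temporary file and print its path.
write_sample() {
    f=$(mktemp) || exit 1
    sample_conf > "$f"
    printf '%s\n' "$f"
}

# Print one line per offending <Listener> block.  Lines inside a block look
# like "Key = Value", so awk's $1 is the key and $3 the value.
lint_listeners() {
    awk '
    function flush(    h) {
        if (name == "") return
        if (v4 == "true" && v6 == "true")
            printf "%s: IPv4 and IPv6 both true; use one listener per address family\n", name
        h = (host == "" ? "all addresses" : host)
        if (web == "true" && host != "127.0.0.1" && host != "::1")
            printf "%s: AllowWeb listener bound to %s; keep the web panel on 127.0.0.1 behind relayd\n", name, h
        name = ""
    }
    /^[ \t]*<Listener / { flush(); n = $2; sub(/>$/, "", n); name = n; v4 = v6 = web = host = ""; next }
    /^[ \t]*<\/Listener>/ { flush(); next }
    name != "" && $2 == "=" {
        if ($1 == "IPv4") v4 = $3
        else if ($1 == "IPv6") v6 = $3
        else if ($1 == "AllowWeb") web = $3
        else if ($1 == "Host") host = $3
    }
    END { flush() }' "$1"
}

# Print one line per BindHost/DCCBindHost whose value is a bare address
# (dotted-quad IPv4, or anything containing a colon for IPv6).
lint_bindhosts() {
    awk '
    $2 == "=" && ($1 == "BindHost" || $1 == "DCCBindHost") {
        v = $3
        if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || v ~ /:/)
            printf "%s = %s: literal address; use a hostname with one A and one AAAA record\n", $1, v
    }' "$1"
}

conf=${1:-$(write_sample)}
lint_listeners "$conf"
lint_bindhosts "$conf"
```

Run with no argument it prints four findings for the sample (listener0 is dual-stack, listener1 exposes the web panel on the public address, and the two literal bindhosts); a clean config prints nothing, so the script can run from cron next to the restart job and only produce mail when something is wrong.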
Each IPv6 address should be unique.%0a%0aIf you see duplicate entries (the same hostname returns multiple IPv6 addresses), you must delete the duplicate [[dns/vhost|DNS entries]].%0a%0aHere are error messages that indicate there are DNS problems with the bindhost:%0a%0a[@%0ahost username.example.com%0a;; connection timed out; no servers could be reached%0a@]%0a%0aThis error means that the DNS server could not be reached at all; check the nameservers in /etc/resolv.conf before looking at the zone.%0a%0a[@%0ahost username.example.com%0aHost username.example.com not found: 3(NXDOMAIN)%0a@]%0a%0aThis indicates there are no DNS records for the bindhost.%0a%0aAn alternative that turns the bindhost list into a script you can rerun later:%0a%0a[@%0a$ doas grep -E '(DCC)?BindHost' /home/znc/home/znc/.znc/configs/znc.conf > ~/bindhost%0a$ vi ~/bindhost%0a@]%0a%0aThen with vi, replace everything up to and including the @@ = @@ on each line with @@host @@:%0a%0a[@%0a:%25s_.* = _host _g%0a@]%0a%0aThen:%0a%0a[@%0a$ sh ~/bindhost%0a@]%0a%0aIf you see any records there with only a single IPv4 address but no IPv6, or a single IPv6 but no IPv4, or any NXDOMAIN responses, you need to fix your DNS records. There should be exactly one shared IPv4 and one unique IPv6 for each hostname, and zero NXDOMAIN responses.%0a%0a!!! Missing libraries%0a%0aIf you get errors such as:%0a%0a[@%0ald.so: znc: can't load library 'libc++abi.so.5.0'%0a@]%0a%0athen the znc binary was linked against a library version that the running system does not ship. This happens when you are on the wrong OpenBSD version (6.9 or earlier), when you did not apply [[openbsd/syspatch|syspatch]], or when you did not upgrade all dependencies:%0a%0a[@%0a$ doas syspatch%0a$ doas pkg_add -Uu%0a@]%0a%0aDelete the build folder and compile again.%0a time=1673252742 title=Chroot ZNC
In this guide, we use a chroot for extra security.%0a host:1654758971=38.87.162.154 author:1654757971=jrmu diff:1654757971:1651875506:=49,50c49,50%0a%3c Due to a bug in OpenBSD 6.9, we have applied a [[znc/patch|custom patch to ZNC]]:%0a%3c %0a---%0a> Due to a bug in OpenBSD 6.9, we have applied a custom patch to ZNC to avoid segfaults on multicore servers:%0a> %0a52,53c52,61%0a%3c $ cd ~%0a%3c $ ftp https://ircnow.org/software/znc-1.8.2b.tar.gz%0a---%0a> diff -ru znc-1.8.2-old/src/main.cpp znc-1.8.2-new/src/main.cpp%0a> --- znc-1.8.2-old/src/main.cpp Mon Sep 7 18:57:50 2020%0a> +++ znc-1.8.2-new/src/main.cpp Thu Dec 24 17:04:37 2020%0a> @@ -292,6 +292,7 @@%0a> }%0a> %0a> int main(int argc, char** argv) {%0a> + pthread_attr_t a; pthread_attr_init(&a);%0a> CString sConfig;%0a> CString sDataDir = "";%0a56,61c64,130%0a%3c On OpenBSD, [[ftp/usage|ftp]] can also be used to download files from the web.%0a%3c %0a%3c For [[tar/usage|tar]], the options xvzf stand for e(x)tract, (v)erbose, un(z)ip, and (f)ile.%0a%3c %0a%3c Next, we build ZNC:%0a%3c %0a---%0a> The schat module also needs patching for [[libressl/intro|libreSSL]]:%0a> %0a> [@%0a> --- modules/schat.cpp.orig%0a> +++ modules/schat.cpp%0a> 
@@ -25,8 +25,8 @@%0a> #include %3cznc/User.h>%0a> #include %3cznc/IRCNetwork.h>%0a> %0a> -#if !defined(OPENSSL_VERSION_NUMBER) || defined(LIBRESSL_VERSION_NUMBER) || \%0a> - OPENSSL_VERSION_NUMBER %3c 0x10100007%0a> +#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER %3c 0x10100007 || \%0a> + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER %3c 0x3040000fL)%0a> /* SSL_SESSION was made opaque in OpenSSL 1.1.0, cipher accessor was added 2%0a> weeks before the public release.%0a> See openssl/openssl@e92813234318635639dba0168c7ef5568757449b.%0a> */%0a> @]%0a> %0a> @@crypt.cpp@@ also needs to be patched:%0a> %0a> [@%0a> DH_set0_pqg() has been available since LibreSSL version 2.7. This version%0a> won't compile with opaque DH in LibreSSL 3.5.%0a> %0a> Index: modules/crypt.cpp%0a> --- modules/crypt.cpp.orig%0a> +++ modules/crypt.cpp%0a> @@ -68,7 +68,7 @@ class CCryptMod : public CModule {%0a> CString m_sPrivKey;%0a> CString m_sPubKey;%0a> %0a> -#if OPENSSL_VERSION_NUMBER %3c 0X10100000L || defined(LIBRESSL_VERSION_NUMBER)%0a> +#if OPENSSL_VERSION_NUMBER %3c 0X10100000L%0a> static int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {%0a> /* If the fields p and g in dh are nullptr, the corresponding input%0a> * parameters MUST be non-nullptr. q may remain nullptr.%0a> @]%0a> %0a> [@%0a> diff -u znc-1.8.2/CMakeLists.txt.orig znc-1.8.2/CMakeLists.txt%0a> --- znc-1.8.2/CMakeLists.txt.orig Mon Sep 7 18:57:50 2020%0a> +++ znc-1.8.2/CMakeLists.txt Fri May 6 03:50:26 2022%0a> 
@@ -44,6 +44,7 @@%0a> include(TestCXX11)%0a> set(CMAKE_CXX_STANDARD 11)%0a> set(CMAKE_CXX_STANDARD_REQUIRED true)%0a> +set(CMAKE_CXX_FLAGS "-DHAVE_OPAQUE_SSL" CACHE STRING "compile flags" FORCE)%0a> if(NOT CYGWIN)%0a> # We don't want to use -std=gnu++11 instead of -std=c++11, but among other%0a> # things, -std=c++11 on cygwin defines __STRICT_ANSI__ which makes cygwin%0a> @]%0a> %0a> IRCNow provides a patched version of ZNC:%0a> %0a> [@%0a> $ cd ~%0a> $ ftp https://ircnow.org/software/znc-1.8.2b.tar.gz%0a> @]%0a> %0a> On OpenBSD, [[ftp/usage|ftp]] can also be used to download files from the web.%0a> %0a> For [[tar/usage|tar]], the options xvzf stand for e(x)tract, (v)erbose, un(z)ip, and (f)ile.%0a> %0a> [@%0a> $ tar xvzf znc-1.8.2b.tar.gz%0a> @]%0a host:1654757971=38.87.162.154 author:1651875506=jrmu diff:1651875506:1651874517:=503a504%0a> %0a host:1651875506=38.87.162.154 author:1651874517=jrmu diff:1651874517:1651824426:=138c138%0a%3c $ cmake ..%0a---%0a> $ cmake .. -DCMAKE_CXX_FLAGS='-DHAVE_OPAQUE_SSL'%0a host:1651874517=38.87.162.154 author:1651824426=jrmu diff:1651824426:1651823808:=561,562c561,562%0a%3c $ doas rm /home/znc/home/znc/.znc/configs/znc.conf%0a%3c $ doas chroot -u znc -g znc /home/znc znc --makeconf%0a---%0a> $ rm ~/.znc/configs/znc.conf%0a> $ ~/.local/bin/znc --makeconf%0a563a564%0a> %0a host:1651824426=38.87.162.154 author:1651823808=jrmu diff:1651823808:1651823777:=121c121%0a%3c $ ftp https://ircnow.org/software/znc-1.8.2b.tar.gz%0a---%0a> $ ftp https://ircnow.org/software/znc-1.8.2a.tar.gz%0a129c129%0a%3c $ tar xvzf znc-1.8.2b.tar.gz%0a---%0a> $ tar xvzf znc-1.8.2a.tar.gz%0a host:1651823808=38.87.162.154 author:1651823777=jrmu diff:1651823777:1651798369:=101,114d100%0a%3c @]%0a%3c %0a%3c [@%0a%3c diff -u znc-1.8.2/CMakeLists.txt.orig znc-1.8.2/CMakeLists.txt%0a%3c --- znc-1.8.2/CMakeLists.txt.orig Mon Sep 7 18:57:50 2020%0a%3c +++ znc-1.8.2/CMakeLists.txt Fri May 6 03:50:26 2022%0a%3c 
@@ -44,6 +44,7 @@%0a%3c include(TestCXX11)%0a%3c set(CMAKE_CXX_STANDARD 11)%0a%3c set(CMAKE_CXX_STANDARD_REQUIRED true)%0a%3c +set(CMAKE_CXX_FLAGS "-DHAVE_OPAQUE_SSL" CACHE STRING "compile flags" FORCE)%0a%3c if(NOT CYGWIN)%0a%3c # We don't want to use -std=gnu++11 instead of -std=c++11, but among other%0a%3c # things, -std=c++11 on cygwin defines __STRICT_ANSI__ which makes cygwin%0a host:1651823777=38.87.162.154 author:1651798369=jrmu diff:1651798369:1650871079:=124c124%0a%3c $ cmake .. -DCMAKE_CXX_FLAGS='-DHAVE_OPAQUE_SSL'%0a---%0a> $ cmake ..%0a host:1651798369=38.87.162.154 author:1650871079=jrmu diff:1650871079:1650869831:=249,250c249,250%0a%3c Press ctrl+d to signal the end of file to logout, then run the script as root:%0a%3c %0a---%0a> Press ctrl+d to signal the end of file to logout, then run as root:%0a> %0a253c253%0a%3c $ doas sh chroot.sh%0a---%0a> $ doas su%0a254a255,299%0a> %0a> Then run this list of commands:%0a> %0a> [@%0a> mkdir -p /home/znc/usr/lib/%0a> mkdir -p /home/znc/usr/local/lib/pkgconfig%0a> mkdir -p /home/znc/usr/local/bin/%0a> mkdir -p /home/znc/usr/local/share/%0a> mkdir -p /home/znc/usr/local/man/man1/%0a> mkdir -p /home/znc/usr/libexec/%0a> mkdir -p /home/znc/etc/ssl%0a> mkdir -p /home/znc/dev/%0a> mkdir -p /home/znc/var/run/%0a> mkdir -p /home/znc/home/znc/.znc%0a> mknod -m 644 /home/znc/dev/random c 45 0%0a> mknod -m 644 /home/znc/dev/urandom c 45 2%0a> mknod -m 666 /home/znc/dev/null c 2 2%0a> cp /usr/lib/lib{c++,c++abi,c,crypto,m,pthread,ssl,z}.so.* /home/znc/usr/lib/%0a> cp /usr/libexec/ld.so /home/znc/usr/libexec/%0a> cp /etc/resolv.conf /home/znc/etc/%0a> cp /etc/ssl/cert.pem /home/znc/etc/ssl/%0a> cp /var/run/ld.so.hints /home/znc/var/run/%0a> cp /usr/local/bin/znc /home/znc/usr/local/bin/%0a> cp /usr/local/man/man1/znc.1 /home/znc/usr/local/man/man1/%0a> cp /usr/local/man/man1/znc-buildmod.1 /home/znc/usr/local/man/man1/%0a> cp /usr/local/bin/znc-buildmod /home/znc/usr/local/bin/%0a> cp /usr/local/lib/pkgconfig/znc.pc 
/home/znc/usr/local/lib/pkgconfig/%0a> cp /usr/local/lib/libicu{uc,data,i18n}.so.* /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_{locale,chrono,system,thread}-mt.so.* /home/znc/usr/local/lib/%0a> cp -R /usr/local/share/znc /home/znc/usr/local/share/%0a> cp -R /usr/local/lib/znc /home/znc/usr/local/lib/%0a> cp -R /usr/local/share/icu /home/znc/usr/local/share/%0a> cp -R /usr/local/lib/icu /home/znc/usr/local/lib/%0a> cp -R /usr/local/include/znc /home/znc/usr/local/include/%0a> for LANG in pt_BR bg_BG de_DE el_GR es_ES fr_FR id_ID it_IT nl_NL pl_PL ru_RU%0a> do%0a> mkdir -p /home/znc/usr/local/share/locale/$LANG/LC_MESSAGES%0a> cp -R /usr/local/share/locale/$LANG/LC_MESSAGES/znc*.mo /home/znc/usr/local/share/locale/$LANG/LC_MESSAGES%0a> done%0a> chown -R znc:znc /home/znc/%0a> chown -R root:wheel /home/znc/dev /home/znc/etc /home/znc/usr /home/znc/var%0a> chmod -R o-rx /home/znc/home/znc/.znc/%0a> usermod -G znc _identd%0a> @]%0a> %0a host:1650871079=38.87.162.154 author:1650869831=jrmu diff:1650869831:1650867717:=73c73,74%0a%3c -#if !defined(OPENSSL_VERSION_NUMBER) || defined(LIBRESSL_VERSION_NUMBER) || \%0a---%0a> -#if !defined(OPENSSL_VERSION_NUMBER) || defined(LIBRESSL_VERS%0a> ION_NUMBER) || \%0a75,77c76,81%0a%3c +#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER %3c 0x10100007 || \%0a%3c + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER %3c 0x3040000fL)%0a%3c /* SSL_SESSION was made opaque in OpenSSL 1.1.0, cipher accessor was added 2%0a---%0a> +#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBE%0a> R %3c 0x10100007 || \%0a> + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUM%0a> BER %3c 0x3040000fL)%0a> /* SSL_SESSION was made opaque in OpenSSL 1.1.0, cipher acces%0a> sor was added 2%0a81,100d84%0a%3c @]%0a%3c %0a%3c @@crypt.cpp@@ also needs to be patched:%0a%3c %0a%3c [@%0a%3c DH_set0_pqg() has been available since LibreSSL version 2.7. 
This version%0a%3c won't compile with opaque DH in LibreSSL 3.5.%0a%3c %0a%3c Index: modules/crypt.cpp%0a%3c --- modules/crypt.cpp.orig%0a%3c +++ modules/crypt.cpp%0a%3c 
@@ -68,7 +68,7 @@ class CCryptMod : public CModule {%0a%3c CString m_sPrivKey;%0a%3c CString m_sPubKey;%0a%3c %0a%3c -#if OPENSSL_VERSION_NUMBER %3c 0X10100000L || defined(LIBRESSL_VERSION_NUMBER)%0a%3c +#if OPENSSL_VERSION_NUMBER %3c 0X10100000L%0a%3c static int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {%0a%3c /* If the fields p and g in dh are nullptr, the corresponding input%0a%3c * parameters MUST be non-nullptr. q may remain nullptr.%0a host:1650869831=38.87.162.154 author:1650867717=jrmu diff:1650867717:1650867660:= host:1650867717=38.87.162.154 author:1650867660=jrmu diff:1650867660:1645129830:=19,22c19,22%0a%3c The below installation was tested on [[openbsd/syspatch|OpenBSD 7.1 stable]]. ZNC will run inside a chroot at /home/znc.%0a%3c %0a%3c Before beginning the installation, check to make sure you are using OpenBSD 7.1 and that your system is patched:%0a%3c %0a---%0a> The below installation was tested on [[openbsd/syspatch|OpenBSD 7.0 stable]]. ZNC will run inside a chroot at /home/znc.%0a> %0a> Before beginning the installation, check to make sure you are using OpenBSD 7.0 and that your system is patched:%0a> %0a25c25%0a%3c OpenBSD jrmu.host.bsdforall.org 7.1 GENERIC#443 amd64%0a---%0a> OpenBSD example.com 7.0 GENERIC#224 amd64%0a host:1650867660=38.87.162.154 author:1645129830=izzyb csum:1645129830=corrected --makeconfig to --makeconfig and copied Recreate znc.conf from znc.install diff:1645129830:1644862990:minor=570,582c570,572%0a%3c !! Recreate znc.conf%0a%3c %0a%3c If at any time you mess up the configuration, you can delete your znc.conf%0a%3c and rerun the makeconf command again:%0a%3c %0a%3c [@%0a%3c $ rm ~/.znc/configs/znc.conf%0a%3c $ ~/.local/bin/znc --makeconf%0a%3c @]%0a%3c %0a%3c %0a%3c !! Changing Password%0a%3c If you forget the password you set during the --makeconf, you can generate a new one like this:%0a---%0a> !! 
Changing Password%0a> If you forget the password you set during the --makeconfig, you can generate a new one like this:%0a> %0a host:1645129830=68.148.177.239 author:1644862990=izzyb csum:1644862990=changed example password hash as it may have been wrong before. hash is for 'password' diff:1644862990:1644822214:=581,584c581,584%0a%3c Method = sha256%0a%3c Hash = 49396054dc8263b573d11c9c01e43f89ee772f6dc89b3c630e6dffa9acea4a3e%0a%3c Salt = ovexwSL50cC?jE2eCM?x%0a%3c %3c/Pass>%0a---%0a> Method = sha256%0a> Hash = 4190cfcb28a8f7ab1e002f2428dcc8b544933bb1fdf61c153eac0ef65a02f189%0a> Salt = U;67;10v*naf:G3eu*s-%0a> %3c/Pass>%0a594,596c594,596%0a%3c Method = sha256%0a%3c Hash = 49396054dc8263b573d11c9c01e43f89ee772f6dc89b3c630e6dffa9acea4a3e%0a%3c Salt = ovexwSL50cC?jE2eCM?x%0a---%0a> Method = sha256%0a> Hash = 4190cfcb28a8f7ab1e002f2428dcc8b544933bb1fdf61c153eac0ef65a02f189%0a> Salt = U;67;10v*naf:G3eu*s-%0a597a598%0a> %0a host:1644862990=68.148.177.239 author:1644822214=izzyb csum:1644822214=Added section on resetting the password diff:1644822214:1644817256:=569,615d568%0a%3c %0a%3c !! Changing Password%0a%3c If you forget the password you set during the --makeconfig, you can generate a new one like this:%0a%3c %0a%3c [@%0a%3c # /usr/sbin/chroot -u znc -g znc /home/znc znc --makepass %0a%3c [ ** ] Type your new password.%0a%3c [ ?? ] Enter password: %0a%3c [ ?? ] Confirm password: %0a%3c [ ** ] Kill ZNC process, if it's running.%0a%3c [ ** ] Then replace password in the %3cUser> section of your config with this:%0a%3c %3cPass password>%0a%3c Method = sha256%0a%3c Hash = 4190cfcb28a8f7ab1e002f2428dcc8b544933bb1fdf61c153eac0ef65a02f189%0a%3c Salt = U;67;10v*naf:G3eu*s-%0a%3c %3c/Pass>%0a%3c [ ** ] After that start ZNC again, and you should be able to login with the new password.%0a%3c @]%0a%3c %0a%3c The example output above shows the hash generated for a password of "password". 
This gives you the password block you need to add to your [[https://wiki.znc.in/Configuration|/home/znc/home/znc/.znc/configs/znc.conf]] file. %0a%3c '''NOTE:''' You'll need to replace the original generated Pass = line. The new user section of your config will look something like this:%0a%3c %0a%3c [@%0a%3c %3cUser username>%0a%3c %3cPass password>%0a%3c Method = sha256%0a%3c Hash = 4190cfcb28a8f7ab1e002f2428dcc8b544933bb1fdf61c153eac0ef65a02f189%0a%3c Salt = U;67;10v*naf:G3eu*s-%0a%3c %3c/Pass>%0a%3c %0a%3c Admin = true%0a%3c Nick = username%0a%3c AltNick = username_%0a%3c Ident = username%0a%3c LoadModule = chansaver%0a%3c LoadModule = controlpanel%0a%3c %0a%3c %3cNetwork example>%0a%3c LoadModule = simple_away%0a%3c Server = irc.example.com +6697 %0a%3c %3cChan #channel>%0a%3c %3c/Chan>%0a%3c %3c/Network>%0a%3c %3c/User>%0a%3c @]%0a%3c %0a%3c %0a host:1644822214=68.148.177.239 author:1644817256=izzyb csum:1644817256=deleted extra [@ before Configuring ZNC diff:1644817256:1635951006:=283a284%0a> [@%0a host:1644817256=68.148.177.239 author:1635951006=jrmu diff:1635951006:1635950033:=270,271d269%0a%3c cp -R /usr/local/share/icu /home/znc/usr/local/share/%0a%3c cp -R /usr/local/lib/icu /home/znc/usr/local/lib/%0a806a805,821%0a> %0a> !! Adding ICU support%0a> %0a> Copy the following directories:%0a> %0a> [@%0a> # cp -R /usr/local/share/icu /home/znc/usr/local/share/%0a> # cp -R /usr/local/lib/icu /home/znc/usr/local/lib/%0a> @]%0a> %0a> Then, restart BNC. Encoding options should be available.%0a> %0a> (The patched ZNC was made before ICU support is added. So, we cannot ensure that adding ICU support after the patch will not cause any other bugs.)%0a> %0a> !! 
Running znc in debug mode%0a> %0a> There is a guide for [[znc/debug|building ZNC]] in debug mode.%0a host:1635951006=38.87.162.47 author:1635950033=jrmu diff:1635950033:1635918466:=620c620,639%0a%3c Use [[znc/relayd|relayd]] to allow visitors to use port 443 to access the ZNC web panel.%0a---%0a> While you are at it, you will want to redirect any plaintext requests to the webpanel on port 80 to use SSL on port 443. Add this to /etc/httpd.conf:%0a> %0a> [@%0a> server "bnc.example.com" {%0a> listen on * port 80%0a> location "/.well-known/acme-challenge/*" {%0a> root "/acme"%0a> request strip 2%0a> }%0a> location * {%0a> block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a> }%0a> }%0a> @]%0a> %0a> Go ahead and reboot the web server:%0a> %0a> [@%0a> $ doas rcctl restart httpd%0a> @]%0a host:1635950033=38.87.162.47 author:1635918466=jrmu diff:1635918466:1635903538:=747,787c747,748%0a%3c To check if any bindhosts are incorrectly using fixed IPv6 or IPv4 addresses, run:%0a%3c %0a%3c [@%0a%3c # sed -nE '/.*(\%3cBindHost|\%3cDCCBindHost) = (.*:.*|[0-9.]+)/s//\2/p' /home/znc/home/znc/.znc/configs/znc.conf%0a%3c @]%0a%3c %0a%3c If you see IP addresses like the following, then your bindhosts are incorrectly set to use IPv4 or IPv6 addreses directly instead of symbolic hostnames:%0a%3c %0a%3c [@%0a%3c 192.168.1.1%0a%3c 2001:db8::%0a%3c @]%0a%3c %0a%3c !!! Bindhost Errors%0a%3c %0a%3c A quick way to check if there are DNS errors is to run%0a%3c the following two commands:%0a%3c %0a%3c [@%0a%3c # sed -nE '/.*(\%3cBindHost|\%3cDCCBindHost) = (.*)/s//\2/p' /home/znc/home/znc/.znc/configs/znc.conf | xargs -n 1 -t host%0a%3c @]%0a%3c %0a%3c Every hostname should have both an IPv4 and IPv6 address. The IPv4 address should match your [[openbsd/ddos|DDoS-filtered]] public address. 
Each IPv6 address should be unique.%0a%3c %0a%3c If you see duplicate entries (the same hostname returns multiple IPv6 addresses), you must delete the duplicate [[dns/vhost|DNS entries]].%0a%3c %0a%3c Here are error messages that indicate there are DNS problems with the bindhost:%0a%3c %0a%3c [@%0a%3c host username.example.com%0a%3c ;; connection timed out; no servers could be reached%0a%3c @]%0a%3c %0a%3c There is an error because means that the DNS server could not be reached.%0a%3c %0a%3c [@%0a%3c host username.example.com%0a%3c Host username.example.com not found: 3(NXDOMAIN)%0a%3c @]%0a%3c %0a%3c This indicates there are no DNS records for the bindhost.%0a---%0a> A quick way to check if there are DNS errors:%0a> %0a host:1635918466=38.87.162.47 author:1635903538=jrmu diff:1635903538:1635871169:=645d644%0a%3c (:if false:)%0a683,687c682,687%0a%3c !! Automatic start%0a%3c %0a%3c This script will automatically restart znc in case it crashes.%0a%3c %0a%3c [@%0a---%0a> '''Automatic start'''%0a> %0a> Automatic start of the service in case of a crash. %0a> %0a> This prevents the loss of users due to software errors. 
Make sure your users feel good.%0a> [=%0a691,693c691,693%0a%3c @]%0a%3c %0a%3c [@%0a---%0a> =]%0a> %0a> [=%0a707,711c707,718%0a%3c @]%0a%3c %0a%3c # echo "*/2 * * * * /usr/local/project_name/checker_znc.sh 2>&1 &" >> /var/cron/tabs/root%0a%3c %0a%3c (:ifend:)%0a---%0a> %0a> =]%0a> This may have issues in the 6.9 release.%0a> [=%0a> doas crontab -e%0a> =]%0a> %0a> [=%0a> */2 * * * * /usr/local/project_name/checker_znc.sh 2>&1 &%0a> =]%0a> %0a> (:if false:)%0a host:1635903538=38.87.162.47 author:1635871169=jrmu diff:1635871169:1635866739:=32c32%0a%3c $ doas pkg_add icu4c boost cmake gettext-runtime gettext-tools%0a---%0a> $ doas pkg_add icu4c boost cmake%0a271,275d270%0a%3c for LANG in pt_BR bg_BG de_DE el_GR es_ES fr_FR id_ID it_IT nl_NL pl_PL ru_RU%0a%3c do%0a%3c mkdir -p /home/znc/usr/local/share/locale/$LANG/LC_MESSAGES%0a%3c cp -R /usr/local/share/locale/$LANG/LC_MESSAGES/znc*.mo /home/znc/usr/local/share/locale/$LANG/LC_MESSAGES%0a%3c done%0a281,282d275%0a%3c %0a%3c [@%0a host:1635871169=38.87.162.47 author:1635866739=jrmu diff:1635866739:1635860141:=634,637d633%0a%3c !! 
Control Panel%0a%3c %0a%3c See [[znc/usage]] for help on how to use the controlpanel.%0a%3c %0a640,641d635%0a%3c Create /etc/rc.d/znc:%0a%3c %0a642a637,640%0a> doas touch /etc/rc.d/znc%0a> doas chmod +x /etc/rc.d/znc%0a> @]%0a> %0a671,674d668%0a%3c [@%0a%3c doas chmod +x /etc/rc.d/znc%0a%3c @]%0a%3c %0a712c706,767%0a%3c %0a---%0a> '''ZNC console'''%0a> %0a> Connect%0a> [=%0a> /quote PASS admin:mysuperadminpassqwerty%0a> =]%0a> %0a> Generate new pass for user%0a> [=%0a> Go to site: https://passwordsgenerator.net/%0a> and disable "Include Symbols"%0a> click "generate password"%0a> or you can create a password yourself (the password must be between 12 and 16 characters long and include numbers and letters)%0a> =]%0a> (:ifend:)%0a> %0a> User login%0a> [=%0a> username must be the same or derived from the network login (contain a suffix)%0a> =]%0a> %0a> Create new user%0a> [=%0a> /msg *controlpanel AddUser bob 12345678%0a> /msg *controlpanel LoadModule bob perform%0a> =]%0a> %0a> Add network for new ner%0a> [=%0a> /msg *controlpanel AddNetwork bob IRCNow%0a> /msg *controlpanel AddServer vasya IRCNow irc.ircnow.org +6697%0a> /msg *controlpanel SetNetwork BindHost bob IRCNow bob.fruit.ircnow.org%0a> /msg *controlpanel help%0a> =]%0a> %0a> Set channels%0a> [=%0a> /msg *controlpanel AddChan bob IRCNow #ircnow%0a> =]%0a> %0a> Set pass (this must be done with a user account or offer to run this command yourself) %0a> [=%0a> /msg *perform add PRIVMSG NickServ IDENTIFY bob 12345678%0a> /msg *perform help%0a> =]%0a> %0a> Reconnect user`s network%0a> [=%0a> /msg *controlpanel Reconnect bob IRCNow%0a> =]%0a> %0a> Saving settings to disk (please save your changes to disk immediately)%0a> [=%0a> /msg *status SaveConfig%0a> =]%0a> %0a> Deleting user and user entities%0a> [=%0a> /msg *controlpanel DelUser bob%0a> /msg *controlpanel DelNetwork bob IRCNow%0a> =]%0a> %0a741,746c796,801%0a%3c !!! 
IPv4/IPv6 mismatch%0a%3c %0a%3c If a znc user has a bindhost that is IPv6 only but the network is IPv4 only, or vice versa, it will not connect.%0a%3c %0a%3c To prevent this, you '''must''' use a symbolic hostname (such as username.example.com) for the bindhost. Each hostname needs a single [[dns/records|A record]] and a single [[dns/records|AAAA record]] in the [[nsd/zone|DNS zone]]. If any part is misconfigured, users will be unable to connect.%0a%3c %0a---%0a> !! WARNING%0a> %0a> If a znc user has a bindhost that is IPv6 only but the network is IPv4 only, it will not connect.%0a> %0a> To prevent this, you '''must be absolutely 100%25 certain''' that each bindhost is symbolic (such as username.fruit.ircnow.org) and that each hostname has a single A record and a single AAAA record in your DNS zone. If any part is misconfigured, users will be unable to connect.%0a> %0a770,771c825,826%0a%3c If you are get errors such as:%0a%3c %0a---%0a> If you are getting errors such as:%0a> %0a773c828%0a%3c ld.so: znc: can't load library 'libc++abi.so.5.0'%0a---%0a> ld.so: znc: can't load library 'libc++abi.so.5.0' %0a776,777c831,832%0a%3c Then you may be on the wrong OpenBSD version (6.9 or earlier); or you did not apply [[openbsd/syspatch|syspatch]]; or you did not upgrade all dependencies:%0a%3c %0a---%0a> Then it could be due to the fact that you are on the wrong OpenBSD version (6.8 or earlier), you did not apply [[openbsd/syspatch|syspatch]], and you have not upgraded all dependencies:%0a> %0a783,784c838,839%0a%3c Delete the build folder and compile again.%0a%3c %0a---%0a> Then, delete the build folder and compile again.%0a> %0a800c855,915%0a%3c There is a guide for [[znc/debug|building ZNC]] in debug mode.%0a---%0a> [@%0a> $ cd ~%0a> $ ftp https://znc.in/releases/znc-1.8.2.tar.gz%0a> $ ftp https://znc.in/releases/znc-1.8.2.tar.gz.sig%0a> $ tar xvzf znc-1.8.2.tar.gz%0a> $ cd znc-1.8.2%0a> $ mkdir build%0a> $ cd build%0a> $ ../configure --enable-debug CXX=c++%0a> $ gmake%0a> 
$ doas make install%0a> @]%0a> %0a> [@%0a> mkdir -p /home/znc/usr/lib/%0a> mkdir -p /home/znc/usr/local/lib/pkgconfig%0a> mkdir -p /home/znc/usr/local/bin/%0a> mkdir -p /home/znc/usr/local/share/%0a> mkdir -p /home/znc/usr/local/man/man1/%0a> mkdir -p /home/znc/usr/libexec/%0a> mkdir -p /home/znc/etc/ssl%0a> mkdir -p /home/znc/dev/%0a> mkdir -p /home/znc/var/run/%0a> mkdir -p /home/znc/home/znc/%0a> mknod -m 644 /home/znc/dev/random c 45 0%0a> mknod -m 644 /home/znc/dev/urandom c 45 2%0a> mknod -m 666 /home/znc/dev/null c 2 2%0a> cp /usr/lib/libc++.so.7.0 /home/znc/usr/lib/libc++.so.7.0 %0a> cp /usr/lib/libc++abi.so.5.0 /home/znc/usr/lib/libc++abi.so.5.0%0a> cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0%0a> cp /usr/lib/libcrypto.so.46.2 /home/znc/usr/lib/libcrypto.so.46.2%0a> cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1%0a> cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1%0a> cp /usr/lib/libssl.so.48.2 /home/znc/usr/lib/libssl.so.48.2%0a> cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0%0a> cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so%0a> cp /etc/resolv.conf /home/znc/etc/resolv.conf%0a> cp /etc/ssl/cert.pem /home/znc/etc/ssl/cert.pem%0a> cp /var/run/ld.so.hints /home/znc/var/run/ld.so.hints%0a> cp /usr/local/bin/znc /home/znc/usr/local/bin/znc%0a> cp /usr/local/man/man1/znc.1 /home/znc/usr/local/man/man1/znc.1%0a> cp /usr/local/man/man1/znc-buildmod.1 /home/znc/usr/local/man/man1/znc-buildmod.1%0a> cp /usr/local/bin/znc-buildmod /home/znc/usr/local/bin/znc-buildmod%0a> cp /usr/local/lib/pkgconfig/znc.pc /home/znc/usr/local/lib/pkgconfig/znc.pc%0a> cp /usr/local/lib/libicuuc.so.19.2 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicudata.so.19.2 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_locale-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_system-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_thread-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp 
/usr/local/lib/libboost_chrono-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicui18n.so.19.2 /home/znc/usr/local/lib/%0a> cp -R /usr/local/share/znc /home/znc/usr/local/share/%0a> cp -R /usr/local/lib/znc /home/znc/usr/local/lib/%0a> cp -R /usr/local/include/znc /home/znc/usr/local/include/%0a> chown -R znc:znc /home/znc/%0a> chown -R root:wheel /home/znc/dev /home/znc/etc /home/znc/usr /home/znc/var%0a> chmod -R o-rx /home/znc/home/znc/.znc/%0a> usermod -G znc _identd%0a> @]%0a> %0a> $ doas gdb chroot%0a host:1635866739=38.87.162.47 author:1635860141=jrmu diff:1635860141:1635839341:=5,6c5,6%0a%3c [[https://wiki.znc.in|ZNC]] is an IRC bouncer. It runs on a server and stays connected after you turn off your computer or phone. It saves chat messages and replays them when you reconnect, and also helps to hide your IP address. If you are running it on IRCNow, your server may also offer [[openbsd/ddos|DDoS protection]] to keep you online.%0a%3c %0a---%0a> [[https://wiki.znc.in|ZNC]] is an IRC bouncer. It runs on a server and stays connected after you turn off your computer or phone. It saves chat messages and replays them when you reconnect, and also helps to hide your IP address. If you are running it on IRCNow, your server may also offer DDoS protection to keep you online.%0a> %0a102,103c102,103%0a%3c Next, we build ZNC:%0a%3c %0a---%0a> We then use build ZNC:%0a> %0a135,136c135,136%0a%3c Next, [[tar/usage|extract and unzip]] the files:%0a%3c %0a---%0a> Next, extract and unzip the files:%0a> %0a277,280d276%0a%3c !! Configuring ZNC%0a%3c %0a%3c !!! Makeconf%0a%3c %0a306,307c302,305%0a%3c ZNC will automatically create its own SSL certificate. This certificate, however, will be self-signed and hence will show up as invalid or untrusted by your IRC client. 
Next, we login with the username znc, with the login class znc:%0a%3c %0a---%0a> '''NOTE''': A patched version of znc-1.8.2 release is used to prevent a threading bug. Please do '''not''' use the standard znc 1.8.2 release.%0a> %0a> Then run as root:%0a> %0a182,208d166%0a%3c $ doas su -c znc znc%0a%3c $ ulimit -a%0a%3c time(cpu-seconds) unlimited%0a%3c file(blocks) unlimited%0a%3c coredump(blocks) unlimited%0a%3c data(kbytes) 33554432%0a%3c stack(kbytes) 32768%0a%3c lockedmem(kbytes) 329478%0a%3c memory(kbytes) 985092%0a%3c nofiles(descriptors) 4096%0a%3c processes 1310%0a%3c @]%0a%3c %0a%3c @@ulimit -a@@ displays all process limits for our current user.%0a%3c %0a%3c '''WARNING''': If nofiles(descriptors) is not 4096, you may have an error in your configuration!%0a%3c %0a%3c Press ctrl+d to signal the end of file to logout, then run as root:%0a%3c %0a%3c [@%0a%3c $ ^D%0a%3c $ doas su%0a%3c @]%0a%3c %0a%3c Then run this list of commands:%0a%3c %0a%3c [@%0a222,233c180,203%0a%3c cp /usr/lib/lib{c++,c++abi,c,crypto,m,pthread,ssl,z}.so.* /home/znc/usr/lib/%0a%3c cp /usr/libexec/ld.so /home/znc/usr/libexec/%0a%3c cp /etc/resolv.conf /home/znc/etc/%0a%3c cp /etc/ssl/cert.pem /home/znc/etc/ssl/%0a%3c cp /var/run/ld.so.hints /home/znc/var/run/%0a%3c cp /usr/local/bin/znc /home/znc/usr/local/bin/%0a%3c cp /usr/local/man/man1/znc.1 /home/znc/usr/local/man/man1/%0a%3c cp /usr/local/man/man1/znc-buildmod.1 /home/znc/usr/local/man/man1/%0a%3c cp /usr/local/bin/znc-buildmod /home/znc/usr/local/bin/%0a%3c cp /usr/local/lib/pkgconfig/znc.pc /home/znc/usr/local/lib/pkgconfig/%0a%3c cp /usr/local/lib/libicu{uc,data,i18n}.so.* /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_{locale,chrono,system,thread}-mt.so.* /home/znc/usr/local/lib/%0a---%0a> cp /usr/lib/libc++.so.7.0 /home/znc/usr/lib/libc++.so.7.0%0a> cp /usr/lib/libc++abi.so.5.0 /home/znc/usr/lib/libc++abi.so.5.0%0a> cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0%0a> cp /usr/lib/libcrypto.so.46.2 
/home/znc/usr/lib/libcrypto.so.46.2%0a> cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1%0a> cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1%0a> cp /usr/lib/libssl.so.48.2 /home/znc/usr/lib/libssl.so.48.2%0a> cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0%0a> cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so%0a> cp /etc/resolv.conf /home/znc/etc/resolv.conf%0a> cp /etc/ssl/cert.pem /home/znc/etc/ssl/cert.pem%0a> cp /var/run/ld.so.hints /home/znc/var/run/ld.so.hints%0a> cp /usr/local/bin/znc /home/znc/usr/local/bin/znc%0a> cp /usr/local/man/man1/znc.1 /home/znc/usr/local/man/man1/znc.1%0a> cp /usr/local/man/man1/znc-buildmod.1 /home/znc/usr/local/man/man1/znc-buildmod.1%0a> cp /usr/local/bin/znc-buildmod /home/znc/usr/local/bin/znc-buildmod%0a> cp /usr/local/lib/pkgconfig/znc.pc /home/znc/usr/local/lib/pkgconfig/znc.pc%0a> cp /usr/local/lib/libicuuc.so.19.2 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicudata.so.19.2 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_locale-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_chrono-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_system-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_thread-mt.so.13.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicui18n.so.19.2 /home/znc/usr/local/lib/%0a239a210%0a> usermod -G znc botnow%0a246,247c217,221%0a%3c export HOME=/home/znc/%0a%3c chroot -u znc -g znc /home/znc znc --makeconf%0a---%0a> # export HOME=/home/znc/%0a> # chroot -u znc -g znc /home/znc znc --makeconf%0a> @]%0a> %0a> [@%0a734a709%0a> usermod -G znc botnow%0a host:1635788750=38.87.162.47 author:1635562473=jrmu diff:1635562473:1635561782:=16,35d15%0a%3c %0a%3c !! 
Installing from packages%0a%3c %0a%3c First, download the latest stable release:%0a%3c %0a%3c [@%0a%3c $ ftp https://znc.in/releases/znc-1.8.2.tar.gz%0a%3c @]%0a%3c %0a%3c On OpenBSD, [[ftp/usage|ftp]] can also be used to download files from the w%0a%3c eb.%0a%3c %0a%3c Next, extract and unzip the files:%0a%3c %0a%3c [@%0a%3c $ tar xvzf znc-1.8.2.tar.gz %0a%3c @]%0a%3c %0a%3c For [[tar/usage|tar]], the options xvzf stand for e(x)tract, (v)erbose, un(%0a%3c z)ip, and (f)ile.%0a host:1635562473=38.87.162.47 author:1635561782=jrmu diff:1635561782:1635561700:=124,132d123%0a%3c @]%0a%3c %0a%3c If you want to verify to verify the [[gpg/verify|gpg signature]]:%0a%3c %0a%3c [@%0a%3c %0a%3c @]%0a%3c %0a%3c [@%0a host:1635561782=38.87.162.47 author:1635561700=jrmu diff:1635561700:1635561556:=625,626c625%0a%3c $ ftp https://znc.in/releases/znc-1.8.2.tar.gz%0a%3c $ ftp https://znc.in/releases/znc-1.8.2.tar.gz.sig%0a---%0a> $ curl -L -O https://znc.in/releases/znc-1.8.2.tar.gz%0a host:1635561700=38.87.162.47 author:1635561556=jrmu diff:1635561556:1635561169:=15c15,17%0a%3c If you are offering a public ZNC service for many users, you will want to get a ddos-filtered IPv4 address and an IPv6 subnet from your internet provider ([[openbsd/buyvm|BuyVM guide]]).%0a---%0a> If you are offering a public ZNC service for many users, you will want to get a ddos-filtered IPv4 address and an IPv6 subnet from your internet provider.%0a> %0a> If you are using BuyVM%0a host:1635561556=38.87.162.47 author:1635561169=jrmu diff:1635561169:1635560047:=3,17c3,4%0a%3c In this guide, we will install ZNC inside a chroot.%0a%3c %0a%3c [[https://wiki.znc.in|ZNC]] is an IRC bouncer. It runs on a server and stays connected after you turn off your computer or phone. It saves chat messages and replays them when you reconnect, and also helps to hide your IP address. If you are running it on IRCNow, your server may also offer DDoS protection to keep you online.%0a%3c %0a%3c !! 
Before You Begin%0a%3c %0a%3c Read the [[chroot/intro|introduction to chroots]] to get familiar with the concept of chroots. In this guide, we use a chroot for extra security.%0a%3c %0a%3c You will want to set up [[Znc/Install|ZNC]] once without a chroot, as a normal user without root powers. This will give you a better understanding of how ZNC works before you attempt a more complex, chrooted install.%0a%3c %0a%3c !! Public ZNCs%0a%3c %0a%3c If you are offering a public ZNC service for many users, you will want to get a ddos-filtered IPv4 address and an IPv6 subnet from your internet provider.%0a%3c %0a%3c If you are using BuyVM%0a---%0a> %0a> You will want to get a ddos-filtered IPv4 and an IPv6 subnet from your internet provider.%0a host:1635561169=38.87.162.47 author:1635560047=jrmu diff:1635560047:1634526599:=1,3d0%0a%3c (:title Chroot ZNC:)%0a%3c %0a%3c %0a host:1635560047=38.87.162.47 author:1634526599=jrmu diff:1634526599:1627563171:=109c109%0a%3c $ ftp https://ircnow.org/software/znc-1.8.2a.tar.gz%0a---%0a> $ curl -L -O https://ircnow.org/software/znc-1.8.2a.tar.gz%0a host:1634526599=38.87.162.8 author:1627563171=jrmu diff:1627563171:1627475631:=332,333c332,333%0a%3c We will load the identfile module by default. This is necessary to provide proper ident using [[oidentd/ZNC|oidentd]]. Please follow the instructions in the link to configure ident.%0a%3c %0a---%0a> We will load the identfile module by default. This is necessary to provide proper ident using [[oidentd/znc|oidentd]]. 
Please follow the instructions in the link to configure ident.%0a> %0a669c669%0a%3c $ doas gdb chroot%0a---%0a> $ doas gdb chroot%0a\ No newline at end of file%0a host:1627563171=125.231.19.62 author:1627475631=mistera diff:1627475631:1627475527:=108c108%0a%3c $ cd ~%0a---%0a> $ cd /home/znc%0a host:1627475631=204.111.39.57 author:1627475527=mistera diff:1627475527:1627475166:=87,90c87,89%0a%3c %0a%3c %0a%3c %0a%3c %0a---%0a> Switch user to znc again%0a> [@ $ su znc @]%0a> %0a108c107%0a%3c $ cd /home/znc%0a---%0a> $ cd ~%0a host:1627475527=204.111.39.57 author:1627475166=mistera diff:1627475166:1627389815:=75,76c75,76%0a%3c [@ $ su yourusername @]%0a%3c %0a---%0a> [@ $ su username @]%0a> %0a86,88d85%0a%3c %0a%3c Switch user to znc again%0a%3c [@ $ su znc @]%0a host:1627475166=204.111.39.57 author:1627389815=mistera diff:1627389815:1620722815:=73,75d72%0a%3c %0a%3c Switch user to your username%0a%3c [@ $ su username @]%0a host:1627389815=204.111.39.57 author:1620722815=jrmu diff:1620722815:1620722752:=484c484%0a%3c /msg *controlpanel SetNetwork BindHost bob IRCNow bob.fruit.ircnow.org%0a---%0a> /msg *controlpanel SetNetwork BindHost bob IRCNow 2605:6400:20:bb8:dae2:32a2%0a host:1620722815=198.251.81.119 author:1620722752=jrmu diff:1620722752:1620722693:=213c213%0a%3c pass in log quick proto tcp to port {http https} keep state (max-src-conn 30, max-src-conn-rate 20/60) #relayd web%0a---%0a> pass in log quick proto tcp to port {80 443} keep state (max-src-conn 30, max-src-conn-rate 20/60) #relayd web%0a host:1620722752=198.251.81.119 author:1620722693=jrmu diff:1620722693:1620722656:=74c74%0a%3c I then set the default shell to nologin with [@doas chsh -s /sbin/nologin znc@] (note: the '1001' is the uid, which you may find to be different from this example, but it should not be changed.):%0a---%0a> I then set the default shell to nologin with [@doas usermod -s /sbin/nologin znc@] (note: the '1001' is the uid, which you may find to be different from this example, but it 
should not be changed.):%0a host:1620722693=198.251.81.119 author:1620722656=jrmu diff:1620722656:1620722195:=58c58%0a%3c Now change znc shell to ksh with [@ doas chsh -s /bin/ksh znc@], then continue with the steps below.%0a---%0a> Now change znc shell to ksh with [@ doas usermod -s /bin/ksh znc@], then continue with the steps below.%0a host:1620722656=198.251.81.119 author:1620722195=jrmu diff:1620722195:1619406890:=9,10d8%0a%3c Note: If this is the first user you are creating after the initial install process, you will first be asked for global defaults. Do not change any of these.%0a%3c %0a58,59c56,57%0a%3c Now change znc shell to ksh with [@ doas usermod -s /bin/ksh znc@], then continue with the steps below.%0a%3c %0a---%0a> Now change znc shell to /bin/ksh , then continue with the steps below.%0a> %0a74,75c72,73%0a%3c I then set the default shell to nologin with [@doas usermod -s /sbin/nologin znc@] (note: the '1001' is the uid, which you may find to be different from this example, but it should not be changed.):%0a%3c %0a---%0a> I then set the default shell to /sbin/nologin (note: the '1001' is the uid, which you may find to be different from this example, but it should not be changed.):%0a> %0a87,89c85,87%0a%3c $ doas pkg_add icu4c-68.2v0%0a%3c $ doas pkg_add boost-1.72.0%0a%3c $ doas pkg_add cmake-3.19.4p0v0%0a---%0a> $ doas pkg_add icu4c-67.1%0a> $ doas pkg_add boost-1.67.0p0%0a> $ doas pkg_add cmake%0a92,93c90,91%0a%3c The below install scripts are tested for OpenBSD 6.9 [[openbsd/syspatch|stable]] and our patched znc-1.8.2. It will put znc inside the chroot at /home/znc. Before you begin the installation, check that you are using OpenBSD 6.9 and that your system is patched:%0a%3c %0a---%0a> The below install scripts are tested for OpenBSD 6.8 [[openbsd/syspatch|stable]] and znc-1.8.2. It will put znc inside the chroot at /home/znc. 
Before you begin the installation, check that you are using OpenBSD 6.8 and that your system is patched:%0a> %0a96c94%0a%3c OpenBSD example.ircnow.org 6.9 GENERIC#464 amd64%0a---%0a> OpenBSD example.ircnow.org 6.8 GENERIC#97 amd64%0a130,131c128,129%0a%3c cp /usr/lib/libc++.so.7.0 /home/znc/usr/lib/libc++.so.7.0%0a%3c cp /usr/lib/libc++abi.so.5.0 /home/znc/usr/lib/libc++abi.so.5.0%0a---%0a> cp /usr/lib/libc++.so.5.0 /home/znc/usr/lib/libc++.so.5.0%0a> cp /usr/lib/libc++abi.so.3.0 /home/znc/usr/lib/libc++abi.so.3.0%0a133c131%0a%3c cp /usr/lib/libcrypto.so.46.2 /home/znc/usr/lib/libcrypto.so.46.2%0a---%0a> cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1%0a136c134%0a%3c cp /usr/lib/libssl.so.48.2 /home/znc/usr/lib/libssl.so.48.2%0a---%0a> cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1%0a147,153c145,151%0a%3c cp /usr/local/lib/libicuuc.so.19.2 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicudata.so.19.2 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_locale-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_chrono-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_system-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_thread-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicui18n.so.19.2 /home/znc/usr/local/lib/%0a---%0a> cp /usr/local/lib/libicuuc.so.18.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicudata.so.18.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_locale-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_chrono-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_system-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_thread-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicui18n.so.18.0 /home/znc/usr/local/lib/%0a213,214c211,212%0a%3c pass in log quick proto tcp to port {80 443} keep state (max-src-conn 30, max-src-conn-rate 20/60) #relayd web%0a%3c pass in log 
quick proto tcp to port {1337 31337} keep state (max 3000, max-src-conn 200) #bnc%0a---%0a> pass in log quick proto tcp to port {http https} keep state (max-src-conn 30, max-src-conn-rate 20/60)%0a> pass in log quick proto tcp to port { 1337 31337 } keep state (max 3000, max-src-conn 200) #bnc%0a443c441%0a%3c This may have issues in the 6.9 release.%0a---%0a> %0a484c482%0a%3c /msg *controlpanel SetNetwork BindHost bob IRCNow 2605:6400:20:bb8:dae2:32a2%0a---%0a> /msg *controlpanel SetNetwork BindHost bob IRCNow 2703:6401:30:faa1:6184:399c:dae2:32a2%0a541,542c539,540%0a%3c You may be need to install icu4c-68.2v0.%0a%3c %0a---%0a> You may be need to install icu4c-67.1 .%0a> %0a552c550%0a%3c $ doas grep -i host /home/znc/home/znc/.znc/configs/znc.conf | grep -v > ~/bindhost%0a---%0a> $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v > ~/bindhost%0a575c573%0a%3c ld.so: znc: can't load library 'libc++abi.so.5.0' %0a---%0a> ld.so: znc: can't load library 'libc++abi.so.2.1' %0a578,579c576,577%0a%3c Then it could be due to the fact that you are on the wrong OpenBSD version (6.8 or earlier), you did not apply [[openbsd/syspatch|syspatch]], and you have not upgraded all dependencies:%0a%3c %0a---%0a> Then it could be due to the fact that you are on the wrong OpenBSD version (6.7 or earlier), you did not apply [[openbsd/syspatch|syspatch]], and you have not upgraded all dependencies:%0a> %0a582c580%0a%3c $ doas pkg_add -Uu%0a---%0a> $ doas pkg_add -u%0a600,601c598,601%0a%3c !! Running znc in debug mode%0a%3c %0a---%0a> !! 
Obsolete Setups%0a> %0a> The old install script (tested for OpenBSD 6.7 and znc-1.7.5) is now '''obsoleted''':%0a> %0a603,614d602%0a%3c $ cd ~%0a%3c $ curl -L -O https://znc.in/releases/znc-1.8.2.tar.gz%0a%3c $ tar xvzf znc-1.8.2.tar.gz%0a%3c $ cd znc-1.8.2%0a%3c $ mkdir build%0a%3c $ cd build%0a%3c $ ../configure --enable-debug CXX=c++%0a%3c $ gmake%0a%3c $ doas make install%0a%3c @]%0a%3c %0a%3c [@%0a616,619d603%0a%3c mkdir -p /home/znc/usr/local/lib/pkgconfig%0a%3c mkdir -p /home/znc/usr/local/bin/%0a%3c mkdir -p /home/znc/usr/local/share/%0a%3c mkdir -p /home/znc/usr/local/man/man1/%0a628,629c612,613%0a%3c cp /usr/lib/libc++.so.7.0 /home/znc/usr/lib/libc++.so.7.0 %0a%3c cp /usr/lib/libc++abi.so.5.0 /home/znc/usr/lib/libc++abi.so.5.0%0a---%0a> cp /usr/lib/libc++.so.5.0 /home/znc/usr/lib/libc++.so.5.0%0a> cp /usr/lib/libc++abi.so.3.0 /home/znc/usr/lib/libc++abi.so.3.0%0a631c615%0a%3c cp /usr/lib/libcrypto.so.46.2 /home/znc/usr/lib/libcrypto.so.46.2%0a---%0a> cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1%0a634c618%0a%3c cp /usr/lib/libssl.so.48.2 /home/znc/usr/lib/libssl.so.48.2%0a---%0a> cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1%0a639a624,670%0a> pkg_add -B /home/znc znc%0a> chown -R root:wheel /home/znc/dev /home/znc/etc /home/znc/usr /home/znc/var%0a> chown -R znc:znc /home/znc/%0a> usermod -G znc botnow%0a> usermod -G znc _identd%0a> @]%0a> %0a> !! 
Running znc in debug mode%0a> %0a> [@%0a> $ cd ~%0a> $ curl -L -O https://znc.in/releases/znc-1.8.2.tar.gz%0a> $ tar xvzf znc-1.8.2.tar.gz%0a> $ cd znc-1.8.2%0a> $ mkdir build%0a> $ cd build%0a> $ ../configure --enable-debug CXX=c++%0a> $ gmake%0a> $ doas make install%0a> @]%0a> %0a> [@%0a> mkdir -p /home/znc/usr/lib/%0a> mkdir -p /home/znc/usr/local/lib/pkgconfig%0a> mkdir -p /home/znc/usr/local/bin/%0a> mkdir -p /home/znc/usr/local/share/%0a> mkdir -p /home/znc/usr/local/man/man1/%0a> mkdir -p /home/znc/usr/libexec/%0a> mkdir -p /home/znc/etc/ssl%0a> mkdir -p /home/znc/dev/%0a> mkdir -p /home/znc/var/run/%0a> mkdir -p /home/znc/home/znc/%0a> mknod -m 644 /home/znc/dev/random c 45 0%0a> mknod -m 644 /home/znc/dev/urandom c 45 2%0a> mknod -m 666 /home/znc/dev/null c 2 2%0a> cp /usr/lib/libc++.so.5.0 /home/znc/usr/lib/libc++.so.5.0 %0a> cp /usr/lib/libc++abi.so.3.0 /home/znc/usr/lib/libc++abi.so.3.0%0a> cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0%0a> cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1%0a> cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1%0a> cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1%0a> cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1%0a> cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0%0a> cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so%0a> cp /etc/resolv.conf /home/znc/etc/resolv.conf%0a> cp /etc/ssl/cert.pem /home/znc/etc/ssl/cert.pem%0a> cp /var/run/ld.so.hints /home/znc/var/run/ld.so.hints%0a645,651c676,682%0a%3c cp /usr/local/lib/libicuuc.so.19.2 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicudata.so.19.2 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_locale-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_system-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_thread-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_chrono-mt.so.13.0 /home/znc/usr/local/lib/%0a%3c cp 
/usr/local/lib/libicui18n.so.19.2 /home/znc/usr/local/lib/%0a---%0a> cp /usr/local/lib/libicuuc.so.18.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicudata.so.18.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_locale-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_system-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_thread-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libboost_chrono-mt.so.11.0 /home/znc/usr/local/lib/%0a> cp /usr/local/lib/libicui18n.so.18.0 /home/znc/usr/local/lib/%0a host:1620722195=198.251.81.119 author:1619406890=jrmu diff:1619406890:1617764503:=238c238%0a%3c ConfigWriteDelay = 60%0a---%0a> ConfigWriteDelay = 0%0a host:1619406890=198.251.81.119 author:1617764503=jrmu diff:1617764503:1617764487:=465c465%0a%3c (:ifend:)%0a---%0a> (:endif:)%0a host:1617764503=125.231.27.27 author:1617764487=jrmu diff:1617764487:1617020057:=450d449%0a%3c (:if false:)%0a465d463%0a%3c (:endif:)%0a host:1617764487=125.231.27.27 author:1617020057=jrmu diff:1617020057:1617019937:=548c548%0a%3c $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v > ~/bindhost%0a---%0a> $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v 'DenySet' | grep -v '#' > ~/bindhost%0a host:1617020057=198.251.81.44 author:1617019937=miniontoby csum:1617019937=channels removed diff:1617019937:1617019860:=548c548%0a%3c $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v 'DenySet' | grep -v '#' > ~/bindhost%0a---%0a> $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v 'DenySet' > ~/bindhost%0a host:1617019937=145.132.146.30 author:1617019860=miniontoby csum:1617019860=grep -v 'DenySet' diff:1617019860:1615027550:=548c548%0a%3c $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v 'DenySet' > ~/bindhost%0a---%0a> $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v > ~/bindhost%0a host:1617019860=145.132.146.30 author:1615027550=jrmu 
diff:1615027550:1614444529:=50,51c50,51%0a%3c You will want to make sure that any login.conf.db database is deleted:%0a%3c %0a---%0a> You will want to run cap_mkdb:%0a> %0a53c53%0a%3c $ doas rm /etc/login.conf.db%0a---%0a> $ doas cap_mkdb /etc/login.conf%0a host:1615027550=198.251.81.119 author:1614444529=jrmu diff:1614444529:1614444529:=1,691d0%0a%3c You will want to get a ddos-filtered IPv4 and an IPv6 subnet from your internet provider.%0a%3c %0a%3c Create the user znc:%0a%3c %0a%3c [@%0a%3c $ doas adduser%0a%3c @]%0a%3c %0a%3c [@%0a%3c Name: znc%0a%3c Password: ****%0a%3c Fullname: znc%0a%3c Uid: 1001%0a%3c Gid: 1001 (znc)%0a%3c Groups: znc %0a%3c Login Class: default%0a%3c HOME: /home/znc%0a%3c Shell: /sbin/nologin%0a%3c OK? (y/n) [y]: y%0a%3c @]%0a%3c %0a%3c I am not sure if this is necessary, but in /etc/login.conf, I add the following:%0a%3c %0a%3c [@%0a%3c znc:\%0a%3c :openfiles-cur=4096:\%0a%3c :openfiles-max=8182:\%0a%3c :openfiles=4096:\%0a%3c :stacksize-cur=48M:\%0a%3c :stacksize-max=48M:\%0a%3c :maxproc-max=infinity:\%0a%3c :maxproc-cur=4096:\%0a%3c :tc=daemon:%0a%3c @]%0a%3c %0a%3c '''WARNING''': Use tabs and not spaces. 
Spaces will not parse properly.%0a%3c %0a%3c I check to make sure znc is set to the right login class.%0a%3c %0a%3c [@%0a%3c $ doas vipw%0a%3c @]%0a%3c %0a%3c There should be a line with znc that looks like this (I check to make sure znc has the right login class; the '1001' is the uid, which you may find to be different from this example, but it should not be changed):%0a%3c %0a%3c [@%0a%3c znc:*:1001:1001:znc:0:0:znc:/home/znc:/sbin/nologin%0a%3c @]%0a%3c %0a%3c You will want to run cap_mkdb:%0a%3c %0a%3c [@%0a%3c $ doas cap_mkdb /etc/login.conf%0a%3c @]%0a%3c %0a%3c Now change znc shell to /bin/ksh , then continue with the steps below.%0a%3c %0a%3c [@%0a%3c $ doas su -c znc znc%0a%3c $ ulimit -a%0a%3c time(cpu-seconds) unlimited%0a%3c file(blocks) unlimited%0a%3c coredump(blocks) unlimited%0a%3c data(kbytes) 33554432%0a%3c stack(kbytes) 32768%0a%3c lockedmem(kbytes) 329478%0a%3c memory(kbytes) 985092%0a%3c nofiles(descriptors) 4096%0a%3c processes 1310%0a%3c @]%0a%3c %0a%3c I then set the default shell to /sbin/nologin (note: the '1001' is the uid, which you may find to be different from this example, but it should not be changed.):%0a%3c %0a%3c [@%0a%3c $ doas vipw%0a%3c %0a%3c ...%0a%3c %0a%3c znc:*:1001:1001:znc:0:0:znc:/home/znc:/sbin/nologin%0a%3c @]%0a%3c %0a%3c Install needed dependencies:%0a%3c %0a%3c [@%0a%3c $ doas pkg_add icu4c-67.1%0a%3c $ doas pkg_add boost-1.67.0p0%0a%3c $ doas pkg_add cmake%0a%3c @]%0a%3c %0a%3c The below install scripts are tested for OpenBSD 6.8 [[openbsd/syspatch|stable]] and znc-1.8.2. It will put znc inside the chroot at /home/znc. 
Before you begin the installation, check that you are using OpenBSD 6.8 and that your system is patched:%0a%3c %0a%3c [@%0a%3c $ uname -a%0a%3c OpenBSD example.ircnow.org 6.8 GENERIC#97 amd64%0a%3c $ doas syspatch%0a%3c @]%0a%3c %0a%3c [@%0a%3c $ cd ~%0a%3c $ curl -L -O https://ircnow.org/software/znc-1.8.2a.tar.gz%0a%3c $ tar xvzf znc-1.8.2a.tar.gz%0a%3c $ cd znc-1.8.2%0a%3c $ mkdir build%0a%3c $ cd build%0a%3c $ cmake ..%0a%3c $ make%0a%3c $ doas make install%0a%3c @]%0a%3c %0a%3c '''NOTE''': A patched version of znc-1.8.2 release is used to prevent a threading bug. Please do '''not''' use the standard znc 1.8.2 release.%0a%3c %0a%3c Then run as root:%0a%3c %0a%3c [@%0a%3c mkdir -p /home/znc/usr/lib/%0a%3c mkdir -p /home/znc/usr/local/lib/pkgconfig%0a%3c mkdir -p /home/znc/usr/local/bin/%0a%3c mkdir -p /home/znc/usr/local/share/%0a%3c mkdir -p /home/znc/usr/local/man/man1/%0a%3c mkdir -p /home/znc/usr/libexec/%0a%3c mkdir -p /home/znc/etc/ssl%0a%3c mkdir -p /home/znc/dev/%0a%3c mkdir -p /home/znc/var/run/%0a%3c mkdir -p /home/znc/home/znc/.znc%0a%3c mknod -m 644 /home/znc/dev/random c 45 0%0a%3c mknod -m 644 /home/znc/dev/urandom c 45 2%0a%3c mknod -m 666 /home/znc/dev/null c 2 2%0a%3c cp /usr/lib/libc++.so.5.0 /home/znc/usr/lib/libc++.so.5.0%0a%3c cp /usr/lib/libc++abi.so.3.0 /home/znc/usr/lib/libc++abi.so.3.0%0a%3c cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0%0a%3c cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1%0a%3c cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1%0a%3c cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1%0a%3c cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1%0a%3c cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0%0a%3c cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so%0a%3c cp /etc/resolv.conf /home/znc/etc/resolv.conf%0a%3c cp /etc/ssl/cert.pem /home/znc/etc/ssl/cert.pem%0a%3c cp /var/run/ld.so.hints /home/znc/var/run/ld.so.hints%0a%3c cp /usr/local/bin/znc 
/home/znc/usr/local/bin/znc%0a%3c cp /usr/local/man/man1/znc.1 /home/znc/usr/local/man/man1/znc.1%0a%3c cp /usr/local/man/man1/znc-buildmod.1 /home/znc/usr/local/man/man1/znc-buildmod.1%0a%3c cp /usr/local/bin/znc-buildmod /home/znc/usr/local/bin/znc-buildmod%0a%3c cp /usr/local/lib/pkgconfig/znc.pc /home/znc/usr/local/lib/pkgconfig/znc.pc%0a%3c cp /usr/local/lib/libicuuc.so.18.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicudata.so.18.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_locale-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_chrono-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_system-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_thread-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicui18n.so.18.0 /home/znc/usr/local/lib/%0a%3c cp -R /usr/local/share/znc /home/znc/usr/local/share/%0a%3c cp -R /usr/local/lib/znc /home/znc/usr/local/lib/%0a%3c cp -R /usr/local/include/znc /home/znc/usr/local/include/%0a%3c chown -R znc:znc /home/znc/%0a%3c chown -R root:wheel /home/znc/dev /home/znc/etc /home/znc/usr /home/znc/var%0a%3c chmod -R o-rx /home/znc/home/znc/.znc/%0a%3c usermod -G znc botnow%0a%3c usermod -G znc _identd%0a%3c @]%0a%3c %0a%3c At first, you will need to create a conf file:%0a%3c %0a%3c [@%0a%3c # export HOME=/home/znc/%0a%3c # chroot -u znc -g znc /home/znc znc --makeconf%0a%3c @]%0a%3c %0a%3c [@%0a%3c [ .. ] Checking for list of available modules...%0a%3c [ ** ] %0a%3c [ ** ] -- Global settings --%0a%3c [ ** ] %0a%3c [ ?? ] Listen on port (1025 to 65534): 31337%0a%3c [ ?? ] Listen using SSL (yes/no) [no]: yes%0a%3c [ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no%0a%3c [ .. ] Verifying the listener...%0a%3c [ ** ] Unable to locate pem file: [/home/znc/.znc/znc.pem], creating it%0a%3c [ .. 
] Writing Pem file [/home/znc/.znc/znc.pem]...%0a%3c [ ** ] Enabled global modules [webadmin]%0a%3c [ ** ] %0a%3c [ ** ] -- Admin user settings --%0a%3c [ ** ] %0a%3c [ ?? ] Username (alphanumeric): %0a%3c @]%0a%3c %0a%3c [@%0a%3c # cp /etc/ssl/my.example.com.fullchain.pem /home/znc/home/znc/.znc/%0a%3c # cp /etc/ssl/private/my.example.com.key /home/znc/home/znc/.znc/%0a%3c # chown znc:znc /home/znc/home/znc/.znc/my.example.com.*%0a%3c @]%0a%3c %0a%3c Inside ~:%0a%3c %0a%3c [@%0a%3c $ openssl dhparam -out dhparam.pem 2048%0a%3c $ doas chown znc:znc dhparam.pem%0a%3c $ doas mv dhparam.pem /home/znc/home/znc/.znc/%0a%3c @]%0a%3c %0a%3c Afterwards, to run znc:%0a%3c %0a%3c [@%0a%3c # export HOME=/home/znc%0a%3c # /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 &%0a%3c @]%0a%3c %0a%3c Now you must add this rule in /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in log quick proto tcp to port {http https} keep state (max-src-conn 30, max-src-conn-rate 20/60)%0a%3c pass in log quick proto tcp to port { 1337 31337 } keep state (max 3000, max-src-conn 200) #bnc%0a%3c @]%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c (Here the steps are a bit out of chronology)%0a%3c %0a%3c To start the bouncer, I run this command:%0a%3c %0a%3c [@%0a%3c # HOME=/home/znc && /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 &%0a%3c @]%0a%3c %0a%3c If your bouncer is already online, make sure to save the config by logging into your irc client, connected to the bouncer:%0a%3c %0a%3c [@%0a%3c /msg *status saveconfig%0a%3c @]%0a%3c %0a%3c Then, go add this at the top of /home/znc/home/znc/.znc/configs/znc.conf (yes I deliberately ignore the warnings):%0a%3c %0a%3c [@%0a%3c AnonIPLimit = 10000%0a%3c AuthOnlyViaModule = false%0a%3c ConfigWriteDelay = 0%0a%3c ConnectDelay = 1%0a%3c HideVersion = false%0a%3c LoadModule = chansaver%0a%3c LoadModule = lastseen%0a%3c LoadModule = adminlog%0a%3c LoadModule = identfile%0a%3c LoadModule = 
webadmin%0a%3c LoadModule = certauth%0a%3c MaxBufferSize = 10000%0a%3c ProtectWebSessions = true%0a%3c SSLCertFile = /home/znc/.znc/my.example.com.fullchain.pem%0a%3c SSLDHParamFile = /home/znc/.znc/dhparam.pem%0a%3c SSLKeyFile = /home/znc/.znc/my.example.com.key%0a%3c PidFile = /home/znc/.znc/znc.pid%0a%3c ServerThrottle = 1%0a%3c Version = 1.8.2%0a%3c %0a%3c %3cListener listener0>%0a%3c AllowIRC = true%0a%3c AllowWeb = false%0a%3c Host = 192.168.1.1%0a%3c IPv4 = true%0a%3c IPv6 = false%0a%3c Port = 1337%0a%3c SSL = false%0a%3c URIPrefix = /%0a%3c %3c/Listener>%0a%3c %0a%3c %3cListener listener1>%0a%3c AllowIRC = true%0a%3c AllowWeb = false%0a%3c Host = 192.168.1.1%0a%3c IPv4 = true%0a%3c IPv6 = false%0a%3c Port = 31337%0a%3c SSL = true%0a%3c URIPrefix = /%0a%3c %3c/Listener>%0a%3c %0a%3c %3cListener listener2>%0a%3c AllowIRC = true%0a%3c AllowWeb = false%0a%3c Host = 2001:db8::%0a%3c IPv4 = false%0a%3c IPv6 = true%0a%3c Port = 1337%0a%3c SSL = false%0a%3c URIPrefix = /%0a%3c %3c/Listener>%0a%3c %0a%3c %3cListener listener3>%0a%3c AllowIRC = true%0a%3c AllowWeb = false%0a%3c Host = 2001:db8::%0a%3c IPv4 = false%0a%3c IPv6 = true%0a%3c Port = 31337%0a%3c SSL = true%0a%3c URIPrefix = /%0a%3c %3c/Listener>%0a%3c %0a%3c %3cListener listener4>%0a%3c AllowIRC = true%0a%3c AllowWeb = false%0a%3c Host = 127.0.0.1%0a%3c IPv4 = true%0a%3c IPv6 = false%0a%3c Port = 1337%0a%3c SSL = false%0a%3c URIPrefix = /%0a%3c %3c/Listener>%0a%3c %0a%3c %3cListener listener5>%0a%3c AllowIRC = false%0a%3c AllowWeb = true%0a%3c Host = 127.0.0.1%0a%3c IPv4 = true%0a%3c IPv6 = false%0a%3c Port = 1338%0a%3c SSL = false%0a%3c URIPrefix = /%0a%3c %3c/Listener>%0a%3c @]%0a%3c %0a%3c We will load the identfile module by default. This is necessary to provide proper ident using [[oidentd/znc|oidentd]]. Please follow the instructions in the link to configure ident.%0a%3c %0a%3c I have znc bind to port 1338 without SSL for the web server. 
I will later use [[openbsd/relayd|relayd]] to provide TLS acceleration on port 443.%0a%3c %0a%3c Replace with your own IP addresses. Then, on your irc client logged into the bouncer:%0a%3c %0a%3c [@%0a%3c /msg *status rehash%0a%3c @]%0a%3c %0a%3c [@%0a%3c $ doas crontab -e%0a%3c @]%0a%3c %0a%3c Add a few lines to have ZNC reconnect every 5 minutes. ZNC will only connect if no other ZNC instance is running:%0a%3c %0a%3c [@%0a%3c HOME=/home/znc%0a%3c */5 * * * * /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 &%0a%3c @]%0a%3c %0a%3c To test the connection (and SSL certificate), run:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -connect my.example.com:31337%0a%3c @]%0a%3c %0a%3c Make sure you have the proper SSL cert configured.%0a%3c %0a%3c While you are at it, you will want to redirect any plaintext requests to the webpanel on port 80 to use SSL on port 443. Add this to /etc/httpd.conf:%0a%3c %0a%3c [@%0a%3c server "bnc.example.com" {%0a%3c listen on * port 80%0a%3c location "/.well-known/acme-challenge/*" {%0a%3c root "/acme"%0a%3c request strip 2%0a%3c }%0a%3c location * {%0a%3c block return 302 "https://$HTTP_HOST$REQUEST_URI"%0a%3c }%0a%3c }%0a%3c @]%0a%3c %0a%3c Go ahead and reboot the web server:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart httpd%0a%3c @]%0a%3c %0a%3c Note: If you are using IPv6 and IPv4 for the same listener, perl IO::Socket::INET is unable to connect. 
Use two separate listeners.%0a%3c %0a%3c '''Integration with the operating system'''%0a%3c %0a%3c [@%0a%3c doas touch /etc/rc.d/znc%0a%3c doas chmod +x /etc/rc.d/znc%0a%3c @]%0a%3c %0a%3c [= %0a%3c #!/bin/ksh%0a%3c #%0a%3c # $OpenBSD: znc,v 1.2 2020/01/21 19:27:07 rpe Exp $%0a%3c %0a%3c daemon_pidfile="/home/znc/home/znc/.znc/znc.pid"%0a%3c daemon="env HOME=/home/znc /usr/sbin/chroot -u znc -g znc /home/znc znc"%0a%3c %0a%3c %0a%3c service_stop() {%0a%3c if [ -f $daemon_pidfile ]; then%0a%3c pid=$(sed 's/[^0-9]*//g' $daemon_pidfile)%0a%3c kill $pid%0a%3c fi%0a%3c }%0a%3c %0a%3c case "$1" in%0a%3c stop)%0a%3c service_stop%0a%3c ;;%0a%3c esac%0a%3c %0a%3c %0a%3c . /etc/rc.d/rc.subr%0a%3c %0a%3c rc_reload=NO%0a%3c %0a%3c rc_cmd $1%0a%3c %0a%3c %0a%3c =]%0a%3c %0a%3c '''Automatic start'''%0a%3c %0a%3c Automatic start of the service in case of a crash. %0a%3c %0a%3c This prevents the loss of users due to software errors. Make sure your users feel good.%0a%3c [=%0a%3c doas mkdir /usr/local/project_name/%0a%3c doas touch /usr/local/project_name/checker_znc.sh%0a%3c doas chmod +x /usr/local/project_name/checker_znc.sh%0a%3c =]%0a%3c %0a%3c [=%0a%3c #!/bin/sh%0a%3c %0a%3c SERVICE_NAME="znc"%0a%3c SERVICE_USER="znc"%0a%3c SERVICE_PID="/home/znc/home/znc/.znc/znc.pid"%0a%3c %0a%3c if ! 
pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null%0a%3c then%0a%3c if [ -f $SERVICE_PID ]; then%0a%3c rm -f $SERVICE_PID%0a%3c rcctl -d restart $SERVICE_NAME%0a%3c fi%0a%3c fi%0a%3c %0a%3c =]%0a%3c %0a%3c [=%0a%3c doas crontab -e%0a%3c =]%0a%3c %0a%3c [=%0a%3c */2 * * * * /usr/local/project_name/checker_znc.sh 2>&1 &%0a%3c =]%0a%3c %0a%3c '''ZNC console'''%0a%3c %0a%3c Connect%0a%3c [=%0a%3c /quote PASS admin:mysuperadminpassqwerty%0a%3c =]%0a%3c %0a%3c Generate a new password for the user%0a%3c [=%0a%3c Go to site: https://passwordsgenerator.net/%0a%3c and disable "Include Symbols"%0a%3c click "generate password"%0a%3c or you can create a password yourself (the password must be between 12 and 16 characters long and include numbers and letters)%0a%3c =]%0a%3c %0a%3c User login%0a%3c [=%0a%3c username must be the same as, or derived from, the network login (contain a suffix)%0a%3c =]%0a%3c %0a%3c Create new user%0a%3c [=%0a%3c /msg *controlpanel AddUser bob 12345678%0a%3c /msg *controlpanel LoadModule bob perform%0a%3c =]%0a%3c %0a%3c Add network for new user%0a%3c [=%0a%3c /msg *controlpanel AddNetwork bob IRCNow%0a%3c /msg *controlpanel AddServer bob IRCNow irc.ircnow.org +6697%0a%3c /msg *controlpanel SetNetwork BindHost bob IRCNow 2703:6401:30:faa1:6184:399c:dae2:32a2%0a%3c /msg *controlpanel help%0a%3c =]%0a%3c %0a%3c Set channels%0a%3c [=%0a%3c /msg *controlpanel AddChan bob IRCNow #ircnow%0a%3c =]%0a%3c %0a%3c Set pass (this must be done with a user account, or offer to run this command yourself) %0a%3c [=%0a%3c /msg *perform add PRIVMSG NickServ IDENTIFY bob 12345678%0a%3c /msg *perform help%0a%3c =]%0a%3c %0a%3c Reconnect user's network%0a%3c [=%0a%3c /msg *controlpanel Reconnect bob IRCNow%0a%3c =]%0a%3c %0a%3c Saving settings to disk (please save your changes to disk immediately)%0a%3c [=%0a%3c /msg *status SaveConfig%0a%3c =]%0a%3c %0a%3c Deleting user and user entities%0a%3c [=%0a%3c /msg *controlpanel DelUser bob%0a%3c /msg *controlpanel DelNetwork bob 
IRCNow%0a%3c =]%0a%3c %0a%3c !! Custom vhosts%0a%3c %0a%3c '''WARNING''': do '''not''' set individual IPv6 addresses for a user's bindhost. Do not set a user's bindhost to be something like 2605:6400:10::. If you specify an IPv6 address for the bindhost, that user can *only* connect to networks that support IPv6. IPv4-only networks completely fail.%0a%3c %0a%3c It is better to set the bindhost to be username.fruit.ircnow.org. Then, for the [[openbsd/nsd|nameserver]], create an AAAA record and an A record. That way, the bindhost will use IPv6 if the network is IPv6-only, and IPv4 if it is an IPv4-only network. This solution is more flexible and allows your user to fall back to IPv4 when IPv6 is not supported.%0a%3c %0a%3c If a user requests to change their vhost, do not edit the bindhost -- all you need to do is update the rDNS record (see the [[openbsd/buyvm|buyvm web panel]]). Don't delete the bindhost or the DNS A/AAAA records.%0a%3c %0a%3c For example, suppose the vhost was formerly username.fruit.ircnow.org. If the user wants to change it to example.com, you just need to update the rDNS to example.com, but leave the znc bindhost as username.fruit.ircnow.org and keep the A/AAAA records for username.fruit.ircnow.org.%0a%3c %0a%3c Once example.com's AAAA record is working, and the rDNS has been configured properly, you can reconnect the user (either the user types @@/znc connect@@ or you type @@/msg *controlpanel reconnect %3cusername> %3cnetwork>@@), and the vhost will update properly.%0a%3c %0a%3c Keeping the old A/AAAA record and bindhost working will make it easier if the user changes vhosts or if their third-party DNS server for example.com fails for whatever reason. This method will allow the user to still connect. Otherwise, if the third-party DNS server fails for example.com (which frequently happens with cheap, free DNS services), users will be unable to connect and blame you. %0a%3c %0a%3c !! 
Troubleshooting%0a%3c %0a%3c If your user is getting disconnected, these are the most likely causes:%0a%3c %0a%3c # mismatch of ports or SSL (using plaintext on 6697 or SSL on 6667)%0a%3c # SSL is not supported%0a%3c # user has a server password where none belongs (most likely the user confused the server password with the NickServ password)%0a%3c # ident is not working%0a%3c # ircd bans a certain username or ident for no good reason (the ircd mistakenly assumes your connection is a bot and glines it)%0a%3c # typo of server name or IP address%0a%3c # DNS lookup error%0a%3c %0a%3c You may need to install icu4c-67.1.%0a%3c %0a%3c !! WARNING%0a%3c %0a%3c If a znc user has a bindhost that is IPv6 only but the network is IPv4 only, it will not connect.%0a%3c %0a%3c To prevent this, you '''must be absolutely 100%25 certain''' that each bindhost is symbolic (such as username.fruit.ircnow.org) and that each hostname has a single A record and a single AAAA record in your DNS zone. If any part is misconfigured, users will be unable to connect.%0a%3c %0a%3c A quick way to check if there are DNS errors:%0a%3c %0a%3c [@%0a%3c $ doas grep Host /home/znc/home/znc/.znc/configs/znc.conf | grep -v > ~/bindhost%0a%3c $ vi ~/bindhost%0a%3c @]%0a%3c %0a%3c Then with vi:%0a%3c %0a%3c [@%0a%3c :%25s_.* = _host _g%0a%3c @]%0a%3c %0a%3c Then:%0a%3c %0a%3c [@%0a%3c $ sh ~/bindhost%0a%3c @]%0a%3c %0a%3c If you see any records there with only a single IPv4 address but no IPv6, or a single IPv6 but no IPv4, or any NXDOMAIN responses, you need to fix your DNS records. There should be exactly one shared IPv4 and one unique IPv6 for each hostname, and zero NXDOMAIN responses.%0a%3c %0a%3c !!! 
Missing libraries%0a%3c %0a%3c If you are getting errors such as:%0a%3c %0a%3c [@%0a%3c ld.so: znc: can't load library 'libc++abi.so.2.1' %0a%3c @]%0a%3c %0a%3c Then it could be due to the fact that you are on the wrong OpenBSD version (6.7 or earlier), you did not apply [[openbsd/syspatch|syspatch]], or you have not upgraded all dependencies:%0a%3c %0a%3c [@%0a%3c $ doas syspatch%0a%3c $ doas pkg_add -u%0a%3c @]%0a%3c %0a%3c Then, delete the build folder and compile again.%0a%3c %0a%3c !! Adding ICU support%0a%3c %0a%3c Copy the following directories:%0a%3c %0a%3c [@%0a%3c # cp -R /usr/local/share/icu /home/znc/usr/local/share/%0a%3c # cp -R /usr/local/lib/icu /home/znc/usr/local/lib/%0a%3c @]%0a%3c %0a%3c Then, restart BNC. Encoding options should be available.%0a%3c %0a%3c (The patched ZNC was made before ICU support was added. So, we cannot ensure that adding ICU support after the patch will not cause any other bugs.)%0a%3c %0a%3c !! Obsolete Setups%0a%3c %0a%3c The old install script (tested for OpenBSD 6.7 and znc-1.7.5) is now '''obsolete''':%0a%3c %0a%3c [@%0a%3c mkdir -p /home/znc/usr/lib/%0a%3c mkdir -p /home/znc/usr/libexec/%0a%3c mkdir -p /home/znc/etc/ssl%0a%3c mkdir -p /home/znc/dev/%0a%3c mkdir -p /home/znc/var/run/%0a%3c mkdir -p /home/znc/home/znc/%0a%3c mknod -m 644 /home/znc/dev/random c 45 0%0a%3c mknod -m 644 /home/znc/dev/urandom c 45 2%0a%3c mknod -m 666 /home/znc/dev/null c 2 2%0a%3c cp /usr/lib/libc++.so.5.0 /home/znc/usr/lib/libc++.so.5.0%0a%3c cp /usr/lib/libc++abi.so.3.0 /home/znc/usr/lib/libc++abi.so.3.0%0a%3c cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0%0a%3c cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1%0a%3c cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1%0a%3c cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1%0a%3c cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1%0a%3c cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0%0a%3c cp /usr/libexec/ld.so 
/home/znc/usr/libexec/ld.so%0a%3c cp /etc/resolv.conf /home/znc/etc/resolv.conf%0a%3c cp /etc/ssl/cert.pem /home/znc/etc/ssl/cert.pem%0a%3c cp /var/run/ld.so.hints /home/znc/var/run/ld.so.hints%0a%3c pkg_add -B /home/znc znc%0a%3c chown -R root:wheel /home/znc/dev /home/znc/etc /home/znc/usr /home/znc/var%0a%3c chown -R znc:znc /home/znc/%0a%3c usermod -G znc botnow%0a%3c usermod -G znc _identd%0a%3c @]%0a%3c %0a%3c !! Running znc in debug mode%0a%3c %0a%3c [@%0a%3c $ cd ~%0a%3c $ curl -L -O https://znc.in/releases/znc-1.8.2.tar.gz%0a%3c $ tar xvzf znc-1.8.2.tar.gz%0a%3c $ cd znc-1.8.2%0a%3c $ mkdir build%0a%3c $ cd build%0a%3c $ ../configure --enable-debug CXX=c++%0a%3c $ gmake%0a%3c $ doas make install%0a%3c @]%0a%3c %0a%3c [@%0a%3c mkdir -p /home/znc/usr/lib/%0a%3c mkdir -p /home/znc/usr/local/lib/pkgconfig%0a%3c mkdir -p /home/znc/usr/local/bin/%0a%3c mkdir -p /home/znc/usr/local/share/%0a%3c mkdir -p /home/znc/usr/local/man/man1/%0a%3c mkdir -p /home/znc/usr/libexec/%0a%3c mkdir -p /home/znc/etc/ssl%0a%3c mkdir -p /home/znc/dev/%0a%3c mkdir -p /home/znc/var/run/%0a%3c mkdir -p /home/znc/home/znc/%0a%3c mknod -m 644 /home/znc/dev/random c 45 0%0a%3c mknod -m 644 /home/znc/dev/urandom c 45 2%0a%3c mknod -m 666 /home/znc/dev/null c 2 2%0a%3c cp /usr/lib/libc++.so.5.0 /home/znc/usr/lib/libc++.so.5.0 %0a%3c cp /usr/lib/libc++abi.so.3.0 /home/znc/usr/lib/libc++abi.so.3.0%0a%3c cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0%0a%3c cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1%0a%3c cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1%0a%3c cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1%0a%3c cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1%0a%3c cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0%0a%3c cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so%0a%3c cp /etc/resolv.conf /home/znc/etc/resolv.conf%0a%3c cp /etc/ssl/cert.pem /home/znc/etc/ssl/cert.pem%0a%3c cp /var/run/ld.so.hints 
/home/znc/var/run/ld.so.hints%0a%3c cp /usr/local/bin/znc /home/znc/usr/local/bin/znc%0a%3c cp /usr/local/man/man1/znc.1 /home/znc/usr/local/man/man1/znc.1%0a%3c cp /usr/local/man/man1/znc-buildmod.1 /home/znc/usr/local/man/man1/znc-buildmod.1%0a%3c cp /usr/local/bin/znc-buildmod /home/znc/usr/local/bin/znc-buildmod%0a%3c cp /usr/local/lib/pkgconfig/znc.pc /home/znc/usr/local/lib/pkgconfig/znc.pc%0a%3c cp /usr/local/lib/libicuuc.so.18.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicudata.so.18.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_locale-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_system-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_thread-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libboost_chrono-mt.so.11.0 /home/znc/usr/local/lib/%0a%3c cp /usr/local/lib/libicui18n.so.18.0 /home/znc/usr/local/lib/%0a%3c cp -R /usr/local/share/znc /home/znc/usr/local/share/%0a%3c cp -R /usr/local/lib/znc /home/znc/usr/local/lib/%0a%3c cp -R /usr/local/include/znc /home/znc/usr/local/include/%0a%3c chown -R znc:znc /home/znc/%0a%3c chown -R root:wheel /home/znc/dev /home/znc/etc /home/znc/usr /home/znc/var%0a%3c chmod -R o-rx /home/znc/home/znc/.znc/%0a%3c usermod -G znc botnow%0a%3c usermod -G znc _identd%0a%3c @]%0a%3c %0a%3c $ doas gdb chroot%0a\ No newline at end of file%0a host:1614444529=198.251.81.119