OpenBSD Home Server - The Plan
05 Sep 2020
------------------------------------------------------------------------

Here's a diagram showing the physical layout of my home network:

+---------+   +-------------------+   +-------------------+   +--------+
| Outside |   | Pace              |   |                   |   |        |
| Network +###+ 5268AC            +###+ Big Switch        |###+ Server |
| (AT&T)  |   | (AT&T)            |   |                   |   |        |
+---------+   +-------------------+   +-------------------+   +--------+
                      z z z                   # # #
               +-+-+ +-+-+   +-+-+     +-+-+ +-+-+   +-+-+
               | a | | b |...| z |     | A | | B |...| Z |
               +---+ +---+   +---+     +---+ +---+   +---+
                    WiFi Nodes             Ethernet Nodes

The Pace 5268AC that AT&T provided sits in a cabinet under our TV, with a big network switch and the OpenBSD server. The switch is connected to the gateway, the server, and all the ethernet ports through the rest of the house. The 5268AC is also a wireless access point, so any number of devices are connected to it via WiFi.

On my previous attempt at using my server hardware as a router[0], it sat between the 5268AC and the Big Switch, passing packets back and forth with pf, handing out IP addresses with dhcpd, and answering DNS queries with Unbound. All of those are part of OpenBSD's base install. That didn't work out too well, likely because the 5268AC doesn't handle cascaded router configurations very well. Whatever.

Now, the server is just another node connected to the switch, not doing anything in particular besides accepting SSH connections. Besides the base OpenBSD 6.7 install, the only other software on it at the moment is ZSH (installed with pkg_add), so I can use my preferred shell setup[1]. I don't expect to install much else, since OpenBSD is a very capable server OS right out of the box.

Here's the rough plan:

1) Get Unbound set up to accept DNS queries from the local network, with DNSSEC validation enabled. That means changing just a few configuration settings for Unbound (listen on the LAN address, allow the LAN subnet in access-control, and point it at a root trust anchor so answers are actually validated), and opening port 53 with pf for both UDP and TCP, from the LAN only.
2) Configure the 5268AC's DHCP server to use my nameserver when passing out network configuration settings. I'd rather just use my server for DHCP as well, but there doesn't seem to be a way to turn it off in the 5268AC. Oh well.

   UPDATE: It turns out AT&T doesn't let you change the DNS settings in their gateway. So I'll need to figure out a workaround. Maybe setting its DHCP range to a single address (for the gateway), and running a separate DHCP server myself (like I'd wanted to anyway).

3) Set up a blocklist for ad servers and malware. I'll most likely use Steven Black's hosts list[2] for that, with a little bit of sed-fu to get it from hosts-file format into Unbound's local-zone format. Maybe I'll set up a cron job to keep the list up to date as well.

Beyond that, I may configure Unbound to forward to dnscrypt_proxy, so DNS requests are encrypted as well as signed when they leave my network. I haven't decided yet.

Once DNS is working the way I want it to, I'll look into setting up a VPN server (WireGuard?), so I can make use of it from outside my house as well. One thing at a time, though.

[0]: gopher://sdf.org/0/users/jingram/openbsd/2020-09-04.background.txt
[1]: gopher://sdf.org/0/users/jingram/dotfiles/zshrc
[2]: https://github.com/StevenBlack/hosts
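The Unbound and pf settings from step 1 of the plan, together with the hosts-to-local-zone conversion from step 3, as an added shell example. This is not the author's configuration or script; it writes fragments to a scratch directory rather than touching /etc or /var/unbound. The interface name em0, the addresses 192.168.1.2 and 192.168.1.0/24, the blocklist include path, and the sample hosts lines are all assumptions for illustration; /var/unbound/db/root.key is the trust-anchor path in OpenBSD's stock unbound.conf.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the Unbound
# blocklist and the Unbound/pf fragments described in the plan.
# Interface name, addresses, include path and sample input are assumptions.
set -eu

# Convert a hosts-format blocklist ("0.0.0.0 name" lines, as in Steven
# Black's list) on stdin into Unbound local-zone statements on stdout.
# Comment lines, blank lines and the standard localhost/broadcast entries
# are dropped; names are lower-cased, checked against a conservative
# hostname charset, de-duplicated and sorted so the output is stable.
hosts_to_unbound() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment
                name = tolower($i)
                if (name ~ /^(0\.0\.0\.0|localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/) continue
                if (name ~ /^[a-z0-9._-]+$/) print name
            }
        }' | LC_ALL=C sort -u | sed 's/.*/local-zone: "&" always_nxdomain/'
}

# Write the step 1 Unbound settings to $1 (a fragment to merge into
# /var/unbound/etc/unbound.conf). Listen on the LAN address only, allow
# only the LAN, refuse everything else, validate DNSSEC against the root
# trust anchor, and pull in the generated blocklist.
write_unbound_conf() {
    lan_addr=${2:-192.168.1.2}    # assumption: the server's LAN address
    lan_net=${3:-192.168.1.0/24}  # assumption: the LAN prefix
    cat > "$1" <<EOF
server:
    interface: $lan_addr
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: $lan_net allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    # DNSSEC validation needs a trust anchor (stock OpenBSD path below)
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    # generated by hosts_to_unbound; path is an assumption
    include: "/var/unbound/etc/blocklist.conf"
EOF
}

# Write the step 1 pf rule to $1: DNS over UDP and TCP (TCP is needed when
# DNSSEC answers are truncated), from the LAN only, to the LAN address.
write_pf_rules() {
    lan_if=${2:-em0}              # assumption: the server's LAN interface
    cat > "$1" <<EOF
lan = "$lan_if"
pass in quick on \$lan inet proto { tcp udp } from \$lan:network to (\$lan) port domain
EOF
}

# Constructed excerpt in the hosts-file layout (not the real list).
SAMPLE_HOSTS='# Title: StevenBlack/hosts (constructed excerpt)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 0.0.0.0

# Start of ad entries
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org  # trailing comment
0.0.0.0 ads.example.net
0.0.0.0 bad;name.example'

main() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound > "$dir/blocklist.conf"
    write_unbound_conf "$dir/unbound.conf"
    write_pf_rules "$dir/pf-dns.conf"
    cat "$dir/blocklist.conf" "$dir/unbound.conf" "$dir/pf-dns.conf"
    rm -rf "$dir"
}

main
```

After merging the fragments, run unbound-checkconf and pfctl -nf /etc/pf.conf before reloading either daemon. To confirm validation is really on rather than just configured, query a zone with a deliberately broken signature, such as dig @192.168.1.2 dnssec-failed.org, which should come back SERVFAIL, while dig +dnssec on a correctly signed zone should show the AD flag. always_nxdomain makes blocked names fail fast; answering them with local-data 0.0.0.0 instead mimics the hosts file more closely but makes clients try to connect.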