OpenBSD Home Server - The Plan 05 Sep 2020
------------------------------------------------------------------------
Here's a diagram showing the physical layout of my home network:
+---------+   +-------------------+   +-------------------+   +--------+
| Outside |   |       Pace        |   |                   |   |        |
| Network +###+      5268AC       +###+    Big Switch     |###+ Server |
| (AT&T)  |   |      (AT&T)       |   |                   |   |        |
+---------+   +-------------------+   +-------------------+   +--------+
                     z  z  z                 #  #  #
               +-+-+ +-+-+   +-+-+     +-+-+ +-+-+   +-+-+
               | a | | b |...| z |     | A | | B |...| Z |
               +---+ +---+   +---+     +---+ +---+   +---+
                   WiFi Nodes            Ethernet Nodes
The Pace 5268AC that AT&T provided sits in a cabinet under our TV, with
a big network switch and the OpenBSD server. The switch is connected to
the gateway, the server, and all the ethernet ports through the rest of
the house. The 5268AC is also a wireless access point, so there are any
number of devices connected to it via WiFi.
On my previous attempt at using my server hardware as a router[0], it
sat between the 5268AC and the Big Switch, passing packets back and
forth with pf, handing out IP addresses with dhcpd, and answering DNS
queries with Unbound. All of those are part of OpenBSD's base install.
That didn't work out too well, likely because the 5268AC doesn't handle
cascaded router configurations very well. Whatever.
Now, the server is just another node connected to the switch, not doing
anything in particular besides accepting SSH connections. Besides the
base OpenBSD 6.7 install, the only other software on it at the moment is
ZSH (installed with pkg_add), so I can use my preferred shell setup[1].
I don't expect to install much else, since OpenBSD is a very capable
server OS right out of the box.
Here's the rough plan:
1) Get Unbound set up to accept DNS queries from the local network, with
DNSSEC enabled. That means changing just a few configuration settings
for Unbound, and opening port 53 with pf.
2) Configure the 5268AC's DHCP server to use my nameserver when passing
out network configuration settings. I'd rather just use my server for
DHCP as well, but there doesn't seem to be a way to turn it off in
the 5268AC. Oh well.
UPDATE: It turns out, AT&T doesn't let you change the DNS settings in
their gateway. So I'll need to figure out a workaround. Maybe setting
its DHCP range to a single address (for the gateway), and running a
separate DHCP server myself (like I'd wanted to anyway).
3) Set up a blocklist for ad servers and malware. I'll most likely use
Steven Black's hosts list[2] for that, with a little bit of sed-foo
to get it into the right format for Unbound. Maybe I'll set up a cron
job to keep the list up-to-date as well.
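Here is an added example, not from the original post, that sketches what
steps 1 through 3 look like on the server: the Unbound server clause with
LAN access and DNSSEC validation, the pf rule for port 53, a dhcpd.conf
for the step 2 workaround, and the hosts-file-to-Unbound conversion with
a cron-able refresh. The interface name em0, the 192.168.1.x addresses,
the gateway address and the raw hosts URL are assumptions; the Unbound
paths are the ones OpenBSD's stock unbound.conf refers to.

```shell
#!/bin/sh
# Added example (not from the original post): the pieces of steps 1-3 as
# small shell functions. Interface name (em0), addresses (192.168.1.x) and
# the gateway address are assumptions; the Unbound paths are the ones
# OpenBSD's stock /var/unbound/etc/unbound.conf uses, so check your copy.

# Step 1: server: clause for /var/unbound/etc/unbound.conf. Unbound runs
# chrooted under /var/unbound on OpenBSD; the DNSSEC anchor must be
# writable by _unbound so it can be kept current (RFC 5011).
unbound_server_conf() {
    lan_addr=$1    # this server's LAN address, e.g. 192.168.1.2
    lan_net=$2     # LAN prefix allowed to query, e.g. 192.168.1.0/24
    blocklist=$3   # file written by hosts_to_unbound (step 3)
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: $lan_addr
    access-control: 127.0.0.0/8 allow
    access-control: $lan_net allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    include: "$blocklist"
EOF
}

# Step 1, pf side: accept DNS from the LAN only, on the LAN interface.
pf_dns_rule() {
    lan_if=$1
    printf 'pass in on %s proto { tcp udp } from %s:network to (%s) port domain\n' \
        "$lan_if" "$lan_if" "$lan_if"
}

# Step 2 workaround: /etc/dhcpd.conf for the base dhcpd. The gateway keeps
# routing; its own DHCP range is shrunk to one address so the two servers
# never hand out overlapping leases. Addresses here are assumed.
dhcpd_conf() {
    cat <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;            # the 5268AC stays the gateway
    option domain-name-servers 192.168.1.2;  # this server (Unbound)
    range 192.168.1.100 192.168.1.200;       # outside the gateway's range
}
EOF
}

# Step 3: hosts(5) lines -> Unbound local-zone lines. Keeps the 0.0.0.0
# sinkhole entries only, drops comments, the "0.0.0.0 0.0.0.0" line and
# single-label names, lowercases and de-duplicates. always_nxdomain makes
# Unbound answer NXDOMAIN for the name and everything below it.
hosts_to_unbound() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }   # comment or blank line
        $1 != "0.0.0.0"      { next }   # localhost, ::1, ... entries
        {
            host = tolower($2)
            if (host == "0.0.0.0") next
            if (host !~ /^[a-z0-9-]+(\.[a-z0-9-]+)+$/) next
            if (host in seen) next
            seen[host] = 1
            printf "local-zone: \"%s.\" always_nxdomain\n", host
        }'
}

# Cron-able refresh: fetch with ftp(1) from base, convert, validate, reload.
# The raw-file URL is assumed; an empty or failed download leaves the old
# list in place. The file must be readable by _unbound because a reload
# re-reads the config after privileges have been dropped.
update_blocklist() {
    url='https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
    out=/var/unbound/etc/blocklist.conf
    tmp=$(mktemp) || return 1
    if ! ftp -o - "$url" | hosts_to_unbound > "$tmp" || ! [ -s "$tmp" ]; then
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$out" && unbound-checkconf && rcctl reload unbound
}

# Constructed sample in the hosts-file format (not the real list).
SAMPLE_HOSTS='# Title: StevenBlack/hosts (constructed sample)
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0

0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # trailing comment
0.0.0.0 malware.example.org
0.0.0.0 ads.example.com'

printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
```

Run as-is it only converts the constructed sample; on the real box you
would write the output of unbound_server_conf into unbound.conf, add the
pf rule, enable dhcpd with rcctl (set its flags to the LAN interface), and
put update_blocklist in root's crontab. The awk filter is deliberately
strict: a line that is not a 0.0.0.0 entry with a dotted name is dropped,
so a garbled download cannot sneak odd local-zone lines into Unbound.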
Beyond that, I may configure Unbound to forward to dnscrypt-proxy, so
DNS requests are encrypted as well as signed when they leave my network.
I haven't decided yet.
Once DNS is working the way I want it to, I'll look into setting up a
VPN server (WireGuard?), so I can make use of it from outside my house
as well. One thing at a time, though.
[0]: gopher://sdf.org/0/users/jingram/openbsd/2020-09-04.background.txt
[1]: gopher://sdf.org/0/users/jingram/dotfiles/zshrc
[2]: https://github.com/StevenBlack/hosts