disk encryption for remote server
Hi everyone,

Is there any way to use disk encryption without having physical access to the device?

A few potential ideas:

- Is there a way to enter the encryption passphrase via ssh?
- Is there a way to create a non-encrypted partition on the same hard drive, where the keydisk would be stored, and automatically used? (For various reasons, an external USB key is not feasible.)

And yes, I realize this would weaken the security significantly, but I'd still like to know if it's feasible. My guess is that it's not possible, but I wanted to ask to make sure.

Cheers,
Jake
Re: disk encryption for remote server
Thanks all for your thoughts.

Regarding the remote serial console access, unfortunately, it is not possible in my case. I do not have IPMI or something similar :(

On Mon, 27 May 2024 at 08:17, Manuel Giraud <manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote:

> Stefan Kreutz writes:
>
> > Can you access the machine's serial console, maybe redirected over IP?
>
> I concur that remote serial console access (maybe via a web interface
> serviced by your provider) is your best option here.
>
> I used to do (almost) FDE without console access, but here is a list of
> drawbacks/requirements:
>
> - It is not really FDE because / was not encrypted
>
> - It required patching /etc/rc with the patch at the end of this
>   message
>
> - The "/root/sshd" from this patch is a self-contained sshd
>   without the need of any external library. It is *not* a copy
>   of /usr/sbin/sshd and you have to compile it yourself (and I
>   don't remember how)
>
> Best regards,
> --
> Manuel Giraud
How to set number of blocks in fdisk GPT
Hi all,

How can I choose the blocks parameter in the command:

    fdisk -gy -b blocks disk

The man page does not indicate how to make an informed choice. I couldn't find relevant help on the internet.

Thanks!
umount raid volume before shutdown?
Hi all,

On my main hard drive, I have a partition `p` that I have encrypted in the following way:

    $ bioctl -c C -l sd0p softraid0

-> This created the sd1 pseudo-device, on which I ran the following:

    $ fdisk -g sd1
    $ disklabel -E sd1    # created partition i, to take all the space. This is the unique partition on this
    $ newfs sd1a

I then mount this via:

    $ mount /dev/sd1i /decrypt

I have two questions:

- I don't want to have to unmount /decrypt before I shut down or restart the computer. Does OpenBSD cleanly unmount encrypted volumes when shutting down?

- What should I do with the encrypted sd0p? Should I remove it from my /etc/fstab and not even mount it? Or is it fine to keep it mounted?

Thanks!
Jake
Re: How to set number of blocks in fdisk GPT
Thanks Kirill.

Yes, I saw that, but in my case, FAT32 is not the file format that I am using to encrypt the partition. The partition is on an SSD with a 4.2BSD filesystem.

On Thu, 30 May 2024 10:06:11 +0100,

>> How can I choose the blocks parameter in the command:
>>
>>     fdisk -gy -b blocks disk
>>
>> The man page does not indicate how to make an informed choice. I
>> couldn't find relevant help on the internet.
>
> As suggested at https://www.openbsd.org/faq/faq14.html you may use 532480.
> Which is the minimum size of such partition due to a limitation of FAT32.
> Some details can be found here:
> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions
>
> --
> wbr, Kirill
Call sysctl before sysctl.conf
Hi all,

When OpenBSD runs my processor at 100%, it makes a noise. Interestingly, when in the BIOS, this noise does not appear.

To get rid of the noise I call sysctl with this:

    sysctl hw.perfpolicy=manual
    sysctl hw.setperf=99

The problem is, at the beginning of boot, OpenBSD runs the processor with hw.setperf=100, so the noise is present.

Using a /etc/sysctl.conf with:

    hw.perfpolicy=manual
    hw.setperf=99

does not help, as this happens too late.

I also tried to use a /etc/rc.securelevel with:

    sysctl hw.perfpolicy=manual
    sysctl hw.setperf=99

but it also happens too late, and the noise is present (if brief).

Is there a way to make hw.setperf=99 really permanent, or happen even earlier during boot?

Thanks!
Jake
Re: umount raid volume before shutdown?
From my reading of /etc/rc, it seems that at shutdown or reboot, the OS will automatically unmount everything. So that will unmount my encrypted partition.

However, it does not run bioctl -d sd* for the pseudo-device. So I guess the question becomes: is it a problem to exit the system without detaching the softraid volume via bioctl?

Thanks!

> Hi all,
>
> On my main hard drive, I have a partition `p` that I have encrypted in the
> following way:
>
>     $ bioctl -c C -l sd0p softraid0
>
> -> This created the sd1 pseudo-device, on which I ran the following:
>
>     $ fdisk -g sd1
>     $ disklabel -E sd1    # created partition i, to take all the space. This is the
>                           # unique partition on this
>     $ newfs sd1a
>
> I then mount this via:
>
>     $ mount /dev/sd1i /decrypt
>
> I have two questions:
>
> - I don't want to have to unmount /decrypt before I shut down or restart the
>   computer. Does OpenBSD cleanly unmount encrypted volumes when shutting down?
>
> - What should I do with the encrypted sd0p? Should I remove it from my
>   /etc/fstab and not even mount it? Or is it fine to keep it mounted?
>
> Thanks!
>
> Jake
vim editor with TERM
Hi all,

I use the following terminal:

    echo $TERM
    xterm-256color

When in my ~/.profile I do:

    export EDITOR=nano

everything works well. However, if I do

    export EDITOR=vim

then when I ssh into the machine, the up and down arrows in the terminal do not work anymore (they do not give me access to previously entered commands).

I have installed the following vim:

    $ pkg_info | grep vim
    vim-9.1.139-no_x11  vi clone, many additional features

Does anyone have a clue as to what could cause this issue?

Thanks,
Jake
Using nopass on a single user machine
Hi all,

Is there any downside in using the nopass option of doas, for a single-user machine? It's a machine that I access only via ssh, with an identity file.

In what way would it increase the attack surface to do so?

Thanks,
Jake
Re: Debian 12 Under VMM
Hi all,

I am trying to run Debian 12 under VMM.

I can see on the email from 2024-04-02 that Bruce managed to make it work, but I don't know how.

The crux of the issue is that the Debian ISO installer does not seem to work under serial console.

Here's what I did:

/etc/vm.conf

    vm "vm1" {
        memory 1G
        disable
        cdrom "/isos/debian-12.5.0-amd64-netinst.iso"
        disk "/disks/disk_vm1.qcow2" format qcow2
        local interface
    }

When I then start the VM, I am greeted with the message:

"Press a key, otherwise speech synthesis will be started in 27 seconds..."

and then after keypress

"
Undefined video mode number: 314
Press <ENTER> to see video modes available, <SPACE> to continue, or wait 30 sec
"

and it then crashes.

Can anyone (maybe Bruce) point me in the right direction?

Thanks!
Jake
Using arrows in VMM
Greetings,

I am running Debian 12 under VMM, on OpenBSD 7.5.

Whenever I am using the arrows (to retrieve previous history or simply to move left or right), there is a long random sleep, of 5 to 10 seconds. Sometimes more.

Does anybody know what could be the issue?

Inside the VM, the term is vt200. The host has xterm-256color as term. I ssh into the host.

Thanks,
Jake
Re: Debian 12 Under VMM
Thank you Dave and Bruce.

This worked for me:

    boost install gfxpayload=text console=ttyS0,115200n8

The critical part was that I had to type it and not copy-paste it. For some reason, I have problems on the terminal of the VM. I can't copy-paste it correctly, nor use the arrows without glitches.

Also as an FYI for anyone else trying: I have to kill the VM at the end of the install, and not let the installation process reboot the machine. Otherwise it hangs indefinitely.

Thanks!
Jake

Dave Voutila <d...@sisu.io> writes:

>
>> Hi all,
>>
>> I am trying to run Debian 12 under VMM.
>>
>> I can see on the email from 2024-04-02 that Bruce managed to make it work,
>> but I don't know how.
>>
>> The crux of the issue is that the Debian ISO installer does not seem to work
>> under serial console.
>
> You need to modify the kernel boot args to disable video and rely on
> serial console. I can't recall whatever the graphics arg is to the linux
> kernel, but you typically want something like vga=off and then set the
> console arg. I recommend setting both that and io_delay:
>
>     console=ttyS0,115200 io_delay=none
>
> io_delay will make the kernel skip doing some pointless artificial
> delays that don't matter with vmd.
>
>>
>> Here's what I did:
>>
>> /etc/vm.conf
>>
>>     vm "vm1" {
>>         memory 1G
>>         disable
>>         cdrom "/isos/debian-12.5.0-amd64-netinst.iso"
>>         disk "/disks/disk_vm1.qcow2" format qcow2
>>         local interface
>>     }
>>
>> When I then start the VM, I am greeted with the message:
>>
>> "Press a key, otherwise speech synthesis will be started in 27 seconds..."
>>
>> and then after keypress
>>
>> "
>> Undefined video mode number: 314
>> Press <ENTER> to see video modes available, <SPACE> to continue, or wait 30
>> sec
>> "
>>
>> and it then crashes.
>>
>> Can anyone (maybe Bruce) point me in the right direction?
>>
>> Thanks!
>> Jake

Try "gfxpayload=text console=ttyS0,115200" (without the quotes)

I think there's a question about scanning for a graphics card after setting the boot parameters. Skip it if you can. The timeout was really long, maybe indefinite. I think I gave up and tried again.
Re: Debian 12 Under VMM
Hi Manuel,

This was tricky. First I had to clear the screen with CTRL+L.

Then I had to use the up and down arrows, and this makes a menu appear. Then you choose Help, and you enter the boot commands.

I had to go through a few trials and errors. Patience is key ;)

Good luck

> On 14 Jun 2024, at 15:14, Manuel Giraud wrote:
>
>> Thank you Dave and Bruce.
>>
>> This worked for me:
>>
>>     boost install gfxpayload=text console=ttyS0,115200n8
>>
>> The critical part was that I had to type it and not copy-paste it.
>
> Hi,
>
> Could you explain how you entered those instructions? I'm trying
> the same vm.conf as you but when I start with "vmctl start -c 1", I'm
> presented with a textual menu and I don't know what to do with it.
>
> Best regards,
> --
> Manuel Giraud
Re: Debian 12 Under VMM
Great to hear! The combined power of OpenBSD and Debian is now yours, use it wisely ;)

> On 17 Jun 2024, at 18:56, Manuel Giraud wrote:
>
>> Hi Manuel,
>>
>> This was tricky. First I had to clear the screen with CTRL+L.
>>
>> Then I had to use the up and down arrows, and this makes a menu appear.
>> Then you choose Help, and you enter the boot commands.
>
> Thanks, it works as expected. FTR, here is what I have done:
>
> - Select the "Help" menu entry, you get the following prompt:
>
>       Press F2 through F10 for details, or ENTER to boot:
>
> - Type "install gfxpayload=text console=ttyS0,115200" and enter
> - Press space, proceed with installation
>
> --
> Manuel Giraud
fsck similar to boot
Hi all,

I have removed my second drive from /etc/fstab and I am now manually mounting it as needed.

I believe this means there is no automatic fsck check run, and that feels like a bad thing. I was thinking I should run the same fsck check when I manually mount my drive.

How can I manually run a fast fsck check, equal to what is performed at boot time? I tried fsck -n and fsck -p but both of these take way too long, whereas the boot check is fast.

Thanks!
Dual boot with 2 openbsd
Hi all!

I want to set up a dual boot system, with 2 OpenBSD systems, and I wanted to run it past you guys, to see if the idea makes sense (and make sure I implement it correctly).

It is for a system that I will not be able to access physically easily.

So I bought 2 drives.

My idea is:

- Install OpenBSD on the 2 drives
  + drive1: partitions a to k for the OS
  + drive2: partitions a to k for the OS and partition m for data
- In UEFI, set up boot priority drive1, then drive2
- In the OS of drive1, mount only partition m of drive2
- As long as drive1 does not fail, I enjoy the OS on drive1 and I still make use of drive2
- If drive1 fails, the UEFI will automatically boot on drive2, and I can still enjoy the usage of the system, without having needed to access it physically.

Does this idea make sense?

If yes, any tip on how to do it? In particular, when I install OpenBSD on drive2, is it better to run the OpenBSD installer having booted on drive2, or can I just run it from OpenBSD_drive1 and select drive2 as destination for the new OS?

Thanks!
Jake
Re: Dual boot with 2 openbsd
I don't use RAID1 because the disks have vastly different capacity (one is 4 times the size of the other).

> On 17 Jul 2024, at 00:34, Benjamin Stürz wrote:
>
> On 7/16/24 10:57 PM, 04-psyche.tot...@icloud.com wrote:
>> Hi all!
>>
>> I want to set up a dual boot system, with 2 OpenBSD systems, and I wanted to
>> run it past you guys, to see if the idea makes sense (and make sure I
>> implement it correctly).
>>
>> It is for a system that I will not be able to access physically easily.
>>
>> So I bought 2 drives.
>>
>> My idea is:
>>
>> - Install OpenBSD on the 2 drives
>>   + drive1: partitions a to k for the OS
>>   + drive2: partitions a to k for the OS and partition m for data
>> - In UEFI, set up boot priority drive1, then drive2
>> - In the OS of drive1, mount only partition m of drive2
>> - As long as drive1 does not fail, I enjoy the OS on drive1 and I still make
>>   use of drive2
>> - If drive1 fails, the UEFI will automatically boot on drive2, and I can
>>   still enjoy the usage of the system, without having needed to access it
>>   physically.
>>
>> Does this idea make sense?
>>
>> If yes, any tip on how to do it? In particular, when I install OpenBSD on
>> drive2, is it better to run the OpenBSD installer having booted on
>> drive2, or can I just run it from OpenBSD_drive1 and select drive2 as
>> destination for the new OS?
>>
>> Thanks!
>> Jake
>
> Why don't you just use RAID 1?
Re: Dual boot with 2 openbsd
Thanks a lot to you 3 for your thoughts.

RAID1 on the overlapping capacity: I don't like that idea much because RAID1 has an extra cost where any modification on disk1 will be performed on disk2. I want to reap the benefits of having disk1 for the OS and disk2 for data. That makes the overall system much faster, because each drive is dedicated to 1 task, and each task is independent.

@Crystal, thanks a lot for all the details. I am not planning to share the home drive, because indeed I feared the extra complications. The extra partition m is beyond the OS partitions.

Your point regarding no guarantee for the system to boot to disk2 is well taken. It makes me question if it's worth doing at all. Do you have a sense of whether there is a large enough probability of disk1 failing catastrophically enough for the UEFI to directly boot to disk2, rather than being in a bad state on disk1?

Thanks!
avoid single-user mode boot
Hi all,

I have a machine that will be placed in a remote location, and have no physical access to. The connection will be made through ssh only. I'd like to make it as resilient to failure as possible.

A big concern to me is for a disk failure to happen (say a power outage), and the machine to be rebooted in single-user mode. At that point, the machine has no network access, and so I lose contact with it.

Is there any way to disable going to single-user mode when fsck is not happy? Is it reasonable to change the /etc/fstab to modify the fsck flag from 1 and 2 to 0, to bypass the fsck checks?

Alternatively, is there a way to have ssh access in single-user mode?

Thanks!
Jake
Re: avoid single-user mode boot
Thanks Crystal, unfortunately for this specific case, adding another machine to the same network is not an option.

> On 24 Jul 2024, at 11:11, Crystal Kolipe wrote:
>
> On Wed, Jul 24, 2024 at 09:04:17AM +0100, 04-psyche.tot...@icloud.com wrote:
>> Alternatively, is there a way to have ssh access in single user mode?
>
> The normal way to handle this and other boot-related problems is with a serial
> connection from another machine that is still accessible via the network.
>
> Depending on your budget, what this system is being used for, and the
> connectivity that is available at the remote location, there are various ways
> of making that happen.
Re: avoid single-user mode boot
Thanks Stuart for all these thoughts. That's a lot of great ideas. Let me try to clarify a few things:

- change `do_fsck` to `do_fsck -y`

  I assume you mean line 410. That seems like a great idea. Do I understand correctly that the normal behaviour for this `do_fsck` is to run the check, mark filesystems dirty, and then enter single-user mode? Whereas if I replace it with `do_fsck -y`, the filesystems will not be marked dirty, and it will not enter single-user mode?

- starting network and sshd in single-user mode

  In /etc/profile, I guess I can add something like:

      if [IS_SINGLE_USER_MODE]; then
          sh /etc/netstart
          rcctl start sshd
      fi

  Does that seem reasonable? (I have to figure out how to check if I am in single-user mode.)

- noatime, memory buffers, mfs -- all great ideas, I will implement that.

@Crystal, thank you, unfortunately, even an SBC on the router is not a viable option for this specific use case.
Re: avoid single-user mode boot
Thanks Matthew, that's helpful. I will look into that.
wireguard routing
Hi all,

I am working on a WireGuard network.

I have a setup like this:

    serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)

- serverA connects to serverB with AllowedIPs = 0.0.0.0/0
- serverB connects to serverC with AllowedIPs = 0.0.0.0/0

I cannot access serverC directly from serverA (it does not have a public-facing IP), so I go via serverB. I therefore need to set up routing on serverB.

If I set my default gateway to serverC:

    `route change default 10.0.0.2`

then I cannot connect from serverA, because packets from serverA are never returned to serverA.

So I need to also add a route like this:

    `route add serverA_public_ip serverB_local_gateway`

However, this is problematic with IP roaming (in other words, I don't have a good solution to dynamically know serverA's endpoint).

A solution would be to run a crontab every few minutes, parse the output of `wg show wg0 endpoints` and programmatically add the route for the current endpoint. This solution feels atrocious though.

The WireGuard website proposes a solution with fwmark:
https://www.wireguard.com/netns/#improved-rule-based-routing

However, this is Linux based, and I am not sure this is the optimal solution for an OpenBSD system.

So I have a few questions:

- I am currently using /etc/hostname.wg0 and the routing table. Should I use wg0-quick instead? Does wg0-quick take care automatically of routing in the case of IP roaming?
- Is the fwmark solution a good solution for OpenBSD as well? If yes, how can I implement it? Should I use routing domains?

Thanks!
Re: wireguard routing
Hi Crystal,

Yes, both serverA and serverC can access serverB, which has a fixed, public IP.

Thanks for the advice. I can make it work for only ssh'ing into either machine, but not for using all internet via serverC's connection, from serverA.

I believe the WireGuard configuration will use AllowedIPs to route WireGuard IPs, but the WireGuard config will not route external IPs. I thought I needed OpenBSD's route for that.

Are you able to make it work for that scenario?

Thanks!
Jake

> On 10 Aug 2024, at 11:11, Crystal Kolipe wrote:
>
> On Sat, Aug 10, 2024 at 09:18:48AM +0100, 04-psyche.tot...@icloud.com wrote:
>> Hi all,
>>
>> I am working on a wireguard network.
>>
>> I have a setup like this:
>>
>>     serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)
>>
>> - serverA connects to serverB with AllowedIPs = 0.0.0.0/0
>> - serverB connects to serverC with AllowedIPs = 0.0.0.0/0
>>
>> I cannot access serverC directly from serverA (it does not have a public
>> facing IP), so I go via serverB.
>
> Can serverA and serverC both make inbound connections to serverB?
>
> If so, then just:
>
> * set up a dedicated subnet for each of serverA and serverC
> * include both in the configuration of wgaip on each server
> * use a short wgpka setting on serverA and serverC to ensure that the link
>   stays up.
>
> No need for manual routing changes, routing domains, cron jobs or other
> kludges.
>
> It just works.
>
> I'm ssh'ed in to a machine right now that is at the other end of such a tunnel
> on a dynamic IP, and it's been up for seven days.
Re: wireguard routing
Hi David, thanks for your help.

Currently, serverB has only 1 WireGuard interface, which contains both peers (serverA and serverC). It is no issue to create a second WireGuard interface though.

In the configuration you propose (I think there is a typo and the third config is for serverC), I don't think the internet packets from serverA will be routed to serverC. As in, if on serverA I ping the wikipedia.org address, it will go through serverB's local gateway and not serverC.

My understanding is that if I don't change the default gateway on serverB, then it will always use its local gateway, instead of the desired outcome of sending to serverC, and going via serverC's local gateway.

Am I missing something?

Thanks!
pf route-to
Hi all,

I am failing at basic routing. I have included this rule in my pf.conf:

    pass out quick proto udp from any to any port 51820 route-to 192.168.1.254

I thought this would force egress traffic with destination port 51820 to use 192.168.1.254 as a gateway, instead of the default gateway specified in `route show`.

Is this incorrect? It seems to not work, as this scenario fails:

SCENARIO FAIL
---
    # pf.conf
    pass out quick proto udp from any to any port 51820 route-to 192.168.1.254

    # routing
    route change default 10.0.0.1    # point all traffic to vpn gateway

whereas this works (everything is the same, but I manually add a route to the public IP of the VPN):

SCENARIO WORKS
---
    # pf.conf
    pass out quick proto udp from any to any port 51820 route-to 192.168.1.254

    # routing
    route change default 10.0.0.1    # point all traffic to vpn gateway
    route add 135.32.101.17 192.168.1.254    # point vpn_public_ip to local gateway

So it seems my understanding of this pf rule is incorrect. Can anyone help me use pf to override the default gateway?

Thanks!
Re: resizing Debian virtual machine
That makes perfect sense, thank you.

I have deleted vda2 and vda5. I agree with you, no need for a swap partition. Swap files are working well.

On 12 Feb 2025, at 06:18, Atanas Vladimirov wrote:

> On 2025-02-12 01:00, 04-psyche.tot...@icloud.com wrote:
>> Hi all,
>>
>> I run a Debian VM on an OpenBSD system. I need to increase the size of this VM.
>>
>> I've increased the size of the disk image via
>>
>>     qemu-img resize disk.qcow2 +50G
>>
>> Now, I need the VM OS to be resized as well. I tried to resize the partition
>> with fdisk, but this is not possible it seems because this is the OS partition
>> (fair enough). I've then tried with growpart, but this failed as well.
>>
>> Is it possible to resize the OS partition? See some commands run on the VM below:
>>
>>     $ lsblk
>>     NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
>>     vda    254:0    0  100G  0 disk
>>     |-vda1 254:1    0   49G  0 part /
>>     |-vda2 254:2    0    1K  0 part
>>     `-vda5 254:5    0  975M  0 part [SWAP]
>>
>>     $ sudo fdisk /dev/vda1
>>     This disk is currently in use - repartitioning is probably a bad idea.
>>     It's recommended to umount all file systems, and swapoff all swap partitions on this disk.
>>     The device contains 'ext4' signature and it will be removed by a write command.
>>     See fdisk(8) man page and --wipe option for more details.
>>
>>     $ sudo growpart /dev/vda 1 -v
>>     /dev/vda1 : start=2048, size= 102854656, type=83, bootable
>>     /dev/vda2 : start= 102858750, size= 1996802, type=5
>>     /dev/vda5 : start= 102858752, size= 1996800, type=82
>>     max_end=102858749 tot=209715200 pt_end=102856703 pt_start=2048 pt_size=102854656
>>     NOCHANGE: partition 1 could only be grown by 2046 [fudge=2048]
>
> Hi,
>
> You can't grow the first partition because you have two more partitions after
> it (vda2 and vda5). You have to delete the swap (vda5) and the logical
> partition (vda2), then expand vda1. Then it is up to you if a new swap
> partition will be made (I would say no :).
>
> Best wishes,
> Atanas
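As an added example (not code from the thread or from growpart itself), here is the arithmetic behind the "could only be grown by 2046" refusal quoted above, run over the partition table from the thread both before and after deleting vda2 and vda5. The device naming rule (partition number at the end of the name, as in /dev/vdaN) and the 2048-sector fudge are assumptions taken from the quoted output.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce growpart's growth check.
# All values are 512-byte sectors. The tables below are constructed from the
# growpart -v output quoted in the thread (spacing included). Device names are
# assumed to end in the partition number, as /dev/vdaN does.

DISK_SECTORS=209715200   # "tot=" in the growpart output: the 100G disk

# Table as quoted in the thread: vda2 (extended) and vda5 (swap) sit right
# after vda1, so vda1 cannot grow past vda2's first sector.
PT_BEFORE='/dev/vda1 : start=2048, size= 102854656, type=83, bootable
/dev/vda2 : start= 102858750, size= 1996802, type=5
/dev/vda5 : start= 102858752, size= 1996800, type=82'

# The same disk after deleting vda2 and vda5, as the reply recommends.
PT_AFTER='/dev/vda1 : start=2048, size= 102854656, type=83, bootable'

# max_growth <partition-number> <disk-sectors> <table>
# Prints how many sectors the partition can grow by: up to the start of the
# nearest partition that begins after it, otherwise up to the end of the disk.
# Prints -1 when the partition is not in the table.
max_growth() {
    printf '%s\n' "$3" | sed 's/= */=/g' | awk -v part="$1" -v total="$2" '
        {
            # Fields after sed: /dev/vdaN : start=S, size=Z, type=T ...
            n = $1; sub(/.*[a-z]/, "", n)                  # "/dev/vda1" -> "1"
            s = $3; sub(/^start=/, "", s); sub(/,$/, "", s)
            z = $4; sub(/^size=/, "", z); sub(/,$/, "", z)
            start[n] = s + 0; size[n] = z + 0
        }
        END {
            if (!(part in start)) { print "-1"; exit }
            end = start[part] + size[part]               # first sector past it
            limit = total
            for (n in start)
                if (n != part && start[n] >= end && start[n] < limit)
                    limit = start[n]                     # a later partition is in the way
            print limit - end
        }'
}

# growpart_verdict <partition-number> <disk-sectors> <table>
# growpart ignores growth below its 2048-sector fudge and reports NOCHANGE,
# which is exactly what the quoted run shows for 2046 sectors.
growpart_verdict() {
    g=$(max_growth "$1" "$2" "$3")
    if [ "$g" -lt 0 ]; then
        echo "NOSUCHPART: partition $1 is not in the table"
    elif [ "$g" -lt 2048 ]; then
        echo "NOCHANGE: partition $1 could only be grown by $g [fudge=2048]"
    else
        echo "CHANGED: partition $1 can grow by $g sectors"
    fi
}

growpart_verdict 1 "$DISK_SECTORS" "$PT_BEFORE"   # NOCHANGE ... grown by 2046
growpart_verdict 1 "$DISK_SECTORS" "$PT_AFTER"    # CHANGED ... 106858496 sectors
```

The second verdict is the whole reason the reply says to delete vda2 and vda5 first: with nothing after vda1, the only limit left is the end of the resized disk.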
Re: pf configuration for virtual machine
I am now able to make it work, though it was through trial and error, so I'd appreciate any help in understanding why my solution works!

If my configuration is like this, it all works fine:

    block all
    pass out inet all keep state

    # Config to allow virtual Machine VMM to access the internet
    DNS_SERVER="8.8.8.8"
    match out on egress from 100.64.0.0/10 to any nat-to (egress)
    pass in proto { udp tcp } from 100.64.0.0/10 to any port domain rdr-to $DNS_SERVER port domain
    pass in on tap0 proto { udp tcp } from 100.64.0.0/10 to any port !=53

I had to add the last line. It makes sense that I had to allow a pass in on tap0: otherwise the virtual machine is not allowed to send messages to this interface at all.

However, I am confused as to why I need to exclude port 53. I just noticed that if I use instead:

    pass in on tap0 proto { udp tcp } from 100.64.0.0/10

then I can still access the internet, but DNS resolution will fail.

    dig google.com
    ;; communications error to 100.64.1.2#53: connection refused

If I exclude port 53 (the DNS port) then it works. Does anyone understand why?

@David: thanks for your questions. I am trying to achieve having internet connectivity in the virtual machine. And I am trying to understand why it does or does not work.

Thanks all,
Jake

> 04-psyche.tot...@icloud.com writes:
>
>> Hi all,
>>
>> I have set up a virtual machine on my OpenBSD box, following the guide
>> https://www.openbsd.org/faq/faq16.html#VMMnet
>>
>> I have trouble configuring pf to give the VM access to the internet.
>>
>> If my /etc/pf.conf contains the following lines, I don't have access to the
>> internet from the VM:
>>
>> --
>> block all
>> pass out inet all keep state
>>
>> # Config to allow virtual Machine VMM to access the internet
>> DNS_SERVER="8.8.8.8"
>> match out on egress from 100.64.0.0/10 to any nat-to (egress)
>> pass in proto { udp tcp } from 100.64.0.0/10 to any port domain rdr-to
>> $DNS_SERVER port domain
>> ---
>
> Is this the entirety of /etc/pf.conf?
>
>>
>> However, if I comment out the first line (block all), or add a "pass in"
>> line then it works.
>>
>
> I'm far from a "pf person" let alone a "network person", but what are
> you trying to achieve with your config?
>
> The example /etc/examples/pf.conf starts with something like:
>
>     block return    # block stateless traffic
>     pass            # establish keep-state
>
> Why can't you start there?
>
>> Either is way too permissive though, what is the smallest "pass in" I should
>> add to allow it internet access?
>>
>> I tried "pass in to 100.64.0.0/10" but it does not work.
>>
>> Thank you!
>>
>> Jake
pf configuration for virtual machine
Hi all,

I have set up a virtual machine on my OpenBSD box, following the guide https://www.openbsd.org/faq/faq16.html#VMMnet

I have trouble configuring pf to give the VM access to the internet.

If my /etc/pf.conf contains the following lines, I don't have access to the internet from the VM:

--
block all
pass out inet all keep state

# Config to allow virtual Machine VMM to access the internet
DNS_SERVER="8.8.8.8"
match out on egress from 100.64.0.0/10 to any nat-to (egress)
pass in proto { udp tcp } from 100.64.0.0/10 to any port domain rdr-to $DNS_SERVER port domain
---

However, if I comment out the first line (block all), or add a "pass in" line then it works.

Either is way too permissive though, what is the smallest "pass in" I should add to allow it internet access?

I tried "pass in to 100.64.0.0/10" but it does not work.

Thank you!

Jake