DaemonForums > OpenBSD > OpenBSD Security
#1 | 25th November 2022 | Entropic
VPN Setup on OpenBSD 7.2

Hi All,

I've recently got OpenBSD (AMDx64) installed on a 10 year old HP Probook laptop, and now I need to give it secure internet using my VPN subscription. I've currently got ExpressVPN, and I understand it might be possible for me to connect to it using OpenVPN running in OpenBSD?

What do you think of this as a step by step guide for getting it working? Any other links you'd suggest?

Looking ahead: even once I get an OpenVPN connection to ExpressVPN servers, I'm then going to use a combination of FFox (I believe I need the ESR release for it to work well with OpenBSD?) and my Lastpass PW manager. Now I understand there's a Lastpass port but what about the Yubikey that I need to login with? How on earth will that work in combination with the Lastpass CLI here?
#2 | 25th November 2022 | jggimi

Just like with Firefox, there is an OpenBSD README installed with the OpenVPN package that provides OpenBSD-specific provisioning guidance.

I found a closed issue on Github from 2014 that mentions a working Yubikey in the problem description: https://github.com/lastpass/lastpass-cli/issues/47. But I have no other knowledge about the integration -- or lack thereof -- of Yubikeys and lastpass-cli. You might reach out to that project for guidance if needed.
#3 | 30th November 2022 | Entropic

Thanks jggimi. I think I'll be able to avoid the lastpass client now that I've got FFox installed. I should be able to go to lastpass.com and log in there and hopefully when it prompts me for the yubikey it will actually do so in the same way it does when I go there on my Macbook. I suspect not, but getting that device recognised/enabled may be a topic for another thread.

Of course I don't want to have my login credentials exposed over regular internet and so I still need to get this OpenVPN connection established to my VPN provider (ExpressVPN). As things are I'm writing these posts and doing all my OpenBSD article finding on this Macbook. I just tried looking up the OpenVPN provisioning guidance readme as you suggest using a duckduckgo search on this mac but found nothing (surprising actually) so I'm using this which is actually a pretty solid guide, as far as I can tell, for getting my OpenVPN client connection set up in OpenBSD.

So per the instructions on that page I've successfully downloaded OpenVPN using
Code:
pkg_add -v openvpn
At the next step I also don't have any errors (making the directory /etc/openvpn) though I am confused as to why we have to do this in any event. Wouldn't the pkg_add command have already installed OpenVPN to /etc/openvpn meaning the directory has already been made as part of the installation process?

Now comes the main issue: The transferring of the ovpn config files that I've downloaded from within my ExpressVPN account from the USB stick to the OpenBSD system. For that I've used this excellent helper article here. Now before I get to the main issue I need help with, and so that I have a holistic understanding of what's going on when I employ these commands: is this mounting process basically about making a directory on the OpenBSD system called /mnt/pen and then copying the entire USB drive's contents across (in this case my OVPN config files) to this newly created directory using the command:
Code:
 mount /dev/sd0i /mnt/pen
Actual issue:
After doing the mount / copy of the USB contents to the newly created /mnt/pen directory, I then tried to copy them across to /etc/openvpn where according to this they need to be for the final editing with vi. After using
Code:
 #cp /mnt/pen /etc/openvpn
it seems to do the copy over, but then when I navigate to /etc/openvpn and do
Code:
#ls -l
to check for the newly added OVPN files, it reports 0 (no files in this DIR)...

Does it matter that when I copied the OVPN files originally to the USB it was done as a simple GUI interface copy on MacOS (not DD or CP in the mac terminal)? If so, why am I able to see them fine when I mount the USB drive to /mnt/pen? As you can see this is a pretty basic step I need to overcome to get the OpenVPN client up and running to secure my internet in OpenBSD. Any help would be appreciated!
#4 | 30th November 2022 | jggimi

Quote (Originally Posted by Entropic):
Of course I don't want to have my login credentials exposed over regular internet....
If your session is using HTTPS protocol, the contents of your traffic are not exposed. The enciphered traffic is sent back and forth between your IP address and the web server's IP address, though.
Quote:
...I just tried looking up the OpenVPN provisioning guidance readme as you suggest using a duckduckgo search on this mac but found nothing (suprising actually) so I'm using this which is actually a pretty solid guide, as far as I can tell, for getting my OpenVPN client connection setup in OpenBSD..

So per the instructions on that page I've successfully downloaded the OpenVPN using
Code:
pkg_add -v openvpn
...
Then you have now installed the README file, which you can find in /usr/local/share/doc/pkg-readmes/.
Quote:
..Wouldn't the pkg_add command have already installed OpenVPN to /etc/openvpn meaning the directory has already been made as part of the installation process?
Not the way it is currently packaged. I cannot tell you why, as I am not an openvpn user. You could reach out to the port/package maintainer for an explanation of why it is packaged this way, if you wish. Jeremie Courreges-Anglas's email address can be found in the output of $ pkg_info openvpn.
Quote:
...After using
Code:
 #cp /mnt/pen /etc/openvpn
it seems to do the copy over, but then when I navigate to /etc/openvpn and do
Code:
#ls -l
to check for the newly added OVPN files, it reports 0 (no files in this DIR)...
You are not using the cp(1) command correctly. To copy contents from one directory to another, a recursive copy should be used, with the -R option. From the cp(1) man page:
Code:
     -R      If source designates a directory, cp copies the directory and the
             entire subtree connected at that point.
#5 | 30th November 2022 | Entropic

Quote (Originally Posted by jggimi):
If your session is using HTTPS protocol, the contents of your traffic is not exposed. The enciphered traffic is sent back and forth between your IP address and the web server's IP address, though.Then you have now installed the README file, which you can find in /usr/local/share/doc/pkg-readmes/.
You do realise that for someone to resort to learning such a different OS as OpenBSD is usually a pretty good indicator that reliance on something as downgradeable or interceptable as HTTPS alone is not going to wash... I need a VPN.

Quote:
Not the way it is currently packaged. I cannot tell you why, as I am not an openvpn user. You could reach out to the port/package maintainer for an explanation of why it is packaged this way, if you wish. Jeremie Courreges-Anglas's email address can be found in the output of $ pkg_info openvpn.
I'm not fussed over why it's packaged one way or another. I just want it to work and I'm not going to "reach out" to a developer for something that is but a mere side concern to my basic objective of getting it working with my OVPN config files.

Quote:
You are not using the cp(1) command correctly. To copy contents from one directory to another, a recursive copy should be used, with the -R option. From the cp(1) man page:
Code:
     -R      If source designates a directory, cp copies the directory and the
             entire subtree connected at that point.
Now this is helpful. Thank you. I've just done a
Code:
man cp
to learn more about the cp command in readiness for trying the same with the OpenVPN readme that you say I should now be able to view. On that point: how do I open this readme file for OpenVPN? Would I type the following to firstly navigate to the openVPN readme's DIR:
Code:
cd /usr/local/share/doc/pkg-readmes/
and then the following once in the DIR:
Code:
 vi readme.txt
?

UPDATE (since original version of this post): I've just gone back into my OpenBSD system to give this cp a retry using the -R argument and found that the files I mounted successfully yesterday to the /mnt/pen folder are no longer there. So I've gone through the mounting process again (in short: mkdir /mnt/usb followed by mount /dev/sd0i /mnt/usb) to get the files available for the system. Now when I then navigate to the /mnt/usb and its subfolder to copy the OVPN files using this new -R argument method, I end up with the same
Code:
total 0
message which AFAIK means there's nothing in the destination directory?

I'm going to provide exactly what I'm inputting into the command line in case you can point out what I'm missing or doing wrong in my input:
Code:
cp -R ._my_expressvpn_switzerland.udp.ovpn /etc/openvpn
So given the above, why am I still not finding anything in the destination DIR?
Do I need to specify the source directory within the command? Surely not since I'm already sitting within the relevant directory when issuing the cp command right?

Does it really need to be this hard?

UPDATE 2: Have now also tried specifying the source directory and filename in the source component of the command line. ie.
Code:
 cp -R /mnt/usb/ExpressVPN\OpenVPN/ ._my_expressvpn_switzerland_udp.ovpn /etc/openvpn
same freaking issue: "total 0" when I do ls -l in the /openvpn destination dir.

OMG it's been a long time since an operating system made me this frustrated! Somebody help me with this!

Last edited by Entropic; 30th November 2022 at 01:05 PM.
#6 | 30th November 2022 | jggimi

You could use the vi(1) editor, but a "pager" such as less(1) or more(1) could also be used without the risk of accidentally editing a file. The names of the README files in that directory are the package names, so you could use something like $ less /usr/local/share/doc/pkg-readmes/openvpn or you could change to the directory and list the files within, then select a file to review with a pager utility. For example, on this laptop I'm using:
Code:
t450$ cd /usr/local/share/doc/pkg-readmes/
t450$ ls
avahi               dbus                gnupg               jdk-11              qemu-ga             texlive_base
chromium            ffmpeg              gtk+2               keepassxc           rawtherapee         tor-browser
consolekit2         firefox             gtk+3               libgphoto           sane-backends       udfclient
cups                foomatic-db-engine  gtk+4               llvm                sdl2                xdg-utils
cups-filters        git                 hplip-common        miniupnpc           tarsnap-gui
cvechecker          glib2               jack                qemu                terminus-font
t450$ less firefox
#7 | 30th November 2022 | Entropic

Quote (Originally Posted by jggimi):
You could use the vi(1) editor, but a "pager" such as less(1) or more(1) could also be used without the risk of accidentally editing a file. The names of the README files in that directory are the package names, so you could use something like $ less /usr/local/share/doc/pkg-readmes/openvpn or you could change to the directory and list the files within, then select a file to review with a pager utility. For example, on this laptop I'm using:
Code:
t450$ cd /usr/local/share/doc/pkg-readmes/
t450$ ls
avahi               dbus                gnupg               jdk-11              qemu-ga             texlive_base
chromium            ffmpeg              gtk+2               keepassxc           rawtherapee         tor-browser
consolekit2         firefox             gtk+3               libgphoto           sane-backends       udfclient
cups                foomatic-db-engine  gtk+4               llvm                sdl2                xdg-utils
cups-filters        git                 hplip-common        miniupnpc           tarsnap-gui
cvechecker          glib2               jack                qemu                terminus-font
t450$ less firefox
Oh cool you use keepass. I've been intending to move my lastpass across to keepass after mentally bookmarking its benefits a couple months ago, but of course I have to get this connection secured to then worry about those next level issues..

I'm not sure if you've noticed but I've updated today's post a couple of times after trying/retrying various forms of the cp -R command to no avail.
I've just noticed that when I navigate to the /mnt/usb directory I can only type
Code:
cd usb
when coming from the /mnt directory that I had to specify
Code:
cd /mnt
to get into. Why can I only access the USB subdirectory without the forward slash in the command line? Does this mean I didn't actually create the USB directory and I perhaps created it as a file instead?? As you can see, the frustration with being unable to do this simple task is driving me somewhat insane...
#8 | 30th November 2022 | jggimi

I just happened by and noticed you edited your post to add
Quote (Originally Posted by Entropic):
UPDATE (since original version of this post):...
I'm sorry that you're frustrated with using Unix/Linux utilities, which you've never used before. Briefly:
  • mount(8) attaches and makes a filesystem available underneath a "mount point", such as in your use-case, an otherwise empty directory you previously created, /mnt/pen.
  • cp(1) copies files and, if used recursively with a directory, an entire branch of a filesystem.
Check the contents of /mnt/pen after mounting it, before you blame the cp(1) command for any failures to copy. If the contents are empty, there will be nothing to copy.

Here's an example of a recursive directory copy with cp(1). In this example I have created a directory "a" and then under it created files "b" and "c", a sub-directory "d" and within that files "e" and "f":
Code:
t450$ ls -FR a
a:
b  c  d/

a/d:
e  f
Now, I do a recursive copy of directory "a" to "g" with cp(1). This copies the contents of "a" and every file and directory within "a" to a new directory "g", created by that cp command:
Code:
t450$ cp -R a g
t450$ ls -FR g
g:
b  c  d/

g/d:
e  f
#9 | 30th November 2022 | Entropic

Quote (Originally Posted by jggimi):
Check the contents of /mnt/pen after mounting it, before you blame the cp(1) command for any failures to copy. If the contents are empty, there will be nothing to copy.
I thought I'd made this clear in my earlier posts. To be clear, I'm seeing the full list of files when I
Code:
 cd /mnt/pen (or /mnt/usb)
after mounting so the files are definitely there for the copying.

Quote:
Here's an example of a recursive directory copy with cp(1). In this example I have created a directory "a" and then under it created files "b" and "c", a sub-directory "d" and within that files "e" and "f":
Code:
t450$ ls -FR a
a:
b  c  d/

a/d:
e  f
Now, I do a recursive copy of directory "a" to "g" with cp(1). This copies the contents of "a" and every file and directory within "a" to a new directory "g", created by that cp command:
Code:
t450$ cp -R a g
t450$ ls -FR g
g:
b  c  d/

g/d:
e  f
Thanks for giving this example, but in relating it to my scenario I don't see how it helps. In my last main post a couple of messages above I showed how I used cp with the -R argument in at least two different forms: one where I included the source directory together with the file name, and one where I just specified the file as the source, noting that I'm already in the directory that I'm copying from (and thus shouldn't have to specify its path? Again, please answer that direct question as that might clear up a critical misunderstanding in my command line inputs). Or even better, just look at what I put in as my command line and say where the error is!? Just a thought?
30th November 2022 | jggimi

Your file names appear to have leading dots, and that's atypical: on Unix-based platforms, files with leading dots are considered "hidden" in that some commands, such as ls(1), will not show them without the addition of the -a option. Perhaps, then, you have successfully copied files but do not see them with ls(1) because you are not using -a.


If using $ ls -a is not the solution, then more information will be needed. The use of script(1) to record a console session might shed more light on what is going on.
1st December 2022 | Entropic

Quote (Originally Posted by jggimi):
Your file names appear to have leading dots, and that's atypical: on Unix-based platforms, files with leading dots are considered "hidden" in that some commands, such as ls(1), will not show them without the addition of the -a option. Perhaps, then, you have successfully copied files but do not see them with ls(1) because you are not using -a.


If using $ ls -a is not the solution, then more information will be needed. The use of script(1) to record a console session might shed more light on what is going on.
On going into my OpenBSD system and the destination to which I'd already copied these files yesterday (/etc/openvpn) to try this new
Code:
ls -a
command it just reports
Code:
. ..
What does this mean? Does it mean there's nothing in the directory? Or does it mean there's a couple of hidden files?
1st December 2022 | jggimi

It means there is nothing in the directory. The "." is a pointer to the current directory, and the ".." is a pointer to the directory above.


===


If you can produce one, I'd love to see a console log -- a "typescript" file, output from the script(1) utility -- from a new attempted copy session. If you are able to transfer the file, of course.



In particular, I'd like to see the contents of the source directory structure you are trying to copy out of, using ls(1) with the -l option, so that the file types and file access modes are displayed, and, if there are any errors or warnings from the cp(1) command.
2nd December 2022 | Entropic

Quote (Originally Posted by jggimi):
It means there is nothing in the directory. The "." is a pointer to the current directory, and the ".." is a pointer to the directory above.


===


If you can produce one, I'd love to see a console log -- a "typescript" file, output from the script(1) utility -- from a new attempted copy session. If you are able to transfer the file, of course.


In particular, I'd like to see the contents of the source directory structure you are trying to copy out of, using ls(1) with the -l option, so that the file types and file access modes are displayed, and, if there are any errors or warnings from the cp(1) command.
I've just used script(1) to create command line outputs using
Code:
 script -a cpfail.typescript
but when I try and upload these script outputs to a new post in these forums whilst in my OpenBSD firefox, the "browse" to file upload option just gives a blank screen. Is this because of OpenBSD's built in sandboxing preventing FFox from seeing anything else in the system? Either way, how do I get the script uploaded to a new post from within the OpenBSD system!? I'm guessing I may need to use a third party service to upload the files to (e.g. pastebin?) but won't I just encounter the same issue when I inevitably use the "browse to" option to select the file I want to upload to pastebin? How can I get the typescript output up here for you to view!

In the meantime I'm going to briefly summarise this thread as it's already getting quite long, and I've actually already faithfully listed all the command line inputs used to date anyway. In post #3 in this thread I showed how I'd mounted the OVPN config files to the newly made directory /mnt/pen (and later /mnt/usb). I confirmed that this had been successful because using ls -l from within the /mnt/usb directory showed the full contents of the USB that I know to exist from having put it on the USB in a MacOS system beforehand.

Since then I've also done at least two posts showing my command line input of the cp command (including the recursive -R argument and including a form where I specified the full path to the sourcefile)
Code:
cp -R ._my_expressvpn_switzerland.udp.ovpn /etc/openvpn
and how when I then navigate to the relevant destination directory (/etc/openvpn) it shows nothing upon inputting
Code:
ls -l
Today I've redone the whole process again (as I found no contents within the /mnt/usb directory) and found that aside from the ._myexpressvpn_switzerland.udp.ovpn file there is actually a more standard (unhidden) form of the same file: my_expressvpn_switzerland.udp.ovpn, so I've copied this standard file across to the /etc/openvpn destination folder only to navigate in there and find nothing again (as usual). What was different this time, however, was that my terminal script output (typescript file) was showing when I listed the directory contents, meaning that whatever is preventing the successful copying to that destination is not a permissions issue (I'm doing this all in root anyway)...

When I use the copy command from within the mounted directory of USB contents I get no feedback from the console after pressing enter on the following
Code:
cp *.ovpn /etc/openvpn
and it returns me to the # console. This means the cp command ran without error, right? Another observation that may be relevant here: When I use the
Code:
cd
command to navigate to the /mnt/usb directory, I find that I can only get into it by first typing (from root)
Code:
cd /mnt
followed by
Code:
cd usb
If I type cd /usb (from within the /mnt directory), it says no file or directory exists. Why does typing cd without the forward slash get me into this /usb directory but doing it with the forward slash not? It is a directory after all, and I've confirmed its mounted contents previously....
2nd December 2022 | bsd-keith (Keith)

Because /mnt is a system/root directory you need to use the slash, but /mnt/usb is a sub directory of /mnt so you don't need it, if you are in /mnt, but if you aren't in /mnt, you need cd /mnt/usb.
Linux since 1999, & also a BSD user.
2nd December 2022 | Entropic

Quote (Originally Posted by bsd-keith):
Because /mnt is a system/root directory you need to use the slash, but /mnt/usb is a sub directory of /mnt so you don't need it, if you are in /mnt, but if you aren't in /mnt, you need cd /mnt/usb.
Thanks Keith... and as a general update: I went back to basics and read a basic unix command tutorial. It turns out that the openvpn directory that I was copying to was actually a file. I was able to figure this out by navigating to the directory and doing the "ls -l" command, whereupon with the benefit of my recent command line learnings I realised that it's only a directory if it's got a d at the far left of the descriptive listings (next to the permissions of rw-r--r-- etc.). Still, it's sad that no error msg was produced when I tried copying this file to a file named 'openvpn'. I'm presuming it did nothing, but it didn't either give me an error message or anything..

As a caveat, however, I had to delete the openvpn file in /etc before I could create a directory with the same name. I'm pretty sure the openvpn file I deleted in /etc was of no significance as it was something I'd probably created with an erroneous cp command early in my trials on doing this about a week ago, but I'm not 100% sure :/
It would be good as a learning experience to know how I created a file named openvpn in the first place mind you. From today's unix basics I think a file can only be created by typing vi /<filename> meaning I must have typed the following at some point in all of this?
Code:
vi openvpn
Anyway I'm now going to try and get this OpenVPN connection to my ExpressVPN using the guide referred to in post one - wish me luck!
2nd December 2022 | jggimi

You are correct that Firefox is restricted to only specific storage locations, such as /tmp and $HOME/Downloads.

Here -- as an example only -- is a set of commands that I would use to copy contents from a USB stick into a new directory. In this example, the commands are shown with "#" in the prompt because they are performed as the superuser, root.

First, when I insert the stick into my laptop, the kernel produces messages on the console informing me of the attachment and, on this laptop here, the assignment of the USB stick to sd(4) device number 2. This is the actual output, which is captured on the console and in my dmesg(8):
Code:
umass0 at uhub0 port 12 configuration 1 interface 0 "INDMEM M-Trive" rev 3.00/1.00 addr 4
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd2 at scsibus4 targ 1 lun 0: <INDMEM, M-Trive, 0> serial.174c55aa6B7782967799
sd2: 114473MB, 512 bytes/sector, 234441648 sectors
Now, I use the disklabel(8) command to inspect the available filesystems on this USB stick, which happens to hold an installed and bootable Microsoft Windows system:
Code:
t450# disklabel sd2
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: M-Trive         
duid: 0000000000000000
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 14593
total sectors: 234441648
boundstart: 34
boundend: 234441615

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        234441648                0  unused                    
  i:           204800             2048   MSDOS            
  j:           262144           206848 unknown                    
  k:        232736700           468992   NTFS
I can see two small partitions, "i" and "j" and a third, large partition "k". (Partition "c" is the entire drive, from the first sector to the last.)

I will mount that large "k" partition under /mnt, which on my laptop is just an empty directory. I've used ls with -a to prove it is empty to myself, then I mount partition k, and take a quick look at all the files and directories that get listed under /mnt:
Code:
t450# ls /mnt           
t450# ls -a /mnt
.  ..
t450# mount /dev/sd2k /mnt
t450# ls -F /mnt
$AttrDef                       $UpCase                        ESD                            System Volume Information
$BadClus                       $Volume                        Garmin                         Users
$Bitmap                        $WINDOWS.~BT                   Intel                          Windows
$Boot                          $WinREAgent                    OneDriveTemp                   e9433bf69c2fde6e687b
$Extend                        $Windows.~WS                   PerfLogs                       hiberfil.sys
$LogFile                       AVScanner.ini                  Program Files                  inetpub
$MFTMirr                       Config.Msi                     Program Files (x86)            pagefile.sys
$Recycle.Bin                   Documents and Settings         ProgramData                    swapfile.sys
$Secure                        DumpStack.log.tmp              Recovery
t450# ls -F /mnt
$AttrDef*                      $UpCase*                       ESD/                           System Volume Information/
$BadClus*                      $Volume*                       Garmin/                        Users/
$Bitmap*                       $WINDOWS.~BT/                  Intel/                         Windows/
$Boot*                         $WinREAgent/                   OneDriveTemp/                  e9433bf69c2fde6e687b/
$Extend/                       $Windows.~WS/                  PerfLogs/                      hiberfil.sys*
$LogFile*                      AVScanner.ini*                 Program Files/                 inetpub/
$MFTMirr*                      Config.Msi/                    Program Files (x86)/           pagefile.sys*
$Recycle.Bin/                  Documents and Settings/        ProgramData/                   swapfile.sys*
$Secure*                       DumpStack.log.tmp*             Recovery/
For this example, I will copy the entire contents of the /mnt/Intel directory into a new directory, /etc/test. First, I'll list the contents:
Code:
t450# ls -lR /mnt/Intel/
/mnt/Intel/:
total 0
drwxr-xr-x  1 root  wheel  0 Aug 22  2019 Logs
drwxr-xr-x  1 root  wheel  0 Nov 24 11:31 gp

/mnt/Intel/Logs:
total 576
-rwxr-xr-x  1 root  wheel       0 Aug 22  2019 IntelCPHS.log
-rwxr-xr-x  1 root  wheel  210610 Jul 22 19:24 IntelGFX.log
-rwxr-xr-x  1 root  wheel   22588 Jul 22 19:24 IntelGFXCoin.log
-rwxr-xr-x  1 root  wheel    5158 Aug 22  2019 IntelICCS.log
-rwxr-xr-x  1 root  wheel   45330 Aug 22  2019 IntelOCL.log

/mnt/Intel/gp:
total 0
I have learned there are two sub-directories, "Logs" which has some files, and "gp" which is empty. Now, I will first check to see if there is an /etc/test directory, because I don't want to overwrite anything on my laptop by accident, then I will copy the structure:
Code:
t450# ls -lR /etc/test
ls: /etc/test: No such file or directory
t450# cp -R /mnt/Intel /etc/test
t450# ls -lR /etc/test
/etc/test:
total 8
drwxr-xr-x  2 root  wheel  512 Dec  2 08:06 Logs
drwxr-xr-x  2 root  wheel  512 Dec  2 08:06 gp

/etc/test/Logs:
total 600
-rwxr-xr-x  1 root  wheel       0 Dec  2 08:06 IntelCPHS.log
-rwxr-xr-x  1 root  wheel  210610 Dec  2 08:06 IntelGFX.log
-rwxr-xr-x  1 root  wheel   22588 Dec  2 08:06 IntelGFXCoin.log
-rwxr-xr-x  1 root  wheel    5158 Dec  2 08:06 IntelICCS.log
-rwxr-xr-x  1 root  wheel   45330 Dec  2 08:06 IntelOCL.log

/etc/test/gp:
total 0
The entire structure of the "Intel" directory from that stick's "k" partition has been copied. I did not need to change my working directory to copy this structure. Now that the structure has been copied, I can unmount the filesystem:
Code:
t450# umount /mnt
And, when I yank the stick, the console shows the USB disconnection:
Code:
sd2 detached
scsibus4 detached
umass0 detached

Last edited by jggimi; 2nd December 2022 at 01:18 PM. Reason: typo
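jggimi's a-to-g demonstration above and the later discovery that /etc/openvpn was a regular file rather than a directory point at the same check: before copying, confirm that the destination really is a directory, because cp(1) run as root will happily overwrite a plain file of that name and report nothing, which is exactly why "ls -l" kept showing "total 0". The following is an added example for this thread, not code posted by anyone in it. It assumes a POSIX sh, uses placeholder paths throughout, and builds a constructed stand-in for the stick's "ExpressVPN OpenVPN" folder (one .ovpn plus the macOS "._" sidecar seen in the thread) under a temporary directory so that it runs offline.

```sh
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# copy_tree SRC DST: copy the *contents* of directory SRC into directory DST,
# refusing to run when DST already exists as something other than a directory.
# That is the trap from this thread: "cp file /etc/openvpn" with a plain file
# called openvpn overwrites that file and prints nothing. Afterwards the
# regular-file counts of SRC and DST are compared as a cheap verification.
copy_tree() {
    src=$1
    dst=$2
    if [ ! -d "$src" ]; then
        echo "copy_tree: source '$src' is not a directory" >&2
        return 1
    fi
    if [ -e "$dst" ] && [ ! -d "$dst" ]; then
        echo "copy_tree: destination '$dst' exists and is not a directory" >&2
        return 2
    fi
    mkdir -p "$dst" || return 3
    # "src/." copies what is inside src (dotfiles such as ._foo.ovpn included)
    # rather than creating dst/<basename of src>.
    cp -R "$src/." "$dst/" || return 4
    want=$(find "$src" -type f | wc -l | tr -d ' ')
    got=$(find "$dst" -type f | wc -l | tr -d ' ')
    if [ "$want" -ne "$got" ]; then
        echo "copy_tree: expected $want regular files in '$dst', found $got" >&2
        return 5
    fi
    return 0
}

# demo: build a constructed stand-in for the stick's "ExpressVPN OpenVPN"
# folder (one .ovpn plus the macOS "._" sidecar seen in the thread) under a
# temporary directory, then run the failing case and the working case.
# Prints a one-line summary and returns 0 only if both behaved as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    src="$tmp/usb/ExpressVPN OpenVPN"
    mkdir -p "$src"
    printf 'client\nremote vpn.example.invalid 1195 udp\n' \
        > "$src/my_expressvpn_switzerland_udp.ovpn"
    : > "$src/._my_expressvpn_switzerland_udp.ovpn"

    # Case 1: destination path is a regular file (what /etc/openvpn was).
    : > "$tmp/etc_openvpn_file"
    rc_file=0
    copy_tree "$src" "$tmp/etc_openvpn_file" 2>/dev/null || rc_file=$?

    # Case 2: destination path does not exist yet; copy_tree creates it.
    rc_dir=0
    copy_tree "$src" "$tmp/etc_openvpn_dir" 2>/dev/null || rc_dir=$?
    copied=$(find "$tmp/etc_openvpn_dir" -type f -name '*.ovpn' | wc -l | tr -d ' ')

    rm -rf "$tmp"
    echo "file-destination rc=$rc_file dir-destination rc=$rc_dir ovpn-files-copied=$copied"
    [ "$rc_file" -eq 2 ] && [ "$rc_dir" -eq 0 ] && [ "$copied" -eq 2 ]
}

demo
```

Run as-is it prints "file-destination rc=2 dir-destination rc=0 ovpn-files-copied=2". For the real stick the call would be something like copy_tree "/mnt/usb/ExpressVPN OpenVPN" /etc/openvpn, and the point of the -e/-d test is that the "openvpn is a file" situation becomes a loud error instead of a silent overwrite; the file-count comparison at the end is what "ls -l" in the destination was being used for by hand.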
2nd December 2022 | Entropic

Righteo, now that I've got my .ovpn files copied into /etc/openvpn apparently I just need to use vi to edit a file called hostname.tun0 that OpenVPN for BSD opens by default (if my interpretation of this page is correct).

So I used vi to "append" the following to the hostname.tun0 file. Firstly, I'm still not 100% sure if I needed to be editing "hostname.tun0" specifically, or whether it should be the name of my root user before .tun0? I'm assuming the former is correct given the page's instruction:

"OpenVPN normally re-creates the tun/tap interface at startup. OpenVPN should be started from the hostname.tun0"
As a precaution I edited the latter-named .tun0 file in vi by "appending" the same command as for the hostname.tun0 file, to ensure that whichever one was the actual .tun0 file being referred to by the programme, it would have the same scripting:
Code:
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openbsd.ovpn
before quitting with write command ":wq!"

So the next instruction is to run the following command to start the OpenVPN connection using the ovpn config files I copied over to /etc/openvpn:
Code:
/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openbsd.ovpn
I'm immediately prompted for a username and pw (both of which I notice were created from my ExpressVPN provider's manual config pages after I logged into the account and specified that I wanted manual OVPN config files). On entering these credentials it puts me back to the # prompt as if it's been successful, but then when I verify it using the following, it says "status: down":
Code:
ifconfig tun0
So what's wrong? I suspect it's to do with my editing of the hostname.tun0 file using vi. I'm not sure if "append" means I need to put it somewhere in particular, or whether it's fine that I put it at the top of the page. I didn't see any existing text other than several lines of tilde (~) on each line on entering the hostname.tun0 file with vi, so there was nothing to "append" to... so I just stuck the command in (up on the top line, then !/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openbsd.ovpn on the second line) before writing with quit (:wq!)... I assume this is fine, but is it? What else could it be then, if this isn't the issue that's preventing me from connecting to my ExpressVPN servers?
2nd December 2022
jggimi
Quote:
Originally Posted by Entropic View Post
Firstly, I'm still not 100% sure if I needed to be editing "hostname.tun0" specifically, or whether it should be the name of my root user before .tun0?
OpenBSD uses hostname.if(5) files to provision Network Interface Connectors (NICs). These are files stored in the /etc directory, and named after the interfaces they provision. These files are read during network startup by the netstart(8) script that gets executed during boot. As an example, on my laptop, I have six NICs provisioned -- two physical NICs, an em(4) NIC for wired Ethernet, an iwm(4) NIC for WiFi, and four pseudo-NICs, including a wg(4) pseudo-NIC for use with a WireGuard VPN:
Code:
t450$ ls /etc/hostname.*
/etc/hostname.em0       /etc/hostname.lo1       /etc/hostname.vlan0
/etc/hostname.iwm0      /etc/hostname.trunk0    /etc/hostname.wg0
Quote:
...So what's wrong? I suspect it's to do with my editing of the hostname.tun0 file using vi. I'm not sure if "append" means I need to put it somewhere in particular, or whether it's fine that I put it at the top of the page. I didn't see any existing text other than several lines of tilde (~) on each line on entering the hostname.tun0 file with vi, so there was nothing to "append" to... so I just stuck the command in (up on the top line, then !/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openbsd.ovpn on the second line) before writing with quit (:wq!)... I assume this is fine, but is it? What else could it be then, if this isn't the issue that's preventing me from connecting to my ExpressVPN servers?
I'm not an OpenVPN user, so don't have any specific guidance. I'd first ensure that the hostname.tun0 file is correct, as noted above, and then I'd look to see if the OpenVPN daemon is running with something like $ pgreg -lf openvpn. As I don't have any direct knowledge of OpenVPN use, the thing that concerns me from your problem report is the prompt for authentication (userid, pw) during startup of the daemon. I would look for ways to provide a certificate or other authentication methods that don't require prompts, because the netstart(8) script doesn't have a way to operate interactively.

You can either wait for an OpenVPN user to respond here, reach out to the author of the guide you are using for clarification, or obtain guidance on provisioning OpenVPN from your VPN service provider.
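The hostname.tun0 contents Entropic posted above and jggimi's point that netstart(8) cannot answer prompts, as an added shell example that is not from this thread, from OpenBSD or from OpenVPN: it reads the --config path out of a hostname.if(5) "!" line and checks whether the referenced .ovpn config can start unattended (an auth-user-pass directive without a file argument is what makes openvpn prompt on the console). All paths and file contents it creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, OpenBSD or OpenVPN). A "!" line in
# /etc/hostname.tun0 is run by netstart(8) with no terminal to answer
# prompts, so an .ovpn config that asks for a username/password at
# startup leaves tun0 down. These helpers read the --config path out of a
# hostname.if(5) file and check that the config can start unattended.
# All paths and file contents used below are constructed for the example.

# Print the --config argument of the first openvpn "!" line in a hostname.if file.
ovpn_config_from_hostname_if() {
    awk '/^!.*openvpn/ { for (i = 1; i <= NF; i++) if ($i == "--config") print $(i + 1); exit }' "$1"
}

# Return 0 when the config will not prompt for a username/password, 1 otherwise.
ovpn_noninteractive_check() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    # First auth-user-pass directive and its optional FILE argument.
    set -- $(awk '$1 == "auth-user-pass" { print "found", $2; exit }' "$cfg")
    if [ $# -eq 0 ]; then
        echo "$cfg: no auth-user-pass directive, no username/password prompt expected"
        return 0
    fi
    if [ $# -lt 2 ]; then
        echo "$cfg: auth-user-pass has no FILE argument, openvpn will prompt on the console"
        return 1
    fi
    cred=$2
    case $cred in /*) ;; *) cred=$(dirname "$cfg")/$cred ;; esac
    [ -f "$cred" ] || { echo "$cfg: credential file $cred is missing"; return 1; }
    # Group/other bits of the ls(1) mode string must be off (0600 or stricter):
    # the file holds a cleartext password and is read as root at boot.
    if [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
        echo "$cred: readable by group/other, run: chmod 600 $cred"
        return 1
    fi
    echo "$cfg: starts unattended with credentials from $cred"
    return 0
}

# Stand-alone demo on a constructed hostname.tun0 and config in a temp dir.
demo_dir=$(mktemp -d)
printf 'up\n!/usr/local/sbin/openvpn --daemon --config %s/openbsd.ovpn\n' "$demo_dir" > "$demo_dir/hostname.tun0"
printf 'client\nauth-user-pass\n' > "$demo_dir/openbsd.ovpn"   # this form prompts
demo_status=0
ovpn_noninteractive_check "$(ovpn_config_from_hostname_if "$demo_dir/hostname.tun0")" || demo_status=$?
echo "demo check exit status: $demo_status"
rm -rf "$demo_dir"
```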
4th December 2022
Entropic
Quote:
Originally Posted by jggimi View Post
OpenBSD uses hostname.if(5) files to provision Network Interface Connectors (NICs). These are files stored in the /etc directory, and named after the interfaces they provision. These files are read during network startup by the netstart(8) script that gets executed during boot. As an example, on my laptop, I have six NICs provisioned -- two physical NICs, an em(4) NIC for wired Ethernet, an iwm(4) NIC for WiFi, and four pseudo-NICs, including a wg(4) pseudo-NIC for use with a WireGuard VPN:
Code:
t450$ ls /etc/hostname.*
/etc/hostname.em0       /etc/hostname.lo1       /etc/hostname.vlan0
/etc/hostname.iwm0      /etc/hostname.trunk0    /etc/hostname.wg0
I just tried the list command to see that I only have hostname.tun0 listed in my /etc directory.
Code:
ls /etc/hostname.*
When I plug my ethernet cable into the machine, however, I have a fully working internet connection, so it seems provisioning isn't necessary for my em0 ethernet (and thus internet) to work... right?

Quote:
I'm not an OpenVPN user, so don't have any specific guidance. I'd first ensure that the hostname.tun0 file is correct, as noted above, and then I'd look to see if the OpenVPN daemon is running with something like $ pgreg -lf openvpn.
If by "correct" you mean the hostname.tun0 shows up in an ls command then yes, it's "correct". As for the formatting within the hostname.tun0 file, this is something I've already asked about in my previous post but you may have missed reading and therefore replying to it. To re-ask: is my "appending" (see previous post) at the top of the hostname.tun0 file "correct"? Still waiting on a response to this if anyone can help..

Quote:
As I don't have any direct knowledge of OpenVPN use the thing that concerns me from your problem report is the prompt for authentication (userid, pw) during startup of the daemon. I would look for ways to provide a certificate or other authentication methods that don't require prompts, because the netstart(8) script doesn't have a way to operate interactively.
Can you try and give reasons for your statements. Why, for example, would a prompt for authentication be of concern here? You seem to relate it to netstart not being interactive, but as I demonstrated above, it seems netstart isn't involved or necessary for my internet connection (em0) to work, let alone for OpenVPN...

What I have noticed since creating the hostname.tun0 file in /etc/openvpn is that when I start my OpenBSD system, it no longer goes straight through to the x-window login screen with the blowfish pic. Instead it prompts me beforehand, in the terminal, for the user authentication and pw. I assume this is the openvpn daemon starting up at startup? Either way, when I enter the details (user and pass), and go through and login normally at the main login screen, an "ifconfig tun0" still reveals "down" for my openvpn connection, and that's in spite of having working internet otherwise..

I tried $ pgreg -lf openvpn and it says pgreg is not known in ksh..
4th December 2022
J65nko (Administrator)
The shell cannot find 'pgreg' because that is not an existing program. It is a typo. It should be:
Code:
$ pgrep -lf openvpn
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick