├── etc ├── hostname.em0 ├── hostname.em2 ├── resolv.conf.tail ├── boot.conf ├── sensorsd.conf ├── hostname.pflow0 ├── hostname.em1 ├── dhclient.conf ├── sysctl.conf ├── hostname.bridge0 ├── rc.conf.local ├── ntpd.conf ├── hostname.athn0 ├── httpd.conf ├── vm.conf ├── dhcpd.conf ├── relayd.conf ├── newsyslog.conf ├── flowd.conf ├── syslog.conf └── pf.conf ├── front-open.jpeg ├── diff_git ├── usr └── local │ ├── sbin │ ├── parse-relayd │ ├── parse-netflow │ └── update-webpage │ └── bin │ └── list-dhcpd-leases ├── var ├── cron │ └── tabs │ │ └── root └── unbound │ └── etc │ └── unbound.conf ├── LICENSE └── README.md /etc/hostname.em0: -------------------------------------------------------------------------------- 1 | dhcp 2 | -------------------------------------------------------------------------------- /etc/hostname.em2: -------------------------------------------------------------------------------- 1 | up media autoselect 2 | -------------------------------------------------------------------------------- /etc/resolv.conf.tail: -------------------------------------------------------------------------------- 1 | lookup file bind 2 | -------------------------------------------------------------------------------- /etc/boot.conf: -------------------------------------------------------------------------------- 1 | stty com0 115200 2 | set tty com0 3 | -------------------------------------------------------------------------------- /etc/sensorsd.conf: -------------------------------------------------------------------------------- 1 | hw.sensors.km0.temp0:high=70C 2 | -------------------------------------------------------------------------------- /etc/hostname.pflow0: -------------------------------------------------------------------------------- 1 | flowsrc 127.0.0.1 flowdst 127.0.0.1:9995 2 | pflowproto 10 3 | -------------------------------------------------------------------------------- /front-open.jpeg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/northox/openbsd-apu2/HEAD/front-open.jpeg -------------------------------------------------------------------------------- /etc/hostname.em1: -------------------------------------------------------------------------------- 1 | inet 192.168.1.1 255.255.255.0 192.168.1.255 2 | up media autoselect 3 | -------------------------------------------------------------------------------- /etc/dhclient.conf: -------------------------------------------------------------------------------- 1 | send host-name "barricade"; 2 | supersede domain-name-servers 127.0.0.1; 3 | -------------------------------------------------------------------------------- /etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets 2 | ddb.panic=0 3 | -------------------------------------------------------------------------------- /diff_git: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | FILES=`find etc usr/ var -type f` 3 | for i in $FILES; do doas diff -u ./$i /$i ; done 4 | -------------------------------------------------------------------------------- /etc/hostname.bridge0: -------------------------------------------------------------------------------- 1 | add em1 2 | add em2 3 | add athn0 4 | blocknonip em1 5 | blocknonip em2 6 | blocknonip athn0 7 | up 8 | -------------------------------------------------------------------------------- /etc/rc.conf.local: -------------------------------------------------------------------------------- 1 | dhcpd_flags=em1 2 | httpd_flags= 3 | pkg_scripts=flowd 4 | sensorsd_flags=-c 5 5 | sndiod_flags=NO 6 | unbound_flags= 7 | vmd_flags= 8 | -------------------------------------------------------------------------------- /etc/ntpd.conf: 
-------------------------------------------------------------------------------- 1 | servers pool.ntp.org 2 | server time.cloudflare.com 3 | sensor * 4 | listen on 192.168.1.1 5 | 6 | constraints from "9.9.9.9" 7 | constraints from "2620:fe::fe" 8 | -------------------------------------------------------------------------------- /etc/hostname.athn0: -------------------------------------------------------------------------------- 1 | inet 192.168.1.2 255.255.255.0 192.168.1.255 2 | media autoselect mediaopt hostap 3 | nwid "your wifi name" 4 | wpakey "your wifi secret key" 5 | wpaprotos wpa2 6 | chan 1 7 | up 8 | -------------------------------------------------------------------------------- /etc/httpd.conf: -------------------------------------------------------------------------------- 1 | ext_addr="em1" 2 | 3 | prefork 1 4 | 5 | server "default" { 6 | listen on $ext_addr port 80 7 | no log 8 | root "/htdocs/status" 9 | } 10 | 11 | types { 12 | include "/usr/share/misc/mime.types" 13 | } 14 | -------------------------------------------------------------------------------- /etc/vm.conf: -------------------------------------------------------------------------------- 1 | vm "nagios" { 2 | disable 3 | memory 1024M 4 | cdrom "/backup/vm/iso/alpine-virt-3.8.1-x86_64.iso" 5 | disk "/backup/vm/img/nagios.qcow2" 6 | interface { 7 | group "vm" 8 | switch "vswitch0" 9 | locked lladdr 00:00:00:00:00:03 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /usr/local/sbin/parse-relayd: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | grep -E 'GET|POST|UPDATE' /var/log/relayd | awk -F '[' '{print $3}' | awk -F ']' '{print $1}' | awk -F ':' '{print $1}' | awk -F ';' '{print $1}' | sort | uniq -c | sort -r 3 | 4 | #| sed 's/^[ \t]*//;s/[ \t\n\r]*$//' #| uniq -c | sort -r 5 | -------------------------------------------------------------------------------- 
/usr/local/bin/list-dhcpd-leases: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | awk '/{/{if(x)print x;x=""}{gsub(";","");x=(!x)?$0:x" "$0}END{print x}' /var/db/dhcpd.leases | \ 3 | sed -E -n -e 's/lease ([0-9.]+).*ethernet ([0-9a-f:]+)(.*hostname "([^"]*)" }|.*([^hostname].)* })/\1 \2 \4/p' | \ 4 | sort -u | column -t 5 | -------------------------------------------------------------------------------- /etc/dhcpd.conf: -------------------------------------------------------------------------------- 1 | option domain-name "mantor.org"; 2 | option domain-name-servers 192.168.1.1; 3 | option ntp-servers 192.168.1.1; 4 | 5 | subnet 192.168.1.0 netmask 255.255.255.0 { 6 | option routers 192.168.1.1; 7 | 8 | range 192.168.1.10 192.168.1.200; 9 | 10 | # host static-client { 11 | # hardware ethernet 22:33:44:55:66:77; 12 | # fixed-address 192.168.1.200; 13 | # } 14 | 15 | } 16 | -------------------------------------------------------------------------------- /usr/local/sbin/parse-netflow: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | TMP1=`mktemp` 3 | TMP2=`mktemp` 4 | 5 | /usr/local/bin/flowd-reader /var/log/flowd | awk '{print $13}' | grep -Ev '192.168.1.|0.0.0.0' | sed -E 's/\[(.*)]:[0-9]*$/\1/' | sort -u > $TMP1 6 | 7 | for i in `cat $TMP1`; do 8 | IP=`host $i` 9 | if [ $? -eq 0 ]; then 10 | echo $IP | grep -v 'has no PTR record' | sed 's/.*domain name pointer //' >> $TMP2 11 | fi 12 | done 13 | 14 | awk -F '.' 
'{print $(NF-2)"."$(NF-1)}' $TMP2 | sort | uniq -c | sort -r 15 | 16 | rm $TMP1 $TMP2 17 | -------------------------------------------------------------------------------- /etc/relayd.conf: -------------------------------------------------------------------------------- 1 | ext_addr="192.168.1.1" 2 | 3 | # interval 10 4 | # timeout 1000 5 | # prefork 5 6 | 7 | log updates 8 | 9 | #table { $webhost1 $webhost2 } 10 | table { 127.0.0.1 } 11 | 12 | http protocol "httpfilter" { 13 | tcp { nodelay, sack, socket buffer 65536, backlog 1000 } 14 | return error 15 | pass url log 16 | # header change "Keep-Alive" to "$TIMEOUT" 17 | # header change "Connection" to "close" 18 | 19 | # label "BAD Host request" 20 | # request headder filter "*youtube.com*" from "Host" 21 | } 22 | 23 | relay httpproxy { 24 | listen on 127.0.0.1 port 8080 25 | protocol "httpfilter" 26 | forward to nat lookup 27 | } 28 | -------------------------------------------------------------------------------- /var/cron/tabs/root: -------------------------------------------------------------------------------- 1 | # $OpenBSD: crontab,v 1.22 2016/09/04 09:37:26 tb Exp $ 2 | # 3 | # /var/cron/tabs/root - root's crontab 4 | # 5 | SHELL=/bin/sh 6 | PATH=/bin:/sbin:/usr/bin:/usr/sbin 7 | HOME=/var/log 8 | # 9 | #minute hour mday month wday command 10 | # 11 | # rotate log files every hour, if necessary 12 | 0 * * * * /usr/bin/newsyslog 13 | # send log file notifications, if necessary 14 | #1-59 * * * * /usr/bin/newsyslog -m 15 | # 16 | # do daily/weekly/monthly maintenance 17 | 30 1 * * * /bin/sh /etc/daily 18 | 30 3 * * 6 /bin/sh /etc/weekly 19 | 30 5 1 * * /bin/sh /etc/monthly 20 | #0 * * * * sleep $((RANDOM \% 2048)) && /usr/libexec/spamd-setup 21 | */5 * * * * /usr/local/sbin/update-webpage 22 | 55 4 * * * /usr/local/sbin/parse-netflow 23 | 55 4 * * * /usr/local/sbin/parse-relayd 24 | -------------------------------------------------------------------------------- /usr/local/sbin/update-webpage: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | $top = qx(top -nC 666); 3 | $top =~ s/\n*$/\n/; 4 | $uname = qx(uname -a); 5 | $date = qx(date); 6 | $temp = qx(sysctl hw.sensors.km0.temp0); 7 | $lease = `/usr/local/bin/list-dhcpd-leases`; 8 | 9 | $out = <Router status 11 | 12 |
13 | EOF
14 | $out .="\$ uname -a\n$uname";
15 | $out .="\$ date\n$date";
16 | $out .="\$ sysctl hw.sensors.km0.temp0\n$temp";
17 | $out .="\$ top -nC 666\n$top";
18 | $out .="\$ list-dhcpd-leases\n$lease";
19 | $out .="\$ ^D\n
\n"; 20 | 21 | open ($fh, '>', '/var/www/htdocs/status/index.html') or die "Could not open file: $!"; 22 | print $fh $out; 23 | close $fh; 24 | -------------------------------------------------------------------------------- /etc/newsyslog.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: newsyslog.conf,v 1.36 2016/12/27 09:17:52 jca Exp $ 2 | # 3 | # configuration file for newsyslog 4 | # 5 | # logfile_name owner:group mode count size when flags 6 | /var/cron/log root:wheel 600 3 10 * Z 7 | /var/log/authlog root:wheel 640 7 * 168 Z 8 | /var/log/daemon 640 5 300 * Z 9 | /var/log/lpd-errs 640 7 10 * Z 10 | /var/log/maillog 640 7 * 24 Z 11 | /var/log/messages 644 5 300 * Z 12 | /var/log/secure 600 7 * 168 Z 13 | /var/log/wtmp 644 7 * $W6D4 B 14 | /var/log/xferlog 640 7 250 * Z 15 | /var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd" 16 | /var/www/logs/access.log 644 4 * $W0 Z "pkill -USR1 -u root -U root -x httpd" 17 | /var/www/logs/error.log 644 7 250 * Z "pkill -USR1 -u root -U root -x httpd" 18 | /var/log/flowd 644 14 * $D5 ZB "pkill -USR1 -u root -U root -x flowd" 19 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2016, Danny Fullerton 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation 12 | and/or other materials provided with the distribution. 
13 | 14 | * Neither the name of openbsd-apu2 nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /etc/flowd.conf: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | # Specify where flowd should store its flow records 4 | logfile "/var/log/flowd" 5 | 6 | # Specify what addresses/ports flowd should listen on. 7 | # Multiple addresses may be specified 8 | listen on 127.0.0.1:9995 9 | #listen on 0.0.0.0:12345 10 | #listen on [::]:12345 11 | 12 | # Select which hosts we trust to send us flows (leave blank to trust any) 13 | # May be specified multiple times to allow more than one host/network 14 | flow source 127.0.0.1 15 | #flow source 10.0.0.0/8 16 | 17 | # Specify multicast groups to join (default: none) 18 | # IPv6 addresses may be specified with or without interface scope 19 | #join group 224.0.1.20 20 | #join group ff02::114%em0 21 | 22 | # Specify which flow records are recorded in the log. Multiple options may be 23 | # specified. 
24 | store ALL 25 | #store PROTO_FLAGS_TOS 26 | #store AGENT_ADDR 27 | #store SRC_ADDR 28 | #store DST_ADDR 29 | #store SRCDST_PORT 30 | #store PACKETS 31 | #store OCTETS 32 | #store CRC32 33 | 34 | # Flow filtering rules 35 | discard all 36 | accept agent 127.0.0.1 37 | 38 | # Example of some local variables 39 | #internal_traffic = "1" 40 | #somehost = "88.88.88.88" 41 | #business_hours_traffic = "2" 42 | 43 | # Example of a filter policy using local variables 44 | #discard agent 1.1.1.0/24 45 | #discard agent 1.1.1.0/24 proto tcp 46 | #accept tag $internal_traffic src 2.2.2.0/25 port 666 dst 33.33.0.0/16 port 888 47 | #accept tag 3 src 3.3.3.0/25 port 111 dst 44.44.55.0/16 port 222 proto tcp 48 | #discard agent $somehost tos 0x80 49 | #discard proto tcp tcp_flags mask 0x04 !equal 0x04 50 | #accept tag $business_hours_traffic after 08:30:0 before 17:30:00 51 | -------------------------------------------------------------------------------- /etc/syslog.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $ 2 | # 3 | 4 | *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages 5 | kern.debug;syslog,user.info /var/log/messages 6 | auth.info /var/log/authlog 7 | authpriv.debug /var/log/secure 8 | cron.info /var/cron/log 9 | daemon.info /var/log/daemon 10 | ftp.info /var/log/xferlog 11 | lpr.debug /var/log/lpd-errs 12 | mail.info /var/log/maillog 13 | 14 | # Uncomment this line to send "important" messages to the system 15 | # console: be aware that this could create lots of output. 16 | #*.err;auth.notice;authpriv.none;kern.debug;mail.crit /dev/console 17 | 18 | # Uncomment this to have all messages of notice level and higher 19 | # as well as all authentication messages sent to root. 20 | #*.notice;auth.debug root 21 | 22 | # Everyone gets emergency messages. 23 | #*.emerg * 24 | 25 | # Uncomment to log to a central host named "loghost". 
You need to run 26 | # syslogd with the -u option on the remote host if you are using this. 27 | # (This is also required to log info from things like routers and 28 | # ISDN-equipment). If you run -u, you are vulnerable to syslog bombing, 29 | # and should consider blocking external syslog packets. 30 | #*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @loghost 31 | #auth,daemon,syslog,user.info;authpriv,kern.debug @loghost 32 | 33 | # Uncomment to log messages from doas(1) to its own log file. Matches are done 34 | # based on the program name. 35 | # Program-specific logs: 36 | #!doas 37 | #*.* /var/log/doas 38 | 39 | # Mantor 40 | !relayd 41 | *.* /var/log/relayd 42 | -------------------------------------------------------------------------------- /etc/pf.conf: -------------------------------------------------------------------------------- 1 | ext_if="em0" 2 | int_ifs="{ athn0 em1 em2 }" 3 | int_if="em1" 4 | 5 | htpc_ip="192.168.1.222" 6 | xbox_ip="192.168.1.201" 7 | xbox_tcp="{ 1863, 3074 }" 8 | xbox_udp="{ 1780, 1863, 3074, 3544, 4500, 8083, 49164 }" 9 | 10 | table const { 131.103.20.160/27 165.254.145.0/26 104.192.143.0/24 } 11 | table const { 192.30.252.0/22 } 12 | table persist file "/etc/pita" 13 | table persist 14 | 15 | set skip on lo 16 | set block-policy return 17 | set loginterface egress 18 | set state-defaults pflow 19 | 20 | queue up on $ext_if bandwidth 12M burst 20M for 1000ms 21 | queue htpc parent up bandwidth 6M 22 | queue std parent up bandwidth 6M default 23 | queue down on $int_ifs bandwidth 32M burst 40M for 1600ms 24 | queue htpc parent down bandwidth 16M 25 | queue std parent down bandwidth 16M default 26 | 27 | match in on egress scrub (no-df random-id max-mss 1440 reassemble tcp) 28 | match out log on egress from $htpc_ip to any nat-to (egress:0) port 1024:65535 set queue htpc set prio 5 29 | match out log on egress from !$xbox_ip to any nat-to (egress:0) port 1024:65535 30 | match out log on egress from $xbox_ip to any nat-to 
(egress:0) static-port 31 | match in on $int_ifs inet proto { tcp udp } to any port 53 rdr-to 192.168.1.1 32 | match in on $int_ifs inet proto udp to any port 123 rdr-to 192.168.1.1 33 | 34 | block in quick on egress from 35 | block out quick on egress to 36 | pass in quick on $int_ifs from $int_if:network to $int_if:network 37 | 38 | block in log 39 | block out 40 | 41 | pass out on egress inet keep state 42 | pass out on $int_ifs inet keep state 43 | pass in on $int_ifs inet 44 | pass in on $int_ifs proto esp keep state 45 | pass in on $int_ifs inet from $htpc_ip set queue htpc set prio 5 46 | 47 | pass in on egress inet proto tcp from any to (egress) port 22 synproxy state \ 48 | (max-src-conn 40, max-src-conn-rate 10/30, overload flush global) 49 | pass in on egress proto tcp from any to (egress) port $xbox_tcp rdr-to $xbox_ip 50 | pass in on egress proto udp from any to (egress) port $xbox_udp rdr-to $xbox_ip 51 | -------------------------------------------------------------------------------- /var/unbound/etc/unbound.conf: -------------------------------------------------------------------------------- 1 | server: 2 | interface: 127.0.0.1 3 | interface: 192.168.1.1 4 | do-ip6: yes 5 | 6 | access-control: 0.0.0.0/0 refuse 7 | access-control: 127.0.0.0/8 allow 8 | access-control: 192.168.1.0/24 allow 9 | 10 | hide-identity: yes 11 | hide-version: yes 12 | 13 | # Uncomment to enable qname minimisation. 14 | # https://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-08 15 | # 16 | # qname-minimisation: yes 17 | 18 | # Uncomment to enable DNSSEC validation. 19 | # 20 | auto-trust-anchor-file: "/var/unbound/db/root.key" 21 | 22 | # Serve zones authoritatively from Unbound to resolver clients. 23 | # Not for external service. 24 | # 25 | #local-zone: "local." static 26 | #local-data: "mycomputer.local. IN A 192.0.2.51" 27 | #local-zone: "2.0.192.in-addr.arpa." 
static 28 | #local-data-ptr: "192.0.2.51 mycomputer.local" 29 | 30 | # UDP EDNS reassembly buffer advertised to peers. Default 4096. 31 | # May need lowering on broken networks with fragmentation/MTU issues, 32 | # particularly if validating DNSSEC. 33 | # 34 | #edns-buffer-size: 1480 35 | 36 | # Use TCP for "forward-zone" requests. Useful if you are making 37 | # DNS requests over an SSH port forwarding. 38 | # 39 | #tcp-upstream: yes 40 | 41 | # DNS64 options, synthesizes AAAA records for hosts that don't have 42 | # them. For use with NAT64 (PF "af-to"). 43 | # 44 | #module-config: "dns64 validator iterator" 45 | #dns64-prefix: 64:ff9b::/96 # well-known prefix (default) 46 | #dns64-synthall: no 47 | 48 | remote-control: 49 | control-enable: yes 50 | control-use-cert: no 51 | control-interface: /var/run/unbound.sock 52 | 53 | # Use an upstream forwarder (recursive resolver) for specific zones. 54 | # Example addresses given below are public resolvers valid as of 2014/03. 55 | # 56 | #forward-zone: 57 | # name: "." # use for ALL queries 58 | # forward-addr: 74.82.42.42 # he.net 59 | # forward-addr: 2001:470:20::2 # he.net v6 60 | # forward-addr: 8.8.8.8 # google.com 61 | # forward-addr: 2001:4860:4860::8888 # google.com v6 62 | # forward-addr: 208.67.222.222 # opendns.com 63 | # forward-first: yes # try direct if forwarder fails 64 | 65 | #dnstap: 66 | # dnstap-enable: yes 67 | # dnstap-socket-path: "/var/run/unbound/dnstap.sock" 68 | # dnstap-send-identity: yes 69 | # dnstap-send-version: yes 70 | # dnstap-log-resolver-response-messages: yes 71 | # dnstap-log-client-query-messages: yes 72 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OpenBSD-APU2 2 | This repo contains the necessary configs to create a WIFI router out of [PC Engine's APU2](http://pcengines.ch/apu2c4.htm) running OpenBSD >=5.9. 
3 | 4 | The APU2 is a fanless board with 4x 1GHz CPUs and 4GB of RAM (AMD GX-412TC SOC, amd64 instruction set) - quite capable. Well, actually it's totally overkill for a router but anyway, it's still cheaper than the alternatives. Oh and it uses an open source firmware: [coreboot](https://www.coreboot.org). 5 | ![front panel open top](https://raw.githubusercontent.com/northox/openbsd-apu2/master/front-open.jpeg) 6 | 7 | It's stable. We've been using it for a few years now and had very few hiccups. The biggest limitations are the lack of 802.11ac support and the poor performance of 802.11n. 8 | 9 | ## Why? 10 | Well frankly, we were tired of unreliable, impotent routers with unknown ([crappy](https://www.helpnetsecurity.com/2019/09/17/vulnerabilities-iot-devices/)) security posture. Our objective was to set this thing up once and forget about it - not a techy-powertrip. 11 | 12 | ## Instructions 13 | - The APU2 is set up as follows and costs 245$cad: 14 |  - board: [apu2c4](http://pcengines.ch/apu2c4.htm) - 4x 1GHz, 4 GB RAM, 3 1000baseT, 2 USB3, 1 SATA, 2 mPCI, etc 15 | - wifi: [wle200nx](http://pcengines.ch/wle200nx.htm) - A B G N, 2 antennas 16 | - hd: [msata16d](http://pcengines.ch/msata16d.htm) 17 | - Follow [Elad's instructions](https://github.com/elad/openbsd-apu2) to install OpenBSD on the APU2. 18 | - Set the proper console to boot from the installation media: within the boot shell, run `stty com0 115200` then `set tty com0` 19 | - The config files are pretty much self-explanatory. Really, if you don't know what it does... RTFM or it's simply not for you. OpenBSD's documentation is quite simple and complete. 
20 | - Execute this for a status web page: `echo '*/5 * * * * /usr/local/sbin/update-webpage' >> /var/cron/tabs/root` 21 | 22 | ## Status (update-webpage) 23 | ``` 24 | $ uname -a 25 | OpenBSD barricade.mantor.org 5.9 GENERIC.MP#1888 amd64 26 | $ sysctl hw.sensors.km0.temp0 27 | hw.sensors.km0.temp0=62.75 degC 28 | $ top -nC 666 29 | load averages: 0.62, 0.52, 0.56 barricade.mantor.org 13:15:01 30 | 33 processes: 32 idle, 1 on processor up 12 days, 22:27 31 | CPU0 states: 0.2% user, 0.0% nice, 0.1% system, 0.2% interrupt, 99.4% idle 32 | CPU1 states: 0.0% user, 0.0% nice, 0.1% system, 0.1% interrupt, 99.8% idle 33 | CPU2 states: 0.0% user, 0.0% nice, 0.1% system, 0.1% interrupt, 99.8% idle 34 | CPU3 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.9% idle 35 | Memory: Real: 48M/247M act/tot Free: 3698M Cache: 123M Swap: 0K/890M 36 | 37 | PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND 38 | 14875 _unbound 2 0 27M 32M sleep kqread 1:03 0.00% unbound -c /var/unbound/etc/unbound.conf 39 | 31702 _ntp 2 -20 1300K 1656K sleep poll 0:50 0.00% ntpd: ntp engine 40 | 30018 _pflogd 4 0 688K 508K sleep bpf 0:25 0.00% pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog 41 | 26667 root 2 0 916K 1440K idle select 0:11 0.00% /usr/sbin/sshd 42 | 4198 _syslogd 2 0 1060K 1444K sleep kqread 0:10 0.00% /usr/sbin/syslogd 43 | 27374 root 2 0 760K 1104K sleep poll 0:09 0.00% /usr/sbin/cron 44 | 2301 _dhcp 2 0 768K 680K idle poll 0:03 0.00% dhclient: em0 45 | 1 root 10 0 464K 564K idle wait 0:02 0.00% /sbin/init 46 | 2454 _dhcp 2 0 708K 1400K idle poll 0:01 0.00% /usr/sbin/dhcpd athn0 47 | 15368 root 2 0 3552K 3292K idle poll 0:01 0.00% sshd: northox [priv] 48 | 30674 _smtpd 2 0 1676K 2784K idle kqread 0:00 0.00% smtpd: pony express 49 | 497 root 2 0 1576K 2180K idle kqread 0:00 0.00% /usr/sbin/smtpd 50 | 2020 _smtpq 2 0 1676K 2380K idle kqread 0:00 0.00% smtpd: queue 51 | 30436 _smtpd 2 0 1540K 2364K idle kqread 0:00 0.00% smtpd: lookup 52 | 2118 _smtpd 2 0 1648K 
2324K idle kqread 0:00 0.00% smtpd: control 53 | 16322 root 2 0 1060K 1268K idle netio 0:00 0.00% syslogd: [priv] 54 | 15619 root 2 0 624K 608K idle netio 0:00 0.00% pflogd: [priv] 55 | 16011 _smtpd 2 0 1308K 2084K idle kqread 0:00 0.00% smtpd: scheduler 56 | 24867 root 2 -20 804K 1664K idle poll 0:00 0.00% /usr/sbin/ntpd 57 | 1856 root 2 0 648K 548K idle poll 0:00 0.00% dhclient: em0 [priv] 58 | 252 root 2 0 864K 1876K idle kqread 0:00 0.00% /usr/sbin/httpd 59 | 1211 _smtpd 2 0 1376K 1988K idle kqread 0:00 0.00% smtpd: klondike 60 | 31513 www 2 0 884K 1884K idle kqread 0:00 0.00% httpd: server 61 | 11225 www 2 0 744K 1616K idle kqread 0:00 0.00% httpd: logger 62 | 18802 _ntp 2 0 688K 1424K idle poll 0:00 0.00% ntpd: dns engine 63 | 7354 root 3 0 336K 1120K idle ttyin 0:00 0.00% /usr/libexec/getty std.115200 tty00 64 | $ list-dhcpd-leases 65 | 192.168.1.16 55:f9:35:43:32:11 "iPad" 66 | 192.168.1.17 78:44:87:13:56:6e "android-35375e65e664b13d" 67 | 192.168.1.21 74:86:23:1d:a6:61 "laserbeak" 68 | $ ^D 69 | ``` 70 | 71 | ## dmesg 72 | ``` 73 | OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016 74 | deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP 75 | real mem = 4261076992 (4063MB) 76 | avail mem = 4127739904 (3936MB) 77 | mpath0 at root 78 | scsibus0 at mpath0: 256 targets 79 | mainbus0 at root 80 | bios0 at mainbus0: SMBIOS rev. 
2.7 @ 0xdffb7020 (7 entries) 81 | bios0: vendor coreboot version "88a4f96" date 03/11/2016 82 | bios0: PC Engines apu2 83 | acpi0 at bios0: rev 2 84 | acpi0: sleep states S0 S1 S2 S3 S4 S5 85 | acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET 86 | acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) UOH3(S3) UOH5(S3) XHC0(S4) 87 | acpitimer0 at acpi0: 3579545 Hz, 32 bits 88 | acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat 89 | cpu0 at mainbus0: apid 0 (boot processor) 90 | cpu0: AMD GX-412TC SOC, 998.30 MHz 91 | cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3, 92 | PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG, 93 | SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1 94 | cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache 95 | cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative 96 | cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative 97 | cpu0: smt 0, core 0, package 0 98 | mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges 99 | cpu0: apic clock running at 99MHz 100 | cpu0: mwait min=64, max=64, IBE 101 | 102 | ``` 103 | 104 | ## Performance 105 | ``` 106 | Ubench CPU: 288530 107 | Ubench MEM: 37347 108 | -------------------- 109 | Ubench AVG: 162938 110 | ``` 111 | 112 | ``` 113 | $ openssl speed md5 sha1 sha256 sha512 des des-ede3 aes-128-cbc aes-192-cbc aes-256-cbc rsa2048 dsa2048 114 | LibreSSL 2.3.2 115 | built on: date not available 116 | options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 117 | compiler: information not available 118 | The 'numbers' are in 1000s of bytes per second processed. 
119 | type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 120 | md5 4565.65k 16729.20k 49299.48k 96037.93k 132775.72k 121 | sha1 4481.83k 15422.45k 40502.69k 68271.20k 86173.85k 122 | des cbc 11858.55k 12263.08k 12356.64k 12401.29k 12530.22k 123 | des ede3 4589.16k 4710.53k 4785.33k 4759.05k 4765.51k 124 | aes-128 cbc     14778.42k   15650.49k   16148.75k   44138.14k   44958.02k 125 | aes-192 cbc 12427.81k 13167.48k 13322.04k 37420.23k 38020.68k 126 | aes-256 cbc 10770.22k 11232.15k 11495.93k 32585.99k 32885.03k 127 | sha256 5399.91k 12679.80k 22259.16k 27965.75k 30307.68k 128 | sha512 4807.39k 19008.23k 29792.79k 41931.95k 47916.40k 129 | sign verify sign/s verify/s 130 | rsa 2048 bits 0.009785s 0.000316s 102.2 3168.6 131 | sign verify sign/s verify/s 132 | dsa 2048 bits 0.003073s 0.003696s 325.4 270.5 133 | ``` 134 | 135 | ## Caveats (6.1) 136 | - athn limited 802.11n performance 137 | - 802.11ac is not supported 138 | 139 | ## License 140 | BSD 141 | 142 | ## Authors 143 | - Danny Fullerton - Mantor Organization 144 | - Jean-Francois Rioux - Mantor Organization 145 | --------------------------------------------------------------------------------