Cyber security

OpenBSD – Dynamic IP, WireGuard VPN, And Encrypted DNS

This article presents a detailed guide centered around OpenBSD and Linux for enhancing network security through the implementation of dynamic IP filtering, WireGuard VPN configurations, and encrypted DNS services.

It covers initial setups, script-based automation, and firewall configurations to ensure secure, efficient, and scalable network management.

Whether you’re aiming to protect SSH access, secure your VPN connections, or block unwanted ads, this guide offers comprehensive instructions to fortify your network against vulnerabilities.

This project gets you:

  • OpenBSD: Static filtering of static IPs for SSH
  • OpenBSD: Dynamic filtering of dynamic IPs for VPN (Wireguard)
  • Linux: Dynamic filtering of dynamic IPs for VPN (Wireguard)
  • OpenBSD: Encrypted DNS via ODoH / DoT via Unbound + DNScrypt
  • OpenBSD: Adblocker skript to pull adlists for Unbound

Some Steps

  1. Initial Setup: Start by configuring the OpenBSD gateway with the provided PF configuration to set up initial firewall rules.
  2. Dynamic IP Script: Implement the dynamic IP update script to maintain an up-to-date whitelist of IPs that can access the VPN.
  3. Cron Configuration: Schedule the provided cron jobs to automate the updating and maintenance tasks.
  4. DNS Encryption: Follow the DNS setup instructions to encrypt DNS queries, using either DoT or ODoH.
  5. Ad Blocking: Set up the ad blocker script to filter out unwanted ads.

Detailed Configuration Scripts And Commands

  • Dynamic IP Update Script (getpara.sh): This script resolves the current IP address for a specified FQDN and updates the PF table with any changes.
  • PF Configuration (pf.conf): Includes rules for blocking, allowing SSH from specific IPs, handling Wireguard traffic, and default deny policies.
  • Cron Jobs: Automates system updates, VPN renewals, and the dynamic IP update script.
  • DNS Configuration: Setup guides for DoT and ODoH, including configuration changes for dnscrypt-proxy.
  • Ad Blocker Script: Instructions and script for setting up ad blocking on OpenBSD using Unbound.

Some OpenBSD Cronjobs Right Away

  • add via crontab -e
@reboot /bin/sleep 30 && /usr/local/bin/wg-quick up wg0
@reboot /bin/sleep 30 && /usr/sbin/rcctl restart unbound
30 13 * * * /usr/sbin/syspatch -c 
32 13 * * * /usr/sbin/syspatch
35 13 * * * /usr/sbin/pkg_add -u

30 4 * * 3 /usr/local/getpara.sh
0 0 * * * /usr/local/getpara.sh
2 0 * * * /usr/sbin/rcctl restart unbound

Firewall : OpenBSD PF Rules For Static And Dynamic IPS

  • You edit the pf rules on /etc/pf.conf and check via pfctl -nf /etc/pf.conf and load them via pfctl -f /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# Configuration Variables
dynamic_hosts_file="/usr/local/gotten-para"  # Location for dynamic hosts
wireguard_port="51820"                        # Your WireGuard VPN port
wireguard_net="10.0.0.0/24"                 # Your WireGuard VPN network
ssh_allowed_ips="{6.6.6.6/32, 7.7.7.7/32}"  # IPs allowed for SSH
wireguard_iface="wg0"                       # WireGuard interface identifier

# Block Ipv6 - remember hotspot leakage
block quick inet6

set skip on lo

# Block all incoming on vio0 but allow outgoing
block in on vio0 all

# NAT for outgoing traffic
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Allow SSH from specified IPs
pass in on vio0 proto tcp from $ssh_allowed_ips to (vio0) port 22 keep state
pass out quick on vio0 keep state

# Allow only IPs from <dynamic_hosts> to access WireGuard port on vio0
pass in on vio0 proto udp from <dynamic_hosts> to any port $wireguard_port keep state
pass out on vio0 proto udp to <dynamic_hosts> port $wireguard_port keep state

# Allow all on WireGuard interface
pass in on $wireguard_iface from $wireguard_net to any
pass out on $wireguard_iface from any to $wireguard_net

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

Skript To Add The Dynamic Hosts

  • Important: All your clients will need to get FQDNs, and you can do that by adding for example containers in your home, work etc, that use tools like ddclient + any DYNDNS-hoster.
  • Next, Ensure you replace myhost.myhoster.org with your actual domain domain.
  • The script below will access the FQDN and add it to the firewall ruletable for access.

I’ve deployed the following script on /usr/local/getpara.sh it creates temp_gotten_para as well as gotten-para which contains the dynamic IPs to be added to the firewall for access.

#!/bin/sh

# FQDN to resolve
FQDN="myhost.myhoster.org"

# Variables
TEMP_IP_FILE="/usr/local/temp_gotten_para"
FINAL_IP_FILE="/usr/local/gotten-para"
MAX_IP_COUNT=3
IP_RETENTION_DAYS=10

# Resolve the current IP address of the FQDN
CURRENT_IP=$(dig +short $FQDN)
CURRENT_TIMESTAMP=$(date +%s)

# Ensure FINAL_IP_FILE exists
if [ ! -f "$FINAL_IP_FILE" ]; then
    touch "$FINAL_IP_FILE"
fi

# Exit if no IP is resolved
[ -z "$CURRENT_IP" ] && echo "No IP address found for $FQDN" && exit 1

# Append current IP with timestamp to TEMP_IP_FILE for processing
echo "$CURRENT_TIMESTAMP $CURRENT_IP" >> "$TEMP_IP_FILE"

# Process TEMP_IP_FILE to ensure uniqueness, limit the number of IPs, and consider the retention period
awk -v max_count=$MAX_IP_COUNT -v retention_days=$IP_RETENTION_DAYS -v current_time=$CURRENT_TIMESTAMP '{
    ip = $2
    timestamp = $1
    if (!seen[ip]++ && (current_time - timestamp) <= (retention_days * 86400)) {
        print ip
        if (++count >= max_count) exit
    }
}' "$TEMP_IP_FILE" | sort -u | tail -n $MAX_IP_COUNT > "$FINAL_IP_FILE"

# Reload the PF table with the updated IP list
pfctl -t dynamic_hosts -T replace -f "$FINAL_IP_FILE" && echo "pf table reloaded with updated IP list."

For more information click here

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

4 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

4 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

6 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

2 weeks ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

2 weeks ago