Ever get into a situation where your router is too slow, its firmware is no longer supported, or you are scared of the many reported vulnerabilities that your vendor does not even care about?
It is time to set up a better router at home! With this, you can upgrade easily, stay up to date, have security vulnerabilities fixed as soon as possible, and enjoy nearly zero downtime thanks to its reliability.
I use OpenBSD as my home router. It has a lot of advantages, like the following:
- It runs on any normal machine that OpenBSD supports; in my case, I use a low-powered FitLet2 from CompuLab. You do need at least 2 ethernet ports though. Before the FitLet2, I used a PC Engines APU for almost 5 years and it was kept upgraded the whole time.
- OpenBSD is one of the most secure operating systems in the world. The community focuses on one thing: security.
- It has the easiest-to-configure firewall ruleset syntax in the world, and the firewall is stateful.
- You can run a lot of other network-related services from here, like a VPN server for iOS / Mac / Android, multiple LANs, dynamic DNS updates (as long as you know scripting), or even routing different machines to the Internet through different upstream providers!
- It has excellent documentation and manual pages, which accurately describe its functionality and limitations so that you can think through what you need to do.
What do you need?
To build yourself a router, you will need the following:
- A computer with at least 2 network ports, plus a monitor and keyboard for the initial install, which can be disconnected later. You do not need a monitor or keyboard to carry out upgrades or configuration changes.
- A copy of OpenBSD downloaded from their website and installed following the standard installation guide. The default OpenBSD installation has SSH enabled and, if you choose so, the DHCP client enabled so that it gets a proper IP address from your original router. If your Internet connectivity is PPPoE based, refer to the appendix below for additional information.
- A Wi-Fi router which will be used as a bridge for your Wi-Fi-only devices. Wi-Fi support is not a strong selling point of OpenBSD due to its strict open-source nature.
- We assume your Internet-facing network interface is em0 and your internal network interface is em1; if you are using Intel ethernet chipsets this will normally be the case. The internal network address range will be 192.168.0.0-192.168.0.255 (commonly written as 192.168.0.0/24, i.e. a netmask of 255.255.255.0).
- The router's internal IP address is 192.168.0.1.
What's in the router?
After setup, you will get:
- A fully functional router with a firewall for your home, which lets you connect multiple devices and share the connection.
- A stateful-inspection L2 / L3 firewall through packet filter, a long-trusted firewall implementation from OpenBSD.
- A DHCP server through dnsmasq, a very popular DHCP server that is used in almost all router distributions.
- A DNS server through unbound, again another popular choice for a DNS server.
- Later, in another article, I will share how you can set up a VPN for iOS, Android and macOS (never tried Windows, so not sure whether it will work) through iked, a clean and secure implementation of the IPsec IKEv2 protocol.
Additional software that needs to be installed on OpenBSD
We try to stick with OpenBSD's own networking software as much as possible, which is beneficial because OpenBSD's standard software is generally of very high quality and written with security in mind. We explain the reasons behind each additional package below. You can use the following command to install the pre-compiled packages hosted on the OpenBSD mirrors.
In OpenBSD, third-party software is maintained in the ports tree. A port can either be compiled from source, or installed as a pre-built package from the OpenBSD package repository if the default compilation options are sufficient.
```sh
# Prefix with doas (doas pkg_add) if you are running it
# as your admin user rather than root
pkg_add <software_package_name>
```
We use dnsmasq as our DHCP server, which is responsible for handing out IP addresses to the machines on your home network. OpenBSD also has a built-in DHCP server, dhcpd, serving the same purpose. However, dhcpd does not serve DNS requests, nor is it integrated with OpenBSD's DNS server (unbound). As a result, you cannot easily do reverse DNS lookups or find your machines by name.
avahi_daemon (strictly optional just for convenience)
avahi is a daemon which both broadcasts and receives Bonjour (mDNS) requests to and from the machines on your network. If you use macOS or iOS devices, you can optionally install it so that Mac-based software can find your router by name.
Installing avahi_daemon also installs messagebus as a dependency.
Setting up OpenBSD networking
Setting up OpenBSD networking is really simple. Following the assumptions above:
- em0 is your Internet port (WAN), where you plug in your upstream Internet connection, and
- em1 is your internal network port (LAN).
- Also, since we will be setting up an IPsec VPN, we need to enable the enc0 interface as well.
Thus you will end up with 2 new configuration files in the /etc folder, alongside the existing one for em0.
/etc/hostname.em0 probably already exists from when you set up OpenBSD; it should contain 1 line only:
Create a file called /etc/hostname.em1; it should look like the below:
Create another file called /etc/hostname.enc0; it should look like the below:
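As an added example (not the author's own files), here are the three hostname.if(5) files written out for the assumptions used in this article: em0 takes its address from the upstream router by DHCP, em1 is the LAN side at 192.168.0.1/24, and enc0 only needs to be brought up. Each file is shown with a comment naming it; on disk they are three separate files.

```conf
# /etc/hostname.em0  (WAN): ask the upstream router / ISP for an address.
# On releases before OpenBSD 6.9 the keyword is "dhcp" instead of "inet autoconf".
inet autoconf

# /etc/hostname.em1  (LAN): fixed address 192.168.0.1 with the /24 netmask
inet 192.168.0.1 255.255.255.0

# /etc/hostname.enc0  (IPsec): nothing to configure, just bring it up
up
```

The files are read by /etc/netstart at boot; after editing one you can apply it without a reboot with `sh /etc/netstart em1` (substitute the interface), and `ifconfig em1` confirms the address. Keep the files owned by root with mode 0640, since a hostname.if file may later hold credentials (for example a PPPoE password).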
Base Operating System configuration
Adjust the system parameters in /etc/sysctl.conf to enable forwarding of packets, which essentially makes the operating system act like a router.
```conf
# Enable packet forwarding
net.inet.ip.forwarding=1
#net.inet6.ip6.forwarding=1
# Enable IP compression, required for IPSec
net.inet.ipcomp.enable=1
# Do not drop into the panic console (ddb) when the system crashes,
# instead simply reboot it. (Never crashed anyway!)
ddb.panic=0
```
Enable the following software by editing the file /etc/rc.conf.local, which controls all daemons in OpenBSD. It has a very simple syntax, which we describe below:
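The following /etc/rc.conf.local is an added example rather than the author's file. It enables the daemons this article uses; the lines are in the form that `rcctl enable` writes (an empty `_flags` value means "enabled with default flags", `NO` means disabled). The start order of messagebus before avahi_daemon is assumed here because avahi depends on the message bus.

```conf
# /etc/rc.conf.local
# Base-system daemon: empty flags value = enabled with default options
unbound_flags=
# Daemons installed from packages are listed in pkg_scripts, in start order.
# messagebus (dbus) must start before avahi_daemon, which depends on it.
pkg_scripts=messagebus avahi_daemon dnsmasq
# pf itself is already enabled by default in /etc/rc.conf, so nothing is needed for it
```

Rather than editing the file by hand, `rcctl enable unbound messagebus avahi_daemon dnsmasq` produces the same result and keeps the syntax correct; `rcctl ls on` lists what is enabled and `rcctl check unbound` tells you whether a daemon is running.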
We will use unbound, a very popular DNS server that is also part of the OpenBSD base system, as our DNS resolver. The following is a very simple working DNS configuration for this purpose. In it, we forward all DNS queries that unbound receives from your network to Google DNS using DNS over TLS, which encrypts the DNS traffic.
Create the file /var/unbound/etc/unbound.conf with contents similar to the below:
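The unbound.conf below is an added example, not the author's configuration. It assumes the addresses from this article (unbound listening on 127.0.0.1 and 192.168.0.1, dnsmasq answering on 127.0.0.1 port 55) and a made-up local domain name, home.lan, for the home network; it also shows the two settings that are easy to miss when pairing unbound with dnsmasq, `do-not-query-localhost: no` and releasing unbound's built-in block on the 192.168 reverse zone.

```conf
# /var/unbound/etc/unbound.conf
server:
	# Listen on loopback and on the LAN address only
	interface: 127.0.0.1
	interface: 192.168.0.1
	do-ip6: no

	# Answer queries only from the router itself and the home network
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.0.0/24 allow

	hide-identity: yes
	hide-version: yes

	# DNSSEC validation with the root trust anchor shipped by OpenBSD
	auto-trust-anchor-file: "/var/unbound/db/root.key"

	# CA bundle used to verify the upstream DNS-over-TLS server certificate
	tls-cert-bundle: "/etc/ssl/cert.pem"

	# Required: by default unbound refuses to send queries to 127.0.0.1,
	# which is where dnsmasq (port 55) lives
	do-not-query-localhost: no

	# The home zone is unsigned, so exempt it from DNSSEC validation, and
	# allow RFC 1918 answers for it even if private-address is ever enabled
	domain-insecure: "home.lan"
	domain-insecure: "0.168.192.in-addr.arpa"
	private-domain: "home.lan"
	# unbound ships a static (empty) 168.192.in-addr.arpa zone; drop that
	# default so reverse lookups for the LAN reach dnsmasq instead
	local-zone: "168.192.in-addr.arpa." nodefault

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Host names and reverse lookups for the home network come from dnsmasq
forward-zone:
	name: "home.lan"
	forward-addr: 127.0.0.1@55

forward-zone:
	name: "0.168.192.in-addr.arpa"
	forward-addr: 127.0.0.1@55

# Everything else goes to Google DNS over TLS on port 853; the part after
# "#" is the name the server certificate must carry
forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: 8.8.8.8@853#dns.google
	forward-addr: 8.8.4.4@853#dns.google
```

Check the file with `unbound-checkconf` before restarting. A quick functional test from a LAN machine is `dig @192.168.0.1 example.com` for the forwarded path and `dig @192.168.0.1 somehost.home.lan` for the dnsmasq path; if the second one fails, the usual culprits are the `do-not-query-localhost` line or the `nodefault` line being missing.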
You can use the following command to restart the unbound service:
```sh
# Should be run as root, or use doas
rcctl restart unbound
```
The following is a sample /etc/dnsmasq.conf for the DHCP configuration. We make the DNS part of dnsmasq listen on port 55 (instead of 53) so that unbound stays the default DNS server.
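As an added example (not the author's file), here is a dnsmasq.conf that fits the unbound setup: DNS on port 55, authoritative only for the made-up home.lan domain, and a DHCP pool on em1. The pool range, the domain name and the MAC address in the fixed-lease line are all constructed values.

```conf
# /etc/dnsmasq.conf
# Serve DNS on port 55 so that unbound keeps port 53
port=55
# Only serve the LAN interface. dnsmasq adds loopback automatically, which
# is what lets unbound reach it on 127.0.0.1:55
interface=em1
bind-interfaces
# Never read /etc/resolv.conf (it points back at unbound) and never forward
# anything upstream: dnsmasq only answers for the local zone
no-resolv
local=/home.lan/
# Names learned from DHCP leases get the home.lan suffix, so both the short
# name and name.home.lan resolve (forward and reverse) through unbound
domain=home.lan
expand-hosts
# DHCP pool with 12 hour leases; the router is both gateway and DNS server
dhcp-range=192.168.0.100,192.168.0.200,12h
dhcp-option=option:router,192.168.0.1
dhcp-option=option:dns-server,192.168.0.1
# We are the only DHCP server on this network, so answer immediately and
# reclaim leases from clients that were not served by us
dhcp-authoritative
# Example of a fixed address for a known machine (constructed MAC address)
dhcp-host=00:11:22:33:44:55,nas,192.168.0.10
```

`dnsmasq --test` validates the file. Note that because unbound forwards only home.lan and its reverse zone to port 55, a LAN client cannot use dnsmasq as a general resolver even if it queries port 55 directly; all other lookups still leave the router through the DNS-over-TLS path.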
OpenBSD's firewall component, packet filter (PF), is extremely well known in the world of Unix operating systems. It is the foundation of several other operating systems' firewalls, such as those of FreeBSD, macOS and iOS.
It has a very simple syntax and is very easy to understand. In our sample configuration below, we write the rules with the "quick" keyword so that the first matching rule wins, which makes the ruleset easier to reason about.
Create a file called /etc/pf.conf; a standard working configuration looks like the below.
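The ruleset below is an added example in the "quick" style the article describes, not the author's pf.conf. It assumes em0 as WAN, em1 as LAN 192.168.0.0/24 and the services configured above (SSH, unbound on 53, dnsmasq DHCP, avahi mDNS); for the VPN it only opens the IKEv2 ports and enc0, since the iked part is covered in a later article. The default-deny rule is logged so that anything that gets blocked is visible on pflog0.

```conf
# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"

# Do not filter loopback; normalise all incoming packets
set skip on lo
match in all scrub (no-df)

# NAT: rewrite the source of LAN traffic leaving the WAN to the WAN address.
# The parentheses make pf follow the address if DHCP changes it.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny; "log" sends blocked packets to pflog0 for inspection
block log all

# Anti-spoofing: drop packets claiming a LAN source that arrive on another
# interface, and packets claiming to come from the router's own LAN address
antispoof quick for { lo $int_if }

# The router itself (DNS over TLS, package updates) and forwarded LAN traffic
# may leave through the WAN; the state created here lets the replies back in
pass out quick on $ext_if inet

# Services the router offers to the LAN: SSH, DNS (unbound), DHCP (dnsmasq),
# mDNS (avahi) and ping. Anything else aimed at the router's own addresses
# (for example dnsmasq's port 55) is dropped by the block rule that follows.
pass in quick on $int_if inet proto tcp from $lan_net to ($int_if) port { 22 53 }
pass in quick on $int_if inet proto udp from $lan_net to ($int_if) port 53
pass in quick on $int_if inet proto udp from any port 68 to any port 67
pass in quick on $int_if inet proto udp from $lan_net to 224.0.0.251 port 5353
pass in quick on $int_if inet proto icmp from $lan_net to ($int_if)
block in quick log on $int_if inet from $lan_net to self

# LAN clients may reach anything beyond the router (stateful)
pass in quick on $int_if inet from $lan_net to any

# IKEv2 from the Internet: IKE (udp 500), NAT traversal (udp 4500) and the
# ESP payload; decrypted VPN packets then appear on enc0
pass in quick on $ext_if inet proto udp from any to ($ext_if) port { 500 4500 }
pass in quick on $ext_if inet proto esp from any to ($ext_if)
pass quick on enc0
```

Always check a new ruleset with `pfctl -nf /etc/pf.conf` before loading it, and keep an SSH session open while you load it so a mistake does not lock you out. `pfctl -sr` prints the expanded rules (you will see what `antispoof` turned into), `pfctl -ss` shows the state table (a NATed LAN connection appears as two states, one per interface), and `tcpdump -n -e -ttt -i pflog0` shows what the logged block rules are dropping.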
At this point, you can restart the services to make everything take effect:
```sh
# Run the following as root, or prefix each command with doas
sysctl -w net.inet.ip.forwarding=1
rcctl restart dnsmasq unbound
pfctl -ef /etc/pf.conf
```
And you have a working Internet router already!