WireGuard on FreeBSD Quick Look: Testing VPN in Jail Network

WireGuard is a new VPN application which focuses on simplicity, and thus on security and speed. Although it was initially developed as a Linux kernel feature, it now has a userspace implementation in Go, and binary packages are available for FreeBSD. I used this weekend to have a quick look at it on FreeBSD 12.0. This time I focused on a site-to-site VPN setup. Maybe I will try a remote-access VPN configuration in the near future.

Using FreeBSD's Bootonly Installer Behind a Proxy

I’ve been so busy for the last month that I almost forgot about FreeBSD 12.0, which I had been looking forward to. Now it’s just around the corner! Although it’s quite late, I tried to install 12.0-RC3 on a host behind an HTTP proxy and found that using a bootonly installer in this environment was a bit tricky. The following are the steps I took. Boot the host with a bootonly installer.

Learning Spanning Tree Protocol with FreeBSD Bridges

Spanning Tree Protocol is a standard protocol for network bridges (layer-two switches) to autonomously find a logical loop-free topology and provide redundancy to the network. Several variants have been developed since its birth, of which the most common standard is Rapid Spanning Tree Protocol (RSTP). Many managed switches implement the protocol and often enable it by default. Although it’s quite common in the networking world, on whose perimeter I live, it has been something vague and unfamiliar to me for a long time.

Learning Notes on FreeBSD Jails

I have heard about jails many times since my early days of FreeBSD life, but it was only last year that I began to use them in production. This article is a sort of personal notebook where I summarize what I learned about jails. It will be updated frequently as I learn more.
Assumptions: The host is running FreeBSD 11.2/amd64 on ZFS. Each jail has a separate root dataset under /vm on the host.

Encrypted Temporary Storage with GELI

Recently, I wanted an encrypted working directory on a running FreeBSD system. The system was running on a plain (unencrypted) ZFS pool and there was no plan to add disks to it. I needed the working directory only temporarily. I came up with the following options: use GELI on a ZFS volume (zvol); use GELI on a memory disk (md); or use PEFS on a directory. I excluded PEFS because I had very little experience.

Connecting to the IPv6 Internet via tunnel (HE TunnelBroker)

I had been playing with IPv6 on various systems in the early 2000s. They were mostly NetBSD (1.x) and FreeBSD (4.x), plus Windows XP. My home network had been connected to the IPv6 Internet with a router running NetBSD/hpcmips, which was installed on a Windows CE handheld PC. After a decade and a half, I decided to reconnect my home network to the IPv6 Internet. Unfortunately, native IPv6 service is still unavailable to me.

Migrating a live system from GEOM mirror to ZFS mirror

I had been wanting to migrate a FreeBSD system on a GEOM mirror (gmirror) to a ZFS mirror. After several rehearsals on a VM, I have finally achieved that goal with the following steps.
Load ZFS-related kernel modules and set a tunable to use 4K sector drives.
  sudo kldload zfs
  sudo sysctl vfs.zfs.min_auto_ashift=12
Remove one (da0) of the two disks (da0, da1) which make up the gmirror (gm0).

Route-based VPN with FreeBSD-11.1's IPsec VTI

I have managed to set up a route-based IPsec VPN with FreeBSD-11.1 RC3, which had introduced the IPsec virtual tunnel interface, if_ipsec(4). Here is a record of my experiment, just for your information.
Prerequisites
  FreeBSD-11.1-RC3/amd64, GENERIC kernel
  No special packages/ports (just added sudo and a few other must-have utilities)
Network configuration
NOTE: The following text shows bsd1 configurations only.
                      10.0.0.1           10.0.0.2
  192.168.10.0/24 --- [bsd1] ----- /// ----- [bsd2] --- 192.168.20.0/24
  172.