polarian: all my music is stored locally and i use Navidrome to stream it to devices (it's also exported via NFS, but i like having centralised playlists and stuff)

Good morning. Which host-to-host VPN solution do you recommend ?

L3Fr0g: that's a pretty broad question

but wireguard seems be a popular solution and is in base

why not ipsec?

gre with ipsec i guess

heh, I tried to set up wireguard as a vpn server yesterday, but somehow it doesn't work so far

I followed this guide: vlads.me/post/create-a-wireguard-server-on-freebsd-in-15-minutes

Title: Create a WireGuard® server on FreeBSD in no time | webdev & tech

yourfate: What is not working? I've been using it just fine for quite some time.

Are all cloned interfaces not exposed via netgraph? If so, why?

(this question is unrelated to the response above)

I was confused for a second :D

as I have not used netgraph before

I can connect to the wireguard server (I think), but then I don't have any internet connectivity anymore

What did you put inside allowedips and interface address?

server side: allowed IPs 0.0.0.0/0

interface address I used the 10.96.100.1

L3Fr0g: please take a look at if_ipsec(4)

which, if I understand it correctly, is then NAT-ed using PF

on the client I also used 0.0.0.0/0 in the allowed IPs

You can look at your routing table. This configuration would mean that the server should add your client as a default gateway and on the client should put default gateway the server.

That is probably not what you wanted.

ah, so what would I need to change?

I can share you my configuration if you want. I just have issues with bsd.to (pastebin) at the moment...

tbh, bsd.to is very falkey

I personally just use gitlab snippets, which I can manage better

requires an account though

I'll send it to you via direct messages.

sure

L3Fr0g: if you want something simple wireguard is hard to beat

but ipsec can be faster since it gets to use hardware offloading

ipsec + gre ?

the major downside to ipsec is the complex configuration

L3Fr0g: if it's freebsd <-> freebsd i would use if_ipsec (aka ipsec vti)

which on the wire is ipsec tunnel mode, but the important difference to traditional ipsec tunnel mode ist that it has a dedicated interface and the policy is scoped to the interface

so it plays nice with (dynamic) routing

crest: if_ipsec(4) is not that complex if you skip IKE

and IKE is optional

mzar: you need ike for dynamic keying

static manual keys are just a toy setup

toy... could be

in theory you could write your own key exchange daemon, but you probably already know how badly that can go

bsdrp.net/documentation/examples/gre_ipsec_and_openvpn <-- plenty of examples

Title: VPN with GRE, GIF, IPSec, OpenVPN and Wireguard [BSD Router Project]

L3Fr0g: ^^^

an other option would be openvpn with DCO (data channel offloading) if you're on freebsd 14.0 or newer

there are better options for 1:1 FreeBSD with public addresses

mzar: have you looked at the performance of ovpn(4)?

sure

I am using in production since a longer while

in some benchmarks it even beats ipsec according to the author of the freebsd dco driver

hm..

but according to my older benchmarks the fastest vpn available in freebsd that plays nice with dynamic routing is ipsec vti

+1

if the endpoins can reach each other if_ipsec is a way to go

for one to few I'd choose wireguard, for one to many ovpn

this is my old stongswan config for ipsec vti

Title: FreeBSD IPsec VTI · GitHub

the only strange thing about it is the leftsubnet/rightsubnet. i never found a way to make strongswan and the kernel agree perfectly

because ipsec vti interfaces want to install their own policy matching all traffic via the interface

and strongswan wants to install a 0/0 policy

i side-stepped this conflict my letting strongswan install a policy for the ancient chaos protocol instead of ip

it's left as an exercise (exorcism?) to the reader to convert it to the new config syntax

I followed this guide: vlads.me/post/create-a-wireguard-server-on-freebsd-in-15-minutes and now my configs look like this: gitlab.com/-/snippets/3717879

Title: Create a WireGuard® server on FreeBSD in no time | webdev & tech

weirdly tho, it seems that when I connect to that it messes with the network of the server

and some services running on the server lose internet connection

i got clear_tmp_enable="YES" on all my systems. but only some of them have /etc/rc.d/cleartmp in the sudo service -e output. why??

sfox and L3Fr0g wireguard tends to be faster... iirc

list #freebsd

Hi, I'm trying to get the number of ACL entries on a directory. Is there a better way than: getfacl testfolder | sed '/^#/d' | wc -l

Or any other method to add ACL antries at the end with setfacl?

hi FreeBSD!

Who is responsible for Local User Groups ?

My mom.

I am considering slapping OpenBSD in a vm using bhyve however I do not want to use vnc (the server is headless and only accessible via ssh), is there any guides on accessing the vm over a serial device?

therefore I can simply manage it over ssh

I have read through the handbook on bhyve I didn't see anything mentioning i t

polarian: #bhyve for this type of question, but of course you can connect over serial with bhyve, using a nmdm device. using vm-bhyve helps streamline this (it'll start a console for you) and for OpenBSD you need the magic words at the boot prompt: stty com0 115200 & set tty com0

vm-bhyve is a package for managing bhyve VMs

vortexx: thanks for the advice :)

bhyve is its own channel cause how big it is :P

65 nicks, I've been in there for close to a decade

65 nicks! why so many?

it's just easier to answer all the specific "how do I runs this $OS in bhyve" questions in one place where it's more likely to get attention

from people who are actually running said $OS and know the tricks to getting it installed and booted

not that many tricks are needed these days

I also found this: wiki.freebsd.org/bhyve/OpenBSD

Title: bhyve/OpenBSD - FreeBSD Wiki

but yeah I will join the channel thanks

Title: Supported Guest Examples · churchers/vm-bhyve Wiki · GitHub

although in that link it says to use grub to boot OpenBSD, which isn't necessary. UEFI works fine and has ever since OpenBSD grew UEFI support

your wiki page has the correct information too

Guys, i have a freebsd machine with two disks having the same size, i want to set-up soft raid and have no success. I have managed to mirror efi and freebsd-boot, however, after reboot it looks like the system does not know where to boot from

how can i fix this ?

L3Fr0g: why raiding them, use zfs no?

mirror them in a zfs pool

let zfs do all the heavy lifting, thats the FreeBSD way :P

@polarian, can you please tell me how to mirror efi and freebsd-boot partition with zfs ? :-)

i guess that these devices need to be set up as geom mirrors

docs.freebsd.org/en/books/handbook/jails/#creating-thin-jail-nullfs -> `mv /usr/local/jails/templates/13.2-RELEASE-base/var /usr/local/jails/templates/13.2-RELEASE-skeleton/var' fails with `mv: /{snip}/var/empty: Operation not permitted' - because of the schg flag on /var/empty

Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal

L3Fr0g: you want to boot from both of the disks, don't mirror boot, ZFS will do it for you, just install bootloader on both drives

@mzar, what about efi ?

the installer does this all for you :P

you can have efi partiotions on both drives

they don't have to be mirrored, but loader has to be updated when you upgrade ZFS pool

if you are not upgrading, usually you don't have to bother about updatin .efi

L3Fr0g: how do you like FreeBSD ?

i didn't use it in the last 20 years, i forgot everything

OK, I was using all that time for you, it's still great OS, maybe even better now ;-)

@mzar, i want to create a freebsd bhyve cluster with storage in sync using hast over zfs and carp fail-over, is this doable ?

ha.. probably overcomplicated

do you have anything better in mind? i really need a high-available set-up, i want to move to freebsd from SLES

zfs has it's own replication mechanism, carp code is working fine, but I don't know how are you going to manage that cluster ?

not sure what answer to provide :-)) i don't really know what you mean

when i try to install the bootloader on the second partition i get: gpart: No such geom: /dev/nda0p2

nevermind, i got it

@mzar, any idea on how to take a disk offline to check if the above implementation is working fine? I have no physical access to the system

stopping the disks with camcontrol or glabel won't do it apparently

the disks are not managed using any raid controller

i really need to simulate a disk failure

got it, editing the bootlader conf and blacklisting the device

what happens with camcontrol ?

Operation not permitted

L3Fr0g: I don't have any NVM drives, but in CURRENT there is nvmft(4) - The nvmft driver provides the kernel component of an NVM Express over Fabrics controller. The NVMeoF controller is the server exporting namespaces backed by local files and volumes to remote hosts - interesting

booting from both drives seems to be working fine, thanks

i got clear_tmp_enable="YES" on all my systems. but only some of them have /etc/rc.d/cleartmp in the sudo service -e output. why??

i got clear_tmp_enable="YES" on all my systems. but only some of them have /etc/rc.d/cleartmp in the sudo service -e output. why??

oops

but cleartmp isn't really a service

nicklist.pl