Last modified by Yu Pang Law on 2022/12/14 04:12

8 posts

Jan 24 2023

Compiling Custom Kernel

  1. Update FreeBSD to latest patch
    freebsd-update fetch
    freebsd-update install
  2. Install git
    pkg install git
  3. Updating source file
    git clone -o freebsd /usr/src
    cd /usr/src
    git checkout stable/13
  4. prepare custom kernel file
    mkdir /root/kernels
    cd /usr/src/sys/amd64/conf
    cp GENERIC /root/kernels/MYKERNEL
    ln -s /root/kernels/MYKERNEL

    depends on your CPU architecture, config file location may be different. For usual, Intel/AMD CPU, it will be amd64

  5. add/remove options in the MYKERNEL file
  6. Compile and install MYKERNEL, then reboot
    cd /usr/src
    make buildkernel KERNCONF=MYKERNEL
    make installkernel KERNCONF=MYKERNEL
  7. Check if MYKERNEL is installed correctly
    uname -a
    If correct, it should show MYKERNEL

Jan 02 2023

Configuring Unbound for whole network

  1. Install and config unbound as usual. For basic, remote set up check unbound remote resolver setup
  2. Install bgpq4
  3. Generate prefix list filter for your AS or AS SET
    bgpq4 -4A -h -F 'access-control: %n/%l allow\n' AS-SET > /usr/local/etc/unbound/prefix.txt
  4. Edit unbound.conf, under server:, add
    include: /usr/local/etc/unbound/prefix.txt
  5. Set up cron job to update prefix list and restart unbound periodically

Dec 14 2022

Using FreeRadius for Supermicro IPMI

  1. Create a new FreeRadius Virtual site for Supermicro IPMI (without enabling SQL support)

FreeRadius With SQL

  1. Edit /usr/local/etc/raddb/dictionary and add a new attribute
    ATTRIBUTE IPMI-radius  26 octets
    3. Edit /usr/local/etc/raddb/policy.d/foo and add
    foo {
         update reply {
           # Vendor-Specific = "H=4"
           &Attr-26 = 0x483D34

    0x483D34 is Hex Code for String "H=4"

If you need other type of permission (e.g. H=3) just change the string to hex code.

  1. Edit /usr/local/etc/raddb/users and add the following user
    ipmiAdmin Cleartext-Password := "Any-password"
              IPMI-radius += "0x483d34"

    You can replace ipmiAdmin and authorization type.
  1. Restart FreeRadius
  1. Login to Supermicro IPMI and enable Radius support.

Dec 14 2022

Install OpenVPN on FreeBSD system

  1. Update Port Collection
    portsnap fetch update
    if it is the first time,
    portsnap fetch extract
  2. Install OpenSSL
    cd /usr/ports/security/openssl
    make install clean
  3. Edit /etc/make.conf, and add
  4. Install OpenVPN, easyrsa
    cd /usr/ports/security/easy-rsa
    make install clean
    cd /usr/ports/security/openvpn
    make install clean
  5. Create Configuration directory and copy sample configuration file
    mkdir -p /usr/local/etc/openvpn/easy-rsa
    mkdir /usr/local/etc/openvpn/server
    cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
    cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
  6. Edit  /usr/local/etc/openvpn/easy-rsa/vars and set your information for SSL
    set_var EASYRSA_REQ_COUNTRY     "HK"
    set_var EASYRSA_REQ_PROVINCE    "Kowloon"
    set_var EASYRSA_REQ_CITY        "San Po Kong"
    set_var EASYRSA_REQ_ORG         "Laws Cloud Infrastructure Limited"
    set_var EASYRSA_REQ_EMAIL       ""
    set_var EASYRSA_REQ_OU          "VPN Department"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_CA_EXPIRE 3650
    set_var EASYRSA_CERT_EXPIRE 3650
  7. Initialize PKI
    cd /usr/local/etc/openvpn/easy-rsa
    sh ./easyrsa.real init-pki
  8. Build CA Certificate, key, certificate file
    sh ./easyrsa.real build-ca
    sh ./easyrsa.real build-server-full server nopass
    sh ./easyrsa.real build-client-full client nopass
    sh ./easyrsa.real gen-dh
    openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
    cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
  1. Edit /usr/local/etc/openvpn/server/server.conf
    port 1194
    proto udp
    dev tun
    ca /usr/local/etc/openvpn/server/ca.crt
    cert /usr/local/etc/openvpn/server/issued/server.crt
    key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret
    dh /usr/local/etc/openvpn/server/dh.pem
    topology subnet
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS"
    push "dhcp-option DNS"
    keepalive 10 120
    tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    max-clients 100
    user nobody
    group nobody
    status /var/log/openvpn/openvpn-status.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    auth sha512
    remote-cert-tls client
  2. Create log directory
    mkdir /var/log/openvpn/
  3. Edit /etc/rc.conf and enable OpenVPN
    natd_flags="-dynamic -m"

      **em1 is the outgoing network adapter. If you are not sure, check the line that bind your IP
    ifconfig_em1="inet netmask"
    Network adapter name is the string after ifconfig_ (and before = )
  1. Set up client ovpn profile
    dev tun
    proto udp
    remote IP-address-of-your-VPN 1194
    resolv-retry infinite
    dhcp-option DNS
    user nobody
    group nogroup
    key-direction 1
    tls-auth ta.key 1
    verb 3
    auth SHA512
    remote-cert-tls server
    content of /usr/local/etc/openvpn/server/ca.crt
    content of /usr/local/etc/openvpn/server/issued/client.crt
    content of /usr/local/etc/openvpn/server/private/client.key
    content of /usr/local/etc/openvpn/server/ta.key
    key-direction 1

Optional: (Enable Radius Authen)

  1. Install OpenVPN Radius Plugin
    cd /usr/ports/security/openvpn-auth-radius
    make install clean
  2. Copy Sample plugin configure to OpenVPN configuration directory
    cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
  3. Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set to
    and bottom, find server { and change the port, IP and secret phase to
     # The UDP port for radius accounting.
     # The UDP port for radius authentication.
     # The name or ip address of the radius server.
     # How many times should the plugin send the if there is no response?
     # How long should the plugin wait for a response?
     # The shared secret.
  4. Edit Openvpn config file (server.conf). Add the following to the end of file
    plugin /usr/local/lib/ /usr/local/etc/openvpn/server/radiusplugin.cnf
  5. Edit Client ovpn file and add the following line

Dec 14 2022

FreeRadius enable Virtual site with SQL

  1. Create MySQL/ Postgresql Database and user
  2. import FreeRadius database schema in
  3. edit sql configuration file and fill in database details

     server = "hostname-here"
     port = 3306
     login = "database-login-here"
     password = "password-here"
     radius_db = "database-name-here"
  4. if more than one database (for different application), copy the whole section, add an instance name and change the database details:
    sql {
    sql instance1 {
  5. copy "default" configuration file to "virtual1" (or any name)
  6. Edit "virtual1" file. and make the following changes
    1. Change the virtual site name:
      server default {
      server virtual1 {
    2. Change the port number
      port = 55555
    3. enable sql,
      find the following line
      #      sql
      and change to
      "instance1" is the sql instance name added in step 4
  7. Add a client for this virtual host
    client your-device {
           ipaddr =
           secret = secretPhrase
           virtual_server = virtual1

    your-device is profile name

ipaddr is IP address (or IP address range) for your device(s). If more than 1, need to use "|" to separate
secret is the passphrase to use the radius service
virtual_server is the virtual site name used in step 5.

  1. add user into the database
    insert into radusergroup (username, groupname, priority) VALUES ('username','groupname', 1);
    insert into radcheck (username, attribute, op, value) VALUES ('username', 'Cleartext-Password', ':=', 'password');
    9. Restart radiusd

Dec 14 2022

FreeRadius configure file

  • mods-config - module set up file
  • mods-enabled - module configuration file
  • site-enabled - default and virtual site configuration file
  • radiusd.conf - global configuration file
  • clients.conf - client configuration file.

Dec 14 2022

Certbot usage (Free SSL certificate generation)

Generate and install SSL certifcate using Certbot:

  1. Install Certbot from FreeBSD ports and install python:
    cd /usr/ports/security/py-certbot
    make install clean
    cd /usr/ports/lang/python
    make install clean
  2. Generate a free SSL
    certbot certonly --webroot
  3. Enter the web root and hostname for certificate
  4. Make change to Apache configration and restart Apache
  5. Add the following command to cron and run once a day
    /usr/local/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot renew

Uninstall an existing SSL certicate generated by Certbot:
certbot delete --cert-name

where is the sub-domain that need to be removed.

Dec 14 2022

MySQL time zone Database

  1. Import Time Zone Data to MySQL
    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
  2. Grant "Select" Privileges to MySQL user
    GRANT SELECT ON mysql.time_zone_name TO cacti@localhost;
    flush privileges;
Copyrighted by