Nerd blog.

14 May 2014

OpenBSD 5.5 BGP Looking Glass

I’ve written about OpenBSD and BGP Looking Glasses before. OpenBSD has since removed apache from base, and replaced it with nginx. This is OK with me since I prefer the simplicity and raw performance of nginx (and its ability to proxy!). This is an update which applies to OpenBSD after nginx removal (applies to 5.5 and later). This article has also been independently verified to work using OpenBSD 5.6 as well.

Install your system as you choose, I did a fairly default install as per the FAQ. My hardware in this case is virtual VMware hardware, 1 vCPU, 1GB vRAM, 16GB vHDD, and 1 vNIC connected to a network shared between both BGP routers.

The applicable configuration files:

ntpd_flags=             # enabled during install


Uncomment this section:

# FastCGI to CGI wrapper server
location /cgi-bin/ {
    fastcgi_pass   unix:run/slowcgi.sock;
    fastcgi_split_path_info ^(/cgi-bin/[^/]+)(.*);
    fastcgi_param  PATH_INFO $fastcgi_path_info;
    include        fastcgi_params;

and add the following if you want to serve the CGI as the index:

location / {
    index index.html;
    try_files $uri /cgi-bin/bgplg;


/var will need to be mounted without the nosuid option present by default.

The following will need to be run to allow ping, ping6, traceroute, and traceroute6 to function and resolve domains in the chroot:

chmod 0555 /var/www/cgi-bin/bgplg
chmod 0555 /var/www/bin/bgpctl
mkdir /var/www/etc
cp /etc/resolv.conf /var/www/etc
chmod 4555 /var/www/bin/ping
chmod 4555 /var/www/bin/ping6
chmod 4555 /var/www/bin/traceroute
chmod 4555 /var/www/bin/traceroute6

The last stage is to configure your BGP peering sessions in /etc/bgpd.conf

# global configuration
AS 65003
router-id x.x.x.195
fib-update no

# restricted socket for bgplg(8)
socket "/var/www/run/bgpd.rsock" restricted

neighbor {
        remote-as       65003
        descr           BGP1
        announce none

neighbor {
        remote-as       65003
        descr           BGP2
        announce none

neighbor 2001:DB8::193 {
        remote-as       65003
        descr           BGP1-v6
        announce none

neighbor 2001:DB8::194 {
        remote-as       65003
        descr           BGP2-v6
        announce none

# see all prefixes, since we want the visibility for a looking glass
allow from any

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.