OpenBSD 6.6 BGP Looking Glass

I’ve written about OpenBSD and BGP Looking Glasses previously and before that. OpenBSD has since removed nginx from base and replaced it with its own httpd(8). This suits me, since I prefer my OpenBSD systems to be self-contained and running entirely from base.

Install the system as you choose; I did a fairly default install as per the FAQ. My hardware in this case is virtual VMware hardware: 1 vCPU, 1 GB vRAM, 12 GB vHDD, and 1 vNIC on a network shared with both BGP routers.

The applicable configuration files and changes are below.

rc.conf.local

Enabling the three services with rcctl(8) produces these lines. Empty flags mean each daemon starts with its defaults; slowcgi(8) is what runs the bgplg CGI on behalf of httpd(8).

bgpd_flags=
httpd_flags=
slowcgi_flags=

httpd.conf

Copy /etc/examples/httpd.conf to /etc/httpd.conf and add the following to the HTTPS server block. Paths in httpd.conf are relative to the /var/www chroot, so root "" makes this location resolve to /var/www/cgi-bin/bgplg, and fastcgi without a socket argument uses the default /run/slowcgi.sock that slowcgi(8) creates under the chroot. You may want to use acme-client(1) to obtain a Let's Encrypt certificate for the looking glass and keep it renewed.

location "/cgi-bin/*" {
    fastcgi
    root ""
}

Add the following if you want requests for the site root redirected to the CGI, so that visiting the hostname alone lands on the looking glass:

location "/" {
    block return 302 "https://$HTTP_HOST/cgi-bin/bgplg"
}
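For reference, a complete httpd.conf assembled around the two location blocks above. This is an added example, not the configuration from the post or from /etc/examples/httpd.conf; the hostname lg.example.com, the certificate and key paths, and the acme-client(1) challenge location are assumptions. Static content (the stylesheet bgplg links to) is served from the default document root /htdocs inside the chroot.

```conf
# lg.example.com looking glass (added example; hostname and cert paths are assumed)

server "lg.example.com" {
        listen on * port 80

        # acme-client(1) writes its challenge files under /var/www/acme
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }

        # everything else is bounced to HTTPS, preserving the path
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

server "lg.example.com" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/lg.example.com.fullchain.pem"
                key "/etc/ssl/private/lg.example.com.key"
        }

        # keep the challenge location here too so renewals work over 443
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }

        # bgplg runs as a CGI via slowcgi(8); root "" is relative to the
        # /var/www chroot, so this is /var/www/cgi-bin/bgplg on disk
        location "/cgi-bin/*" {
                fastcgi
                root ""
        }

        # requests for the bare site root go straight to the looking glass
        location "/" {
                block return 302 "https://$HTTP_HOST/cgi-bin/bgplg"
        }
}
```

Check the file with httpd -n before restarting; a bad location block is reported with its line number rather than silently ignored.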

/etc/fstab

The installer's /etc/fstab mounts /var with nosuid by default, which makes the kernel ignore the setuid bit on the copies of ping and traceroute inside the chroot. Remove nosuid from the /var line and remount it with mount(8) -u, or reboot. This loosens one of the default hardening options for all of /var; if that is unwelcome, give /var/www its own filesystem mounted without nosuid instead.

Run the following as root. bgplg and bgpctl only need to be executable, since bgpctl talks to the restricted bgpd socket as the www user without any privilege; ping, ping6, traceroute and traceroute6 open raw sockets, so they must be setuid root inside the chroot; and resolving names from inside the chroot needs its own copy of resolv.conf:

chmod 0555 /var/www/cgi-bin/bgplg
chmod 0555 /var/www/bin/bgpctl
mkdir /var/www/etc
cp /etc/resolv.conf /var/www/etc
chmod 4555 /var/www/bin/ping
chmod 4555 /var/www/bin/ping6
chmod 4555 /var/www/bin/traceroute
chmod 4555 /var/www/bin/traceroute6
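The same steps as a script, with the checks a deployment script should make first. This is an added example, not part of the post or of bgplg(8): the chroot root and the resolv.conf source are parameters so it can be exercised against a scratch directory before being run as root against /var/www, and fstab_has_nosuid warns when the /var line in fstab still carries the nosuid option that would defeat the setuid bits.

```sh
#!/bin/sh
# Added example: prepare the httpd(8) chroot for bgplg(8).  Mirrors the
# chmod/mkdir/cp steps from the post; the chroot root ($1) and the
# resolv.conf to copy in ($2) are parameters, not bgplg(8) conventions.

# Report (exit 0) whether the fstab entry for a mount point carries nosuid.
# A line it would flag, constructed for illustration:
#   a1b2c3d4e5f6a7b8.e /var ffs rw,nodev,nosuid 1 2
# Usage: fstab_has_nosuid /etc/fstab /var
fstab_has_nosuid() {
    awk -v mnt="$2" '
        $1 !~ /^#/ && $2 == mnt {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Set the permissions bgplg(8) needs inside the chroot.
# $1: chroot root (default /var/www); $2: resolv.conf source (default /etc/resolv.conf)
prepare_bgplg_chroot() {
    _root=${1:-/var/www}
    _resolv=${2:-/etc/resolv.conf}

    # The CGI and bgpctl only need to be executable: bgpctl talks to the
    # restricted bgpd socket as the www user and needs no privilege.
    for f in cgi-bin/bgplg bin/bgpctl; do
        [ -f "$_root/$f" ] || { echo "missing $_root/$f" >&2; return 1; }
        chmod 0555 "$_root/$f"
    done

    # ping/traceroute open raw sockets, so they must be setuid root.  chmod
    # leaves the owner untouched; the copies in /var/www/bin are root-owned.
    for f in bin/ping bin/ping6 bin/traceroute bin/traceroute6; do
        [ -f "$_root/$f" ] || { echo "missing $_root/$f" >&2; return 1; }
        chmod 4555 "$_root/$f"
    done

    # Name resolution inside the chroot needs its own copy of resolv.conf.
    mkdir -p "$_root/etc" || return 1
    cp "$_resolv" "$_root/etc/resolv.conf" || return 1
}

# Run as:  sh prepare-bgplg.sh /var/www
# With no argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    if fstab_has_nosuid /etc/fstab /var; then
        echo "warning: /var is nosuid in /etc/fstab; setuid ping/traceroute will not work" >&2
    fi
    prepare_bgplg_chroot "$1"
fi
```

Once bgpd is running with the restricted socket from the next section, confirm the chroot side works by running bgpctl -s /var/www/run/bgpd.rsock show summary as root; if that succeeds but the web page shows nothing, the problem is in httpd or slowcgi, not in bgpd.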

bgpd.conf

The last stage is to configure the BGP peering sessions in /etc/bgpd.conf. The looking glass is a passive listener: fib-update no keeps bgpd from installing anything into the kernel routing table, the socket line creates a second control socket inside the httpd chroot whose restricted keyword limits bgpctl(8) to show commands, and the allow from any filter at the end accepts every prefix the peers send so that bgplg can display it.

# global configuration
AS 65003
router-id x.x.x.195
fib-update no

# restricted socket for bgplg(8)
socket "/var/www/run/bgpd.rsock" restricted

neighbor 192.0.2.193 {
        remote-as       65003
        descr           BGP1
        announce none
}

neighbor 192.0.2.194 {
        remote-as       65003
        descr           BGP2
        announce none
}

neighbor 2001:DB8::193 {
        remote-as       65003
        descr           BGP1-v6
        announce none
}

neighbor 2001:DB8::194 {
        remote-as       65003
        descr           BGP2-v6
        announce none
}

# see all prefixes, since we want the visibility for a looking glass
allow from any