BSD: OpenBSD/IPSec, SearXNG, FreeBSD
-
New routed IPsec VPN mode committed
The routed IPsec mode we reported on earlier has now been committed to -current by David Gwynne (dlg@), and is likely to be a prominent item for the upcoming OpenBSD 7.4 release.
-
Self-Hosted SearXNG instance on OpenBSD
Some time ago, I discovered and used searx on OpenBSD. This worked quite well but there were a few annoying bugs that I couldn’t solve. Mainly using OpenSearch with Firefox and timeouts with some Big Tech search engines. After struggling enough, I decided to switch to SearXNG. It has some cons compared to SearX but, regarding my needs and beliefs, the pros win.
The original documentation for Linux is available here. I’m doing it on OpenBSD 7.3.
-
The correct way to configure bridges in FreeBSD for IPv6 (and IPv4).
IPv6 has the concept of link scope. From IPv6's point of view, a bridge interface is a single link (just like multiple hosts connected to a physical Ethernet switch), but if there are IP addresses configured on the member interfaces of a FreeBSD bridge, the kernel considers these interfaces as their own links with associated link scope. This will cause IPv6 to break. The only correct configuration is to have no IP addresses configured on the member interfaces. The IP addresses belong exclusively on the bridge interface itself. The member interfaces should be treated as pure Ethernet (OSI layer 2) interfaces instead of both OSI layer 2 (Ethernet like) and OSI layer 3 (IP).
A further complication is that the bridge has to have unmodified access to the Ethernet frames, but most 1 Gb/s and faster interfaces, as well as virtual network interfaces, have offloading features like TSO and LRO that rewrite the small (by modern standards) 1500 byte Ethernet frames into “fake” larger frames to reduce the CPU overhead of processing the packet inside each frame. While useful to IP hosts, these offloading features have to be disabled to bridge Ethernet or to route and filter the IP packets inside.
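
A check for both conditions described above, as an added example that is not part of the linked article: it parses `ifconfig -a` output and flags bridge members that carry an IP address or still have TSO/LRO enabled. The sample output, its addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ifconfig -a` text for the two bridge misconfigurations
# described above. Reads ifconfig output on stdin; exits 1 if anything is flagged.
audit_bridge_members() {
    awk '
    /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface); next }   # "em0: flags=..."
    $1 == "member:" { bridge_of[$2] = iface; next }          # listed under a bridge
    $1 == "inet" || $1 == "inet6" { addrs[iface] = addrs[iface] " " $2; next }
    $1 ~ /^options=/ {                                       # capability flags in <...>
        n = split($1, flag, /[<>,]/)
        for (i = 2; i <= n; i++)
            if (flag[i] ~ /^(TSO4|TSO6|LRO)$/)
                offload[iface] = offload[iface] " " flag[i]
    }
    END {                                                    # members may precede the bridge
        for (m in bridge_of) {
            if (m in addrs) {
                printf "%s (member of %s): has address%s\n", m, bridge_of[m], addrs[m]
                bad = 1
            }
            if (m in offload) {
                printf "%s (member of %s): offload enabled%s\n", m, bridge_of[m], offload[m]
                bad = 1
            }
        }
        exit bad + 0
    }'
}

# Constructed sample in FreeBSD ifconfig layout (documentation addresses only).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=503<RXCSUM,TXCSUM,TSO4,LRO>
        ether 02:00:00:00:00:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 02:00:00:00:00:02
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:03
        inet6 2001:db8::1 prefixlen 64
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
}

sample_ifconfig | audit_bridge_members || true   # demo run on the constructed sample
```

On a live host the input would be `ifconfig -a | audit_bridge_members`; flagged offloads can be turned off with ifconfig's `-tso` and `-lro` parameters.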