Building an OpenBSD router using an APU4D4

Tested on OpenBSD 6.8

NOTE (2023-07-22): the APU platform is end-of-life. In addition, this article is probably due for a rewrite. Many of the principles still apply on a broad level, but tread with caution.

Foreword

It’s no secret that consumer routers have security problems (600 CVEs between 1999 and 2017, and those were only the disclosed vulnerabilities) as a result of poorly engineered software. The paper “So You Think Your Router Is Safe?” addresses this subject well.

Confronted with this reality, as someone who’s been bitten by the OpenBSD bug (or pufferfish, same difference), the solution that came to mind was to build my own router. So I did, and what follows is how I did it.

Hardware

To purchase an APU4D4 or similar, visit PC Engines. Their boards come with coreboot preinstalled and so far it’s been a great experience.

APU4B4 board on a wooden surface (front side).

APU4B4 board on a wooden surface (back side).

Include a USB to DB9F serial adapter in the purchase, as it’s needed for the installation.

USB to DB9F serial adapter on a wooden surface.

Consult the manual for assembly instructions.

Download OpenBSD

Download, verify, and flash the amd64 image that includes the file sets (installXX.img) to a USB drive. OpenBSD’s FAQ covers this.

Install OpenBSD

Connect to the serial port. I run OpenBSD on my laptop, so I use cu(1) for serial connections. Note that the user must be part of the dialer group to use cua(4) devices, so I’ll briefly outline how to make sure that’s the case.

Display the current user and groups they belong to with id(1).

$ id

Add the user to the dialer group if necessary with usermod(8).

# usermod -G dialer [user]

Finally, connect to the serial port. This indicates the line to use (-l) and the baud rate (-s). The APU4D4 requires a baud rate of 115200.

$ cu -l cuaU0 -s 115200

Please remember to enter this at the boot prompt afterward, to configure the serial connection. Later on, the installer will set these.

boot> stty com0 115200
boot> set tty com0
boot> boot

From here, the FAQ provides enough information to get through the rest of the installation procedure. Be sure to look at the documentation for the relevant architecture. In this case, that means to consult the notes on amd64.

After installation

Do the usual (in other words, read afterboot(8), check system mail, and so on). After that, there’s a couple of things that must be implemented.

A firewall, DHCP server, and DNS server. See my pf.conf.
A way to connect to the Internet, which can vary between providers. For some, a PPPoE connection may be needed. See pppoe(4).

Some other things that can be added:

Many use cases require a network bridge for ethernet interfaces. As of 6.9, I’m using veb(4) with good results.
IPv6, depending on use case and whether the ISP supports it.
DNS sinkhole with unbound(8), see Creating a DNS sinkhole with Perl and unbound(8).
Authoritative DNS for devices on the home network with the special-use domain home.arpa, see Local authoritative DNS on OpenBSD using dhcpd(8) and unbound(8).

As always, give official OpenBSD documentation preferential treatment and cross-reference it when using unofficial documentation. Keep it simple and if what a knob changes is unclear, don’t change it.

WireGuard

Solene has a great article on this.