… and you thought that cgi is dead …

httpd.conf

cat << 'EOF' > /etc/httpd.conf
types {
  include "/usr/share/misc/mime.types"
}


## A minimal default server ##
server "default" {
  listen on *   port 80
  log { access "default-access.log", error "default-error.log" }
  location "/cgi-bin/*" {
    fastcgi socket "/run/slowcgi.sock"
    root "/"
  }
}
EOF

chmod 644 /etc/httpd.conf
rcctl enable httpd
rcctl start httpd

Slowcgi

rcctl enable slowcgi
rcctl start slowcgi

CGI

cat << 'EOF' > /var/www/cgi-bin/test.cgi
#!/bin/sh

echo "Content-type: text/html\n\n";
echo "<HTML>\n";
echo "<HEAD>\n";
echo "  <title>Ich bin ein Titel :)</title>\n";
echo "</HEAD>\n";
echo "Test from /bin/sh ..!\n";
echo "</HTML>\n";
EOF

chown www /var/www/cgi-bin/test.cgi
chmod 500 /var/www/cgi-bin/test.cgi

Install Interpreter (Chrooted !)

mkdir /var/www/bin/
cp /bin/sh /var/www/bin/

Test

curl http://ip-of-device/cgi-bin/test.cgi

---

Any Comments ?

sha256: c102990dbf0d3903c8a066e7add79f0d1cac8b99557fb01874b2708d0135b710

OpenBSD Current

Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots FAQ

Assuming, you can’t wait for the next release, or you wanna test features, find bugs and so participate on the community, this little script will help you:

Upgrade to Current

and remove game*,comp*,xf* and xs* Packages before reboot

cat << 'EOF' > upgrade_to_current.sh
#!/bin/sh

echo "let's check for news ..."

local _response=$(sysupgrade -n -s)

if [[ $_response == *reboot ]]; then
  echo "\nInstalled! Let's reboot ...\n"
  rm /home/_sysupgrade/{game,comp,xf,xs}*
  reboot
else
  echo "Nothing todo ..."
fi

exit 0
EOF

chmod 755 upgrade_to_current.sh

---

Any Comments ?

sha256: c6eb0b5142102775f26c373f1d16c378ade7683af62ca77bb3d088fdbb52c603

doas, an alternative to sudo

Everybody knows sudo … right ? but the openbsd guys hacked a small and secure replacement called doas …

simple, secure and clever

here a good and quick tutorial

An introduction on Vultr, the Source Code on Github and the Man Page

Installation OpenBSD

On OpenBSD, it’s already in the Base System and no need to install anything.

Installation Linux

On Linux, for Example, you have to add the Package

ssh-audit is a tool for ssh server auditing.

Features

SSH1 and SSH2 protocol server support;

grab banner, recognize device or software and operating system, detect compression;

gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;

red

blue

green

yellow

nothing to add ;)

---

Any Comments ?

sha256: 4c3348e17608fe296942aef18b8044221d7f882006eb5b5ce931ec6a898f706a

Medien Navigator

von NATO konform bis NATO kritisch, eine schoene Übersicht …

Medien Navigator PDF

---

Any Comments ?

sha256: 8b7ae1266099eb7a85aaeeeabfbf37b4021d7d0fa37c28cb1a88d8aa9a298ddd

Wanna add some simple forms and process the Content with PHP ?

Add RawHTML Template

if not yet done

mkdir layouts/shortcodes/
cat << 'EOF' > layouts/shortcodes/rawhtml.html
<!-- raw html -->
{{.Inner}}
EOF

Create Script

cat << 'EOF' > static/welcome.php
<html>
<body>

Welcome <?php echo $_POST["name"]; ?><br>
Your email address is: <?php echo $_POST["email"]; ?>

</body>
</html>
EOF

Create new Post and add rawhtml

without " " between { and {

hugo new content/post/rawtest.md

vim content/post/rawtest.md

{ {<rawhtml>} }
<form action="/welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
{ {</rawhtml>} }

Example

Just a small Form Example

Name:
E-mail:

Custom Template Stuff

mkdir -p layouts/shortcodes

cat << 'EOF' > layouts/shortcodes/date.html
{{ now.Format "2006-01-02 03:04:05" }}
EOF

Insert Code in Template

current date ? { {< date >} }

Result ?

current date ?? 2026-04-17 11:57:21

Add RawHTML

Create Template

cat << 'EOF' > layouts/shortcodes/rawhtml.html
<!-- raw html -->
{{.Inner}}
EOF

Add Code

{ {< rawhtml >} }
  <p class="speshal-fancy-custom">
    This is <strong>raw HTML</strong>, inside Markdown.
  </p>
{ {< /rawhtml >} }

Result ?

This is raw HTML, inside Markdown.

Intro

Stage two Machines, puffy206 and puffy207 Both Maschines needs static IP Adresses

puffy206

Loopback & Gif

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.6 10.10.10.7 netmask 255.255.255.255
tunnel 192.168.108.206 192.168.108.207
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.206 to 192.168.108.207 peer 192.168.108.207 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.206 \
psk "my-tunnel-is-private"
EOF

chmod 600 /etc/ipsec.conf

Create ospfd.conf

cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.206"

# global configuration
router-id id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

puffy207

Loopback & Gif

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.7 10.10.10.6 netmask 255.255.255.255
tunnel 192.168.108.207 192.168.108.206
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.207 to 192.168.108.206 peer 192.168.108.206 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.207 \
psk "my-tunnel-is-private"
EOF

chmod 600 /etc/ipsec.conf

Create ospfd.conf

cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.207"

# global configuration
router-id $id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

Test

ifconfig gif
ipsecctl -s all
route -n show -inet
ospfctl show nei

Throughput Test

root@client2 ~# tcpbench 10.0.0.7
  elapsed_ms          bytes         mbps   bwidth
        1000        2801664       22.413  100.00%
Conn:   1 Mbps:       22.413 Peak Mbps:       22.413 Avg Mbps:       22.413
        2009        2775672       22.007  100.00%
Conn:   1 Mbps:       22.007 Peak Mbps:       22.413 Avg Mbps:       22.007
        3014        3173760       25.264  100.00%
Conn:   1 Mbps:       25.264 Peak Mbps:       25.264 Avg Mbps:       25.264
        4021        3192912       25.391  100.00%
Conn:   1 Mbps:       25.391 Peak Mbps:       25.391 Avg Mbps:       25.391

---

Any Comments ?

sha256: d27ad9e5808a63352b5e5070af2abd82a9924129b713f98d1d10d4f8a8085df4

Intro

Stage a few Machines, puffy206 - 209 puffy206 has got a static ip, while puffy207 - 209 got dynamic ip addresses

Master, puffy206

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.7/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

Slave, puffy207

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.7/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Slave, puffy208

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.8/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.8/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Slave, puffy209

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.9/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.9/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Full IPSEC Example

cat /etc/ipsec.conf

#
# https://man.openbsd.org/ipsec.conf.5
# http://www.kernel-panic.it/openbsd/vpn/vpn3.html
# https://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
#
# ike [mode] [encap] [tmode] [proto protocol] \
    # from src [port sport] [(srcnat)] to dst [port dport] \
    # [local localip] [peer remote] \
    # [mode auth algorithm enc algorithm group group] \
    # [quick auth algorithm enc algorithm group group] \
    # [srcid string] [dstid string] \
    # [psk string] [tag string]

# mode:   active (default), passive, dynamic
# encap:  esp (default), ah
# tmode:  tunnel (default), transport
# mode:   main (default), aggressive -> this is phase 1
# quick:  -> this is phase 2


# Var

local_gw    = "MEINE-PUBLIC-IP"
local_net   = "MEIN-NETZWERK/MASK"

auth1       = "hmac-sha1"       # hmac-sha1, hmac-sha2-256, hmac-sha2-384, hmac-sha2-512
enc1        = "aes-128"         # aes-128 (=aes), aes-192, aes-256, blowfish
group1      = "modp3072"        # modp768 (g1), modp1024 (g2), modp1536 (g5), modp2048 (g14), modp3072 (g15), modp4096 (g16), modp6144 (g17), modp8192 (g18), ... (g30)
time1       = "3600"            # in Seconds, or 10m, resp 12h

auth2       = "hmac-sha2-256"   # siehe oben
enc2        = "aes-128"         # siehe oben
group2      = "modp3072"        # siehe oben
time2       = "1200"            # siehe oben


# Tunnel to Remote

remote_gw   = "DEINE-PUBLIC-IP"
remote_net  = "DEIN-NETZWERK/MASK"
key         = "super-huper-secret-key""

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

Links

Packetmischief