Blog

External USB SSD storage with FreeBSD GELI and ZFS

Identify device.

Attach the external storage and identify the device.

# dmesg
da0 at umass-sim0 bus 0 scbus7 target 0 lun 0
da0: <Seagate Performance 1337> Fixed Direct Access SPC-4 SCSI device
da0: Serial Number 1337XSCZ
da0: 400.000MB/s transfers
da0: 1907729MB (3907029167 512 byte sectors)
da0: quirks=0x2<NO_6_BYTE>

Create encryption key.

Create the key-file component of the encryption key from the kernel random device. The size of this file is not related to the data key length of the encryption algorithm: GELI combines the key file with the passphrase to derive the key that protects the master key, so both components are needed to attach the provider, and losing the key file means losing the data. Keep the key file (and a copy of it) off the drive it protects and readable by root only.

# dd if=/dev/random of=foobar.key bs=256 count=1
1+0 records in
1+0 records out
256 bytes transferred in 0.000037 secs (9560043 bytes/sec)
# chmod 0600 foobar.key

Initialize GELI encryption.

The sector size is set to 4096 bytes for better alignment with SSDs. AES-XTS is the default (and recommended) algorithm; -l 256 selects a 256-bit data key, i.e. AES-256, since the default key length for AES-XTS is 128 bits. A backup of the GELI metadata is written to the file foobar.eli. The metadata holds the encrypted master key, and without it the drive cannot be attached, so keep this backup together with the key file somewhere safe and off the drive. The utility asks for a passphrase, which is the second component of the key.

# geli init -s 4096 -K foobar.key -e aes-xts -l 256 -B foobar.eli /dev/da0
Enter new passphrase:
Reenter new passphrase:
Metadata backup for provider /dev/da0 can be found in foobar.eli
and can be restored with the following command:
# geli restore foobar.eli /dev/da0

Attach provider.

Attach the encrypted provider and get an accessible block device.

# geli attach -k foobar.key /dev/da0
Enter passphrase:

Create ZFS pool.

Create a ZFS pool on the attached provider. ashift=12 makes ZFS use 4096-byte (2^12) minimum allocation units, matching the 4096-byte sector size given to GELI and the page size common on SSDs. ZFS would normally derive this from the sector size the provider reports, but setting it explicitly avoids ending up with ashift=9, which cannot be changed after the pool is created.

# zpool create -o ashift=12 foobar /dev/da0.eli

Optimize ZFS pool.

If the device will be used for backup, you might want to enable LZ4 compression and disable access time updates for increased performance.

# zfs set compression=lz4 foobar
# zfs set atime=off foobar

Create ZFS datasets.

Create ZFS datasets in the pool as needed.

# zfs create foobar/backup

Set mountpoint.

Set ZFS mountpoint.

# zfs set mountpoint=/mnt/foobar foobar

Export ZFS pool.

When the USB SSD is no longer needed, prepare it for disconnection by exporting the ZFS pool. A plain zpool export should succeed; -f forces the datasets to be unmounted even while they are busy, so use it only after checking that nothing is still writing to the pool.

# zpool export -f foobar

Detach provider.

# geli detach /dev/da0.eli

The external USB SSD can now be physically disconnected from the USB port and stored in a safe place.

Attach provider.

When the USB SSD is to be used again, connect it via USB and attach the GELI provider by supplying the key-file component and the passphrase component.

# geli attach -k foobar.key /dev/da0
Enter passphrase:

Import ZFS pool.

The ZFS pool can now be imported.

# zpool import foobar

The external USB SSD is now mounted and is ready to be used.
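The attach/import and export/detach sequences above, wrapped as an added example (not code from the original post): a small sh script that runs them in the right order and first refuses to continue when the key file is readable by group or world, since anyone who can read both it and the metadata backup only lacks the passphrase. The device, key file and pool name defaults are the post's; set DRY_RUN=1 to see the commands without hardware.

```shell
#!/bin/sh
# usbvault.sh: open or close the encrypted USB SSD (GELI provider + ZFS pool)
# in the right order, refusing to continue when the key file is readable by
# anyone but its owner. Added example for this post, not part of the original;
# the defaults below (device, key file, pool name) are the post's assumptions.
#
# Usage: usbvault.sh open|close [device] [keyfile] [pool]
# DRY_RUN=1 prints the commands instead of running them (no hardware needed).

DEV="${2:-/dev/da0}"
KEYFILE="${3:-foobar.key}"
POOL="${4:-foobar}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The key file is one of the two key components: it must exist, be non-empty
# and be readable by its owner only. ls -l's mode string has the group and
# other bits in columns 5-10; all of them must be '-'.
check_keyfile() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "key file $f is missing or empty" >&2
        return 1
    fi
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key file $f is group/world accessible (mode $perms); run chmod 0600 on it" >&2
        return 1
    fi
    return 0
}

# Attach the provider (geli prompts for the passphrase), then import the pool.
open_vault() {
    check_keyfile "$KEYFILE" || return 1
    run geli attach -k "$KEYFILE" "$DEV" || return 1
    run zpool import "$POOL"
}

# Export the pool before detaching the provider. No -f: a busy dataset should
# make the export fail loudly rather than be torn down under a running writer.
close_vault() {
    run zpool export "$POOL" || return 1
    run geli detach "${DEV}.eli"
}

case "$1" in
    open)  open_vault ;;
    close) close_vault ;;
    "")    ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open|close [device] [keyfile] [pool]" >&2; exit 2 ;;
esac
```

The permission check deliberately looks at the mode bits rather than trying to read the file: as root everything is readable, and the question is who else could have read it.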

References.

Dynamic DNS (DynDNS, DDNS) with BIND

What is Dynamic DNS?

Dynamic DNS, also referred to as DynDNS or just DDNS, is a method for updating resource records (RR) in a DNS zone, for example the A record of a host name whose IP address changes. The DNS server must authenticate updates, typically with a transaction signature (TSIG) shared key, so that only the holder of the key can change the zone. The update is sent with a DNS update utility such as nsupdate.

Where is DDNS used?

DDNS is needed where a client must offer a service from a server or host that does not have a static IP address from the ISP. It is likewise needed where a client has security devices, such as DVRs and IP surveillance cameras, that cannot be reached via a static IP address from the ISP.

Confirm connection to IP address.

Confirm that the service can be reached from the Internet via the currently assigned IP address. If the service is behind a router, the router's dashboard shows the currently assigned address. If you are using a VPN service on the client, you cannot use the address of the VPN exit node for this test. If necessary, also allow and map (port forward) access from the Internet through the router to the service on your LAN.

% ping 13.37.13.37
% ssh -p 1337 -l foobar 13.37.13.37

If the service is behind a 5G router connected to a modern mobile network that uses carrier-grade NAT (CG-NAT or CGN), the service cannot be reached via the assigned IP address from the Internet. The address is shared with other subscribers' routers and inbound connections are not forwarded to you. In that case DDNS is no longer a solution. A VPN is an alternative: both the client and the server connect to a VPN server on a VPS with a static IP address, and the client reaches the service over the tunnel.
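What the update itself looks like, as an added example that is not from the original post or from BIND: a sh script that first checks that the address is not private or CG-NAT shared space (the case described above, where DDNS cannot help) and then sends a TSIG-signed nsupdate batch for the host's A record. The zone, host name, key file and address are assumptions given as arguments; the key file is assumed to be in the format written by tsig-keygen, and the zone's primary must grant that key update rights.

```shell
#!/bin/sh
# ddns-update.sh: replace the A record of a host with an nsupdate batch signed
# with a TSIG key, after checking that the address is one the Internet can
# actually reach. Added example for this post, not part of the original or of
# BIND; zone, host name, TSIG key file and address are assumptions passed as
# arguments (the key file is in the format written by tsig-keygen).
#
# Usage: ddns-update.sh zone host keyfile ipv4 [ttl]

# Return 0 if the argument is not a usable public IPv4 address: malformed,
# RFC 1918 private space, or the CG-NAT shared range 100.64.0.0/10 (RFC 6598).
# Publishing such an address in DNS cannot make the host reachable.
not_public_ipv4() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 0
    case "$1.$2.$3.$4" in
        *[!0-9.]*) return 0 ;;
    esac
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then return 0; fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 0; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then return 0; fi
    return 1
}

# Print the nsupdate batch: delete the old A record(s) of host.zone and add the
# new one. Everything between "zone" and "send" goes to the server as one
# atomic, signed UPDATE message.
nsupdate_batch() {
    zone="$1"; host="$2"; ip="$3"; ttl="${4:-300}"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s.%s. A\n' "$host" "$zone"
    printf 'update add %s.%s. %s A %s\n' "$host" "$zone" "$ttl" "$ip"
    printf 'send\n'
}

# Validate the address, then sign and send the batch. -k points nsupdate at
# the TSIG key file; BIND only accepts the update if the zone's update-policy
# or allow-update grants that key the right to change the record.
ddns_update() {
    zone="$1"; host="$2"; keyfile="$3"; ip="$4"; ttl="$5"
    if not_public_ipv4 "$ip"; then
        echo "$ip is malformed, private or CG-NAT shared space; DDNS cannot make $host.$zone reachable" >&2
        return 1
    fi
    nsupdate_batch "$zone" "$host" "$ip" "$ttl" | nsupdate -k "$keyfile"
}

if [ $# -ge 4 ]; then
    ddns_update "$@"
fi
```

The address to publish is whatever the router's dashboard shows as the WAN address; if that address fails the check, the script exits before talking to the DNS server at all.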

To be continued…

More about DDNS.

How to create exFAT on USB drive with FreeBSD

Why use exFAT for USB drives and removable drives?

exFAT, short for Extended File Allocation Table, is a file system that supports very large volumes, which is one reason it is used on larger USB drives and SD cards. exFAT does not have the 4 GB file size limit of FAT32. It is compatible with different operating systems and physical devices.

Create exFAT on USB drive or removable drive.

If the drive is already mounted, unmount it before creating the exFAT file system.

# umount /dev/da0

Create the exFAT file system directly on the whole device. This leaves the drive without a partition scheme (a so-called superfloppy), which Windows, macOS and Linux all mount; some cameras, TVs and set-top boxes expect a partition table, however, and for those an MBR with a single partition created with gpart (as in the FAT32 post on this page) is the safer layout.

# mkexfatfs /dev/da0
mkexfatfs 1.4.0
Creating... done.
Flushing... done.
File system created successfully.

Confirm that it mounts. mount.exfat is a FUSE file system, so the fusefs kernel module must be loaded first (kldload fusefs, or fusefs_load="YES" in /boot/loader.conf).

# mount.exfat /dev/da0 /mnt
FUSE exfat 1.4.0 (libfuse2)

More about exFAT.

Outdoor TTL Flash Portrait Photography

What is TTL flash?

TTL is short for through the lens. TTL is a mode that a flash can operate in. When the flash is in TTL mode, it fires a pre-flash, and the flash power is then set automatically within a fraction of a second, based on the camera's light metering through the lens.

When is TTL flash used?

If the eyes, face or other important features of the subject are unevenly lit, and the subject is too dark with high contrast, then TTL flash can lift the shadows and light the subject to match the natural ambient light in the background. If the sun is warm and setting, an orange gel or filter can make the flash warm as well.

Find a good spot for portrait photography.

Consider a place with some trees or some shade. The face should be in neutral, even light, not in harsh, uneven light. This makes it possible to control the light.

Dial in the exposure on the camera.

Set the camera to manual mode. Set light metering to an averaging mode. Dial in the exposure to 1/160-1/200 s, f/1.2-5.6 and ISO 100-400. Keep ISO as low as possible to avoid noise. Make sure the flash is turned off, take a test image, and review the image and the histogram. A correct exposure will not have peaks pushed up against the left or right edge. Adjust as necessary.

Dial in the exposure on the flash.

If it is sunset and the light is yellow, use an orange gel or filter on the flash. This makes the flash light warmer and the image more natural. Gels usually come in a half and a full strength.

If the flash cannot be bounced off a light wall, point it directly at the subject.

Set flash to TTL mode.

If direct flash is used, adjust the shutter so that the meter reads zero or slightly over-exposed. The flash will then be softer, because a dark background makes the flash too bright. Is it better to just use FEC and reduce the flash power?

Use a flash transmitter and a softbox to make the light source bigger and softer. Place the softbox as close as possible to make the light as big as possible for softer light. A diffuser and an umbrella also make the light source bigger and softer.

Adjust flash exposure compensation (FEC) as necessary to make the light soft and natural. Remember that the camera by default measures the average brightness of the scene and exposes it towards mid-grey: dark scenes become too bright and bright scenes too dark.

Shoot.

More about TTL flash portrait photography.

Vordingborg Festuge 2024

Pictures from Vordingborg Festuge 2024

These are some of the pictures I shot of bands and guests at the annual music festival Vordingborg Festuge 2024. Conditions were challenging: heavy clouds and rain. This did not leave much light for capturing pictures. I used a handheld digital camera with a 70-200mm zoom lens. I used an optimal balance between high-speed exposure and narrow depth of field. I used my own custom in-camera picture profile settings for capturing true colors as seen on site. I did not apply any editing, filters nor generative artificial intelligence to the pictures.

How to install VPN on FreeBSD

This is the procedure for installing, configuring and using OpenVPN as a VPN client on FreeBSD, connecting to a commercial VPN service. Tested with OpenVPN 2.6.10 on FreeBSD 13.2 on 2024-04-26.

Install OpenVPN client on FreeBSD.

Install OpenVPN. The package comes with an OpenVPN client.

# pkg install openvpn

Create a directory for the VPN configuration files. The login credentials stored there later must be readable only by the account the OpenVPN client runs as, so restrict the directory's mode as well as its owner.

# find / -type d -name '*openvpn*'
# mkdir /usr/local/etc/openvpn
# chown openvpn:openvpn /usr/local/etc/openvpn
# chmod 0700 /usr/local/etc/openvpn

Install VPN configuration file for OpenVPN client on FreeBSD.

Get the VPN configuration file from the website of the VPN service; it should be one intended for FreeBSD or GNU/Linux. Choose the UDP variant: tunnelling TCP inside TCP makes the two retransmission and congestion-control loops fight each other and stall (the TCP-over-TCP problem), which a UDP transport avoids. Copy the VPN configuration file to the OpenVPN directory from above and restrict it like the directory.

# chown openvpn:openvpn /usr/local/etc/openvpn/foobar.ovpn
# chmod 0600 /usr/local/etc/openvpn/foobar.ovpn

Configure OpenVPN to start without asking for username and password.

If you want the VPN to come up without the OpenVPN client asking for username and password, configure it to read the login credentials from a text file. This trades the interactive prompt for a secret on disk, so the file's permissions matter.

# nano /usr/local/etc/openvpn/foobar.ovpn
auth-user-pass /usr/local/etc/openvpn/foobar.txt

Then store the username on the first line and the password on the second line of the text file. Note that some VPN services offer optional features that are enabled or disabled by modifying the username.

# touch /usr/local/etc/openvpn/foobar.txt
# chown openvpn:openvpn /usr/local/etc/openvpn/foobar.txt
# chmod 0600 /usr/local/etc/openvpn/foobar.txt
# nano /usr/local/etc/openvpn/foobar.txt
QfHrW8QGf1OYjubt
5r8JzcOBIPNbq6pqhxA0L-FLTVrl4pIl3a0G8qUqyB-DzwFLLfuNlf6j

Configure DNS resolver up scripts for OpenVPN client on FreeBSD.

Ensure that an up script exists that takes care of the DNS resolver configuration. This matters not only for the VPN to work, but also to avoid a DNS leak, where name lookups go to a resolver outside the VPN (typically the ISP's) and reveal which sites you visit. The OpenVPN package comes with up and down scripts for this. OpenVPN refuses to run external scripts unless script-security is at least 2, and the down script is run through the down-root plugin because OpenVPN may have dropped its privileges by the time the tunnel closes and could otherwise not restore resolv.conf.

# nano /usr/local/etc/openvpn/foobar.ovpn
script-security 2
up /usr/local/libexec/openvpn-client.up
plugin openvpn-plugin-down-root.so /usr/local/libexec/openvpn-client.down

How to start and stop VPN with OpenVPN on FreeBSD.

Start the VPN by using the OpenVPN client with the VPN configuration file as the argument. Stop the VPN by pressing Ctrl+C.

# openvpn-client /usr/local/etc/openvpn/foobar.ovpn

How to start VPN automatically at boot time on FreeBSD.

Add it to the system configuration.

# nano /etc/rc.conf
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/foobar.ovpn"
openvpn_dir="/usr/local/etc/openvpn"

The VPN can now be started and stopped with the system service utility.

# service openvpn start
# service openvpn stop

If a firewall such as PF is used, its rules may reference the tun interface or the VPN addresses, which only exist once the tunnel is up, so an up script that reloads the firewall rules during the startup process may be necessary.

# nano /usr/local/etc/openvpn/pfreload.sh
#!/bin/sh
/usr/sbin/service pf reload
# chmod 0700 /usr/local/etc/openvpn/pfreload.sh

Add it to the system configuration. Note that OpenVPN keeps a single up script, and whichever up option is parsed last wins, so if the resolver up script from above is also in use, the two must be chained in one script (for example by having pfreload.sh call /usr/local/libexec/openvpn-client.up first with the same arguments).

# nano /etc/rc.conf
openvpn_flags="--script-security 2 --up /usr/local/etc/openvpn/pfreload.sh"

Check DNS resolver for DNS leak.

Confirm that the resolver configuration has been updated: /etc/resolv.conf should list only the nameservers pushed by the VPN server, not the ISP's or the router's, otherwise lookups leak outside the tunnel.

# cat /etc/resolv.conf
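The pf reload step above and this resolver check can be combined in one up script, shown here as an added example that is not part of OpenVPN, the FreeBSD port or the original post: it runs the port's resolver script (path assumed to be /usr/local/libexec/openvpn-client.up), reloads PF once the tun interface exists, and then reads the pushed DNS servers from the foreign_option_N variables OpenVPN sets for up scripts and compares them with /etc/resolv.conf, warning about any nameserver that is not one of them. Since OpenVPN keeps only one up script, this single script replaces both the up line in the .ovpn file and pfreload.sh.

```shell
#!/bin/sh
# vpn-up.sh: one OpenVPN up script that chains the port's resolver update,
# reloads PF, and then checks /etc/resolv.conf for resolvers outside the VPN.
# Added example for this post; not a script shipped with OpenVPN or the
# FreeBSD port. Assumptions: the resolver script is at
# /usr/local/libexec/openvpn-client.up, and the server's DNS push reaches the
# script as foreign_option_N='dhcp-option DNS a.b.c.d' environment variables
# (the form OpenVPN uses for pushed dhcp-options).
#
# rc.conf: openvpn_flags="--script-security 2 --up /usr/local/etc/openvpn/vpn-up.sh"

RESOLVER_UP="${RESOLVER_UP:-/usr/local/libexec/openvpn-client.up}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the DNS servers pushed by the VPN server, one per line, read from
# foreign_option_1, foreign_option_2, ... until the first unset one.
pushed_dns_servers() {
    i=1
    while eval "opt=\${foreign_option_$i}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Read a resolv.conf on stdin; return 0 when every nameserver line is one of
# the servers in $1 (whitespace separated), 1 when any other resolver is
# listed, since queries to it would leave the tunnel (a DNS leak).
check_resolvers() {
    allowed="$1"
    leak=0
    while read -r key value _rest; do
        [ "$key" = "nameserver" ] || continue
        ok=1
        for a in $allowed; do
            if [ "$a" = "$value" ]; then ok=0; fi
        done
        if [ $ok -ne 0 ]; then
            echo "DNS leak: $value is not a VPN resolver" >&2
            leak=1
        fi
    done
    return $leak
}

# OpenVPN calls the up script as: tun_dev tun_mtu link_mtu local_ip remote_ip [init|restart]
vpn_up() {
    # 1. resolver update: the port's script, with the same arguments
    if [ -x "$RESOLVER_UP" ]; then
        run "$RESOLVER_UP" "$@" || return 1
    fi
    # 2. PF: rules naming the tun interface can only be loaded once it exists
    run /usr/sbin/service pf reload || return 1
    # 3. leak check: warn, but do not take the tunnel down
    if ! check_resolvers "$(pushed_dns_servers)" < "$RESOLV_CONF"; then
        echo "warning: $RESOLV_CONF still lists resolvers outside the VPN" >&2
    fi
    return 0
}

if [ $# -ge 1 ]; then
    vpn_up "$@"
fi
```

Install it with mode 0700 like pfreload.sh. The leak check only warns because a wrong resolver is recoverable by hand, whereas failing the up script would tear the tunnel down on every reconnect.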

Check IP address for VPN.

Go to a "What is my IP address" website and confirm that the address shown belongs to the VPN server and not to your ISP.

More about VPN on FreeBSD.

OpenVPN and PF at startup on FreeBSD Forums. OpenVPN on FreshPorts. Official website for OpenVPN.

Creating a FAT32 file system on USB flash drive with FreeBSD

This is the procedure for creating an MBR boot sector and a FAT32 file system on a USB flash drive or other removable media, so it can be used for sharing files with Windows, TVs or other devices. This procedure is also known as formatting or partitioning.

Attach the external storage and identify the device; gpart destroy -F wipes the partition table of whatever device it is given, so double-check the device name from dmesg before continuing. Optionally check for existing partitioning schemes and file systems on the device. Destroy any existing partitioning scheme, even if it is not empty. Create a new partitioning scheme with an MBR boot sector. Add a new partition of the FAT32 type. Optionally confirm the new boot sector and partition. Construct a new MS-DOS FAT32 file system with an optional label. The label, which can use up to 11 characters, is used by Windows and some devices to present the file system to the user. Consider putting a physical label on the flash drive as well. The USB flash drive is now ready to be mounted, used and unmounted again.

# dmesg
# gpart show
# gpart destroy -F /dev/da0
# gpart create -s mbr /dev/da0
# gpart add -t fat32 /dev/da0
# gpart show
# newfs_msdos -L FOOBAR -F 32 /dev/da0s1
# mkdir /mnt/foobar
# mount -t msdos /dev/da0s1 /mnt/foobar
# cp /home/foobar/foo.* /mnt/foobar/
# df -H /mnt/foobar
# umount /mnt/foobar
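The exFAT and FAT32 procedures on this page both start by writing to a whole device, where a mistyped device name is the realistic failure mode. As an added example that is not from either post, this sh script runs the commands from both procedures with two guards in front of them: the device must be a /dev/daN disk, and nothing on it (the device, a slice, or a .eli provider on it) may currently be mounted; the FAT32 label is also validated against the 11-character limit. Device names and the label are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# format-removable.sh: put exFAT (whole device, no partition table, as in the
# exFAT post) or MBR + FAT32 (as in this post) on a removable drive, refusing
# to touch a device that is not a da(4) disk or that has anything mounted.
# Added example for this page, not part of the original posts; the device
# names, labels and helper names are assumptions.
#
# Usage: format-removable.sh fat32|exfat /dev/daN [LABEL]
# DRY_RUN=1 prints the destructive commands instead of running them.

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read mount(8) output on stdin and print every mount point that belongs to
# the device itself, one of its slices/partitions (da0s1, da0p2 ...) or a
# GELI provider on it (da0.eli). Returns 0 if anything is mounted.
mounted_on() {
    dev="$1"
    found=1
    while read -r src _on mnt _rest; do
        case "$src" in
            "$dev"|"$dev"[sp][0-9]*|"$dev".eli)
                printf '%s\n' "$mnt"
                found=0 ;;
        esac
    done
    return $found
}

# FAT volume labels are at most 11 characters and newfs_msdos(8) restricts them
# to characters legal in DOS file names; this accepts a deliberately
# conservative subset (uppercase letters, digits, '_' and '-').
valid_label() {
    l="$1"
    [ ${#l} -ge 1 ] && [ ${#l} -le 11 ] || return 1
    case "$l" in
        *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-]*) return 1 ;;
    esac
    return 0
}

# Guards first, then the commands from the posts in their original order.
format_device() {
    kind="$1"; dev="$2"; label="${3:-FOOBAR}"
    case "$dev" in
        /dev/da[0-9]*) ;;   # removable drives attach as da(4); anything else is refused
        *) echo "refusing to format $dev: not a /dev/daN device" >&2; return 1 ;;
    esac
    if mnt=$(mount | mounted_on "$dev"); then
        echo "refusing to format $dev: mounted on $mnt" >&2
        return 1
    fi
    case "$kind" in
        exfat)
            run mkexfatfs "$dev" ;;
        fat32)
            valid_label "$label" || { echo "invalid label '$label'" >&2; return 1; }
            run gpart destroy -F "$dev" || true   # fails harmlessly when there is no scheme yet
            run gpart create -s mbr "$dev" || return 1
            run gpart add -t fat32 "$dev" || return 1
            run newfs_msdos -L "$label" -F 32 "${dev}s1" ;;
        *)
            echo "unknown file system '$kind' (use fat32 or exfat)" >&2; return 1 ;;
    esac
}

if [ $# -ge 2 ]; then
    format_device "$@"
fi
```

The mount check parses the live output of mount(8), so it also catches the case where only a slice of the device, or a GELI provider on top of it, is mounted.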

More about creating file systems.

GPART and NEWFS_MSDOS on FreeBSD Manual Pages. How to mount FAT32 formatted SD memory card on FreeBSD and How to mount exFAT formatted SD memory card on FreeBSD by myself.

May one photograph and share pictures of another person without consent?

This page is about consent to photographing and sharing pictures, which in Denmark is regulated in chapter 27 of the Criminal Code (straffeloven) on breaches of peace and honour (freds- og æreskrænkelser). Written 20 March 2024.

May one photograph another person without consent?

One may photograph another person who is in public surroundings or in a freely accessible place. Examples of such places are a concert, a zoo, and a leisure club or association while its activities are taking place.

If one wants to photograph another person who is in private surroundings or in a place that is not freely accessible, consent must be obtained. Examples of such places are a doctor's office, a bank, a fitness centre, a bar, a nightclub, a discotheque and a workplace.

§ 264 a. Anyone who without authorisation photographs persons who are in a place that is not freely accessible is punished with a fine or imprisonment for up to 6 months. The same applies to anyone who, by means of binoculars or another device, without authorisation observes such persons.

May one share pictures of another person without consent?

One may share or publish pictures of another person that were taken in public surroundings or in a freely accessible place and are suitable for a wider public.

If one wants to share or publish pictures of another person that were taken in private surroundings or in a place that is not freely accessible, consent must be obtained.

§ 264 d. Anyone who without authorisation passes on messages or pictures concerning another person's private affairs, or otherwise pictures of that person under circumstances that may obviously be demanded to be withheld from a wider public, is punished with a fine or imprisonment for up to 6 months. The provision also applies where the message or picture concerns a deceased person.

May one share intimate pictures of another person without consent?

One may not share or publish intimate pictures of another person without consent. One may not share or publish pictures that concern another person's private affairs or circumstances that are not intended for a wider public.

If one wants to share or publish intimate pictures of another person, or pictures that concern another person's private affairs or circumstances that are not intended for a wider public, consent must be obtained.

§ 264 d. Anyone who without authorisation passes on messages or pictures concerning another person's private affairs, or otherwise pictures of that person under circumstances that may obviously be demanded to be withheld from a wider public, is punished with a fine or imprisonment for up to 6 months. The provision also applies where the message or picture concerns a deceased person.

May one share access to pictures that are reserved for paying users?

One may not share or publish access to pictures that are reserved for paying users. Access also means a username, password, login details, a reproduction or any other form of access.

§ 263 a. Anyone who without authorisation 3) obtains or passes on a means of access to a data system c) to which access is reserved for paying users is punished with a fine or imprisonment for up to 1 year and 6 months.

More about photographing and sharing pictures.