How to install privacy VPN on FreeBSD

This is the procedure for installing, configuring and using a privacy-oriented VPN server, such as Mullvad or Proton, with OpenVPN on FreeBSD. Tested with OpenVPN 2.6.10 on FreeBSD 13.2 on 2024-04-26.

Install OpenVPN client on FreeBSD.

Install OpenVPN. The package comes with an OpenVPN client.

# pkg install openvpn

Create a directory for VPN configuration files. Ensure that login credentials can only be read by the OpenVPN client.

# find / -type d -name '*openvpn*'
# mkdir /usr/local/etc/openvpn
# chown openvpn:openvpn /usr/local/etc/openvpn

Install VPN configuration file for OpenVPN client on FreeBSD.

Get the VPN configuration file from the website of the VPN service. The configuration file should support FreeBSD or GNU/Linux operating systems. The protocol should be UDP. This avoids the problems that can arise from encapsulating TCP packets in TCP packets. Copy the VPN configuration file to the OpenVPN directory from above.

# chown openvpn:openvpn /usr/local/etc/openvpn/foobar.ovpn

Configure OpenVPN to start without asking for username and password.

If you want to be able to use VPN without OpenVPN client asking for username and password, then configure it to read the login credentials from a text file.

# nano /usr/local/etc/openvpn/foobar.ovpn
auth-user-pass /usr/local/etc/openvpn/foobar.txt

Then store the username and password in the text file, with the username on the first line and the password on the next line. Note that some VPN services provide optional features. Such features can be enabled or disabled by modifying the username.

# touch /usr/local/etc/openvpn/foobar.txt
# chown openvpn:openvpn /usr/local/etc/openvpn/foobar.txt
# chmod 0600 /usr/local/etc/openvpn/foobar.txt
# nano /usr/local/etc/openvpn/foobar.txt
QfHrW8QGf1OYjubt
5r8JzcOBIPNbq6pqhxA0L-FLTVrl4pIl3a0G8qUqyB-DzwFLLfuNlf6j
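The following check is an added example, not part of the original procedure: it reads the auth-user-pass directive from a client configuration and fails when the credentials file it names grants any access to group or other. The function names are hypothetical, and it assumes the path in the directive is unquoted and contains no spaces.

```sh
#!/bin/sh
# Added example: audit the credentials file that an OpenVPN client
# configuration points to with auth-user-pass.

# Print the file argument of auth-user-pass. Prints nothing when the
# directive is absent, commented out, or has no argument (interactive prompt).
cred_file() {
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$1"
}

# Return 0 when the credentials file is a regular file without any group
# or other permission bits, 1 when it is exposed, 2 when there is no file
# to check.
audit_creds() {
    conf=$1
    file=$(cred_file "$conf")
    if [ -z "$file" ]; then
        echo "no auth-user-pass file in $conf" >&2
        return 2
    fi
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "$file: missing, or not a regular file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$file" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$file: group/other access ($bits), run chmod 0600" >&2
        return 1
    fi
    return 0
}

# Usage: sh audit-creds.sh /usr/local/etc/openvpn/foobar.ovpn
if [ "$#" -ge 1 ]; then
    audit_creds "$1"
fi
```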

Configure DNS resolver up scripts for OpenVPN client on FreeBSD.

Ensure that up scripts that take care of the DNS resolver configuration exist. This is important not only for operation, but also for avoiding DNS leaks caused by using a DNS resolver that is not related to the VPN. The OpenVPN client comes with up and down scripts for this.

# nano /usr/local/etc/openvpn/foobar.ovpn
up /usr/local/libexec/openvpn-client.up
plugin openvpn-plugin-down-root.so /usr/local/libexec/openvpn-client.down

How to start and stop VPN with OpenVPN on FreeBSD.

Start the VPN by using the OpenVPN client with the VPN configuration file as the argument. Stop the VPN by pressing Ctrl+C.

# openvpn-client /usr/local/etc/openvpn/foobar.ovpn

How to start VPN automatically at boot time on FreeBSD.

Add it to the system configuration.

# nano /etc/rc.conf
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/foobar.ovpn"
openvpn_dir="/usr/local/etc/openvpn"

The VPN can now be started and stopped with the system service utility.

# service openvpn start
# service openvpn stop

If a firewall such as PF is used, it might be necessary to create an up script that reloads the firewall rules during the startup process.

# nano /usr/local/etc/openvpn/pfreload.sh
#!/bin/sh
/usr/sbin/service pf reload
# chmod 0700 /usr/local/etc/openvpn/pfreload.sh

Add it to the system configuration.

# nano /etc/rc.conf
openvpn_flags='--script-security 2 --up "/usr/local/etc/openvpn/pfreload.sh"'

You might want to let the machine complete booting before the VPN is started. This ensures that FreeBSD can set the time and perform other system-related Internet access before the user logs in.

Check IP address for VPN.

Go to What is My IP Address? and confirm that the IP address is related to the VPN server.

Check DNS resolver for DNS leak.

Confirm that the DNS resolver configuration has been updated, so that DNS leaks are avoided. The only nameserver listed should be the DNS server of the VPN.

# cat /etc/resolv.conf
nameserver 10.10.0.1
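The same check as a script, added here as an example that is not part of the original procedure: it lists every nameserver in a resolv.conf file and fails when one of them is not in the list of VPN resolvers given on the command line. The function names are hypothetical; 10.10.0.1 is the address from the output above.

```sh
#!/bin/sh
# Added example: compare the nameservers in resolv.conf with the VPN's DNS.

# List every nameserver address in the given resolv.conf, one per line.
nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# dns_leak_check FILE ADDR...
# Return 0 when FILE has at least one nameserver and every nameserver is
# one of the allowed ADDR values, 1 otherwise.
dns_leak_check() {
    file=$1
    shift
    found=0
    leaks=0
    for ns in $(nameservers "$file"); do
        found=1
        ok=0
        for allowed in "$@"; do
            if [ "$ns" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "leak: $ns is not a VPN resolver" >&2
            leaks=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        # Without a nameserver line the resolver queries the local host.
        echo "no nameserver in $file" >&2
        return 1
    fi
    return "$leaks"
}

# Usage: sh dns-leak-check.sh /etc/resolv.conf 10.10.0.1
if [ "$#" -ge 2 ]; then
    dns_leak_check "$@"
fi
```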

More about VPN on FreeBSD.

OpenVPN and PF at startup on FreeBSD Forums. OpenVPN on FreshPorts. Official website for OpenVPN.

Creating a FAT32 file system on USB flash drive with FreeBSD

This is the procedure for creating an MBR boot sector and a FAT32 file system on a USB flash drive or other removable media, so it can be used for sharing files with Windows, TVs or other devices. This procedure is also known as formatting or partitioning.

Identifying USB flash drive on FreeBSD.

Attach the external storage and identify the device. Optionally check for existing partitioning schemes and file systems on the device.

# dmesg
da0: < USB DISK 3.0 PMAP> Removable Direct Access SPC-4 SCSI device
da0: Serial Number 0718388514F24105
da0: 400.000MB/s transfers
da0: 118200MB (242073600 512 byte sectors)
da0: quirks=0x3<NO_SYNC_CACHE,NO_6_BYTE>
# gpart show /dev/da0
=> 63 60825537 da0 MBR (29G)
63 1 - free - (512B)
64 60825536 1 fat32lba (29G)

Creating MS-DOS FAT32 partitioning scheme with GPART on FreeBSD.

Destroy any existing partitioning scheme even if it is not empty. Create a new partitioning scheme with an MBR boot sector. Add a new partition of the FAT32 type. Construct a new MS-DOS FAT32 file system with optional label. This is also known as formatting. The label, that can use up to 11 characters, is used by Windows and some devices to present the file system to the user. Consider putting a physical label on the flash drive as well.

# gpart destroy -F /dev/da0
# gpart create -s mbr /dev/da0
# gpart add -t fat32 /dev/da0
# newfs_msdos -L PROJECTS -F 32 /dev/da0s1

Optionally confirm the new partition scheme.

# gpart show /dev/da0
=> 63 242071337 da0 MBR (115G)
63 242071337 1 fat32 (115G)

Mounting and unmounting MS-DOS FAT32 file system on FreeBSD.

The USB flash drive is now ready to be mounted, used and unmounted again. In this example, Alice wants the directories and files in her projects directory copied with RSYNC, so repeating the command will just update the drive with the changes since the last copy. Because the target file system is FAT32, the owner and group cannot be set.

# mount -t msdos /dev/da0s1 /mnt
# rsync -ahv --no-owner --no-group /home/alice/projects/ /mnt/
# sync
# umount /mnt

More about creating file systems.

GPART and NEWFS_MSDOS on FreeBSD Manual Pages. How to mount FAT32 formatted SD memory card on FreeBSD and How to mount exFAT formatted SD memory card on FreeBSD by myself.

Creating video with KDEnlive on FreeBSD

Importing and renaming raw video clips with creation time on FreeBSD.

Import or copy the raw video clips from the camera and store them on a temporary local fast file system. Rename the raw video clips, so the filename contains the time stamp. This will become convenient later, when listing and loading them. The following csh script uses the stat utility to get the file creation time stamp and then renames the video clips accordingly.

$ cat rename-mp4
#!/bin/csh
foreach file (*.MP4)
  set newname = `stat -f '%SB' -t '%y%m%d-%H%M%S' "$file"`
  mv "$file" "${newname}-${file}"
end

An example of the manual approach, for the same result, would be the following commands.

$ mv MGR103.MP4 240314-213544-MGR103.MP4
$ mv MGP101.MP4 240314-213535-MGP101.MP4

Creating a new project and profile preset in KDEnlive.

Launch KDEnlive and create a new project. KDEnlive will ask you to select a profile preset. In the settings, select or create a profile preset that matches the raw video clips from the camera and the main format you will be targeting. If you create a new profile preset, start from a general profile preset. I recommend using a naming convention that reflects the resolution and frame rate.

  • Action cameras, such as the legendary GoPro Hero 3 Black, produce high resolution frames in a narrower aspect ratio and at a high frame rate, such as 1920×1080@60 (16:9).
  • Camcorders, such as the legendary Sony FDR AX43, produce high resolution frames in a traditional film aspect ratio and frame rate, such as 3840×2160@25 (16:9) or 1920×1080@25 (16:9).
  • Mobile phones, such as the Samsung Galaxy A series, produce moderate resolution frames, such as 1920×1080@25 (16:9) or 1080×1920@25 (9:16).

Editing video and audio on the timeline in KDEnlive.

Adding effects in KDEnlive.

If you want to add a watermark, also known as an overlay, you will need an image with your logo or watermark. If the watermark is transparent, it will most likely be in PNG format. Add a track on top of the video in the timeline and place the watermark in it. Stretch it, so it matches the full length of the video. You can now place the watermark, where you want it to be, by opening the effects window, finding the transformation effects and selecting the Crop, Scale and Tilt effect. Adjust the scale and tilt values as necessary. If the video is 1080 pixels wide and the watermark is 200 pixels wide, you might want to scale to 20 and 20 and tilt to 953 and 1779.

Exporting video clips for other use.

If you will be exporting video clips for other use, then use the input and output markers to export them at this point, before any formatting and watermarking. Use a naming convention that keeps the clips in chronological order, such as a time-based prefix and a descriptive text. Such clips can later be formatted and watermarked with KDEnlive or FFmpeg for sharing or use on social media.

X and GNOME for FreeBSD

Xrandr.

If you just attached a monitor to your computer, such as an external monitor or a TV via HDMI, you can activate it in GNOME with Xrandr. Just run the utility. If you want to configure it in GNOME, then go to GNOME settings and Display.

% xrandr
Screen 0: minimum 320 x 200, current 1920 x 1080, maximum 16384 x 16384
eDP-1 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 276mm x 155mm
   1920x1080     60.05*+  60.01    59.97    59.96    59.93  
DP-1 disconnected (normal left inverted right x axis y axis)
HDMI-1 disconnected (normal left inverted right x axis y axis)
DP-2 disconnected (normal left inverted right x axis y axis)
HDMI-2 connected (normal left inverted right x axis y axis)
   3840x2160     30.00 +  25.00    24.00    29.97    23.98  

GNOME Tweaks.

Go to Appearance and change Applications from Adwaita to Adwaita-dark. This will make non-GTK applications, such as third party applications, dark mode as well as the GNOME applications.

% gnome-tweaks

How to configure SPF policy record in BIND DNS

What is SPF?

SPF is short for Sender Policy Framework and is an internet standard that ensures that email is in fact sent from authorized mail servers. SPF is also known as an SPF policy or an SPF record. SPF is a special TXT resource record (RR) for the domain in DNS. The TXT RR contains a list of mail servers that are authorized to send email on behalf of the domain. You can configure an SPF policy record in BIND DNS.


How to install OpenDKIM for Sendmail on FreeBSD

What is DKIM?

DKIM is short for DomainKeys Identified Mail and is an internet standard that ensures that an email is in fact authorized by the owner of the domain, and that its content is authentic and has not been modified. DKIM is available for FreeBSD as the OpenDKIM package or port. OpenDKIM is a milter for Sendmail, which is the default mail server in FreeBSD.
