Merge pull request #127 from vedetta-com/wip

- Fix #125 Connect to switch0 at reboot, thank you @bentley
- Fix #82 TLS inspection (MITM) with relayd

README.md

@@ -222,7 +222,7 @@ Share what you've got, keep what you need:
   - *Usage:*
     - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
     - `dig ipv6.google.com aaaa`
-* [relayd](https://man.openbsd.org/relayd) - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, and transparent HTTP proxy
+* [relayd](https://man.openbsd.org/relayd) - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, transparent HTTP proxy, and TLS inspection ([MITM](https://github.com/vedetta-com/vedetta/issues/82#issuecomment-363907251))
   - *Configure:*
     - [`etc/acme-client.conf`](src/etc/acme-client.conf)
     - [`etc/httpd.conf`](src/etc/httpd.conf)
@@ -235,10 +235,24 @@ Share what you've got, keep what you need:
     - `cd `[`/etc/ssl/private`](src/etc/ssl/private)
     - `ln -s ../acme/private/freedns.afraid.org.key 10.10.10.11:443.key`
     - `ln -s ../acme/private/freedns.afraid.org.key fd80:1fe9:fcee:1337::ace:babe:443.key`
+    - `mkdir -p /etc/ssl/relayd/private`
+    - `openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt`
+    - `echo 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.ext`
+    - `openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048`
+    - `openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key -out /etc/ssl/relayd/private/relay.vedetta.lan.csr -nodes`
+    - `openssl x509 -sha256 -req -days 365 -in /etc/ssl/relayd/private/relay.vedetta.lan.csr -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key -CAcreateserial -extfile /etc/ssl/relayd/server.ext -out /etc/ssl/relayd/relay.vedetta.lan.crt`
+    - `cd /etc/ssl`
+    - `ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt`
+    - `ln -s relayd/relay.vedetta.lan.crt ::1.crt`
+    - `cd /etc/ssl/private`
+    - `ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key`
+    - `ln -s ../relayd/private/relay.vedetta.lan.key ::1.key`
   - *Usage:*
     - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
     - [`rcctl`](https://man.openbsd.org/rcctl)` enable relayd`
     - [`rcctl`](https://man.openbsd.org/rcctl)` start relayd`
+    - [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t httpfilter $ip`
+    - [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t tlsinspect $ip`
 * [rtadvd](https://man.openbsd.org/rtadvd) - router advertisement daemon
   - *Configure:*
     - [`etc/pf.conf`](src/etc/pf.conf)

src/etc/hostname.switch0

@@ -2,4 +2,3 @@ description "switchd interface"
 addlocal vether0
 #add tap0
 up
-!switchctl connect /dev/switch0

src/etc/iked-vedetta.conf

@@ -1,5 +1,3 @@
-# (!) strongSwan http://marc.info/?l=openbsd-tech&m=149844148709729&w=2
-
 ikev2 "road-warrior-IPv4" passive ipcomp esp inet \
 	from 0.0.0.0/0 to 10.10.200.0/24 \
 	local em0 peer 0.0.0.0/0 \
@@ -19,4 +17,4 @@ ikev2 "road-warrior-IPv6" passive ipcomp esp inet6 \
 	config access-server 2001:470:b35c:deaf::ace:face \
 	config protected-subnet ::0/0 \
 	tag VPN \
-	tap enc1
+	tap "enc1"

src/etc/pf.conf

@@ -352,6 +352,16 @@ anchor "internal" on { lan wlan enc tun } proto { tcp udp } {
     tag LAN6_SELF6
   }
 
+  # relayd HTTP layer7 TLS inspection (split IPv4/6)
+  anchor proto tcp from <tlsinspect> to port https tagged LAN_INET {
+   pass log inet \   
+    divert-to lo0 port 8443 \
+    tag LAN_SELF
+   pass log inet6 \
+    divert-to lo0 port 8443 \
+    tag LAN6_SELF6
+  }
+
   # Split IPv4/6 from LAN_INET (!) not for proxy (e.g. divert-to, rdr-to)
   anchor inet6 tagged LAN_INET {
    match tag LAN6_INET6

src/etc/rc.conf.local

@@ -18,7 +18,6 @@ switchd_flags=
 syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log -a /var/nsd/dev/log"
 hotplugd_flags=
 sensorsd_flags=
-pf=YES
 # IKEv1 or IKEv2
 #ipsec=YES # Load ipsec.conf(5)
 # IKEv2 

src/etc/relayd.conf

@@ -1,4 +1,4 @@
-# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $
+# $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $
 #
 # Macros
 #
@@ -68,4 +68,5 @@ include "/etc/relayd.conf.proxy.http"
 #
 # Relay and protocol for a transparent HTTPS proxy
 #
-# -current only (!) see https://github.com/vedetta-com/vedetta/issues/82
+# (!) see https://github.com/vedetta-com/vedetta/issues/82
+include "/etc/relayd.conf.proxy.https"

src/etc/relayd.conf.proxy.https

@@ -0,0 +1,24 @@
+http protocol httpsfilter {
+	return error
+	match header set "Connection" value "close"
+
+	pass
+#	pass quick url file "/etc/relayd.d/custom_whitelist"
+#	block url file "/etc/relayd.d/custom_blacklist"
+#	include "/etc/relayd.d/auto_blacklist"
+
+	tls ca key "/etc/ssl/relayd/private/ca.key" password "AvenaCrucio"
+	tls ca cert "/etc/ssl/relayd/ca.crt" # import on client
+}
+
+relay tlsinspect {
+	# Listen on localhost, accept diverted connections from pf(4)
+	listen on 127.0.0.1 port 8443 tls
+	listen on ::1 port 8443 tls
+
+	protocol httpsfilter
+
+	# Forward to the original target host
+	forward with tls to destination
+}
+

src/etc/relayd.conf.relay.https

@@ -22,7 +22,7 @@ http protocol https {
 	# (!) Non-standard
 #	match header set "Keep-Alive" value "$TIMEOUT"
 
-        # Anonimize (opt-in data collection and tracking)
+	# Anonimize (opt-in data collection and tracking)
 	match response header set "Server" value "OpenBSD relayd"
 	match response header remove "X-Powered-By"
 

src/var/cron/tabs/root

@@ -30,4 +30,4 @@ HOME=/var/log
 # schedule ends at 5pm
 0	17	*	*	*	pfctl -t schedule -T flush  > /dev/null 2>&1; /sbin/pfctl -k label -k schedule > /dev/null 2>&1
 # sticky mfs /tmp
-@reboot					chmod 1777 /tmp
+@reboot					chmod 1777 /tmp; switchctl connect /dev/switch0