I want to create a home network that can host a domain, email and a website. I want to use FOSS for everything. I've never done this before. Please critique my build.
Router/firewall - OpenBSD
Domain controller - OpenBSD
Email server - OpenBSD
Web server - OpenBSD
OpenBSD has a reputation for being one of the most secure operating systems in the world. If there's something else better, I'll consider it.
Liam Wright
>le cuck license maymay xD Daily reminder: Only GNU zealots can effectively steal BSD code.
Lincoln Jackson
maybe his computer magically gets credentials from his domain?
Julian Davis
Can I have the same server be a DNS server and domain controller?
Landon Anderson
Sure. All of these things you listed could be the same system.
Justin Martinez
Would qubes be a good choice for that?
Adam Gutierrez
Or would you just install all of it on one openbsd box?
Christopher Butler
yeah, you can run it all on one openbsd box easy. honestly though I would at least put the dns and email on a vps. vultr has $2.50/mo servers - grab two and use them as backups for each other.
router tutorial: openbsd.org/faq/pf/example1.html
email: github.com/vedetta-com/caesonia
web: easy, just read the manpages
dns: you'll need to set glue records and nameservers in your domain registrar, after that just use a simple nsd.conf and zone file
Andrew Brooks
My goal is to be as secure as possible. Would the hosted servers compromise security?
Grayson Butler
well, who are you protecting against?
dns is fundamentally centralized, so ICANN (read: the us govt) can always take over your domain name and redirect the servers anyway. you're fucked anyway at that point, so hosting it elsewhere doesn't make things worse. main reason not to host it at home is
1) most domain registrars require at least two nameservers
2) unless your ISP gives you a static IP you'll have to update your glue records all the time
email is fundamentally insecure also since it's totally unencrypted. if you really want security use signal on a machine behind tor or something. main reason not to host email at home is a lot of ISPs block it as spam.
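The two DNS points in the post above (at least two nameservers, and glue that has to follow a changing home IP) can be checked mechanically. This is an added example, not part of the thread: it audits a simple zone file after an address change, and the domain, addresses and function names are constructed placeholders.

```python
import ipaddress

# Constructed zone for the placeholder domain example.com (documentation IPs).
SAMPLE_ZONE = """\
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. ( 1 3600 900 1209600 300 )
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
ns1 IN A 203.0.113.10
ns2 IN A 198.51.100.20
mail IN A 203.0.113.10
"""

def absolute(name, origin):
    name = name.lower()  # expand '@' and relative names against $ORIGIN
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Parse a one-record-per-line zone into (origin, NS names, A records)."""
    origin, ns_names, a_records = "", [], {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "$ORIGIN":
            origin = fields[1].lower()
        if "IN" not in fields[1:]:
            continue  # directives, blank lines, records without an explicit owner
        idx = fields.index("IN", 1)
        rtype, rdata = fields[idx + 1], fields[idx + 2:]
        if rtype == "NS":
            ns_names.append(absolute(rdata[0], origin))
        elif rtype == "A":
            a_records[absolute(fields[0], origin)] = str(ipaddress.ip_address(rdata[0]))
    return origin, ns_names, a_records

def audit(zone_text, old_ip, new_ip):
    """List what must change when the home address moves from old_ip to new_ip."""
    origin, ns_names, a_records = parse_zone(zone_text)
    findings = []
    if len(set(ns_names)) < 2:
        findings.append("fewer than two nameservers listed")
    in_zone_ns = [ns for ns in ns_names if ns.endswith("." + origin)]
    findings += [f"{ns}: in-zone NS without an A record" for ns in in_zone_ns
                 if ns not in a_records]
    old, new = str(ipaddress.ip_address(old_ip)), str(ipaddress.ip_address(new_ip))
    if old != new:
        for name in sorted(a_records):
            if a_records[name] == old:
                where = "zone and registrar glue" if name in in_zone_ns else "zone"
                findings.append(f"{name} {old} -> {new}: update {where}")
    return findings
```

Only records whose owner is also a nameserver need the registrar-side glue change; ordinary hosts such as `mail` are fixed by editing the zone alone.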
Ryan Foster
It's just that if I'm going to be running a network, I want it to be as secure as possible, as a matter of practicality and pride. I once worked for a company that was hit by a lot of email spoofing attacks and that's what got me interested in security.
Austin Cox
if you use a VPS they (and by extension the government) have hardware access. you can mitigate that a bit by encrypting the disk, but they can always snapshot the ram on a running system so it doesn't buy you much.
if you're not worried about that scale of attack, sure, it's fine and the increased availability and/or ddos protection will be worth it. a vps won't be susceptible to outside attackers any more than your machine at home.
Joseph Bailey
i'm doing everything described in the OP with linux, the only "security" part is a pfsense hardware firewall between me and the modem that runs dhcp, dns, vpn, and obviously the firewall pf tables
two linux boxes behind, one is tiny and runs email, nextcloud, ldap, mysql (in a virtual machine) and torrents, flexget (in a virtual machine)
the other is just freenas for storage and doesn't have to be on all the time, wake on lan from pfsense or linux box.
feels good.
Luke Green
>if you really want security use signal on a machine behind tor or something.
Interesting. So just do away with email entirely? Can't email be encrypted? Do you think corporations will move away from email and go with something like signal?
Justin Moore
>>DDOS protection?
What do I need to protect a home network from a DDOS attack? A really powerful server that costs $50k?
Oliver Rogers
you can encrypt your email with pgp before you send it.
most email servers are adding TLS but that doesn't mean the server/host won't read your email before it reaches your recipient.
Chase Hughes
nice. i assume you're not using bind for dns at least.
my openbsd setup is almost how i want it, i just want to add ipsec and ip/domain ad server blocking, and a package build cluster for funsies
Jace Evans
you probably can't protect against ddos
it probably won't happen either so idk
Sebastian Hughes
you can "encrypt" email, but:
1) pgp only encrypts the body, not any of the headers including subject line, date, recipient
2) you will never convince your family to use pgp
a really really really fat pipe
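What a mail host can still read from a PGP-encrypted message, as an added example that is not part of the thread: it parses a constructed PGP/MIME (RFC 3156) message and reports the headers and any cleartext visible without a key. The addresses, subject and `server_view` name are placeholders, and the armored block stands in for real ciphertext.

```python
from email import message_from_string, policy

# Constructed PGP/MIME (RFC 3156) message; addresses are placeholders and the
# armored block stands in for real ciphertext.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: Lab results attached
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

METADATA = ("From", "To", "Cc", "Date", "Subject", "Message-ID")

def server_view(raw):
    """Return what a host storing or relaying this message reads without any key."""
    msg = message_from_string(raw, policy=policy.default)
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    inline, cleartext = False, []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if "-----BEGIN PGP MESSAGE-----" in text:
            inline = True  # inline PGP: armored block carried inside a text part
        else:
            cleartext.append(text.strip())
    headers = {h: str(msg[h]) for h in METADATA if msg[h] is not None}
    return {"headers": headers, "body_encrypted": pgp_mime or inline,
            "cleartext": cleartext}
```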
Juan Wood
pfsense uses unbound I think
I've set up bind, dhcpcd, and host blocking manually. it's not worth it. just get specialized software for it. pfsense can run in a virtual environment and you just pass the ethernet device or route the packets to it. the web interface alone is priceless when you want to set up new port forwards or change logging
Caleb Hernandez
OpenBSD is the only free OS where the same team maintains the OS (kernel and userland) as well as http server and mail server, and the documentation that goes with it.
The result is a very well integrated system.
Logan Richardson
Router/firewall - PFSense
Domain controller - Debian (with Samba)
Email server - CentOS
Web server - CentOS
Owen Ramirez
OpenBSD won't save you when you are cucked by the hardware. It just tells the NSA that you have something they want to hack.