Which features of OpenVPN do you need? Wireguard-go has been ported to FreeBSD as well. It is a lot simpler to deploy correctly than OpenVPN and should offer slightly better performance.
The kern.kq_calloutmax sysctl isn't related to open files per queue or process. Instead it limits the number of timers that may be created through kqueue system-wide. It is better to store events in a time-ordered priority queue and invoke the kevent() syscall with the min() of that queue as the timeout.
These days pkgng has enough metadata about packages to deal with most cases and help you build the reverse dependencies as well, or at least fail at install time (look at synth for an example of how that can work).
A lot of the warnings against mixing ports and packages are old and outdated. The old pkg_* tools were unable to detect the conflicts caused by mixing ports and packages. The resulting breakage could be very tedious to clean up. These days you can start with packages and build a few ports in...
Running unencrypted tunnels through the internet is not the best of ideas, even with static endpoint addresses. One way to fix both problems at once would be to use strongSwan to encrypt the GRE tunnel in transport mode with NAT-T and an updown script to sync the tunnel configurations. Just make...
It is burned into some small flash area by the manufacturer and normally doesn't have to be installed. Some old Marvell devices (e.g. Dockstar) shipped with u-boot versions lacking USB boot support but had enough flash to install a full-featured u-boot. Only on such devices should you replace...
I would use strongSwan to protect a GRE or IPIP tunnel with IPsec in transport mode and NAT-T as required. Use a leftupdown script to move the tunnel endpoints and a firewall (IPFW or PF) to prevent traffic leaks.
Personally I prefer to run all daemons under runit supervision, but the FreeBSD rc can handle your use case just fine. You can use daemon to daemonize (and optionally supervise) your script. This article provides a good introduction to FreeBSD rc scripting, including writing non-trivial rc scripts...
While the EdgeRouter Lite is a nice piece of gear, without drivers for most of the offloading hardware it is just a slow 500MHz scalar dual-core MIPS64 big-endian system. By installing anything but EdgeOS you are limited to what those CPUs can get out of NICs without offloading hardware, but...
If both endpoints support it you can already combine IPsec in transport mode with GRE to get a tunnel interface suitable for dynamic routing, at the cost of a 4-byte GRE header. The performance improvements alone are very useful, and getting rid of the GRE header is the icing on the cake.