This collection of scripts will set up a Web server with SSL certificates, Mail server with anti-spoofing measures, and a VPN. Pure shell scripts + config files, no unneeded dependencies.
Note: IPv4-only and IPv4+IPv6 setups are supported. IPv6-only WILL NOT work. You can still use this repo as a reference, though.
If you want to enable IPv6, add this line to the /etc/hostname.* file of your network interface (the two flags disable temporary addresses and semantically opaque interface identifiers, so the autoconfigured address stays stable and can be published in DNS):
inet6 autoconf -temporary -soii
You will have to set up some DNS records prior to running this script. Create the following DNS records:
;; Host          TTL  Type     Value
*.{domain}.      300  IN A     {ip}
{domain}.        300  IN A     {ip}
www.{domain}.    300  IN A     {ip}
;; Only for IPv6:
*.{domain}.      300  IN AAAA  {ipv6}
{domain}.        300  IN AAAA  {ipv6}
www.{domain}.    300  IN AAAA  {ipv6}
Use ifconfig to get your IP address, or consult your VPS provider.
Note: If you cannot use a wildcard (*.{domain}.) record, set up these names explicitly instead:
vpn.{domain}, mail.{domain}, www.vpn.{domain}, www.mail.{domain}, www.{domain}, {domain}
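A pre-flight check for the records above, as an added example that is not part of this repo: it resolves every name the stages rely on with dig(1) from the OpenBSD base system and compares the answers with the address you expect, so a typo in the zone is caught before ./setup.sh runs. The script name, the lookup function and the sample addresses are assumptions.

```shell
#!/bin/sh
# dns-check.sh: added example, not part of this repo. Verifies that the
# records above exist before ./setup.sh is run, using dig(1) from the
# OpenBSD base system. Usage: sh dns-check.sh {domain} {ip} [{ipv6}]

# lookup NAME TYPE -> the record data, one value per line. Kept separate so
# the check can be exercised with canned answers instead of real DNS.
lookup() {
    dig +short "$1" "$2"
}

# expect NAME TYPE WANT -> 0 if WANT is among the answers; otherwise prints
# what was found (if anything) and returns 1.
expect() {
    qname=$1 rtype=$2 want=$3
    got=$(lookup "$qname" "$rtype")
    found=0
    for v in $got; do        # a CNAME chain yields several lines; any match will do
        if [ "$v" = "$want" ]; then found=1; fi
    done
    if [ "$found" -eq 1 ]; then
        return 0
    fi
    printf 'MISSING %-28s %-4s want %s, got: %s\n' \
        "$qname" "$rtype" "$want" "${got:-nothing}" >&2
    return 1
}

# check_all DOMAIN IPV4 [IPV6] -> 0 only if every name the stages rely on
# points at this server. Checking the explicit names covers both the
# wildcard and the one-record-per-name setup.
check_all() {
    domain=$1 ip4=$2 ip6=${3-}
    rc=0
    for name in "$domain" "www.$domain" \
                "mail.$domain" "www.mail.$domain" \
                "vpn.$domain" "www.vpn.$domain"; do
        expect "$name" A "$ip4" || rc=1
        if [ -n "$ip6" ]; then
            expect "$name" AAAA "$ip6" || rc=1
        fi
    done
    return "$rc"
}

# Only act when run with arguments; sourcing the file just defines the functions.
if [ -n "${1-}" ]; then
    if check_all "$@"; then
        echo "DNS looks good, you can run ./setup.sh"
    else
        echo "fix the records listed above before running ./setup.sh" >&2
        exit 1
    fi
fi
```

Run it as `sh dns-check.sh example.org 203.0.113.10` (add the IPv6 address as a third argument for a dual-stack host) and fix every MISSING line it reports; a record that is still propagating shows up the same way, so wait out the TTL before retrying.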
Prerequisites: a user that can become root (add the user to the wheel group and/or enable doas for that user). Log in as that user and run:
mkdir openbsd-server-setup && cd openbsd-server-setup
wget -O - https://github.com/d32f123/openbsd-server-setup/releases/download/latest/openbsd-server-setup.tar.gzip | tar -xzvf -
./setup.sh
(wget is not part of the OpenBSD base system; ftp -o - <url> | tar -xzvf - does the same with base tools.)
Usage: ./setup.sh [bootstrap] [shell] [nginx] [ssl [--ssl-test]] [mail] [pf] [vpn]
The --ssl-test flag is used for local development. When the selected stages finish, read post-install.txt for the remaining manual steps.
Stages and their package dependencies are located in the ./scripts/ directory. Look for the doas pkg_add ... line at the beginning of the corresponding script.
bootstrap: does some basic configuration. Currently it enables the main user to use doas and enables slaacd for IPv6. Skip it if doas is already set up.
shell: sets up an opinionated zsh+tmux environment. Completely optional.
nginx (depends on: doas; dependants: ssl, mail, vpn): websites are located under /var/www/, configuration under /etc/nginx/.
ssl (depends on: doas, nginx; dependants: mail): obtains the TLS certificates for the websites. The certificates obtained here are also used to serve the mail frontend and the VPN configurations.
mail (depends on: doas, nginx, ssl): sets up a mail server (so you can $ mail ... to local users) with mailboxes available over IMAP.
Additional post-install steps for mail:
Required: this stage prints some additional DNS records which prove that mail really comes from your domain (spoofing protection). Publish them before you start sending; receiving servers increasingly reject or junk mail from domains that lack them.
Optional: set up a reverse DNS (PTR) record at your VPS provider so the server's IP resolves back to your mail server's hostname.
Note to VPS users: port 25 must be reachable to receive mail (and open outbound to deliver it). On a VPS it is likely blocked by default, so you will have to ask your provider to open it.
pf: sets up the packet filter to block IPs that hammer your SSH, HTTP, HTTPS, IMAP and SMTP ports. If you lock yourself out, release your address from the pf table via your provider's console (pfctl -t <table> -T delete <ip>; check /etc/pf.conf for the table name).
vpn (depends on: doas, nginx): sets up a WireGuard VPN and optionally OpenIKED (IKEv2). Spins up a local Unbound DNS server for better privacy.
VPN configurations for new clients can be created via a script (WireGuard only). Configurations are served at a random endpoint under vpn.{domain}/, and QR codes are provided to simplify importing them into mobile clients. Treat that URL as a secret: the config contains the client's private key, so anyone who obtains the link can join the VPN as that client. Remove the config once the client has imported it.
WireGuard uses asymmetric key + preshared key authentication. IKEv2 uses preshared key authentication.
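How the client-provisioning step described above can be implemented on OpenBSD, as an added example that is not the repo's own script: it mints a key pair plus a preshared key for the new client (the authentication the VPN stage uses), registers the peer on the in-kernel wg(4) interface, persists it in hostname.wg0, and publishes the client config and a QR code under an unguessable path on the vpn vhost. Assumptions: wireguard-tools (wg(8)) and qrencode are installed from packages, the tunnel interface is wg0 on UDP 51820 with the server at 10.0.0.1 (where Unbound listens), the vhost for vpn.{domain} serves /var/www/vpn, and DOMAIN_NAME is set; all of these names and paths are hypothetical and should be adjusted to the real layout.

```shell
#!/bin/sh
# wg-client.sh: added example, not the repo's own client script.
# Usage (as root): doas sh wg-client.sh 10.0.0.7/24   (unique address per client)

# render_client_config PRIV ADDR SERVER_PUB PSK ENDPOINT DNS -> wg-quick style
# config for the client. DNS points at the server-side Unbound so queries
# never leave the tunnel.
render_client_config() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2
DNS = $6

[Peer]
PublicKey = $3
PresharedKey = $4
Endpoint = $5
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# render_server_peer CLIENT_PUB PSK ADDR -> one hostname.wg0(5) line, which
# is also a valid ifconfig(8) argument list. The client gets a /32 so it
# cannot source packets from another client's address.
render_server_peer() {
    echo "wgpeer $1 wgpsk $2 wgaip ${3%/*}/32"
}

# random_path -> 128 bits of randomness, hex encoded. Unguessable, but it is
# a bearer secret: whoever has the URL has the private key.
random_path() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

if [ -n "${1-}" ]; then
    addr=$1
    : "${DOMAIN_NAME:?set DOMAIN_NAME, e.g. example.org}"
    # Server public key as shown by ifconfig; override with SERVER_PUB if needed.
    server_pub=${SERVER_PUB:-$(ifconfig wg0 | awk '/wgpubkey/ { print $2 }')}
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    psk=$(wg genpsk)

    # Register the peer now and persist it across reboots.
    peer=$(render_server_peer "$pub" "$psk" "$addr")
    ifconfig wg0 $peer
    echo "$peer" >> /etc/hostname.wg0

    # Publish config and QR code under the random path (remove after import).
    path=$(random_path)
    dir=/var/www/vpn/$path
    mkdir -p "$dir"
    render_client_config "$priv" "$addr" "$server_pub" "$psk" \
        "vpn.$DOMAIN_NAME:51820" 10.0.0.1 > "$dir/wg.conf"
    qrencode -o "$dir/wg.png" -r "$dir/wg.conf"
    echo "https://vpn.$DOMAIN_NAME/$path/wg.conf  (QR: $path/wg.png)"
    echo "rm -r $dir once the client has imported the config"
fi
```

The private key never leaves the server except inside that one file, and the server side stores only the client's public key and the PSK, so deleting the published directory is all it takes to close the exposure window; the peer itself stays registered until its wgpeer line is removed from hostname.wg0.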
You can override the following environment variables prior to running the script to modify its behavior:
USER_NAME – the user which will be used for everything in the script. Defaults to the current user.
DOMAIN_NAME – the domain name to create websites for. Defaults to $(hostname | cut -d. -f2-)
MAIL_DOMAIN – the domain name where the mail server will be hosted. Defaults to mail.$DOMAIN_NAME
VPN_DOMAIN – the domain name where VPNs will be hosted (including their configurations). Defaults to vpn.$DOMAIN_NAME
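How those defaults fall back on each other, as an added example that is not the repo's own code: a function that prints the effective values before the stages run, with the one trap the DOMAIN_NAME default has. cut(1) prints the whole line when the delimiter is absent, so on a host named plainly "srv" the derived domain is "srv" rather than empty, and the mail and VPN vhosts would silently become mail.srv and vpn.srv. The check refuses that case. Taking "current user" to mean $(id -un) and the script name are assumptions.

```shell
#!/bin/sh
# env-defaults.sh: added example, not part of this repo.
# Usage: sh env-defaults.sh show   (then run ./setup.sh with the same environment)

# derive_domain FQDN -> everything after the first label, exactly as the
# README's $(hostname | cut -d. -f2-) does, including its quirk: a hostname
# without a dot comes back unchanged instead of empty.
derive_domain() {
    printf '%s\n' "$1" | cut -d. -f2-
}

# resolve_defaults FQDN -> prints the effective KEY=value lines, honoring any
# USER_NAME/DOMAIN_NAME/MAIL_DOMAIN/VPN_DOMAIN already in the environment
# (empty counts as unset, as ${VAR:-default} does). Fails instead of deriving
# a bogus domain from a hostname that has no domain part.
resolve_defaults() {
    fqdn=$1
    if [ -z "${DOMAIN_NAME-}" ]; then
        case $fqdn in
            *.*) ;;
            *)  echo "hostname '$fqdn' has no domain part; set DOMAIN_NAME explicitly" >&2
                return 1 ;;
        esac
    fi
    user=${USER_NAME:-$(id -un)}                 # assumption: "current user" = id -un
    domain=${DOMAIN_NAME:-$(derive_domain "$fqdn")}
    mail=${MAIL_DOMAIN:-mail.$domain}
    vpn=${VPN_DOMAIN:-vpn.$domain}
    printf 'USER_NAME=%s\nDOMAIN_NAME=%s\nMAIL_DOMAIN=%s\nVPN_DOMAIN=%s\n' \
        "$user" "$domain" "$mail" "$vpn"
}

if [ "${1-}" = show ]; then
    resolve_defaults "$(hostname)" || exit 1
    # If the output is right, run e.g.:
    #   DOMAIN_NAME=example.org ./setup.sh bootstrap nginx ssl mail pf vpn
fi
```

Overriding only DOMAIN_NAME is usually enough, since MAIL_DOMAIN and VPN_DOMAIN follow it; set those two only when the mail or VPN host lives under a different name than the DNS records above assume.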
Feel free to provide feedback and improvement ideas / report any issues here on GitHub (issues or pull requests) or mail me at [email protected]. I will be grateful for any kind of feedback!