FreeBSD

Last modified by Yu Pang Law on 2022/12/14 04:12

Jan 24 2023

Compiling Custom Kernel

  1. Update FreeBSD to latest patch
    freebsd-update fetch
    freebsd-update install
  2. Install git
    pkg install git
  3. Updating source file
    git clone -o freebsd https://git.FreeBSD.org/src.git /usr/src
    cd /usr/src
    git checkout stable/13
  4. prepare custom kernel file
    mkdir /root/kernels
    cd /usr/src/sys/amd64/conf
    cp GENERIC /root/kernels/MYKERNEL
    ln -s /root/kernels/MYKERNEL

    The configuration directory depends on your CPU architecture; for the usual 64-bit Intel/AMD CPUs it is amd64.

  5. add/remove options in the MYKERNEL file
  6. Compile and install MYKERNEL, then reboot
    cd /usr/src
    make buildkernel KERNCONF=MYKERNEL
    make installkernel KERNCONF=MYKERNEL
    reboot
  7. Check if MYKERNEL is installed correctly
    uname -a
    If correct, it should show MYKERNEL

Jan 02 2023

Configuring Unbound for whole network

  1. Install and configure unbound as usual. For a basic remote resolver set-up, see "unbound remote resolver setup".
  2. Install bgpq4
  3. Generate prefix list filter for your AS or AS SET
    bgpq4 -4A -h whois.radb.net -F 'access-control: %n/%l allow\n' AS-SET > /usr/local/etc/unbound/prefix.txt
  4. Edit unbound.conf, under server:, add
    include: /usr/local/etc/unbound/prefix.txt
  5. Set up cron job to update prefix list and restart unbound periodically
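A safer form of the cron job in step 5, as an added example that is not part of the original post: it regenerates the prefix list into a temporary file and only swaps it in when the new list is non-empty and every line has the shape bgpq4 emits, so a failed whois query or an empty AS-SET cannot replace the existing ACL with nothing and then reload unbound with no allowed clients. The bgpq4 invocation and the file path are the post's; the function names, the RUN_UPDATE guard and the AS-SET placeholder are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the unbound
# access-control list from bgpq4 and fail closed if the new list is unusable.
ASSET="${ASSET:-AS-SET}"                                   # placeholder: your AS or AS-SET
PREFIX_FILE="${PREFIX_FILE:-/usr/local/etc/unbound/prefix.txt}"

# fetch_prefixes DEST: write "access-control: <prefix> allow" lines to DEST
# (IPv4 only, matching the -4 flag used in the post).
fetch_prefixes() {
    bgpq4 -4A -h whois.radb.net -F 'access-control: %n/%l allow\n' "$ASSET" > "$1"
}

# validate_prefix_list FILE: succeed only if FILE is non-empty and every
# non-blank line looks like "access-control: a.b.c.d/n allow".
validate_prefix_list() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -Ev '^access-control: [0-9]+(\.[0-9]+){3}/[0-9]+ allow$' "$f" | grep -q .; then
        return 1
    fi
    return 0
}

# install_prefix_list NEW CURRENT: replace CURRENT with NEW when NEW is valid
# and differs. Prints "updated", "unchanged" or "rejected"; non-zero on rejection.
install_prefix_list() {
    new="$1"; cur="$2"
    if ! validate_prefix_list "$new"; then
        echo rejected
        return 1
    fi
    if [ -f "$cur" ] && cmp -s "$new" "$cur"; then
        echo unchanged
        return 0
    fi
    mv "$new" "$cur"
    echo updated
}

main() {
    tmp=$(mktemp "${PREFIX_FILE}.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    fetch_prefixes "$tmp" || { echo "bgpq4 failed, keeping old list" >&2; exit 1; }
    case $(install_prefix_list "$tmp" "$PREFIX_FILE") in
        updated)
            # validate the whole unbound configuration before reloading it
            unbound-checkconf && service unbound reload ;;
        unchanged) ;;
        *) echo "new prefix list rejected, keeping old list" >&2; exit 1 ;;
    esac
}

# Only run the update when invoked as RUN_UPDATE=1 (e.g. from cron), so the
# helper functions can be sourced and tested without touching unbound.
if [ "${RUN_UPDATE:-0}" = 1 ]; then
    main
fi
```

Run it from cron as `RUN_UPDATE=1 sh update-unbound-acl.sh`; because unbound is only reloaded on the `updated` branch, a cron run with no prefix changes leaves the resolver untouched.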

Dec 14 2022

Using FreeRadius for Supermicro IPMI

  1. Create a new FreeRadius virtual site for Supermicro IPMI (without enabling SQL support); see "FreeRadius With SQL" for the virtual site steps.
  2. Edit /usr/local/etc/raddb/dictionary and add a new attribute
    ATTRIBUTE IPMI-radius  26 octets
  3. Edit /usr/local/etc/raddb/policy.d/foo and add
    foo {
         update reply {
           # Vendor-Specific = "H=4"
           &Attr-26 = 0x483D34
         }
    }

    0x483D34 is the hex encoding of the string "H=4".

If you need another permission level (e.g. H=3), just change the string to its hex code.
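To avoid working out the hex code by hand, here is an added example (not from the original post) that encodes any Supermicro permission string the way the policy above does and emits the matching policy.d stanza. Attribute 26 and the stanza layout follow the post; the function names are this example's own, and the output is lowercase hex (0x483d34), which FreeRADIUS treats the same as the post's 0x483D34.

```shell
#!/bin/sh
# Added example (not from the original post): encode an IPMI permission
# string as the octets value used in the FreeRADIUS policy.

# ipmi_priv_hex STRING: print STRING as a 0x-prefixed string of hex bytes.
ipmi_priv_hex() {
    printf '0x%s' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')"
}

# ipmi_policy NAME STRING: print a policy.d block that sets Attr-26 to the
# encoded permission string, keeping the readable value in a comment.
ipmi_policy() {
    hex=$(ipmi_priv_hex "$2")
    printf '%s {\n     update reply {\n       # Vendor-Specific = "%s"\n       &Attr-26 = %s\n     }\n}\n' "$1" "$2" "$hex"
}

# Example: generate the stanza for an operator-level (H=3) user.
# ipmi_policy foo 'H=3'
```

The same value can be pasted into the users file entry, e.g. `IPMI-radius += "0x483d33"` for H=3.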

  4. Edit /usr/local/etc/raddb/users and add the following user
    ipmiAdmin Cleartext-Password := "Any-password"
              IPMI-radius += "0x483d34"

    You can replace ipmiAdmin and the authentication type (Cleartext-Password) as needed.
  5. Restart FreeRadius
  6. Log in to the Supermicro IPMI and enable Radius support.

Dec 14 2022

Install OpenVPN on FreeBSD system

  1. Update Port Collection
    portsnap fetch update
    or, if this is the first time,
    portsnap fetch extract
  2. Install OpenSSL
    cd /usr/ports/security/openssl
    make install clean
  3. Edit /etc/make.conf, and add
    DEFAULT_VERSIONS+=ssl=openssl
  4. Install OpenVPN, easyrsa
    cd /usr/ports/security/easy-rsa
    make install clean
    cd /usr/ports/security/openvpn
    make install clean
  5. Create Configuration directory and copy sample configuration file
    mkdir -p /usr/local/etc/openvpn/easy-rsa
    mkdir /usr/local/etc/openvpn/server
    cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
    cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
  6. Edit /usr/local/etc/openvpn/easy-rsa/vars and set your information for SSL
    set_var EASYRSA_REQ_COUNTRY     "HK"
    set_var EASYRSA_REQ_PROVINCE    "Kowloon"
    set_var EASYRSA_REQ_CITY        "San Po Kong"
    set_var EASYRSA_REQ_ORG         "Laws Cloud Infrastructure Limited"
    set_var EASYRSA_REQ_EMAIL       "demo@example.com"
    set_var EASYRSA_REQ_OU          "VPN Department"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_CA_EXPIRE 3650
    set_var EASYRSA_CERT_EXPIRE 3650
  7. Initialize PKI
    cd /usr/local/etc/openvpn/easy-rsa
    sh ./easyrsa.real init-pki
  8. Build CA Certificate, key, certificate file
    sh ./easyrsa.real build-ca
    sh ./easyrsa.real build-server-full server nopass
    sh ./easyrsa.real build-client-full client nopass
    sh ./easyrsa.real gen-dh
    openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
    cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
  9. Edit /usr/local/etc/openvpn/server/server.conf
    port 1194
    proto udp
    dev tun
    ca /usr/local/etc/openvpn/server/ca.crt
    cert /usr/local/etc/openvpn/server/issued/server.crt
    key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret
    dh /usr/local/etc/openvpn/server/dh.pem
    topology subnet
    server 192.168.101.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    duplicate-cn
    keepalive 10 120
    tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    ;comp-lzo
    max-clients 100
    user nobody
    group nobody
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    auth sha512
    remote-cert-tls client
  10. Create log directory
    mkdir /var/log/openvpn/
  11. Edit /etc/rc.conf and enable OpenVPN
    firewall_enable="YES"
    firewall_type="open"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="em1"
    natd_flags="-dynamic -m"
    openvpn_enable=YES
    openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

    em1 is the outgoing network adapter. If you are not sure, check the rc.conf line that binds your IP address, e.g.
    ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
    The network adapter name is the string after ifconfig_ (and before =).
  12. Set up client ovpn profile
    client
    tls-client
    pull
    dev tun
    proto udp
    remote IP-address-of-your-VPN 1194
    resolv-retry infinite
    nobind
    dhcp-option DNS 1.1.1.1
    user nobody
    group nogroup
    persist-key
    persist-tun
    key-direction 1
    tls-auth ta.key 1
    compress
    verb 3
    auth SHA512
    remote-cert-tls server
    <ca>
    content of /usr/local/etc/openvpn/server/ca.crt
    </ca>
    <cert>
    content of /usr/local/etc/openvpn/server/issued/client.crt
    </cert>
    <key>
    content of /usr/local/etc/openvpn/server/private/client.key
    </key>
    <tls-auth>
    content of /usr/local/etc/openvpn/server/ta.key
    </tls-auth>
    key-direction 1
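Assembling the inline profile above by hand means pasting four files into the right sections; here is an added example (not from the original post) that builds it from the easy-rsa output directory and refuses to run if any of the inputs is missing or empty, so a profile with a blank <key> or <tls-auth> section is never handed out. The directory layout and the option set follow the post; the function name and argument order are this example's own. Because the tls-auth key is embedded inline, the profile carries only `key-direction 1` and omits the file-based `tls-auth ta.key 1` line.

```shell
#!/bin/sh
# Added example (not from the original post): generate a client .ovpn with
# the CA, client certificate, client key and tls-auth key embedded inline.

# build_ovpn REMOTE CLIENT SERVER_DIR: write a client profile to stdout.
#   REMOTE     public IP or hostname of the VPN server
#   CLIENT     the name passed to "easyrsa build-client-full"
#   SERVER_DIR the directory holding ca.crt, ta.key, issued/ and private/
#              (/usr/local/etc/openvpn/server in the post)
build_ovpn() {
    remote="$1"; client="$2"; dir="$3"
    ca="$dir/ca.crt"
    cert="$dir/issued/$client.crt"
    key="$dir/private/$client.key"
    ta="$dir/ta.key"
    # fail before emitting anything if an input is missing or empty
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -s "$f" ] || { echo "build_ovpn: missing or empty $f" >&2; return 1; }
    done
    cat <<EOF
client
tls-client
pull
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
dhcp-option DNS 1.1.1.1
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
compress
verb 3
auth SHA512
remote-cert-tls server
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

# Example: build_ovpn vpn.example.com client /usr/local/etc/openvpn/server > client.ovpn
```

The generated file contains the client's private key, so write it with a restrictive umask and deliver it over an authenticated channel rather than by plain e-mail.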

Optional: enable RADIUS authentication

  1. Install OpenVPN Radius Plugin
    cd /usr/ports/security/openvpn-auth-radius
    make install clean
  2. Copy Sample plugin configure to OpenVPN configuration directory
    cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
  3. Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set to
    OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf
    At the bottom, find server { and set the ports, IP address and shared secret:
    server
    {
     # The UDP port for radius accounting.
    acctport=1813
     # The UDP port for radius authentication.
    authport=1812
     # The name or ip address of the radius server.
    name=IP-or-hostname.of.your.radius
     # How many times should the plugin resend the request if there is no response?
    retry=1
     # How long should the plugin wait for a response?
    wait=1
     # The shared secret.
    sharedsecret=secret-phase-for-free-radius
    }
  4. Edit Openvpn config file (server.conf). Add the following to the end of file
    plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf
  5. Edit Client ovpn file and add the following line
    auth-user-pass

Dec 14 2022

FreeRadius enable Virtual site with SQL

  1. Create MySQL/ Postgresql Database and user
  2. import FreeRadius database schema in
    /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql
    /usr/local/etc/raddb/mods-config/sql/main/postgresql/schema.sql
  3. edit sql configuration file and fill in database details
    /usr/local/etc/raddb/mods-enabled/sql

     server = "hostname-here"
     port = 3306
     login = "database-login-here"
     password = "password-here"
     radius_db = "database-name-here"
  4. if more than one database (for different application), copy the whole section, add an instance name and change the database details:
    sql {
    to
    sql instance1 {
  5. copy "default" configuration file to "virtual1" (or any name)
  6. Edit "virtual1" file. and make the following changes
    1. Change the virtual site name:
      server default {
      to
      server virtual1 {
    2. Change the port number
      port = 55555
    3. enable sql,
      find the following line
      #      sql
      and change to
      instance1
      "instance1" is the sql instance name added in step 4
  7. Add a client for this virtual host
    /usr/local/etc/raddb/clients.conf
    client your-device {
           ipaddr = 192.168.0.0/24
           secret = secretPhrase
           virtual_server = virtual1
    }

    your-device is the client profile name.

ipaddr is the IP address (or IP address range) of your device(s). If there is more than one, separate them with "|".
secret is the passphrase used to access the radius service.
virtual_server is the virtual site name used in step 5.

  8. add user into the database
    insert into radusergroup (username, groupname, priority) VALUES ('username','groupname', 1);
    insert into radcheck (username, attribute, op, value) VALUES ('username', 'Cleartext-Password', ':=', 'password');
  9. Restart radiusd

Dec 14 2022

FreeRadius configure file

  • mods-config - module set up file
  • mods-enabled - module configuration file
  • sites-enabled - default and virtual site configuration files
  • radiusd.conf - global configuration file
  • clients.conf - client configuration file.

Dec 14 2022

Certbot usage (Free SSL certificate generation)

Generate and install an SSL certificate using Certbot:

  1. Install Certbot from FreeBSD ports and install python:
    cd /usr/ports/security/py-certbot
    make install clean
    cd /usr/ports/lang/python
    make install clean
  2. Generate a free SSL
    certbot certonly --webroot
  3. Enter the web root and hostname for certificate
  4. Make the change to the Apache configuration and restart Apache
  5. Add the following command to cron and run once a day
    /usr/local/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot renew

Uninstall an existing SSL certificate generated by Certbot:
certbot delete --cert-name ssl.example.com

where ssl.example.com is the sub-domain whose certificate needs to be removed.

Dec 14 2022

MySQL time zone Database

  1. Import Time Zone Data to MySQL
    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
  2. Grant "Select" Privileges to MySQL user
    GRANT SELECT ON mysql.time_zone_name TO cacti@localhost;
    flush privileges;
Copyrighted by Pangnet.net