Gemini with vger
Gemini is a new internet protocol which:
- is heavier than gopher,
- is lighter than the web,
- will not replace either,
- strives for maximum power to weight ratio,
- takes user privacy very seriously.
It is quite an amazing protocol for publishing your writings and sharing content.
Actually, this very documentation is also available over Gemini. 😁
There are various servers, but I'd like to give a few pieces of advice on installing vger, a Gemini server designed for OpenBSD that relies on some of its mitigation mechanisms (unveil, pledge...).
In order to keep vger as simple as possible, Solène -- vger's developer -- had the brilliant idea to use tools already in the OpenBSD base install:
- relayd to deal with TLS
- inetd to daemonize vger.
Install vger as a package:
# pkg_add vger
The README explains how to set up a new capsule (a Gemini website).
Edit "/etc/inetd.conf" to define how vger will be run, with the required flags:
127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger
By default, vger looks for requested files in "/var/gemini".
You can add flags according to the manual. For example, if you want to serve multiple capsules, each one stored in a directory under /var/gemini named after the requested domain (/var/gemini/athome.tld, /var/gemini/other.tld, ...), add -v; -i enables automatic directory indexes:
# serve files in /var/gemini/chezmoi.tld
localhost:11965 stream tcp6 nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
localhost:11965 stream tcp nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
Pay attention to the lines above. inetd listens on localhost only, port 11965, and hands each incoming request to vger, run as the unprivileged user _vger to limit the damage a compromise could do. A second line with "tcp6" is added to serve over IPv6. For this to work, "/etc/hosts" must be filled in so that localhost also resolves to the local IPv6 address:
127.0.0.1 localhost
::1 localhost
Then, add a new section for Gemini to "/etc/relayd.conf":
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2"

log connection

tcp protocol "gemini" {
	tls keypair chezmoi.tld
}

relay "gemini" {
	listen on $ext_ip4 port 1965 tls
	protocol "gemini"
	forward to localhost port 11965
}

relay "gemini6" {
	listen on $ext_ip6 port 1965 tls
	protocol "gemini"
	forward to localhost port 11965
}
A few words:
- ext_ip4 and ext_ip6: the public IP addresses of your server.
- log connection: keeps a log of incoming connections in "/var/log/daemon".
- tcp protocol "gemini" ...: here we specify which TLS key pair to use. If you followed the earlier instructions, the files should be at "/etc/ssl/private/athome.tld.key" and "/etc/ssl/athome.tld.crt".
- relay "gemini": incoming TLS traffic on external port 1965 is decrypted and forwarded to port 11965 on localhost, where inetd is waiting.
             1965              11965
Visitor ---> Relayd ---> inetd ---> vger
Finally, enable and start the daemons:
# rcctl enable inetd relayd
# rcctl start inetd relayd
Last, open 1965/TCP in "/etc/pf.conf" so that visitors can reach relayd.
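To check that the chain above works as intended, here is a small set of shell helpers (an added example, not from the original page nor from the vger project). It assumes the OpenBSD base tools (openssl, netstat, awk) and the ports used on this page: a probe that sends a Gemini request through relayd's TLS front end on 1965 and parses the response header, and a check that the plaintext vger socket on 11965 is only bound to loopback.

```shell
#!/bin/sh
# Added example: sanity checks for the relayd -> inetd -> vger setup.
# Assumes OpenBSD base tools and the ports from this page (1965 public, 11965 loopback).

# Parse the first line of a Gemini response ("<status> <meta>\r\n") and print "<status>|<meta>".
# Returns 1 when the header is malformed (status must be exactly two digits).
gemini_parse_header() {
    hdr=$(printf '%s' "$1" | head -n 1 | tr -d '\r')
    status=${hdr%% *}
    meta=${hdr#* }
    case "$status" in
        [0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # A bare status with no meta leaves hdr unchanged by the ${hdr#* } expansion.
    [ "$meta" = "$hdr" ] && meta=""
    printf '%s|%s\n' "$status" "$meta"
}

# Send a Gemini request for <path> to <host> through the TLS front end (port 1965)
# and print the parsed response header. -servername matters when relayd selects
# the keypair by SNI.
gemini_probe() {
    host=$1
    path=${2:-/}
    resp=$(printf 'gemini://%s%s\r\n' "$host" "$path" |
        openssl s_client -quiet -connect "$host:1965" -servername "$host" 2>/dev/null)
    gemini_parse_header "$resp"
}

# Return 0 if every listener on port 11965 is bound to 127.0.0.1 or ::1, 1 otherwise.
# relayd is the only thing that should be able to reach the plaintext vger socket.
vger_listener_is_local_only() {
    netstat -an 2>/dev/null | awk '
        $NF == "LISTEN" && $4 ~ /\.11965$/ && $4 !~ /^(127\.0\.0\.1|::1)\./ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}
```

Run `gemini_probe chezmoi.tld /` from another machine and expect "20|text/gemini"; run `vger_listener_is_local_only && echo ok` on the server itself.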
To go further :