OpenBSD Agent Installation
Overview
The Knocknoc OpenBSD Agent is orchestration software for managing just-in-time network access. It runs as the unprivileged _knocknoc-agent user, connects to your Knocknoc server over WebSocket, and enforces access locally through the configured integrations.
On OpenBSD the Knocknoc agent is typically used to manage pf, but it can also drive remote integrations such as PAN-OS, Firepower, Sophos and AWS.
For more information on the ways the Knocknoc agent can be used, check out the Linux agent guide.
Requirements
- A supported OpenBSD release.
- Network egress to your Knocknoc server.
- (Only for initial installation) Network egress to packages.knocknoc.io.
- (Only for initial installation) Root access on the host.
Installation
- Browse to https://your-knocknoc-server/admin and log in with your admin user.
- Click on Agents then Create Agent.
- Enter a sensible name e.g. [AgentServerHostname].
- Copy the token that is produced.
- Log in to the server hosting the agent via the command line and become the root user.
- Run this command to install and configure the Agent.
  ftp -o - https://packages.knocknoc.io/setup/setup_knocknoc_agent.sh | sh -
  Accept the License Agreement.
- Enter the hostname of your Knocknoc server (e.g., your-knocknoc-server.com). If you are using a non-standard port, provide that (e.g., your-server:8888). If this Agent is installed locally and defaults have been applied, use 127.0.0.1:8756.

    Enter the hostname of the Knocknoc server
    Knocknoc server defaults to port 443. If your port differs, please append it to your hostname below.
    [Server hostname (demo.knocknoc.io, demo.knocknoc.io:8756): <YOUR RESPONSE HERE>
    Create an agent in the server linux-test.knoc.cloud/admin console and paste the key below.
    [Agent key: <YOUR RESPONSE HERE>
    [Do you have a valid certificate for linux-test.knoc.cloud (y/n)? <YOUR RESPONSE HERE>
    [Do you want custom-scripts enabled? (y/N)? <YOUR RESPONSE HERE>
    Configuration saved to /opt/knocknoc-agent/etc/knocknoc-agent.conf.
    Executing 'status' for all backends...

- Paste the agent token from the Admin portal created earlier.
- Confirm if you have a valid SSL certificate on your Knocknoc server. If you are using 127.0.0.1:8756, select No.
- You can now start adding and configuring Knocs in the admin panel!
If you made a mistake, you can edit the config file:
/etc/knocknoc-agent/knocknoc-agent.conf
Then you will need to restart the Knocknoc agent service:
rcctl restart knocknoc_agent
Service management
The agent runs as the knocknoc_agent service:
rcctl restart knocknoc_agent
rcctl stop knocknoc_agent
rcctl check knocknoc_agent # is it running?
Logs go to syslog at /var/log/daemon.
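A post-install check for what this page states (the service is running, the agent runs as the unprivileged _knocknoc-agent user) plus a permission check on the config file, given as an added example that is not Knocknoc's own code. It assumes the daemon's command line contains knocknoc-agent and that the config file stores the agent key; run it as root on the OpenBSD host.

```shell
#!/bin/sh
# Added example: post-install checks for the Knocknoc agent on OpenBSD.
# Names below come from this page unless marked as an assumption.
SERVICE="knocknoc_agent"
AGENT_USER="_knocknoc-agent"
CONF="/etc/knocknoc-agent/knocknoc-agent.conf"
PROC_MATCH="knocknoc-agent"   # assumption: the daemon's command line contains this

# mode_hides_from_others MODE -> 0 if the octal mode gives "other" no access.
mode_hides_from_others() {
    case "$1" in
        *[0-7][0-7]0) return 0 ;;
        *) return 1 ;;
    esac
}

# agent_uids: read "UID COMMAND..." lines (ps -axo uid,command) on stdin and
# print the distinct UIDs of processes whose command contains PROC_MATCH.
# The pattern is passed via the environment so awk does not match itself.
agent_uids() {
    PAT="$PROC_MATCH" awk '$1 ~ /^[0-9]+$/ {
        cmd = $0; sub(/^[ \t]*[0-9]+[ \t]+/, "", cmd)
        if (index(cmd, ENVIRON["PAT"]) && !seen[$1]++) print $1
    }'
}

# uids_unprivileged EXPECTED_UID UIDS -> 0 only if at least one agent process
# exists and every one runs as EXPECTED_UID, which must not be root.
uids_unprivileged() {
    [ -n "$2" ] && [ "$1" != "0" ] || return 1
    for u in $2; do [ "$u" = "$1" ] || return 1; done
}

live_checks() {
    rc=0
    rcctl check "$SERVICE" >/dev/null || { echo "FAIL: service not running"; rc=1; }
    uids=$(ps -axo uid,command | agent_uids)
    uids_unprivileged "$(id -u "$AGENT_USER")" "$uids" \
        || { echo "FAIL: agent UIDs are '$uids', expected $AGENT_USER"; rc=1; }
    # Assumption: the config stores the agent key, so others should not read it.
    mode_hides_from_others "$(stat -f '%Lp' "$CONF")" \
        || { echo "FAIL: $CONF is accessible to other users"; rc=1; }
    grep "$PROC_MATCH" /var/log/daemon | tail -n 5   # recent agent log lines
    return "$rc"
}

# Run the live checks only where rcctl exists (i.e. on the OpenBSD host).
if command -v rcctl >/dev/null 2>&1; then live_checks; fi
```

A non-zero exit status means at least one check failed; the FAIL lines say which.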
Updating
Re-run the install command to update the agent to the latest version:
ftp -o - https://packages.knocknoc.io/setup/setup_knocknoc_agent.sh | sh
Your existing config is kept, and the service restarts on the new version.
Uninstalling
pkg_delete knocknoc-agent
Your config and the agent's data folder are left in place so a reinstall keeps working.

