OpenBSD Notes
Setup
These are notes for setting up an OpenBSD workstation.
Full Disk Encryption
- OpenBSD FAQ: Softraid Full Disk Encryption
- When you see the welcome message press `s` to enter the shell
- Create the `sd0` device node with `cd /dev && sh MAKEDEV sd0`
- Write random data to the disk with `dd if=/dev/urandom of=/dev/rsd0c bs=1m`
- Initialize the disk with `fdisk -iy -g -b 960 sd0`
- Use `disklabel` to create the partition layout: `disklabel -E sd0`
- At the `sd0>` prompt type `a a`
  - If there were existing partitions, delete them all with `z` first and then type `a a`
- At the `offset:` prompt use the default value and press enter
- At the `size:` prompt type `*`
- At the `FS type:` prompt type `RAID`
- Back at the `sd0*>` prompt write the changes with `w`
- And finally at the `sd0>` prompt quit `disklabel` with `q`
- Create the encrypted device with `bioctl -c C -l sd0a softraid0`
  - This will prompt you for a passphrase for the encrypted drive
  - Once you are done it will tell you which device the encrypted volume is attached to, usually `sd1` or `sd2`
- Create the device node for the encrypted volume you just created: `cd /dev && sh MAKEDEV sd2`
- Zero the start of the encrypted volume with `dd if=/dev/zero of=/dev/rsd2c bs=1m count=1`
- Finally type `exit` to get back to the installer
- When picking your disk make sure you pick the encrypted volume that was reported after the `bioctl` command
Swap Caps Lock and Control
- When prompted for your keyboard layout type `us.swapctrlcaps`
Networking
- During installation it is probably easier to use a wired connection if possible
- This is typically the `em` device
WiFi
- OpenBSD man page: hostname.if(5)
- OpenBSD FAQ: Wireless
- Use `ifconfig` to see the interface name of your wireless card
- Next create a file named `/etc/hostname.<WIRELESS_INTERFACE>`, for example `/etc/hostname.iwm0`
- Inside this file place the connection details for your wireless network using the template below:
```
nwid <SSID> wpakey <PASSWORD> inet autoconf
```
- This `hostname.if` file will ensure that `ifconfig` automatically joins the network the next time it is started up
- To join the network now without restarting run these commands:
```
ifconfig <WIRELESS_DEVICE> nwid <SSID> wpakey <PASSWORD>
ifconfig <WIRELESS_DEVICE> inet autoconf
```
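As an added example (not from these notes and not OpenBSD's own code), here is a small sh function that writes the `hostname.if` file described above. The file holds the WPA passphrase in clear text, so the function creates it with mode 0640, the way OpenBSD ships its own `/etc/hostname.*` files, and it refuses values that the unquoted template above could not carry. The interface name, SSID and key are whatever you pass in; the optional directory argument is an assumption of this example that defaults to `/etc` and lets you preview into a scratch directory first.

```shell
# Added example, not part of the original notes: write /etc/hostname.<if> for a
# wireless interface with the permissions a file holding a WPA key needs.
#   write_wifi_hostname_if <interface> <ssid> <wpakey> [etc_dir]
# etc_dir defaults to /etc; pass a scratch directory to preview the result.
write_wifi_hostname_if() {
    iface=$1 ssid=$2 key=$3 etc=${4:-/etc}

    # interface names look like iwm0, athn0, bwfm0: lowercase letters then a number
    case "$iface" in
        ''|*[!a-z0-9]*|*[!0-9]) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac

    # the template in the notes passes nwid and wpakey unquoted, so refuse
    # values that whitespace would split into extra ifconfig arguments
    case "$ssid$key" in
        *[[:space:]]*) echo "ssid and key must not contain whitespace" >&2; return 1 ;;
    esac

    # WPA passphrases are 8 to 63 characters; a raw 64 hex digit PSK is also accepted
    n=${#key}
    if [ "$n" -lt 8 ] || [ "$n" -gt 64 ]; then
        echo "wpakey must be 8 to 63 characters (or a 64 hex digit PSK)" >&2; return 1
    fi

    f="$etc/hostname.$iface"
    # create the file already restricted (umask 027 gives 0640) so the key is
    # never world-readable, not even between creation and the chmod below
    ( umask 027 && printf 'nwid %s wpakey %s inet autoconf\n' "$ssid" "$key" > "$f" ) || return 1
    chmod 0640 "$f" || return 1
    # OpenBSD keeps these files root:wheel; only root can set that, so ignore failure
    [ "$(id -u)" -eq 0 ] && chown root:wheel "$f" 2>/dev/null
    return 0
}
```

Preview with a scratch directory, for example `write_wifi_hostname_if iwm0 mynet mypassphrase /tmp/preview`, then run it as root without the last argument and bring the interface up with `sh /etc/netstart iwm0`.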
Disks
- OpenBSD FAQ: Disks and Partitions
- IDE drives are usually `wd*` and SCSI drives are usually `sd*`
- Drive numbers come after the drive type
- Drives are numbered according to how they are discovered at boot
- Use `sysctl hw.disknames` to see a list of hard disk names
- `disklabel` is used to manage partitions
  - A given disk can have up to 16 label partitions that use the letters `a` to `p`
  - Some labels are special
    - The boot disk's root partition is always `a`
    - The boot disk's swap partition is always `b`
    - The `c` partition is always the entire disk
- Disks have 16 digit random hex strings that serve as the Disklabel Unique Identifiers (DUIDs)
  - `sysctl hw.disknames` lists these
  - The `fstab` uses the DUIDs when specifying disks
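As an added example (not from these notes or from OpenBSD), the following sh functions turn the output of `sysctl hw.disknames` into the `DUID.partition` spelling that `fstab` uses, so a mount keeps pointing at the same disk even when the kernel discovers the disks in a different order at the next boot. The `hw.disknames` line below is constructed; the DUIDs in it are made up.

```shell
# Added example, not from the original notes: convert `sysctl hw.disknames`
# output into the DUID form that fstab(5) expects.
# The sysctl prints "hw.disknames=sd0:<duid>,sd1:<duid>,..."; a disk that has
# no disklabel yet shows an empty DUID. This sample line is constructed.
SAMPLE_DISKNAMES='hw.disknames=sd0:2f8a1c9e6d0b4e17,sd1:9c3e7a5d1b2f4a60,sd2:'

# disk_duid <sysctl line> <disk>  -> prints the 16 hex digit DUID; fails if
# the disk is absent or has no label
disk_duid() {
    printf '%s\n' "$1" | awk -v disk="$2" -F= '
        {
            n = split($2, entries, ",")
            for (i = 1; i <= n; i++) {
                split(entries[i], kv, ":")
                if (kv[1] != disk) continue
                # a valid DUID is exactly 16 lowercase hex digits
                if (length(kv[2]) == 16 && kv[2] ~ /^[0-9a-f]+$/) { print kv[2]; exit 0 }
                exit 1
            }
            exit 1
        }'
}

# duid_dev <sysctl line> <sdNx>  -> "<DUID>.x", the device spelling used in fstab,
# e.g. sd0a becomes 2f8a1c9e6d0b4e17.a
duid_dev() {
    part=${2##*[0-9]}        # trailing partition letter, e.g. "a"
    disk=${2%"$part"}        # the rest, e.g. "sd0"
    [ "${#part}" -eq 1 ] || { echo "bad device name: $2" >&2; return 1; }
    duid=$(disk_duid "$1" "$disk") || return 1
    printf '%s.%s\n' "$duid" "$part"
}

# fstab_line <sysctl line> <sdNx> <mountpoint> <fstype> <options>
# e.g. fstab_line "$(sysctl hw.disknames)" sd0d /usr ffs rw,nodev
fstab_line() {
    dev=$(duid_dev "$1" "$2") || return 1
    printf '%s %s %s %s 1 2\n' "$dev" "$3" "$4" "$5"
}
```

On a real system pass `"$(sysctl hw.disknames)"` as the first argument; with the constructed sample, `duid_dev "$SAMPLE_DISKNAMES" sd0a` prints `2f8a1c9e6d0b4e17.a` and asking for the unlabeled `sd2` fails instead of producing an empty name.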
Man Page Numbers
- 1 - General Commands
- 2 - System Calls
- 3 - Library Functions
- 3p - Perl Library Functions
- 4 - Device Drivers
- 5 - File Formats
- 6 - Games
- 7 - Miscellaneous Information
- 8 - System Manager's Manual
- 9 - Kernel Developer's Manual
Using rcctl to manage services
- OpenBSD man page: rcctl(8)
- Use `rcctl ls on` to view a list of all running services
- Use `rcctl enable <SERVICE>` to enable a service; this is the same as `rcctl set <SERVICE> status on`
Becoming Root with doas
- OpenBSD man page: doas.conf(5)
- `doas` is the OpenBSD equivalent of `sudo`
- The `su` command works on OpenBSD just like on other Unices
- Create the file `/etc/doas.conf` to enable `doas`
- Add the following line to enable doas for the `wheel` group and persist the password for a bit: `permit persist :wheel`
Power Management
- OpenBSD man page: apm(8)
- Use the command `apm` to see the current power status, which includes the battery level
- `apmd` will need to be enabled with `rcctl enable apmd`
- To have apmd manage the power level automatically, set the `-A` flag on `apmd` with `rcctl set apmd flags -A`
- You might need to restart for changes to `apmd` to take effect
- Use the `zzz` command to put the computer into the suspend state
Packages
- OpenBSD FAQ: Package Management
- To search for a package run `pkg_info -Q <SOME_PACKAGE>`
- To install a package run `pkg_add <SOME_PACKAGE>`
- `pkg_add -u` will update all installed packages
- To delete a package run `pkg_delete <SOME_PACKAGE>`
- There might be dependencies still installed that are no longer needed; to remove them run `pkg_delete -a`
- Sometimes individual packages have a readme that explains some info related to using it on OpenBSD
  - Those readme files are in `/usr/local/share/doc/pkg-readmes/`
Packages
doas pkg_add mosh rsync nethack aspell ledger cdparanoia abcde beets zbar unzip ncdu p7zip pv gnupg fzf wget git python py3-pip password-store pass-otp firefox hack-fonts noto-cjk noto-emoji noto-fonts vlc mpv redshift ImageMagick feh thunar arandr syncthing pinentry-gnome3
Syncthing
- You might need to disable `fsWatcherEnabled` in the `~/.config/syncthing/config.xml` file after you have added shares
Disable xconsole
- Inside the `/etc/X11/xenodm/Xsetup_0` file comment out the line with `xconsole`
- You can also change the `xsetroot` command to change the default background
Building Emacs
- Lars Ingebrigtsen: Building the Development Version of Emacs on OpenBSD (6.7)
- To build Emacs on OpenBSD ensure the following packages are installed: `git`, `autoconf`, `automake`, `gnutls`, `gmake`, `gcc`, `texinfo`
- Add all the dependencies that the emacs package needs: `pkg_add $(pkg_info -f emacs | grep ^@depend | sed 's/^.*://')`
- Once the emacs source is cloned, set the autoconf version to the newly installed one: `export AUTOCONF_VERSION=2.71`
- Tell emacs to use `gmakeinfo` instead of the one OpenBSD ships with: `export MAKEINFO=gmakeinfo`
- You should now be able to run `./autogen.sh`
- After that is complete run configure like so: `CC=egcc ./configure --with-json`
- OpenBSD does not have a port of libgccjit so for now omit `--with-native-compilation`
Environment Variables in Xenocara
- When you log in, the `.xsession` script is run
- In this script you would want to set up any environment variables you need
Using GNU tools
- OpenBSD ships with its own version of the POSIX tools
- Sometimes those versions do not work the same as the GNU versions which are standard on Linux
- You can still install the GNU tools from the package manager
- The GNU versions typically have a prefix like `g` or `e`; for instance the GNU version of gcc is `egcc` and the GNU version of grep is `ggrep`
- A simple solution to prefer the GNU version over the standard one is to add a local search path like `$HOME/.local/bin` to the beginning of your `PATH` environment variable
- In your local bin folder symlink the prefixed GNU tool to the standard tool name:
```
mkdir -p $HOME/.local/bin
cd $HOME/.local/bin
ln -s /usr/local/bin/ggrep grep
```
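As an added example (not from these notes or from any OpenBSD package), this sh function does the symlinking above for several GNU tools at once. It only links tools that are actually installed under `/usr/local/bin` and it never overwrites a real file in the bin directory, so a script of your own named `make` or `grep` survives. The `gsed`, `gmake` and `gtar` package names are this example's assumptions about the usual OpenBSD package names; `ggrep` and `egcc` come from the notes above.

```shell
# Added example, not from the original notes: populate $HOME/.local/bin with
# symlinks from the standard tool names to the prefixed GNU packages, only for
# tools that are really installed, without clobbering anything that is not
# already one of our symlinks.
#   link_gnu_tools [bindir] [pkgbin]   -> prints how many links were made
# bindir defaults to $HOME/.local/bin, pkgbin to /usr/local/bin (where pkg_add
# installs binaries); both can be pointed at scratch directories to try it out.
link_gnu_tools() {
    bindir=${1:-$HOME/.local/bin}
    pkgbin=${2:-/usr/local/bin}
    mkdir -p "$bindir" || return 1
    linked=0
    # "<prefixed name>:<standard name>"; ggrep and egcc are from the notes above,
    # the others are the usual package names (an assumption of this example)
    for pair in ggrep:grep gsed:sed gmake:make gtar:tar egcc:gcc; do
        src="$pkgbin/${pair%%:*}"
        dst="$bindir/${pair#*:}"
        [ -x "$src" ] || continue                  # package not installed, nothing to link
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            # a real file with that name is someone's own script; leave it alone
            echo "skipping $dst: exists and is not a symlink" >&2
            continue
        fi
        ln -sf "$src" "$dst" || return 1
        linked=$((linked + 1))
    done
    echo "$linked"
}
```

Afterwards put `PATH=$HOME/.local/bin:$PATH` near the top of `~/.profile`. The directory is writable by your user, so keep it out of root's `PATH`: anything dropped there would run as root the next time root typed `grep`. `doas` resets `PATH` to a fixed safe value for the commands it runs, so this only matters if you export the variable into a root shell yourself.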
Updating
Patching
- OpenBSD man page: syspatch(8)
- Run `syspatch -c` as root to view the available patches for the system
- To apply the patches run `syspatch` as root with no argument
Upgrading
- OpenBSD man page: sysupgrade(8)
- Use `sysupgrade` to upgrade to the next version of OpenBSD
- To view the current version use `uname -a`
DHCP
- OpenBSD man page: dhcpd(8)
- OpenBSD man page: dhcpd.conf(5)
- Below is an example template of a `dhcpd.conf`
```
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;             # Gateway IP
    option domain-name-servers 192.168.1.1;
    range 192.168.1.100 192.168.1.254;      # Dynamic IP Range

    host lan-host-1 {                       # Static IP for some host
        fixed-address 192.168.1.2;          # inside the subnet, outside the dynamic range
        hardware ethernet 01:02:03:04:05:06;
    }
    host lan-host-2 {                       # Another Static IP for some host
        fixed-address 192.168.1.3;
        hardware ethernet 02:03:04:05:06:07;
    }
}
```
- Once you are finished editing the `dhcpd.conf` restart the service with `rcctl restart dhcpd`
- To view the current dhcp leases from the server view `/var/db/dhcpd.leases`
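As an added example (not from these notes or from OpenBSD's dhcpd), here is an awk-based sanity check for the static host entries in a `dhcpd.conf` shaped like the template above. It assumes a single `subnet ... netmask 255.255.255.0` declaration and a single `range` line, and reports every `fixed-address` that is outside that subnet or inside the dynamic pool. The sample configuration it writes is constructed for the demonstration and deliberately contains one broken host of each kind.

```shell
# Added example, not from the original notes: flag static hosts in a dhcpd.conf
# whose fixed-address is outside the declared /24 or overlaps the dynamic range.
# Assumes one "subnet ... netmask 255.255.255.0" block and one "range" line,
# like the template above.
#   check_dhcpd_static <dhcpd.conf>   -> one line per problem, exit status 1 if any
check_dhcpd_static() {
    awk '
        $1 == "subnet"        { split($2, s, "."); net = s[1] "." s[2] "." s[3] }
        $1 == "range"         { split($2, lo, "."); split($3, hi, ".")
                                sub(/;/, "", hi[4]); rlo = lo[4] + 0; rhi = hi[4] + 0 }
        $1 == "host"          { host = $2 }
        $1 == "fixed-address" {
            ip = $2; sub(/;/, "", ip); split(ip, o, ".")
            pfx = o[1] "." o[2] "." o[3]
            if (pfx != net) {
                print host ": " ip " is outside " net ".0/24"; bad++
            } else if (o[4] + 0 >= rlo && o[4] + 0 <= rhi) {
                print host ": " ip " collides with the dynamic range"; bad++
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_dhcpd_conf <path>: a constructed config with one correct static
# host and two broken ones, for trying the check out
write_sample_dhcpd_conf() {
    cat > "$1" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.100 192.168.1.254;
    host printer {                  # fine: in the subnet, below the range
        fixed-address 192.168.1.2;
        hardware ethernet 01:02:03:04:05:06;
    }
    host nas {                      # wrong third octet: unreachable on this subnet
        fixed-address 192.168.6.3;
        hardware ethernet 02:03:04:05:06:07;
    }
    host camera {                   # inside the dynamic pool: overlaps leases
        fixed-address 192.168.1.150;
        hardware ethernet 03:04:05:06:07:08;
    }
}
EOF
}
```

Run `check_dhcpd_static /etc/dhcpd.conf` before `rcctl restart dhcpd`; a non-zero exit means at least one static host will not get the address you think it will.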
PF
- OpenBSD Handbook PF Cheat Sheet
- Use `pfctl -n -f /etc/pf.conf` to test new rules
- Use `pfctl -f /etc/pf.conf` to load rules
- Use `pfctl -s rules` to view the current rules
Wireguard
Hostname
- Create a wireguard interface on the server in `/etc/hostname.wg0`
- The following example uses the 10.0.0.0/24 subnet and manually sets the server's IP to 10.0.0.1
- It also uses the `wg` command to set up the config stored in `/etc/wireguard/server.conf`
```
inet 10.0.0.1 255.255.255.0
!/usr/local/bin/wg setconf wg0 /etc/wireguard/server.conf
```
pf
- Modify the `/etc/pf.conf` file to skip the `lo0` and `wg0` interfaces: `set skip on { lo0 wg0 }`
- Open the wireguard port, `51820`, for UDP packets: `pass in quick on egress proto udp to port 51820`
unbound
- Update the unbound DNS server config (`/var/unbound/etc/unbound.conf`) to allow the wireguard subnet: `access-control: 10.0.0.0/24 allow`
Wireguard Setup
- Install the Wireguard software with `pkg_add wireguard-tools`
Generating Keys
- Wireguard has the `genkey` and `pubkey` subcommands to generate keys
- Set the `umask` before generating the key files: `umask 077`, then `wg genkey > server.key`
- Use the `pubkey` subcommand to derive the public key from the private one: `wg pubkey < server.key > server.pub.key`
Config
- Create the Wireguard server conf file, `/etc/wireguard/server.conf`
```
[Interface]
PrivateKey = <<server_private_key>>
ListenPort = 51820

[Peer]
PublicKey = <<client_public_key>>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <<client_public_key>>
AllowedIPs = 10.0.0.3/32
....
```
- This conf file is where the clients are registered with the server
- You will need to manually specify the IP to associate with a client public key
Bring Up the Wireguard Interface
- `sh /etc/netstart wg0`
View Wireguard Status
- Use the `wg` command without any args to view the configuration
- Check `ifconfig` to verify the `wg0` interface
Reboot
- Reboot the server for all the changes to take effect
Client Setup
- Generate keys on client devices and ensure that each is set up as a peer on the server
- Add the server's public key as a peer on the clients
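As an added example (not from these notes and not part of wireguard-tools), the sh function below generates the `server.conf` described in the Config section from a list of `<name> <client public key>` lines, giving each peer its own `/32` in the 10.0.0.0/24 used above, and it refuses to embed the private key if `server.key` is readable by anyone but its owner (that is, if it was created without the `umask 077` from the Generating Keys section). The peer list and the key file contents are constructed placeholders with the right 44-character base64 shape, not real keys; the `prefix` argument is this example's assumption.

```shell
# Added example, not from the original notes: build /etc/wireguard/server.conf
# from "<name> <client public key>" lines, one /32 per peer in 10.0.0.0/24.
#   wg_server_conf <server.key> <peer list text> [prefix]   -> config on stdout

# 42 filler characters; with a valid 43rd character and "=" that is the exact
# shape of a base64-encoded 32-byte WireGuard key. Constructed placeholders,
# not real keys.
FAKE_KEY_BODY=$(printf 'xxxxxx%.0s' 1 2 3 4 5 6 7)
SAMPLE_PEERS=$(printf 'laptop %sA=\nphone %sQ=' "$FAKE_KEY_BODY" "$FAKE_KEY_BODY")

# wg_valid_pubkey <key>: 44 base64 characters encoding exactly 32 bytes. Only
# 16 values are possible for the 43rd character because its last two bits are
# zero padding; wg(8) rejects anything else, so we do too.
wg_valid_pubkey() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

wg_server_conf() {
    keyfile=$1 peers=$2 prefix=${3:-10.0.0}

    # the group and other permission bits of the key file must all be "-"
    case "$(ls -l "$keyfile" 2>/dev/null | cut -c5-10)" in
        ------) ;;
        *) echo "refusing: $keyfile is missing or readable by group/others (use umask 077)" >&2; return 1 ;;
    esac
    priv=$(cat "$keyfile") || return 1
    wg_valid_pubkey "$priv" || { echo "refusing: $keyfile does not hold a WireGuard key" >&2; return 1; }

    printf '[Interface]\nPrivateKey = %s\nListenPort = 51820\n' "$priv"

    n=2     # .1 is the server itself (see /etc/hostname.wg0 above); clients start at .2
    while read -r name pub; do
        [ -n "$name" ] || continue
        wg_valid_pubkey "$pub" || { echo "peer $name: not a valid WireGuard public key" >&2; return 1; }
        [ "$n" -le 254 ] || { echo "too many peers for a /24" >&2; return 1; }
        # a /32 per peer: the server accepts packets from this key only with
        # this source address, so one client cannot claim another's address
        printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s.%d/32\n' "$name" "$pub" "$prefix" "$n"
        n=$((n + 1))
    done <<EOF
$peers
EOF
}
```

Write the output to a temporary file and only move it over `/etc/wireguard/server.conf` when the function succeeded, since a bad peer line aborts part way through. Note also that `set skip on wg0` in the pf section turns filtering off for everything arriving through the tunnel, so every registered peer reaches every service on the server; if the tunnel is only meant for DNS, filter on `wg0` instead of skipping it.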
Xterm
- To bring up the font menu hold control and left click
- From this menu you can select a font size