OpenBSD Archive
This blog post is a guide explaining how to setup a full-featured email server on OpenBSD 7.5. It was commissioned by a customer of my consultancy who wanted it to be published on my blog. Setting up a modern email stack that does not appear as a spam platform to the world can be a daunting task, the guide will cover what you need for a secure, functional and low maintenance email system. ↫ Solène Rapenne If you ever wanted to set up and run your own email server, this is a great way to do it. Solène, an OpenBSD developer, will help you through setting up IMAP, POP, and Webmail, an SMTP server with server-to-server encryption and hidden personal information, every possible measure to make sure your server is regarded as legitimate, and all the usual firewall and anti-spam stuff you are definitely going to need. Taking back email from Google – or even Proton, which is now doing both machine learning and Bitcoin, of all things – is probably one of the most daunting tasks for anyone willing to cut ties with as much of big tech as possible. Not only is there the technical barrier, there’s also the fact that the major email providers, like Gmail or whatever Microsoft offers these days, are trying their darnest to make self-hosting email as cumbersome as possible by trying to label everything you send as spam or downright malicious. It’s definitely not an easy task, but at least with guides like this there’s some set of easy steps to follow to get there.
This is an attempt at building an OpenBSD desktop than could be used by newcomers or by people that don’t care about tinkering with computers and just want a working daily driver for general tasks. Somebody will obviously need to know a bit of UNIX but we’ll try to limit it to the minimum. ↫ Joel Carnat An excellent, to-the-point, no-nonsense guide about turning a default OpenBSD installation into a desktop operating system running Xfce. You definitely don’t need intimate, arcane knowledge of OpenBSD to follow along with this one.
Only yesterday, I mentioned one of the main reasons I decided to switch back to Fedora from OpenBSD were performance issues – and one of them was definitely the lack of hardware acceleration for video decoding/encoding. The lack of such technology means that decoding/encoding video is done using the processor, which is far less efficient than letting your GPU do it – which results in performance issues like stuttering and tearing, as well as a drastic reduction in battery life. Well, that’s changed now. Thanks to the work of, well, many, a major commit has added hardware accelerated video decoding/encoding to OpenBSD. Hardware accelerated video decode/encode (VA-API) support is beginning to land in #OpenBSD -current. libva has been integrated into xenocara with the Intel userland drivers in the ports tree. AMD requires Mesa support, hence the inclusion in base. A number of ports will be adjusted to enable VA-API support over time, as they are tested. ↫ Bryan Steele This is great news, and a major improvement for OpenBSD and the community. Apparently, performance in Firefox is excellent, and with simply watching video on YouTube being something a lot of people do with their computers – especially laptops – anyone using OpenBSD is going to benefit immensely from this work.
This is an attempt to turn OpenBSD into a Whonix or Tails alternative, although if you really need that level of privacy, use a system from this list and not the present guide. It is easy to spot OpenBSD using network fingerprinting, this can not be defeated, you can not hide the fact you use OpenBSD to network operators. I did this guide as a challenge for fun, but I also know some users have a use for this level of privacy. ↫ Solène Rapenne Written by OpenBSD developer Solène Rapenne, so you’re probably not going to find a guide written by anyone more knowledgeable.
Last year marked a significant milestone for both myself and the OpenBSD desktop community, as we successfully ported KDE Plasma 5 and all dependencies to OpenBSD. With the release of OpenBSD 7.5 on April 5, 2024, KDE Plasma in version 5.27.10 has become a part of our lovely operating system. This success is the result of years of development work and commitment to achieving this goal. KDE launched version 6 of its Plasma desktop environment on February 28, 2024, bringing numerous updates and features as well as the major switch to Qt6. I am immensely proud that the OpenBSD team has managed to prepare for this major update so swiftly. All necessary components have been committed to our CVS tree, and the packages will soon be available. ↫ Rafael Sadowski Excellent news for OpenBSD users who don’t wish to be using GNOME, Xfce, or one of the smaller build-it-yourself desktop environments. My dual-Xeon workstation, which I switched over from Fedora KDE to OpenBSD, runs Xfce, because I feel a smaller desktop environment is a more natural fit for OpenBSD, but I’m very happy to know that I have KDE to fall back on in case Xfce turns out not to be a good fit for me in the long term. I’ll give the OpenBSD developers an other experts in that community some more time to iron out any wrinkles, and then I’ll probably give it a go to see just how well KDE will be integrated with the OpenBSD base system.
But the biggest differential factor between BSDs and GNU/Linux is the way it is structured. In Linux, all components are designed to work together, but are completely separate. You’ve got the kernel, init systems, multimedia daemons, userland, bootloader, virtualization and containerization mechanisms, package managers, and so on. They are all separate projects with their own goals and are operated by separate entities. This is why we’ve got different Linux Distributions instead of Operating System. Everyone can take the kernel, start adding components on top of it, and a few minutes later the DistroWatch is even harder to keep up with. Each BSD on the other hand is designed as single system. All components are created and developed together. Things work together perfectly, because they are designed, coded, tested and released as one. ↫ Michał Sapka As I’ve mentioned here and there over the past few weeks, I’ve been exploring the world of BSD lately, and after bouncing of FreeBSD I’ve found a very happy home on OpenBSD. Now, this doesn’t mean I’m now a full-time OpenBSD user or anything like that – Linux is the main operating system on my gaming PC, my laptop, and my workstation, and that’s not going to be changing any time soon. However, after installing, exploring, and using OpenBSD on a machine cobbled together from spare and older parts, I can definitely see the appeal. OpenBSD feels more coherent than a Linux distribution – I use Fedora KDE, if that matters – and the various lower-level systems seem to talk to each other in ways that make more intuitive sense than the individually developed systems in a Linux distribution do. Diving into the command-line interface of a Linux distribution can sometimes feel confusing because different tools use different conventions, because they’re developed by entirely different people and projects, with different ideas about how flags should work, how output should be presented, and so on. On OpenBSD, it seems much easier to carry over something you learn from one tool to the next. I simply feel more secure and knowledgeable, even if it’s still the same idiot me. The documentation plays a big role here. They’re in one place, written in a consistent style, and reference each other left and right, making it easy to find your way around to other commands or tools you haven’t yet considered using. On Linux, you’re going from one project’s documentation to another project’s documentation, and not only will the style change, the quality will also vary greatly. That’s not to say everything’s perfect on OpenBSD – it’s clearly a hardened server operating system, and its focus on security will definitely throw up annoying hurdles if you’re just trying to do workstation things. Firefox, for instance, is hobbled by strict security rules through unveil, which makes perfect sense for what OpenBSD is first and foremost trying to be, but if you’re just a regular user like me, it’s annoying that Firefox can only access ~/Downloads, or that it can’t set itself as the default browser so unless you disable that check, Firefox will keep complaining about it. Diving into Firefox and unveil is on my list, though, because you should be able to ‘fix’ this. Furthermore, while every piece of software, or an equivalent, is pretty much always available for Linux, on OpenBSD it’s more hit and miss, and it seems to take a bit longer for new releases of especially bigger software packages to get updated. I mean, there’s obviously no Steam on OpenBSD, but smaller, less well-known projects generally also don’t support OpenBSD, so you’re either going to be compiling things yourself or hope someone packages it up for OpenBSD. Then there’s the various vanity things we’ve come to expect from modern Linux distributions, like slick, fully graphical boot and shutdown sequences, detailed graphical tools for managing your packages, graphical firmware and driver managers, and so on. OpenBSD has none of these things, and while that’s no issue for me, I can see how it would throw other people off. FreeBSD, OpenBSD, NetBSD, and the few others often kind of get lost in all the Linux, Windows, and macOS violence, and to be quite honest – I feel like many people in the BSD community seem mostly okay with that. If you’ve never spent any serious time using any of the BSDs, but you’re interested in operating systems and don’t mind spending a few hours learning how to manipulate your system through CLI tools – dive in. There’s a ton of fun to be had, and things to learn. For now, I’m continuing my exploration of OpenBSD, and if things keep going as well as they are, I may consider at least switching over the workstation in my office from Fedora KDE to OpenBSD – but I highly doubt it’ll ever make its way to my gaming desktop or my laptop.
Game of Trees (Got) is a version control system which prioritizes ease of use and simplicity over flexibility. Got is still under development; it is being developed on OpenBSD and its main target audience are OpenBSD developers. Got uses Git repositories to store versioned data. Git can be used for any functionality which has not yet been implemented in Got. It will always remain possible to work with both Got and Git on the same repository. ↫ Game of Trees website OpenBSD is developing Game of Trees because they want a version control system that adheres to OpenBSD coding conventions, implements various OpenBSD security practices, and uses nothing but BSD-licensed code. It’s important to note, as its developers make very clear, that GoT is not in any way intended as a replacement for git.
I always like it when I can link to an article written by an OSNews, and this time it’s even relevant to me as I’m exploring OpenBSD myself. OSNews reader and silver Patreon supporter Morgan has written an article about using OpenBSD as a daily driver. OpenBSD is forever tied in first place with Void Linux as my favorite desktop OS. This is particularly funny because OpenBSD isn’t “just a desktop OS”; in its purest form, the base installation without any installed packages, it makes for an excellent Ethernet router, firewall, or web server. It even ships with its own fork of X11 called Xenocara, along with fvwm2 and its own calm window manager, so there’s a rudimentary desktop OS in there too. With that said, in 2024 there is no such thing as a fully functioning desktop computer or workstation without at least a web browser of some kind, and if you’re adding packages you may as well build a full desktop system to suit your needs. So how do you go from the amazing but unfortunately limited base install to a “daily driver” workstation operating system? There are many ways to do this, and I will present a couple of paths I take depending on the hardware and use case involved. Before I do that, a bit of prep is necessary to get OpenBSD into more of a desktop OS mode. ↫ Morgan I’ll be using this guide over the coming days to make sure I end up with something usable. I still haven’t decided on what desktop environment I want to go for – I’m not interested in running GNOME or KDE, so Xfce is probably the most likely option. I’d also love to try out LXQt, but it seems the version OpenBSD has in its repositories is very, very outdated (1.0.0 from years ago, when 2.0.0 was just released). There’s a small chance I might suck it up and use one of those “build your own desktop environment” options, but I have no idea which one I should go for.
With the recent release of OpenBSD 7.5, I decided to run through my personal OpenBSD “installer” for laptop/desktop devices. The project is built off of the dwm tiling window manager and only installs a few basic packages. The last time I updated it was with the release of 7.3, so it’s been due for an minor rework. While making these minor changes, I remembered how incredibly easy the entire install process for OpenBSD is and how cozy the entire operating system feels. All the core systems just work out the box. Yes, you need to “patch” in WiFi with a firmware update, so you’ll need an Ethernet connection during the initial setup. Yes, the default desktop environment is not intuitive or ideal for newcomers. But the positives heavily outweigh the negatives (in my opinion). ↫ Bradley Taunt OpenBSD has a very dedicated community, and I’ve noticed they tend to be very helpful and friendly. It’s making me curious about trying it out, and both this article and the helpful posts it links to will be a great way to start.
OpenBSD 7.5 has hit the streets (or servers and workstations), and it comes with a metric ton of improvements and new features. Of course, the kernel has been improved in countless ways, from symmetric multiprocessing improvements to a new font usable as a console font. The graphics drivers have been updated to match Linux 6.6.19, and drivers for the Apple display coprocessor were added. Furthermore, a whole slew of additional ARM boards and SoC are now supported, and new drivers for a variety of networking chips, both wired and wireless, were added as well. Of course, that’s just a selection of the changes, and the full changelog lists them all for those of you with specific wishes.
In this blog post, you will learn about some OpenBSD features that can be useful, but not widespread. They often have a niche usage, but it’s important to know they exist to prevent you from reinventing the wheel. ↫ Solène Rapenne Written by Solène Rapenne, who also happens to be an OpenBSD developer, so a great source for information like this.
Welcome to my comprehensive guide on recording audio and desktop screen on OpenBSD. In this blog post, I’m excited to share my personal setup and approach to efficiently capturing high-quality audio and video on one of the most secure and stable operating systems available. Whether you’re a professional content creator, a developer looking to record tutorials, or simply an OpenBSD enthusiast, this guide is tailored to help you navigate the intricacies of screen recording in this unique environment. Alongside this step-by-step tutorial, I’ve also included a practical YouTube video to demonstrate the quality and effectiveness of the recordings you can achieve with this setup. So, let’s dive in and explore the world of audio and video recording on OpenBSD! ↫ Rafael Sadowski The BSD world needs more of these kinds of guides and articles. I feel like the various BSDs have so much to offer to desktop users, especially now that there is a reasonable contingent of Linux users who aren’t happy with the spread of things like systemd and Wayland, but the fact of the matter is that the BSDs are not as focused on desktop and laptop use as Linux has been. That’s not a dig at BSD developers – BSD focuses on different things – but it does mean that people interested in using BSD on desktops and laptops need a bit more assistance.
I wanted to share a list of hardening you can do on your OpenBSD workstation, and explaining the threat model of each change. Feel free to pick any tweak you find useful for your use-case, many are certainly overkill for most people, but depending on the context, these changes could make sense for others. ↫ Solène Rapenne Writte by OpenBSD developer Solène Rapenne.
I was always very interested in OpenBSD and a few months ago, I decided to give it a try. I’ve quickly fallen in love with it! There is, however, a big problem: Hare does not fully support OpenBSD! So, I decided to port it and I am happy to announce that my work was merged yesterday and OpenBSD is now fully supported by Hare. Let me show you some of the tricky stuff that was involved in the port. ↫ Lorenz (xha) on the official Hare blog Hare is a relatively new programming language, and originally only supported Linux and FreeBSD. This post details the process of porting it over to OpenBSD.
The seL4 microkernel is currently the only kernel that has been fully formally verified. In general, the increased interest in ensuring the security of a kernel’s code results from its important role in the entire operating system. One of the basic features of an operating system is that it abstracts the handling of devices. This abstraction is represented by device drivers – the software that manages the hardware. A proper verification of the software component could ensure that the device would work properly unless there is a hardware failure. In this paper, we choose to model the behavior of a device driver and build the proof that the code implementation matches the expected behavior. The proof was written in Isabelle/HOL, the code translation from C to Isabelle was done automatically by the use of the C-to-Isabelle Parser and AutoCorres tools. We choose Isabelle theorem prover because its efficiency was already shown through the verification of seL4 microkernel. Some light reading that would’ve been for the weekend had I not gotten sick and unable to work on OSNews much.
A new OpenBSD release means a ton of new features, and OpenBSD 7.4 is no different. It adds a VirtIO GPU driver, built-in leak detection for malloc, support for AMD processor microcode updates, and a whole lot more. If you want the really detailed list of changes, hop on over to the changelog, and OpenBSD users will already know how to update.
Suppose, hypothetically, that you have some DNS servers that are exposed to the Internet behind an OpenBSD PF-based firewall. Since you’re a sensible person, you have various rate limits set in your DNS servers to prevent or at least mitigate various forms of denial of service attacks. One day, your DNS servers become extremely popular for whatever reason, your rate limits kick in, and your firewall abruptly stops allowing new connections in or out. What on earth happened? It’s a quirk of PF in OpenBSD, and this post provides more details and possible mitigations.
I often see a lot of confusion with regard to OpenBSD, either assimilate as a Linux distribution or mixed up with FreeBSD. Let’s be clear, OpenBSD is a stand alone operating system. It came as a fork of NetBSD in 1994, there isn’t much things in common between the two nowadays. While OpenBSD and the other BSDs are independant projects, they share some very old roots in their core, and regularly see source code changes in one being imported to another, but this is really a very small amount of the daily code changes though. Just like OSNews (more information about the OSNews Gemini capsule), this article is also available on Gemini.
sysclean(8) is a system tool designed for help system administrator to keep their OpenBSD clean after upgrade. It walks the installed system and compare to a reference system, reporting to the user additional things in the installed system. The purpose is to point any elements that wouldn’t be present if a fresh install was done, instead of an upgrade. This seems like a useful tool.
Years later, Todd Mortimer and I developed RETGUARD. At the start of that initiative he proposed we protect all functions, to try to guard all the RET instructions, and therefore achieve a state we call “ROP-free”. I felt this was impossible, but after a couple hurdles the RETGUARD performance was vastly better than the stack protector and we were able to protect all functions and get to ROP-free (on fixed-sized instruction architecures). Performance was acceptable to trade against improved security. RETGUARD provides up to 4096 cookies per DSO, per-function, but limited to avoid excessive bloat. It is difficult to do on architectures with very few registers. Code was only written for clang, there is no gcc codebase doing it. clang code for some architectures was never written (riscv64). I hope that sets the stage for what is coming next. We were able to enable RETGUARD on all functions because it was fast. Look, I have no clue what any of this means. None at all. However, I do somewhat grasp this is a big deal… I just need OSNews readers to explain in layman’s terms why, exactly.
