1. Introduction §
This blog post explains how to configure an OpenBSD workstation with extreme privacy in mind.
This is an attempt to turn OpenBSD into a Whonix or Tails alternative; if you really need that level of privacy, use one of those systems rather than the present guide. OpenBSD is easy to spot through network fingerprinting (its TCP/IP stack behaves in recognizable ways), and this cannot be defeated: you cannot hide from network operators that you run OpenBSD.
I did this guide as a challenge for fun, but I also know some users have a use for this level of privacy.
Note: this guide covers steps to increase the privacy of OpenBSD and its base system; it does not explain how to configure a web browser or how to choose a VPN.
2. Checklist §
OpenBSD does not have much network activity with a default installation, but the following programs generate traffic:
- the installer connects to 199.185.178.80 to associate the chosen timezone with your public IP, so that the answer can be reused for future installations
- ntpd (for time sync) uses pool.ntp.org and time.cloudflare.com as NTP servers, and 9.9.9.9, 2620:fe::fe and www.google.com as HTTPS constraints to sanity-check the time
- fw_update connects to firmware.openbsd.org (which resolves to openbsd.map.fastlydns.net); it runs at the end of the installer and at the end of each sysupgrade
- sysupgrade, syspatch and the pkg_* tools use the mirror defined in /etc/installurl (defaults to https://cdn.openbsd.org/pub/OpenBSD)
3. Setup §
3.1. OpenBSD installation §
If you do not have OpenBSD installed yet, you will have to download an installer. Choose from the official mirrors or my tor/i2p proxy mirror.
OpenBSD official website: Downloading OpenBSD
OpenBSD privacy-friendly mirrors
Choose the full installer: for 7.5 it is install75.img for a USB stick or install75.iso for a CD-ROM.
It is important to choose the full installer, which ships all the file sets, so that no network access is needed at install time.
Full disk encryption is recommended, but it's your choice. If you choose encryption, it is recommended to fill the drive with random data beforehand, so that encrypted data cannot be told apart from unused space.
OpenBSD FAQ: Crypto and disks
During the installation, do not configure the network at all. This prevents syspatch and fw_update from running at the end of the installer, and ntpd from contacting its servers on the first boot.
3.2. First boot (post installation) §
Once OpenBSD has booted after the installation, you need to decide what to do with ntpd (the time synchronization daemon):
- you can disable ntpd entirely with rcctl disable ntpd, but this is not really recommended: a desynchronized clock creates issues with some network software (TLS certificate validation, for instance)
- you can edit /etc/ntpd.conf, which contains the list of servers used to keep the time synchronized, and choose which servers to connect to (if any)
- you can configure ntpd to use a time sensor (such as a GPS receiver) and disable everything else
Whonix (maybe Tails too?) uses a custom tailored program named sdwdate to set the system clock over Tor (because Tor only carries TCP while NTP uses UDP); unfortunately it is not easily portable to OpenBSD.
Next, edit /etc/hosts to neutralize the firmware server, whose hostname is hard-coded in fw_update, by adding this line:
127.0.0.9 firmware.openbsd.org
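The second option (keeping ntpd but choosing the servers yourself) together with the /etc/hosts entry, as an added example that is not part of the article. ntp.example.org stands for the single NTP server you trust (a hypothetical name); the one constraint line keeps an HTTPS sanity check on the time using 9.9.9.9 from the default configuration and can be removed if you prefer to contact no extra host. The hosts edit is made idempotent so that re-running it does not add duplicate lines. Function names are this example's own.

```sh
#!/bin/sh
# Added example: first-boot settings for ntpd and the fw_update sinkhole.
# Assumes root on OpenBSD 7.x. ntp.example.org stands for the one NTP server
# you chose (hypothetical name); the function names are this example's own.

# write_ntpd_conf [path]: one chosen server instead of the pool, local time
# sensors if present, and a single HTTPS constraint (a sanity bound on the NTP
# answer; drop that line if you want no extra host contacted at boot).
write_ntpd_conf() {
    conf=${1:-/etc/ntpd.conf}
    cat > "$conf" <<'EOF'
server ntp.example.org
sensor *
constraint from "9.9.9.9"
EOF
}

# add_hosts_sinkhole [hostsfile]: point firmware.openbsd.org at a loopback
# address; idempotent, so re-running does not stack duplicate entries.
add_hosts_sinkhole() {
    hosts=${1:-/etc/hosts}
    grep -q '[[:space:]]firmware\.openbsd\.org$' "$hosts" 2>/dev/null ||
        printf '127.0.0.9 firmware.openbsd.org\n' >> "$hosts"
}

# sinkhole_entries [hostsfile]: number of entries for the firmware host (self-check)
sinkhole_entries() {
    grep -c 'firmware\.openbsd\.org' "${1:-/etc/hosts}"
}

# first_boot_hardening: check that the ntpd configuration parses (ntpd -n only
# reads the file) before restarting the daemon, then add the hosts entry.
first_boot_hardening() {
    write_ntpd_conf
    ntpd -n -f /etc/ntpd.conf || return 1
    rcctl restart ntpd || return 1
    add_hosts_sinkhole
}

# Run the whole procedure only when asked explicitly: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    first_boot_hardening
fi
```

Run it as root with the argument apply. A single server means a single party sees your NTP traffic; the constraint is what stops that party from shifting your clock far away from what the HTTPS host reports, so weigh the extra connection against that protection before removing it.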
3.3. Packages, firmware and mirrors §
Installing firmware and configuring the OpenBSD mirror over Tor and I2P are covered in my previous article, which explains how to download firmware, packages and the file sets for upgrades through tor or i2p.
OpenBSD privacy-friendly mirrors
There is a chicken-and-egg issue though: on a fresh install you have neither tor nor i2p, so you cannot download the tor or i2p packages through them. You can download the packages and their dependencies on another system, copy them over USB and install them locally with pkg_add.
Wi-Fi and some other devices needing firmware will not work until you run fw_update, so you may have to download the firmware files on another system and carry them over on a USB memory stick to get network access. A smartphone with USB tethering is also a practical way to download firmware, but the download then goes over clearnet.
3.4. DNS §
DNS is a huge topic for privacy-oriented users; I cannot really recommend a given public DNS server because they all have pros and cons. I will use 1.1.1.1 and 9.9.9.9 for the example, but use your favorite DNS.
Enable the daemon unwind, a local validating DNS resolver with a cache that supports DoT (DNS over TLS) among other useful features. Edit the file /etc/unwind.conf with this configuration:
forwarder { 1.1.1.1 9.9.9.9 }
This plain forwarder block sends queries to port 53 in clear text; DoT is supported and is configured directly in the forwarder block, the man page explains the syntax:
OpenBSD manual pages: unwind.conf
Now, enable, start and make sure the service is running fine:
rcctl enable unwind
rcctl start unwind
rcctl check unwind
A program named resolvd is running by default; when it detects that unwind is running, resolvd rewrites /etc/resolv.conf to point name resolution at 127.0.0.1, so there is nothing else to do.
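The forwarder block with both resolvers reached over DoT with certificate verification, as an added example that is not from the article. The names after authentication name are the ones on those resolvers' TLS certificates (cloudflare-dns.com for 1.1.1.1, dns.quad9.net for 9.9.9.9). The script checks the file with unwind -n before restarting the daemon and confirms that resolvd switched /etc/resolv.conf; function names are this example's own.

```sh
#!/bin/sh
# Added example: a DoT-only unwind.conf and a guarded way to apply it.
# Assumes OpenBSD 7.x, run as root. Function names are this example's own.

# write_unwind_conf [path]: write the forwarder block (default /etc/unwind.conf).
# "authentication name" makes unwind verify the server certificate against that
# hostname on TCP port 853, so a plaintext downgrade or a MITM on the path fails.
write_unwind_conf() {
    conf=${1:-/etc/unwind.conf}
    cat > "$conf" <<'EOF'
# DNS over TLS only: no plaintext port 53 forwarder is listed
forwarder {
    1.1.1.1 port 853 authentication name "cloudflare-dns.com" DoT
    9.9.9.9 port 853 authentication name "dns.quad9.net" DoT
}
EOF
}

# dot_forwarders path: how many forwarders in path are DoT with a pinned name
# (self-check: every address in the block must carry "authentication name")
dot_forwarders() {
    grep -c 'authentication name .* DoT$' "$1"
}

# apply_unwind_conf: syntax-check, (re)start, and confirm resolvd(8) switched
# /etc/resolv.conf to the local resolver. Returns non-zero at the first failure.
apply_unwind_conf() {
    unwind -n -f /etc/unwind.conf || return 1
    rcctl enable unwind
    rcctl restart unwind || return 1
    rcctl check unwind || return 1
    grep -q '^nameserver 127.0.0.1' /etc/resolv.conf
}

# Run the whole procedure only when asked explicitly: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    write_unwind_conf && apply_unwind_conf && unwindctl status
fi
```

After apply, unwindctl status lists the resolver strategies unwind knows about and which one it currently uses: confirm it is the DoT forwarders, otherwise unwind has fallen back to a different strategy and queries may be leaving the host in clear text.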
3.5. Firewall configuration §
A sane firewall configuration for a workstation is to block all incoming connections. This can be achieved with the following /etc/pf.conf (reminder: in pf the last matching rule wins, unless a rule carries the quick keyword):
set block-policy drop
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for egress
# block all traffic (in/out)
block
# allow reaching the outside (IPv4 + IPv6)
pass out quick inet
pass out quick inet6
# allow ICMP in (needed for path MTU discovery; this also makes the host answer ping)
pass in proto icmp
# uncomment if you use SLAAC or ICMP6 (IPv6)
#pass in on egress inet6 proto icmp6
#pass in on egress inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client no state
Reload the rules with pfctl -f /etc/pf.conf.
3.6. Network configuration §
Everything is ready, so you can finally enable networking. You can list the network interfaces with ifconfig.
Create the hostname.if file for your network device.
OpenBSD manual pages: hostname.if
An Ethernet device configuration using DHCP would look like this:
inet autoconf
A wireless device configuration would look like this:
join SSID_NAME wpakey password1
join OTHER_NET wpakey hunter2
inet autoconf
You can randomize the MAC address of a network device at each boot by adding the line lladdr random to its configuration file (a new MAC address means a new DHCP lease at each boot, and some networks filter on MAC addresses).
Start the network with sh /etc/netstart ifname.
4. Special attention during updates §
When you upgrade your OpenBSD system from one release to the next, or to a newer snapshot, with sysupgrade, the command fw_update is automatically run at the very end of the installer.
It bypasses any /etc/hosts change because it runs from the mini root filesystem of the upgrade kernel, not from your installed system. If you do not want fw_update to go over clearnet at this step, the only method is to have no network at all during the upgrade: prepare the upgrade without rebooting with sysupgrade -n, and then:
- disconnect the Ethernet cable if any; if you use Wi-Fi and have a physical kill switch, this is enough to disable Wi-Fi
- if you do not have such a kill switch and Wi-Fi is configured, rename its configuration file /etc/hostname.if to a name the system does not use, and rename it back after the upgrade
You could use this script to automate the process:
# move the interface configuration away: the upgrade kernel will find no network to configure
mv /etc/hostname.* /root/
# download the sets now, over the mirror in /etc/installurl, without rebooting
sysupgrade -n
# on the first boot after the upgrade, put the files back and start the network
echo 'mv /root/hostname.* /etc/' > /etc/rc.firsttime
echo 'sh /etc/netstart' >> /etc/rc.firsttime
chmod +x /etc/rc.firsttime
reboot
It moves all your network configuration to /root/, runs sysupgrade, and sets up the next boot to put the hostname files back in place and start the network.
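The same procedure with the checks a practitioner would want, as an added example that is not the article's script: the sets are fetched first so the network is only cut once sysupgrade -n has succeeded, the restore hook is appended to /etc/rc.firsttime rather than overwriting it, and the script refuses to reboot while any /etc/hostname.* remains. ROOT (an optional prefix to dry-run the file operations on a scratch directory) and the stash directory are this example's own.

```sh
#!/bin/sh
# Added example: sysupgrade with the network configuration stashed so the
# upgrade kernel has no interface to bring up and fw_update cannot phone home.
# Assumes root on OpenBSD with /etc/installurl pointing at a private mirror.
# ROOT and STASH are this example's own knobs; ROOT stays empty on a real system.
ROOT="${ROOT:-}"
STASH="${STASH:-/root/hostname-stash}"

# stash_network_config: move every /etc/hostname.* aside. Returns 1 when
# there is nothing to move, so the caller knows the network was not disabled.
stash_network_config() {
    mkdir -p "$ROOT$STASH"
    set -- "$ROOT"/etc/hostname.*
    [ -e "$1" ] || return 1
    for f; do
        mv "$f" "$ROOT$STASH/"
    done
}

# no_network_config_left: true when no hostname.if remains in /etc.
no_network_config_left() {
    set -- "$ROOT"/etc/hostname.*
    [ ! -e "$1" ]
}

# write_restore_hook: rc(8) runs /etc/rc.firsttime once on the next boot and
# deletes it; append (do not overwrite) so anything already queued there is kept.
write_restore_hook() {
    cat >> "$ROOT/etc/rc.firsttime" <<EOF
mv $STASH/hostname.* /etc/
sh /etc/netstart
EOF
}

# airgapped_sysupgrade: fetch the sets first (this needs the network), then
# cut the network off for the upgrade boot, then reboot.
airgapped_sysupgrade() {
    sysupgrade -n || return 1
    stash_network_config || { echo "no /etc/hostname.* found, not rebooting" >&2; return 1; }
    write_restore_hook
    no_network_config_left || { echo "network config still present, not rebooting" >&2; return 1; }
    reboot
}

# Run the whole procedure only when asked explicitly: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    airgapped_sysupgrade
fi
```

Because rc(8) runs /etc/rc.firsttime on whatever boots next, the interface files come back even if the upgrade kernel fails and you end up booting the old system again. Unplugging the Ethernet cable before the reboot remains a good belt-and-braces measure.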
5. Webcam and Microphone protection §
By default, OpenBSD "filters" webcam and microphone use: if you try to use them, you get a black video stream and silence from the microphone. This is handled directly by the kernel and only root can change this behavior.
To toggle microphone recording, set the sysctl kern.audio.record to 1 (recording allowed) or 0 (default).
To toggle webcam recording, set the sysctl kern.video.record to 1 (recording allowed) or 0 (default).
What is nice with this mechanism is that software requiring a webcam or microphone stays happy: the devices exist, they just record nothing.
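Because the two knobs are global and only root may flip them, the practical pattern is to open the device for exactly one program and close it again whatever happens. The wrapper below is an added example (not part of the article): it runs a command with kern.audio.record or kern.video.record set to 1 and resets the sysctl to 0 on normal exit, on error and on Ctrl-C. It must run as root, or with a doas rule allowing sysctl; the function names are this example's own.

```sh
#!/bin/sh
# Added example: run one program with the microphone or webcam enabled,
# and put the kernel back into "record nothing" mode on every exit path.
# Must run as root (only root may change kern.audio.record / kern.video.record).

# enable_then_run knob cmd [args...]: set knob=1, run cmd, set knob=0,
# and return cmd's exit status
enable_then_run() {
    knob=$1
    shift
    # EXIT covers normal termination and errors; INT/TERM cover Ctrl-C and kill,
    # so the device never stays open after the program is gone
    trap 'sysctl "$knob=0" >/dev/null' EXIT INT TERM
    sysctl "$knob=1" >/dev/null
    "$@"
    rc=$?
    sysctl "$knob=0" >/dev/null
    trap - EXIT INT TERM
    return "$rc"
}

with_mic() { enable_then_run kern.audio.record "$@"; }
with_cam() { enable_then_run kern.video.record "$@"; }

# Usage: sh thisscript.sh mic some-voip-client    or    sh thisscript.sh cam firefox
case "${1:-}" in
    mic) shift; with_mic "$@" ;;
    cam) shift; with_cam "$@" ;;
esac
```

The wrapper returns the wrapped program's exit status, so it can sit in scripts unchanged; sysctl kern.audio.record (no value) shows the current state if you want to verify that the knob went back to 0.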
6. Conclusion §
Congratulations, you achieved a high privacy level with your OpenBSD installation! If you have money and enough trust in some commercial services, you could use a VPN instead of (or as a base for) Tor/I2P, but it is not in the scope of this guide.
I did this guide after installing OpenBSD on a laptop connected to another laptop doing NAT and running Wireshark to see exactly what was leaking over the network. It was a fun experience.