OpenBSD Is Now My Workstation

Before we both dive into a wall of text below, consider supporting the OpenBSD project to continue their efforts to make the world a better and more secure place. Every little bit helps!

Why OpenBSD? Simply because it is the best tool for the job for me for my new-to-me Lenovo Thinkpad T420. Additionally, I do care about security and non-bloat in my personal operating systems (business needs can have different priorities, to be clear).

I will try to detail what my reasons are for going with OpenBSD (instead of GNU/Linux, NetBSD, or FreeBSD of which I’m comfortable using without issue), challenges and frustrations I’ve encountered, and what my opinions are along the way.

Disclaimer: in this post, I’m speaking about what is my opinion, and I’m not trying to convince you to use OpenBSD or anything else. I don’t truly care, but wanted to share in case it could be useful to you. I do hope you give OpenBSD a shot as your workstation, especially if it has been a while.

A Bit About Me and OpenBSD

I’m not new to OpenBSD, to be clear. I’ve been using it off and on for over 20 years. The biggest time in my life was the early 2000s (I was even the Python port maintainer for a bit), where I not only used it for my workstation, but also for production servers and network devices.

I just haven’t used it as a workstation (outside of a virtual machine) in over 10 years, but have used it for servers. Workstation needs, especially for a primary workstation, are greatly different and the small things end up mattering most.

OpenBSD Documentation is Great

Like FreeBSD, OpenBSD also has great documentation. The “FAQ” is the OpenBSD manual found at https://www.openbsd.org/faq/index.html

Sadly, I need to get in the habit of searching first. I recommend reading the relevant sections before you do the actions. I should have did that from the get-go but I was too excited and figured I’ll just figure it out as it goes.

The “welcome email” from Theo (root’s email after installation) is a great addition. I should have read the email before going forward.

Installation of OpenBSD is a Breeze

Easy to install, period. Probably the easiest installer I’ve ever used. Be sure to read the Installation section of the FAQ. I should have done it, it is a short read that can save you time and frustration.

Full Disk Encryption

I wish full disk or /home encryption was baked into the installer. The ability to retroactively apply full disk encryption would also be great (think VeraCrypt on Windows). For now, I simply put a password on boot via the BIOS, which may be good enough but my hard drive can be removed.

To implement full disk encryption of a drive, read https://www.openbsd.org/faq/faq14.html#softraidFDE

I’m going to have to reinstall to get transparent full disk encryption (and unsure how much of a performance hit I would take), which is less than ideal but would make it where I add all my non-stock customizations to an Ansible playbook.

Update: Full disk encryption uses AES-NI if the CPU supports it, so the performance impact should be minimal. The processor in my Thinkpad T420 does support it. If it didn’t, there could be performance overhead that may be noticable. Adding ‘softdep‘ and ‘noatime‘ to /etc/fstab file system mount points will also improve disk performance.

Update: I reinstalled with full disk encryption. It seems to be working fine without issue. The step in the FAQ above about writing random data to disk did take a long time (about 30 minutes).

Wireless Networking

I wish the extra firmware would be installed from the installer, too, so I can leverage the Intel wifi. I thought it picked up wifi stuff once (maybe I configured wired internet first?), but when I did a ‘?’ to see wifi access points, I got nothing back. Had to use wired ethernet, which is not a big deal (I have a Cisco CCNA networking lab at my desk, too).

Be sure to read https://www.openbsd.org/faq/faq6.html#Wireless

Configuring wireless is pretty easy. Just add the access point and password to hostname.iwn0 (OpenBSD will go down the list trying to connect until it is able to):

join WirelessAccessPointHere wpakey PASSWORD
join WirelessAccessPointHere2 wpakey PASSWORD2
inet6 autoconf
dhcp

System Updates and Binary Packages

Updating the base system, installing ports, and updating them is super easy.

Updating the base system is as simple as running the “syspatch” command with root permissions. See https://www.openbsd.org/faq/faq10.html#Patches

To install ports pre-compiled packages (similiar to pkgin with pkgsrc project, apt with Debian Linux, or rpm with Redhat Linux) it is done with pkg_* utilities:

  • Search for packages: pkg_info -Q irssi
  • Install packages: pkg_add -iv irssi
  • Delete a package: pkg_delete irssi
  • Update packages: pkg_add -u
  • See what packages you installed: pkg_info -m
  • List files installed by a package: pkg_info -L irssi
  • Find what package a file is a part of: pkg_info -qE /usr/local/bin/irssi

Be sure to read https://www.openbsd.org/faq/faq15.html

Update: unless you’re following current ports (instead of a release), you will probably have to compile updates and security patches from ports. This could be problematic for packages that take a long time to compile.

Enable APM for the Laptop

Just add “apmd_flags=-A” to /etc/rc.conf.local

sudo is Dead, Long Live doas

See https://www.openbsd.org/faq/faq10.html#doas

To replicate “sudo -s” to run “doas -s”, add “permit persist keepenv USERNAME” to /etc/doas.conf (you probably need to create the file).

Your user needs increased limits

Update /etc/login.conf by changing datasize-cur value to 7000M for the staff group.

Add your user to the staff group: doas usermod -G staff USERNAME

Lenovo Thinkpad T420 Hardware Support

Everything just simply works and works well straight out of the box. I literally had to do nothing to get anything to work.

The only extra stuff was installing the Intel firmware, but that happens on boot by default and I can explicitly do it.

I purchased the laptop off eBay, it is refurbished and tested (had OEM Windows 10 Pro installed that I used to verify everything was OK with the laptop before installing different operating systems and making problems harder to identify), has 8GB of RAM and an SSD drive.

There is not an HDMI port on this laptop, but there is a display port, so I got a dongle off Amazon for under $10. I plugged it in and attached my monitor to it, and rebooted. OpenBSD recognized the second monitor without issue with the console (mirroring of course) and with X (with XFCE) it automatically extended the display.

I also ordered a docking station off eBay, too, that I haven’t tested if it would work. I do have high hopes it would though.

Speed is Stellar

The speed of the system is stellar. I feel like it is faster than the Linux and FreeBSD installations, but I don’t have proof of it. I suspect there is less bloat to weight things down and the hardware support for Thinkpads is super in OpenBSD.

Speed is not a concern for me.

Security and Quality Matter

Security and quality matter to me, and especially so with a laptop where I could be on random networks. I won’t pretend to know all the ways OpenBSD security is great, but I trust that the people that know these things are working on this project and it is a core priority.

HyperThreading (SMT) is Disabled by Default

I suspected that is the case when I looked at top and saw CPU0 and CPU2. HyperThreading can be enabled/disabled by a sysctl call (“doas sysctl hw.smt=1”), so that’s nice.

If I want to accept the risk, I can get those two cores added back to my system.

Frankly, I turned it on and tried doing stuff I normally do and didn’t notice a difference. I suspect bottlenecks for me aren’t CPU related.

Xenodm is Fine (xdm port)

While some folks have a strong desire to install a fancy graphical login manager and display, I’m not one of them.

The only modifications I did was disable the console window from starting, disable the bell, and made the background black. My /etc/X11/xenodm/Xsetup_0 contains these content:

#!/bin/sh
# $OpenBSD: Xsetup_0,v 1.5 2018/07/17 11:52:12 matthieu Exp $

#xconsole -geometry 480x130-0-0 -daemon -notify -verbose -fn fixed -exitOnFail

# sxpm OpenBSD.xpm &
xset b off
xsetroot -solid black

XFCE is available, mirroring my old Linux Desktop

People have opinions about desktop environments and go a bit overboard with minimal stuff for X. I used to be like that and got caught up in it (I remember complaining about how bloated xterm is and thought rich GUI toolkits were terrible [x11/motif is super fast, why all the extra fluff]). Now I don’t care, I use what I like, not trying to win any contests here on who can use the least amount of system resources.

XFCE is lightweight for my hardware, super fast, customizable, and I get GUI tweaks I enjoy. If you have to look at the same interfaces all the time, at least make sure they get out of the way and you enjoy them right?

Other than installing standard packages, I also transferred icons and themes over from my old Linux desktop. The icons and theme mimic OSX, to what degree I’m not sure (I don’t use OSX), but I find them pleasing to the eye.

Be sure to read /usr/local/share/doc/pkg-readmes/xfce

Thunderbird Works Great (GPG too)

Here, everything works great.

No issues except needing to install the pinentry-gtk2 application (what asks you for your key password via Enigmail).

I use Google Gsuite for my domains. My primary MX for sogubsys.com is my own server, but I auto-forward to gmail, too as a backup.

So, to get mail to work, I simply needed to configure mail as any other gmail customer.

To get encrypt with GPG to work, I needed to import my key into gpg, and then install Enigmail from within Thunderbird, and then configure it.

Application Crashes Randomly (.core files in $HOME)

Sometimes applications crash, it happens. But it seems to happen a lot more in OpenBSD with X applications. It has happened enough where I’m just used to looking in $HOME for .core files to see if that was the cause.

I didn’t dive into why they crashed and didn’t analyze the core files, I’m still getting to a normal level again of where I’m settled in and can get back to normal activities.

While not truly an XFCE or OpenBSD issue, it would be nice to know that an application crashed with a core dump.

This is an annoyance to be sure. I assume it is related to applications from ports behaving badly or not making the correct syscalls for permissions/resources in OpenBSD, and OpenBSD simply would rather a program crash than be bad. I agree with that 100% – it just would be nice to know from a user usability point of view that a crash happened and have a built-in ability to report it to the port maintainer. I would assume port maintainers either know it is a problem and getting to tofixing it (if it is fixable), or there isn’t a maintainer or folks to spend time on it (if it doesn’t crash every time, then it isn’t critical?).

I don’t maintain any ports any more (2002 was a long time ago), so I can’t speak on it.

Update: The core dumps are due to buggy programs. OpenBSD malloc is not as forgiving to blatant programming errors as other implementations of malloc available on other Operating Systems. The best course of action would be to notify the port maintainer about the issue, especially if I can help with a patch. The patch could and should also be pushed upstream to the original developer(s) can fix.

Evernote Migration (what a Pain)

There is not a good Evernote client for OpenBSD outside of their website (web app). I have been an Evernote customer for 10 years and I use it daily. So, it is a big shift for me and my biggest gripe at the moment, because it impacts my normal workflows and I feel unsettled.

So, I set out to see if I could migrate my Evernote data to another application. I did it with Zim using a custom hacky perl script I wrote parsing a nixnote2 export of all my notes.

It still isn’t a fluid experience for me yet, Zim is ideal and seems to work now that I updated to 0.71.1 (0.69 crashed when reading my notes every time). It stores data in text files, which is great since I can easily have my data in non-proprietary format and is easy to parse.

But I also want to have the data encrypted and backed up to a cloud data store.

So, I am currently using a custom Veracrypt port by jcs to contain all my Zim notes/notebooks from the Evernote port. I wasted time trying to update his port to use doas instead of sudo, but I ended up simply installing sudo and it works as normal now (my normal user can mount and read/write to the mounted location with sudo, “doas veracrypt ~/vault.vc ~/vault” resulted in a resource only root could write to for some reason). Though I did learn how to make patches for ports again, so that’s cool.

While I was dealing with Zim crashes, I moved on to org-mode. I converted all my notes (installed the Evernote client in my Windows 10 VM, did a per-notebook export [can’t export everything at once with Evernote Windows client for some reason], transferred to a Linux machine, used a program to do the conversion, and transferred conversion org-mode directories to OpenBSD). I have org-mode configured in my local Emacs, can see all the stuff and work with it, and can use rclone to encrypt and sync the data.

Then I couldn’t just let the Zim stuff go, so I went looking for the latest version. There was one newer than the ports version and it used python 3 and instead of python 2. 0.71.1 accepted all my notes without issue and I’m a happy camper! Dropping org-mode for now.

No VirtualBox and No Linux Emulation

VirtualBox is not available for OpenBSD. Linux Emulation was dropped from OpenBSD.

So, running virtual machines like I’m used to (I use VirtualBox for work a lot, and learning InfoSec Red Team stuff where I also need labs) is problematic.

vmd is cool tech, for sure, but it isn’t that useful to me. It is best if you want to run OpenBSD virtual machines or gimped Linux virtual machines. I needed to find another solution. Read more in the FAQ at https://www.openbsd.org/faq/faq16.html

libvirt seems to be the answer. Basically, I run KVM/QEMU virtual machines on my old Linux laptop via libvirt and then my OpenBSD workstation can run the client to remotely manage the virtual machines, including full GUI like I’m used to for Windows virtual machines.

libvirt manager connecting to Linux for Windows VM

So, it still is less than ideal that I can’t have the VMs on my OpenBSD laptop itself and am bound to my home network for labs. Probably not a huge deal, but would love to have VirtualBox on OpenBSD so badly. I want Kali Linux, NetBSD, and Windows 10 and Windows Server VMs for pentest labs… and I can’t do that work in isolation on my laptop.

It is frustrating. I hate that I don’t have it.

FreeBSD didn’t seem to support this laptop well out of the box and I didn’t feel like monkeying with configuring it. Maybe there was a way to install intel graphics drivers and I gave up too early. FreeBSD supports VirtualBox.

Pain Points

The pain points that still exists for me that I’m not sure how to fix well, still using workarounds is:

  • No EverNote support outside of the web application on the website.
  • No VirtualBox

Parting Words

If you have any feedback, corrections, or want to connect hit me up!

  • Thank you to @blakkheim on Twitter for feedback and corrections!
  • Thank you to @mischapeters on Twitter for the correction on WiFi configuration.

Update

The laptop didn’t work well with Linux and FreeBSD because it turned out the SSD drive I had installed from the refurbished laptop was bad. I must not have been hitting the disk space used or something with OpenBSD. So, I reinstalled GNU/Linux on a new SSD drive with the laptop and it works well. Since my primary focus is getting the OSCP certification, it is the best tool for the job right now. Read more about it at in another blog post: GNU/Linux Is Now My OSCP Workstation.

I’ll return to OpenBSD after I get the OSCP cert. OpenBSD is still awesome and I still donate monthly.


Congrats for making it to the bottom!

Wow!

Hey, want to see a sticker I got for my laptop for OpenBSD?

You can get one, too, by going to https://www.redbubble.com/people/mewmewmaya/works/21702385-pufferfish


Published on June 30, 2019 and last updated on August 11, 2019.