Before we both dive into a wall of text below, consider supporting the OpenBSD project to continue their efforts to make the world a better and more secure place. Every little bit helps!
Why OpenBSD? Simply because it is the best tool for the job for me for my new-to-me Lenovo Thinkpad T420. Additionally, I do care about security and non-bloat in my personal operating systems (business needs can have different priorities, to be clear).
I will try to detail what my reasons are for going with OpenBSD (instead of GNU/Linux, NetBSD, or FreeBSD, all of which I’m comfortable using without issue), challenges and frustrations I’ve encountered, and what my opinions are along the way.
Disclaimer: in this post, I’m speaking about what is my opinion, and I’m not trying to convince you to use OpenBSD or anything else. I don’t truly care, but wanted to share in case it could be useful to you. I do hope you give OpenBSD a shot as your workstation, especially if it has been a while.
I’m not new to OpenBSD, to be clear. I’ve been using it off and on for over 20 years. The biggest time in my life was the early 2000s (I was even the Python port maintainer for a bit), where I not only used it for my workstation, but also for production servers and network devices.
I just haven’t used it as a workstation (outside of a virtual machine) in over 10 years, but have used it for servers. Workstation needs, especially for a primary workstation, are greatly different and the small things end up mattering most.
Like FreeBSD, OpenBSD also has great documentation. The “FAQ” is the OpenBSD manual found at https://www.openbsd.org/faq/index.html
Sadly, I need to get in the habit of searching first. I recommend reading the relevant sections before you do the actions. I should have done that from the get-go, but I was too excited and figured I’d just figure it out as I went.
The “welcome email” from Theo (root’s email after installation) is a great addition. I should have read the email before going forward.
Easy to install, period. Probably the easiest installer I’ve ever used. Be sure to read the Installation section of the FAQ. I should have done it; it is a short read that can save you time and frustration.
I wish full disk or /home encryption was baked into the installer. The ability to retroactively apply full disk encryption would also be great (think VeraCrypt on Windows). For now, I simply put a password on boot via the BIOS, which may be good enough but my hard drive can be removed.
To implement full disk encryption of a drive, read https://www.openbsd.org/faq/faq14.html#softraidFDE
I’m going to have to reinstall to get transparent full disk encryption (and unsure how much of a performance hit I would take), which is less than ideal but would make it where I add all my non-stock customizations to an Ansible playbook.
Update: Full disk encryption uses AES-NI if the CPU supports it, so the performance impact should be minimal. The processor in my Thinkpad T420 does support it. If it didn’t, there could be performance overhead that may be
Update: I reinstalled with full disk encryption. It seems to be working fine without issue. The step in the FAQ above about writing random data to disk did take a long time (about 30 minutes).
I wish the extra firmware would be installed from the installer, too, so I can leverage the Intel wifi. I thought it picked up wifi stuff once (maybe I configured wired internet first?), but when I did a ‘?’ to see wifi access points, I got nothing back. Had to use wired ethernet, which is not a big deal (I have a Cisco CCNA networking lab at my desk, too).
Be sure to read https://www.openbsd.org/faq/faq6.html#Wireless
Configuring wireless is pretty easy. Just add the access point and password to hostname.iwn0 (OpenBSD will go down the list trying to connect until it is able to):
```
join WirelessAccessPointHere wpakey PASSWORD
join WirelessAccessPointHere2 wpakey PASSWORD2
inet6 autoconf
dhcp
```
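The hostname.iwn0 file above stores each WPA key in plaintext, so it should not be readable by every local user. The following check is an added example, not part of the original post; the function names and the throwaway sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report hostname.if files
# that hold a WPA key and grant any access to users outside owner/group.

# wpa_files_exposed DIR
#   Prints the path of every DIR/hostname.* file that has a non-comment
#   "wpakey" setting and at least one permission bit set for "other".
wpa_files_exposed() {
    dir=$1
    for f in "$dir"/hostname.*; do
        [ -f "$f" ] || continue
        # Skip interfaces with no stored key; commented-out lines do not count.
        grep -Eq '^[^#]*wpakey[[:space:]]+[^[:space:]]' "$f" || continue
        # Characters 8-10 of the ls mode string are the "other" bits (e.g. r--).
        other=$(ls -lnL "$f" | cut -c8-10)
        [ "$other" = "---" ] || printf '%s\n' "$f"
    done
}

# make_sample_dir
#   Builds a constructed stand-in for /etc and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    # Key present, world-readable: this is the case the audit should report.
    printf 'join WirelessAccessPointHere wpakey PASSWORD\ninet6 autoconf\ndhcp\n' \
        > "$d/hostname.iwn0"
    chmod 644 "$d/hostname.iwn0"
    # Key present, owner and group only: not reported.
    printf 'join WirelessAccessPointHere2 wpakey PASSWORD2\ndhcp\n' \
        > "$d/hostname.iwn1"
    chmod 640 "$d/hostname.iwn1"
    # Wired interface with no key: mode 644 is not a finding here.
    printf 'dhcp\n' > "$d/hostname.em0"
    chmod 644 "$d/hostname.em0"
    printf '%s\n' "$d"
}

# Stand-alone demonstration on the constructed sample directory.
sample=$(make_sample_dir)
echo "Exposed key files:"
wpa_files_exposed "$sample"
rm -rf "$sample"
```

On a real system, run `wpa_files_exposed /etc` as root and tighten any reported file with `chmod 640`.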
Updating the base system, installing ports, and updating them is super easy.
Updating the base system is as simple as running the “
To install ports pre-compiled packages (
- Search for packages: pkg_info -Q
- Install packages: pkg_add -iv
- Delete a package: pkg_delete
- Update packages: pkg_add -u
- See what packages you installed: pkg_info -m
- List files installed by a package: pkg_info -L
- Find what package a file is a part of: pkg_info -qE /
Be sure to read https://www.openbsd.org/faq/faq15.html
Update: unless you’re following current ports (instead of a release), you will probably have to compile updates and security patches from ports. This could be problematic for packages that take a long time to compile.
Just add “apmd_flags=-A” to /etc/rc.conf.local
To replicate “
Update /etc/login.conf by changing datasize-cur value to 7000M for the staff group.
Add your user to the staff group: doas usermod -G staff USERNAME
Everything just simply works and works well straight out of the box. I literally had to do nothing to get anything to work.
The only extra stuff was installing the Intel firmware, but that happens on boot by default and I can explicitly do it.
I purchased the laptop off eBay, it is refurbished and tested (had OEM Windows 10 Pro installed that I used to verify everything was OK with the laptop before installing different operating systems and making problems harder to identify), has 8GB of RAM and an SSD drive.
There is not an HDMI port on this laptop, but there is a display port, so I got a dongle off Amazon for under $10. I plugged it in and attached my monitor to it, and rebooted. OpenBSD recognized the second monitor without issue with the console (mirroring of course) and with X (with XFCE) it automatically extended the display.
I also ordered a docking station off eBay, but I haven’t tested whether it works yet. I do have high hopes that it will, though.
The speed of the system is stellar. I feel like it is faster than the Linux and FreeBSD installations, but I don’t have proof of it. I suspect there is less bloat to weigh things down and the hardware support for Thinkpads is super in OpenBSD.
Speed is not a concern for me.
Security and quality matter to me, and especially so with a laptop where I could be on random networks. I won’t pretend to know all the ways OpenBSD security is great, but I trust that the people that know these things are working on this project and it is a core priority.
I suspected that is the case when I looked at
If I want to accept the risk, I can get those two cores added back to my system.
Frankly, I turned it on and tried doing stuff I normally do and didn’t notice a difference. I suspect bottlenecks for me aren’t CPU related.
While some folks have a strong desire to install a fancy graphical login manager and display, I’m not one of them.
The only modifications I made were disabling the console window from starting, disabling the bell, and making the background black. My /etc/X11/xenodm/Xsetup_0 contains this content:
```
#!/bin/sh
# $OpenBSD: Xsetup_0,v 1.5 2018/07/17 11:52:12 matthieu Exp $
#xconsole -geometry 480x130-0-0 -daemon -notify -verbose -fn fixed -exitOnFail
# sxpm OpenBSD.xpm &
xset b off
xsetroot -solid black
```
People have opinions about desktop environments and go a bit overboard with minimal stuff for X. I used to be like that and got caught up in it (I remember complaining about how bloated
XFCE is lightweight for my hardware, super fast, customizable, and I get GUI tweaks I enjoy. If you have to look at the same interfaces all the time, at least make sure they get out of the way and you enjoy them right?
Other than installing standard packages, I also transferred icons and themes over from my old Linux desktop. The icons and
Be sure to read /usr/local/share/doc/pkg-readmes/xfce
Here, everything works great.
No issues except needing to install the
I use Google Gsuite for my domains. My primary MX for sogubsys.com is my own server, but I auto-forward to Gmail, too, as a backup.
So, to get mail to work, I simply needed to configure mail
To get encrypt with GPG to work, I needed to import my key into
Sometimes applications crash, it happens. But it seems to happen a lot more in OpenBSD with X applications. It has happened enough where I’m just used to looking in $HOME for .core files to see if that was the cause.
I didn’t dive into why they crashed and didn’t analyze the core files, I’m still getting to a normal level again of where I’m settled in and can get back to normal activities.
While not truly an XFCE or OpenBSD issue, it would be nice to know that an application crashed with a core dump.
This is an annoyance to be sure. I assume it is related to applications from ports behaving badly or not making the correct syscalls for permissions/resources in OpenBSD, and OpenBSD simply would rather a program crash than be bad. I agree with that 100% – it just would be nice to know from a user usability point of view that a crash happened and have a built-in ability to report it to the port maintainer. I would assume port maintainers either know it is a problem and getting
I don’t maintain any ports any more (2002 was a long time ago), so I can’t speak on it.
Update: The core dumps are due to buggy programs. OpenBSD malloc is not as forgiving to blatant programming errors as
There is not a good Evernote client for OpenBSD outside of their website (web app). I have been an Evernote customer for 10 years and I use it daily. So, it is a big shift for me and my biggest gripe at the moment,
So, I set out to see if I could migrate my Evernote data to another application. I did it with Zim using a custom h
It still isn’t a fluid experience for me yet, Zim is ideal and seems to work now that I updated to 0.71.1 (0.69 crashed when reading my notes every time). It stores data in text files, which is great since I can easily have my data in non-proprietary format and is easy to parse.
But I also want to have the data encrypted and backed up to a cloud data store.
So, I am currently using a custom Veracrypt port by
While I was dealing with Zim crashes, I moved on to org-mode. I converted all my notes (installed the Evernote client in my Windows 10 VM, did a per-notebook export [can’t export everything at once with Evernote Windows client for some reason], transferred to a Linux machine, used a program to do the conversion, and transferred conversion org-mode directories to OpenBSD). I have org-mode configured in my local Emacs, can see all the stuff and work with it, and can use rclone to encrypt and sync the data.
Then I couldn’t just let the Zim stuff go, so I went looking for the latest version. There was one newer than the ports version, and it used Python 3 instead of Python 2. 0.71.1 accepted all my notes without issue and I’m a happy camper! Dropping org-mode for now.
VirtualBox is not available for OpenBSD. Linux Emulation was dropped from OpenBSD.
So, running virtual machines like I’m used to (I use VirtualBox for work a lot, and learning InfoSec Red Team stuff where I also need labs) is problematic.
So, it still is less than ideal that I can’t have the VMs on my OpenBSD laptop itself and am bound to my home network for labs. Probably not a huge deal, but would love to have VirtualBox on OpenBSD so badly. I want Kali Linux, NetBSD, and Windows 10 and Windows Server VMs for pentest labs… and I can’t do that work in isolation on my laptop.
It is frustrating. I hate that I don’t have it.
FreeBSD didn’t seem to support this laptop well out of the box and I didn’t feel like monkeying with configuring it. Maybe there was a way to install intel graphics drivers and I gave up too early. FreeBSD supports VirtualBox.
The pain points that still exist for me, which I’m not sure how to fix well and am still using workarounds for, are:
- No EverNote support outside of the web application on the website.
- No VirtualBox
If you have any feedback, corrections, or want to connect hit me up!
- Thank you to @blakkheim on Twitter for feedback and corrections!
- Thank you to @mischapeters on Twitter for the correction on WiFi configuration.
Congrats for making it to the bottom!
Hey, want to see a sticker I got for my laptop for OpenBSD?
You can get one, too, by going to https://www.redbubble.com/people/mewmewmaya/works/21702385-pufferfish