I have a couple of OpenBSD servers at various VPS providers for hobby purposes and to provide, e.g., name and web servers. During the new year holiday I installed a new OpenBSD server. I wanted to document the process in the hope that it might be useful to someone; I assume that you know the Unix basics but may be unfamiliar with the OpenBSD way of doing things. Of course it would be much easier to maintain my web site on GitHub Pages or somewhere similar, but having your own server has some benefits, especially if you like tinkering with *nixes. :)

The benefits of OpenBSD are manifold compared to the alternatives, the most notable of which are the GNU/Linux distributions. For me, OpenBSD is really an ideal platform for maintaining a robust and secure small-footprint server over the long term. OpenBSD just celebrated the project’s 25th anniversary. The OpenBSD web site lists some of its benefits.

As for virtual private server (VPS) providers, my criteria have been a no-nonsense setup and a low price. I don’t really need extra offerings beyond a standard VPS with console access. Low price is important because I have a couple of servers running for years, the monthly fees add up, and this is a hobby project. Because OpenBSD has a very small memory footprint and the base system fits on a small disk, the smallest VPS offerings are typically fine for me. Another criterion for a VPS provider is that I want a hard monthly cap on fees. This is a problem with many VPS providers, because most of them charge for bandwidth overages, which might happen due to an unfortunate configuration error or a malicious attack. I want either unlimited bandwidth (which in practice means the connection is slowed down if the bandwidth is “overused”, which won’t happen in normal use) or a cap such that the VPS instance is frozen if the pre-allocated bandwidth quota would be exceeded (which practically never happens either). For these reasons I have for a long time used RamNode and more recently OVHcloud Europe.

Below I describe the installation of an OpenBSD server on OVHcloud Europe.

Installing OpenBSD on OVHcloud VPS

My latest server lives in OVHcloud, using their smallest “Starter” VPS offering, which currently has 1 core, 2 GB of RAM, 20 GB of SSD disk space, and 100 Mbit/s unlimited bandwidth for 3 euros per month. OVHcloud does not offer OpenBSD as an install option, but it is always possible to install OpenBSD if you have a VPS with root access to a Linux distribution using the GRUB 2 boot loader, plus console access, which is what I did. I first installed the CentOS 8 image provided by OVHcloud, copied the OpenBSD 6.8 installation RAM disk to /bsd.rd, rebooted, entered the GRUB 2 command prompt by pressing c at boot time, typed ls to see the available disks and partitions, and finally booted the OpenBSD installation RAM disk by issuing the following GRUB commands:

grub> set root=(hd0,msdos1)
grub> kopenbsd /bsd.rd
grub> boot

The OpenBSD installer asks several questions. I accepted the default for all questions (with the network configured by DHCP), except the keyboard layout (for which I chose the Swedish keyboard, sv) and the location of the sets (I chose http). The installer downloads the necessary sets via HTTP (more detailed instructions for using Linux and GRUB 2 to install *BSD). The thing about OpenBSD is that the documentation is really good, and oftentimes it is not necessary to look further than your nearest man page. For OpenBSD installation documentation, see the installation guide.

First boot

After the reboot, the system is in a running and secure state. Root ssh login is disabled by default, but you can access the system via ssh using the user account you created during the install process.

SSH access

First I add my public ssh key to $HOME/.ssh/authorized_keys, which allows me to log in without typing the password (see the man page). Next I usually forward the mail to my main email address using .forward:

echo firstname.surname@example.com > $HOME/.forward

Replace firstname.surname@example.com with your email address.

.profile

To make installing packages (software not included in the base install) easier and to have a nicer prompt, I then add the following lines to $HOME/.profile:

PKG_PATH=ftp://ftp.eu.openbsd.org/pub/OpenBSD/`uname -r`/packages/`machine -a`/
export PKG_PATH

CVSROOT=anoncvs@anoncvs.eu.openbsd.org:/cvs
export CVSROOT

PS1='\u@\h \W \$ '
export PS1

Notice that I used the European mirror. You might choose a different mirror server, depending on the location of your VPS server.

doas

OpenBSD uses doas to execute commands as another user; it does the same job as sudo on other systems. I edited /etc/doas.conf to include the following lines:

permit luser as root
permit nopass luser as root cmd /root/backup.sh

Replace luser with the name of the user account to which you want to give root access. Notice that the second line also authorises that user to run the backup script as root without a password (see the Backups section); because the rule has no args keyword, doas accepts the script with any arguments, which the remote backup script relies on. You may consider creating a separate user for the backup script, but for simplicity the above configuration assumes only one user.

Backups

For backups I use a script that I wrote, which works over ssh. With it I can do incremental backups, e.g., to my laptop. The idea is to have the simplest possible way to do backups easily.

To set it up, you need the following files. First, /root/backup.sh:

#!/bin/sh
# Tag file for this run; its mtime marks when the full backup started.
T=/root/tags/`date -z Z "+%Y%m%d%H%M%S"`
# List of files included in the full backup.
F=/root/tags/files
touch $T $F
cd /
# Everything under /, minus the paths matching the patterns in /root/exclude.
find . -print | grep -v -f /root/exclude > $F
if [ "$1" = "" ]
then
        # Full backup: write the listed files to stdout as a gzip-compressed
        # cpio stream, then record this run as the last completed full backup.
        cpio -oaz < $F && mv -f $T /root/tags/last
else
        # Incremental backup: only paths modified since the last full backup.
        find . -newer /root/tags/last -print | grep -v -f /root/exclude | cpio -oaz
fi

Give the script execute privileges by chmod a+x /root/backup.sh. File /root/exclude:

^\./usr/src/
^\./usr/obj/
^\./usr/ports/
^\./usr/xenocara/
^\./usr/xobj/
^\./tmp/
^\./var/tmp/

As root user, make directory /root/tags by mkdir /root/tags.

In a remote location (e.g., on my laptop) you can use the following script, saved as $HOME/backups/hostname.domain.example, where you should replace hostname.domain.example with the fully qualified domain name of your server:

#!/bin/sh
# The server's host name is taken from the script's own file name ($0).
H=`echo $0 | sed 's/.*\///'`
# Output archive: <host><arg>.<UTC timestamp>.cpio.gz; the argument "1" marks an incremental backup.
F=$HOME/backups/$H$1.`date -u "+%Y%m%d%H%M%S"`.cpio.gz
# Run the backup script on the server as root via doas and store the cpio stream locally.
ssh -l luser $H doas /root/backup.sh $1 > $F

Now you should be able to do a full backup of the server by issuing the command $HOME/backups/hostname.domain.example, and an incremental backup (changes since the previous completed full backup) by issuing the command $HOME/backups/hostname.domain.example 1.
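To see what the two scripts above actually select, here is an added example (not the post's own code) that runs the same selection logic on a constructed directory tree in a temporary directory: the full list is everything under the tree minus the exclude patterns, and the incremental list is whatever is newer than the tag file that the full backup leaves behind. It uses the same pattern style as /root/exclude, fixed timestamps instead of waiting between runs, and no cpio, so it runs on any POSIX system without touching the real filesystem; the tree contents, paths and timestamps are all constructed.

```shell
#!/bin/sh
# Added example, not the post's scripts: exercise the file-selection logic of
# backup.sh (full list and tag-based incremental list) on a constructed tree.

# Create a small constructed tree and print its path. The exclude file uses
# the same pattern style as the post's /root/exclude (a subset of its entries).
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/src/sys" "$root/tmp" "$root/root/tags"
    printf 'root:*:0:0::/root:/bin/ksh\n' > "$root/etc/passwd"
    printf 'int main(void) { return 0; }\n' > "$root/usr/src/sys/main.c"
    printf 'scratch\n' > "$root/tmp/junk"
    printf '%s\n' '^\./usr/src/' '^\./tmp/' > "$root/root/exclude"
    # Tag of the "last completed full backup"; created before the timestamps
    # are fixed so that creating it does not bump a directory mtime afterwards.
    : > "$root/root/tags/last"
    # Make every path older than the tag, then give the tag a fixed time.
    find "$root" -exec touch -t 202012310000 {} +
    touch -t 202101010000 "$root/root/tags/last"
    echo "$root"
}

# Full-backup file list, as backup.sh computes it (sorted here for stable output).
list_files() {
    root=$1; exclude=$2
    (cd "$root" && find . -print | grep -v -f "$exclude" | LC_ALL=C sort)
}

# Incremental list: paths modified after the tag file, minus the excludes.
changed_since() {
    root=$1; exclude=$2; tag=$3
    (cd "$root" && find . -newer "$tag" -print | grep -v -f "$exclude" | LC_ALL=C sort)
}

# Simulate edits after the full backup: one in a backed-up path, one in an
# excluded path. The excluded edit must not show up in the incremental list.
modify_tree() {
    root=$1
    printf 'luser:*:1000:1000::/home/luser:/bin/ksh\n' >> "$root/etc/passwd"
    touch -t 202101020000 "$root/etc/passwd"
    printf '/* changed */\n' >> "$root/usr/src/sys/main.c"
    touch -t 202101020000 "$root/usr/src/sys/main.c"
}

# Stand-alone run: show both lists for the constructed tree, then clean up.
demo() {
    root=$(make_tree)
    echo "full backup would contain:"
    list_files "$root" "$root/root/exclude"
    modify_tree "$root"
    echo "incremental backup would contain:"
    changed_since "$root" "$root/root/exclude" "$root/root/tags/last"
    rm -rf "$root"
}

demo
```

Two things the run makes visible: the pattern ^\./usr/src/ keeps the directory ./usr/src itself but drops everything below it, and because the incremental list is computed against the tag of the last full backup rather than the previous incremental, each incremental archive contains all changes since that full backup, which is why a restore needs only the full archive plus the newest incremental.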

If you need to restore your system from scratch, you can, for example, use the OpenBSD install RAM disk (see above) first to partition the disk and install the base system, and then copy the latest full backup file and (if one exists) the incremental backup file to your system. Then boot into single-user mode and restore the files you need; for example, something like this if you want to restore everything:

cd /
# -z is needed because the archives were written gzip-compressed (cpio -oaz)
cpio -imudz < full-backup.cpio.gz
cpio -imudz < incremental-backup.cpio.gz

(Warning: I have not tested the above. Typically I would just use another server or re-install the system and restore the necessary files and configurations, instead of doing a blanket restore.)

Setting the hostname

If your hostname is not set correctly, you can set it by editing /etc/myname.

Installing any patches

You should install the most recent patches. System patches are most easily installed with the syspatch utility, and package updates with pkg_add -u:

doas syspatch
doas pkg_add -u

Installing authoritative name server

I use my OpenBSD boxes as authoritative name servers. OpenBSD comes with nsd pre-installed. By default, nsd is chrooted to /var/nsd. The zone files go in /var/nsd/zones. You should check their syntax with nsd-checkzone.

The nsd configuration file is /var/nsd/etc/nsd.conf; see the instructions. I have one master server, and another OpenBSD server hosts a slave server. Any change made to the master server is automatically pushed to the slave, which makes administration easier because you only have to keep one zone file up to date.
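As an added example (not the author's own nsd.conf), here is what the master/slave arrangement just described looks like in nsd.conf syntax, with the zone transfers and NOTIFY messages authenticated by a shared TSIG key and the master offering transfers only to the slave's address. The zone name example.com, the documentation addresses 192.0.2.1 (master) and 192.0.2.2 (slave), the key name xfer-key and the placeholder secret are all assumptions; the key block must be identical on both servers.

```conf
# Added example, not the author's configuration. Assumed: master 192.0.2.1,
# slave 192.0.2.2, zone example.com, TSIG key "xfer-key" (same key block on
# both servers; replace the placeholder secret with your own).
key:
    name: "xfer-key"
    algorithm: hmac-sha256
    secret: "REPLACE-WITH-BASE64-SECRET"

# On the master (192.0.2.1): send NOTIFY to the slave after a zone change and
# answer zone-transfer requests only from the slave, authenticated with the key.
zone:
    name: "example.com"
    zonefile: "example.com.zone"
    notify: 192.0.2.2 xfer-key
    provide-xfr: 192.0.2.2 xfer-key

# On the slave (192.0.2.2): accept NOTIFY only from the master and pull the
# zone from it; the transferred copy is stored as zonefile under /var/nsd/zones.
zone:
    name: "example.com"
    zonefile: "example.com.zone"
    allow-notify: 192.0.2.1 xfer-key
    request-xfr: 192.0.2.1 xfer-key
```

A secret of suitable length can be generated with openssl rand -base64 32, and the resulting configuration can be checked with nsd-checkconf /var/nsd/etc/nsd.conf before restarting the daemon. Leaving out the key (or using NOKEY) would let anyone who can reach the slave's address spoof NOTIFY messages, and an unrestricted provide-xfr would hand out the whole zone to any client.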

OpenBSD services are administered with rcctl. To enable, start, and check nsd, run the following commands as root:

rcctl enable nsd
rcctl start nsd
rcctl check nsd

“enable” modifies /etc/rc.conf.local so that the daemon starts at boot, and “start” actually starts the daemon.

Now your authoritative name server should be up and running.

Installing web server

OpenBSD includes a web server called httpd, with FastCGI and TLS support, that does the job, at least if this basic functionality is enough for you. The advantage of the OpenBSD servers is that the default installation is quite secure, which is one worry less for you. Otherwise you need to install some other server, e.g., from the packages collection.

httpd is chrooted to /var/www by default. My different web sites live under /var/www/htdocs, e.g., /var/www/htdocs/kaip.iki.fi. I serve this site with the following /etc/httpd.conf (note that the root path is relative to the chroot):

server "kaip.iki.fi" {
	listen on egress port 80
	block return 301 "https://kaip.iki.fi$REQUEST_URI"
}
server "kaip.iki.fi" {
	listen on egress tls port 443
	tls {
		certificate "/etc/ssl/kaip_iki_fi-bundle.crt"
		key "/etc/ssl/private/kaip_iki_fi.key"
	}
	root "/htdocs/kaip.iki.fi"
}

The tls block configures the certificate and private key used for HTTPS (TLS is the successor of the SSL protocol). To get a certificate, take a look, e.g., at Let’s Encrypt and the OpenBSD Handbook. The above configuration redirects all http requests to the corresponding https address.

httpd can be enabled at boot and started with:

httpd -n
rcctl enable httpd
rcctl start httpd
rcctl check httpd

The first line only checks the configuration file for syntax errors, and the last line just checks that the daemon is running. You should of course also check the log files so that there are no surprises there.

I use Jekyll to maintain my web site. You can install it by first installing Ruby with doas pkg_add ruby and then installing Jekyll as instructed on the Jekyll web site.

Rebooting

Finally, you should reboot your server to make sure that the kernel patches are applied and to see that your installation survives a reboot:

doas reboot

Final words

That’s it. The whole process really takes an hour or so if you know what you are doing. Maintenance is quite straightforward: you should do regular backups (which is easy with the scripts above) and install patches, which you can do with syspatch and pkg_add -u, as above.

New OpenBSD releases come out every six months, around May and November. System upgrades are most easily done with sysupgrade.