| Index || Me |


OpenBSD Logo

The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. As an example of the effect OpenBSD has, the popular OpenSSH software comes from OpenBSD.

Where to get help:


On Linux for example

sudo dd if=install62.fs of=/dev/sdb bs=1M

Make sure you're selecting the right drive (can be found with dmesg), or dd will fuck your shit up.

Welcome to the OpenBSD/i386 4.4 install program.
(I)nstall, (U)pgrade or (S)hell?


For UEFI hardware and harddisks over 2,19 TB choose whole disk GPT, else MBR.

From FAQ:

A /home partition can be nice. New version of the OS? Leave your /home partition untouched, wipe and reload everything else. Since some packages need to be started from a wxallowed filesystem, it is recommended to have a separate /usr/local partition. A system exposed to the internet should have a separate /var. Compiling some ports from source can take huge amounts of space on your /usr and /tmp partitions.

Example 500GB disk:

Choose (C)ustom layout. _p g _ shows the current partitions, d * deletes all current partitions so you can start on your own. Create partitions with a then a through p, excluding c. The size can be entered as 100g, meaning 100 GB. Just press enter when asked for the offset, so it will use the value in parentheses. The same for the filesystem type. To use up the rest of the remaining size, just press Enter when asked for size. If you're done with everything, press q.

So for this example you would enter

d *
a a
offset: [63] ENTER
size: 100g
FS type: [4.2BSD] ENTER
mount point: /
a b
offset: [xy] ENTER
size: 8g
FS type: [swap] ENTER
mount point: /
a d
offset: [xy] ENTER
size: 5g
FS type: [4.2BSD] ENTER
mount point: /tmp

And so on.

Choose sets to install

If you're not overly concerned about space, you can safely install them all. The location of the sets is usually sd1 if you're installing from flash drive - so choose location of sets as disk, then no (not mounted yet) and select sd1.

After that you're set and the installation process begins.

If you're told that OpenBSD won't be able to boot from your drive - then you've probably chosen GPT, when you should've chosen MBR. Type reboot and do everything again - it's a learning experience!

After the first booting it is recommended to look up man afterboot - do it!


The configurations are in /usr/X11R6/share/X11/xorg.conf.d/.

Fixing X on HP250

man intel:

intel is an Xorg driver for Intel integrated graphics chipsets [...] supports Intel(R) HD Graphics: 2000-6000

Create the file /usr/X11R6/share/X11/xorg.conf.d/60-graphics.conf:

Section "Device"
	Identifier "Card0"
	Driver	   "intel"

Configuring synaptics mouse driver

Starting XFCE automatically

Create the file ~/.xsession

#! /bin/sh
exec startxfce4

Annoying terminal bell

man wsconsctl

Disable the annoying keyboardbell permanently by creating the file /etc/wsconsctl.conf:


and on the running system by typing wsconsctl keyboard.bell.volume=0. If you're running FVWM (default window manager), the beep in xterm is caused by its configuration. Add


to /home/user/.Xresources. If you're using XFCE, create the file .xinputrc

set bell-style visual

If you want to disable the bell for all X applications, type xset b off. For this change to be systemwide you have to add xset -b to /etc/X11/xinit/xinitrc.



They are precompiled packages of applications. If you want to compile yourself, you have to use the ports.

The packages are not as thoroughly audited as the main OpenBSD source tree (in many cases, they have not been audited at all). Starting with OpenBSD 5.5, packages are now signed using pkg_sign(1).

The basic available tools are: pkg_info, pkg_add, pkg_delete, pkg_check. By default the variable $PKG_PATH, where the system looks for packages, is empty - you have to set it up first: Look for an FTP server near you in https://www.openbsd.org/ftp.html and type as root:

export PKG_PATH=ftp://ftp.eu.openbsd.org/pub/OpenBSD/%c/packages/%a

If you want to permanently set the variable, add the same line to /home/user/.profile.

To find and install a package type

# pkg_info -Q libreoffice
# pkg_add libreoffice

Here libreoffice is the package name, is the version number. Use the flag -v for pkg_add if you want a more verbose output or -V for statistics output. The tools are interactive by default, if something needs user input it will ask.

To update your installed packages just type

pkg_add -u


pkg_delete package

to delete a package.

Good packages:


man ports

Each port contains any patches necessary to make the original application source code compile and run on OpenBSD.

Ports are basically scripts that pull source code, compiles it on your machine and then installs - they are not binary packages. The downside is that the OpenBSD ports system doesn't have a simple interface like FreeBSD to customize your port. So unless the port is not already in the packages, you probably want to use the available packages. HOWEVER, there are flavors for some packages, that include different build options.

You first have to get the ports.tar.gz from your ftp server of choice, then extract it to /usr/.

# cd /tmp
# ftp https://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/{ports.tar.gz,SHA256.sig}
# signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz
# cd /usr
# tar xzf /tmp/ports.tar.gz

Ways to find a port:

$ cd /usr/ports
$ make search key=rsnapshot
Port:   rsnapshot-1.3.1p0
Path:   net/rsnapshot
Info:   remote filesystem snapshot utility
Maint:  Antoine Jacoutot <ajacoutot@openbsd.org>
Index:  net sysutils
B-deps: :net/rsync
R-deps: :devel/p5-Lchown :net/rsync
Archs:  any
$ cd /usr/ports
$ make search key=python | grep "Port:.*python-2"
Port:   python-2.3.6p6
Port:   python-2.4.4p7
Port:   python-2.5.2p4
Port:   gpsd-python-2.37p0

To install a port:

# cd /usr/ports/misc/screen
# make install clean

To uninstall:

# cd /usr/ports/misc/screen
# make uninstall
===> Deinstalling for screen-4.0.3p1
screen-4.0.3p1: complete
Clean shared items: complete

If there are errors while building, saying that it hit the limit on opened files, raise the openfiles-max variable in the daemon category in the file /etc/login.conf and reboot. After compiling you can lower the value to the default setting again.

Good ports:


To find out if a port has available flavors, go into its directory and type

$ make show=FLAVORS

For example the port of GNU screen has a flavor named static. To install it type

# cd /usr/ports/misc/screen
# env FLAVOR="static" make install 
# env FLAVOR="static" make clean

Porting yourself

If you want to port applications yourself, there's a guide on https://www.openbsd.org/faq/ports/guide.html


General locations of configuration files:

File Contains
/etc/myname default hostname
/etc/hostname.interface configuration for interface
/etc/mygate default gateway
/etc/resolv.conf DNS resolver
/etc/hosts known hosts
/etc/netstart script starts network interfaces
/etc/pf.conf firewall configuration


Create hostname file for your interface in ifconfig (/etc/hostname.urtwn0 for interface urtwn0):


The permissions will automatically be set if insecure, so don't worry about it.

The default gateway will still be fetched from /etc/mygate and your hostname from /etc/myname. To use the changes without rebooting type sh /etc/netstart urwtn0.

While not at home, on a running machine type

# ifconfig ral0 nwid NETWORK wpakey PASSWORD

to connect to a new network, that isn't in your hostname.interface file.

If you are encountering something like this on startup

urtwn0: failed loadfirmware of file urtwn-rt18192cfwT (error 2) urtwn0: no link ............ sleeping

It (error 2) means that the firmware for the device is not in the location where it's supposed to be. Firmware blobs are often not included on the installer media. When you're connected to the internet via cable, type

# fw_update -v

to install the firmware. It will tell you if it updated/installed any firmware.


PF is OpenBSDs firewall and maintained by the developers. There is a port to FreeBSD, but it contains customized code for FreeBSD and uses an older syntax, that has since been changed in OpenBSD.

To permanently disable the boot startup of PF, type

# rcctl disable pf

To temporarily enable and disable PF, type the following (note that it doesn't load a ruleset - this must be done separately)

/sbin/pfctl -e
/sbin/pfctl -d

If you've changed the rules, you can load them again with

/sbin/pfctl -f /etc/pf.conf
Parameter Description
-s rules show rules
-s info show filter stats and counters
-s states show content of states table
-s Tables show list of tables


The configuration files is /etc/pf.conf.

Lists & Macros

The simplest form of rules:

# Comment
pass in tcp to port 2222 from
match in on urtwn0 proto tcp to port { 22 80 } rdr-to
block log out on urtwn0 proto { tcp udp } from {, } to any port { ssh https }

trusted = "{ }"
pass in inet proto tcp from $trusted to port 22

host1      = ""
host2      = ""
all_hosts  = "{" $host1 $host2 "}"

For pass, the packet will be passed and a state will automatically created unless otherwise specified. proto matches only for the specified protocol (tcp, udp, ..).

table <rfc1918>  const {,, }
block in from <rfc1918> to any
# skip all PF processing from loopback interface:
set skip on lo0
Examples for non-server
block quick proto ipv6
set skip on lo
block log all

table <ok> persist
google_dns = "{, }"

pass out on egress inet proto { tcp, udp } from any to <ok> keep state
pass out on egress inet proto { tcp, udp } from any to any port 53 keep state
block out on egress inet proto { tcp, udp } from any to $google_dns port 53
pass out on egress inet proto icmp all icmp-type echoreq keep state
set skip on lo
block return
block return in on ! lo0 proto tcp to port 6000:6010
pass in proto tcp to localhost port 5433
set skip on lo

table <trusted> const {,, }
table <rfc1918> const {,, }

# allow ssh from trusted computers in LAN
pass in on egress proto tcp from <trusted> to port 22
# allow traffic to DNS
pass out on egress inet proto { tcp, udp } from any to any port 53 keep state
# block rfc1918
block return    # block stateless traffic
pass            # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

On Laptop


The daemon is installed by default and should make suspend and suspend on lid close possible without any further interaction. You can set it to automatic performance adjustment mode by adding


into your /etc/rc.conf.local.


If you are an XFCE user, you may wonder why theres no xfce4-power-manager installed, that shows your current battery status. The manager depends on dbus - why install it if you don't need it? You can get all your battery stats with

$ sysctl hw.sensors.acpibat0
hw.sensors.acpibat0.volt0=11.10 VDC (voltage)
hw.sensors.acpibat0.volt1=12.40 VDC (current voltage)
hw.sensors.acpibat0.amphour0=4.04 Ah (last full capacity)
hw.sensors.acpibat0.amphour1=0.20 Ah (warning capacity)
hw.sensors.acpibat0.amphour2=0.04 Ah (low capacity)
hw.sensors.acpibat0.amphour3=3.95 Ah (remaining capacity), OK
hw.sensors.acpibat0.raw0=0 (battery idle), OK
hw.sensors.acpibat0.raw1=0 (rate)
$ sysctl hw.sensors.acpiac0
hw.sensors.acpiac0.indicator0=On (power supply)

To automatically update the XFCE4 panel to show the battery status, create the following script:

#! /bin/sh
# Info query shamelessly copied from http://karlbsd.blogspot.de/2010/01/openbsd-nc4200-howto-get-battery-status.html
# who in turn also copied stuff, or something.
# whatever.
# XFCE clock needs to be set to digital, type:
# xfconf-query -c xfce4-panel -p /plugins/plugin-5/mode -s 2

while true
# Check/update batterystatus every 120 s
sleep 120
bat0=$(sysctl -n hw.sensors.acpibat0)
 if [ "${bat0}" != "" ]; then
  bat0full=$(sysctl -n hw.sensors.acpibat0.amphour0 | sed s/.A.*//)
  bat0warn=$(sysctl -n hw.sensors.acpibat0.amphour1 | sed s/.A.*//)
  bat0low=$(sysctl -n hw.sensors.acpibat0.amphour2 | sed s/.A.*//)
  bat0now=$(sysctl -n hw.sensors.acpibat0.amphour3 | sed s/.A.*//)

  # Get the battery capacity in percentage
  bat0cap=`echo "100 * ${bat0now} / ${bat0full}" | bc`

 # Get the charging status of the battery, replace with symbols
  bat0s=$(sysctl -n hw.sensors.acpibat0.raw0 | sed 's/'0'.*//; s/'1'.*/-/; s/'2'.*/+/; s/'4'.*/!/')
  bat0p=`echo ""`
  bat0s=`echo ""`

 # Get the AC Adapter status
 ac0=$(sysctl -n hw.sensors.acpiac0.indicator0 | sed s/.'('.*//)

 # Set XFCE digital clock to also display battery status
 # This needs to be modified to whatever your plugin no. is
 PRINT="xfconf-query -c xfce4-panel -p /plugins/plugin-5/digital-format -s "
 PRINT=$PRINT"'<b>%R</b> | <i>"
eval $PRINT
# echo Battery: ${bat0p}${bat0s} '|' AC: $ac0


Then make the script executable with chmod +x script. To run the script with XFCE startup, go to Settings>Session and Startup>Application Autostart and add the script to the list.


Create and remove users interactively with adduser and rmuser. Members of the wheel group are allowed to use su (doesn't come preinstalled on 6.2) - to modify groups use the group command.


See man doas. Configuration file is /etc/doas.conf, for example:

permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add 
permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel 
permit nopass testuser as root cmd /sbin/reboot
permit nopass keepenv root as root


non-free Firmware

To update all firmware type

fw_update -a


Binary patches

syspatch is a utility to fetch, verify, install and revert OpenBSD binary patches. When run without any options, syspatch will apply all missing patches.

It is available since September 2016 and should be the preferred method for security and reliability maintenance, provided you want to upgrade an official release and not a current or stable branch. It also only supports the last release.

/etc/installurl contains the URL to the patches mirror, /var/syspatch/ directory contains the rollback tarball. The installurl contains a single line with your OpenBSD mirror of choice. The address must not end with an /!

While rollback is possible it's always all patches or none.

Optionstable -c list available patches (can be automated with cronjob) -r revert most recent patch -R revert all patches

Individual files

Openbsd has an errata for every release: https://www.openbsd.org/errata.html

They contain security fixes, patches and so on. It patches affected files individually.

Switch to current


The current options (2018) are Qemu and the native hypervisor VMM.


This needs an Intel processor that has built-in support for virtualization - make sure it's set to enabled in the BIOS! After that you can check if it works correcly with

# dmesg | grep vmm
      vmm0 at mainbus0: VMX/EPT

Graphical capabilities can be gained by hosting a VNC session on the virtualized machine and using ssvnc as a viewer on the hosting OpenBSD machine to connect (command after installation: vncviewer).

Ubuntu 16.04 LTS

I'm using 16.04 since one of the developers said the following in IRC:

21:26 < mlarkin> 17.04 and previous work best. 17.10 has an issue with networking but you can upgrade from 17.04 -> 17.10 and select the older kernel at boot if you want
21:26 < mlarkin> arch, alpine, fedora, centos have also been reported to work fine. recent (4.11+) kernels have that networking problem across the board though.
21:28 < mlarkin> they chnaged how their virtio stack allocates queue buffers and it's incompatible in some way with how we implemented virtio. both ccardenas and i have looked at it for a week before moving on to more important things

To get a minimal installation, download a mini-iso from https://help.ubuntu.com/community/Installation/MinimalCD

mkdir ~/vmm && cd ~/vmm
vmctl create ubuntu.disk -s 30G



to your /etc/rc.conf.local.

Create a /etc/hostname.vether0 that contains


Leave the address as it is. This is a virtual address.

Your /etc/sysctl.conf should contain


Your /etc/pf.conf should contain

# your actual physicial interface
# the virtual interface
set block-policy drop
set loginterface egress
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)
pass on vether0
pass on tap0
pass on tap1

In /etc/rc.conf:


Create the file /etc/dhcpd.conf:

option domain-name "vmm.local";
option domain-name-servers,;

subnet netmask {
        option routers;

Leave the address as it is, it's a virtual address. If you specify any real address space in your home network, dhcpd will go rogue in it, since it will try to answer in the real network. You can check where dhcpd is listening by typing dhcpd.

To automatically generate the interface switch0, create the file /etc/hostname.switch0:

!switchctl connect /dev/switch0
!ifconfig switch0 addlocal vether0
!ifconfig vether0 up
add vether0
add tap0

Usually the switch0 will not be connected when the machine is up: check wether it is with switchctl show summary or directly connect it with switchctl connect /dev/switch0.

Create /etc/vm.conf for the VM configuration:

vm "ubuntu" {
memory 1024M
disk "/home/user/vmm/ubuntu.disk"
cdrom "/home/user/vmm/mini.iso"

interface {
switch "local"
lladdr 11:22:33:44:55:66

switch "local" {
interface "switch0"

You can generate a MAC address with one of the many tools available online and have it in the configuration or leave out lladdr to have vmd generate an address every time the VM boots up. You can leave the disable out if you want the VM to start automatically. The configuration is described in detail in man vm.conf.

Start the VM with vmctl start 1 -c, where 1 is the ID of your VM, -c meaning that it will be connected to your current terminal. You can check the IDs with vmctl status. If you run into errors saying that the connection to the vmd-socket /var/run/vmd.sock has been refused, it's likely that the socket is not opened at all (you may check that with netstat -ln | grep vmd). Run vmd -dv to have it log to stderr during startup, so you can see what's happening. The vmd will not start correctly if there are any syntax errors in your configuration, as it should.

Inside the VM, when prompted to start the installation or choose other options, press TAB to edit the command the bootloader runs for installation and add the following:


You need to change the booting options in GRUB later to not allow graphics and have console=tty0 console=ttyS0,115200 after linux xyz. You should also delete quiet, so you can see what's happening.

You can exit the serial terminal by typing ~. <ENTER> and reattach it with vmctl console 1. If you want to resize your serial terminal window: After installing xterm on your VM, you can use the command resize (no parameters given) to have the serial terminal fit the size of your OpenBSD terminal window.

After booting into the system, you may want to change the line auto networkinterface to allow-hotplug networkinterface in /etc/network/interfaces to circumvent the 5 min waiting time for systemd.

I recommend you install these packages for a minimal environment:

sudo apt-get install xorg xterm icewm menu gksu synaptic --no-install-recommends
Setting up a VNC Server

The current source and binarys can be found at: https://bintray.com/tigervnc/stable E.g.:

wget https://bintray.com/tigervnc/stable/download_file?file_path=tigervnc-1.8.0.x86_64.tar.gz
tar xvfz tigervnc-1.8.0.x86_64.tar.gz

If you execute vncserver after installing, an interactive setup comes up. After that the server should already be running on display :1.

The startup configuration in ~/.vnc/xstartup should be merged to contain something like

xrdb ~/.Xresources & icewm &

and be executable.