Title: OpenBSD extreme privacy setup
       Author: Solène
       Date: 08 June 2024
       Tags: privacy security openbsd tor i2p
       Description: In this article, you will learn how to install and
       configure OpenBSD to reduce its network activity over clearnet
       
       # Introduction
       
       This blog post explains how to configure an OpenBSD workstation with
       extreme privacy in mind.
       
       This is an attempt to turn OpenBSD into a Whonix or Tails alternative,
       although if you really need that level of privacy, use a system from
       this list and not the present guide.  It is easy to spot OpenBSD using
       network fingerprinting; this cannot be defeated, so you cannot hide the
       fact that you use OpenBSD from network operators.
       
       I did this guide as a challenge for fun, but I also know some users
       have a use for this level of privacy.
       
       Note: this guide explains the steps to increase the privacy of OpenBSD
       and its base system; it will not explain how to configure a web browser
       or how to choose a VPN.
       
       # Checklist
       
       OpenBSD does not have much network activity with a default
       installation, but the following programs generate traffic:
       
       * the installer connects to 199.185.178.80 to associate the chosen
       timezone with your public IP, so the answer can be reused for a future
       installation
       * ntpd (for time sync) uses pool.ntp.org, 9.9.9.9, 2620:fe::fe,
       www.google.com and time.cloudflare.com
       * fw_update connects to firmware.openbsd.org (resolves as
       openbsd.map.fastlydns.net), fw_update is used at the end of the
       installer, and at the end of each sysupgrade
       * sysupgrade, syspatch and pkg_* tools use the address defined in
       /etc/installurl (defaults to cdn.openbsd.org)
       
       # Setup
       
       ## OpenBSD installation
       
       If you do not have OpenBSD installed yet, you will have to download an
       installer.  Choose from the official mirrors or my tor/i2p proxy
       mirror.
       
 (HTM) OpenBSD official website: Downloading OpenBSD
 (HTM) OpenBSD privacy-friendly mirrors
       
       Choose the full installer; for 7.5 it would be install75.img for a USB
       installer or install75.iso for a CD-ROM.
       
       It is important to choose the full installer to avoid any network at
       install time.
       
       Full disk encryption is recommended, but it's your choice.  If you
       choose encryption, it is recommended to wipe the drive with random data
       beforehand.
       
 (HTM) OpenBSD FAQ: Crypto and disks
       
       During the installation, do not configure the network at all.  You want
       to prevent syspatch and fw_update from running at the end of the
       installer, and ntpd from contacting many servers upon boot.
       
       ## First boot (post installation)
       
       Once OpenBSD has booted after the installation, you need to make a
       decision about ntpd (the time synchronization daemon).
       
       * you can disable ntpd entirely with `rcctl disable ntpd`, but it is
       not really recommended as it can create issues with some network
       software if the time is desynchronized
       * you can edit the file `/etc/ntpd.conf` which contains the list of
       servers used to keep the time synchronized, and choose which server to
       connect to (if any)
       * you can configure ntpd to use a sensor providing time (like a GPS
       receiver) and disable everything else
       
       Whonix (maybe Tails too?) uses a custom tailored program named sdwdate
       to update the system clock over Tor (because Tor only supports TCP
       while NTP uses UDP); unfortunately it is not easily portable to
       OpenBSD.
       
       The next step is to edit the file `/etc/hosts` to disable the firmware
       server whose hostname is hard-coded in the program `fw_update`; add
       this line to the file:
       
       ```
       127.0.0.9        firmware.openbsd.org
       ```
       
       ## Packages, firmware and mirrors
       
       The firmware installation and OpenBSD mirror configuration using Tor
       and I2P are covered in my previous article; it explains how to use tor
       or i2p to download firmware, packages and system sets to upgrade.
       
 (HTM) OpenBSD privacy-friendly mirrors
       
       There is a chicken-and-egg issue with this though: on a fresh install
       you have neither tor nor i2p, so you cannot download the tor or i2p
       packages through them.  You could download the packages and their
       dependencies from another system and install them locally from a USB
       stick.
       
       Wi-Fi and some other devices requiring a firmware may not work until
       you run fw_update; you may have to download the files from another
       system and pass the network interface firmware over a USB memory stick
       to get network access.  A smartphone with USB tethering is also a
       practical approach for downloading firmware, but you will have to
       download it over clearnet.
       
       ## DNS
       
       DNS is a huge topic for privacy-oriented users.  I cannot really
       recommend a particular public DNS server because they all have pros and
       cons; I will use 1.1.1.1 and 9.9.9.9 for the example, but use your
       favorite DNS.
       
       Enable the daemon unwind; it is a local DNS resolver with a cache that
       supports DoT, DoH and many other cool features.  Edit the file
       `/etc/unwind.conf` with this configuration:
       
       ```
       forwarder { 1.1.1.1 9.9.9.9 }
       ```
       
       As I said, DoT and DoH are supported; you can configure them directly
       in the forwarder block, and the man page explains the syntax:
       
 (HTM) OpenBSD manual pages: unwind.conf
       
       Now, enable, start and make sure the service is running fine:
       
       ```
       rcctl enable unwind
       rcctl start unwind
       rcctl check unwind
       ```
       
       A program named `resolvd` is running by default.  When it finds that
       unwind is running, resolvd modifies `/etc/resolv.conf` to switch DNS
       resolution to 127.0.0.1, so there is nothing else for you to do.
       
       ## Firewall configuration
       
       A sane firewall configuration for workstations is to block all incoming
       connections.  This can be achieved with the following `/etc/pf.conf`
       (reminder: in pf, the last matching rule wins):
       
       ```
       set block-policy drop
       set skip on lo
       
       match in all scrub (no-df random-id max-mss 1440)
       antispoof quick for egress
       
       # block all traffic (in/out)
       block
       
       # allow reaching the outside (IPv4 + IPv6)
       pass out quick inet
       pass out quick inet6
       
       # allow ICMP (ping) for MTU discovery
       pass in proto icmp
       
       # uncomment if you use SLAAC or ICMP6 (IPv6)
       #pass in on egress inet6 proto icmp6
       #pass in on egress inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client no state
       ```
       
       Reload the rules with `pfctl -f /etc/pf.conf`.
       
       ## Network configuration
       
       Everything is ready so you can finally enable networking.  You can find
       a list of network interfaces with `ifconfig`.
       
       Create the hostname.if file for your network device.
       
 (HTM) OpenBSD manual pages: hostname.if
       
       An ethernet device configuration using DHCP would look like this
       
       ```
       inet autoconf
       ```
       
       A wireless device configuration would look like this:
       
       ```
       join SSID_NAME wpakey password1
       join OTHER_NET wpakey hunter2
       inet autoconf
       ```
       
       You can randomize your network device MAC address at each boot by
       adding the line `lladdr random` to its configuration file.
       
       Start the network with `sh /etc/netstart ifname`.
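
       To verify that the steps above were applied, here is an added audit
       script (my own example for this article, not code from the original
       post or from OpenBSD) that inspects an /etc tree for the clearnet
       defaults from the checklist: the fw_update override in hosts, remote
       ntpd peers and constraints, the default installurl, and `lladdr random`
       in hostname.if files.  The function names are made up; point it at
       /etc on the machine itself or at a copied directory.

```shell
# Added example, not from the original article: audit an /etc tree for the
# clearnet-talking configuration listed in the checklist.  Each function takes
# the path of the file to inspect, so it also works on a copy of /etc.

# Print 1 if firmware.openbsd.org is pinned to a loopback address in the given
# hosts file (the fw_update override described in the article), else 0.
firmware_host_blocked() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++)
             if ($i == "firmware.openbsd.org" && ($1 ~ /^127\./ || $1 == "::1"))
                 hit = 1 }
         END { print hit ? 1 : 0 }' "$1"
}

# Print, one per line, every remote host an ntpd.conf would contact: NTP peers
# ("server"/"servers") and HTTPS constraints ("constraint(s) from").
ntpd_remote_hosts() {
    awk '$1 == "server" || $1 == "servers" { print $2 }
         $1 == "constraint" || $1 == "constraints" { gsub(/"/, "", $3); print $3 }' "$1"
}

# Print 1 if a hostname.if file randomises the MAC address at boot, else 0.
lladdr_randomised() {
    awk '$1 == "lladdr" && $2 == "random" { hit = 1 } END { print hit ? 1 : 0 }' "$1"
}

# Print 1 if installurl still points at cdn.openbsd.org (no file = default), else 0.
installurl_is_default() {
    [ -f "$1" ] || { echo 1; return; }
    awk '/cdn\.openbsd\.org/ { hit = 1 } END { print hit ? 1 : 0 }' "$1"
}

# Run every check against an /etc-like directory, report each finding and
# return 0 only when nothing in it still uses a clearnet default.
privacy_audit() {
    etc=$1; rc=0
    [ "$(firmware_host_blocked "$etc/hosts")" = 1 ] ||
        { echo "fw_update: firmware.openbsd.org not overridden in $etc/hosts"; rc=1; }
    for h in $(ntpd_remote_hosts "$etc/ntpd.conf"); do
        echo "ntpd: would contact $h"; rc=1
    done
    [ "$(installurl_is_default "$etc/installurl")" = 0 ] ||
        { echo "installurl: still the default cdn.openbsd.org"; rc=1; }
    for f in "$etc"/hostname.*; do
        [ -f "$f" ] || continue
        [ "$(lladdr_randomised "$f")" = 1 ] || { echo "$f: no 'lladdr random'"; rc=1; }
    done
    return $rc
}
```

       Run `privacy_audit /etc` as root after following the guide; every
       line it prints is one of the checklist items still left at its default.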
       
       # Special attention during updates
       
       When you upgrade your OpenBSD system from one release to another, or to
       a newer snapshot, using `sysupgrade`, the command `fw_update` will
       automatically be run at the very end of the installer.
       
       It will bypass any `/etc/hosts` changes because it runs from a mini
       root filesystem.  If you do not want `fw_update` to be used over
       clearnet at this step, the only method is to disable the network for
       this step, which can be done by using `sysupgrade -n` to prepare the
       upgrade without rebooting, and then:
       
       * disconnect your computer's Ethernet cable, if any; if you use Wi-Fi
       and you have a physical killswitch, this will be enough to disable
       Wi-Fi
       * if you do not have such a killswitch and Wi-Fi is configured, rename
       its configuration file `/etc/hostname.if` to another, invalid name;
       you will have to rename it back after `sysupgrade`.
       
       You could use this script to automate the process:
       
       ```shell
       # move every hostname.if file away so the upgrade installer finds no
       # network to configure (the running interfaces keep their addresses,
       # so sysupgrade can still download the sets)
       mv /etc/hostname.* /root/
       # download the sets and prepare the upgrade without rebooting
       sysupgrade -n
       # on the first boot after the upgrade, put the files back and start
       # the network
       echo 'mv /root/hostname.* /etc/' > /etc/rc.firsttime
       echo 'sh /etc/netstart' >> /etc/rc.firsttime
       chmod +x /etc/rc.firsttime
       reboot
       ```
       
       It will move all your network configuration into `/root/`, run
       sysupgrade, and configure the next boot to restore the hostname files
       back into place and start the network.
       
       # Webcam and Microphone protection
       
       By default, OpenBSD "filters" webcam and microphone use: if you try to
       use them, you get a video stream with a black background and no audio
       on the microphone.  This is handled directly by the kernel and only
       root can change this behavior.
       
       To toggle microphone recording, change the sysctl `kern.audio.record`
       to 1 or 0 (default).
       
       To toggle webcam recording, change the sysctl `kern.video.record` to 1
       or 0 (default).
       
       What is cool about this mechanism is that it keeps software happy when
       it requires a webcam or microphone: the devices exist but simply record
       nothing.
       
       # Conclusion
       
       Congratulations, you achieved a high privacy level with your OpenBSD
       installation!  If you have money and enough trust in some commercial
       services, you could use a VPN instead of (or as a base for) Tor/I2P,
       but it is not in the scope of this guide.
       
       I did this guide after installing OpenBSD on a laptop connected to
       another laptop doing NAT and running Wireshark to see exactly what was
       leaking over the network.  It was a fun experience.