Title: OpenBSD extreme privacy setup
Author: Solène
Date: 08 June 2024
Tags: privacy security openbsd tor i2p
Description: In this article, you will learn how to install and
configure OpenBSD to reduce its network activity over clearnet
# Introduction
This blog post explains how to configure an OpenBSD workstation with
extreme privacy in mind.
This is an attempt to turn OpenBSD into a Whonix or Tails alternative,
although if you really need that level of privacy, use a system from
this list and not the present guide. OpenBSD is easy to spot using
network fingerprinting, and this cannot be defeated: you cannot hide
from network operators the fact that you use OpenBSD.
I did this guide as a challenge for fun, but I also know some users
have a use for this level of privacy.
Note: this guide explains steps that increase the privacy of OpenBSD
and its base system; it will not explain how to configure a web browser
or how to choose a VPN.
# Checklist
OpenBSD does not have much network activity with a default
installation, but the following programs generate traffic:
* the installer connects to 199.185.178.80 to associate the chosen timezone
with your public IP, so the answer can be reused for a future installation
* ntpd (for time sync) uses pool.ntp.org, 9.9.9.9, 2620:fe::fe,
www.google.com and time.cloudflare.com
* fw_update connects to firmware.openbsd.org (which resolves to
openbsd.map.fastlydns.net); fw_update is run at the end of the
installer and at the end of each sysupgrade
* sysupgrade, syspatch and the pkg_* tools use the address defined in
/etc/installurl (defaults to cdn.openbsd.org)
# Setup
## OpenBSD installation
If you do not have OpenBSD installed yet, you will have to download an
installer. Choose from the official mirrors or my tor/i2p proxy
mirror.
OpenBSD official website: Downloading OpenBSD
OpenBSD privacy-friendly mirrors
Choose the full installer: for 7.5 it would be install75.img for a USB
installer or install75.iso for a CD-ROM.
It is important to choose the full installer to avoid any network
access at install time.
Full disk encryption is recommended, but it's your choice. If you
choose encryption, it is recommended to wipe the drive with random data
beforehand.
OpenBSD FAQ: Crypto and disks
During the installation, do not configure the network at all. You want
to avoid syspatch and fw_update running at the end of the installer, and
also ntpd pinging many servers upon boot.
## First boot (post installation)
Once OpenBSD has booted after the installation, you need to decide
what to do with ntpd (the time synchronization daemon):
* you can disable ntpd entirely with `rcctl disable ntpd`, but this is
not really recommended as it can create issues with some network
software if the time drifts
* you can edit the file `/etc/ntpd.conf`, which contains the list of
servers used to keep the time synchronized, and choose which server to
connect to (if any)
* you can configure ntpd to use a sensor providing time (like a GPS
receiver) and disable everything else
Whonix (maybe Tails too?) uses a custom-tailored program named sdwdate
to update the system clock over Tor (because Tor only supports TCP
while NTP uses UDP); unfortunately it is not easily portable to
OpenBSD.
The next step is to edit the file `/etc/hosts` to disable the firmware
server whose hostname is hard-coded in the program `fw_update`. Add
this line to the file:
```
127.0.0.9 firmware.openbsd.org
```
## Packages, firmware and mirrors
The firmware installation and OpenBSD mirror configuration using Tor
and I2P are covered in my previous article; it explains how to use tor
or i2p to download firmware, packages and the system sets needed to upgrade.
OpenBSD privacy-friendly mirrors
There is a chicken-and-egg issue with this though: on a fresh install you
have neither tor nor i2p, so you cannot download the tor or i2p packages
through them. You could download the packages and their dependencies
from another system and install them locally from a USB stick.
Wi-Fi and some other devices requiring a firmware may not work until
you run fw_update; you may have to download the files from another
system and pass the network interface firmware over a USB memory stick
to get network access. A smartphone with USB tethering is also a practical
approach for downloading firmware, but you will have to download it
over clearnet.
## DNS
DNS is a huge topic for privacy-oriented users. I cannot really
recommend a given public DNS server because they all have pros and
cons; I will use 1.1.1.1 and 9.9.9.9 for the example, but use your
favorite DNS.
Enable the daemon unwind, a local DNS resolver with a cache that
supports DoT, DoH and many other useful features. Edit the file
`/etc/unwind.conf` with this configuration:
```
forwarder { 1.1.1.1 9.9.9.9 }
```
As said above, DoT and DoH are supported; you can configure them directly in
the forwarder block, and the man page explains the syntax:
OpenBSD manual pages: unwind.conf
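As an added example (mine, not from the post), here is the same forwarder block with DNS over TLS, using the two resolvers named above and the TLS names they publish; the keyword order follows my reading of unwind.conf(5), so validate the file with `unwind -n` before enabling it:

```conf
# /etc/unwind.conf
# Plaintext forwarding, as above: every query is readable by anyone on
# the path to the resolver, and answers can be altered in transit.
# forwarder { 1.1.1.1 9.9.9.9 }

# DoT forwarding: queries travel over TLS on port 853 and the resolver
# must present a certificate for the given name, so a network operator
# can neither read nor silently replace the answers (they still see that
# the machine talks to 9.9.9.9 and 1.1.1.1 on port 853).
forwarder {
    9.9.9.9 port 853 authentication name "dns.quad9.net" DoT
    1.1.1.1 port 853 authentication name "cloudflare-dns.com" DoT
}
```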
Now, enable and start the service, and make sure it is running fine:
```
rcctl enable unwind
rcctl start unwind
rcctl check unwind
```
A program named `resolvd` is running by default; when it finds that
unwind is running, resolvd modifies `/etc/resolv.conf` to switch DNS
resolution to 127.0.0.1, so there is nothing else to do.
## Firewall configuration
A sane firewall configuration for workstations is to block all incoming
connections. This can be achieved with the following `/etc/pf.conf`
(reminder: the last matching rule wins):
```
set block-policy drop
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for egress
# block all traffic (in/out)
block
# allow reaching the outside (IPv4 + IPv6)
pass out quick inet
pass out quick inet6
# allow ICMP (ping) for MTU discovery
pass in proto icmp
# uncomment if you use SLAAC or ICMP6 (IPv6)
#pass in on egress inet6 proto icmp6
#pass in on egress inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/…
```
Reload the rules with `pfctl -f /etc/pf.conf`.
## Network configuration
Everything is ready, so you can finally enable networking. You can find
the list of network interfaces with `ifconfig`.
Create the hostname.if file for your network device.
OpenBSD manual pages: hostname.if
An ethernet device configuration using DHCP would look like this:
```
inet autoconf
```
A wireless device configuration would look like this:
```
join SSID_NAME wpakey password1
join OTHER_NET wpakey hunter2
inet autoconf
```
You can randomize your network device's MAC address at each boot by
adding the line `lladdr random` to its configuration file.
Start the network with `sh /etc/netstart ifname`.
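As an added check (my own script, not part of the post or of OpenBSD), this POSIX sh audit reads the files configured in the steps above and reports which items of the checklist still point at clearnet services; `ROOT` and `IFNAME` are hypothetical arguments so it can also run against a copy of the files, and `--demo` runs it on a constructed sample tree.

```shell
#!/bin/sh
# Audit the files written in the setup above against the checklist.
# ROOT is the tree to inspect ("/" on the live machine, or a directory
# holding copies of the files); IFNAME picks the hostname.if to check.
# The checks encode this post's recommendations, not an OpenBSD tool.
uncommented() { grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null; }
check_hosts() {      # firmware.openbsd.org pinned to a loopback address
    uncommented "$1/etc/hosts" |
        grep -Eq '^127\.[0-9.]+[[:space:]]+firmware\.openbsd\.org([[:space:]]|$)'
}
check_ntpd() {       # no stock ntpd.conf time source left active
    ! uncommented "$1/etc/ntpd.conf" |
        grep -Eq 'pool\.ntp\.org|9\.9\.9\.9|2620:fe::fe|www\.google\.com|time\.cloudflare\.com'
}
check_unwind() {     # unwind forwards to chosen servers instead of recursing
    uncommented "$1/etc/unwind.conf" | grep -Eq '^[[:space:]]*forwarder[[:space:]]*\{'
}
check_pf() {         # the ruleset starts from a default-deny "block"
    uncommented "$1/etc/pf.conf" | grep -Eq '^block([[:space:]]|$)'
}
check_lladdr() {     # MAC address randomized at boot
    uncommented "$1/etc/hostname.$2" | grep -Eq '^lladdr[[:space:]]+random'
}
check_installurl() { # mirror moved away from the clearnet default cdn.openbsd.org
    [ -s "$1/etc/installurl" ] && ! grep -q 'cdn\.openbsd\.org' "$1/etc/installurl"
}
# audit ROOT IFNAME: one line per check, returns the number of failures
audit() {
    fails=0
    for c in hosts ntpd unwind pf lladdr installurl; do
        if "check_$c" "$1" "$2"; then echo "ok   $c"
        else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}
# make_sample DIR: constructed tree reproducing the post's config, with
# installurl left at its default on purpose so the audit has one finding
make_sample() {
    mkdir -p "$1/etc"
    printf '127.0.0.9 firmware.openbsd.org\n' > "$1/etc/hosts"
    printf '# stock servers removed, GPS sensor only\nsensor *\n' > "$1/etc/ntpd.conf"
    printf 'forwarder { 1.1.1.1 9.9.9.9 }\n' > "$1/etc/unwind.conf"
    printf 'set skip on lo\nblock\npass out quick inet\n' > "$1/etc/pf.conf"
    printf 'lladdr random\ninet autoconf\n' > "$1/etc/hostname.iwm0"
}
case "${1:-}" in
    --demo) d=$(mktemp -d); make_sample "$d"; audit "$d" iwm0; rm -r "$d" ;;
    "")     echo "usage: $0 ROOT IFNAME | --demo" >&2 ;;
    *)      audit "$1" "${2:-em0}" ;;
esac
```

Run it as root with `sh audit.sh / iwm0` (your interface name) on the finished system; the exit status is the number of checklist items still unaddressed.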
# Special attention during updates
When you upgrade your OpenBSD system from one release to another, or to a
newer snapshot, using `sysupgrade`, the command `fw_update` will
automatically be run at the very end of the installer.
It will bypass any `/etc/hosts` changes because it runs from a mini root
filesystem. If you do not want `fw_update` to be used over clearnet at
this step, the only method is to disable the network at this step. This
can be done by using `sysupgrade -n` to prepare the upgrade without
rebooting, and then:
* disconnect your computer's Ethernet cable, if any; if you use Wi-Fi and
you have a physical killswitch, this will be enough to disable Wi-Fi
* if you do not have such a killswitch and Wi-Fi is configured, rename
its configuration file `/etc/hostname.if` to another, invalid name;
you will have to rename it back after `sysupgrade`.
You could use this script to automate the process:
```shell
#!/bin/sh
# stash every hostname.if file so the upgraded system boots without
# network; the interface stays up until reboot, so sysupgrade can still
# fetch the sets
mv /etc/hostname.* /root/
sysupgrade -n
# rc.firsttime runs once on the next boot: restore the files, then
# bring the network up
echo 'mv /root/hostname.* /etc/' > /etc/rc.firsttime
echo 'sh /etc/netstart' >> /etc/rc.firsttime
chmod +x /etc/rc.firsttime
reboot
```
It will move all your network configuration to `/root/`, run
sysupgrade, and configure the next boot to restore the hostname files
to their place and start the network.
# Webcam and Microphone protection
By default, OpenBSD "filters" webcam and microphone use: if you try to
use them, you get a video stream with a black background and no audio
on the microphone. This is handled directly by the kernel and only root
can change this behavior.
To toggle microphone recording, change the sysctl `kern.audio.record`
to 1 or 0 (default).
To toggle webcam recording, change the sysctl `kern.video.record` to 1
or 0 (default).
What is cool with this mechanism is that it keeps software happy when it
makes the webcam/microphone a requirement: the devices exist but just
record nothing.
# Conclusion
Congratulations, you achieved a high privacy level with your OpenBSD
installation! If you have money and enough trust in some commercial
services, you could use a VPN instead of (or as a base for) Tor/I2P, but it
is not in the scope of this guide.
I did this guide after installing OpenBSD on a laptop connected to
another laptop doing NAT and running Wireshark to see exactly what was
leaking over the network. It was a fun experience.