Posts
2025
-
OpenBSD Wireguard Keygen Script
WireGuard has been officially included in OpenBSD as a native, in-kernel implementation since OpenBSD 6.8, released in October 2020.
It is quite simple to create a private WireGuard key using the “openssl” command. However, the process of key derivation from a known private key isn’t as simple.
This is a simple little script that I wrote to solve the problem of generating a WireGuard keypair using only the tools from a base install without the need for any additional software:
-
Create Your GPG Key In Minutes
Step 1 - Create Your Public/Private Key Pair and Revocation Certificate
gpg --expert --full-gen-key
NOTE: If you are on a console without GUI use this instead:
gpg --expert --pinentry-mode=loopback --full-gen-key
When asked what kind of key you want you will be presented with 14 options. Choose the 9th option which should be ECC (Elliptic Curve Cryptography) public/private keypair and an ECC signing key. In most cases the default option will be the best choice.
-
Keeping OpenBSD Up To Date
NOTE: Feel Free To Skip Ahead
OpenBSD Release Model Explained
OpenBSD uses a strict, time-based release model focused on predictability and continuous development. OpenBSD releases new versions on a fixed six-month cycle.
Flavors
OpenBSD maintains three distinct “flavors” of the operating system simultaneously:
-release: The official, static version of the OS released every six months (e.g., 7.5, 7.6). It is intended for users who prioritize stability and do not need the absolute latest features.
-
Flush DNS on macOS Tahoe
While not normally required, you may in rare circumstances find it useful to flush the DNS cache on your Mac. For example, you might experience undesirable DNS settings which persist despite all efforts to remove them through conventional means.
Flush DNS
NOTE: An iPhone sharing cellular data via USB is being used as an example here. Replace “iPhone USB” as needed.
sudo networksetup -setdnsservers "iPhone USB" Empty
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
Verify DNS
scutil --dns
-
Useful Links
An eclectic collection of useful URLs
I highly recommend reading official documentation first. I have provided a curated list of websites which I personally consider useful.
OpenBSD
Main OpenBSD Sites
- OpenBSD Main Site https://www.openbsd.org
- OpenBSD FAQs https://www.openbsd.org/faq/index.html
- OpenBSD Manpages https://man.openbsd.org
- OpenBSD Patches https://www.openbsd.org/errata76.html
- OpenBSD Download https://www.openbsd.org/faq/faq4.html#Download
OpenBSD Projects
- OpenSSH https://www.openssh.com
- LibreSSL https://www.libressl.org
- OpenBGPD https://www.openbgpd.org
- OpenNTPD https://www.openntpd.org
- OpenSMTPD https://www.opensmtpd.org
Keeping OpenBSD Alive
- The OpenBSD Foundation https://www.openbsdfoundation.org
Other OpenBSD Related Sites
Hosting
-
Sysctl Hardening
/etc/sysctl.conf - hardening
Official OpenBSD Documentation
sysctl(8) manpage - https://man.openbsd.org/sysctl.8
sysctl.conf(5) manpage - https://man.openbsd.org/sysctl.conf.5
malloc(3) manpage - https://man.openbsd.org/free
| Sysctl Parameter | Description |
| --- | --- |
| ddb.panic=0 | Reboot on a panic, instead of dropping into the debugger. |
| ddb.console=0 | Prevent entry into the kernel debugger. |
| net.inet.ip.forwarding=0 | Prevent inet4 forwarding for standalone workstations (unless needed). |
| machdep.allowaperture=0 | For systems that don’t run X. |
| vm.malloc_conf=CFGU | Individual arguments explained below. |
| C (Cache disabled) | Reduces the chance that sensitive data (like passwords, keys, etc.) remains in memory after being freed. |
| F (Free junking) | Easier to detect use-after-free bugs (access to freed memory), and prevents old data from leaking if memory is later misused. |
| G (Guard pages) | Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds. |
| U (Use junking) | Helps catch bugs where programs wrongly assume newly allocated memory. |

Server Example - /etc/sysctl.conf
ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=0

Firewall Example - /etc/sysctl.conf
ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=1
machdep.allowaperture=0

Workstation Example - /etc/sysctl.conf
ddb.panic=1
ddb.console=1
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=1

Thanks to the author of the following page for teaching me about the malloc stuff:
2024
-
Hosting a HUGO website with OpenBSD
Intended Audience
This guide is intended for anyone who wants to set up a HUGO website running on OpenBSD using httpd and relayd.
Document Scope
It is assumed that you have some basic UNIX administration skills and that you have already set up an OpenBSD server to your liking. General setup and administration is outside the scope of this document. Instead, we will focus on setting up OpenBSD’s httpd server, relayd, SSL certificates, and so on.
-
Day One
Site up and running
Today marks the start of a new adventure. The site is up and running.
I look forward to sharing content such as howtos, UNIX history, stories, and adventures. In my early years many people helped me to get started. They were there to light my path and get me pointed in the right direction. Their efforts enabled me to discover my passion for all things UNIX and to really discover what facets I enjoyed from such a broad range of possibilities. Over time I was able to perfect my craft and my hobbies and work were one.