Posts on UNIX Esoterica

OpenBSD Wireguard Keygen Script

Fri, 26 Dec 2025 18:49:47 +0100

WireGuard has been officially included in OpenBSD as a native, in-kernel implementation since OpenBSD 6.8 released in October 2020.

It is quite simple to create a private WireGuard key using the “openssl” command. However, the process of key derivation from a known private key isn’t as simple.

This is a simple little script that I wrote to solve the problem of generating a WireGuard keypair using only the tools from a base install without the need for any additional software:

Create Your GPG Key In Minutes

Thu, 25 Dec 2025 21:19:21 +0100

Step 1 - Create Your Public/Private Key Pair and Revocation Certificate

gpg --expert --full-gen-key

NOTE: If you are on a console without GUI use this instead:

gpg --expert --pinentry-mode=loopback --full-gen-key

When asked what kind of key you want you will be presented with 14 options. Choose the 9th option which should be ECC (Elliptic Curve Cryptography) public/private keypair and an ECC signing key. In most cases the default option will be the best choice.

Keeping OpenBSD Up To Date

Wed, 24 Dec 2025 12:58:21 +0100

NOTE: Feel Free To Skip Ahead

OpenBSD Release Model Explained

OpenBSD uses a strict, time-based release model focused on predictability and continuous development. OpenBSD releases new versions on a fixed six-month cycle.

Flavors

OpenBSD maintains three distinct “flavors” of the operating system simultaneously:

-release: The official, static version of the OS released every six months (e.g., 7.5, 7.6). It is intended for users who prioritize stability and do not need the absolute latest features.

Flush DNS on macOS Tahoe

Tue, 23 Dec 2025 13:00:15 +0100

While not normally required, you may in rare circumstances find it useful to flush the DNS cache on your Mac. For example, you might experience undesirable DNS settings which persist despite all efforts to remove them through conventional means.

Flush DNS

NOTE: An iPhone sharing cellular data via USB is being used as an example here. Replace “iPhone USB” as needed.

sudo networksetup -setdnsservers "iPhone USB" Empty
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

Verify DNS

scutil --dns

Useful Links

Tue, 29 Apr 2025 10:35:02 +0200

An eclectic collection of useful URLs

I highly recommend reading official documentation first. I have provided a curated list of websites which I personally consider useful.

OpenBSD

Main OpenBSD Sites

OpenBSD Main Site https://www.openbsd.org
OpenBSD FAQs https://www.openbsd.org/faq/index.html
OpenBSD Manpages https://man.openbsd.org
OpenBSD Patches https://www.openbsd.org/errata76.html
OpenBSD Download https://www.openbsd.org/faq/faq4.html#Download

OpenBSD Projects

Keeping OpenBSD Alive

The OpenBSD Foundation https://www.openbsdfoundation.org

Hosting

Sysctl Hardening

Tue, 29 Apr 2025 08:41:24 +0200

/etc/sysctl.conf - hardening

Official OpenBSD Documentation

sysctl(8) manpage - https://man.openbsd.org/sysctl.8

sysctl.conf(5) manpage - https://man.openbsd.org/sysctl.conf.5

malloc(3) manpage - https://man.openbsd.org/free

Sysctl Parameter	Description
`ddb.panic=0`	Reboot on a panic, instead of dropping into the debugger.
`ddb.console=0`	Prevent entry into the kernel debugger.
`net.inet.ip.forwarding=0`	Prevent inet4 forwarding for standalone workstations ( unless needed ).
`machdep.allowaperature=0`	For systems that don’t run X.
`vm.malloc_conf=CFGU`	Individual arguments explained below.
C ( Cache disabled )	Reduces the chance that sensitive data ( like passwords, keys, etc ) remains in memory after being freed.
F ( Free junking )	Easier to detect user-after-free bugs ( access to freed memory ), and prevents old data from leaking if memory is later misused.
G ( Guard pages )	Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds.
U ( Use junking )	Helps catch bugs where programs wrongly assume newly allocated memory.

Server Example - /etc/sysctl.conf

ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperature=0

Firewall Example - /etc/sysctl.conf

ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=1
machdep.allowaperature=0

Workstation Example - /etc/sysctl.conf

ddb.panic=1
ddb.console=1
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperature=1

Thanks to the author of the following page for teaching me about the malloc stuff:

Hosting a HUGO website with OpenBSD

Wed, 20 Nov 2024 17:09:20 +0100

Intended Audience

This guide is intended for anyone who wants to setup a HUGO website runing on OpenBSD using httpd and relayd.

Document Scope

It is assumed that you have some basic UNIX administration skills and that you have already setup an OpenBSD server to your liking. General setup and administration is outside the scope of this document. Instead, we will focus on setting up OpenBSD’s httpd server, relayd, SSL certificates, and so on.

Day One

Sun, 10 Nov 2024 21:54:53 +0100

Site up and running

Today marks the start of a new adventure. The site is up and running.

I look forward to sharing content such as howtos, UNIX history, stories, and adventures. In my early years many people helped me to get started. They were there to light my path and get me pointed in the right direction. Their efforts enabled me to discover my passion for all things UNIX and to really discover what facets I enjoyed from such a broad range of possibilities. Over time I was able to perfect my craft and my hobbies and work were one.