Openbsd on UNIX Esoterica

OpenBSD Wireguard Keygen Script

Fri, 26 Dec 2025 18:49:47 +0100

WireGuard has been officially included in OpenBSD as a native, in-kernel implementation since OpenBSD 6.8 released in October 2020.

It is quite simple to create a private WireGuard key using the “openssl” command. However, the process of key derivation from a known private key isn’t as simple.

This is a simple little script that I wrote to solve the problem of generating a WireGuard keypair using only the tools from a base install without the need for any additional software:

Keeping OpenBSD Up To Date

Wed, 24 Dec 2025 12:58:21 +0100

NOTE: Feel Free To Skip Ahead

OpenBSD Release Model Explained

OpenBSD uses a strict, time-based release model focused on predictability and continuous development. OpenBSD releases new versions on a fixed six-month cycle.

Flavors

OpenBSD maintains three distinct “flavors” of the operating system simultaneously:

-release: The official, static version of the OS released every six months (e.g., 7.5, 7.6). It is intended for users who prioritize stability and do not need the absolute latest features.

Useful Links

Tue, 29 Apr 2025 10:35:02 +0200

An eclectic collection of useful URLs

I highly recommend reading official documentation first. I have provided a curated list of websites which I personally consider useful.

OpenBSD

Main OpenBSD Sites

OpenBSD Main Site https://www.openbsd.org
OpenBSD FAQs https://www.openbsd.org/faq/index.html
OpenBSD Manpages https://man.openbsd.org
OpenBSD Patches https://www.openbsd.org/errata76.html
OpenBSD Download https://www.openbsd.org/faq/faq4.html#Download

OpenBSD Projects

Keeping OpenBSD Alive

The OpenBSD Foundation https://www.openbsdfoundation.org

Hosting

Sysctl Hardening

Tue, 29 Apr 2025 08:41:24 +0200

/etc/sysctl.conf - hardening

Official OpenBSD Documentation

sysctl(8) manpage - https://man.openbsd.org/sysctl.8

sysctl.conf(5) manpage - https://man.openbsd.org/sysctl.conf.5

malloc(3) manpage - https://man.openbsd.org/free

Sysctl Parameter	Description
`ddb.panic=0`	Reboot on a panic, instead of dropping into the debugger.
`ddb.console=0`	Prevent entry into the kernel debugger.
`net.inet.ip.forwarding=0`	Prevent inet4 forwarding for standalone workstations ( unless needed ).
`machdep.allowaperature=0`	For systems that don’t run X.
`vm.malloc_conf=CFGU`	Individual arguments explained below.
C ( Cache disabled )	Reduces the chance that sensitive data ( like passwords, keys, etc ) remains in memory after being freed.
F ( Free junking )	Easier to detect user-after-free bugs ( access to freed memory ), and prevents old data from leaking if memory is later misused.
G ( Guard pages )	Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds.
U ( Use junking )	Helps catch bugs where programs wrongly assume newly allocated memory.

Server Example - /etc/sysctl.conf

ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperature=0

Firewall Example - /etc/sysctl.conf

ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=1
machdep.allowaperature=0

Workstation Example - /etc/sysctl.conf

ddb.panic=1
ddb.console=1
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperature=1

Thanks to the author of the following page for teaching me about the malloc stuff:

Hosting a HUGO website with OpenBSD

Wed, 20 Nov 2024 17:09:20 +0100

Intended Audience

This guide is intended for anyone who wants to setup a HUGO website runing on OpenBSD using httpd and relayd.

Document Scope

It is assumed that you have some basic UNIX administration skills and that you have already setup an OpenBSD server to your liking. General setup and administration is outside the scope of this document. Instead, we will focus on setting up OpenBSD’s httpd server, relayd, SSL certificates, and so on.