Configure an OpenBSD machine

Now that your OpenBSD machine is running, there are some initial configuration changes you can make to get things tuned up. That's not to say the default settings are bad, but with some small tweaks you can get the machine tailored to your needs.

The following changes are inspired by the information found in the "welcome" e-mail and man afterboot. You should give them a read for yourself, especially if you're on OpenBSD 6.4 or later as it may have more up-to-date information than is listed here.

dmesg output for the community

First things first, help the OpenBSD developers by mailing them your dmesg and sensor output; it gives them a better picture of the hardware OpenBSD is actually running on. With the default smtpd(8) configuration, mail from local users is relayed straight to the recipient's mail server, so this works as long as the machine can reach the Internet on port 25. If it can't, save the output to a file and send it from another machine.

$ (dmesg; sysctl hw.sensors) | mail -s "dmesg output" dmesg@openbsd.org

Set your installurl

/etc/installurl holds the mirror from which syspatch(8), pkg_add(1) and the upgrade tools fetch their files. There are many mirrors available and you should pick one close to you for the fastest response times. If several mirrors are nearby, send a few pings to each to get an idea of which one answers fastest, and don't forget to try the cloudflare and fastly CDN mirrors as well. Sets and packages are signed with signify(1) and verified on install, so the mirror doesn't have to be trusted for integrity, but an https mirror still keeps what you download out of sight of the network. Once you've identified the fastest mirror, echo its URL to /etc/installurl.

$ doas sh -c "echo 'https://cloudflare.cdn.openbsd.org/pub/OpenBSD/' > /etc/installurl"
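
Pinging each candidate by hand and eyeballing the numbers gets old, so here is a small script that does the comparison and writes the winner to /etc/installurl. It is an added example for this article, not a tool shipped with OpenBSD; the mirror list is an assumption (the two CDN mirrors mentioned above, to which you would add regional mirrors from the openbsd.org mirror list), and the ping(8) summary format it parses is the one OpenBSD prints.

```shell
#!/bin/sh
# pick_mirror.sh: rank OpenBSD mirrors by ICMP round-trip time and
# write the winner to /etc/installurl. This is an added example for
# this article, not a tool shipped with OpenBSD.

# Candidate mirror hostnames. Assumption: the two CDN mirrors named in
# the article; append nearby mirrors from the openbsd.org mirror list.
MIRRORS="cloudflare.cdn.openbsd.org fastly.cdn.openbsd.org"

# Extract the average RTT in ms from a ping(8) summary line such as
#   round-trip min/avg/max/std-dev = 10.1/12.3/15.0/1.2 ms
# Prints nothing when no summary line is present (host never answered).
avg_rtt() {
    sed -n 's|^.*min/avg/max[^=]*= [0-9.]*/\([0-9.]*\)/.*$|\1|p'
}

# Probe each mirror (5 probes, summary only) and print "host avg_ms".
# An unreachable host yields a line with an empty second field.
measure() {
    for h in $MIRRORS; do
        ms=$(ping -q -c 5 "$h" 2>/dev/null | avg_rtt)
        echo "$h $ms"
    done
}

# Read "host avg_ms" lines on stdin and print the host with the lowest
# average. Lines with no RTT (unreachable hosts) are ignored.
fastest() {
    awk 'NF == 2 && ($2 + 0) > 0 && (best == "" || ($2 + 0) < bestms) {
             best = $1; bestms = $2 + 0
         }
         END { if (best != "") print best }'
}

# Run as: sh pick_mirror.sh run
# RTT is only a proxy for download speed, so sanity-check the choice
# with a real fetch (e.g. pkg_add -u) before trusting it.
if [ "${1:-}" = run ]; then
    best=$(measure | fastest)
    if [ -z "$best" ]; then
        echo "no mirror answered ping" >&2
        exit 1
    fi
    echo "https://$best/pub/OpenBSD/" | doas tee /etc/installurl
fi
```

The parsing and selection live in functions so they can be exercised on canned ping output; only the `run` argument touches the network and /etc/installurl.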

Install bugfixes

Since the release, the developers may have published patches for bugs (including security bugs) found in the base system. The syspatch(8) utility makes it easy to retrieve and install them: -c lists the patches that are available but not yet installed, -l lists those already applied, and running syspatch with no arguments installs everything outstanding. Kernel patches only take effect after a reboot, so reboot once syspatch has finished.

$ doas syspatch
$ doas shutdown -r now

Configure timekeeping facilities

The Network Time Protocol (NTP) keeps the clock in sync so it doesn't drift over time, and a correct clock is what makes TLS certificate validation and log timestamps trustworthy. First, add the following line to /etc/rc.conf.local so that ntpd(8) sets the clock immediately at startup if it is far off, instead of slewing it slowly. Note that newer releases dropped the -s flag because ntpd now corrects a large initial offset on its own; check ntpd(8) for your release before adding it, since ntpd will refuse to start on an option it doesn't know.

ntpd_flags="-s"

Next, visit the NTP Pool Project site to identify the pool servers nearest to you. On the right-hand side you should see a breakdown by continent, through which you can drill down to specific server pools; your country may even have dedicated pools. With this information you can fill in /etc/ntpd.conf to control where ntpd gets its time. Using the "servers" (plural) and "constraints" (plural) keywords ensures that if the hostname resolves to multiple IP addresses, all of them are used, whereas the singular forms pick just one. Don't forget the 's'.

# "listen on *" makes this host an NTP server on every address; a client does not need it
#listen on *

servers 0.us.pool.ntp.org
servers 1.us.pool.ntp.org
servers 2.us.pool.ntp.org
servers 3.us.pool.ntp.org

constraints from "https://www.iso.org"
constraints from "https://www.nist.gov"
constraints from "https://www.google.com"
constraints from "https://www.amazon.com"

The constraint URLs are a sanity check on the values received from your NTP pools: ntpd compares them against the Date header of an HTTPS response, so an attacker on the path who can spoof plaintext NTP replies cannot quietly push your system's clock around without also breaking TLS. You may choose any HTTPS sites you wish, but a couple of standards organizations and popular sites should do you well. Don't forget to enclose the constraint URLs in quotes, otherwise ntpd will yell at you. One more thing to watch: a "listen on *" line turns the host into an NTP server on every interface (UDP port 123, open to anyone who can reach it); leave it out unless you mean to serve time to other machines, because ntpd does not need it to keep its own clock in sync. After restarting ntpd with rcctl(8), ntpctl -s all shows the peers, the constraint offset and whether the clock is considered synced.

Verify hostname

Print the contents of /etc/myname to validate the hostname being used for your machine. This should be a fully-qualified domain name, not just the short hostname. If it's empty or wrong, write your FQDN into it the same way we did for the installurl. The file is read at boot, so either reboot or set the hostname right away with hostname(1).

$ cat /etc/myname
gridc0.gridc0.com

Verify network interfaces

You can list the current interface configuration with ifconfig. Don't be alarmed if you see more interfaces than you expect: lo0 is the loopback interface, enc0 is the encapsulation interface for IPsec, and pflog0 is the pf(4) logging interface. These are created by the kernel and you can leave them alone for now.

$ ifconfig

Set up DNS options

If you wish to use different DNS servers than the ones handed out over DHCP, you can configure them in /etc/resolv.conf.tail. dhclient(8) appends this file to /etc/resolv.conf every time it rewrites it, so changes made to resolv.conf itself are simply overwritten on the next lease. (Newer releases no longer honour resolv.conf.tail; there, tell the DHCP client to ignore the supplied name servers instead and maintain resolv.conf yourself, so check resolv.conf(5) and the DHCP client's man page for your release.) If you want to find the DNS servers that are fastest for you, you could use a tool like GRC's DNS Benchmark. Identify up to 3 servers you want to use (the resolver only uses the first three nameserver lines) and add them in place of the IP addresses below in /etc/resolv.conf.tail. Remember that whoever runs these servers sees every name this machine looks up, so pick resolvers you trust, not just the fastest ones.

nameserver <IP address>
nameserver <IP address>
nameserver <IP address>

domain <yourdomain>
lookup file bind
family inet4

The domain keyword sets your local domain so that people on your network can use bare hostnames rather than the FQDN of a server. The lookup keyword makes the resolver search /etc/hosts before performing a proper DNS query (the default order is DNS first, then the hosts file). Lastly, the family keyword restricts lookups to one address family; resolv.conf(5) spells the values inet4 and inet6, so "family inet4" means IPv4 only. If you use IPv6 as well, leave that line out.
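
If you would rather measure resolver latency from the OpenBSD box itself than from a Windows tool, the following script times a lookup against each candidate with dig(1) (in the base system) and prints the three fastest as ready-made nameserver lines for /etc/resolv.conf.tail. It is an added example for this article, not OpenBSD tooling; the candidate list and the probe name are assumptions you should replace with resolvers you actually trust.

```shell
#!/bin/sh
# rank_resolvers.sh: time a DNS query against each candidate resolver
# and print the three fastest as resolv.conf.tail nameserver lines.
# Added example for this article, not OpenBSD's own tooling.

# Candidate resolvers. Assumption: a few public resolvers; substitute
# the ones you actually trust (your ISP's, your own unbound(8), ...).
CANDIDATES="9.9.9.9 1.1.1.1 8.8.8.8"
# Name to look up; assumption: any well-known name is fine.
PROBE_NAME="www.openbsd.org"

# Extract the query time in ms from dig(1) output, e.g.
#   ;; Query time: 23 msec
# Prints nothing when the line is absent (timeout, refused, ...).
query_time() {
    sed -n 's|^;; Query time: \([0-9][0-9]*\) msec.*$|\1|p'
}

# Query each resolver three times and keep the best time, so a single
# cold cache miss doesn't sink an otherwise fast server. Prints
# "server ms"; resolvers that never answered are left out.
measure() {
    for s in $CANDIDATES; do
        ms=$(for i in 1 2 3; do
                 dig @"$s" "$PROBE_NAME" A +tries=1 +time=2 2>/dev/null | query_time
             done | sort -n | head -n 1)
        [ -n "$ms" ] && echo "$s $ms"
    done
}

# Read "server ms" lines on stdin, keep the N fastest (default 3, which
# is also the most resolv.conf will use) and emit nameserver lines,
# fastest first.
tail_lines() {
    n=${1:-3}
    sort -k2,2n | head -n "$n" | awk '{ print "nameserver " $1 }'
}

# Run as: sh rank_resolvers.sh run > /tmp/resolv.conf.tail
# Review the file, add your domain/lookup/family lines, then copy it
# into place with doas.
if [ "${1:-}" = run ]; then
    measure | tail_lines 3
fi
```

As with the mirror check, latency is only one input: a resolver that is a few milliseconds slower but run by someone you trust with your query history is the better choice.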

Reboot and enjoy

To ensure you made the changes correctly, reboot once more. Watch the console output for errors before assuming that the configuration changes were valid.

$ doas shutdown -r now

Now your machine is set up for normal operation - enjoy!

For more detailed information on these utilities or configuration files, you can pass their names to man

$ man ntpd.conf

Or read them on the web at https://man.openbsd.org.
