Intro

I thought I would start by sharing my experience of ordering and setting up an OpenBSD VPS on OpenBSD.Amsterdam. Before I begin, I have no affiliation with them so I gain nothing should you decide to order from them, and I am paying for this server out of my own pocket.

Ordering

Looking around on their page, they have quite a lot of information about their setup, so it should be easy to see what the options are and what you are getting.

I would like to point out a few things which I think are unique to this provider. First off, the hosts are also running OpenBSD, using vmm/vmd to provide virtualization. If you click on the “xxx VMs deployed” link in the top right-hand corner of their page, you will find rrdtool graphs for all the hosts which show their uptime as well as what OpenBSD version they are running. They also share what kind of hardware the hosts are running on, and that they provision at most 40 VMs per host, so they are quite transparent about their setup.

Another thing I think is unique is that they allow you to SSH into the host, to manage your VM with vmctl if you need to start or stop it, or access its console.

They do not have any web interface to manage your VM, so SSH is it. I think this is a far superior experience though, as many web consoles I have tried have been very laggy and, more problematically, have had a different keyboard mapping than mine. With special characters like ^, `, [, } and * in my password, I have many times struggled to log on through a web console because I couldn’t find the key combinations that produce those characters.

To order a VPS, there’s a large, friendly “Book your VM” button on their front-page. Fill in your information, select your options and that is it. Memory and disk can be increased later, so I went for the minimal option which is the default 1 GB RAM, 50 GB disk.

I ordered my VM around 8 in the evening Amsterdam time, and received the welcome mail a little more than one hour later with the login details. Your experience may vary here as I saw someone mention they got theirs mere minutes after ordering.

Do note that you will have to pay for the VM for a year in advance, so if you just want to try OpenBSD, this may not be for you. The current price is €69 for a year, which works out to less than €6 per month, which I personally think is reasonable. Here that price equals one, maybe two cups of take-away coffee a month.

For every new VM ordered they donate €10 to the OpenBSD Foundation, and for every renewal they donate €15, so by being a customer you are helping fund the people and the infrastructure behind OpenBSD, OpenSSH and so on. I’ve not seen anyone else do anything like that.

Setup

Back to the setup: having received the login details I was able to log in with the username I had asked for, on the IP address they gave me, using my SSH key.

As noted in the onboarding link provided in the email I received, I found the root password in the ~/.ssh/authorized_keys file.

I changed that right away and set up doas, which OpenBSD uses instead of sudo to execute commands as root.

Setting up doas is easy, as my user was already a member of the group wheel, and the example doas config allows users in this group to execute commands. Group membership can be checked with the id command.

OpenBSD comes with a set of example configuration files in /etc/examples so all I needed to do was copy doas.conf to /etc and I was good to go. Setting a strong password for my account was also done at this point.

Now I have a config that works, but to make life a little more tolerable I added a line to the doas config so I won’t have to enter my password every time:

permit persist <username>

This means I only have to give doas my password every so often, which seems to be every 5 minutes or so.
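The steps above (check wheel membership with id, copy the example config, append the persist rule) can be scripted, and the one check worth adding is to parse the new file with doas -C before it replaces /etc/doas.conf, since a syntactically broken doas.conf leaves you without a way to become root. The script below is an added example, not from the post or from OpenBSD; it assumes the default paths /etc/examples/doas.conf and /etc/doas.conf, and the fallback line check used when doas is not installed is a simplification of mine, not doas's own parser.

```shell
#!/bin/sh
# Added example (not from the post): stage a doas.conf, check it, then install it.
# Assumes OpenBSD's default layout: /etc/examples/doas.conf is the example shipped
# with the base system and /etc/doas.conf is where doas reads its rules. All paths
# are parameters so the functions can be exercised against a scratch directory.
set -eu

in_group() {
    # Return 0 if the current user is a member of group $1 (the post's "check with id").
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

stage_doas_conf() {
    # $1: example file, $2: staged output file, $3: user to grant persist to.
    # Copy the example and append "permit persist <user>", skipping the append
    # when an identical rule already exists so repeated runs do not duplicate it.
    ex=$1; out=$2; user=$3
    cp -- "$ex" "$out"
    rule="permit persist $user"
    grep -qx -- "$rule" "$out" || printf '%s\n' "$rule" >> "$out"
}

check_doas_conf() {
    # Syntax-check a staged file before it goes live. With doas present,
    # `doas -C file` parses the file and exits without running anything.
    # Without doas (e.g. a scratch run on another OS) fall back to a minimal
    # check that every non-blank, non-comment line starts with permit or deny;
    # this fallback is an assumption of this example, not doas's grammar.
    f=$1
    if command -v doas >/dev/null 2>&1; then
        doas -C "$f"
    else
        ! grep -v '^[[:space:]]*#' -- "$f" | grep -v '^[[:space:]]*$' \
            | grep -qvE '^(permit|deny)[[:space:]]'
    fi
}

install_doas_conf() {
    # $1: staged file, $2: target path. Install only after the check passes.
    # doas refuses a config that is group/world-writable, so keep it 0600.
    check_doas_conf "$1" && cp -- "$1" "$2" && chmod 0600 -- "$2"
}
```

On the VM the whole procedure is, as root (or via the temporary root login): `stage_doas_conf /etc/examples/doas.conf /tmp/doas.conf.new "$USER" && install_doas_conf /tmp/doas.conf.new /etc/doas.conf`, after confirming `in_group wheel` returns 0 for your account; if check_doas_conf fails, the old /etc/doas.conf is left untouched.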

Looking in /var/mail I found a file with my username. This contained a log of the installation, so I could see exactly how it was done. I made a copy of this as I’m sure I want to reinstall my VM later to add full disk encryption (FDE). Another nice surprise was that they ran syspatch as part of the installation, meaning the VM already had the latest security patches applied. I ordered my VM a little earlier this month, at which point 7.6 had been out for a while, so it was nice to see all published patches were already installed. Patch status can be checked by running doas syspatch which should return an empty output, indicating that there was nothing to do as the system is up to date.

So then, what is running on our shiny new OpenBSD VM? Not much, it turns out, which I think is sensible: there is no need to work out what everything is and how to disable it in order to secure the system.

The entire process list:

user@obsd-web:~$ ps waux
USER       PID %CPU %MEM   VSZ   RSS TT  STAT   STARTED       TIME COMMAND
root         1  0.0  0.0   940   100 ??  I      14Apr25    0:00.02 /sbin/init
root     27554  0.0  0.0  1096    24 ??  Ip     14Apr25    0:00.01 /sbin/slaacd
_slaacd  48623  0.0  0.0  1096    24 ??  Ip     14Apr25    0:00.01 slaacd: engine (slaacd)
_slaacd  95138  0.0  0.0  1112   252 ??  IpU    14Apr25    0:00.02 slaacd: frontend (slaacd)
root     43737  0.0  0.0  1124    24 ??  IU     14Apr25    0:00.02 /sbin/dhcpleased
_dhcp    22091  0.0  0.1  1128   844 ??  Ip     14Apr25    0:00.05 dhcpleased: engine (dhcpleased)
_dhcp    12222  0.0  0.1  1140   908 ??  IpU    14Apr25    0:00.06 dhcpleased: frontend (dhcpleased)
root     45070  0.0  0.0   828     8 ??  IpU    14Apr25    0:00.01 /sbin/resolvd
root     43133  0.0  0.1  1028   788 ??  IpU    14Apr25    0:00.02 syslogd: [priv] (syslogd)
_syslogd 45465  0.0  0.1  1536  1528 ??  Spc    14Apr25    0:02.51 /usr/sbin/syslogd
root     53296  0.0  0.0   992     8 ??  IU     14Apr25    0:00.01 pflogd: [priv] (pflogd)
_pflogd  92342  0.0  0.1  1044   644 ??  Ipc    14Apr25    0:00.97 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
_ntp      5555  0.0  0.2  1512  1844 ??  S<pc   14Apr25    0:13.77 ntpd: ntp engine (ntpd)
_ntp     36218  0.0  0.1  1336  1164 ??  Ip     14Apr25    0:00.14 ntpd: dns engine (ntpd)
root      3044  0.0  0.2  1412  1856 ??  I<pU   14Apr25    0:00.07 /usr/sbin/ntpd
root     92087  0.0  0.2  1092  2460 ??  I      14Apr25    0:00.46 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
root     98446  0.0  0.2  1980  1684 ??  Ip     14Apr25    0:00.03 /usr/sbin/smtpd
_smtpd   46031  0.0  0.0  1708    24 ??  Ipc    14Apr25    0:00.01 smtpd: crypto (smtpd)
_smtpd   29310  0.0  0.2  1984  1576 ??  Ipc    14Apr25    0:00.03 smtpd: control (smtpd)
_smtpd   36714  0.0  0.2  1804  2020 ??  Ip     14Apr25    0:00.03 smtpd: lookup (smtpd)
_smtpd    4182  0.0  0.2  2572  2548 ??  Ipc    14Apr25    0:00.07 smtpd: dispatcher (smtpd)
_smtpq   65699  0.0  0.2  1924  1920 ??  Ipc    14Apr25    0:00.11 smtpd: queue (smtpd)
_smtpd   14480  0.0  0.2  1708  1600 ??  Ipc    14Apr25    0:00.04 smtpd: scheduler (smtpd)
root     50727  0.0  0.1  1152  1364 ??  Ip     14Apr25    0:03.56 /usr/sbin/cron
root     79089  0.0  0.4  1588  4292 ??  I      11:14AM    0:00.05 sshd-session: user [priv] (sshd-session)
user      5967  0.0  0.4  1860  3732 ??  R      11:14AM    0:00.11 sshd-session: user@ttyp0 (sshd-session)
user     14194  0.0  0.1  1532  1144 p0  Sp     11:14AM    0:00.02 -ksh (ksh)
user     85515  0.0  0.0   960   448 p0  R+pU   12:33PM    0:00.00 ps -waux
root      7401  0.0  0.0   792    24 00  I+pU   14Apr25    0:00.02 /usr/libexec/getty std.115200 tty00
user@obsd-web:~$

As for which network services are running and have open ports, not many either. Only sshd and dhcpleased (the DHCP client) listen on the public IP, while smtpd listens on localhost only. I’ve removed my incoming SSH connection, the outgoing NTP connections and my server IP:

user@obsd-web:~$ netstat -an
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address
udp          0      0  *.*                    *.*
udp          0      0  x.x.x.x.68             *.*
udp          0      0  *.*                    *.*
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp6         0      0  fe80::1%lo0.25         *.*                    LISTEN
tcp6         0      0  ::1.25                 *.*                    LISTEN
tcp6         0      0  *.22                   *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address
udp6         0      0  *.*                    *.*
udp6         0      0  *.*                    *.*
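A baseline like the netstat listing above is most useful when it can be re-checked after services are added, so here is a small script (an added example, not from the post) that reads `netstat -an` output and reports every listening TCP socket and every port-bound UDP socket, tagged as loopback or public by its local address. The column layout it assumes is the one OpenBSD's netstat printed above; the sample input is the post's own listing with a constructed address, 192.0.2.10, in place of the server IP.

```shell
#!/bin/sh
# Added example, not part of the post: summarise listening sockets from
# `netstat -an` on OpenBSD so a baseline can be recorded and compared later.
# Assumed column layout (as in the post): Proto Recv-Q Send-Q Local-Address
# Foreign-Address [TCP-State]. Addresses are printed as host.port.

listening_sockets() {
    # stdin: netstat -an output. Prints "<scope> <proto> <local address>" for
    # every TCP socket in LISTEN and every UDP socket bound to a port.
    awk '
        function scope(addr) {
            # loopback: IPv4 127/8, IPv6 ::1, and anything scoped to lo0
            if (addr ~ /^127\./ || addr ~ /^::1\./ || addr ~ /%lo0\./)
                return "loopback"
            return "public"
        }
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" { print scope($4), $1, $4 }
        $1 ~ /^udp6?$/ && $4 != "*.*"     { print scope($4), $1, $4 }
    ' | LC_ALL=C sort -u
}

public_sockets() {
    # Only sockets reachable from outside the host: the set to compare against
    # what you actually intended to expose (here: sshd on 22, dhcpleased on 68).
    listening_sockets | awk '$1 == "public" { print $2, $3 }'
}

# Constructed sample: the post's netstat output with the server IP replaced by
# the documentation address 192.0.2.10.
SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address
udp          0      0  *.*                    *.*
udp          0      0  192.0.2.10.68          *.*
udp          0      0  *.*                    *.*
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp6         0      0  fe80::1%lo0.25         *.*                    LISTEN
tcp6         0      0  ::1.25                 *.*                    LISTEN
tcp6         0      0  *.22                   *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address
udp6         0      0  *.*                    *.*
udp6         0      0  *.*                    *.*'

# Run against the sample when executed directly; on the VM use:
#   netstat -an | public_sockets
printf '%s\n' "$SAMPLE" | listening_sockets
```

Saving the output of `netstat -an | listening_sockets` right after provisioning and diffing it against a fresh run after each change makes any service that accidentally bound to the public address, rather than to localhost as smtpd does here, stand out immediately.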

All in all it feels like a very nice, clean and minimal system, at least in the default setup. OpenBSD actually comes with a lot of services that can be activated if you want, which I’ll get back to later.

That’s it for now. I’m very happy with the process so far, the transparency of the hosting provider and the initial setup.

Next up, change some things and add some services.