Title: OpenBSD extreme privacy setup
Author: Solène
Date: 08 June 2024
Tags: privacy security openbsd tor i2p
Description: In this article, you will learn how to install and
configure OpenBSD to reduce its network activity over clearnet
# Introduction
This blog post explains how to configure an OpenBSD workstation with
extreme privacy in mind.
This is an attempt to turn OpenBSD into a Whonix or Tails alternative;
if you really need that level of privacy, use one of those systems
rather than this guide. OpenBSD is easy to identify through network
fingerprinting, and this cannot be defeated: you cannot hide from
network operators that you are running OpenBSD.
I did this guide as a challenge for fun, but I also know some users
have a use for this level of privacy.
Note: this guide covers the steps that increase the privacy of OpenBSD
and its base system; it does not explain how to configure a web browser
or how to choose a VPN.
# Checklist
OpenBSD does not have much network activity with a default
installation, but the following programs generate traffic:
* the installer connects to 199.185.178.80 over plain HTTP to look up a
timezone for your public IP address and to report the one you chose, so
the answer can be reused for a future installation
* ntpd (time synchronization) uses pool.ntp.org and time.cloudflare.com
as NTP servers (UDP port 123), and contacts 9.9.9.9, 2620:fe::fe and
www.google.com over HTTPS (TCP port 443) as "constraints" to sanity-check
the time it receives
* fw_update connects to firmware.openbsd.org (which resolves to
openbsd.map.fastlydns.net); it runs at the end of the installer and at
the end of each sysupgrade
* sysupgrade, syspatch and the pkg_* tools use the mirror defined in
/etc/installurl (default: https://cdn.openbsd.org/pub/OpenBSD)
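To see which of these endpoints a machine actually contacted, the following script (an added example, not part of the original article or of OpenBSD) summarises a `tcpdump -n` capture, such as one taken on the NAT box described in the conclusion. It counts destinations by address and port, labels the ones from the checklist above, and also lists the names seen in DNS queries, so a missing /etc/hosts override for firmware.openbsd.org shows up before any connection is made. The capture lines embedded at the bottom are constructed for the example, and the labels are this script's own naming, not anything OpenBSD emits.

```shell
#!/bin/sh
# Added example: summarise a "tcpdump -n" capture against the endpoints the
# checklist lists. Not part of OpenBSD or of the original article.
# Works with both OpenBSD's tcpdump format ("src > dst: ...") and the
# libpcap one ("IP src > dst: ...") because it looks for the ">" token.

# address or hostname followed by a label (labels are our own naming)
KNOWN_ENDPOINTS='
199.185.178.80 installer-timezone-lookup
pool.ntp.org ntpd-server
time.cloudflare.com ntpd-server
9.9.9.9 ntpd-constraint-https
2620:fe::fe ntpd-constraint-https
www.google.com ntpd-constraint-https
firmware.openbsd.org fw_update
cdn.openbsd.org installurl-mirror
'

# Reads tcpdump -n output on stdin and prints one line per destination:
#   COUNT DESTINATION PORT LABEL      (LABEL is "-" when unknown)
# DNS queries are reported as "COUNT dns-query NAME LABEL".
leak_summary() {
    awk -v known="$KNOWN_ENDPOINTS" '
    BEGIN {
        n = split(known, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], kv, " ") == 2) label[kv[1]] = kv[2]
    }
    {
        # destination is the token after ">", e.g. "9.9.9.9.443:" or "9.9.9.9:"
        for (i = 1; i < NF; i++) {
            if ($i == ">") {
                d = $(i + 1); sub(/:$/, "", d)
                if (tolower($0) ~ /icmp/) {
                    port = "icmp"                     # ICMP has no port suffix
                } else {
                    port = d; sub(/.*\./, "", port)   # last dot-separated field
                    sub(/\.[^.]*$/, "", d)            # strip it from the address
                }
                count[d " " port]++
                break
            }
        }
        # names asked for in A/AAAA queries, e.g. "A? firmware.openbsd.org."
        for (i = 1; i < NF; i++) {
            if ($i ~ /^(A|AAAA)\?$/) {
                name = $(i + 1); sub(/\.$/, "", name)
                count["dns-query " name]++
            }
        }
    }
    END {
        for (k in count) {
            split(k, p, " ")
            l = (p[1] in label) ? label[p[1]] : ((p[2] in label) ? label[p[2]] : "-")
            printf "%d %s %s %s\n", count[k], p[1], p[2], l
        }
    }' | sort -rn
}

# Constructed sample capture (OpenBSD tcpdump style), not real traffic.
SAMPLE_CAPTURE='22:10:01.000001 192.168.1.10.40123 > 199.185.178.80.80: S 1:1(0) win 16384
22:10:02.000001 192.168.1.10.40124 > 9.9.9.9.443: S 1:1(0) win 16384
22:10:03.000001 192.168.1.10.5123 > 192.168.1.1.53: 4242+ A? firmware.openbsd.org. (38)
22:10:04.000001 192.168.1.10 > 9.9.9.9: icmp: echo request
22:10:05.000001 192.168.1.10.40124 > 9.9.9.9.443: P 1:100(99) ack 1 win 16384'

printf '%s\n' "$SAMPLE_CAPTURE" | leak_summary
```

On a real system you would replace the last line with something like `tcpdump -n -i em0 | leak_summary` (interface name assumed) and let it run through a boot, an `fw_update`, and a `pkg_add`; anything labelled "-" is a destination the checklist does not account for and deserves a look.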
# Setup
## OpenBSD installation
If you do not have OpenBSD installed yet, you will have to download an
installer. Choose from the official mirrors or my tor/i2p proxy
mirror.
* OpenBSD official website: Downloading OpenBSD
* OpenBSD privacy-friendly mirrors
Choose the full installer: for 7.5 that is install75.img for a USB stick
or install75.iso for a CD-ROM.
The full installer matters because it contains the file sets, so nothing
has to be downloaded at install time.
Full disk encryption is recommended, but it is your choice. If you
choose encryption, wipe the drive with random data beforehand.
* OpenBSD FAQ: Crypto and disks
During the installation, do not configure the network at all. This
prevents syspatch and fw_update from running at the end of the installer,
and keeps ntpd from contacting many servers on the first boot.
## First boot (post installation)
Once OpenBSD has booted after the installation, you need to decide what
to do about ntpd (the time synchronization daemon):
* you can disable ntpd entirely with `rcctl disable ntpd`, but this is
not really recommended, as a desynchronized clock breaks some network
software (TLS certificate validation, for instance)
* you can edit `/etc/ntpd.conf`, which lists the servers ntpd
synchronizes with and the HTTPS constraint hosts it uses to sanity-check
the time, and keep only the entries you want (if any); remember that the
`constraint` lines are connections too, over TCP 443 rather than NTP, so
leaving them in place means 9.9.9.9, 2620:fe::fe and www.google.com still
get contacted
* you can configure ntpd to use a time sensor (such as a GPS receiver)
and disable everything else
Whonix (and perhaps Tails) uses a purpose-built program named sdwdate to
set the system clock over Tor (Tor only carries TCP, while NTP uses
UDP); unfortunately it is not easily portable to OpenBSD.
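Whatever you choose, it is worth listing every remote host your ntpd.conf implies before enabling the daemon. The helper below (an added example, not from the article or from OpenBSD) reads an ntpd.conf from a path argument or from stdin and prints one line per outbound dependency: `server`/`servers` entries as NTP over UDP 123, `constraint`/`constraints` entries as HTTPS over TCP 443, and `sensor` entries as local-only. The embedded stock configuration is retyped for the example (not read from the system) so the script runs offline; the 192.0.2.10 address in the minimal variant is a placeholder.

```shell
#!/bin/sh
# Added example: list the network endpoints an ntpd.conf(5) implies.
# Not part of OpenBSD's ntpd or of the original article.

# Usage: ntpd_endpoints [/path/to/ntpd.conf]   (reads stdin when no path given)
# Output lines: "udp/123 HOST server|servers", "tcp/443 HOST constraint|constraints",
# or "local - sensor(DEVICE)" for entries that never touch the network.
ntpd_endpoints() {
    awk '
    { sub(/#.*/, "") }                      # strip comments, then re-split fields
    NF == 0 { next }
    $1 == "server" || $1 == "servers" { print "udp/123 " $2 " " $1; next }
    ($1 == "constraint" || $1 == "constraints") && $2 == "from" {
        h = $3
        gsub(/"/, "", h)                    # the url is usually quoted
        sub(/^https:\/\//, "", h)           # constraints are always HTTPS
        sub(/\/.*/, "", h)                  # drop any path component
        print "tcp/443 " h " " $1; next
    }
    $1 == "sensor" { print "local - sensor(" $2 ")"; next }
    ' ${1:+"$1"}
}

# Retyped copy of the stock /etc/ntpd.conf (constructed for this example).
DEFAULT_NTPD_CONF='servers pool.ntp.org
server time.cloudflare.com
sensor *

constraint from "9.9.9.9"		# quad9 v4 without DNS
constraint from "2620:fe::fe"		# quad9 v6 without DNS
constraints from "www.google.com"	# intentionally not 8.8.8.8'

# A minimal privacy-oriented alternative: one chosen NTP server on the LAN
# (192.0.2.10 is a placeholder) and no HTTPS constraints at all.
MINIMAL_NTPD_CONF='server 192.0.2.10
sensor *'

echo "== stock configuration =="
printf '%s\n' "$DEFAULT_NTPD_CONF" | ntpd_endpoints
echo "== minimal configuration =="
printf '%s\n' "$MINIMAL_NTPD_CONF" | ntpd_endpoints
```

Run `ntpd_endpoints /etc/ntpd.conf` after editing: the stock file yields two NTP servers plus three HTTPS hosts, which is the point of the exercise, since the `constraint` lines are easy to overlook when only the `servers` line gets attention.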
Next, edit `/etc/hosts` to neutralise the firmware server, whose
hostname is hard-coded in `fw_update`, by adding this line (127.0.0.9 is
a loopback address where nothing listens, so the connection fails
immediately):
```
127.0.0.9 firmware.openbsd.org
```
## Packages, firmware and mirrors
Firmware installation and OpenBSD mirror configuration over Tor and I2P
are covered in my previous article, which explains how to use Tor or I2P
to download firmware, packages and the system sets needed to upgrade.
* OpenBSD privacy-friendly mirrors
There is a chicken-and-egg problem here: on a fresh install you have
neither tor nor i2p, so you cannot download the tor or i2p packages
through them. You can download the packages and their dependencies on
another system and install them locally from a USB stick.
Wi-Fi and some other devices that need a firmware may not work until
you run fw_update, so you may have to fetch the firmware files for your
network interface on another system and carry them over on a USB memory
stick to get the network up. A smartphone with USB tethering is also a
practical way to download firmware, but the download will go over
clearnet.
## DNS
DNS is a huge topic for privacy-oriented users. I cannot really
recommend a given public DNS provider because they all have pros and
cons; I will use 1.1.1.1 and 9.9.9.9 in the example, but use your
favorite resolvers.
Enable the unwind daemon, a local validating resolver with a cache that
supports DNS over TLS (DoT) among other features. Edit the file
`/etc/unwind.conf` with this configuration:
```
forwarder { 1.1.1.1 9.9.9.9 }
```
DoT is configured on the forwarder entries themselves; unwind.conf(5)
documents the syntax:
* OpenBSD manual pages: unwind.conf
Now, enable, start and make sure the service is running fine:
```
rcctl enable unwind
rcctl start unwind
rcctl check unwind
```
The `resolvd` daemon runs by default; when it notices that unwind is
running, it rewrites `/etc/resolv.conf` so that name resolution goes to
127.0.0.1, so there is nothing more to do.
## Firewall configuration
A sane firewall configuration for a workstation is to block all incoming
connections. This can be achieved with the following `/etc/pf.conf`
(reminder: in pf the last matching rule wins, unless a rule is marked
`quick`):
```
# check the syntax with "pfctl -nf /etc/pf.conf" before loading

set block-policy drop
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for egress
# block all traffic (in/out); everything below is an exception to this
block
# allow reaching the outside (IPv4 + IPv6); "quick" ends evaluation here,
# and the state created for each connection lets the replies back in
pass out quick inet
pass out quick inet6
# allow incoming ICMP (e.g. being pinged); narrow it with "icmp-type" if
# you only want specific message types
pass in proto icmp
# uncomment if you use SLAAC or ICMP6 (IPv6)
#pass in on egress inet6 proto icmp6
#pass in on egress inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client no state
```
Reload the rules with `pfctl -f /etc/pf.conf`.
## Network configuration
Everything is ready so you can finally enable networking. You can find
a list of network interfaces with `ifconfig`.
Create the hostname.if file for your network device.
* OpenBSD manual pages: hostname.if
An Ethernet device configured with DHCP would look like this:
```
inet autoconf
```
A wireless device configuration would look like this:
```
join SSID_NAME wpakey password1
join OTHER_NET wpakey hunter2
inet autoconf
```
You can randomize the MAC address of a network device at each boot by
adding the line `lladdr random` to its hostname.if file.
Start the network with `sh /etc/netstart ifname`.
# Special attention during updates
When you upgrade your OpenBSD system from one release to another, or to
a newer snapshot, using `sysupgrade`, the command `fw_update` runs
automatically at the very end of the upgrade.
Because the upgrade runs from a ramdisk kernel with its own mini root
filesystem, your `/etc/hosts` override is not in effect at that point.
If you do not want `fw_update` to reach firmware.openbsd.org over
clearnet during the upgrade, the only method is to have no network at
that step: run `sysupgrade -n` to download the sets without rebooting,
and then:
* disconnect the Ethernet cable if you use one; if you use Wi-Fi and
have a physical kill switch, that is enough to disable Wi-Fi
* if you do not have such a kill switch and Wi-Fi is configured, rename
the `/etc/hostname.if` file of that interface to a name the boot scripts
will not pick up, and rename it back after `sysupgrade` has finished.
You could use this script to automate the process:
```shell
set -e    # stop here, with the network still up, if sysupgrade fails
# hostname.if files are only read at boot: moving them leaves the running
# interfaces untouched, but the upgrade ramdisk finds no network to configure
mv /etc/hostname.* /root/
# download the new sets now, over the mirror in /etc/installurl, without rebooting
sysupgrade -n
# on the first boot of the upgraded system, put the files back and start the network
echo 'mv /root/hostname.* /etc/' >> /etc/rc.firsttime
echo 'sh /etc/netstart' >> /etc/rc.firsttime
chmod +x /etc/rc.firsttime
reboot
```
It moves all your network configuration files into `/root/`, runs
sysupgrade, and configures the next boot to restore the hostname files
and start the network. Note that `sysupgrade -n` still needs the network
to fetch the sets: moving the files does not affect the interfaces that
are already up, only what gets configured at the next boot.
# Webcam and Microphone protection
By default, OpenBSD "filters" webcam and microphone access: if you use
them, you get a video stream of black frames and silence from the
microphone. This is handled directly by the kernel and only root can
change the behavior.
To allow microphone recording, set the sysctl `kern.audio.record` to 1
(the default is 0).
To allow webcam recording, set the sysctl `kern.video.record` to 1 (the
default is 0).
What is neat about this mechanism is that software requiring a webcam or
microphone stays happy: the devices exist, they just record nothing. Put
the setting in `/etc/sysctl.conf` if you want it to persist across
reboots.
# Conclusion
Congratulations, you have reached a high privacy level with your OpenBSD
installation! If you have money and enough trust in a commercial
service, you could use a VPN instead of (or underneath) Tor/I2P, but
that is not in the scope of this guide.
I wrote this guide after installing OpenBSD on a laptop connected to
another laptop doing NAT and running Wireshark, to see exactly what was
leaking over the network. It was a fun experience.