2025-12-09

Running OpenBSD in hostile environment

I haven't blogged for quite a while.. Well, life is happning and I just don't have the time or energy to sit down and write posts. Until now.

Lately I had a work strip to China, where it's known for the hostile internet the the GFW. So.. I decided to upgrade the long-untouched OpenBSD on my laptop and seek security there. Turns out OpenBSD 7.8 is great!! Firefox now has hardware accelerated video decoding and doesn't crash randomly anymore. sndio is now also stable on my Framework 13 and doesn't crash randomly. And WiFi is more stable than ever.

Running OpenBSD 7.8 on my Framework 13
Image: Running OpenBSD 7.8 on my Framework 13

The logic behind using OpenBSD is simple. I am (hopefully) not a valuable enough target for a state actor to burn a 0-day on. If I get attacked at all, they'll be generic attacks against commonly installed systems. Windows, Mac, Ubuntu, Arch, Fedora. Not the BSDs. OpenBSD because important userspace programs are pledged and unveiled to the minimal set of access they actually need. Plus the allocator has settings I can choose to increase security at some cost to performance - and everything keeps on being "it just works", unlike using hardened_allocator on Linux and starting to see processes failing.

# /etc/rc.conf
vm.malloc_config=JU>

Even if there's a kenel 0 day.. good luck when offsets are unknown due to relinking.

Security being security, you don't know if it worked until it's too late and there's a hole. And ofc that physical security is more important then preventing remote attacks - FDE, always completely powered off when not in sight, etc.. I really liked the trick of putting shreads of paper on top of and next to the machine when leaving it in hotel room. You'll know if someone every touched it.

Good news is during and aftre the stay. My dmesg logs does not see any meaningful errors. It seems that I haven't been attacked.

VPN wise WireGuard is useless. It gets detected and stopped. GFW's DPI is a bitch. But XRay with VLess works really well. The CPU overhead is much higher, often eating up an entire CPU core. But it gets passes the GFW by wrapping VPN into a normal looking TLS session. With many obfuscation techniques.

Project XRay

Long story short - I survived.

← Back to blog