Encrypted OpenBSD 6.0 in the OVH Cloud
OVH provides very cheap IaaS. The VPS 2016 SSD 1 costs about $3/month for 1 vCPU, 2GB of RAM and 10GB of SSD storage. It is supposed to provide Linux-only virtual machines, but OpenBSD can be installed with a little help from the Internet and a few cups of coffee. Here are my notes.
The OVH Cloud
Create an account on the OVH system and subscribe to a “VPS 2016 SSD 1”. I used the “Ubuntu 16.04 Server (64bits) / Français” template. The language selection doesn’t seem to matter for the later OpenBSD installation. Upon creation, you’ll receive an email with information about the SSH connection. You have to connect over SSH before you can connect using the KVM.
To access the Web KVM, you need to enable the “expert” mode. I had difficulties using my French keyboard layout with the KVM. The trick is to use a US keyboard layout on your workstation. Then, you get correct key mapping in the KVM.
Prepare for OpenBSD installation
Once the VM is created, connect to it using SSH and the credentials sent by email. Then, grab the OpenBSD install image.
root@vps342115:/root# cd /
root@vps342115:/# wget http://ftp.fr.openbsd.org/pub/OpenBSD/6.0/amd64/bsd.rd
(...)
2016-11-23 16:31:57 (2.97 MB/s) - ‘bsd.rd’ saved [7905392/7905392]
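The image above is fetched over plain HTTP and nothing checks it before Grub is told to boot it. An added example (not part of the original notes) that compares the file with the BSD-style SHA256 list published in the same release directory; the function names and the /root/SHA256 path are assumptions, and a matching hash only proves authenticity if the SHA256 list itself was verified, for example with signify against SHA256.sig.

```shell
#!/bin/sh
# Added example: check a downloaded file against an OpenBSD-style SHA256 list.
# Lines in that list look like:  SHA256 (bsd.rd) = <64 hex digits>

# expected_sum LIST NAME -> prints the hash recorded for NAME, or nothing
expected_sum() {
    # Compare the whole "(NAME)" token so bsd.rd never matches bsd.rd.old
    awk -v want="($2)" \
        '$1 == "SHA256" && $2 == want && $3 == "=" { print $4; exit }' "$1"
}

# actual_sum FILE -> prints the SHA-256 of FILE as lowercase hex
actual_sum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'   # Linux (the Ubuntu template)
    else
        sha256 -q "$1"                        # OpenBSD's own tool
    fi
}

# verify_image FILE LIST -> 0 on match, 1 on mismatch, 2 if no usable entry
verify_image() {
    file=$1
    list=$2
    want=$(expected_sum "$list" "$(basename "$file")")
    [ -n "$want" ] || { echo "no entry for $file in $list" >&2; return 2; }
    # A truncated list or an HTML error page must not pass as a hash
    case $want in
        *[!0-9a-f]*) echo "malformed hash in $list" >&2; return 2 ;;
    esac
    [ ${#want} -eq 64 ] || { echo "malformed hash in $list" >&2; return 2; }
    got=$(actual_sum "$file")
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (do not boot it)" >&2
    return 1
}

# Usage on the VPS (assumed path for the downloaded list):
#   verify_image /bsd.rd /root/SHA256 && update-grub
```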
Finally, configure Grub to enable OpenBSD selection and boot.
root@vps342115:/# diff -u2 /etc/grub.d/40_custom.orig /etc/grub.d/40_custom
--- /etc/grub.d/40_custom.orig 2015-05-13 20:33:36.000000000 +0200
+++ /etc/grub.d/40_custom 2016-11-23 17:00:50.081495400 +0100
@@ -4,2 +4,6 @@
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
+menuentry "OpenBSD" {
+ set root=(hd0,msdos1)
+ kopenbsd /bsd.rd
+}
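Review bot: `kopenbsd /bsd.rd` in the new menuentry boots a ramdisk kernel that was fetched with wget over plain HTTP just before, and nothing between the download and this entry checks it; compare the file with the release's SHA256 list (itself verified against SHA256.sig) before running update-grub. `set root=(hd0,msdos1)` also hard-codes the first MBR partition as the place where /bsd.rd lives, which only holds if the Linux root filesystem is on that partition, so confirm that with mount or df first.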
root@vps342115:/# diff -u2 /etc/default/grub.orig /etc/default/grub
--- /etc/default/grub.orig 2015-06-29 22:45:26.135117001 +0200
+++ /etc/default/grub 2016-11-23 17:02:14.429495400 +0100
@@ -5,7 +5,7 @@
GRUB_DEFAULT=0
-GRUB_HIDDEN_TIMEOUT=0
-GRUB_HIDDEN_TIMEOUT_QUIET=true
-GRUB_TIMEOUT=0
+GRUB_HIDDEN_TIMEOUT=10
+GRUB_HIDDEN_TIMEOUT_QUIET=false
+GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0"
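Review bot: the context line `GRUB_DEFAULT=0` is left unchanged, so after this hunk the machine still boots Linux unless the OpenBSD entry is picked by hand in the KVM within the 10 seconds set by `GRUB_TIMEOUT=10`. A one-time `grub-reboot OpenBSD` (which needs `GRUB_DEFAULT=saved`) would select the entry for the next boot only, without depending on KVM keyboard input, and would leave Linux as the default if the installer boot has to be retried.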
root@vps342115:/# update-grub
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.13.0-100-generic
Found initrd image: /boot/initrd.img-3.13.0-100-generic
Found linux image: /boot/vmlinuz-3.13.0-55-generic
Found initrd image: /boot/initrd.img-3.13.0-55-generic
done
This should be enough to boot the OpenBSD installation wizard. Reboot the VM and switch to the Web KVM. At the Grub prompt, press “Esc” and select the “OpenBSD” entry.
Install OpenBSD using full disk encryption
When the boot is finished, choose the “(S)hell” prompt option.
Prepare the disk for full encryption. sd0 is the virtual disk device. A RAID partition will be created on it using the whole space and encryption. Then, a softraid device will be created on top of it. This is where the swap and partitions will be created. Note that /dev/sd1 has to be created as it is not available by default.
# fdisk -iy sd0
Writing MBR at offset 0.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]
size: [20964761] *
FS type: [4.2BSD] RAID
> w
> q
No label changes.
# bioctl -c C -l sd0a softraid0
New passphrase:
Re-type passphrase:
sd1 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 10236MB, 512 bytes/sector, 20964233 sectors
softraid0: CRYPTO volume attached as sd1
# cd /dev && sh MAKEDEV sd1
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
# exit
Back in the installation wizard, choose the “(I)nstall” prompt. Installation proceeds as usual from here. Just remember to use sd1 as the disk device on which to install OpenBSD. I chose to “Use (W)hole disk MBR” and “Create (C)ustom layout”. Swap can be located on sd1.
When done, simply reboot the server. You’ll see that Grub was replaced with the native OpenBSD boot-loader and that everything goes smoothly. At each boot, you’ll have to enter the encryption passphrase before being able to access the disk.
Houston, we have a problem
The OpenBSD installation was done via HTTP. The host got an IP address via DHCP and everything went smoothly. But on reboot, the host gets an IP address but can’t use its gateway. Hence, you can’t connect to the host using SSH; you can’t even ping your own gateway… The problem seems to be that the gateway is not on the same network as the IP address the host gets. No idea why it works during installation though…
Anyway, to get the network working, I disabled the DHCP configuration and configured the interface manually.
# pkill dhclient
# ifconfig vio0 delete
# route delete default
# route delete 193.70.40.1
# cat /etc/hostname.vio0
#dhcp
inet 193.70.43.130 255.255.255.255
!route add -inet 193.70.40.1 -llinfo -link -static -iface vio0
!route add -inet default 193.70.40.1
!echo "search local" > /etc/resolv.conf
!echo "nameserver 213.186.33.99" >> /etc/resolv.conf
# /etc/netstart
Conclusion
OpenBSD is now up and running. So far, it seems to run nicely.
Being able to access the KVM is great. It allows disk encryption and boot access for further upgrade process.
Some pf configuration has to be done to enable OVH monitoring. This allows the Web interface to alert you if services are up or not.
Now, it’s time to install, configure and run all my IT services there.