Cruising a VPS at OpenBSD Amsterdam


When it comes to getting an OpenBSD virtual machine, you can go to your preferred Linux VPS provider and hack its rescue mode to install OpenBSD. Or you can go to a VPS provider that offers booting from an ISO file and access to the console. In that case, you’d probably get an OpenBSD VM running on KVM, which is not that bad.

But you can also book your VM from OpenBSD Amsterdam and let the 100% OpenBSD journey begin.

Introduction

OpenBSD Amsterdam is a VPS provider that only offers OpenBSD virtual machines. It is unique in that the entire virtualisation infrastructure runs using OpenBSD. They have physical servers running OpenBSD with vmm(4)/vmd(8). Those hypervisors host the VPS you book from them.

Because of this, the VPS have a fairly static configuration. You only get a server with 1 vCPU, 1 GB of RAM and 50 GB of storage for roughly 5€ per month, as of December 2024. There are options to book a bit more memory and/or storage if you really need more.

The purchase is done on a yearly basis. And each time you book a VM at OpenBSD Amsterdam, they donate a portion of the VPS price to the OpenBSD Foundation.

Read more about them here.

This Website and my Email services are actually hosted at OpenBSD Amsterdam. I own another VM that does some monitoring stuff. I also booked another one to actually proof test all the stuff you’ll read in the following sections. When done, this VM will be reused for another project I have in mind 🤫

📽️ Note that I also published a Peertube video that covers what is detailed in this post 🍿

Book your VM

If you’re already on the OpenBSD Amsterdam homepage, click the yellow “Book your VM” button. Or simply browse to the Book your VM web page.

Read the terms of service and think twice before running your $5M enterprise ERP on those VPS. I booked my first VM in January 2020 and only encountered 1 big issue where the VM was totally lost because of a hardware error. There are “regular” (read: once every 6 months) downtimes that never exceeded an hour when the hypervisors were upgraded. There may be some shorter downtimes (like 5-10 minutes) when a security patch requires a host to be rebooted. TBH, it is as good as Vultr and somehow better than what I encountered with OVH.

Read the terms of use:

Don’t run Tor/I2P nodes, don’t convert to Linux, traffic is fair-use and be kind to your neighbour.

If you’re ok with this, fill in the booking form.

Confirm that you are a real nerd human by validating the Captcha. Then click the yellow “Book it” button.

The booking will be processed and you will receive a confirmation email at the contact address you entered.

Greetings and payment

Once the booking is processed and the VPS is ready to roll out, you get a notification email. It contains all the information required to connect to the VPS itself and to the hosting hypervisor if you need to access the VPS console. Both connections use the username and the SSH key you provided during booking.

Here’s an anonymised example of the welcome email you get when your VPS is ready:

From: ░░▒░▓░░▓▒▓░░░▒▒░░▒▓░
To:   ▓░░▓▒▓░░░▒░▒▒░░▒▓░░▓
Date: Fri, 22 Nov 2024 06:33:38 +0100 (CET)
Subject: OpenBSD Amsterdam

Hi Joel,

Welcome to OpenBSD Amsterdam! Your VM has been deployed.

You are on host: ░▓▒▓░░░▒.openbsd.amsterdam
Your VM name: ░▒▒░░▒▓░

IPv4 address: ░░▒░▓░░▓▒▓░░░▓
IPv4 subnet:  ▓░░▓▒▓░░░▒▒░▓▒
IPv4 gateway: ▒░▓░░▓▒▓░░░▒▒░

IPv6 address: ▓▒▓░░░▒▒░▓▒░▓░░▓▒▓░░░░
IPv6 subnet:  ▓░░▒░▓░░▓▒▓░░░▓▒░▓░░▓▒
IPv6 gateway: ░▓▒░▓░░▓▒▓░░░░▓▒▓░░░▒▒

You should be able to ssh into your VM.

The username you provided was: ░░▒▒░▓▒░▒░▓░

You can also ssh into the host on port ▓░▓▒░░▓▒ with the same username
and SSH key and use vmctl to manage your VM.

More information to be found at:
https://openbsd.amsterdam/onboard.html
https://openbsd.amsterdam/backup.html

To set your PTR / reverse DNS you can follow the steps at:
https://openbsd.amsterdam/ptr.html

Your payment for the year is €67.

Stripe: https://buy.stripe.com/8wMaEO0i67LS1eE288
iDEAL: https://bunq.me/openbsdams/67/vm21%20server24
Paypal: https://paypal.me/runbsd/67eur

For all payment options, have a look at:
https://openbsd.amsterdam/pay.html

Have fun!

Mischa

PS: When you are going to FDE your VM, keep in mind that we can not
start your VM.

PPS: You can follow us on https://bsd.network/@OpenBSDAms and would be
great if you can share your story there.

Once your payment is done, you can start connecting to the virtual machine.

VPS access

There are two main ways to access the virtual machine: either connect to its SSH daemon, or connect to the host server using SSH and access the VPS serial console.

The on-boarding information is available here.

Connecting using SSH

Using the email information and the provided SSH key, log into the VPS using your favourite SSH client.

$ ssh -i ~/.ssh/mykey username@192.0.2.101
rec-obsd-ams$ uname -a
OpenBSD rec-obsd-ams.openbsd.amsterdam 7.6 GENERIC#332 amd64

The randomly generated root password is stored in the last field of the user’s authorized_keys file. Display it, switch to the root user and proceed to your preferred administrative tasks.

$ cat ~/.ssh/authorized_keys
$ su -

# passwd root
New password:
Retype new password:
passwd: password updated successfully

# cat > /etc/doas.conf
permit keepenv persist :wheel
permit nopass root
^D

# syspatch

# vi /etc/ssh/sshd_config
(...)
PasswordAuthentication no

# rcctl restart sshd

Note that the password is also the one preconfigured for your user. You probably want to change it too.
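
The sshd_config edit above only takes effect if the new line is the first PasswordAuthentication that sshd reads in the global section. The following check is an added example, not part of the original post; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. sshd_config(5): for each keyword
# the first obtained value is used, and keywords after a "Match" line only
# apply to connections that satisfy the Match.

# Print the value the global section gives a keyword, or "unset" when the
# built-in default applies. Include files are not followed.
effective_global() {    # usage: effective_global <keyword> <config-file>
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" { exit }                # end of the global section
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# True only when password logins are explicitly disabled for everyone.
password_login_disabled() {    # usage: password_login_disabled <config-file>
    [ "$(effective_global PasswordAuthentication "$1")" = "no" ]
}

# Constructed samples, not real configurations.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

# 1. "no" appended below an existing "yes": the earlier line wins.
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'Subsystem sftp /usr/libexec/sftp-server' \
    'PasswordAuthentication no' > "$dir/appended"

# 2. "no" appended after a Match block: it only applies inside that block.
printf '%s\n' 'PermitRootLogin no' 'Match Address 192.0.2.0/24' \
    '    X11Forwarding no' 'PasswordAuthentication no' > "$dir/matched"

# 3. The existing line edited in place, above any Match block.
printf '%s\n' '# PasswordAuthentication yes' 'PasswordAuthentication no' \
    'Match Address 192.0.2.0/24' '    X11Forwarding no' > "$dir/fixed"

for f in appended matched fixed; do
    if password_login_disabled "$dir/$f"; then state="disabled"
    else state="NOT disabled"; fi
    printf '%-9s password login %s\n' "$f" "$state"
done
```

On the VPS itself, `sshd -T` run as root prints the effective configuration after `rcctl restart sshd` and is the authoritative check.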

Accessing the VPS console

If you ever lock yourself out of the VM (wrong pf rules, system crash, …) or require entering the passphrase to unlock your encrypted boot disk, you can access the VM console. Connect to the host via SSH and use vmctl(8).

$ ssh -i ~/.ssh/mykey username@serverXX.openbsd.amsterdam -p change_me

$ vmctl console vm21
Connected to /dev/ttypl (speed 115200)
root
Password:
OpenBSD 7.6 (GENERIC) #332: Mon Sep 30 08:45:17 MDT 2024
(...)
rec-obsd-ams# who
root     tty00    Nov 26 23:40
rec-obsd-ams# exit

Enter ~. to quit the console and terminate the host’s SSH session.
Enter ~~. to quit the console and keep the host’s SSH session up.

When I only need to access the console (to enter the FDE passphrase at boot or monitor a reboot), I tend to use a command such as:

$ ssh -t -i ~/.ssh/mykey username@serverXX.openbsd.amsterdam -p change_me \
  "vmctl console vm21"

Extra OpenBSD Amsterdam services

OpenBSD Amsterdam allows setting reverse DNS (PTR) entries for your VPS' IPs. Read the relevant documentation to learn more about this service and set up your DNS records. I won’t duplicate the procedure here, that would be useless.

OpenBSD Amsterdam offers additional free storage for backups. Read more about it here. You basically get dedicated SSH access to the backup server storage and can export your local VPS files using a dedicated user and an SSH connection.

Reinstall the VPS

If your VM becomes unusable for some reason, you can contact OpenBSD.Amsterdam and they will help you. But if, like me, you’re a heavy tester and a breaking things person, you may not want to bother them each time you whoops. There are options to restore your VPS on your own.

An accessible VM

If you decide you have to restart from a clean system, you can reinstall the VPS as new. Connect to the VPS console, reboot the VM and run the bsd.rd installer image.

boot> boot bsd.rd
(...)
Welcome to the OpenBSD/amd64 7.6 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? i
(...)

Run the installation the same way you’d do it elsewhere. Take care to enter the proper network configuration. IPv4 can either be DHCP or fixed IP. IPv6 has to be fixed IP, as of now. The network configuration was given in the welcome email.

(...)
Network interface to configure? (name, lladdr, '?', or 'done') [vio0] <Enter>
IPv4 address for vio0? (or 'autoconf' or 'none') [autoconf] <Enter>
IPv6 address for vio0? (or 'autoconf' or 'none') [none] ▓▒▓░░░▒▒░▓▒░▓░░▓▒▓░░░░
IPv6 prefix length for vio0? [64] <Enter>
(...)
IPv6 default router? (list #, IPv6 address or 'none') ░▓▒░▓░░▓▒▓░░░░▓▒▓░░░▒▒
(...)

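If you use the local mirror as the HTTP install source, you’ll get access to the siteXX package. This will autoconfigure a few additional things for your VM and it will nearly be restored to its original state. What won’t be restored is the unprivileged user, its SSH key and the user and root passwords. You have to set those during installation. The site set is not listed in the release’s signed checksum file, so the installer reports a failed checksum for it and asks for confirmation before continuing, as the transcript below shows.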

Location of sets? (disk http nfs or 'done') [http] <Enter>
HTTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none] <Enter>
HTTP Server? (hostname, list#, 'done' or '?') [mirror.openbsd.amsterdam] <Enter>
Server directory? [pub/OpenBSD/7.6/amd64]

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
    [X] bsd           [X] comp76.tgz    [X] xbase76.tgz   [X] xserv76.tgz
    [X] bsd.rd        [X] man76.tgz     [X] xshare76.tgz  [ ] site76.tgz
    [X] base76.tgz    [X] game76.tgz    [X] xfont76.tgz
Set name(s)? (or 'abort' or 'done') [done] +site*
    [X] bsd           [X] comp76.tgz    [X] xbase76.tgz   [X] xserv76.tgz
    [X] bsd.rd        [X] man76.tgz     [X] xshare76.tgz  [X] site76.tgz
    [X] base76.tgz    [X] game76.tgz    [X] xfont76.tgz
Set name(s)? (or 'abort' or 'done') [done] <Enter>
(...)
Get/Verify site76.tgz   100% |**************************|   515       00:00
Checksum test for site76.tgz failed. Continue anyway? [no] yes
Get/Verify BUILDINFO    100% |**************************|    54       00:00
Unverified sets: site76.tgz. Continue without verification? [no] yes
(...)

When the installation is finished, you can reboot. If you installed siteXX, OpenBSD will run syspatch and reboot if required. You now have a fully functional and clean system.
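
A set can only be verified if it appears in the checksum list, which is why the installer flags site76.tgz in the transcript above. The following is an added example, not the installer's code and not from the original post: it covers only the lookup-and-compare step against a BSD-style "SHA256 (name) = digest" list, using constructed files and a constructed list. On OpenBSD the list itself is authenticated with signify(1).

```sh
#!/bin/sh
# Added example (not the installer's code): check files against a BSD-style
# checksum list, the "SHA256 (name) = hex" format of OpenBSD's SHA256 files.

sha256_of() {    # OpenBSD ships sha256(1); other systems usually sha256sum(1)
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d ' ' -f 1; fi
}

# Print "ok", "mismatch" or "unlisted" for one file.
check_set() {    # usage: check_set <checksum-list> <file>
    want=$(awk -v n="($(basename "$2"))" \
        '$1 == "SHA256" && $2 == n && $3 == "=" { print $4; exit }' "$1")
    if [ -z "$want" ]; then echo unlisted
    elif [ "$want" = "$(sha256_of "$2")" ]; then echo ok
    else echo mismatch; fi
}

# Constructed stand-ins for release files; the contents are placeholders.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
echo "constructed base set" > "$demo/base76.tgz"
echo "constructed site set" > "$demo/site76.tgz"
echo "constructed ramdisk"  > "$demo/bsd.rd"

# Constructed list: base76.tgz is listed correctly, bsd.rd is listed with a
# wrong digest, and site76.tgz is not listed at all.
{
    echo "SHA256 (base76.tgz) = $(sha256_of "$demo/base76.tgz")"
    echo "SHA256 (bsd.rd) = $(printf '%064d' 0)"
} > "$demo/SHA256"

for f in base76.tgz bsd.rd site76.tgz; do
    printf '%-12s %s\n' "$f" "$(check_set "$demo/SHA256" "$demo/$f")"
done
```

A "mismatch" on a listed file means the download differs from what the list describes, while "unlisted" means nothing vouches for the file at all, so trust in it rests entirely on where it came from.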

A wrecked VPS

If you have wrecked your VPS so badly that you can’t even boot it, you can still reinstall it using vmctl. Log onto the host and download the OpenBSD installation kernel image. Then use vmctl to boot from it.

$ ssh -i ~/.ssh/mykey username@serverXX.openbsd.amsterdam -p change_me

serverXX$ ftp https://mirror.openbsd.amsterdam/pub/OpenBSD/7.6/amd64/bsd.rd
serverXX$ vmctl stop vm21
serverXX$ vmctl start -c -b ./bsd.rd vm21

Run the installer as usual and/or as seen previously.

Don’t forget to delete the bsd.rd file when you’re done. You’re not supposed to store things in your $HOME folder.

serverXX$ rm bsd.rd
serverXX$ exit

You can now book your VM at OpenBSD Amsterdam and have fun!