Anyone here using OpenBSD? If so, for what purpose?

I’ve always wanted to use NetBSD for an application for an embedded system / IoT device but never had the pleasure (yet!).

We use OpenBSD for our VPSes on Hetzner, bare metal (for security focussed clients) and older (but still good) hardware in our Home Lab. OpenBSD is excellent on older (no longer supported by Cupertino) Apple hardware. We have an Intel Mac Mini Cluster with near-perfect uptime. If you need to run any kind of server (Web, Mail, DNS, NFS, Database) where you need stability & security, look no further. Some learning curve, but totally worth it.

I use it on my personal laptop, essentially because I like how slim and simple it is.

Packaging is simple, kernel development and upgrade is simple, etc. Also the kernel code itself is written in a style I like, it's to the point, no useless abstractions, no fuss. I prefer it even amongst other BSDs I tried (netbsd and free*lbsd/dragonfly).

It just feels nice to be able to understand most of your system. It's not as fully featured as Linux, but there is a sense of understanding your system that is refreshing. A bit like if you're on vacation in a small and cute village where life is mundane and calming. At least that's how I feel with it. Mileage may vary.

I run it. Home firewall, office desktops and laptops. It's pretty stable and I'm fairly familiar with it. Really simple if you know Unix. I hope it never goes away, not sure what I would replace it with. Linux is so complicated now, it's just too much for me to deal with

Authoritative DNS (nsd) and email (opensmtpd) runs out of the box with minimal config on very low ram kvms. The documentation is fantastic, installation is easy; sysupgrade has been a big improvement, though I wish they'd slow the release cycle a little

My wife and I are building a wedding rentals company. I'm responsible for the digital part and building a Ruby on Rails app deployed to OpenBSD. The entire thing runs on a cheap Supermirco U1 server in a rack at our home. :-)

open-bsd will always feel like a safe pick for anything in regard to vault or key holding ; it's not appropriate to run anything CPU intensive - but it's a very appropriate system for anything that just need to boot up and hold some data ; eventually expose a network interface.

I use it for my home router, a small home server, a personal VPS at https://openbsd.amsterdam and a development VM (mostly for testing BSD backends on portable software).

I wish I had an OpenBSD development laptop, but I don't have one right now.

It is, by far, my first choice for a router/firewall. It has so many niceties for this, all well integrated OOTB, and you can deploy something top notch in no time at all.

Been running it as my home router since 2.3. I had it on a server for a very short time when I used hardware RAID but I replaced that quickly with FreeBSD for ZFS once I could afford to replace that old Dell.

I ran it on my personal laptop for several years when I had one, but having a work laptop for these past decades I don't have much use for a personal laptop. I would probably run it again on a nice portable when I retire. It would be nice to focus on being creative on such a machine. Coding and drawing mostly. I will continue to use Linux in my recording studio though.

I use it for my mailserver (thank you openbsd.amsterdam), for the gateway in my homelab, a dedicated OpenBSD VMD machine in my homelab, and on personal machines (Macbook Air M2, a Thinkpad X220 and on a T480 that dualboots OpenBSD/FreeBSD).

For mailserver I think it is the best option. And for Gateway, PF is just wonderful.

But even on my laptops I enjoy it. It is rock solid, and I have pretty much no complaints.

I use it. It's secure, and if your hardware is supported it mostly just works. A good unix experience if you're willing to learn its intricacies

Web/SSH/mail server using the built in httpd, sshd and smtpd. Very happy with it.

And on my laptop, occasionally, to experience it in person.

Single tenant(and single core) tiny VMs with OpenBSD's VMM hypervisor and confidential computing through AMD-SEV.

I do. Multiple things:

Work: I need a simple easy to use system that I can configure to meet third party compliance requirements without jumping through hoops. It really excels when you can mostly use the base system there, maybe couple services. For example it's so nice to just have a couple pledge/unveil lines for example in a Go service.

Also super nice for "set and forget" style stuff. For example "I just need a HTTPS server with acme and SFTP". That's something you get out of the box with no third party packages (so everything vetted, pledge/unveil for everything, maintenance just running syspatch and sysupgrade), which is really nice.

Personal: Private mail server, family website, a quick and dirty "watching streams together" service I set up to watch stuff with people not in the same place as I am. prosody to have XMPP for friends and family.

I would NOT use it for "people throw stuff at you" use cases (Linux and FreeBSD do a far better job there). But I absolutely love it for scenarios where you want very very low maintenance. For example that private email server. I don't have time to do big upgrade plans, or "hardening" systems or reinventing the wheel. I cannot afford to do privately what I do in a day job or consulting (setting up or maintaining really rather complicated infrastructure).

I have done that many years with Debian, but the Linux world sadly is a big complex and complicated mess. That's great, when I get paid to deal with it, but annoying otherwise.

And I don't mean that bashing wise. I use Linux, I like Linux, but somehow there is a huge drive to overengineering and then building hacks and weird workarounds that become normalized until it's a proper job. Without wanting to start a flame war, but the whole Docker, Containers, Kubernetes, Helm, Orchestrators, etc. story is a lot of reinventing the wheel and a static executable like a Go service in a container, so essentially coming with a whole Linux distribution even though one never thinks about it that way is just really absurd. That's what executables, processes, etc. were invented for.

And since I've lived through the story and as mentioned make a limit, I understand how that came to be, but it feels like the industry took a wrong turn because it was cool and exciting and then (nearly) everyone decided to use that hammer for everything one could imagine to be a nail. And then the next layer came and the next and the next. But all of them doing things differently. And suddenly to have a Postgres cluster you need Kubernetes, and Helm, but also need to know both PG config and the orchestrator's config, etc.

It's a mess and the OpenBSD people somehow knew that decades before I did.

I've been running OpenBSD on my main laptop for about a decade, as well as on routers. It has the most consistent and well-designed interfaces of any modern *nix other than arguably macOS.

I use it for home router, my laptop, several vms for various services, and on one vps I keep around should I need to quickly set something up. I keep a proxmox server for anything I can’t or won’t run on OpenBSD.

I use OpenBSD for my home server. Runs everything from httpd to a Minecraft server.

Not really, but OpenBSD has been in my life for 25 years.

I used OpenBSD to create the firewalls for our LAN parties when I was at school.

The first shellserver I ran, on an UltraSparc IIi was OpenBSD, gave out accounts to my friends.

And then I used it as a firewall, both professionally and personally, for many years. Until the first Turris Omnia was released, and now I have retired even Turris for pfSense, which is FreeBSD I believe.

But the PF firewall in OpenBSD was superior, definitely to the syntax of IPtables.

To me Linux was a great server OS, and OpenBSD was a great FW/Gateway OS.

Runs well on my Lenovo T-490. I use this as my main non-Windows laptop.

My home router, firewall and VPN gateway is an OpenBSD box, Intel N100 with quad 2.5G Ethernet. To be frank, Linux has better support for fighting bufferbloat with FC-CoDel, but pf is so much saner than Linux firewalls it's not even close.

WiFi is handled separately by a Ubiquiti UniFi system, but I don't trust Ubiquiti not to exfiltrate data after their underhanded attempt to turn telemetry on a few years ago. OpenBSD WiFI is somewhat mediocre, but it has improved in this release with experimental support for WiFi 6 after years of being stuck at 802.11n.

The closest you will get to the OpenBSD experience on Linux is with Alpine Linux.

Running OpenBSD 7.9 with KDE 6.6.4. Desktop usage.

It has been my daily driver for years.

I’ve been using it on an old PC Engines router (great hardware, by the way! I wish they were still around.)

It ran for over 8 years without downtime, but I’ve had repeated problems in the last year or so.

I used the default partitioning scheme, which makes /usr tiny, and /var huge, and since it is a router, did not install X11.

At some point, they made x11 mandatory for auto updates. This is dumb, because all the upgrade tool is doing is untarring a list of tarballs. So, I had to perform partition surgery from the upgrade ramdisk to make room for X11.

Now, they made some ASLR relinking scheme mandatory, which makes sense, except the relink directory is 1.5GB (larger than the entire rest of the distribution, and far larger than the parts I voluntarily installed!).

For some reason the relink output files go in /usr, which, by default, won’t hold it at upgrade. It really belongs in /var, because it is not immutable, and also, there’s room there! So, I had to repartition the router from a rescue environment again.

They also removed the ability for ntp to sync on machines without cmos clocks, and the alternate config options don’t seem to work. That’s a bit more niche, granted, but my router hw is reasonably common for openbsd use and has that property. You can make it work by using a second utility to force clock sync at boot.

I like that they keep things simple, but they also recently pulled out any semblance of power loss safety for their file system. I’ve had to serial console in a few times to run fsck, which isn’t really the behavior I want from the home router!

They don’t have any way to setup DDNS in the base install, so you have to use a port or pkg. The port I chose was EOL’ed by upstream (ISC), so I’ll probably need to switch to dnsmasq as a dhcp server / dns server, which is fine, but those services are a significant fraction of the attack surface of my router. DDNS seems like a pretty simple thing to implement, and would be really high value for router use cases. Without it, I’d have to assign static addresses to everything on the LAN, then edit DNS records.

I think all this stuff is fixable, but wish they’d take the niche of “rock solid secure infrastructure” a bit more seriously. This used to be a nice “set and forget” weekend project but now it requires attention every few release cycles.

7.8 barely managed to fit in my duct tape and bailing wire partition layout. I’m probably going to switch to freebsd on a box with faster NICs when I finally get a > 1GBit internet connection (hopefully in the next year or so).

If I upgrade to 7.9, I’ll have to give up on using the openbsd hypervisor, since, with the partition scheme that the installer chose, there will no longer be a partition large enough to hold the download sets and also the vm image.

This is particularly frustrating because the boot drive is under 50% full. I’d just do “one big partition”, but they warn against that for good reason - it complicates manual fs repair at boot.

Anyway, I really like the project. It would be nice if they did a “fix common papercuts” release, since I doubt many users are as patient as I am.

If you are looking to install it, either use fewer partitions, or way over provision storage (I was 10x over provisioned at install, and the stuff I use hasn’t grown more than 10-20%) and also make sure you choose much larger partition sizes than recommended. This will add under $100 to your hardware cost, even with the storage shortages.

I needed to create a backdoor network-level KVM contraption to help my dad relocate some servers. tl;dr an office was closing down, he pulled the rack and stood it up in his basement. I mailed him a unifi edgerouter 4 that was reflashed to run openbsd. On boot it would create a vpn tunnel to a vps and basically expose a public WAN port to the rack. So it was in my dads garage on his Fios internet, but from a networking perspective it thought that it was in a Linode datacenter.

The ER4 has 3 ports: 1 was for the uplink, one exposed the WAN connection to the rack, and then the 3rd port became a client inside of the network. I could shell into it from home (he's on the other side of the country) and operate from the residential network and also the server network simultaneously. Worked well enough for a few weeks to keep access around until we could engineer a better solution.

Configuring OpenBSD was really quite simple and rewarding. No insane linux network stack / netplan / cloud-init / bs ... just a few conf files.

obligatory pic: https://i.imgur.com/Mkf9ckc.jpeg