Openbsd Root Password Recovery

if you ever have to recover your root password …

Root PW Recovery

boot> boot -s

Enter pathname of shell or RETURN for sh: [ENTER]

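# Single-user recovery: check both filesystems first, then make / writable and
# mount /usr so that passwd(1) (lives under /usr/bin) can rewrite the password db.
fsck -p /
fsck -p /usr

# / comes up read-only in single-user mode; -uw remounts it read-write in place
mount -uw /
mount /usr

# the actual recovery step (the page's title promises it but the line was lost):
# set a new root password, then reboot as described below
passwd root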


and finally: reboot


need to run fsck ?

# interactive check of one partition (sd1a is the page's example; use the
# partition that needs repair, unmounted or from single-user mode)
fsck /dev/sd1a
# -y answers "yes" to every repair prompt: non-interactive, but every fix fsck
# proposes is applied without asking
fsck -y /dev/sd1a


need to fix your fstab ?

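boot -s
# / is read-only after a single-user boot; remount it read-write *before*
# touching anything else (the page had `mount /` after `mount /usr`, which
# fails on an already mounted root and leaves /etc/fstab unwritable)
mount -uw /
mount /usr
# vi needs a terminal type; vt100 is a safe choice on the console
export TERM=vt100
/usr/bin/vi /etc/fstab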
fix it !

Smokeping Debian Nginx

Smokeping in 5min, with Dual Stack on Nginx


All in one Installer

Run it at your own risk …

chmod 700   # NOTE(review): the installer's filename was dropped on this page -- the downloaded script path belongs here as the operand

or Setup by Hand

Install Packages

# packages for the smokeping host: the probes it runs (fping, echoping, hping3,
# mtr, ...), the nginx + fcgiwrap front end, and some general admin tools
pkgs=(
  borgbackup curl echoping fcgiwrap fping hping3 htop lynx mlocate mtr
  nginx rsync smokeping tmate tree tshark unzip vim vnstat wget zip
)
apt-get install "${pkgs[@]}"

Configure Nginx

export MYSITENAME=""
wget ""
sed -i -- s/smokeping\.example\.com/${MYSITENAME}/g best.conf
chown root: best.conf
mv best.conf /etc/nginx/sites-available/${MYSITENAME}.conf
ln -s "../sites-available/${MYSITENAME}.conf" "/etc/nginx/sites-enabled/${MYSITENAME}.conf"
nginx -t && systemctl restart nginx

Some Smokeping Fixes

# NOTE(review): presumably smokeping's pid/socket directory; /var/run is volatile on
# Debian, so this is needed after every boot unless a tmpfiles rule exists -- confirm
mkdir -p /var/run/smokeping

Tune General

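# Write the General section. 'EOF' is quoted, so the content is written literally.
# The heredoc on the page had no terminator; the EOF line below closes it.
# NOTE(review): cgiurl is plain http here -- if nginx terminates TLS, point it at the
# https URL so the links smokeping generates match the site. The contact address
# appears masked by the page's e-mail obfuscation; put a real address there.
cat << 'EOF' > /etc/smokeping/config.d/General
*** General ***

owner    = Franz Musterer
contact  = [email protected]
mailhost = smtp-relay-host

# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
cgiurl   = http://somekping.planet/smokeping/smokeping.cgi

# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no

@include /etc/smokeping/config.d/pathnames
EOF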

Tune Databases

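# Write the Database section: 59 pings every 60 s, and the RRA rows that follow.
# The page's heredoc lacked its terminator; the EOF line below closes it.
cat << 'EOF' > /etc/smokeping/config.d/Database
*** Database ***

step     = 60
pings    = 59
#step     = 300
#pings    = 20

# consfn mrhb steps total

AVERAGE  0.5   1  1008
AVERAGE  0.5  12  4320
    MIN  0.5  12  4320
    MAX  0.5  12  4320
AVERAGE  0.5 144   720
    MAX  0.5 144   720
    MIN  0.5 144   720
EOF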

Tune Probes

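# Write the Probes section. The page's heredoc lacked its terminator (added below),
# and the "+ <ProbeName>" headers of the second and third echoping sections were
# lost, which would leave duplicate keys inside EchoPingHttp and fail to parse.
# The headers below are restored from the settings each section uses (port 443 ->
# EchoPingHttps, dns_* -> EchoPingDNS); confirm them against the original config.
cat << 'EOF' > /etc/smokeping/config.d/Probes
*** Probes ***

+ FPing

binary = /usr/bin/fping

+ FPing6
binary = /usr/bin/fping
protocol = 6

+ EchoPingHttp

binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300

# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 80
priority = 6
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1

# NOTE(review): header restored -- it was missing on the page; confirm the probe name
+ EchoPingHttps

binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300

# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 443
priority = 6
prot = 3443
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1

# NOTE(review): header restored -- it was missing on the page; confirm the probe name
+ EchoPingDNS

binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300

# The following variables can be overridden in each target section
dns_request =
dns_tcp = no
dns_type = A
extraopts =
ipversion = 4
pings = 5
plugin = /usr/lib/echoping/
pluginargs = -p
priority = 6
timeout = 1
tos = 0xa0
waittime = 1
EOF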

Tune Targets

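# Write the Targets section. The page's heredoc lacked its terminator (added below).
# NOTE(review): the "host =" values were stripped on the page and must be filled in;
# the "+ <Name>" header of the HTTP section (before "menu = HTTP") was lost and is
# restored here as "+ HTTP" to match its menu entry; the multi-target host lists end
# in a trailing "\" before a blank line, so a third entry was probably dropped too.
cat << 'EOF' > /etc/smokeping/config.d/Targets
*** Targets ***

probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of xxx Company.          Here you will learn all about the latency of our network.

+ Local
menu = Local
title = Local Network

++ LocalMachine

menu = Local Machine
title = This host
host = localhost

+ Inet
menu = Internet
title = some Hosts on the Net
probe = FPing

++ google
menu = google
title = google,
host =

++ switch
host =

++ uzh
host =

++ blick
host =

+ IPv4
menu = IPv4 Hosts
title = Hosts running IPv4
probe = FPing

++ multi
menu  = MultiTarget
title = Multiple Targets
host  = /IPv4/host1 \
        /IPv4/host2 \

++ host1
host = host1.planet

++ host2
host = host2.planet

++ host3
host = host3.planet

+ IPv6
menu = IPv6 Hosts
title = Hosts running IPv6
probe = FPing6

++ multi
menu  = MultiTarget
title = Multiple Targets
host  = /IPv6/host1 \
        /IPv6/host2 \

++ host1
host = host1.planet

++ host2
host = host2.planet

++ host3
host = host3.planet

# NOTE(review): header restored -- it was missing on the page
+ HTTP
menu = HTTP
title = some HTTP Probes
probe = EchoPingHttp

++ google-com
host =

++ uzh
host =
EOF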

Restart Smokeping

# pick up the rewritten config.d files (the unit name is the same with or
# without the .service suffix)
systemctl restart smokeping.service



Json Query

some basics about JQ

RAW Data

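# first three records; jq reads the file itself, no cat needed (the filename is
# quoted because of the '#' characters)
jq '.[0:3]' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json'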
[
  {
    "val": 2.64,
    "ack": 1,
    "ts": 1607900404883,
    "q": 0,
    "user": "system.user.admin"
  },
  {
    "val": 2.61,
    "ack": 1,
    "ts": 1607900410483,
    "q": 0,
    "user": "system.user.admin"
  },
  {
    "val": 2.58,
    "ack": 1,
    "ts": 1607900416083,
    "q": 0,
    "user": "system.user.admin"
  }
]

Query First Record

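# the first record only; jq reads the file directly instead of via cat
jq '.[0]' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json'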
{
  "val": 2.64,
  "ack": 1,
  "ts": 1607900404883,
  "q": 0,
  "user": "system.user.admin"
}

Filter val and ts

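# ts and val of the first record, one value per output line (no cat needed)
jq '.[0] |.ts,.val' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json'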

Filter val and ts on one line

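# ts and val of the first record joined into one "ts;val" string (no cat needed)
jq '.[0] | (.ts |tostring) + ";" + (.val |tostring)' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json'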

Filter first 10 val and ts on one line

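# "ts;val" for every record, first ten lines only (no cat needed)
jq '.[] | (.ts |tostring) + ";" + (.val |tostring)' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json' | head -10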

Filter first 10 val and ts on one line

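# ts and val as two tab-separated columns: jq emits them on alternating lines and
# paste - - folds each pair onto one line (no cat needed)
jq '.[] |.ts,.val' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json' | paste - - | head -10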
1607900404883	2.64
1607900410483	2.61
1607900416083	2.58
1607900421739	2.62
1607900427335	2.62
1607900433003	2.57
1607900438543	2.72
1607900444131	2.67
1607900449791	2.6
1607900455383	2.55

Current over 50A

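# records with val >= 50, one compact JSON object per line. The page wrote '50'
# inside the filter, which only closed and reopened the shell quotes; the number
# needs no quoting at all.
jq -c '.[] | select(.val >= 50)' 'history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json'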

Wireguard Puffy to OPNsense

WG Tunnel between OpenBSD and OPNsense

How to set up a WG Tunnel between OpenBSD and OPNsense ? That’s quite simple …


Install Packages

# the trailing "--" selects the unflavoured package (OpenBSD pkg_add flavour syntax)
pkg_add wireguard-tools--

Gen Key One-liner

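# generate a keypair; the subshell-local umask 077 creates privatekey as 0600 from
# the start instead of with the inherited (often world-readable) default mode
( umask 077; wg genkey | tee privatekey | wg pubkey > publickey )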

Build Interface

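# the peer's values; the page leaves them to the reader, so fail loudly while unset
: "${remote_ip:?set remote_ip to the OPNsense endpoint address}"
: "${remote_net:?set remote_net to the network behind OPNsense (CIDR)}"

# 32 random bytes in base64 -- the form wg(4) accepts as the private key; the
# matching public key (to give to OPNsense) is printed by `ifconfig wg0` below
r=$(openssl rand -base64 32)

# EOF is unquoted on purpose: with the page's quoted 'EOF' the file literally
# contained "${r}", "${remote_ip}" and "${remote_net}" and the interface got no key.
# NOTE(review): no `inet` address for wg0 appears on the page, and the `!route add`
# line names no gateway -- confirm both against hostname.if(5) and route(8).
cat << EOF > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey   ${r}
wgport  51820
wgpeer  xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net}
!route add ${remote_net}
EOF
# the file now holds the private key: root-only like the other hostname.if files
chown root:wheel /etc/hostname.wg0
chmod 0640 /etc/hostname.wg0

sh /etc/netstart wg0
ifconfig wg0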

update pf.conf

# skip on wg Interface
# NOTE(review): "set skip" turns filtering off on wg0 entirely, so traffic arriving
# through the tunnel is never matched against the ruleset; if the remote network is
# not fully trusted, leave wg0 out of this list and write explicit pass rules for it
set skip on { lo0 wg0 }

# Wireguard
# $remote_ip is a pf macro and must be defined earlier in pf.conf (the page does not
# show that line); only the peer's address may reach the WG listener on udp/51820
pass in log quick inet proto udp from ${remote_ip}/32 to (self) port 51820


Install Wireguard

Menu System -> Firmware -> Plugins -> Install Wireguard


Need a small and smart utility to manage your ssh keys under linux ? got some scripts and cronjobs which require a local ssh key ? have a look at keychain !

Install Software

depending on your OS …

macos$ brew install keychain
debian$ sudo apt-get install keychain
openbsd$ pkg_add keychain
freebsd$ pkg install keychain

edit startup Scripts

$HOME/.bashrc $HOME/.bash_profile /etc/profile $HOME/.profile

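# append the keychain bootstrap to ~/.bashrc. 'EOF' is quoted so the content is
# written literally; the page's heredoc had no terminator and left $HOME unquoted.
cat << 'EOF' >> "$HOME/.bashrc"
# Keychain Startup
eval `keychain --eval id_ed25519`
EOF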

check service

$ keychain
$ ssh-add -L

add to .profile

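# append to ~/.profile. The page used the relative path ".profile", which depends on
# the current directory; the heredoc also lacked its terminator.
# NOTE(review): `echo -e` is not portable -- under dash (Debian's /bin/sh) it prints a
# literal "-e"; printf '%s\n' is the safe form if .profile is read by a POSIX sh.
cat << 'EOF' >> "$HOME/.profile"

# Keychain Loaded ? Load and show Key ...
eval $(keychain --eval id_ed25519)
echo -e "loaded keys: `ssh-add -L |cut -c 1-12,77-`\n"
EOF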

List Keys

# show the keys currently held by the agent keychain manages
keychain --list

List Fingerprints (Public Key ?)

$ keychain --list-fp

Set Timeout

Timeout for SSH Agent

OpenBSD 6.8

OpenBSD 6.8 released

OpenBSD has two new releases every year, historically on 1 May and 1 November, with a few small exceptions in the past. Check Wikipedia

so, the latest OS appeared today: OpenBSD 6.8

Perform a Full Upgrade (incl. X Stuff)

# -r: upgrade to the next release (as opposed to -s, a snapshot); downloads the sets
# and reboots into the installer
sysupgrade -r

Run the Script (at your own risk !)

doas su -
mkdir /root/bin
# fetch the upgrade script; the URL and the script's filename were dropped on this
# page, so both ftp -o and chmod are shown with an empty target. The commented-out
# lines are the intended sequence: run it, reboot, run it again, remove it.
ftp -o /root/bin/
chmod 740 /root/bin/
# /root/bin/
# *** reboot ***
# /root/bin/
# rm /root/bin/

or use some custom Script (just xbase and no other X Stuff)

doas su -
mkdir /root/bin

# NOTE(review): the script below is incomplete as shown on this page -- the heredoc's
# closing EOF, the closing braces of prepare/download/postwork, the body of install(),
# the bodies of the if/elif under "Main" and the target filename after /root/bin/ are
# all missing. Restore them from the original before using it.
cat << 'EOF' > /root/bin/

# pre-upgrade cleanup: files removed by hand before the 6.8 upgrade
# (libperl.a and the xkbui library, pkg-config file and header)
prepare () {

  echo "let's upgrade to 6.8 ..."

  rm -f /usr/lib/libperl.a

  rm /usr/X11R6/lib/libxkbui.*
  rm /usr/X11R6/lib/pkgconfig/xkbui.pc
  rm /usr/X11R6/include/X11/extensions/XKBui.h


# fetch the sets without rebooting (sysupgrade -n) and inspect its output
download() {

  # note: 'local x=$(cmd)' masks sysupgrade's exit status -- only the text is checked
  local _response=$(sysupgrade -n)

  # matches when sysupgrade's output ends in "reboot", i.e. sets are staged
  if [[ $_response == *reboot ]]; then
    echo "\nInstalled! Let's reboot ...\n"
    # drop the comp*, xf* and xs* sets so only xbase (no other X sets) gets installed
    rm /home/_sysupgrade/{comp,xf,xs}*
    # NOTE(review): the else branch that should precede this echo seems to be missing
    echo "Nothing todo ..."


install() {

# post-upgrade steps, run after the reboot into 6.8
postwork() {

  echo "let's do some postwork after upgrade to 6.8 ..."

  # recreate device nodes for the new release
  cd /dev
  ./MAKEDEV all

  # root partition from mount(8) output, e.g. sd0a; ${_boot%?} strips the partition
  # letter so installboot gets the disk (sd0) and refreshes the bootblocks
  _boot=$(mount |awk -F'[/ ]' '/ on \/ / {print $3}')
  installboot ${_boot%?}




  # -u: update installed packages to the new release's versions
  pkg_add -Vu

  # -a: remove packages that were only installed as dependencies and are no longer needed
  pkg_delete -a

  # rebuild the locate database in the background
  /usr/libexec/locate.updatedb &


# Main
# NOTE(review): 'local' outside a function is accepted by OpenBSD ksh (alias for
# typeset) but is an error under bash -- confirm which shell runs this script
local _ver=$(uname -r)

# '==' inside [ ] is a ksh extension, not POSIX sh
if [ "$_ver" == "6.7" ]; then


elif [ "$_ver" == "6.8" ]; then



exit 0

# the script's filename was dropped on this page (chmod shows an empty target); the
# commented-out lines are the intended sequence: run it, reboot, run it again, remove it
chmod 740 /root/bin/
# /root/bin/
# *** reboot ***
# /root/bin/
# rm /root/bin/


you should do a few checks afterwards:


Assuming you have a Website with higher load, a higher demand for availability, or both, you can do the following:

  • Duplicate your Webserver (and the Content of Course) as much as you need
  • Put a Loadbalancer in front of the Webservers, best in Combination with a Firewall Ruleset
  • Terminate TLS on the Loadbalancer once, or on each Webserver directly. Whatever you prefer.
  • You can also double the Loadbalancer with two Boxes to get redundancy on this level.

Network Diagram

                   |       www      |
                   | | vio0
                   |  Loadbalancer   |
                   |    | vio1
        |                   |                   |
        |                   |                   |
+-------+-------+  +--------+-------+  +--------+-------+
|     www1      |  |      www2      |  |      www3      |
|   |  |   |  |   |
+---------------+  +----------------+  +----------------+

Config Web1 - 3

You can run any Kind of Webserver you want. Apache, Nginx, Httpd, … here is the Config for Nginx on OpenBSD.

SSH Server behind Firewall

got a Server behind NAT / Firewall ? Need Shell access to it … ?

Server behind NAT/FW

# reverse tunnel: port 1234 on the jumpbox forwards to the server's own sshd (:22).
# With sshd's default GatewayPorts=no the listener binds to the jumpbox loopback
# only, so nobody outside the jumpbox can reach it; the tunnel lives only as long
# as this ssh session does
user@server$ ssh -R 1234:localhost:22 my.public.jumpbox

Access Server

ssh my.public.jumpbox

# from the jumpbox, "localhost:1234" is the reverse-forwarded port, i.e. the server's sshd
user@jumpbox$ ssh -p 1234 localhost


and you’re in :)

another component of OpenBSD is relayd. it’s an integrated Loadbalancer & Proxy Service, like F5, Nginx and Others. But just like other BSD Services, straight, simple and easy to use … wanna see … ?

Set up 4 VMs, one Loadbalancer and 3 Webservers. The Webservers should serve the same content, while the Loadbalancer checks whether a Webserver is running and directs traffic to that host or not.

the configuration on the loadbalancer is simple like that: