Why would anyone want to use BSD?


Disclaimer:

First of all, this is a rave, a hyped and biased praise, full of opinionated zealotry; I figured that's just what the internet needed :) On a more serious note, adjectives are relative, so read them in context (Linux is bloated compared to OpenBSD, as OpenBSD is bloated compared to FreeRTOS).* I also find that those most violently opposed to BSD, and UNIX in general, are usually the ones who have never seriously tried it. Don't criticize a system you have never used. At any rate, I am merely expressing my personal thoughts in a blog, so take my opinions for what they are worth.

My Numero Uno OS

It is quite impossible to nominate the numero uno operating system, simply because the term is too broad. Windows can probably run the most programs, and MacOS might be the prettiest of them all, but that doesn't mean that they are the "best" in all other aspects. No system is perfect; they all have different strengths and weaknesses, and more importantly, their strengths are weaknesses from a different angle. To quote Obi-Wan Kenobi: "You're going to find that many of the truths we cling to depend greatly on our own point of view." Finding the right OS is therefore not a question of finding the "perfect" system, but rather one with strengths that you care about and weaknesses you can live with. I cannot tell you which is your numero uno operating system, but I can tell you about mine.

Well, honestly my favorite is Plan 9, but I do not recommend this to others unless they are certifiable*. Let's face it, sane people "need" a working web browser, office suite, games and thousands of other popular day-to-day apps. So we're talking mainstream operating systems today, and not my usual weird stuff. What's my numero uno (mainstream) OS? OpenBSD. Now, I know what you're thinking, but hear me out. Articles about OpenBSD on the net usually talk about security and/or networking, but I don't care much about that. I'm just an average computer hobbyist who wants to boot up a desktop and goof around. And yes, OpenBSD is my numero uno choice in this capacity. I'll get to the "why" in a moment, but first, let's start with a short howto:

OpenBSD Desktop Guide

Take five minutes out of your busy day; install OpenBSD by hitting Enter a few times.

The End

There isn't much more to say. I mean, surely I don't need to explain how you use Google Chrome, VLC, GNOME, Battle of Wesnoth, LibreOffice, etc, etc..? Just install OpenBSD and use it, run man afterboot and help if you need to, and be sure to check out the FAQ. IRC (channel #OpenBSD) and mailing lists are also available, just remember to ask stupid questions politely. You may have questions or even objections to my guide though, so let's look at some of them:

  1. I don't like the default desktop!
     No problem. You will find about 50 alternatives in the Ports collection; here is a YouTube video showing how to install the Xfce desktop, for instance. The process isn't much more difficult than installing an alternative desktop in a Linux distro (if you must use KDE, go with FreeBSD).

     Update: KDE has finally been ported to OpenBSD 7.5!

  2. OpenBSD doesn't support my hardware!
     Ah, you are one of the unlucky ones then. You could try to work this out with the developers, who will appreciate your patient support, or you could fork out ~400$ on a second hand ThinkPad.

     Pro tip: Update the BIOS firmware before attempting to install an esoteric OS; you'd be surprised how many nasty hardware issues it solves!

  3. OpenBSD doesn't have the programs I need!
     That could be true. There are ~10,000 packages available in the Ports collection, but if that doesn't meet your requirements, you can give FreeBSD a try. It has ~40,000 packages and can also run Linux and Windows (with wine) binaries.

  4. OpenBSD doesn't have the features I need!
     Well again, I don't know what kind of features you need. FreeBSD has some important industry features lacking in OpenBSD, such as ZFS and jails. Personally, I am quite content with backups and chroot(8) + unveil(2), but maybe FreeBSD is a better fit for your requirements.

  5. OpenBSD is slow and crashy!
     No, some programs are slow and crashy in OpenBSD. I'll get back to this issue later, but if you are having a lot of problems here, you may want to give FreeBSD a try.

  6. The installer is all text!
     What are you trying to say? That you can't read English? How did you manage to get this far into my article..? Well anyway, it's possible to set up a nice GUI desktop with non-English support in OpenBSD, but you may need a bit of hand-holding from an English speaking friend to get to that point.

  7. No, what I mean is, OpenBSD is UGLY! And it's all TEXT! I HATE IT!!!
     Ah, OK. Look, everyone is entitled to their opinion. For what it's worth, here is mine: OpenBSD is not ugly, it's plain. There is a difference. In my mind, saying that you will not work with a plain looking OS that gives you textual feedback is a bit like saying, "I'm not working with a secretary that doesn't wear makeup, and who TALKS back to me!" If that is your attitude, I'm not sure I can help you. Might I suggest a Mac perhaps?

But why..?

Why on Earth would I want to use BSD when Linux has newer, more, and at times faster, applications? For two reasons: first, OpenBSD is a lot easier, and second, I love UNIX. BSD users actually read manpages and source code, not because they are Teenage Mutant Ninja Nerds, but because manpages and source code in BSD are actually readable. Really, if you need to work as a sysadmin, or if you just want to learn how a UNIX system works, going BSD instead of Linux will save you a world of hurt! I have tremendous respect for anyone who can work efficiently in that Brazilian penguin nightmare (the movie, not the country), but a lazy bum like me hasn't got a chance!

I am not saying Linux is less capable, on the contrary, it's precisely because Linux tries hard to do everything and please everyone that it's such a bloody mess. More features means more complexity means more headache. OpenBSD has constraints like none other and is therefore elegant and pleasant like none other. It's tempting to give you a long list of examples, but I'm not going to bore you. Just fire up OpenBSD and poke around long enough to get over that first unfamiliarity bump, and you cannot fail to appreciate the beauty (if you want to read about the benefits though, Peter Hansteen wrote a recent blog about it: part 1, part 2 and part 3 - it's all about security and/or networking). Of course, hitting the sweet spot between simplicity and functionality, is a tricky balance. Pros and cons must be weighed carefully, so let's look at some specifics:

Speed

Cons

Unlike the FreeBSD developers (and everyone else), the OpenBSD camp is not overly preoccupied with speed. Specifically, they have been slow to adopt multiprocessing support in the kernel. For an operating system to balance many processes across many cores efficiently, it needs a great deal of sophistication. The OpenBSD devs take a careful and simple approach to the problem. More sophisticated SMP has been introduced step by step, and the OpenBSD kernel is getting there, but they are in no immediate rush to compete with FreeBSD.

Because OpenBSD is developed so carefully, you will see a drop in performance in other areas as well. An obvious example is the many security mitigations throughout the system. Boot time is quite bad, for instance, since the kernel is relinked after every reboot. A more surprising example is that the filesystem doesn't do journaling by default. Certain ports, especially big programs like browsers and desktops, might also struggle with performance on OpenBSD (usually due to a combination of OpenBSD being an unsophisticated brute, and the program in question being a misbehaving brat). The developers do not seem to lose any sleep over this.

Pros

The small drop in performance is the price for greater simplicity, stability and security. Even if the OpenBSD developers could outperform FreeBSD, they would have to sacrifice that which makes their operating system so great. Don't get me wrong, speed has value too. And if you have a big server farm that needs to burn the metal in order to compete, then go with FreeBSD; it rocks under that kind of pressure. But personally, I don't much care if a program is 1% slower on my OpenBSD box. And though security mitigations have a performance cost, it's by no means prohibitive. OpenBSD can run on a VAX, and it's more than fast enough for my humble needs.

Compatibility

Cons

Compared to the other BSDs, not to mention Linux, OpenBSD has few packages in its repository. And there are some big candidates missing, such as wine and KDE Plasma (update: KDE was ported just recently). Such limitations are compounded by the fact that OpenBSD, unlike the other BSDs, cannot run Linux binaries (but like the others, it also lacks common virtualization options, such as Docker/jails or VirtualBox/KVM).

In a related topic, the OpenBSD developers show little regard for industry standards and backward compatibility, which makes it harder to port software and less desirable to do so (who knows if it will run in the next release...). If that wasn't bad enough, the developers are totally adamant in their refusal to allow binary blobs into their kernel, which makes it impossible to run important 3rd party drivers, such as anything from Nvidia.

Pros

Although the ports collection is small compared to its competitors, we are still talking about ~10,000 packages, including ~50 desktops and ~400 games. Make no mistake, whatever you need to do with a computer, OpenBSD has your back, all 99% of the way! Speaking of which, you might be able to use OpenBSD's pledge, unveil and vmd to do your containerizing and virtualization. You won't know until you've tried.*

PS: See Running Windows and Linux programs in the mini FAQ below for vmd tips.

The repo limitations are mainly due to the developers' uncompromising stand on quality (the OpenBSD team has a strong aversion to anything closed source, not because of moral zealotry, but because you cannot check the quality of proprietary code). There is a very good reason why flash, wine and Oracle Java have never been supported, and why Linux emulation was eventually dropped. If OpenBSD does not run something, then you probably shouldn't be running it, regardless of operating system (and yes, tossing binary Nvidia wrenches into the cogs of a running kernel is a bad idea!). I find this idealistic stand useful: through negative reinforcement, OpenBSD teaches me which applications I need to avoid. The lack of strict standards compliance and backward compatibility is just another way of saying progress.

Stability

Cons

You do not have to use OpenBSD very long before you notice programs crashing, especially if you use huge bloated stuff like web browsers and desktops. Not only is this annoying, but it might make you seriously question the quality of the operating system!

Pros

OpenBSD is renowned for being the world's most secure operating system; it has earned that reputation by actively combating faulty software. You know, faulty software, such as: your web browser and desktop. If an application does anything to threaten the operating system, by violating memory or doing something else it's not supposed to, OpenBSD will summarily kill it on the spot. The crappiness of these programs may be more noticeable in OpenBSD because it runs a tight ship, but the very same problems, though unnoticed, may cause serious security breaches, memory leakage and other issues on operating systems that tolerate such misconduct. Don't laugh at the dead canary, or conversely, goldfish, in the coal mine; take heed!

Sex Appeal

Cons

Both the default window manager and OpenBSD's website look like an eyesore from the 90's! It's like they go out of their way to make it look ugly! Ugh! Seriously, what kind of circus freaks would use this?!? If that wasn't bad enough, the developers have a serious attitude problem. Grievances are dismissed with a manpage link, as if that helps!

Pros

We've been over this. People who judge a book by its cover are shallow, sir. I for one am glad that the developers spend their time and focus on important matters. I have nothing against good looks per se, but I also look for deeper values in my operating systems. In any event, it takes 5 minutes to dress up a desktop, so stop whining.

And while it is quite true that the OpenBSD community is very technical, with little tolerance for nonsense, the developers' attitude is often genuinely helpful for the end user (speaking as a newcomer). The devs will not waste your time with flowery trivia, just as they will not allow you to waste their time with uninformed snivel. If you are willing to put in some effort, by reading suggested manpages and writing detailed bug reports, you will get much respectful assistance from the OpenBSD community.

Conclusion

OpenBSD is the "perfect" (mainstream) OS for me, it has strengths like none other in areas that I care about: ease of use and maintenance, quality of code and documentation. And its weaknesses, less and slower software with more crashes, are slight enough that it doesn't really bother me. It is a matter of taste of course, but I do feel that OpenBSD is the most elegant modern UNIX system today,* if, and I stress if, you can live with its limitations. If you can't, loosen the belt buckle a bit, and give FreeBSD a try.

Appendix

Screenshot of my desktop

Linux, A Word of Thanks

Much like a public forum, there can be no doubt that Linux is a chaotic mess. But that doesn't mean that a free exchange of ideas has no value. Linux is a breeding ground for all kinds of useful programs and technologies. Virtually all of the BSDs' Ports collection comes from Linuxland, and many of its developers and users, myself included, come (at times running) from this messy background. Linux is an important reason why BSD is so great; without it BSD would probably be less useful than Plan 9! And few indeed would abandon their Windows machines. Thank you Linux for dragging me away from the clutches of that corporate monster. For showing me a better way, for many years of frivolous fun and serious work, and last but not least, for making my OpenBSD box so darn practical!

NetBSD, An Honorable Mention

When discussing BSD, one usually ends up talking about the big two: FreeBSD and OpenBSD. In comparison, NetBSD is near totally anonymous. One would think that this OS is as useless as it is unpopular. One would be wrong. Although not quite as featureful as FreeBSD, and not quite as simple as OpenBSD, NetBSD is still a very capable and beautiful UNIX system. For what it's worth, it would probably have been my numero uno recommendation if it hadn't been for OpenBSD, and just maybe it will hit your sweet spot in the balance between simplicity and usefulness? The biggest challenge is simply NetBSD's lack of manpower. I have had more issues with network mirrors, drivers and glitchy ports there than with its big brother BSDs. Still, it's nice to root for the underdog. And you can choose to view these problems as an opportunity: the NetBSD community needs you, and they are a very friendly and grateful bunch!

Plan 9, Eulogy Keynote

Glendy was a genetically engineered, but weirdly lovable, bunny created in the bowels of the Bell laboratories, by the mythological UNIX progenitors of the past millennium. "An argument", its lead developer lovingly called it, then left it for dead. And die it did, unnoticed and unloved in a cold and uncaring cybervirtualreality. Then one fateful night, a group of un-American* "scientists" broke into the dusty tar archive and downloaded the remains. They took the corpse back to their basement, and performed unspeakable programming experiments on it, and they... brought it BACK TO LIFE!!! Well... maybe not "life" exactly, not dead anyway. (cough!)

Now ignorant peasants gather in social media over a black mug of coffee and grumble over our glorious achievement, muttering hurtful comments like, "outdated C witchcraft", "evil windows without boundaries nor crosses with vile theming", "blasphemy against UNIX", "mice lovers", "browserless fanatics..." Bah! Fools!!! The world is not ready for our genius, the scientists exclaimed and headed back into the basement from which they came, the concrete walls echoing the hollow tapping from their keyboards all through the night as the experiments continued, MWAHAHAHAHAHAHAHAHAH!!!

"You are not expected to understand this." - J. Lions

OpenBSD, mini FAQ

The following is a short howto of things I struggled with as a newcomer to OpenBSD. This mini-FAQ is entirely redundant, of course: if you read the official FAQ and manpages you'll know what to do. My howto is only useful if you happen to be a lazy reader like myself facing the exact same issues that I did.

Useful Utilities

As with all the BSDs, OpenBSD ships with its own set of command line utilities. So the grep command, for instance, is developed and maintained by the OpenBSD devs; it is not GNU (i.e. Linux) grep. The same goes for make, sed, awk, sh and many other tools*. This is part of the charm. The reason you'll find readable manpages in BSD is that they roll their own tools, which are inevitably much simpler than the GNU equivalents. But this does cause compatibility issues, so you may need to install things like coreutils, bash, gawk, gmake, gsed etc., and replace #!/bin/sh lines with #!/usr/bin/env bash, awk with gawk and so on in your configure scripts and shell scripts.
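To make the point concrete, here is an added example (not from the post) of the two adjustments that come up most often when moving scripts onto OpenBSD's base userland: picking the GNU port of a tool when it is installed and falling back to the base tool otherwise, and rewriting a hard-coded bash shebang into the env form (on OpenBSD bash is a package and lives in /usr/local/bin, so /bin/bash does not exist). The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the post. Helpers for scripts that must run on
# both OpenBSD base tools and a GNU userland. Function names are my own.

# pick_tool CANDIDATE...: print the first candidate found in PATH, fail if none.
# On OpenBSD this prefers the GNU port (gawk, gsed, gmake) when installed.
pick_tool() {
  for t in "$@"; do
    if command -v "$t" >/dev/null 2>&1; then
      printf '%s\n' "$t"
      return 0
    fi
  done
  return 1
}

# env_shebang: rewrite a first line of "#!/bin/sh" or "#!/bin/bash" read on stdin
# to "#!/usr/bin/env bash". Only apply this to scripts that really need bash;
# a script that is plain POSIX sh runs fine under OpenBSD's /bin/sh as it is.
env_shebang() {
  sed '1s|^#![[:space:]]*/bin/\(ba\)\{0,1\}sh[[:space:]]*$|#!/usr/bin/env bash|'
}

# Resolve the tools once, then call "$AWK", "$SED" and "$MAKE" in the rest of
# the script instead of hard-coding gawk/gsed/gmake.
AWK=$(pick_tool gawk awk)
SED=$(pick_tool gsed sed)
MAKE=$(pick_tool gmake make) || MAKE=make
```

Typical use: source these helpers at the top of a configure or build script, and run a third-party script through env_shebang only after confirming it uses bash features (arrays, [[ ]], process substitution).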

You'll also find that the utilities in OpenBSD are very frugal, often with no color support for instance. But before you capitulate to the GNU bloatware (and other modern monstrosities), you can check out some neat and slim alternatives, such as: colorls, colordiff, hgrep (grep with highlighting), cmixer (ncurses audio mixer), pkg_mgr (ncurses package manager), nvi (vi with unicode) and ee (nano alternative). The moreutils package also has a few lightweight, but useful, tools, such as vipe, which will let you edit pipeline input with vi before sending the output down the pipe (it's 2000 times lighter than fzf...*). Of course, you can also add colors to the dull OpenBSD commands if you want that sort of thing.

Minimal Desktop Theming

There are many alternative desktops in the ports collection, but I actually enjoy using the window managers that come with OpenBSD: Go with the defaults during the installation, but when asked if you want the X Window System to be started by xenodm(1), type "yes" (you can also set this post-install by running: rcctl enable xenodm). By default xenodm(1) (OpenBSD's port of xdm) uses a dull grey background, and you log in to the fvwm(1) window manager. You can tweak xenodm to use random wallpapers and use the alternative cwm(1) window manager if you like:

$ su -
# pkg_add openbsd-backgrounds
# vi /etc/X11/xenodm/Xsetup_0       # uncomment the openbsd-wallpaper clause
# exit
$ cat /etc/X11/xinit/xinitrc > ~/.xinitrc
$ vi ~/.xinitrc                     # tweak (eg. change fvwm to cwm)
$ man cwmrc
$ vi ~/.cwmrc                       # tweak (eg. copy example from cwmrc(5))

Post-Install Optimizations

For casual laptop use, it's best to relax some of OpenBSD's conservative defaults:

# echo boot > /etc/boot.conf     # boot OpenBSD immediately
# echo permit persist <myuser> > /etc/doas.conf
# chpass <myuser>                # set: "Class: staff"
# vi /etc/fstab                  # add softdep and noatime
# cat /etc/fstab
09bfb74fd6bf43b2.b none swap sw
09bfb74fd6bf43b2.a / ffs rw,noatime,softdep 1 1
09bfb74fd6bf43b2.e /home ffs rw,noatime,softdep,nodev,nosuid 1 2
09bfb74fd6bf43b2.d /usr ffs rw,noatime,softdep,wxallowed,nodev 1 2

doas(1) is a simple sudo-like command, and assigning your user to the staff class will remove some resource restrictions. The last example is the most crucial; it sets softdep (a journaling-like feature) on your FFS partitions, which will improve performance and reliability (noatime may improve battery longevity somewhat; it's optional). Of course your own /etc/fstab will not look exactly like this, so don't just blindly copy-paste here!

Update: From version 7.4 onwards softdeps have been disabled, to allow for more rapid filesystem innovation in the near future.
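The fstab edit above is the one step here where a slip leaves the machine dropping into single-user mode, so as an added example (not from the post) here is a way to do it mechanically: a POSIX shell function, with a name of my own choosing, that appends the options you ask for to every ffs entry of an fstab read from stdin, leaves swap and other entries alone, and skips options already present, so it can be re-run safely. The sample fstab and its DUID are constructed. Since the post notes that softdep is disabled from 7.4 on, the demonstration adds only noatime.

```shell
#!/bin/sh
# Added example, not code from the post. Add mount options to the ffs entries
# of an fstab read on stdin. Function and sample names are my own.
# Usage: add_ffs_opts noatime < /etc/fstab > /tmp/fstab.new

add_ffs_opts() {
  awk -v want="$1" '
    # fstab field layout: device mountpoint fstype options dump pass
    $3 == "ffs" {
      n = split(want, w, ",")
      for (i = 1; i <= n; i++) {
        # surround both sides with commas so "noatime" is not found inside
        # a longer option name, and only append when it is really missing
        if (index("," $4 ",", "," w[i] ",") == 0) $4 = $4 "," w[i]
      }
    }
    { print }   # unchanged lines (swap, already-correct entries) pass through
  '
}

# Constructed sample fstab (the DUID is made up) so the script runs stand-alone.
sample_fstab() {
  cat <<'EOF'
0123456789abcdef.b none swap sw
0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.e /home ffs rw,noatime,nodev,nosuid 1 2
EOF
}

sample_fstab | add_ffs_opts noatime
```

Write the result to a temporary file and read it over before copying it into place with doas; a malformed /etc/fstab is discovered at the next boot, not at the next mount.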

Mounting ISOs and USB sticks

# vnconfig vnd0 /home/myuser/file.iso
# mount -t cd9660 /dev/vnd0c /mnt   # your iso is now in /mnt

# dmesg | tail                      # after plugging in the USB stick
# disklabel sd4                     # check partitions on the stick
# mount /dev/sd4i /mnt              # your stick is now in /mnt
# dd if=file.iso of=/dev/sd4c bs=1024 # "c" is always the raw partition

Gaming

Gaming is limited in OpenBSD; you don't have steam, wine or the ability to run Linux binaries. The two last limitations can be circumvented in theory (see below), but this isn't a good gaming solution, since latency issues will prevent good video/audio performance.

That said, you will actually find a plethora of retro and opensource gaming alternatives in the ports collection. dosbox, scummvm and retroarch/mednafen* are just a few of the available emulators, and supertuxkart, wesnoth, endless-sky and pysol are some examples of decent opensource games. The ports collection also contains a handful of reimplementations of old classics, such as openjk (Jedi Academy), openrct2 (RollerCoaster Tycoon 2), openttd (Transport Tycoon Deluxe) and julius (Caesar 3). Except for openttd, these opensource reimplementations still use the original copyrighted game artwork, so you'll have to buy the original games on GOG (or get them in some other, naturally legal, way), and extract the files in the appropriate place; see the relevant howtos in /usr/local/share/doc/pkg-readmes.

For a more exhaustive list of gaming options, check out Mr. Satterly's blog. If you install steamworks-nosteam you can even play a few Steam games on your OpenBSD box! Of course, serious gamers probably wouldn't consider OpenBSD their numero uno OS, but for a man of low moral fiber like myself, the gaming options are almost too good ;)

Printing

Using CUPS, the process of setting up a printer in OpenBSD is quite similar to any UNIX-like system. However, there are some gotchas: If you want to use a USB printer with CUPS, you must first disable the conflicting ulpt driver. So get src.tar.gz and sys.tar.gz from an OpenBSD mirror and unpack them in /usr/src, then we can:

# pkg_add cups
# rcctl enable cupsd cups_browsed
# cd /usr/src/sys/arch/$(uname -m)/conf
# vi GENERIC    # comment out ulpt* at uhub? line
# config GENERIC.MP
# cd ../compile/GENERIC.MP
# make clean    # recompile kernel
# make
# make install
# reboot

Now, run usbdevs -v and find out what USB device your printer is using, the output might be something like this:

...
Controller /dev/usb1:
...
addr 05: 04f9:0027 Brother, HL-2030 series
    full speed, self powered, config 1, rev 1.00, iSerial L9J746593
    driver: ugen0

Note /dev/usb1 and ugen0 (PS: if your printer isn't using the ugen driver, you need to disable the ulpt driver and recompile the kernel - see instructions above). Armed with this knowledge, we can now give CUPS access to our printer:

# echo chown _cups /dev/ugen0.* /dev/usb1 >> /etc/rc.local
# reboot

You can now configure the CUPS printer in the usual way; open http://localhost:631 in a browser and login as root. If you can't find a driver for your printer, head over to openprinting.org and see if they have got one. PS: Use /usr/local/bin/lpr to print documents from the command line with CUPS, /usr/bin/lpr is the native BSD print daemon, which almost certainly isn't what you want.

Video Conferencing

# echo kern.audio.record=1 >> /etc/sysctl.conf
# echo kern.video.record=1 >> /etc/sysctl.conf
# video -q -f /dev/video0      # check if the webcam is video0, it could be video1
# echo chown <myuser> /dev/video0 >> /etc/rc.local
# vi /etc/chromium/unveil.utility_video    # edit as needed (eg. add /dev/video0)
# vi /etc/firefox/unveil.main  # edit as needed
# reboot

This is one example where OpenBSD's strict security cuts against casual desktop use; for video conferencing to work we must first allow audio and video recording, and give our web browser access to the webcam. Browser based VOIP solutions, such as Google Meet, should now work; if it doesn't, your camera isn't supported.

To use Zoom, just go to zoom.us, join a meeting and click on the "Join from your browser" link at the bottom. This works well in Firefox, in Chromium you need to launch the browser with ENABLE_WASM=1 chrome, but even then the microphone will not work, at least in my case.

PS: The OpenBSD sound server, sndiod(8), cannot use two sound cards simultaneously. Eg. recording audio from a webcam mic while playing audio from the PC speakers. Alternatives are easy to find, but keep this in mind when you're planning your audio setup.

A Desktop Firewall

As mentioned, OpenBSD's main claim to fame, is as an ultra secure firewall. But networking is a painful subject, and as such, we would like to avoid it! Nevertheless, setting up a casual firewall on your OpenBSD lappy, is actually quite simple:

Method 1: White List

Your kid bursts in the front door gleefully with his shiny new Windows enabled school laptop in hand, eager to play online games with his buddies and do all kinds of non-academic activities with his new educational tool. Being a responsible parent, your mission in life is to suck the joy out of these little 'uns' existence. So you promptly install OpenBSD on this laptop and configure PF to deny all internet access, except for a select few, highly educational, websites:

$ cat /etc/pf.conf
table <whitelist> {
    127.0.0.1      # introspection
    2.718281828459 # school homepage
    3.141592653589 # science project
    91.198.174.192 # encyclopedia
    199.185.178.80 # computers
    94.142.241.173 # computer news
    192.73.246.162 # entertainment
}

set skip on lo

block return
# outbound connections to the table only; replies are matched by state
pass out on egress to <whitelist>
# check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f"

Method 2: Black List

Of course, for your own laptop, the above solution will not do. It is too much work to maintain a list of the hundreds of thousands of internet services needed on a day-to-day basis, and besides, blocking off the internet like that is just inhumane... Still, we would like to block offensive websites. Here is one quick solution (we will also add a DNS-based whitelist, in case our blacklist contains false positives):

# Use the default /etc/pf.conf, and add two extra lines in
# /var/unbound/etc/unbound.conf before the remote-control section:
#    include: "/var/unbound/etc/blacklist.conf"
#    include: "/var/unbound/etc/whitelist.conf"
# We can now generate a black list:

$ install -m 644 -o root -g wheel /dev/null /var/unbound/etc/blacklist.conf
$ lynx -dump \
  https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/porn/hosts |\
  awk '/0.0.0.0/ {
    if($2 !~ /0.0.0.0/) printf("%s: \"%s\" %s\n", "local-zone", $2, "always_nxdomain")
  }' > /var/unbound/etc/blacklist.conf

# let's also manually write a whitelist and start the unbound service:
$ install -m 644 -o root -g wheel /dev/null /var/unbound/etc/whitelist.conf
$ echo 'local-zone: "github.com" always_transparent' \
  >> /var/unbound/etc/whitelist.conf
$ rcctl -f restart unbound

# Assuming you are using DHCP to dynamically obtain your IP address, we
# also need to tell dhcpleased to leave our DNS service alone:

$ cat /etc/hostname.iwn0
dhcp
$ cat /etc/resolv.conf
nameserver 127.0.0.1
$ cat /etc/dhcpleased.conf
interface iwn0 { ignore dns }

# restart the network if you have made changes
$ sh /etc/netstart iwn0

Now, if you want to get technical, there are many issues with this solution. We are connecting to the internet with a wireless network card; that alone is problematic (naturally, you might be using a different network card than iwn0). Blocking sites in this way is also relatively expensive. We are only delaying boot time by a second and gobbling up 100 Mb of RAM here, but we are also only blocking some 200,000 sites. Suppose our list was 50 times bigger, not wholly unfeasible; then boot time would be delayed by a minute and a whopping 5 GB of RAM would be gone. Worse, DNS filtering is easily circumvented. And we haven't even tried to stop advertisement, tracking, or any kind of intrusion. It is possible to address these issues, take a look at pf-badhost and unbound-adblock for instance, but I leave that as an exercise for the reader. PS: See openbsdrouterguide.net for a more in depth discussion on this subject.
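The awk one-liner above is tied to the layout of one particular upstream list. As an added example that is not part of the post, here is a more general version written as a shell function (the names are mine): it also strips comments, handles several hostnames on one line, skips the sinkhole address and localhost-style entries, drops duplicates, and leaves out any name listed in an optional whitelist file, so those names never need the separate always_transparent include. The sample list and whitelist are constructed.

```shell
#!/bin/sh
# Added example, not code from the post. Turn a hosts-format blocklist
# ("0.0.0.0 bad.example" per line) read on stdin into unbound local-zone
# statements. Function names and sample data are my own.
# Usage: hosts_to_unbound [whitelist-file] < hosts > /var/unbound/etc/blacklist.conf

hosts_to_unbound() {
  awk -v wl="${1:-/dev/null}" '
    BEGIN {
      # whitelist: one hostname per line, "#" starts a comment, case-insensitive
      while ((getline line < wl) > 0) {
        sub(/#.*/, "", line); gsub(/[ \t]+/, "", line)
        if (line != "") keep[tolower(line)] = 1
      }
    }
    { sub(/#.*/, "") }                              # strip trailing comments
    NF < 2 { next }                                 # blank or malformed line
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # only sinkhole entries
    {
      for (i = 2; i <= NF; i++) {
        d = tolower($i)
        # never sinkhole the sinkhole itself or the local names hosts files carry
        if (d == "0.0.0.0" || d ~ /localhost/ || d == "local" ||
            d == "broadcasthost" || d ~ /^ip6-/) continue
        if (d in seen || d in keep) continue        # duplicate or whitelisted
        seen[d] = 1
        printf("local-zone: \"%s\" always_nxdomain\n", d)
      }
    }
  '
}

# Constructed sample input (not a real blocklist) so the script runs stand-alone.
sample_hosts() {
  cat <<'EOF'
# Title: example blocklist (constructed)
0.0.0.0 0.0.0.0
127.0.0.1 localhost
0.0.0.0 Bad.Example   # mixed case and a comment
0.0.0.0 bad.example
0.0.0.0 ok.example
0.0.0.0 two.example three.example
EOF
}

wl=$(mktemp)
echo 'ok.example' > "$wl"        # constructed whitelist: keep ok.example resolvable
sample_hosts | hosts_to_unbound "$wl"
rm -f "$wl"
```

Run unbound-checkconf on the result before rcctl restart unbound; an include that fails to parse stops the resolver from starting, which on this setup means no name resolution at all.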

Running Windows and Linux programs

Although OpenBSD is great and all that, there are times when you actually have to run a Linux/Windows application. With vmd(8) you, plausibly, can:

1) Configure the network and other things a bit first (replace 
   <DNS-SERVER> with one of the nameservers in your
   /etc/resolv.conf):

# echo hw.smt=1 >> /etc/sysctl.conf
# echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
# cat << eof >> /etc/pf.conf
match out on egress from 100.64.0.0/10 to any nat-to (egress)
pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
  rdr-to <DNS-SERVER> port domain
eof
# rcctl enable vmd
# reboot

2) Create a virtual disk and install Linux (eg. Debian):

$ vmctl create -s 20G deb.qcow2
$ doas vmctl start -Lc -m 1G -r debian-*.iso -d deb.qcow2 deb

   Hit Tab quickly when Debian starts, then type "console=ttyS0,115200"
   (vmd can only read text from the guest machines serial console). The
   installer will smartly set up a serial console also for your newly
   installed Linux box, but if you need to manually set this up post-
   installation, add GRUB_CMDLINE_LINUX="console=ttyS0,115200" to 
   /etc/default/grub and run update-grub.

   The method here varies a bit between distros. In Alpine, for instance,
   hit Tab at the "boot:" prompt to see what kernels you can boot; for
   "lts" for instance, type "lts console=ttyS0,115200". Once a "sys"
   installation is completed, mount /dev/vdb3 /mnt, and then add
   default_kernel_opts="console=ttyS0,115200 quiet rootfstype=ext4" to
   /mnt/etc/update-extlinux.conf.

   However you set up your Linux box, make sure that it uses the serial
   console, and that it boots in a text only mode. (so don't install a
   desktop during the Debian installation for instance) Once the 
   installation is complete, you can set up VNC or X forwarding to run
   graphical applications from the guest. To demonstrate:
  
3) First off, let's just run a simple Linux application:

obsd# vi /etc/ssh/ssh_config          # uncomment "ForwardX11 yes"
obsd$ doas vmctl start -Lc -m 1G -d deb.qcow2 deb
lxguest:~$ sudo apt update
lxguest:~$ sudo apt install openssh-server
lxguest:~# vi /etc/ssh/sshd_config    # uncomment "X11Forwarding yes"

obsd$ alias lxterm="ssh -Y <GUEST-IP> xterm"
obsd$ lxterm

   This will display an xterm in your host, that is running in the Linux
   guest. Any Linux programs you start from this xterm will also be
   displayed in your OpenBSD host.

4) Now, for our second example, let's run a Windows game in OpenBSD:

obsd$ doas vmctl start -Lc -m 1G -d deb.qcow2 deb
lxguest:~$ sudo dpkg --add-architecture i386
lxguest:~$ sudo apt update
lxguest:~$ sudo apt install wine32

obsd$ ssh -Y <GUEST-IP>
lxguest:~$ scp <HOST-IP>:~/games/wingames.iso .
lxguest:~$ sudo mount -o loop wingames.iso /mnt
lxguest:~$ wine /mnt/Setup.exe
lxguest:~$ exit
obsd$ alias conquest="ssh -Y <GUEST-IP> \
> 'cd ~/.wine/drive_c/Program\ Files\
> /Sean\ O'\\\\\''Connor'\\\\\''s\ Windows\ Games\
> /Conquest && wine Conquest.exe'"*
obsd$ conquest

5) Virtual subnets with static IP addresses and auto startup:

   With this setup your guest IP should be something like 100.64.1.3;
   you can run "ip a" (or ifconfig) to check. Obviously, for this example,
   we would want the guest to have the same IP address every time. To do
   so we can first change the two occurrences of 100.64.0.0/10 in our
   /etc/pf.conf file to vether0:network, then create a virtual subnet:

obsd# echo inet 10.0.0.1 255.255.255.0 > /etc/hostname.vether0
obsd# echo add vether0 > /etc/hostname.bridge0
obsd$ cat /etc/vm.conf
switch "my_switch" {
    interface bridge0
}
vm "deb" {
    memory 1G
    disk "/home/myuser/hdd/deb.qcow2"
    interface { switch "my_switch" }
    #disable
}

   This VM configuration file will automatically start the Linux guest at
   boot time (if you don't want that, uncomment the disable line) and it
   will bridge the virtual subnet to our host network. We can now go ahead
   and set up a static IP address in our Linux guest in the 10.0.0.X range
   using 10.0.0.1 as our gateway, on Debian for instance, we can add these
   lines to /etc/network/interfaces:

iface enp0s2 inet static
  address 10.0.0.2
  netmask 255.255.255.0
  gateway 10.0.0.1
  dns-nameservers 8.8.8.8 1.1.1.1

6) Desktops using X Forwarding or VNC:

   You can also run a full desktop from a vmm client if you want to:

obsd$ ssh -Y <GUEST-IP>
lxguest:~$ sudo apt install xorg openbox
lxguest:~$ (Xephyr :2 -screen 1920x1080 &); sleep 1; DISPLAY=:2 openbox
lxguest:~$ pkill Xephyr                 # kill X when you're done

    Or, you can use VNC:

obsd$ doas pkg_add tigervnc
obsd$ ssh -Y <GUEST-IP>
lxguest:~$ sudo apt install tigervnc-standalone-server tigervnc-common
lxguest:~$ vncpasswd
lxguest:~$ vncserver -localhost no
lxguest:~$ vncserver -list              # check that it's working
lxguest:~$ vncserver -kill :1           # stop server
lxguest:~$ cat << eof > ~/.vnc/xstartup # configure VNC desktop
#!/bin/bash
xrdb ~/.Xresources
xrandr --output VNC-0 --mode 1920x1080
openbox-session
eof
lxguest:~$ vncserver -localhost no

obsd$ vncviewer <GUEST-IP>

2b) If you cannot enable the serial console during installation, or if
   you need to manually add this configuration to an already installed
   Linux image, you can always boot it up (slowly) with qemu:

$ doas pkg_add qemu
$ ulimit -d 30000000
$ qemu-system-x86_64 -m 1G -hdd deb.qcow2

   Qemu is the only option for systems that cannot be installed in text
   mode, such as Haiku, and systems that vmm doesn't support, such as
   FreeBSD, and for such light operating systems it works well enough
   even without a hypervisor.
   
   PS: To boot Linux in OpenBSD with qemu, you may need to add the
   kernel parameter noapic.

This setup works fairly well for many basic apps, but as mentioned, it's not a good solution for heavy gaming, or even heavy desktop use; vmm and VNC/X11 forwarding just aren't fast enough for that. Audio is problematic too: you can set sndio_flags="-L <GUEST-IP>" in /etc/rc.conf.local, install sndio on the Linux guest, copy over the host's ~/.sndio/cookie, and export AUDIODEVICE="snd@<HOST-IP>/0", but few applications will work with sndio, and those that do have terrible latency issues.