OpenBSD routers on AliExpress mini PCs
Oliver Lowe
I posted Another successful OpenBSD setup to the fediverse and got lots of questions. This is something I’ve wanted to write about for years now. Better now than never!
OpenBSD is one of my favourite operating systems. I’ve been using it on my workstations and laptops for almost 10 years now. I was even lucky enough to be able to use it on my work desktops and laptops. But this isn’t where OpenBSD really shines.
Two major problems with consumer-grade routers provided by internet service providers:
- They suck
- They’re boring!
I discovered a whole suite of cool network software in the default OpenBSD installation. It’s what makes OpenBSD perfect for edge/gateway network devices. So we’ve got some nice software – what about some hardware to run it on?
Discourse’s Scooter Computers
Jeff Atwood of Coding Horror, Stack Overflow etc. fame posted the blog article The Scooter Computer, saying of standard residential network devices:
Let’s face it: this is just a little box that runs a chopped up version of Linux, with a bit of specialized wireless hardware and multiple antennas tacked on … that we’re not even using. So when it came time to upgrade, we wondered:
Why not just go with a small box that can run a real, full Linux distro? Wouldn’t that be simpler and easier to keep up to date?
So then I wondered: why not run real, full OpenBSD on these boxes? Hardware support for OpenBSD isn’t as complete as for Linux, though… Challenge accepted!
Chinabox install
My most recent purchase is the XCY Firewall Appliance Mini PC for AUD140 (approx. $90 US, 85€). I affectionately call these devices chinaboxes. This chinabox came in some tidy cardboard, packed with foam. There’s also a VESA mounting plate thing and SATA cables:
It feels solid; it’s surprisingly heavy for its size.
It’s easy to get inside the box; just 4 Phillips head screws. Inside seems relatively neat and tidy:
Time to power it on! Of course it comes with some kind of maybe-kinda-probably-not licensed Windows (10?) with user “Admini”:
But we’re not interested in Windows right now - if ever ;)
So I rebooted and got into the EVALUATION COPY BIOS:
Running OpenBSD on x86 PCs often involves turning off or tweaking a bunch of things in the BIOS. But I only ended up doing a couple of minor things. To get the device to behave more like other networking equipment, I set the device to always power back on after power loss:
Secure Boot is unsupported by OpenBSD so I disabled that:
Finally I found some setting mysteriously called “OS Selection”. I reset this from Windows to Linux. If anyone has more info on what this could be please let me know!
Booting into OpenBSD over the network by PXE and also by USB started off fine:
For those unfamiliar, the OpenBSD process is super straightforward with basic plain text prompts:
Success!
Where it will sit for a (long) while:
And as a bonus my old firewall still humming along:
Tech specs
See also dmesg output at the bottom of this article.
- Intel Celeron N2830, 1MB Cache, dual-core.
- 4 Intel I225V 2.5Gb network interfaces supported by igc(4)
There’s a lot of different hardware configurations available from the manufacturer. It’s probably best to see the original item listing at XCY Firewall Appliance Mini PC. In particular it would be good to upgrade this 10+ year-old CPU to something like the Intel N100.
Interesting Fediverse replies
It’s highly recommended to read through the replies to Another successful OpenBSD setup. Some highlights follow.
BIOS/Firmware updates
cmnybo@discuss.tchncs.de asked:
Do any of those cheap Chinese computers ever get any firmware or bios updates?
None that I’m aware of, which sucks. However benja@ohnepunktundkomma.org let us know that coreboot may be available:
some of these boxes can run with #coreboot, so the #firmware is #opensource too. Protectli ported coreboot for their hardware, and with a little research you can find this hardware on aliexpress, of course under a different name.
Why?
Sorry for my ignorance I tried googling but what is this exactly? A server for files or? A media server?
Anything! It’s now a plain old server connected to the internet with a static IPv4 address and a /48 IPv6 subnet! relayd(8) is used as an HTTP reverse proxy and generic TCP proxy for internet services and custom software I write. For example:
- a public DNS-over-TLS resolver at dns.srcbeat.com:853,
- an ActivityPub to SMTP relay experiment
- ad-hoc file/video sharing
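As an added illustration (not the author's configuration), this is one way relayd(8) can front a DNS-over-TLS service: it terminates TLS on port 853 and relays the stream to a resolver speaking plain DNS over TCP. The address, the name dot.example.org, the certificate paths and the local resolver on 127.0.0.1:53 are all assumptions.

```conf
# /etc/relayd.conf -- added sketch, not the configuration used on this box.
#
# Assumptions (none of these come from the article):
#   - a recursive resolver such as unbound(8) accepts TCP on 127.0.0.1:53
#   - the certificate and key for the placeholder name dot.example.org are at
#       /etc/ssl/dot.example.org.crt
#       /etc/ssl/private/dot.example.org.key
#   - 203.0.113.10 is a placeholder from the documentation address range

ext_addr = "203.0.113.10"

table <resolver> { 127.0.0.1 }

# DNS-over-TLS uses the same two-byte length framing as DNS over TCP, so a
# plain TCP relay that only strips the TLS layer is sufficient.
tcp protocol "dot" {
	# selects the certificate/key pair named above
	tls keypair "dot.example.org"
	tcp nodelay
}

relay "dot" {
	# "tls" after the port makes relayd the TLS server for clients
	listen on $ext_addr port 853 tls
	protocol "dot"

	# "check tcp" stops relaying if the resolver is not accepting
	# connections
	forward to <resolver> port 53 check tcp
}

# Caveat: the resolver sees every query arriving from relayd's own address,
# so per-client access control or rate limiting configured in the resolver
# will not distinguish clients. Apply those limits in pf(4) on port 853.
```

The file can be syntax-checked with relayd -n before the daemon is reloaded.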
TP-Link switch
that tp-link probably negates anything remotely resembling security on its own.
Yes, having a managed switch is so surplus to requirements. I bought this one in a rush as it was cheap and had PoE. If anyone knows an 8-port unmanaged PoE switch please let me know! Or reply to Another successful OpenBSD setup via ActivityPub (Mastodon, Lemmy, KBin… you all know who you are ;) ).
dmesg
TODO