OpenBSD routers on AliExpress mini PCs

Almost 10 years running a great OS on some nice little network appliance hardware from AliExpress.

I posted Another successful OpenBSD setup to the fediverse and got lots of questions. This is something I’ve wanted to write about for years now. Better now than never!

OpenBSD is one of my favourite operating systems. I’ve been using it on my workstations and laptops for almost 10 years now. I was even lucky enough to be able to use it on my work desktops and laptops. But this isn’t where OpenBSD really shines.

Two major problems with consumer-grade routers provided by internet service providers:

  1. They suck
  2. They’re boring!

I discovered a whole suite of cool network software in the default OpenBSD installation. It’s what makes OpenBSD perfect for edge/gateway network devices. So we’ve got some nice software – what about some hardware to run it on?

Discourse’s Scooter Computers

Jeff Atwood of Coding Horror, Stack Overflow etc. fame posted the blog article The Scooter Computer, saying of standard residential network devices:

Let’s face it: this is just a little box that runs a chopped up version of Linux, with a bit of specialized wireless hardware and multiple antennas tacked on … that we’re not even using. So when it came time to upgrade, we wondered:

Why not just go with a small box that can run a real, full Linux distro? Wouldn’t that be simpler and easier to keep up to date?

So then I wondered: why not run real, full OpenBSD on these boxes? Hardware support for OpenBSD isn’t as complete as for Linux, though… Challenge accepted!

Chinabox install

My most recent purchase is the XCY Firewall Appliance Mini PC for AUD140 (approx. $90 US, 85€). I affectionately call these devices chinaboxes. This chinabox came in some tidy cardboard, packed with foam. There’s also a VESA mounting plate thing and SATA cables:

taking mini PC out of package, showing 4 ethernet ports bottom of package with VESA mount and SATA cabling

It feels solid; it’s surprisingly heavy for its size.

holding mini PC showing ethernet ports underside of mini PC with vent

It’s easy to get inside the box; just 4 Phillips head screws. Inside seems relatively neat and tidy:

inside of mini PC and motherboard

Time to power it on! Of course it comes with some kind of maybe-kinda-probably-not licensed Windows (10?) with user “Admini”:

booting into Windows with user Admini

But we’re not interested in Windows right now - if ever ;) So I rebooted and got into the EVALUATION COPY BIOS:

BIOS setup screen

Running OpenBSD on x86 PCs often involves turning off or tweaking a bunch of things in the BIOS. But I only ended up doing a couple of minor things. To get the device to behave more like other networking equipment, I set the device to always power back on after power loss:

setting automatic power on in BIOS

Secure Boot is unsupported by OpenBSD so I disabled that:

disabling Secure Boot in BIOS

Finally I found some setting mysteriously called “OS Selection”. I reset this from Windows to Linux. If anyone has more info on what this could be please let me know!

resetting OS selection from Windows to Linux

Booting into OpenBSD over the network by PXE and also by USB started off fine:

OpenBSD installation prompt screenshot

For those unfamiliar, the OpenBSD process is super straightforward with basic plain text prompts:

installation progress screenshot

Success!

successful boot to login prompt

Where it will sit for a (long) while:

deployed on top of switch, next to modem

And as a bonus my old firewall still humming along:

similar mini PC as a internet gateway, older

Tech specs

See also dmesg output at the bottom of this article.

There’s a lot of different hardware configurations available from the manufacturer. It’s probably best to see the original item listing at XCY Firewall Appliance Mini PC. In particular it would be good to upgrade this 10+ year-old CPU to something like the Intel N100.

Interesting Fediverse replies

It’s highly recommended to read through the replies to Another successful OpenBSD setup. Some highlights follow.

BIOS/Firmware updates

cmnybo@discuss.tchncs.de asked:

Do any of those cheap Chinese computers ever get any firmware or bios updates?

None that I’m aware of, which sucks. However benja@ohnepunktundkomma.org let us know that CoreBoot may be available:

some of this boxes can run with #coreboot, so the #firmware is #opensource too. Protectli ported coreboot for their hardware, and with a little research you can find this hardware on aliexpress, of course under a different name.

Why?

Sorry for my ignorance I tried googling but what is this exactly? A server for files or? A media server?

Anything! It’s now a plain old server connected to the internet with a static IPv4 address and a /48 IPv6 subnet! relayd(8) is used as a HTTP reverse proxy and generic TCP proxy for internet services and custom software I write. For example:

that tp-link probably negates anything remotely resembling security on its own.

Yes having a managed switch is so surplus to requirements. I bought this one in a rush as it was cheap and had PoE. If anyone knows a 8-port unmanaged PoE switch please let me know! Or reply to Another successful OpenBSD setup via ActivityPub (Mastodon, Lemmy, KBin… you all know who you are ;) ).

dmesg

TODO