Install OpenBSD on Hetzner vServer

Posted on Thu 27 November 2014 in English

This is a short English howto for installing OpenBSD on a vServer from Hetzner.


The first step is to install a VNC client on your host system (ssh connection didn't work out for me as the keyboard layout was havocked - perhaps a tmux problem?). If you need a suggestion: Vinagre worked for me.


Log in to your Robot and restart your server in rescue mode (I've chosen Linux 32 bit here). Write down the password given here, as you can't get it afterwards! After that, restart your server and log in to your server via SSH.

If you have anything on your server's hard disk, please copy it off first, as the next step will destroy ALL_YOUR_DATA!

rescue # fdisk -l
rescue # fdisk /dev/vda

In the following dialog create a new DOS partition table (press o), then create a new partition (press n and x-times "enter" - the default values are OK), followed by writing the changes to the disk (press w to exit).

Create a temporary filesystem, mount it and download the minimal CD image we need to boot from (we could download the full blown install56.iso here, but this way we can see sooner if our NATed internet connection works):

rescue # mkfs.ext3 -j /dev/vda1
rescue # mount /dev/vda1 /mnt
rescue # cd /mnt 
rescue # wget $MIRROR/pub/OpenBSD/5.6/i386/cd56.iso
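
Before booting the image it is worth checking that the download is intact. The following is an added example, not part of the original howto: it assumes you also fetched the release's SHA256 file from the same directory ($MIRROR/pub/OpenBSD/5.6/i386/SHA256) and that sha256sum is available in the rescue system; verify_bsd_sha256 is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original howto).
# verify_bsd_sha256 IMAGE SUMFILE
#   Compares IMAGE against its BSD-style entry in SUMFILE:
#       SHA256 (cd56.iso) = <64 hex digits>
#   Returns 0 on match, 1 on mismatch, 2 if no usable entry exists.
verify_bsd_sha256() {
    image=$1
    sumfile=$2
    name=$(basename "$image")

    # Exact string match on the file name, so "cd56.iso" cannot match
    # another entry through regex metacharacters.
    expected=$(awk -v n="($name)" \
        '$1 == "SHA256" && $2 == n && $3 == "=" { print $4; exit }' "$sumfile")

    # Reject a missing, short or non-hex digest instead of comparing garbage.
    case $expected in
        ''|*[!0-9a-f]*) echo "no usable SHA256 entry for $name" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "truncated digest for $name" >&2; return 2; }

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Typical call in the rescue system, after fetching SHA256 next to the image:
#   verify_bsd_sha256 /mnt/cd56.iso /mnt/SHA256 || echo "do not boot this image"
```

A matching checksum taken from the same mirror only shows that the download is intact; authenticating the image requires verifying the signed SHA256.sig with signify.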

Switch to another terminal emulator on your host now and set up the secure tunnel from our host to the server (remember: VNC isn't secure - as we use qemu with VNC we have to secure the insecure protocol).

local # ssh -L 5900:localhost:5900 root@$SERVER_IP

We have to substitute the script for creating our qemu tap interface with another one. The default in the Hetzner rescue system has created the tap interface, but I couldn't connect to the outside world with it, so I took the one from the QEMU wiki:

#!/bin/sh
#
# Copyright IBM, Corp. 2010
# Authors:
#  Anthony Liguori <>
# This work is licensed under the terms of the GNU GPL, version 2.  See
# the COPYING file in the top-level directory.

# Set to the name of your bridge
BRIDGE=br0

# Network information (assumed example values for a private /24 behind
# the bridge; adjust them to your setup)
NETWORK=192.168.53.0
NETMASK=255.255.255.0
GATEWAY=192.168.53.1
DHCPRANGE=192.168.53.2,192.168.53.254

# Optionally parameters to enable PXE support
TFTPROOT=
BOOTP=

do_brctl() {
    brctl "$@"
}

do_ifconfig() {
    ifconfig "$@"
}

do_dd() {
    dd "$@"
}

do_iptables_restore() {
    iptables-restore "$@"
}

do_dnsmasq() {
    dnsmasq "$@"
}

# Returns 0 when the bridge does NOT exist yet, 1 when it is already there
check_bridge() {
    if do_brctl show | grep "^$1" > /dev/null 2> /dev/null; then
        return 1
    else
        return 0
    fi
}

create_bridge() {
    do_brctl addbr "$1"
    do_brctl stp "$1" off
    do_brctl setfd "$1" 0
    do_ifconfig "$1" "$GATEWAY" netmask "$NETMASK" up
}

enable_ip_forward() {
    echo 1 | do_dd of=/proc/sys/net/ipv4/ip_forward > /dev/null
}

# NAT the guest network and only forward traffic that belongs to it
add_filter_rules() {
do_iptables_restore <<EOF
# Generated by iptables-save v1.3.6 on Fri Aug 24 15:20:25 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [132:8691]
-A POSTROUTING -s $NETWORK/$NETMASK -j MASQUERADE
COMMIT
# Completed on Fri Aug 24 15:20:25 2007
# Generated by iptables-save v1.3.6 on Fri Aug 24 15:20:25 2007
*filter
:INPUT ACCEPT [1453:976046]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1605:194911]
-A INPUT -i $BRIDGE -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i $BRIDGE -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i $BRIDGE -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i $BRIDGE -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i $1 -o $1 -j ACCEPT
-A FORWARD -s $NETWORK/$NETMASK -i $BRIDGE -j ACCEPT
-A FORWARD -d $NETWORK/$NETMASK -o $BRIDGE -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o $BRIDGE -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i $BRIDGE -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Aug 24 15:20:25 2007
EOF
}

# DHCP and DNS for the guest, bound to the bridge only
start_dnsmasq() {
    do_dnsmasq \
    --strict-order \
    --except-interface=lo \
    --interface=$BRIDGE \
    --listen-address=$GATEWAY \
    --bind-interfaces \
    --dhcp-range=$DHCPRANGE \
    --conf-file="" \
    --pid-file=/var/run/qemu-dnsmasq-$BRIDGE.pid \
    --dhcp-leasefile=/var/run/qemu-dnsmasq-$BRIDGE.leases \
    --dhcp-no-override \
    ${TFTPROOT:+"--enable-tftp"} \
    ${TFTPROOT:+"--tftp-root=$TFTPROOT"} \
    ${BOOTP:+"--dhcp-boot=$BOOTP"}
}

setup_bridge_nat() {
    if check_bridge "$1" ; then
        create_bridge "$1"
        enable_ip_forward
        add_filter_rules "$1"
        start_dnsmasq "$1"
    fi
}

setup_bridge_vlan() {
    if check_bridge "$1" ; then
        create_bridge "$1"
        start_dnsmasq "$1"
    fi
}

setup_bridge_nat "$BRIDGE"

# qemu passes the tap interface name as the first argument
if test "$1" ; then
    do_ifconfig "$1" up
    do_brctl addif "$BRIDGE" "$1"
fi

Save it to a file, upload that file to your server and move it to /etc/qemu-ifup. Don't forget to 'chmod +x' it!

Before checking your free memory with the command 'free' and choosing a value below the free amount to run qemu with (-m parameter), install the missing 'sudo' package:

rescue # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
rescue # apt-get install dnsmasq 
rescue # qemu -m 256 -hda /dev/vda -net nic -net tap -cdrom /mnt/cd56.iso -boot d -vnc localhost:0 &

Note: If you're running another architecture you have to run qemu-system-x86_64 or something like that.
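
qemu was started with -vnc localhost:0, so the VNC display (TCP port 5900) should only be reachable through the SSH tunnel. As an added example (not part of the original howto), this check flags any listener on that port that is not bound to loopback; it assumes ss from iproute2 is present in the rescue system, and the function name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original howto).
# exposed_listeners PORT
#   Reads `ss -ltn` output on stdin and prints every listening socket on PORT
#   whose local address is not loopback. Returns 1 if any was found.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            # Local Address:Port is column 4; the port follows the last colon.
            n = split($4, part, ":")
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            print $4
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample: what `ss -ltn` shows with "-vnc localhost:0".
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1      127.0.0.1:5900     0.0.0.0:*'

# Constructed sample: what it shows if qemu is started with "-vnc :0",
# which binds the display on every interface.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1      0.0.0.0:5900       0.0.0.0:*'

# On the rescue system: ss -ltn | exposed_listeners 5900
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 5900 ||
    echo "VNC is reachable without the SSH tunnel" >&2
```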

Now we must write down some important values - if they're wrong your virtual OpenBSD will not get an internet connection after rebooting, so be careful!

rescue # ifconfig eth0
rescue # ifconfig tap0
rescue # cat /etc/resolv.conf

Note the IP addresses, netmasks and one or more of the DNS servers. Now we're ready to install our beloved OpenBSD!!! Log in to localhost via your VNC viewer. When asked about the IP address choose the one given from br0+1. In my case it was, so em0 got with netmask and gateway (the br0 IP).

After the installation type:

openbsd # halt -p

After you see the message that disks are synced, kill qemu and umount the storage we don't need anymore:

rescue # killall qemu
rescue # cd
rescue # umount /mnt

Now you have to restart your OpenBSD server and prepare it for the real world:

rescue # qemu -m 256 -hda /dev/vda -net nic -net tap -vnc localhost:0 &

Finally connect again via VNC, set the real networking properties and restart the rescue system:

openbsd # echo 'inet $SERVER_IP netmask $NETMASK' > /etc/hostname.re0
openbsd # echo $GATEWAY_IP > /etc/mygate
openbsd # shutdown -p -h now
rescue # reboot

The tricky thing here is to figure out which real network card you have in your VPS. For me it's re. If you want to check on your box, type the following command:

rescue # apt-get install hwinfo
rescue # hwinfo

hwinfo gives you all the information you need to find the real network card driver.