Setup an OpenBSD Bastion Host

Servers Technology Openbsd Productivity
Joshua Blais
We are going to be setting up a Bastion Host (or colloquially a ‘Jumpbox’) for our cloud infrastructure.

This should be the entry point for all future server, database, and load balancing systems.

The purpose of a Bastion Host is simple: SSH access to your cloud infrastructure is allowed from ONE hardened location only. No other computer in the world can reach the rest of your machines; only this one can.

Classically, you would SSH into each part of your infrastructure (DB, web server, load balancers, etc.) directly and work on it. Most guides are set up so that you connect to your production server straight from your desktop. A bastion adds a step between you and those servers, which stops the wider internet from even seeing these important parts of your setup.

How are we going to do this?

Via the most secure OS in the world - OpenBSD

Let’s begin!

OpenBSD Setup:

Go into Vultr (use my promo code to save some money, and give me a little kickback, thank you!) and create an OpenBSD instance. From there, you will SSH into it from your main computer and begin the basic setup.

1. Setup SSH keys

Set up your SSH key pair on your local computer with:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/whateverKeyNameYouWant.key -C "Jumpbox key"

This will give you two files in your .ssh directory: whateverKeyNameYouWant.key (the private key) AND whateverKeyNameYouWant.key.pub (the public key).

You will add that .pub key to your OpenBSD installation; the private .key file never leaves your computer.

2. Change root password

Get into your bastion host via:

ssh root@yourserverIP

using the password on your Vultr server details page.

You’re in!

Now, first things first: we will change that root password:

passwd

and enter whatever root password you want.

3. Add packages

We can add packages to our new OpenBSD installation via the following:

pkg_add packageName
pkg_add neovim

I generally add neovim to all my servers, and this is no exception.

4. Create a new user

Enter the following as the root user:

adduser

and you will get an interactive script that lets you name and create a new user.

4.1 Add that user to the wheel group

Edit the /etc/group file as the root user and append the new username to the wheel line, so that it reads like this:

wheel:*:0:root,john_doe

or in the terminal, as root (OpenBSD ships doas rather than sudo, and the user already exists, so usermod rather than useradd is the right tool):

usermod -G wheel john_doe

4.2 Enable doas:

Edit /etc/doas.conf as the root user (nvim /etc/doas.conf) and put the following in the file:

permit :wheel

4.3 Make sure your public key is in that USER’s .ssh/authorized_keys

As the user you created:

cat ~/.ssh/authorized_keys

or as root:

cat /home/user/.ssh/authorized_keys

The file should contain one public key per line and look like the following (the key shown here is truncated):

n/iXFKYpnm1v8K6Kme9LcKE7H9bbPHBlNFnq3G+RNVxLY1dldKXkS2IA86FQ== throwaway

5. Security: remove the ability to SSH in as the root user

Inside /etc/ssh/sshd_config, as root:

Change the following lines and UNCOMMENT them:

PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

Then run:

/etc/rc.d/sshd restart

Keep your current root session open while you do this, and test the key-based login from a second terminal before closing it: with password authentication off, a typo in this file or a missing public key locks you out of the box.

Now, to get into the remote server, you must run:

ssh -i ~/.ssh/private_key.key user@33.33.333.33
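Steps 4.3 and 5 are the ones that lock you out when they go wrong, so here is an added example (not code from the original post) that rehearses them as a script: it rewrites the three sshd_config directives in a file given as a parameter, reports the effective values the same way sshd resolves them (first uncommented match wins), and sanity-checks an authorized_keys file so that a private key pasted by mistake is caught. The file paths are parameters so you can run it against a copy first; the apply_on_host function, the only part that touches /etc/ssh/sshd_config and restarts sshd via rcctl, is provided but not called by the demo.

```shell
#!/bin/sh
# Added example (not from the original post): apply the step-5 sshd_config
# changes to a file given as a parameter, verify the result, and sanity-check
# an authorized_keys file from step 4.3. Keeping the path a parameter lets
# you rehearse on a copy before touching /etc/ssh/sshd_config on the host.

# set_sshd_option FILE DIRECTIVE VALUE
# Replace every existing line for DIRECTIVE (commented out or not) with a
# single "DIRECTIVE VALUE" line; append one if the directive is absent.
set_sshd_option() {
    file=$1; key=$2; val=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t=]|$)"; done = 0 }
        tolower($0) ~ re { if (!done) { print key " " val; done = 1 }; next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE: the three settings from step 5.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$1" PasswordAuthentication no
}

# sshd_option_value FILE DIRECTIVE: print the effective value, i.e. the first
# uncommented occurrence, which is the one sshd honours.
sshd_option_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_is_hardened FILE: succeed only if root and password logins are off.
sshd_is_hardened() {
    [ "$(sshd_option_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(sshd_option_value "$1" PasswordAuthentication)" = "no" ]
}

# authorized_keys_looks_valid FILE: every non-blank, non-comment line must
# start with a public key type; a private key pasted by mistake fails.
authorized_keys_looks_valid() {
    grep -q -- '-----BEGIN' "$1" && return 1
    awk 'NF && $1 !~ /^#/ {
            if ($1 !~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-)/) bad = 1
         }
         END { exit bad ? 1 : 0 }' "$1"
}

# apply_on_host: the real thing, to be run as root on the OpenBSD bastion.
# Backs up the config, rewrites it, and only restarts sshd if `sshd -t`
# accepts the new file. Not called below; run it by hand when ready.
apply_on_host() {
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    harden_sshd_config "$cfg"
    sshd -t -f "$cfg" || { echo "sshd rejected $cfg; restore the backup" >&2; return 1; }
    rcctl restart sshd
}

# Demo on a constructed copy of an OpenBSD-style default config (constructed
# sample, not copied from a real host).
demo=$(mktemp)
printf '%s\n' \
    '#PermitRootLogin prohibit-password' \
    '#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2' \
    '#PasswordAuthentication yes' \
    'Subsystem sftp /usr/libexec/sftp-server' > "$demo"
harden_sshd_config "$demo"
grep -E '^(PermitRootLogin|AuthorizedKeysFile|PasswordAuthentication)' "$demo"
sshd_is_hardened "$demo" && echo "hardened: yes"
rm -f "$demo"
```

Run it as-is to see the rewrite on the constructed sample; on the bastion, source the file as root and call apply_on_host from the session you keep open, then confirm the key login from a second terminal before you log out.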

Congratulations! You now have a tremendously secure Jump-in point for your cloud infrastructure that only you can access via your ssh private key.

Next, we will configure a load balancing machine.

I hope you liked this first technical post I’ve made, and I plan on doing many more in the future for the sake of documenting the journey of developing applications that are portable and scalable.