Get started

Run it on your own OpenBSD box

OgmaProtect is in early access (v0.5.0) while the pre-1.0 hardening programme completes. Access is granted per request — you get the real package, the quickstart, and a direct line to the people building it.

1 · Request access

  1. Tell us about your setup. Email hello@ogmaprotect.com or call +353 1 620 5585 — who you are, roughly what your network looks like, and whether the small-business terms apply to you.
  2. Receive the package. We reply with the pkg_add-able OpenBSD package and quickstart under the license terms.
  3. Install and go. The steps below take a stock OpenBSD system to a managed router in well under an hour.

2 · What you need

  • OpenBSD 7.x (base system) on the router — any hardware OpenBSD supports, from a small fanless board to a rack server. Prefer not to build your own? Appliances are coming.
  • The sqlite3 package on the router (one pkg_add sqlite3).
  • A browser on your management machine. That's the whole client — no agents, no cloud account.

3 · Install

The package's post-install notes are the canonical instructions; this is the shape of them. Order matters once: ogmaprotect_netd configures the interfaces and exposes the control socket the auth plane requires, so it starts first and ogmaprotect_authd last.

Install the package

doas pkg_add sqlite3
doas pkg_add ./ogmaprotect-0.5.0.tgz

Enable and start the 16 daemons (in this order)

doas rcctl enable ogmaprotect_netd ogmaprotect_rtd ogmaprotect_pfd \
    ogmaprotect_dnsd ogmaprotect_dhcpd ogmaprotect_routed \
    ogmaprotect_diagd ogmaprotect_healthd ogmaprotect_arpd \
    ogmaprotect_logd ogmaprotect_timed ogmaprotect_ipsecd \
    ogmaprotect_sysd ogmaprotect_alertd ogmaprotect_gwmond \
    ogmaprotect_authd

doas rcctl start ogmaprotect_netd ogmaprotect_rtd ogmaprotect_pfd \
    ogmaprotect_dnsd ogmaprotect_dhcpd ogmaprotect_routed \
    ogmaprotect_diagd ogmaprotect_healthd ogmaprotect_arpd \
    ogmaprotect_logd ogmaprotect_timed ogmaprotect_ipsecd \
    ogmaprotect_sysd ogmaprotect_alertd ogmaprotect_gwmond \
    ogmaprotect_authd

Create your admin user

doas ogmaprotectctl user add admin
doas ogmaprotectctl role grant admin net-admin

Wire up HTTPS

Use the installed example httpd.conf (or lift its server blocks into your existing one), configure TLS, and enable HSTS. Then sign in from your browser and add per-user MFA under Users.

Add log rotation

Append the shipped newsyslog fragment so the audit logs rotate — they record operator actions and must neither grow unbounded nor stay world-readable.

Upgrades

Releases are versioned packages. To upgrade: stop the daemons, back up /var/db/ogmaprotect/ (canonical config, revisions and users database — your rollback), install the new package, start the daemons again. Canonical configuration is versioned and forward-migrated automatically.

What early access means: the product is pre-1.0 and the audit-derived hardening programme is still landing. You get every release as it ships, and a direct channel to the engineers — and we get operators who tell us the truth. Production use within the license terms is yours to judge; we are straight about where things stand.