Run it on your own OpenBSD box
OgmaProtect is in early access (v0.5.0) while the pre-1.0 hardening programme completes. Access is granted per request — you get the real package, the quickstart, and a direct line to the people building it.
1 · Request access
- Tell us about your setup. Email hello@ogmaprotect.com or call +353 1 620 5585 — who you are, roughly what your network looks like, and whether the small-business terms apply to you.
- Receive the package. We reply with the
pkg_add-able OpenBSD package and quickstart under the license terms. - Install and go. The steps below take a stock OpenBSD system to a managed router in well under an hour.
2 · What you need
- OpenBSD 7.x (base system) on the router — any hardware OpenBSD supports, from a small fanless board to a rack server. Prefer not to build your own? Appliances are coming.
- The
sqlite3package on the router (onepkg_add sqlite3). - A browser on your management machine. That's the whole client — no agents, no cloud account.
3 · Install
The package's post-install notes are the canonical instructions; this is the shape of
them. Order matters once: ogmaprotect_netd configures the interfaces and
exposes the control socket the auth plane requires, so it starts first and
ogmaprotect_authd last.
Install the package
doas pkg_add sqlite3
doas pkg_add ./ogmaprotect-0.5.0.tgz Enable and start the 16 daemons (in this order)
doas rcctl enable ogmaprotect_netd ogmaprotect_rtd ogmaprotect_pfd \
ogmaprotect_dnsd ogmaprotect_dhcpd ogmaprotect_routed \
ogmaprotect_diagd ogmaprotect_healthd ogmaprotect_arpd \
ogmaprotect_logd ogmaprotect_timed ogmaprotect_ipsecd \
ogmaprotect_sysd ogmaprotect_alertd ogmaprotect_gwmond \
ogmaprotect_authd
doas rcctl start ogmaprotect_netd ogmaprotect_rtd ogmaprotect_pfd \
ogmaprotect_dnsd ogmaprotect_dhcpd ogmaprotect_routed \
ogmaprotect_diagd ogmaprotect_healthd ogmaprotect_arpd \
ogmaprotect_logd ogmaprotect_timed ogmaprotect_ipsecd \
ogmaprotect_sysd ogmaprotect_alertd ogmaprotect_gwmond \
ogmaprotect_authd Create your admin user
doas ogmaprotectctl user add admin
doas ogmaprotectctl role grant admin net-admin Wire up HTTPS
Use the installed example httpd.conf (or lift its server blocks into your
existing one), configure TLS, and enable HSTS. Then sign in from your browser and add
per-user MFA under Users.
Add log rotation
Append the shipped newsyslog fragment so the audit logs rotate — they
record operator actions and must neither grow unbounded nor stay world-readable.
Upgrades
Releases are versioned packages. To upgrade: stop the daemons, back up
/var/db/ogmaprotect/ (canonical config, revisions and users database — your
rollback), install the new package, start the daemons again. Canonical configuration is
versioned and forward-migrated automatically.
What early access means: the product is pre-1.0 and the audit-derived hardening programme is still landing. You get every release as it ships, and a direct channel to the engineers — and we get operators who tell us the truth. Production use within the license terms is yours to judge; we are straight about where things stand.