Tag Archives: OpenBSD

Pen 0.29.0 released

Available here:


And also here:


Pen 0.29.0 introduces transparent reverse proxying on supported platforms,
which currently means Linux, FreeBSD and OpenBSD. This allows the backend
servers to see the client’s real address. It can be used in combination
with SSL termination.

Another improvement is that the server table size is no longer fixed
at startup but grows dynamically as servers are added. The -S option is
still accepted but doesn’t do anything. The client and connection tables
can also be expanded on the fly, reducing the number of restarts.

Full list of changes from 0.28.0:

150608 Released 0.29.0.

150528 Transparent reverse proxy support for Linux, FreeBSD and OpenBSD.

150527 Allow the client table size to be updated on the fly. Default size still 2048.
Allow the connection table size to be updated on the fly. Default still 500.
See penctl.1, options clients_max and conn_max.

150526 Introduced the macro NO_SERVER to be used instead of -1 to signify
error conditions and such.
Removed the fixed server table size along with the -S option.

150525 Fixed cosmetic bug in startup code which required port to be specified
on backend servers even if it was the same as the listening port.


Transparent Reverse Proxy on OpenBSD

Continuing this series of posts on transparent reverse proxy, here’s how to do it on OpenBSD.

The OpenBSD host running Pen has IP addresses on em1 and on em2. The client debian2 has IP address and the server debian3 has IP address

OpenBSD takes first prize in the easy management department by not requiring any special firewall rules or policy routing whatsoever. Just start Pen exactly the same way as on Linux and FreeBSD:

sudo ./pen -df -O transparent

The client sees a connection from to The server sees a connection from to