How to Install OpenVPN Client

Setting up and customizing OpenVPN on Windows, macOS and Linux

VPNs (Virtual Private Networks) are becoming more and more widely used. OpenVPN is a free application for building a virtual private network over an encrypted TLS connection. The increasingly popular OpenVPN client lets you reach your data from anywhere over a VPN connection, for example when working in the home office or with a private cloud. This article shows how to deploy and use the OpenVPN client. OpenVPN is available for free for many operating systems: in addition to Windows there are clients for macOS, iOS, Linux and Android devices.

How to do it


OpenVPN client install on Windows

OpenVPN for Windows can be downloaded from the community website here. On Windows 10, double-click OpenVPN-2.5.0-I601-amd64.msi to start the setup.

Run OpenVPN Customize Setup

Choose Customize to go through the setup wizard; because only the client components are needed here, we adjust the feature selection.

OpenVPN Setup choose Feature selection

Continue installing OpenVPN.

Run OpenVPN Windows Setup

OpenVPN installation completed.


Start OpenVPN


A glance at the taskbar now shows the OpenVPN icon.

OVPN configuration import at the client

The OpenVPN Access Server is available for Windows, Linux and FreeBSD, and a growing number of devices can be used as OpenVPN servers, such as pfSense, OPNsense or OpenWrt, as well as products from commercial manufacturers like Sophos (formerly Astaro), Synology NAS and many more.

The archive with the client configuration, which was previously exported on the VPN server or router, needs to be unpacked; the files ca.crt, README.txt and VPNConfig.ovpn are usually extracted.

The configuration file, VPNConfig.ovpn in this example, may have a different file name. Hint: if you change the file name to, for example, office-davos.ovpn, this name appears in the context menu when connecting.

The file VPNConfig.ovpn usually has to be opened in an editor; I use Notepad for this and change YOUR_SERVER_IP to the public IP address of the VPN gateway, or of the firewall that holds the NAT mapping to the VPN termination device.
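A profile received from a server or router export is worth reading before it is imported. The following is an added example, not part of the original article: a small Python check that flags an unedited YOUR_SERVER_IP placeholder, options that make the client run external programs, a weak `cipher`, and missing server certificate checks. The function names, finding codes and both sample profiles are constructed for illustration; the option names are standard OpenVPN options.

```python
import shlex

# Options that make the OpenVPN client run an external program or load code.
EXEC_OPTIONS = {"up", "down", "route-up", "route-pre-down", "ipchange",
                "tls-verify", "plugin"}
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}
PLACEHOLDER = "YOUR_SERVER_IP"  # placeholder named in the article


def parse_profile(text):
    """Return (options, inline) for .ovpn text.

    options is a list of (line_number, name, args); inline is the set of
    inline block names, e.g. "ca" for <ca>...</ca>."""
    options, inline, block = [], set(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block:                          # inside <ca>...</ca> and similar
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            block = line[1:-1]
            inline.add(block)
            continue
        try:
            parts = shlex.split(line, comments=True)
        except ValueError:                 # unbalanced quote: split naively
            parts = line.split()
        if parts:
            options.append((lineno, parts[0].lstrip("-"), parts[1:]))
    return options, inline


def audit_profile(text):
    """Return a list of (code, message) findings for one client profile."""
    options, inline = parse_profile(text)
    names = {name for _, name, _ in options}
    findings = []
    remotes = [(n, args) for n, name, args in options if name == "remote"]
    if not remotes:
        findings.append(("no-remote", "profile names no server"))
    for lineno, args in remotes:
        if not args or args[0] == PLACEHOLDER:
            findings.append(("placeholder", f"line {lineno}: remote not set"))
    for lineno, name, args in options:
        if name in EXEC_OPTIONS:
            findings.append(("exec", f"line {lineno}: '{name}' runs external code"))
        elif name == "script-security" and args[:1] not in ([], ["0"], ["1"]):
            findings.append(("script-security", f"line {lineno}: level {args[0]}"))
        elif name == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append(("weak-cipher", f"line {lineno}: {args[0]}"))
    if "ca" not in names and "ca" not in inline:
        findings.append(("no-ca", "no CA certificate to verify the server"))
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        findings.append(("no-server-check", "server certificate not checked"))
    return findings


# Constructed sample: an export that was never edited and carries a script hook.
UNEDITED_PROFILE = """\
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
ca ca.crt
auth-user-pass
cipher BF-CBC
script-security 2
up ./connect.sh
"""

# Constructed sample: edited profile with an inline CA and server checks.
REVIEWED_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
<ca>
(constructed placeholder, not a real certificate)
</ca>
auth-user-pass
remote-cert-tls server
"""

if __name__ == "__main__":
    for code, message in audit_profile(UNEDITED_PROFILE):
        print(f"{code}: {message}")
```
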

OpenVPN Connection Editing

After saving VPNConfig.ovpn, the configuration is imported.

Right-clicking the icon in the system tray opens the context menu, from which you choose Import file.

Figure: Importing OpenVPN Connection

Tip: if you rename the file VPNConfig.ovpn to, e.g., Home-Office.ovpn, the corresponding name appears as the target in the Connect context menu.

Connecting from the context menu prompts for the user name and password; this is the user on the VPN router or, when LDAP authentication is used, the user on the server.

Figure: OpenVPN Connection

If the connection is successful, the OpenVPN icon will appear green.

OpenVPN client setup on macOS

OpenVPN Connect v3 Client for macOS is a complete installation program for macOS; after the installation the ovpn file can be imported for an OpenVPN connection to an access server. If the downloaded OpenVPN Connect v3 for macOS is installed on a Mac on which OpenVPN Connect v3 is already installed and configured, it is updated to the new version with all settings retained.

How to install OpenVPN on macOS Catalina
OpenVPN Installer on macOS Catalina
OpenVPN Dock
OpenVPN Connect for macOS
OVPN file import on macOS Catalina.

Deploy OpenVPN client on Linux

With the standard installation, OpenVPN is usually already installed together with the network management tools; in this case you can go directly to Import OVPN configuration file below. The easiest way to deploy the OpenVPN client is through the package management system. Run the following commands as root on a Red Hat based Linux distribution such as Fedora or CentOS:

Install OpenVPN on Debian and Ubuntu based distributions as follows:

Run the OpenVPN client with the downloaded configuration file, using the --config argument to pass the configuration file:

The configuration file, VPNConfig.ovpn in this example, may have a different file name. Hint: if you change the file name to, for example, office-davos.ovpn, this name appears in the context menu when connecting.

The connection can also be established via a GUI client. To install the OpenVPN GUI from the shell:

Import OVPN configuration file

Now you can call the Connection Manager by clicking on the network icon – VPN Connections – Configuring VPN.

Illustration: OpenVPN GUI Ubuntu

Click Add – Import Saved VPN Configuration – Create a new VPN connection. The next step is to import the previously downloaded VPNConfig.ovpn file. The connection can now be started from the taskbar.

For Linux Mint with the Cinnamon desktop, click on the network icon in the taskbar and go to network settings.

Cinnamon Connection
Cinnamon Network

Click + to create a new network connection.

on Cinnamon open saved VPN-config to import OpenVPN

Import saved VPN configuration from the VPNConfig.ovpn file. After entering the user and password, the saved connection can be started in the taskbar.

Import the OVPN file via the Network Manager of Linux Mint and Cinnamon Desktop.


Disable Linux Mint automatic login

During installation, Linux Mint offers the option of starting the system with automatic login. If password entry is to be restored later, as with Ubuntu 10 Buster, the option can no longer be found in the settings. This post shows how to re-enable user login with password entry under Linux Mint 20 Ulyana.

It was necessary to switch off the automatic login after it was found that the email client Geary did not save the passwords of the accounts; these had to be re-entered after each restart.

Linux email client Geary

Since Linux Mint 19 Tessa Cinnamon, or even longer, there has been the option Automatic login in the Control Panel – Login window. The setting can now be made with a text editor: open a terminal with CTRL + ALT + T and enter the following command:

and remove these lines:

If you are not familiar with vim, you can use your favorite editor, such as nano or xed.

After restarting and logging in with a password, the key management opens in the background, which enables Geary to save the passwords in the seahorse key management.
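The listing of the lines to remove is not reproduced on this page. The following is an added example, not the original post's commands, which assumes the lines in question are LightDM's `autologin-*` keys in a seat section of /etc/lightdm/lightdm.conf. It reports whether automatic login is still configured and returns the file text with those lines removed; the function names and the sample file content are constructed.

```python
def find_autologin(conf_text):
    """Return [(line_number, section, key, value)] for every uncommented
    autologin-* key inside a seat section of lightdm.conf text."""
    hits, section = [], ""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # e.g. "Seat:*" or "SeatDefaults"
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        in_seat = section.lower().startswith("seat")
        if sep and in_seat and key.startswith("autologin-"):
            hits.append((lineno, section, key, value.strip()))
    return hits


def autologin_enabled(conf_text):
    """True if any seat names an autologin user or allows guest autologin."""
    for _, _, key, value in find_autologin(conf_text):
        if key == "autologin-user" and value:
            return True
        if key == "autologin-guest" and value.lower() == "true":
            return True
    return False


def strip_autologin(conf_text):
    """Return the text with the autologin-* lines removed, rest untouched."""
    drop = {lineno for lineno, *_ in find_autologin(conf_text)}
    kept = [line for n, line in enumerate(conf_text.splitlines(), 1)
            if n not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample of a lightdm.conf written by an installer with autologin.
SAMPLE_CONF = """\
[Seat:*]
autologin-guest=false
autologin-user=mint
autologin-user-timeout=0
# autologin-session=cinnamon
user-session=cinnamon
"""

if __name__ == "__main__":
    print("autologin before:", autologin_enabled(SAMPLE_CONF))
    cleaned = strip_autologin(SAMPLE_CONF)
    print(cleaned, end="")
    print("autologin after:", autologin_enabled(cleaned))
```
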

Linux Mint 20 Cinnamon – disable autologin
Linux Mint Terminal: cat /etc/lightdm/lightdm.conf

Another way to switch off automatic user login is to clear the user in the Username field in the User section of System Settings – Login Window.

Linux Mint control panel logon setting
Login Window – Users – Username must be empty.

Under automatic login, the Username field must be empty.

Docker Container with Synology DSM

How to use Docker with Synology

Synology DSM 6.0 or higher comes with the Docker Engine. You can find the Docker App in the package center by entering docker in the search field.

Docker is a lean virtualization application platform; thousands of containers created by developers from all over the world can be executed and are published on the well-known image repository called Docker Hub. Container images found on Docker Hub are downloaded and run from Synology’s integrated Docker app.


If the Docker App does not appear in the Package Center, the Synology device is most likely not supported.

Due to the hardware requirements, Docker is only offered for models with virtualization technology (VT-x). The models used in this guide are RS820RP+ / RS4018xs+ / DS218+; these support Docker.

How to use Docker

When you open the main menu icon from DSM, you will find the icon for the Docker Engine, which can now be started.


Docker opens in the overview; the running containers and applications are listed here, including allocated memory and CPU resources. No container has been started yet.

Synology DSM Docker overview

In addition, the Docker command line is shown below as an alternative hint to using the Docker console.

CLI Docker Command Running Container:

In the Registration section you can search for new images (like on the official website). New repositories (in addition to the official ones) can also be added under Settings.

Synology DSM Docker Registration

CLI: the original Docker command is:

After a suitable image has been found, in this case a small Dockerized Ubuntu 18.04 image that contains an SSH service, it is downloaded to the Synology NAS with a right click, ideally always choosing latest. All images are write-protected and can be used multiple times for other containers.

The download can take a few minutes, depending on the size and available download bandwidth. The download status is shown with an animated icon.

CLI Docker Command is:

The downloaded images that are available on the Synology NAS are located under Image. New containers can be started with the Docker wizard. Note: the link symbol opens the Docker Hub page for the container, with useful information.

Synology DSM Docker Image

CLI Docker Command is:

Now click Start to open the wizard.

Figure: Starting a Synology DSM Docker container

Next, complete the wizard and start the container by clicking Apply.

Synology DSM Docker create

CLI Docker Command is:

The running container can now be found in the Container section.


CLI Docker full output as follows:

Back to Docker overview, we can now see the resources of started containers.

Synology DSM Docker overview

CLI Docker Command is:

Now we try to establish an SSH terminal session to the container. To do this, click Details in the Container section to see which port the SSH service is listening on.

Synology DSM Docker Container

In the overview, under port settings, we find the value we are looking for under local port; in this case it is port 32789. The port is assigned automatically.

CLI: determine the port address.

Now we open PuTTY or KiTTY and connect to the IP of the Synology NAS on port 32789 to reach the container; the CLI command is as follows:

Figure: KiTTY session

Log on as root with the password of root.


The Docker Engine can also be used from the console, provided the SSH terminal has been activated under DSM Control Panel – SSH Service.

The Docker application shown in this article is intended as a simple example of how Docker can be used on a Synology NAS. Of course there are more useful container applications, from web servers for developing web applications to complete development environments; there are already countless Docker images on Docker Hub and other Docker registries. It makes you wonder whether the effort of installing your own development environment such as XAMPP or LAMP is still worthwhile. At this point it should be mentioned that all data stored in the container must be saved on a persistent volume, because all work is lost when the container is closed.

There are also other articles about using Docker in this blog; the best thing to do is to simply enter docker in the search field above.

Fixing Windows Spotlight

How to fix Windows Spotlight not changing to new images

Windows Spotlight is a feature included in Windows 10 that downloads wallpapers from Bing automatically, so you see a new background image on the lock screen when you sign in.

The only downside to Microsoft Windows Spotlight is that sometimes it stops working or you will notice it stuck on the same picture. Unfortunately, Windows 10 doesn’t include an option to reset this feature. However, it is possible to fix Windows Spotlight settings using this simple workaround.

Resetting Windows Spotlight

To do this, open Settings, click Personalization -> Lock screen, and change the background to Picture.

Then right-click on Desktop -> New -> Text document and insert the following content:

Click on File -> Save As, and save as Filename spotlight.bat.

Right-click the spotlight.bat batch file to open the context menu, and select Run as administrator.

Now restart your computer. Then open settings again and switch to Windows Spotlight under Personalization -> Lock screen.

As soon as these steps are carried out, you can lock the computer by pressing the Win + L keys; the lock screen now presents new Bing images.

Note: For Windows Spotlight to work, Settings – Privacy – Background apps must be activated.

Setting: Allow apps to run in the background

Nagios Monitoring on Raspberry Pi

How to Install Nagios on Raspberry Pi

Nagios OpenSource IT infrastructure Monitoring

Nagios consists of a collection of modules for monitoring networks, hosts and their specific services, as well as a web interface to display queries of the collected data. Nagios is under the GNU GPL, so it is free software and runs on numerous Unixoid operating systems. Because of its widespread use, Nagios has become a quasi-standard in professional use.

Nagios Monitoring with Raspberry Pi

The Raspberry Pi, with its fanless design, minimal dimensions and low power consumption, is well suited as a single-board computer for a Nagios monitoring server that can even monitor itself.


The installation of Nagios Core 4 on the Raspberry’s own OS Raspbian, which is based on Debian, is unspectacular. These instructions show the procedure for a Raspberry Pi 3 Model B with a 32 GB Class 10 microSD card; a 16 GB microSD card would also suffice.

Raspbian Terminal

SanDisk Ultra SDHC I 16 GB – 80 /Sek, Class 10 microSD Card.

The provision of Raspbian on a microSD card is not discussed here in more detail. After booting a Raspbian desktop image, open LXTerminal on the Raspbian X desktop and start the root shell; in headless operation a VNC session can be started with VNCViewer, logging in as user pi with the default password raspberry. If you want to use the Raspbian Minimal Image, authentication via SSH to the Raspberry Pi is recommended.

Raspbian VNCViewer

After logging in as user pi, we want to become root.

First, all required packages are installed from the repository as a prerequisite.

Download and unzip the Nagios Core 4 source packages. The latest release can be found here. The core release as well as the agents and plugins are available on GitHub.


Create the user nagios and the group. The Apache user www-data is also added to the nagios group.

Install the binaries.

Install the service daemon files and configure them for the boot process.

Install and configure the external command file.

Now the *SAMPLE* configuration files are installed. These are necessary because Nagios needs some configuration files to start.

The Apache web server configuration files are installed and the Apache settings for Nagios are configured.

Port 80 must be permitted for incoming data traffic on the local firewall so that the Nagios Core web interface can be reached.

Answer yes to save the existing rules.

An Apache user account is created so that it can log into Nagios.

The following command creates a user account called nagiosadmin and sets a password for the account; remember this password.

The Apache web server must be restarted.

Nagios Core will now start.

Nagios is now ready to be tested.

You will be asked to log in with your user name and password. The username is nagiosadmin (you created it in a previous step) and the password is what you provided earlier.

After successfully logging in, the Nagios Core web interface appears. Congratulations, you did it.

Nagios Core is now installed, but the Nagios plugins are still required for operation. The error message (No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_load .. appears; this is normal, and the standard plugins are installed in the following steps.

Plugin Installation

The following packages are installed from the repository as a prerequisite for installing the plugins.

Download and extract the source packages. The latest plugin releases can be obtained from

Compile and install packages.

Go to a host or service object and “Re-schedule the next check” in the Commands menu. The error that appeared before should now disappear and the correct output is displayed on the screen.

The daemon commands for start / stop / restart / status.

Nagios configuration

Now that the Nagios Core server is ready for operation, it is time to create the configuration of the hosts and services that are to be monitored. Under /usr/local/nagios/etc the main configuration file is nagios.cfg; here the paths to the configuration files are defined with cfg_file, and the hosts to be monitored can be entered in a file hosts.cfg.

If a more structured layout is wanted, the host and service configuration can be saved in the directories printers, routers, servers and switches; to do this, edit nagios.cfg and remove the comment characters # (hash) from the corresponding cfg_dir= lines.

The .cfg files created in these directories are read in.

Example for a mail and web server, in which IMAP and HTTPS are checked.

The Nagios server is restarted after each change.

A look at the Nagios log file can be worthwhile.

Additional configuration examples for Linux, Windows, printers, routers and switches can be found under the objects directory.

Example: Nagios Service Configuration

With remote agents such as NCPA, active checks can be carried out on Windows and Linux hosts; passive checks can be carried out using NRDP and NRPE, which provide values on CPU load, memory usage, processes, user and disk usage.

Nagios Notification

In the files nagios.cfg and objects/contacts.cfg, the recipient email root@localhost can be left as is.

In the file nagios.cfg this is set at admin_email.

Postfix is used here as the mail transport agent for the Nagios email notification. It is installed and configured as follows.

During the installation you will be asked to select a mail server configuration, here we select Internet Site.

In order to be able to test the sending of emails later, the package mailutils is installed.

The Postfix main configuration is adapted.

At relayhost, the mail server is entered that allows the Raspberry Pi to receive emails; if the Raspberry is behind a firewall with NAT, the public IP address of the mail server must be authorized for reception.

Set up an email address for root by editing the aliases file.

At the end a valid email address is entered so that mails from this host are delivered, here as an example it is, the colon for root: is mandatory.

After changing the aliases file, the aliases.db file must still be generated.

The Postfix configuration also has to be read in and activated.

Emails can now be sent from the Raspberry Pi; this can be done as follows.

An email should now be in the inbox of

Reading the email log can also provide further information here.

If the attempt to send returns status=bounced, reception on the mailer is not yet authorized. With Exchange, the IP address of the Raspberry Pi must be entered in the receive connector in the frontend transport under area definition for email received from servers with these remote IP addresses. For Postfix a smtpd_client_restrictions directive must exist in

The client_access file contains the IP address of the Raspberry Pi.

The Postfix database still needs to be generated.

If the SMTP requests are accepted by the mailer, the queue process and delivery can take place.

Windows Server 2012 NTP Configuration

Windows Server NTP Network Time

Correct time synchronization in an AD domain environment is a prerequisite for stable operation. This article describes how NTP (w32tm) is configured on a Windows Server 2012 (FSMO). As a rule, the PDC operations master is the NTP service server in a forest. A PDC emulator in a domain is synchronized with an external time source. In order for a domain controller to be regarded as a reliable time source, this must be specified explicitly.

In order to make the PDC emulator a reliable time source that regularly synchronizes with time servers on the Internet, the following commands are executed from PowerShell as administrator:

Show which time server is currently in use.

Execute the time synchronization immediately.

The clients and servers in the domain forest, as well as shared storage, can now synchronize their time with the PDC emulator.

The firewall must permit UDP port 123 inbound and, respectively, outbound.

The NTP configuration can also be done via GPO by calling gpmc.msc.

Group Policy Management
Computer Configuration/Administrative Templates/System/Windows-Timeservice/Timeserver

Group Policy Management Console

The following test displays a graph of the offset between the synchronizing computers.

W32tm stripchart

The configuration can also be checked in the registry.


Launch AnyDesk from KeePass

Launch AnyDesk Remote Desktop Remote Access from KeePass

KeePass is a useful tool for administrators in their daily system maintenance and administrative work. AnyDesk is also often used, as is other remote maintenance software such as TeamViewer or VNC Viewer for remote desktop maintenance; SSH terminal sessions to servers and network devices are also required.

This post shows how to start an AnyDesk Remote Desktop session to a computer directly from KeePass.

KeePass enables an external program to be executed from an entry, passing parameters such as host name or address and the user credentials for authentication. To do this, choose Add Entry in KeePass to create a new target.

In the General tab, the computer name is entered in the Title field. For User name, enter the AnyDesk alias, which is usually the computer name (hostname); alternatively the AnyDesk ID can be used. The AnyDesk password is entered in the Password field.

The KeePass URL to pass the parameters to AnyDesk:

After the entry is saved, the AnyDesk Remote Desktop session is started with a double-click in the URL column, or with the key combination Ctrl + V.

Double click URL to connect AnyDesk Remote Desktop

The AnyDesk alias is the hostname, or the ID that is displayed with 9 digits on the remote computer. The hostname (alias) is transferred to AnyDesk from the User name field as the USERNAME variable, with the password as a parameter from KeePass.

Windows Trusted Installer with AdvancedRun

Run the SYSTEM and Trusted Installer service account with AdvancedRun

One would think that as an administrator authenticated to Windows, you have all the permissions to make changes in the registry, also under HKLM/SECURITY, to install software, or to change, overwrite or delete files and directories.

Windows service accounts SYSTEM and Trusted Installer are the owners of system files and registry keys

Trusted Installer is a service account used by the Windows Modules Installer Service. The Trusted Installer service running under the Trusted Installer user has exclusive permissions to everything related to Windows updates and optional Windows components.

Windows uses the SYSTEM account at logon for internal tasks and processes; it manages the rights of the SYSTEM account itself. If you look in the user management, you will notice that this account does not appear there, and it cannot be added to a group.

Administrators may be required to run programs in the context of the SYSTEM or Trusted Installer accounts if these accounts own files and registry keys. Since the Windows on-board resources do not provide an adequate procedure for this task, free tools can take it over.

Administrators could take ownership of files and folders owned by SYSTEM or Trusted Installer. However, this would potentially affect system services and processes if the ownership change is not undone.

It is better to run programs such as regedit.exe or Explorer under these accounts to modify files or registry entries that belong to these particular service accounts.

Run Program with AdvancedRun as SYSTEM and Trusted Installer

Nirsoft’s AdvancedRun utility makes it easy to run programs with many options as special users in Windows.

AdvancedRun has many useful features beyond running as SYSTEM or Trusted Installer. It can also run programs as NetworkService or LocalService.

AdvancedRun Features:

  • Run program with user of another running process
  • Run a program as another logged-in user without knowing and having to enter their password.
  • Run RegEdit as a SYSTEM user. In this mode you can access the key HKEY_LOCAL_MACHINE\SECURITY.
  • Run high-priority programs
  • Use other PATH environment variables without changing the actual PATH

AdvancedRun can be downloaded here.

Credential or ssl vpn configuration is wrong

FortiClient Error: Credential or ssl vpn configuration is wrong (-7200)

When trying to start an SSL VPN connection on Windows Server 2016 or 2019 with FortiClient, the error message “Credential or ssl vpn configuration is wrong (-7200)” may appear. The connection to the endpoint is dropped during initialization because of the encryption settings, which can be found in the Internet options.

According to Fortinet support, the settings are taken from the Internet options. The Internet Options of the Control Panel can be opened via Internet Explorer (IE), or by calling inetcpl.cpl directly.

Windows Logo + R

Press the Win + R keys, enter inetcpl.cpl and click OK.

Run inetcpl.cpl
Internet Options Delete personal settings

Select the Advanced tab

Disable Use TLS 1.0 (no longer supported)

Click the Reset… button. If the Reset Internet Explorer settings button does not appear, go to the next step.

Click the Delete personal settings option

Click Reset

Add website to Trusted sites

Add the SSL-VPN gateway URL to the Trusted sites. Usually, the SSL VPN gateway is the FortiGate on the endpoint side.

Internet Options Trusted Sites

Go to the Security tab in Internet Options, choose Trusted sites, then click the Sites button. Enter the SSL-VPN gateway URL under Add this website to the zone and click Add; https://sslvpn_gateway:10443 is used here as a placeholder.

Note: The default Fortinet certificate for SSL VPN was used here, but using a validated certificate won’t make a difference.

Furthermore, the SSL state must be reset: go to the Content tab and, under Certificates, click the Clear SSL state button.

Internet Options Clear SSL state

The SSL VPN connection should now be possible with the FortiClient version 6 or later, on a Windows Server 2016 or later, and also on Windows 10.