Setting up and customizing OpenVPN on Windows, macOS and Linux
VPN (Virtual Private Network) use is becoming more and more widespread. OpenVPN is a free application for building a virtual private network over an encrypted TLS connection. The increasingly popular OpenVPN client enables VPN connections for accessing data from anywhere, for example when working from a home office or with a private cloud. This article shows the deployment and use of the OpenVPN client. OpenVPN is available free of charge for many operating systems; in addition to Windows there are clients for macOS, iOS, Linux and Android devices.
OpenVPN for Windows can be downloaded from the community website; on Windows 10, double-click OpenVPN-2.5.0-I601-amd64.msi to start the setup.
Choose Customize to go through the setup wizard; since only the client components are needed here, we restrict the selection accordingly.
Continue installing OpenVPN.
OpenVPN installation completed.
A glance at the taskbar now shows the OpenVPN icon.
OVPN configuration import at the client
The OpenVPN Access Server is available for Windows, Linux and FreeBSD, and an increasing number of devices can be used as OpenVPN servers, such as pfSense, OPNsense or OpenWrt, appliances from commercial manufacturers like Sophos (formerly Astaro) or Synology NAS, and many more.
The file with the client configuration, such as openvpn.zip, which was previously exported on the VPN server or router, needs to be unpacked; usually the files ca.crt, README.txt and VPNConfig.ovpn are extracted.
The configuration file, in this example VPNConfig.ovpn, may have a different file name. Hint: if you rename the file to, for example, office-davos.ovpn, this name appears in the context menu when connecting.
The file VPNConfig.ovpn usually has to be opened in an editor (I use Notepad for this) to change YOUR_SERVER_IP to the public IP address of the VPN gateway, or of the firewall on which the NAT mapping to the VPN termination device is configured.
After saving VPNConfig.ovpn, the configuration is imported.
Right-clicking the icon in the system tray opens the context menu, from which you choose Import file.
Tip: if you rename the file VPNConfig.ovpn to e.g. Home-Office.ovpn, the corresponding name appears as the target in the Connect context menu.
Connecting from the context menu prompts for user name and password; this is the user on the VPN router or, when LDAP authentication is used, the user on the server.
If the connection is successful, the OpenVPN icon will appear green.
OpenVPN client setup on macOS
OpenVPN Connect v3 Client for macOS is a complete installation program for macOS; after installation, the ovpn file can be imported for an OpenVPN connection to an Access Server. If the downloaded OpenVPN Connect v3 for macOS is installed on a Mac on which OpenVPN Connect v3 is already installed and configured, it is updated to the new version with all settings retained.
Deploy OpenVPN client on Linux
With a standard installation, OpenVPN is usually already installed together with the network management tools; in that case you can go directly to importing the OVPN configuration file below. The easiest way to deploy the OpenVPN client is via the package management system, by running the following command as root on a Red Hat based Linux distribution such as Fedora or CentOS:
[root@fedora ~]# dnf install openvpn
Install OpenVPN on Debian and Ubuntu based distributions as follows:
[root@debian ~]# apt-get install openvpn
Run the OpenVPN client with the downloaded configuration file, using the --config argument to pass the configuration file:
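As an added example (not code from the original article), the following POSIX shell script does the two steps described above for the Linux client: it substitutes the YOUR_SERVER_IP placeholder in the exported VPNConfig.ovpn, checks that the file is ready, and only then starts openvpn with --config. The sample configuration, the address 203.0.113.10 and the helper names are constructed for this example; the remote-cert-tls server line is a hardening directive added here, not one the text mentions.

```shell
#!/bin/sh
# Added example, not from the original article: prepare a client .ovpn file
# exported from a VPN gateway and sanity-check it before handing it to openvpn.
# The file contents, placeholder and IP address below are constructed.

# Write a constructed sample config that mimics an exported VPNConfig.ovpn
# with the YOUR_SERVER_IP placeholder still in place.
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
ca ca.crt
auth-user-pass
EOF
}

# Replace the placeholder with the gateway's public address (sed -i is not
# portable, so write to a temp file and move it into place).
set_gateway_address() {
    cfg="$1"; addr="$2"
    sed "s/YOUR_SERVER_IP/$addr/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Append remote-cert-tls server if the export did not include it; with it the
# client only accepts a peer certificate issued for a server, so another
# client certificate from the same CA cannot pose as the gateway.
harden_config() {
    grep -q '^remote-cert-tls server' "$1" || printf 'remote-cert-tls server\n' >> "$1"
}

# Return 0 when the file looks ready: no placeholder left, a remote line
# present and the server certificate check enabled.
check_config() {
    cfg="$1"
    grep -q 'YOUR_SERVER_IP' "$cfg" && { echo "placeholder still present"; return 1; }
    grep -q '^remote ' "$cfg" || { echo "no remote line"; return 1; }
    grep -q '^remote-cert-tls server' "$cfg" || { echo "remote-cert-tls server missing"; return 1; }
    return 0
}

# Start the client only after the checks pass; needs root for the tun device.
start_vpn() {
    check_config "$1" || return 1
    openvpn --config "$1"
}
```

Run start_vpn VPNConfig.ovpn as root after set_gateway_address and harden_config; check_config refuses a file that still contains the placeholder, so a half-edited export never reaches openvpn.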
The connection can also be established via a GUI client; to install the OpenVPN GUI from the shell:
Now you can open the Connection Manager by clicking on the network icon – VPN Connections – Configure VPN.
Click Add – Import Saved VPN Configuration – Create a new VPN connection. The next step is to import the previously downloaded VPNConfig.ovpn file. The connection can now be started from the taskbar.
For Linux Mint with Cinnamon desktop, you click on the network icon in the taskbar and go to network settings.
Click + to create a new network connection.
Import the saved VPN configuration from the VPNConfig.ovpn file. After entering user name and password, the saved connection can be started from the taskbar.
Import the OVPN file via the Network Manager of the Linux Mint Cinnamon desktop.
During installation, Linux Mint offers the option of enabling automatic login at system start. If password entry is to be restored later, as with Ubuntu 10 Buster, the option can no longer be found in the settings. This post shows how to re-enable user login with password entry under Linux Mint 20 Ulyana.
It was necessary to switch off automatic login after it was found that the email client Geary did not save the account passwords; these had to be re-entered after each restart.
Since Linux Mint 19 Tessa Cinnamon, the option Automatic login is no longer available in Control Panel – Login window. The setting can instead be made with a text editor: open a terminal with CTRL + ALT + T and enter the following command:
and remove these lines:
If you are not familiar with vim, your favorite editor could be nano or xed.
After restarting and logging in with a password, the keyring management opens in the background, which enables Geary to save the passwords in the seahorse keyring.
Another possibility to switch off the automatic user login is to remove the user in the Username field in the User section in System Settings – Login Window.
On automatic login, the Username field must be empty.
Synology DSM 6.0 or higher comes with the Docker Engine. You can find the Docker App in the package center by entering docker in the search field.
Docker is a lean application virtualization platform; thousands of containers created by developers from all over the world can be executed and are published on the well-known image repository Docker Hub. Container images found on Docker Hub can be loaded and executed from Synology's integrated Docker App.
If the Docker App does not appear in the Package Center, the Synology device is most likely not supported.
Due to the hardware requirements, Docker is only offered for models with virtualization technology (VT-x). The models used in this guide are RS820RP+ / RS4018xs+ / DS218+ for these the Docker ability is given.
How to use Docker
When you open the main menu icon from DSM, you will find the icon for the Docker Engine, which can now be started.
Docker opens in the overview, where the running containers are listed with their allocated memory and CPU resources and the number of containers started so far.
In addition, the Docker command line is explained below as an alternative to the Docker console.
CLI Docker command for running containers:
In the Registry section you can search for new images (as on the official website). New repositories (in addition to the official ones) can also be added under Settings.
The original CLI Docker command is:
docker search ubuntu-sshd
After a suitable image has been found, in this case a small dockerized Ubuntu 18.04 image containing an SSH service, it is downloaded with a right-click on the Synology NAS, ideally always choosing the latest tag. All images are write-protected and can be used multiple times for other containers.
The download can take a few minutes, depending on the size and available download bandwidth. The download status is shown with an animated icon.
CLI Docker Command is:
docker pull rastasheep/ubuntu-sshd
The downloaded images available on the Synology NAS are located under Image. New containers can be started with the Docker wizard. Note: the link symbol opens the Docker Hub page of the container with useful information.
CLI Docker command is:
Clicking Start opens the wizard.
Click Next to complete the wizard and start the container by clicking Apply.
Back in the Docker overview, we can now see the resources of the started containers.
CLI Docker command is:
Now we try to establish an SSH terminal session to the container. To do this, click on Details in the Container section to see which port the SSH service is listening on.
In the overview under Port Settings we find the value we are looking for under Local Port; in this case it is port 32789, the port is assigned automatically.
CLI: determine the port mapping.
~# docker port ubuntu 22
Now we open PuTTY or KiTTY and connect to the IP of the Synology NAS on port 32789 to reach the container; the CLI command is as follows:
~# ssh -p 32789 firstname.lastname@example.org
The authenticity of host '[10.127.52.77]:32789 ([10.127.52.77]:32789)' can't be established.
ECDSA key fingerprint is SHA256:YtTfuoRRR4qStSVA5UuxnGamA/dvf+djbIT2Y48IYD0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.127.52.77]:32789' (ECDSA) to the list of known hosts.
Last login: Thu Sep 19 15:00:25 2018 from 172.18.0.1
Log on as root with the root password.
The Docker Engine can also be used from the console, provided the SSH terminal has been activated under DSM Control Panel – SSH Service.
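As an added example (not from the original article), here are the CLI equivalents of the wizard steps above in one POSIX shell script: pull the image, run it detached with -P so the host port for port 22 is assigned automatically, read the mapping back with docker port, and open the SSH session. The helper names, the NAS address parameter and the sample mapping strings are assumptions made for this example; the image and container name are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original article: start the SSH container with
# an automatically assigned host port, read the mapping back with docker port
# and open the SSH session from the DSM shell. The container name "ubuntu"
# and the image rastasheep/ubuntu-sshd come from the article; the parsing
# helper and its sample inputs are constructed here.

# Extract the host port from a docker port mapping such as
# "0.0.0.0:32789" or "[::]:32789" (everything after the last colon).
host_port_from_mapping() {
    printf '%s\n' "$1" | sed 's/.*://'
}

# Pull the image, run it detached with -P so Docker picks a free host port for
# container port 22, then print the assigned host port. docker port may list
# one mapping per address family, so only the first line is used.
start_sshd_container() {
    docker pull rastasheep/ubuntu-sshd >/dev/null
    docker run -d -P --name ubuntu rastasheep/ubuntu-sshd >/dev/null
    host_port_from_mapping "$(docker port ubuntu 22 | head -n 1)"
}

# Connect to the container through the NAS address on the assigned port
# (the container's sshd accepts the root login described in the text).
ssh_into_container() {
    nas="$1"; port="$2"
    ssh -p "$port" "root@$nas"
}

# Remove the container again once the test session is finished.
stop_sshd_container() {
    docker rm -f ubuntu >/dev/null
}
```

Typical use on the NAS: port=$(start_sshd_container) followed by ssh_into_container 10.127.52.77 "$port"; the hard-coded 32789 from the screenshots is never needed because the mapping is read back from Docker each time.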
attach Attach local standard input, output, and error streams to a running container
build Build an image from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders between a container and the local filesystem
create Create a new container
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
export Export a container's filesystem as a tar archive
history Show the history of an image
images List images
import Import the contents from a tarball to create a filesystem image
info Display system-wide information
inspect Return low-level information on Docker objects
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a Docker registry
logout Log out from a Docker registry
logs Fetch the logs of a container
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rename Rename a container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save one or more images to a tar archive (streamed to STDOUT by default)
search Search the Docker Hub for images
start Start one or more stopped containers
stats Display a live stream of container(s) resource usage statistics
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update configuration of one or more containers
version Show the Docker version information
wait Block until one or more containers stop, then print their exit codes
Run 'docker COMMAND --help' for more information on a command.
The Docker application shown in this article is intended as a simple example of how Docker can be used on a Synology NAS. Of course there are more useful container applications, from web servers for developing web applications to complete development environments; there are already countless Docker images on Docker Hub https://hub.docker.com and other Docker registries. It makes you wonder whether the effort of installing your own development environment such as XAMPP or LAMP is still worthwhile. At this point it should be mentioned that all data stored in the container must be saved on a persistent volume, because all work is lost when the container is removed.
There are also other articles about using Docker here in this blog, the best thing to do is to simply enter docker in the search field above.
How to Fix Windows Spotlight does not change new images
Windows Spotlight is a feature included in Windows 10 that automatically downloads wallpapers from Bing, so you alternately see a new background image on the lock screen when you sign in.
The only downside to Microsoft Windows Spotlight is that sometimes it stops working or gets stuck on the same picture. Unfortunately, Windows 10 doesn't include an option to reset this feature. However, it is possible to fix the Windows Spotlight settings using this simple workaround.
Resetting Windows Spotlight
To do this, open Settings -> Personalization -> Lock screen and change the background to Picture.
Then right-click on Desktop -> New -> Text document and insert the following content:
Nagios consists of a collection of modules for monitoring networks, hosts and their specific services, as well as a web interface to display the collected data. Nagios is licensed under the GNU GPL, so it is free software, and runs on numerous Unix-like operating systems. Because of its widespread use, Nagios has become a quasi-standard in professional use.
Nagios Monitoring with Raspberry Pi
The Raspberry Pi, with its fanless design, minimal dimensions and low power consumption, is well suited as a single-board computer for a Nagios monitoring server that can even monitor itself.
The installation of Nagios Core 4 on the Raspberry’s own OS Raspbian, which is based on Debian, is unspectacular. Here in these instructions the procedure for a Raspberry Pi 3 Model B is shown, on a 32 GB microSD card type Class 10, a 16 GB microSD card would also suffice.
SanDisk Ultra SDHC I 16 GB – 80 /s, Class 10 microSD card.
Provisioning Raspbian on a microSD card is not discussed here in more detail. After booting a Raspbian desktop image, LXTerminal is opened on the Raspbian X desktop and a root shell is started; in headless operation a VNC session can be started with VNC Viewer, logging in as user pi with the default password raspberry. If you want to use the Raspbian Minimal Image, authentication via SSH to the Raspberry Pi is recommended.
After logging in as user pi, we want to become root.
First, all required packages are installed from the repository as a prerequisite.
You will be asked to log in with your user name and password. The username is nagiosadmin (created in a previous step) and the password is the one you provided earlier.
After successfully logging in, the Nagios Core web interface appears. Congratulations, you did it.
Nagios Core is now installed; the Nagios plugins are still required for operation. The error message (No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_load .. appears; this is normal, the standard plugins are installed in the following steps.
The following packages are installed from the repository as a prerequisite for installing the plugins.
apt-get install -y autoconf gcc libc6 libmcrypt-dev make libssl-dev wget bc gawk dc build-essential snmp libnet-snmp-perl gettext
Download and extract the source packages. The latest plugin releases can be obtained from nagios-plugins.org.
Go to a host or service object and “Re-schedule the next check” in the Commands menu. The error that appeared before should now disappear and the correct output is displayed on the screen.
The daemon commands for start / stop / restart / status:
systemctl start nagios.service
systemctl stop nagios.service
systemctl restart nagios.service
systemctl status nagios.service
Now that the Nagios Core Server is ready for operation, it is time to create the configuration of the host and services that are to be monitored. Under /usr/local/nagios/etc the main configuration is nagios.cfg, here the paths to the configuration files are defined with cfg_file, the hosts to be monitored can be entered in a file hosts.cfg.
## Default Linux Host Template ##
name            linux-box       ; Name of this template
register        0               ; DON'T REGISTER THIS - IT'S A TEMPLATE

use             linux-box       ; Inherit default values from a template
host_name       Diskstation     ; The name we're giving to this server
alias           Synology        ; A longer name for the server
address         10.10.10.88     ; IP address of the remote Linux host
For a more structured layout, the host and service configuration can be saved in the directories printers, routers, servers and switches; for this, the file nagios.cfg is edited and the comment character # (hash) is removed from the corresponding cfg_dir= lines.
Additional configuration examples for Linux, Windows, printers, routers and switches can be found under the objects directory.
With remote agents such as NCPA, active checks can be carried out on Windows and Linux hosts; passive checks can be carried out using NRDP and NRPE, which provide values on CPU load, memory usage, processes, user and disk usage.
In the files nagios.cfg and objects/contacts.cfg, the recipient email root@localhost can be left as is.
contact_name    nagiosadmin     ; Short name of user
use             generic-contact ; Inherit default values from generic-contact
Postfix is used here as the mail transport agent for the Nagios email notification. This is installed and configured as follows.
sudo apt-get -y install postfix
During the installation you will be asked to select a mail server configuration, here we select Internet Site.
In order to be able to test the sending of emails later, the package mailutils is installed.
sudo apt-get -y install mailutils
The Postfix main configuration main.cf is adapted.
At relayhost, the mail server that accepts emails from the Raspberry Pi is entered; if the Raspberry is behind a firewall with NAT, the public IP address seen by the mail server must be authorized there for reception.
Set up an email address for root by editing the aliases file.
At the end, a valid email address is entered so that mails from this host are delivered; here as an example it is email@example.com. The colon after root: is mandatory.
After the changes in the aliases file, the aliases.db file must still be generated.
The Postfix configuration also has to be reloaded and activated.
Emails can now be sent from the Raspberry Pi as follows.
echo "hello from raspberry pi" | mail -s hello root
An email should now be in the inbox of firstname.lastname@example.org.
Reading the mail log can also provide further information here.
If the send attempt returns status=bounced, receipt on the mail server is not yet authorized. With Exchange, the IP address of the Raspberry Pi must be entered in the receive connector of the frontend transport under the scope definition for email received from servers with these remote IP addresses. For Postfix, a corresponding smtpd_client_restrictions directive must exist in main.cf.
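As an added example (not the article's own code), the following POSIX shell functions cover the aliases step and the bounce check above: set_root_alias rewrites the root: line in an aliases file, activate_aliases runs newaliases and postfix reload on the live system, and count_bounced / bounced_queue_ids scan a mail log for status=bounced entries. The aliases file, the two mail.log lines, the relay mail.example.com and the address email@example.com are constructed for this example; on the Raspberry Pi the real files are /etc/aliases and /var/log/mail.log.

```shell
#!/bin/sh
# Added example, not from the original article: maintain the root alias in a
# Postfix aliases file and detect bounced deliveries in the mail log.
# All file contents and addresses below are constructed for this example.

# Write a constructed aliases file in the format Postfix expects.
write_sample_aliases() {
    cat > "$1" <<'EOF'
# See man 5 aliases for format
postmaster:    root
mailer-daemon: postmaster
EOF
}

# Point root at an external mailbox: replace an existing root: line or append
# one. The colon after root is mandatory (see the text above).
set_root_alias() {
    file="$1"; addr="$2"
    if grep -q '^root:' "$file"; then
        sed "s/^root:.*/root: $addr/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'root: %s\n' "$addr" >> "$file"
    fi
}

# Read back the address root is currently aliased to.
root_alias() {
    sed -n 's/^root:[[:space:]]*//p' "$1"
}

# Apply on the live system: rebuild aliases.db and reload Postfix.
activate_aliases() {
    newaliases && postfix reload
}

# Constructed mail.log excerpt: one delivered and one bounced message. The
# bounce shows the relay rejecting the client host, i.e. the Raspberry Pi's
# address is not yet allowed to submit mail there.
write_sample_maillog() {
    cat > "$1" <<'EOF'
Sep 19 15:00:25 raspberrypi postfix/smtp[1234]: 1A2B3C4D5E: to=<email@example.com>, relay=mail.example.com[203.0.113.5]:25, delay=0.42, delays=0.05/0.01/0.2/0.16, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Sep 19 15:02:10 raspberrypi postfix/smtp[1240]: 5F6E7D8C9B: to=<email@example.com>, relay=mail.example.com[203.0.113.5]:25, delay=0.31, delays=0.04/0.01/0.15/0.11, dsn=5.7.1, status=bounced (host mail.example.com[203.0.113.5] said: 554 5.7.1 Client host rejected: Access denied)
EOF
}

# Count bounced deliveries; a non-zero result points at the relay not yet
# accepting mail from this host (see the receive connector note above).
count_bounced() {
    grep -c 'status=bounced' "$1"
}

# Print the Postfix queue IDs of bounced messages for follow-up with
# postcat -q <queue id> or mailq.
bounced_queue_ids() {
    grep 'status=bounced' "$1" | sed 's/.*]: \([0-9A-F]*\): to=.*/\1/'
}
```

On the Raspberry Pi the sequence is set_root_alias /etc/aliases email@example.com, then activate_aliases, then the mail test from the text; count_bounced /var/log/mail.log afterwards tells you whether the relay accepted the message before you look at the receive connector.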
Correct time synchronization in an AD domain environment is a prerequisite for stable operation. This article describes how NTP (w32tm) is configured on a Windows Server 2012 (FSMO). As a rule, the PDC operations master is the NTP service server in a forest. A PDC emulator in a domain is synchronized with an external time source. In order for a domain controller to be regarded as a reliable time source, this must be specified explicitly.
In order to make the PDC emulator a reliable time source that regularly synchronizes with time servers on the Internet, the following commands from PowerShell are executed as administrator:
Launch AnyDesk Remote Desktop Remote Access from KeePass
KeePass is a useful tool for administrators in their daily system maintenance and administrative tasks. AnyDesk is also often used, as is other remote maintenance software such as TeamViewer or VNC Viewer for remote desktop maintenance; SSH terminal sessions to servers and network devices are also required.
This post shows how to start an AnyDesk Remote Desktop session to a computer directly from KeePass.
KeePass allows an external program to be executed from an entry, passing parameters such as host name or address and the user credentials for authentication. To do this, add a new entry in KeePass with Add Entry to create a new target.
In the General tab, the computer name is entered in the Title field. For User name the AnyDesk alias which is usually the computer name (hostname), alternatively the AnyDesk ID can be used. The AnyDesk password is entered in the Password field.
The KeePass URL to pass the parameters to AnyDesk:
After the entry is saved, the AnyDesk Remote Desktop session is started with a double-click in the URL column, or with the key combination Ctrl + V.
The AnyDesk alias is the hostname, or the ID displayed as 9 digits on the remote computer. The hostname (alias) is passed to AnyDesk from the User name field via the USERNAME variable, with the password as a parameter from KeePass.
Run the SYSTEM and Trusted Installer service account with AdvancedRun
One would think that, as an administrator authenticated to Windows, you have all permissions to make changes in the registry, including under HKLM\SECURITY, to install software, or to change, overwrite or delete files and directories.
The Windows service accounts SYSTEM and Trusted Installer are the owners of system files and registry keys
Trusted Installer is a service account used by the Windows Modules Installer service. The Trusted Installer service, running as the Trusted Installer user, has exclusive permissions to everything related to Windows updates and optional Windows components.
Windows uses the SYSTEM account at logon for internal tasks and processes and manages the rights of the SYSTEM account itself. If you look in the user management, you will notice that this account does not appear there and cannot be added to groups.
Administrators may need to run programs in the context of the SYSTEM or Trusted Installer accounts when those accounts own files and registry keys. Since the Windows on-board tools do not provide an adequate procedure for this, free tools can take over the task.
Administrators could take ownership of files and folders owned by SYSTEM or Trusted Installer. However, this potentially affects system services and processes if the ownership change is not reverted.
It is better to run programs such as regedit.exe or Explorer under these accounts to modify files or registry entries that belong to these particular service accounts.
Run a program with AdvancedRun as SYSTEM and Trusted Installer
Nirsoft's AdvancedRun utility makes it easy to run programs with many options as special users in Windows.
AdvancedRun has many useful features beyond running as SYSTEM or Trusted Installer. It also allows running as NetworkService or LocalService.
Run program with user of another running process
Run a program as another logged-in user without knowing and having to enter their password.
Run RegEdit as a SYSTEM user. In this mode you can access the key HKEY_LOCAL_MACHINE\SECURITY.
Run high-priority programs
Use other PATH environment variables without changing the actual PATH
FortiClient Error: Credential or ssl vpn configuration is wrong (-7200)
When trying to start an SSL VPN connection with the FortiClient on a Windows Server 2016 or 2019, the error message “Credential or ssl vpn configuration is wrong (-7200)” may appear. The connection to the endpoint is dropped during initialization because of the encryption settings, which are found in the Internet Options.
According to Fortinet support, the settings are taken from the Internet Options. The Internet Options of the Control Panel can be opened via Internet Explorer (IE) or by calling inetcpl.cpl directly.
Press the Win + R keys, enter inetcpl.cpl and click OK.
Select the Advanced tab
Disable Use TLS 1.0 (no longer supported)
Click the Reset… button. If the Reset Internet Explorer settings button does not appear, go to the next step.
Click the Delete personal settings option
Add website to Trusted sites
Add the SSL-VPN gateway URL to the Trusted sites. Usually, the SSL VPN gateway is the FortiGate on the endpoint side.
Go to the Security tab in Internet Options, choose Trusted sites and click the Sites button. Insert the SSL-VPN gateway URL into Add this website to the zone and click Add; here https://sslvpn_gateway:10443 is used as a placeholder.
Note: The default Fortinet certificate for SSL VPN was used here, but using a validated certificate won’t make a difference.
Furthermore, the SSL state must be reset: go to the Content tab under Certificates and click the Clear SSL state button.
The SSL VPN connection should now be possible with the FortiClient version 6 or later, on a Windows Server 2016 or later, and also on Windows 10.