How to Install OpenVPN Client

Setting Up and customize OpenVPN on Windows, macOS and Linux

VPN (Virtual Private Network) is becoming more and more widely used. OpenVPN is a free application for building a virtual private network over an encrypted TLS connection. The increasingly popular OpenVPN client lets users reach their data from anywhere, for example when working from a home office or with a private cloud. This article shows the client deployment and use of OpenVPN. OpenVPN is available free of charge for many operating systems; in addition to Windows there is a client for macOS, iOS, Linux and Android devices.

OpenVPN client install on Windows

OpenVPN for Windows can be downloaded from the community website here; on Windows 10, double-clicking OpenVPN-2.5.0-I601-amd64.msi starts the setup.

Run OpenVPN Customize Setup

Choose Customize to go through the setup wizard; since only the client components are needed here, we adjust the feature selection accordingly.

OpenVPN Setup choose Feature selection

Continue installing OpenVPN.

Run OpenVPN Windows Setup

OpenVPN installation completed.

Start OpenVPN

A glance at the taskbar now shows the OpenVPN icon in the system tray.

OVPN configuration import at the client

The OpenVPN Access Server is available for Windows, Linux and FreeBSD, and there is an increasing number of devices that can be used as OpenVPN servers, such as pfSense, OPNsense or OpenWrt, commercial products from manufacturers like Sophos (formerly Astaro), Synology NAS and many more.

The file with the client configuration, for example openvpn.zip, which was previously exported on the VPN server or router, needs to be unpacked; usually the files ca.crt, README.txt and VPNConfig.ovpn are extracted.

The configuration file, in this example VPNConfig.ovpn, may have a different file name. Hint! If you change the file name, e.g. to office-davos.ovpn, this name appears in the context menu when connecting.

The file VPNConfig.ovpn usually has to be opened in an editor (I use Notepad) to change YOUR_SERVER_IP to the public IP address of the VPN gateway, or of the firewall on which the NAT mapping to the VPN termination device is configured.

OpenVPN Connection Editing

After saving VPNConfig.ovpn, the configuration is imported.

Right-clicking the icon in the system tray opens the context menu, from which you choose Import file.

Figure: Importing OpenVPN Connection

Tip! If you rename the file VPNConfig.ovpn, e.g. to Home-Office.ovpn, the corresponding name appears as the target in the Connect context menu.

Connecting from the context menu prompts for user name and password, which is the user on the VPN router or, when LDAP authentication is used, the user on the server.

Figure: OpenVPN Connection Login

If the connection is successful, the OpenVPN icon will appear green.

OpenVPN client setup on macOS

OpenVPN Connect v3 Client for macOS is a complete installation program for macOS; after the installation the .ovpn file can be imported for an OpenVPN connection to an access server. If the downloaded OpenVPN Connect v3 for macOS is installed on a Mac on which OpenVPN Connect v3 is already installed and configured, it is updated to the new version with all settings retained.

Figure: OpenVPN installer on macOS Catalina, OpenVPN in the Dock, OpenVPN Connect for macOS, and OVPN file import on macOS Catalina.

Deploy OpenVPN client on Linux

With a standard installation, OpenVPN is usually already installed together with the network management tools; in this case you can go directly to Import OVPN configuration file below. The easiest way to deploy the OpenVPN client is through the package management system; run the following commands as root on a Red Hat based Linux distribution such as Fedora or CentOS:

Install the OpenVPN on Debian and Ubuntu based distributions as follows:

Run the OpenVPN client with the downloaded configuration file, using the --config argument to pass the configuration file:

The connection can also be established via a GUI client, to install the OpenVPN GUI from the shell:

Import OVPN configuration file

Now you can open the Connection Manager by clicking on the network icon – VPN Connections – Configure VPN.

Illustration: OpenVPN GUI Ubuntu

Click Add – Import a saved VPN configuration – Create to create a new VPN connection. The next step is to import the previously downloaded VPNConfig.ovpn file. The connection can now be started from the taskbar.

On Linux Mint with the Cinnamon desktop, click on the network icon in the taskbar and go to Network Settings.

Figure: Cinnamon network settings

Click + to create a new network connection.

Figure: Cinnamon – open saved VPN configuration to import OpenVPN

Import the saved VPN configuration from the VPNConfig.ovpn file. After entering the user name and password, the saved connection can be started from the taskbar.

Import the OVPN file via the Network Manager of Linux Mint and Cinnamon Desktop.

Figure: OVPN file import via Network Manager on the Linux Mint Cinnamon desktop.

Disable Linux Mint automatic login

During installation, Linux Mint offers the option of enabling system start with automatic login. If the password prompt is to be restored later, as with Ubuntu 10 Buster, the option can no longer be found in the settings. This post shows how to re-enable the user login with password entry under Linux Mint 20 Ulyana.

It became necessary to switch off the automatic login after it was found that the email client Geary did not save the account passwords; these had to be re-entered after each restart.

Linux email client Geary

Since Linux Mint 19 Tessa Cinnamon, the option Automatic login in the Control Panel – Login window is no longer available. The setting can instead be made with a text editor: open a terminal with CTRL + ALT + T and enter the following command:

and remove these lines:

If you are not familiar with vim, your favorite editor could be nano or xed.

After restarting and logging in with a password, the keyring management opens in the background, which enables Geary to save the passwords in the Seahorse keyring.
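The autologin removal above as an added shell script (not from the original post): it strips LightDM's autologin-user and autologin-user-timeout keys from a lightdm.conf, keeps a backup, and works on a constructed sample file when run without arguments.

```shell
#!/bin/bash
# Added example, not from the original post: switch off LightDM autologin in a
# lightdm.conf by removing the autologin-user and autologin-user-timeout keys
# (LightDM's own key names). The sample file below is constructed for the demo.
set -eu

# Print CONF without the autologin keys; every other line is left untouched.
strip_autologin() {
    grep -Ev '^[[:space:]]*autologin-user(-timeout)?[[:space:]]*=' "$1"
}

# True if CONF still enables automatic login for some user.
has_autologin() {
    grep -Eq '^[[:space:]]*autologin-user[[:space:]]*=' "$1"
}

# Rewrite CONF in place, keeping a timestamped backup beside it.
# For the real file run as root: disable-autologin.sh /etc/lightdm/lightdm.conf
disable_autologin() {
    local conf="$1" tmp
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$(mktemp)"
    strip_autologin "$conf" > "$tmp" || true   # grep exits 1 if nothing is left
    cat "$tmp" > "$conf"      # write back through the same inode: owner and mode stay
    rm -f "$tmp"
}

# Constructed sample resembling /etc/lightdm/lightdm.conf on Linux Mint 20
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[Seat:*]
autologin-guest=false
autologin-user=alice
autologin-user-timeout=0
user-session=cinnamon
EOF

if [ $# -gt 0 ]; then
    disable_autologin "$1"
    echo "autologin removed from $1; reboot to get the password prompt back"
fi
```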

Figure: Linux Mint 20 Cinnamon terminal, cat /etc/lightdm/lightdm.conf – modify lightdm.conf to disable autologin

Another way to switch off the automatic user login is to remove the user from the Username field in the User section under System Settings – Login Window.

Figure: Linux Mint control panel login setting: Login window – Users – Username must be empty.

To switch off automatic login, the Username field must be empty.

Docker Container with Synology DSM

How to use Docker with Synology

Synology DSM 6.0 or higher comes with the Docker Engine. You can find the Docker App in the package center by entering docker in the search field.

Docker is a lightweight virtualization application platform; thousands of containers created by developers from all over the world can be executed and are published on the well-known image repository called Docker Hub. Container images found on Docker Hub can be loaded and executed from Synology's integrated Docker App.

If the Docker App does not appear in the Package Center, the Synology device is most likely not supported.

Due to the hardware requirements, Docker is only offered for models with virtualization technology (VT-x). The models used in this guide are RS820RP+ / RS4018xs+ / DS218+, for which Docker is available.

How to use Docker

When you open the main menu icon from DSM, you will find the icon for the Docker Engine, which can now be started.

Figure: Synology DSM Control Panel

Docker opens in the overview, which lists the running containers with their allocated memory and CPU resources and the number of containers that have been started.

Figure: Synology DSM Docker overview

In addition, the Docker command line is shown below as an alternative hint for using the Docker console.

CLI Docker command for running containers:

In the Registry section you can search for new images (as on the official website). New repositories (in addition to the official ones) can also be added under Settings.

Figure: Synology DSM Docker Registry

The original CLI Docker command is:

After a suitable image has been found, in this case a small Ubuntu 18.04 Dockerized image containing an SSH service, it is downloaded with a right click on the Synology NAS, ideally always choosing latest. All images are write-protected and can be used multiple times for other containers.

The download can take a few minutes, depending on the size and available download bandwidth. The download status is shown with an animated icon.

CLI Docker Command is:

The downloaded images available on the Synology NAS are located under Image. New containers can be started with the Docker wizard. Note: the link symbol opens the Docker Hub page of the container with useful information.

Figure: Synology DSM Docker Image

CLI Docker Command is:

Now click Start to open the wizard.

Figure: Synology DSM Docker – start container

Next, complete the wizard and start the container by clicking Apply.

Figure: Synology DSM Docker create container

CLI Docker Command is:

The running container can now be found in the Container section.

Figure: Synology DSM Docker Container

CLI Docker full output as follows:

Back to Docker overview, we can now see the resources of started containers.

Figure: Synology DSM Docker overview

CLI Docker Command is:

Now we are trying to establish an SSH terminal to the container. To do this in the Container section, click on Details to see which port the SSH service is listening on.

Figure: Synology DSM Docker Container details

In the overview under Port Settings we find the value we are looking for under Local Port, in this case port 32789; the port address is assigned automatically.

CLI: determine the port address.

Now we open PuTTY or KiTTY and connect to the IP of the Synology NAS on port 32789 to reach the container; the CLI command is as follows:
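The wizard steps above as an added shell script (not from the original post) for the NAS's SSH console: pull, run with automatically assigned host ports and a persistent data volume, then read the SSH port back out of docker port. Image name, container name, data path and the sample output are assumptions constructed for the demo.

```shell
#!/bin/bash
# Added example, not from the original post: the CLI counterpart of the DSM
# Docker wizard steps (pull, run with auto-assigned ports, find the SSH port).
# Image name, container name, data path and the sample output are assumptions
# constructed for this demo.
set -eu

IMAGE="ubuntu-ssh:latest"          # assumed image tag, "latest" as in the article
NAME="ubuntu-ssh"                  # assumed container name
DATA_DIR="/volume1/docker/$NAME"   # assumed NAS path for persistent data

# Extract the host port docker mapped to container port 22/tcp from the output
# of `docker port NAME`, e.g. "22/tcp -> 0.0.0.0:32789". Prints nothing if
# port 22 is not published.
ssh_host_port() {
    printf '%s\n' "$1" | awk '$1 == "22/tcp" { sub(/.*:/, "", $3); print $3; exit }'
}

# Pull the image and start it with -P so every exposed port gets a random
# host port (the 32789 of the article); data lives on a bind-mounted volume
# because everything inside the container is lost when it is removed.
# Needs the docker CLI, i.e. an SSH session on the NAS.
start_ssh_container() {
    docker pull "$IMAGE"
    mkdir -p "$DATA_DIR"
    docker run -d -P --name "$NAME" -v "$DATA_DIR:/data" "$IMAGE" >/dev/null
    docker ps --filter "name=$NAME" >&2          # running containers
    docker stats --no-stream "$NAME" >&2         # memory and CPU, as in the overview
    ssh_host_port "$(docker port "$NAME")"       # the only line on stdout
}

# Constructed sample of `docker port` output (IPv4 and IPv6 bindings)
SAMPLE_PORT_OUTPUT='22/tcp -> 0.0.0.0:32789
22/tcp -> [::]:32789'

# Usage on the NAS: bash docker-ssh.sh run  -> prints the ssh command to use
if [ "${1:-}" = "run" ]; then
    port="$(start_ssh_container)"
    echo "connect with: ssh -p $port root@<nas-ip>"
fi
```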

Figure: KiTTY Session

Log on as root with the root password.

Figure: Docker terminal

The Docker Engine can also be used from the console, provided that the SSH service has been activated under DSM Control Panel – SSH Service.

The Docker application shown in this article is intended as a simple example of how Docker can be used on a Synology NAS; of course there are more useful container applications, from a web server for developing web applications to complete development environments. There are already countless Docker images on Docker Hub https://hub.docker.com and other Docker registries. It makes you wonder whether the effort of installing your own development environment such as XAMPP or LAMP is still worthwhile. At this point it should be mentioned that all data stored in the container must be saved on a persistent volume, because all work is lost when the container is closed.

There are also other articles about using Docker here in this blog, the best thing to do is to simply enter docker in the search field above.

Repair Windows Spotlight

Windows Spotlight does not show any new images

Windows Spotlight is a feature included in Windows 10 that downloads wallpapers from Bing automatically, so that you see a new background image on the lock screen each time you log in.

The only downside to Microsoft Windows Spotlight is that sometimes it stops working or you could find it stuck on the same picture. Unfortunately, Windows 10 doesn’t include an option to reset this feature. However, it is possible to fix Windows Spotlight settings using this simple workaround.

To do this, open Settings, click on Personalization -> Lock screen, and change the background to Picture.

Then right-click on Desktop -> New -> Text document and insert the following content:

Click on File -> Save As, and save as Filename spotlight.bat.

Right-clicking the spotlight.bat batch file opens the context menu; select Run as administrator there.

Now restart your computer. Then open Settings again and switch back to Windows Spotlight under Personalization -> Lock screen.

As soon as these steps have been carried out, you can lock the computer with the Win + L keys; the lock screen now presents new Bing images.

Note: For Windows Spotlight to work, Settings – Privacy – Background apps must be activated.

Figure: Setting: Allow apps to run in the background (Repair Windows 10 Spotlight)

Nagios Monitoring on Raspberry Pi

How to Install Nagios on Raspberry Pi

Nagios OpenSource IT infrastructure Monitoring

Nagios consists of a collection of modules for monitoring networks, hosts and their specific services, as well as a web interface to display queries of the collected data. Nagios is under the GNU GPL, so it is free software and runs on numerous Unixoid operating systems. Because of its widespread use, Nagios has become a quasi-standard in professional use.

Nagios Monitoring with Raspberry Pi

The Raspberry Pi, with its fanless design, minimal dimensions and low power consumption, is well suited as a single-board computer for a Nagios monitoring server that can even monitor itself.

INSTALLATION

The installation of Nagios Core 4 on the Raspberry's own OS Raspbian, which is based on Debian, is unspectacular. These instructions show the procedure for a Raspberry Pi 3 Model B on a 32 GB Class 10 microSD card; a 16 GB microSD card would also suffice.

Figure: Raspbian Terminal; SanDisk Ultra SDHC I 16 GB, 80 MB/s, Class 10 microSD card.

Provisioning Raspbian on a microSD card is not discussed here in detail. After booting a Raspbian desktop image, the LXTerminal is opened on the Raspbian X desktop and a root shell is started; in headless operation a VNC session can be started with VNCViewer, logging in as user pi with the default password raspberry. If you want to use the Raspbian Minimal Image, authentication via SSH to the Raspberry Pi is recommended.

Figure: Raspbian VNCViewer

After logging in as user pi, we want to become root.

First, all required packages are installed from the repository as a prerequisite.

Download and unzip the Nagios Core 4 source packages. The latest release can be found here; the core release as well as the agents and plugins are available on GitHub.

Compile

Create the user nagios and the group. The Apache user www-data is also added to the nagios group.

Install the binaries.

Install the service daemon files and configure them for the boot process.

Install and configure the external command file.

Now the *SAMPLE* configuration files are installed. These are necessary because Nagios needs some configuration files to start.

The Apache web server configuration files are installed and the Apache settings for Nagios are configured.

Port 80 must be permitted for incoming data traffic on the local firewall so that the Nagios Core web interface can be reached.

Answer yes to save the existing rules.

An Apache user account is created so that it can log in to Nagios.

The following command creates a user account called nagiosadmin and sets a password for the account; remember this password.

The Apache web server must be restarted.

Nagios Core will now start.

Nagios is now ready to be tested.

You will be asked to log in with your user name and password. The username is nagiosadmin (you created it in a previous step) and the password is what you provided earlier.

After successfully logging in, the Nagios Core web interface appears. Congratulations, you did it.

Nagios Core is now installed, but the Nagios plugins are still required for operation. The error message (No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_load .. appears; this is normal, the standard plugins are installed in the following steps.

Plugin Installation

The following packages are installed from the repository as a prerequisite for installing the plugins.

Download and extract the source packages. The latest plugin releases can be obtained from nagios-plugins.org.

Compile and install packages.

Go to a host or service object and “Re-schedule the next check” in the Commands menu. The error that appeared before should now disappear and the correct output is displayed on the screen.

The daemon commands for start / stop / restart / status.

Nagios configuration

Now that the Nagios Core server is ready for operation, it is time to create the configuration of the hosts and services that are to be monitored. Under /usr/local/nagios/etc the main configuration is nagios.cfg; here the paths to the configuration files are defined with cfg_file, and the hosts to be monitored can be entered in a file hosts.cfg.

For a more structured setup, the host and service configuration can be saved in the directories printers, routers, servers and switches; for this the file nagios.cfg is edited and the comment characters # (hash) in front of the corresponding cfg_dir= lines are removed.

The .cfg files created in these directories are then read in.

Example for a mail and web server on which IMAP and HTTPS are checked.

The Nagios server is restarted after each change.

A look at the Nagios log file can be worthwhile.

Additional configuration examples for Linux, Windows, printers, routers and switches can be found in the objects directory.
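The cfg_dir and mail/web server configuration steps above as an added shell example (not the article's own files): it uncomments the four cfg_dir lines of the sample nagios.cfg and writes a servers/HOST.cfg with an IMAP and an HTTPS check. The host name mailweb, the address 192.0.2.10 and the offline stand-in for nagios.cfg are constructed; the templates linux-server and generic-service are those of the Nagios sample configuration.

```shell
#!/bin/bash
# Added example, not the article's own files: enable the cfg_dir entries in
# nagios.cfg and write a host definition for a mail/web server with IMAP and
# HTTPS checks. Host name and address are constructed for the demo; the
# templates linux-server and generic-service come from the sample config.
set -eu

# Remove the leading # from the four cfg_dir lines that the sample nagios.cfg
# ships commented out (servers, printers, switches, routers).
enable_cfg_dirs() {
    sed -i -E 's,^#(cfg_dir=/usr/local/nagios/etc/(servers|printers|switches|routers)),\1,' "$1"
}

# Write ETC/servers/HOST.cfg with the host and two services. check_imap and
# check_http are the standard Nagios plugins installed in the previous steps.
write_mailweb_cfg() {
    local etc="$1" host="$2" addr="$3"
    mkdir -p "$etc/servers"
    cat > "$etc/servers/$host.cfg" <<EOF
define command {
    command_name    check_imap_port
    command_line    \$USER1\$/check_imap -H \$HOSTADDRESS\$ -p 143
}
define command {
    command_name    check_https_site
    command_line    \$USER1\$/check_http -H \$HOSTADDRESS\$ -S -p 443
}
define host {
    use             linux-server
    host_name       $host
    alias           Mail and web server
    address         $addr
}
define service {
    use                 generic-service
    host_name           $host
    service_description IMAP
    check_command       check_imap_port
}
define service {
    use                 generic-service
    host_name           $host
    service_description HTTPS
    check_command       check_https_site
}
EOF
}

# Verify the whole configuration before restarting (run as root on the Pi).
apply_and_restart() {
    /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
    systemctl restart nagios
}

# Constructed stand-in for the relevant lines of the sample nagios.cfg; the
# last line is a made-up entry that must stay commented.
DEMO_ETC="$(mktemp -d)"
printf '%s\n' '#cfg_dir=/usr/local/nagios/etc/servers' \
    '#cfg_dir=/usr/local/nagios/etc/printers' \
    '#cfg_dir=/usr/local/nagios/etc/switches' \
    '#cfg_dir=/usr/local/nagios/etc/routers' \
    '#cfg_dir=/usr/local/nagios/etc/objects' > "$DEMO_ETC/nagios.cfg"

# Usage on the Nagios server: bash nagios-mailweb.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_cfg_dirs /usr/local/nagios/etc/nagios.cfg
    write_mailweb_cfg /usr/local/nagios/etc mailweb 192.0.2.10   # constructed host
    apply_and_restart
fi
```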

Example: Nagios Service Configuration

With remote agents such as NCPA, active checks can be carried out on Windows and Linux hosts; passive checks can be carried out using NRDP and NRPE, which provide values on CPU load, memory usage, processes, users and disk usage.

Nagios Notification

In the files nagios.cfg and objects/contacts.cfg the recipient email root@localhost can be left as it is.

In the file nagios.cfg this is the admin_email setting.

Postfix is used here as the mail transport agent for the Nagios email notification. It is installed and configured as follows.

During the installation you will be asked to select a mail server configuration, here we select Internet Site.

In order to be able to test the sending of emails later, the package mailutils is installed.

The Postfix main configuration main.cf is adapted.

At relayhost, the mail server is entered that accepts emails from the Raspberry Pi; if the Raspberry is behind a firewall with NAT, the public IP address must be authorized for reception on the mail server.

Set up an email address for root by editing the aliases file.

At the end a valid email address is entered so that mails from this host are delivered, here as an example helpdesk@banana.org; the colon after root: is mandatory.

The change in the aliases file must still be compiled into the aliases.db file.

The Postfix configuration also has to be read in and activated.

Sending an email from the Raspberry Pi can now be done as follows.

An email should now be in the inbox of helpdesk@banana.org.

Reading the email log can also provide further information here.

If the attempt to send returns status=bounced, receipt on the mailer is not yet authorized. With Exchange, the IP address of the Raspberry Pi must be entered in the receive connector in the frontend transport under scoping, for email received from servers with these remote IP addresses. For Postfix, a smtpd_client_restrictions directive must exist in main.cf.

The client_access file contains the IP address of the Raspberry Pi.

The Postfix database still needs to be generated.

If the SMTP requests are accepted by the mailer, the queue process and delivery can take place.
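The Postfix steps of this section on both ends, as an added shell example (not the article's own commands): relayhost and the root alias on the Raspberry Pi, the client_access table and smtpd_client_restrictions on the mailer, and a mail-log check for the status= value. The host mail.banana.org, the addresses 192.0.2.x and the log lines are constructed; helpdesk@banana.org is the article's example address.

```shell
#!/bin/bash
# Added example, not the article's own commands: the Postfix steps on both
# ends of the Nagios notification path, plus a log check for the delivery
# status. Host names, addresses and log lines are constructed for the demo.
set -eu

# Raspberry Pi side: make root's mail go to a real mailbox. The "root:" line
# in /etc/aliases is replaced if present and appended otherwise.
set_root_alias() {
    local aliases="$1" addr="$2"
    if grep -q '^root:' "$aliases"; then
        sed -i "s/^root:.*/root: $addr/" "$aliases"
    else
        printf 'root: %s\n' "$addr" >> "$aliases"
    fi
}

# Raspberry Pi side (run as root): relay through the site's mailer and send a
# test mail to root, which the alias forwards to ADDR.
configure_pi_relay() {
    local relay="$1" addr="$2"
    postconf -e "relayhost = $relay"      # e.g. mail.banana.org (constructed)
    set_root_alias /etc/aliases "$addr"
    newaliases                            # builds /etc/aliases.db
    postfix reload                        # re-reads main.cf
    echo "Nagios relay test from $(hostname)" | mail -s "Nagios relay test" root
}

# Mailer side: client_access table listing the Raspberry Pi as allowed client.
write_client_access() {
    printf '%-18s OK\n' "$2" > "$1"
}

# Mailer side (run as root on the Postfix mailer): accept SMTP from the Pi.
# Any further rejection rules of the mailer belong after the lookup.
configure_mailer() {
    local table="/etc/postfix/client_access" pi_ip="$1"
    write_client_access "$table" "$pi_ip"
    postmap "hash:$table"                 # generates client_access.db
    postconf -e "smtpd_client_restrictions = permit_mynetworks, check_client_access hash:$table"
    postfix reload
}

# Delivery status of the last queued message in a mail log: "sent", "bounced",
# "deferred" etc., the value the article tells you to look for.
last_delivery_status() {
    grep -o 'status=[a-z]*' "$1" | tail -n 1 | cut -d= -f2
}

# Constructed mail.log excerpt: first attempt rejected by the mailer,
# second attempt after the client_access entry was added
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 raspberrypi postfix/smtp[1234]: A1B2C3: to=<helpdesk@banana.org>, relay=mail.banana.org[192.0.2.25]:25, delay=0.4, status=bounced (host mail.banana.org[192.0.2.25] said: 554 5.7.1 Client host rejected: Access denied)
Jan 10 12:05:01 raspberrypi postfix/smtp[1240]: D4E5F6: to=<helpdesk@banana.org>, relay=mail.banana.org[192.0.2.25]:25, delay=0.3, status=sent (250 2.0.0 Ok: queued)
EOF

# Usage: nagios-mail.sh pi mail.banana.org helpdesk@banana.org   (on the Pi)
#        nagios-mail.sh mailer 192.0.2.50                         (on the mailer)
case "${1:-}" in
    pi)     configure_pi_relay "$2" "$3" ;;
    mailer) configure_mailer "$2" ;;
esac
```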

Windows Server 2012 NTP Configuration

Windows Server NTP Network Time

Correct time synchronization in an AD domain environment is a prerequisite for stable operation. This article describes how NTP (w32tm) is configured on a Windows Server 2012 holding the FSMO roles. As a rule, the PDC operations master is the NTP server in a forest. The PDC emulator in a domain is synchronized with an external time source. For a domain controller to be regarded as a reliable time source, this must be specified explicitly.

In order to make the PDC emulator a reliable time source that regularly synchronizes with time servers on the Internet, the following commands are executed from PowerShell as administrator:

Show which time server is currently in use.

Execute the time synchronization immediately.

The clients and servers in the domain forest as well as shared storage can now synchronize their time with the PDC emulator.

The firewall must permit UDP port 123 inbound and allow it outbound.

The NTP configuration can also be done via GPO by calling gpmc.msc.

Figure: Group Policy Management Console – Computer Configuration/Administrative Templates/System/Windows Time Service/Time Server

The following test displays a graph of the offset between the synchronizing computers.

Figure: W32tm stripchart

The configuration can also be checked in the registry.

Figure: Registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Block suspicious IP with Linux firewall daemon

Block Brute-Force requests with Firewall Daemon from Bash Script

The firewall daemon can help protect against ongoing brute-force attacks by detecting attack attempts on the Linux host. To permanently protect the host from suspicious sources, they can be blocked. The following bash script blocks suspicious requests: the IP address is appended as an argument and set to reject using firewall-cmd.

The script was written on Debian 10 (buster); on Debian, as on Ubuntu 20, firewalld has to be installed first. On the RHEL and CentOS 7+ family and Fedora 30 or higher, firewalld is the default and the script can be used directly.

Install Firewalld on Debian

The firewalld package is available in the official Debian 10 repositories. Installation is quick with the commands shown below.

Install firewalld in the terminal as root or as a user with sudo privileges.

If ufw is active, the uncomplicated firewall (ufw) for managing netfilter must be deactivated in order to make firewalld the standard firewall.

Run the firewall daemon and activate it for the system start.

Check whether the firewall daemon is running and the service is available.

Load the new firewall rules and keep the status information.

On Debian, after running firewall-cmd --reload the following error appears:

Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (no such file or directory): rule in chain OUTPUT

The solution is to run update-alternatives to force Debian to use iptables instead of nftables.

After switching from nftables to iptables, restart the Linux machine with reboot.

Firewalld configuring

Firewalld is a firewall-management solution that acts as a front-end for the iptables packet filter system provided by the Linux kernel. firewall-cmd is the utility used to manage the firewall configuration. The firewalld daemon manages groups of rules using entities called “zones”. Zones are like sets of rules that determine what traffic to allow based on the known trust of the networks to which the computer is connected. A zone is assigned to the network interfaces in order to determine the behavior that the firewall should allow.

A network interface is assigned to the default zone public; use the firewall-cmd tool with the following command to check zones and interfaces.

If no network interface appears under interfaces (at line 6), it must still be assigned to the zone; query the interfaces with ip or ifconfig (net-tools).

Here on the virtual Debian (buster) it is link 2, ens33.

The interface ens33 is assigned to the default zone public.

Check the interface assigned to the zone with the output.

The interface ens33 is assigned to zone public.

Interacting Fail2ban and firewalld

Fail2ban (failure leads to ban) is an IPS framework developed in Python to prevent attacks. It runs on all Unix-like OS that are based on a manageable packet filter system or a firewall such as iptables or firewalld on Linux.

Line 13 in the script reject.sh (above), if fail2ban is available and executed, restores the addresses banned by fail2ban to their previously active state after firewalld has been processed. If fail2ban is not used, lines 12-14 can be deleted.

Run the script

Run the script, appending the source IP, to reject suspicious requests through the firewall.

The blocked IP address can be removed with the following command line in the bash shell.

Activate the rule entered through the firewall daemon.
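The block, unblock and reload steps above as an added shell script (not the article's reject.sh): it validates the address argument, builds a firewalld rich rule for the public zone, applies or removes it permanently, reloads, and asks fail2ban to re-apply its bans, which the article's lines 12-14 do. The -d flag and the sample addresses are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the article's reject.sh: block (or unblock) one suspicious
# source address in firewalld's public zone with a rich rule. The argument is
# validated first so that a typo cannot end up as a malformed rule.
set -eu

ZONE="public"

# True if ARG is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for n; do [ "$n" -le 255 ] || exit 1; done )
}

# True if ARG looks like an IPv6 address (hex digits and colons only).
is_ipv6() {
    case "$1" in
        *:*) echo "$1" | grep -Eq '^[0-9A-Fa-f:]+$' ;;
        *)   return 1 ;;
    esac
}

is_ip() { is_ipv4 "$1" || is_ipv6 "$1"; }

# The firewalld rich rule for ADDR; the family follows the address form.
rich_rule() {
    fam="ipv4"
    if is_ipv6 "$1"; then fam="ipv6"; fi
    printf 'rule family="%s" source address="%s" reject' "$fam" "$1"
}

# Add or remove the rule permanently and reload. A reload discards the
# runtime bans fail2ban has added, so fail2ban is reloaded afterwards and
# re-applies them (the step the article's lines 12-14 perform).
apply_rule() {            # apply_rule add|remove ADDR   (run as root)
    firewall-cmd --permanent --zone="$ZONE" "--$1-rich-rule=$(rich_rule "$2")"
    firewall-cmd --reload
    if command -v fail2ban-client >/dev/null 2>&1; then
        fail2ban-client reload
    fi
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Usage: reject.sh <ip>      block the address
#        reject.sh -d <ip>   remove the block again
if [ $# -gt 0 ]; then
    action="add"
    if [ "$1" = "-d" ]; then action="remove"; shift; fi
    if [ $# -ne 1 ] || ! is_ip "$1"; then
        echo "usage: $0 [-d] <ipv4|ipv6 address>" >&2
        exit 2
    fi
    apply_rule "$action" "$1"
fi
```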

Help on using firewall-cmd

Output of the changed and activated rule of the public zone.

Check current firewall rules with the following commands.

Use the commands firewall-cmd and iptables to list the current rules.

Output the default zone for connections and interfaces.

Set a zone as the default zone.

Output the currently active zones.

Output the predefined zones.

Get help and man page of firewall-cmd.

Network Printer Management from Command Prompt

rundll32 printui.dll,PrintUIEntry

printui.dll is an executable for automated printer configuration tasks with features used by the printer configuration dialog boxes. These functions can also be called from a script or command-line batch file, or run interactively through the command prompt.

printui.dll runs with rundll32.exe and provides tools for demanding tasks: adding printers, managing and deleting them, and adding network printer connections.

Open printer server properties

Figure: Printer server properties opened with rundll32 printui.dll,PrintUIEntry /s (properties of the printer server, Drivers section)

Connect to the network printer:

The LaserJet network printer shared on the SERVER is installed on the client computer and connected to the server.

Set up a printer using a driver INF file:

/if Installs printer using the specified INF-file
/b Basic printer name AddressLabel
/f Path to the printer driver INF-file
/r Portname or IP address
/m Model name of the printer driver from the INF-file
/Z Share this printer, use only with option “/if”

Delete local printer driver:

/dd Deletes the local printer driver
/m Model name of the printer driver
/q Do not display possible error messages

Delete network printer connection:

/dn Deletes the network printer connection.
/n The name of the printer.

Help on printui.dll is obtained with the following command in the command prompt.

Batch example:

Example: add a network printer connection from a login script.

Create Shortcut using VBScript

Create shortcuts on desktop with Visual Basic Script

VBScripts can help wherever tasks need to be automated. Batch files may not always be appropriate, and Group Policy may not always be available; a Visual Basic Script can step in, for example to provide shortcuts to applications.

create-shortcut.vbs

The following VBScript creates a shortcut on the desktop, here for example to open the Windows Calculator.

Insert the VBScript lines by copy and paste into Notepad and save them as create-shortcut.vbs; double-clicking the file executes the VBScript and creates the shortcut on the desktop.

Last but not least, feel free to edit the Const lines in the script to use any other application.

Now double-clicking the shortcut on the desktop opens the Windows Calculator.

This VBScript can be started with cscript from the command prompt or from a batch.