It was very cheap (4$ or 3.75€ annually), but with a lot of gotchas.
One of them is Ubuntu 18.04 Minimal, which means a lot of packages will not be pre-installed, causing a lot of pain when installing services like in my example OpenVPN.
Here is how I managed to install OpenVPN on Ubuntu 18.04 Minimal.
The first problem occurs with the root CA certificates:
Install the root certificates in order to trust them:
apt-get install ca-certificates
After re-running the command, another error shows up:
Install the next package (iptables):
apt-get install iptables
And finally, the OpenVPN setup can be run:
I had to set a custom port, because only specific ones were NAT’d to my server. You might leave the port to default. I am also using 1.1.1.1 for DNS.
After the setup is finished, a configuration file will be created. This file contains the public certificates and private key that are mandatory for the connection. It can be imported into the OpenVPN client (Windows) through the GUI.
By default, Linux systems allow both password-based and key-based authentication over SSH. If you have a server with SSH open to the world, password-based authentication shouldn’t be allowed at all.
To disable password-based authentication, edit the SSH config file:
nano /etc/ssh/sshd_config
Add the following lines:
PasswordAuthentication no
PubkeyAuthentication yes
Now generate a new private/public key pair:
ssh-keygen
id_rsa is your private key
id_rsa.pub is the public certificate thumbprint that must be added to ~/.ssh/authorized_keys
nano ~/.ssh/authorized_keys
The SSH service must be restarted.
service ssh restart
Now you can connect to your server with key-based authentication only. If connecting from a Linux system the file’s permissions must be set to 600.
chmod 600 id_rsa
ssh -i id_rsa ip@username
If you like using Putty, you’ll have to load the file with PuttyGen and save the private key as .ppk.
Today I stumbled upon this very useful site that helps you find very cheap virtual private servers (VPS) around the globe. The public IPv4 address is shared and NAT'd across multiple servers. If that's no problem for you, the cheapest servers are 0.15€ a month with 128MB RAM and 1 vCPU.
Also, some public IP addresses are blocked in China and/or Russia.
I was trying to enable Bitlocker on my C: drive, but unfortunately my PC does not have a physical TPM chip built-in. Turns out there is a way to enable Bitlocker Drive Encryption without the TPM chip with help of Group Policies.
Open Local Group Policies (gpedit.msc) > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Require additional authentication at starutp
Enable this Policy and leave the default settings.
Now in Windows Explorer, Bitlocker can be turned on:
Because there is no TPM chip available, we either have the option to enter a password every time the OS boots or unlock the drive with a USB flash drive.
I got tasked with installing a brand new Windows Server 2019 with the Remote Desktop Services (RDS) role. It was a pretty straightforward installation, but minor things might work differently compared to previous versions of Windows Server (I was migrating off Windows Server 2012 R2).
Start by adding the RDS role through Server Manager.
Select the RDS installation:
I went for the Quick Start because my deployment is fairly basic.
Session-based deployment enables multi-session support on the server.
The server should be automatically selected.
The three roles (RD Connection Broker, RD Web Access and RD Session Host) will be installed.
After the installation a license warning will be shown in the Notification Center.
Two things are needed in order for licensing to work properly: The license server and licensing mode. In a production environment, usually there is a separate server hosting the RDS Licensing service.
Make sure you select the server by moving it to the right with the arrow.
In a production environment a custom group should be used to control the number of permitted users.
User profile disks were not needed in my environment.
After the creation, there are some things that should be changed in the Collection properties (Server Manager > Remote Desktop Services > Collections > Collection Name):
These are my specific settings, you should change the parameters based on your experience or leave them at their default values.
Older clients might have problems with these security settings (like Network Level Authentication - NLA)
