A few days ago I bought a very cheap Virtual Private Server (VPS) – check my post here: https://www.ajni.it/2020/03/quick-tip-cheap-private-servers-on-the-cloud/

It was very cheap (4$ or 3.75€ annually), but with a lot of gotchas.

One of them is Ubuntu 18.04 Minimal, which means a lot of packages will not be pre-installed, causing a lot of pain when installing services like in my example OpenVPN.

Here is how I managed to install OpenVPN on Ubuntu 18.04 Minimal.

Updating the system:

apt update

apt upgrade

Install OpenVPN

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

The first problem occurs with the root CA certificates:

Install the root certificates in order to trust them:

apt-get install ca-certificates

After re-running the command, another error shows up:

Install the next package (iptables):

apt-get install iptables

And finally, the OpenVPN setup can be run:

I had to set a custom port, because only specific ones were NAT’d to my server. You might leave the port to default. I am also using 1.1.1.1 for DNS.

After the setup is finished, a configuration file will be created. This file contains the public certificates and private key that are mandatory for the connection. It can be imported into the OpenVPN client (Windows) through the GUI.

On Linux, a simple

openvpn configfile.ovpn

does the trick.

By default, Linux systems allow both password-based and key-based authentication over SSH. If you have a server with SSH open to the world, password-based authentication shouldn’t be allowed at all.

To disable password-based authentication, edit the SSH config file:

nano /etc/ssh/sshd_config

Add the following lines:

PasswordAuthentication no

PubkeyAuthentication yes

Now generate a new private/public key pair:

ssh-keygen

id_rsa is your private key

id_rsa.pub is the public certificate thumbprint that must be added to ~/.ssh/authorized_keys

nano ~/.ssh/authorized_keys

The SSH service must be restarted.

service ssh restart

Now you can connect to your server with key-based authentication only. If connecting from a Linux system the file’s permissions must be set to 600.

chmod 600 id_rsa

ssh -i id_rsa ip@username

If you like using Putty, you’ll have to load the file with PuttyGen and save the private key as .ppk.

PuttyGen can be downloaded here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Links:

https://askubuntu.com/questions/346857/how-do-i-force-ssh-to-only-allow-users-with-a-key-to-log-in

Today I stumbled upon this very useful site that helps you find very cheap virtual private servers (VPS) around the globe. The public IPv4 address is shared and NAT'd across multiple servers. If that's no problem for you, the cheapest servers are 0.15€ a month with 128MB RAM and 1 vCPU.

Also, some public IP addresses are blocked in China and/or Russia.

Have fun!

https://www.serverhunter.com/

So last time we created a Master-VHDX on Hyper-V with Windows Server 2019 in order to save space. Today we are installing the first Domain Controller with a fresh domain. Very straight forward stuff.

Before installing Active Directory Directory Services, the computer should have a decent name.

Give it a fixed IP address. Since this is going to be a lab, I am not going to plan the IP design. The Default Gateway does not exist yet. Also, the secondary DNS server will be installed later on a Server Core version.

From Server Manager Add Roles and Features, Select Role-based or feature-based installation

Select the Active Directory Directory Services Role

Everything else can be left on default.

Once the installation is completed, the server can be promoted to a Domain Controller.

Since there is no existing forest, the root domain name must be defined:

Define a new password for the Directory Services Restore Mode (DSRM). DSRM allows you to perform an authoritative restore of single or multiple AD objects through ntdsutil (from cmd).

This warning can be safely ignored.

The NetBIOS domain name can be used when logging into a domain computer, for example AJNI\Domainuser. The UserPrincipalName can be also used – domainuser@ajni.it.

The rest can be left to default.

The server will restart, after that the domain will be up and running!

The next blog post will be covering the installation of an additional Domain Controller (the second DNS server 10.10.10.11) with Windows Server 2019 Core Edition.

Stay tuned !

Hyper-V has a very interesting feature that allows to save a lot of space: By creating a golden VHDX Disk with the base operating system, you can then use so called “Differencing” disks, which reference the Master VHDX and only save the changes on their disk.

So, first things first: Just create a normal VM to prepare the golden image for later use.

Specify Generation 2

Give the Golden disk a self-explanatory name

Before starting the VM, disable automatic checkpoints (in VMware known as Snapshots) and give it more juice. Do not forget to apply changes:

Install the OS (standard procedure)

Once the OS installed and custom settings are made, the machine is ready to be Sysprep’ed.

Delete the VM once stopped, the disk will not be deleted. Then locate the VHDX and set it into Read-Only mode.

Now a new VM can be created in Hyper-V with a Differencing disk. Note: In the VM creation wizard specify “Attach a virtual disk later”:

Now in the VM settings under SCSI Controller add a new Hard Drive:

Select the last option for Differencing:

This will be the new disk name:

And finally, the base disk we created previously:

Before powering on the machine make sure the new disk is first in the boot order.

The VM is up and running!

Notice the size of the new VHDX. Only 1.4 GB!

In the VM settings you can once again inspect the disk and see the relationship with the golden disk.