This documentation provides guidance how to configure an OAuth 2.0 application in Azure AD and how to grant application access to a defined group of Exchange mailboxes only.
Prerequisites
To perform the steps in this documentation, you need to meet the following requirements:
To limit app permissions to certain mailboxes only, we need to prepare a mail-enabled security in Microsoft 365 and add the desired mailboxes as group members. This makes sure that the app can only read/write/send e-mails for the mailboxes in the scope of the security group, but access to other mailboxes in the tenant is blocked.
Please use the following PowerShell script snippet to configure the mail-enabled security group:
Connect-ExchangeOnline
New-DistributionGroup `
-Type “Security” `
-Name “sgc_[APPLICATION-NAME]_RestrictedAccess” `
-Description “[APPLICATION-NAME] – Restrict app access to this group only” `
-Members “[USER1]@sg365.onmicrosoft.com”, “[USER2]@saargummi.com”
As a result, you will receive the application ID / client ID (both terms are used as synonyms). The client ID will be used in the next steps of this document.
Creation of an Exchange application access policy
With an application access policy in Exchange Online, we technically restrict our Azure AD app registration to only have access to members of our defined security group. More information can be found here:
-Description “[APPLICATION-NAME] – Restrict app access to this group only”
Please adjust the [APPLICATION-NAME] and [CLIENT-ID-OF-THE-APPLICATION] parameter to your needs before executing the commands.
If the script is executed, you will receive the following output as confirmation:
Afterwards, it is important to verify that the application access policy successfully restricts access to only the mailboxes in the previously created security group. For this purpose, please use the following PowerShell commands:
Please adjust the [CLIENT-ID-OF-THE-APPLICATION] parameter according to your app registration.
Use one user [USER-IN-GROUP], where the app shall have access to the mailbox, and use another user [USER-NOT-IN-GROUP], where the app shall NOT have access to the mailbox.
In the PowerShell output, you need to see that access is granted in the first case, but access is denied in the second case:
Assignment of permissions to the Azure AD app registration
Finally, you can assign the appropriate Graph API permissions to the previously created Azure AD app registration. For example, you can use the following application permissions for mail access:
Mail.Read
Mail.ReadBasic
Mail.ReadBasic.All
Mail.ReadWrite
Mail.Send
The application permissions depend on your very own use case.
The app permissions can be configured and admin consent can be granted according to the following Microsoft documentation and according to the attached screenshots:
Afterwards, the setup is done and you can use the app’s client id + client secret / certificate to authenticate against Microsoft Graph API and to programmatically access the mailboxes in the security group.
Using the correct timezone is essential for many systems related tasks and processes. For example, the cron daemon uses the system’s timezone for executing cron jobs, and the timestamps in the log files are based on the same system’s timezone.
On Ubuntu, the system’s timezone is set during the install, but it can be easily changed at a later time.
Follow bellow commands in order to activate time sync and set time zone:
Update-Help -UICulture EN-US -Force -Scope CurrentUser #delet Scope CurrentUser - for Windows Power Shell
Useful Scripts
1. Script for Changing Power Shell appearance – display warnings blue, – powershall path at the top, -adding Listing as standard to powershell (Listing 1.15)
2. Script for duplicating profiles for both WinPS and PS. Once executed Copy the above script (listing 1.15) in the opened notepad and save to default location
– can be executed with: L 1.16 -run
#requires -RunAsAdministrator
# Hardlinks können nur als Administrator angelegt werden
# dieses Skript macht nur Sinn, wenn das Betriebssystem "Windows" ist:
if ($isWindows -eq $false)
{
Write-Warning "Spiegeln der Profile ist nur bei Windows möglich."
Write-Warning "Andere Betriebssysteme verfügen über kein Windows PowerShell"
return
}
# sicherstellen, dass die Windows PowerShell Profildatei existiert
if ($PSVersionTable.PSEdition -eq 'Core')
{
# Pfad zum Windows PowerShell Profilskript berechnen:
$winprofile = $profile.CurrentUserAllHosts -replace '\\PowerShell\\', '\WindowsPowerShell\'
$coreprofile = $profile
}
else
{
# Pfad steht bei Windows PowerShell schon in $profile:
$winprofile = $profile.CurrentUserAllHosts
$coreprofile = $profile -replace '\\WindowsPowerShell\\','\PowerShell\'
}
# Datei anlegen, wenn noch nicht vorhanden
$exists = Test-Path -Path $winprofile
if ($exists -eq $false)
{
$null = New-Item -Path $winprofile -ItemType File -Force
Write-Warning "Profilskript für Windows PowerShell angelegt."
}
else
{
Write-Warning "Profilskript für Windows PowerShell war vorhanden."
}
# testen, ob Profilskript für PowerShell existiert
$exists = Test-Path -Path $coreprofile
if ($exists)
{
# ist die Profildatei vielleicht bereits gespiegelt?
$datei = Get-Item -Path $coreprofile
if ($datei.LinkType -eq 'HardLink')
{
# wir sind fertig
Write-Warning 'Profildatei von Windows PowerShell wird bereits mitgenutzt (keine Änderungen).'
# Profilskript im Editor öffnen:
Invoke-Item -Path $winprofile
Return
}
else
{
# wenn PowerShell bereits eine eigene Profildatei verwendet, muss diese
# gelöscht werden, um stattdessen auf das Windows Profil zu verweisen
# also nachfragen, ob der User das will:
Write-Warning 'Profilskript für PowerShell ist bereits als separate Datei vorhanden.'
Write-Warning 'Soll dieses Profil gelöscht und stattdessen das Profil der Windows PowerShell verwendet werden?'
# Frage stellen und 20 Sekunden warten, danach "NEIN" wählen:
choice.exe /C JN /M "Drücken Sie J für Ja oder N für Nein" /T 20 /D N
# choice.exe liefert einen ErrorLevel in $LastExitCode zurück, der
# Zahlenwert entspricht der Auswahl (1=Ja, 2=Nein)
if ($LASTEXITCODE -eq 2) { return }
# Profildatei löschen
Remove-Item -Path $coreprofile -Force
}
}
# Hardlink anlegen (erfordert Adminrechte)
$null = New-Item -Path $coreprofile -ItemType HardLink -Value $winprofile
Write-Warning 'Profildatei von Windows PowerShell wird nun mitgenutzt.'
Write-Warning "Um die Spiegelung aufzuheben, einfach die $profile löschen und von Hand oder im Editor neu angelegen."
# Profilskript im Editor öffnen:
Invoke-Item -Path $winprofile
GIT HUB Desktop
this is a good tool to download all or divers spripts all at once:
The purpose of this article is to find out various subnet parameters from a given IP Address and its corresponding mask. This is one of a few available methods that can be used to achieve this.
This tutorial considers having basic knowledge of networking and understanding basic networking terminology.
We will be trying to find:
Network Address (ID)
“NID”
Broadcast Address (ID)
“BID”
Next Subnet
“NsubN”
First Host IP
“FHIP”
Last Host IP
“LHIP”
IP Host Range
“IPHR”
Number of Hosts
“N°H”
Number of Subnets
“N°subN”
Let’s take the following IP Address as an Example 1:
185.195.201.101 / 23
Firstly, let us break this IP Address into Binary
11111111.11111111.11111110.00000000
As we know the CIDR value of /23 tells us where the Mask Identifier ends and host identifier begins. In this case on the 23rd position. This position falls onto the 3rd Octet. Let us also mark any octet where this boundary falls into with a sign ‘|’ e.g NID(|). I will be using this to make clear which octet of the address is being meant.
Let us convert the Binary into Decimals. But let us first take a look at the Decimal value of each “Octet”
1
1
1
1
1
1
1
1
128
64
32
16
8
4
2
1
As we can see it all sums up to 255. Let us now translate the above Mask into Decimals
11111111.
11111111.
11111110.
00000000
255
255
254
0
As it can be seen our Netmask is 255.255.254.0 for the above IP Address.
The IP Address belongs also to a Class B Subnet
Network ID & Broadcast ID
Let us now try to determine the Network ID and Broadcast ID.
In order to achieve this we are going to concentrate on the 3rd Octet (because the division of Mask and Host modifier lies there).
2. Binary value of the 3rd. Octet of the IP Address
11001001
1. Binary Value of the 3rd. Octet of the Mask
11111110
3. Logical Conjunction of both (like a multiplier)
11001000
As we can see our logical conjunction is 11001000. Translating this into the Decimal value using the decimal chart above we get: 128 + 64 + 8 = 200
This Number is our Network Address (ID) value. Therefore our network ID is:
185.195.200.0
Having our network ID we can easily find out the Broadcast ID. Here we need to look at the 3rd octet of the Mask again and convert the last positive digit of the binary into a decimal value (it is the 7th digit marked orange). I will call this LastPositiveDigitDecimalValue (LPDDV)
11111110 --> 2
Now we can find out the Broadcast ID with this small equation
NID + (LPDDV-1) = 200 + (2-1) = 201
Our Broadcast Address (ID) is:
185.195.201.255
In order to get out next Subnet Address we just leave the -1 out of the equation above.
NID + LPDDV = 200 + 2 = 202
Out next Subnet begins at:
185.195.202.0
From here it will be very easy to calculate all the remaining parameters. Let’s integrate all into a single table and use the formulae in the second column :
NID
185.195.200.0
–
BID
185.195.201.255
NID(|) + (LPDDV-1)
NsubN
185.195.202.0
NID(|) + LPDDV
FHID
185.195.200.1
NID(4) + 1
LHID
185.195.201.254
BID(4) – 1
IPHR
185.195.200.1 – 185.195.201.254
–
N°H
256 * ((201-200)+1)-2= =2^(32-23)-2 = 2^9-2=510
256 * ((BID(|)-NID(|))+1)-2 or 2^(32-CIDR) – 2
N°subN
256 / (201-200+1)=128
256 / (BID(|)-NID(|)+1)
Formulae
Example 2
Let us have a look at another example without the explanation
185.120.120.29 / 21
11111111.11111111.11111000.00000000
11111111.
11111111.
11111000.
00000000
255
255
248
0
Binary value of the 3rd. Octet of the IP Address
01111000
Binary Value of the 3rd. Octet of the Mask
11111000
Multiplier of both
01111000
1
1
1
1
1
1
1
1
128
64
32
16
8
4
2
1
NID
185.120.120.0
–
BID
185.120.127.255
NID(|) + (LPDDV-1)
NsubN
185.120.128.0
NID(|) + LPDDV
FHID
185.120.120.1
NID(4) + 1
LHID
185.120.127.254
BID(4) – 1
IPHR
185.195.200.1 – 185.195.201.254
–
N°H
256*((127-120)+1)-2= =2^(32-21)-2=2046
256 * ((BID(|)-NID(|))+1)-2 or 2^(32-CIDR) – 2
N°subN
256 /((127-120)+1)=32
256 / (BID(|)-NID(|)+1)
Formulae
Should you have any question post a comment or send me a direct message.
This casestudy is ment to go through the process of setting up a second Gateway managed by one contoller
Background
If you are trying to use a second WAN interface in order to connect an alternative parallel local network and you want to managed the WAN Port with separate firewall rules you might realise that this task can become somewhat difficult. This is because there is no direct possibility of managing two WAN ports through the Unify GUI interface. This option has unfortunately not been implemented although requested since many years on the USG gateway series. One of the workarounds is to work with the “.json” files, where you will need to set all the rules manually. This can be quite challenging of course. One workaround is to take a second USG and integrate it into the existing network so that we can separately manage it through the same controller.
This procedure can also be used if you have a separate site which is physically found on a different premises.
I hope to save you same time and give a clear indication on how to implement this solution.
Prerequisits
For this task we will require:
2 x USG gateways (for exmple USG-Pro-4 and USGP3)
2 x Public IPs
1 x Switch
1 x Controller (Keycloud or Server)
Steps
Site Creation
Frontend Network Creation
WAN Network Creation
Backend Network Creation
Let us first create a new site which will be used for the connection of the second USG. In our example we are going to call it TestSite
Let’s create a frontend network. This network will be used for containing our USG Router later on.
Now let us create a WAN Network, and configure it in order to reflect the ISPN internet configuration. In our example the Internet router is in a bridge mode, meaning we are going to use IP Addresses provided from the ISPN. If your ISP has enabled DHCP you might also use that option to gain the necessary IP configuration automatically.
Now, add a network which will contain any other devices, such as servers, pcs, and other equipemment. For this I will use the default network which had been automatically created as we created the new “TestSite”
Finally, we will create a Site-to-Site VPN network. We are going to need this so that the controller can manage the newly bound USG.
Make sure to have a “Site-to-Site” network on both sites setup i.e. on the new ‘TestSite’ but also on the already existing site. Make sure to point towards each site in the option “Remote Site”.
USG Connection and adoption
Now let us concentrate on getting the USG connected to the newly created “TestSite” and have it adopted through the Cloudkey controller.
Connect your USG to WAN
Plug in a Laptop or PC into LAN 1 of the USG.
Set your local Laptop Network adapter settings to the default USG IP range. In my case I have set it up to: 192.168.1.50/24. DNS settings can be omitted.
Call out the USG default factory IP address. Should be 192.168.1.1. This should open the default USG login page. Use the default pass und Login name if required: ubnt/ubnt
Set the IP configuration according to the “Frontend” network we set up earlier through the controller . I set it to 192.168.100.1/24. Additionally choose the connection type. In my case I could choose DHCP as the ISP had bound my gateway to the DHCP using its MAC address. You might need to add the manual IP configuration. If you don’t have it you might need to contact your Internet provider to get one.
Apply the changes. It will now be necessary to change the network settings of your pc/laptop network adapter again, and to set the IP address in the range of the USG. Since we changed the USG IP to 192.168.100.1 let us change the laptop IP to 192.168.100.50.
After doing so reconnect to the USG using the default credentials
Before we proceed any further we are going to have to update the firmware of your USG before trying to connect it to the controller. This is important, because the versions should not have too much difference between each other. I have experienced that in case of a large version difference either an error occurs during adoption or the controller simply doesn’t recognise the USG. In order to achieve this it will be necessary to ssh the USG.
Start windows cmd with administrator rights and type the following:
c:\ ssh ubnt@192.168.100.1
Accept the ssh key and enter the default usg password “ubnt”
Having an active ssh session now, type the following.
You will need to replace the address with the one corresponding to the newest firmware version of your USG. Follow this link.
After the USG has updated and restarted itself you will need to log in again. Search for a field which has http://unifi:8080/inform in it. In this field we are going to place the external IP of your primary gateway.
Make sure to forward port 8080 to the internal IP address of your primary gateway before you proceed.
In our example this will look like this: http://186.165.90.10:8080/
After having placed the address you are going to get the option to send the adoption request. Having done so go back to your controller and choose “Devices”. Your new USG should pop up there and be ready for adoption. After the adoption has been completed you can confirm on the new usg that it had been adopted and basically you can disconnect your laptop now and connect your new usg to your switch. Make sure that the port of the switch is set up for the Backend network in this example the default LAN Network.
You have now adopted a second USG which can be managed through one controller. You may also close the forwarded port 8080 now as the adoption has been completed.
Generated key need to pasted into the wp-config.php file. Also specify all the neccesssary infos for Database name, Hostname, Database Username and Passwords
$ sudo nano /var/www/your_domain/wp-config.php
SLS Configuration
There are two possibilities for your new site to be able to redirect its traffic to https protocol.
1. Via self signed Certificate
2. Via open source Certbot
I will describe both ways but strongly recommend using Certbot because its certificate will be trusted by most browsers. Check this link to find out more.
SLS Certificate via Certbot
First, make sure that any previously installed version of Certbot is removed. It probably is not installed, but just double check
$ sudo apt-get remove certbot
Install cerbot
$ sudo snap install --classic certbot
Run the cerbot configuration wizzard.
$ sudo certbot --apache
The created certificate is valid for 3 months. It will automatically be prolonged via certbot service running on the server. In order to prove the validation status run the command.
$ sudo certbot renew --dry-run
SLS Certificate with Self-Signature
As mentioned above I recommend using a self-signed certificate only for local websites e.g. intranet or testing purposes.
Now that we have our SLS Certificate up and running we must tell any traffic to be actually redirected over the HTTPS Protocol. If you type for example www.your-site.com it will open as http per default. When it does so, the browser will tell that the site is in an unsecure mode. This might, in many cases cause people to leave the website before even entering it. In order to avoid this we must tell apache to redirect all the traffic to https protocol using your newly created SLS certificate and key.
Here comes the .htaccess file in play. It is found inside the wordpress folder and is invisable by default
/var/www/wordpress/.htaccess
This file has got to be modified with the right entry.
There are two ways of achieving this:
Manually editing the .htaccess file
Using a plugin
Using method 1:
$ sudo nano /var/www/wordpress/.htaccess
Add this entry before the “# BEGIN WordPress” line.. It’s importan to add it before!
# BEGIN HTTPS Redirection Plugin
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END HTTPS Redirection
Save the file with Ctrl+x
You don’t need to restart apache here. “.htaccess” file is being read upon each time of refreshing a webpage.
Using Method 2:
Go into the plugin menu and search for Easy HTTP SLS Redirect. This plugin does the same without u needing to modify the .htaccess file manually.
Website Health Status
At this stage we are almost done. There are still a few small steps to undertake in order to have WordPress be able to use all of its features.
For this go into the Site Health Status page and check which modules still need to be installed onto the PHP server. You will most likely see this:
Please run the following commands in order to install the missing modules:
This concludes the tutorial. Now you have installed and fully configured linux server to be able to host a wordpress website. Should you have questions or suggestion don’t hesitate to contact me via email, or post a comment in the comments section.
Update: phpmyadmin installation & Firwall rules
Previously I have not mantioned how to install PHP MyAdmin for graphical database management. Additinally we are going to enable ufw Firewall and set the right rules.
Let us now configure PhpMyAdmin. For this we are going to have to create a new file inside ” /etc/apache2/conf-available/ ” folder and call it phpmyadmin.conf
now add this configuration code to the file and save the file.
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin/>
AddDefaultCharset UTF-8
<IfModule mod_authz_core.c>
<RequireAny>
Require all granted
</RequireAny>
</IfModule>
</Directory>
<Directory /usr/share/phpmyadmin/setup/>
<IfModule mod_authz_core.c>
<RequireAny>
Require all granted
</RequireAny>
</IfModule>
</Directory>
Firewall Configuration
If your firewall ist not enabled yet we should do this now.
$ sudo ufw enable
Let us add rules for the following protocols: http, https which obviously correspond to port 80 and 443. Both are needed to access the website and and http to access phpmyadmin
$ sudo ufw allow http
$ sudo ufw allow https
If you wish to create more sofisticated rules with ufw you can follow this post
You may now access your PhpMyAdmin portal by simply typing:
In this example I am looking at scenario where some particular users in your organisation need to be automatically logged of from a specific computer (in this case it is a Terminal Server) after some time, after the user has closed the connection to the Terminal Server but did not log off from the server.
In real life this will be a very frequent scenario, because the user simply closes the remote desktop session with “x” on the bar of the remote desktop window. I do it even myself , because the “log off” button is somewhat hidden.
You might be writing those beautiful email to your users, explaining the correct process for closing the RDS, but you are most likely to loose this battle because there will always be someone who doesn’t obey. That’s life, ….. get used to it 🙂
But why would we want to force a log off from a Terminal Server? Well, its all about the precious resources. If you have one or two users, they will not have much of negative influence on the server performance, but if u have 100 users, …. then things change dramatically.
In this tutorial I will quickly look at one of few ways that this can be achived. We will be using a special GPO function called “Loop Back”
We will cover following steps:
Creating a group of users who are not to be logged off automatically
Creating an OU (Organisational Unit) to hold our Terminal Server
Creating a GPO to automatically log off users
1. Creating a group of users who are not to be logged off automatically
Go into Server Manager and start the Active Directory Users and Computer Console. Please note that all will be done on the Active Directory Server and not on the Terminal Server directly.
From there navigate to the OU where you store your groups. Create a new local group. In my case it will be
\FunctionGroups\RDS_Auto_LogOff_Exceptions
Now assign the users who are not to be affected by the auto logoff function by simply adding those users to the group.
2. Create an OU to hold the Terminal Server
Open the Group Policy editor via Server Manager. Right-Click on your domain tree and from the menu add a new Organisational Unit. Let us call it TerminalServer. Now drag the Terminal Server Computer into that newly created OU. Most likely the Terminal Server is found inside the “Computers” OU. Be advised though that if u had any other GPOs strictly connected the Computers OU and the Terminal Server should be affected by this GPO, make sure to relink this GPO to the newly created OU “TerminalServer”
3. Create a GPO to automatically log off users
As a next step we are going to create a GPO which will log of the users after x time of being disconnected form the Terminal Session.
Create a new GPO, name it for example “AutoLogOff Disconnected Users from TerminalServer“
Best Practice: Makes sure to always use descriptive names for the GPOs. At the end of the day you must be able to know what the GPO is all about.
Let us modify the GPO and go into following settings:
We are going to modify two entries. (Unfortunatelly the screenshot below is in German but you will certainly find it in english too 😉
We are going to activate both settings:
1. Set time limit for disconnected session
2. Set time limit for Log off for RemoteApp Sessions
Let us choose a time limit. I set it to 30 min. You can set it to anything you like.
In general it would be enough to just setup one of the settings. The first one is more general with a brighter spectrum, independent of remote apps. For the purpose of this tutorial I will leave both activated.
As the next step we will have to active a Loop Back settings for this particular GPO.
Now we go back to GPO list and on the right side in the properties of the GPO make sure that Authenticated Users is set in the Security Filterring option as shown below.
As next step, we need to go into the delegation tab of the GPO. When being there click on the advanced options and add the previously added Group “RDS_Auto_LogOff_Exceptions”
When being inside the advanced security opotions we need to do the following
1. Set Attributes to Authenticated User to Allow for Read and Policy Apply
2. Set Attributes to RDS_Auto_LogOff_Exceptions to Deny for Read and Policy Apply.
Once this has been done we are going to link the newly completed policy to the TerminalServer OU.
As the last step we must force “GPupdate” command on both the DC Server and Terminal Server.
> gpupdate /force
After completion make sure that all users on the terminal server are logged off. If not the case, go to the terminal server and force-log-off each user. This can be done via Task Manager in the User Tab.
This is it. Now each user who only disconnects from the terminal server will be from now on also logged of automatically. Any exceptions can be added to the Exceptions Group “RDS_Auto_LogOff_Exceptions” and these users will not be affected by the auto log off.
If you are looking for a way to get a list of installed program on a remote pc follow these steps
You will need to make sure the firewall rules on the remote pc are set to allow.
If you are an IT Admin you can deploy a rule through the GPO to all your desired clients without the need of accessing them manually.
Just go to Computer Settings>Windows Settings>Security settings>Windows Defender with extended settings>Incoming Rules. Then choose a predefined rule and find the WMI section and set it to allow. It will directly mark three necessary components.
2. You will need to run CMD as Admin and start the wmic program. Once done follow the syntax
> wmic
> /node: "COMPUTERNAME" /output:C:\listofprograms.txt pruduct get name,version,vendor
Make sure to replace the “COMPUTERNAME” with the right remote computer name or just use the IP address (but without the quotes). The output list name can be anything really.
You can also view the installed software direct in the console by just omitting the output command
>/node: "COMPUTERNAME" pruduct get name,version,vendor
This one on the contrary provides a full list which will be formatted as csv and comma-separated
>/node: "COMTUTERNAME" /append:"C:\programlist.txt" product list full /format:csv
The purpose of this short tutorial is to set the server internal clock, which will be synchronised with the internet rather than the local BIOS clock. A Bios clock can get inaccurate over time and this would be something we do not want to happen.
To do so, start the CMD as Admin and type the following:
Lets presume you have an application that should be accessed by multiple users. You do not want to have the application be installed on multiple clients but rather be on a central host which will be accessed by all users. The benefit of such set up is that you have one application to be deployed and managed rather then multiple separate installations.
In our case study we are having two separate servers.
One is our Terminal Server where we want all the clients to connect to via Remote desktop. The other one is our Active Directory Server where all users are managed and authenticated.
Following steps are required in order to achieve our task:
Adding Windows Roles and Features to Terminal Server
Adding Group Policies (GPO) to Terminal Server
Installing License for Remote Desktop on our Terminal Server
Linking Licensing Server to Active Directory Server
Adding Windows Roles and Features to Terminal Server
Firstly, you must add the following roles:
Remote Desktop Licensing
Remote Desktop Session Host
see the screenshot below. Although in German you should be able to get the idea.
After having installed the two roles let us move to the next point.
Adding GPO to terminal server
Now let us start the GPO editor. Just type in the search bar
Here again a screenshot in German but you should be able to find it 🙂
Now edit the highlighted 3 options.
Automatic Reconnection
Limit number of connections
Restrict Remote Services Users to a single Remote Desktop Session
We want to have the first option activated. It will make sure you get reconnected after for example short internet disconnection.
The second option set as desired depending on the number of users authorized to use RDS
Third option make sure to deactivate.
At this stage we are ready to install the RDS license.
Installing License for Remote Desktop on Terminal Server
At this stage it is important to install the CAL License. You can actually use RDS without a valid license, but this is allowed only for a limited time and any per son logging into a Terminal Server will be informed that not license is not present. Additional you will be receiving a ballon message saying:
Remote Desktop licensing mode is not configured. Remote Desktop Service will stop in 10 days. On the RD Connection Broker server, use Server Manager to specify the Remote Desktop licensing mode and the license server.
Let’s open the Remote Desktop Licence Manager. You can find it by searching the name in the Start Menu.
Now we will click on the name of our Server with the right mouse button and choose Install License. This will open a Wizzard which will guide you through the process. Makes sure you have got a valid license.
Once you have added a valid license, it will validate and allocate it. I for example use a license for 50 users. (In this case I use a license per user)
So now we are almost done but still one point needs to be adjusted. Because in this tutorial we a using active directory, we must tell our AD Sever that there is an valid license for the Remote Desktop Sessions. For this reason we will point Active Directory to the RD Licensing Server (which in our case is found on our Terminal Server)
Linking Licensing Server to our Active Directory Server
This procedure will be done using the Group Policy.
Lets add a new organizational unit to our Active Directory and name it e.g. TerminalServer.
Having done so let us move the Terminal Server Computer inside this newly created OU.
Now open the Policy Editor. Let us create a new policy and call it “Licensing_RDP”
Now edit the newly created policy and navigate to:
You will want to activate and set the Set the Remote Desktop licensing mode option. I have chosen the option “per user” as this corresponds to my license type
Now we must point where our Remote Desktop Licensing Server is found. For this active and edit Use the specified Remote Desktop license servers. Inside the option just add the server IP address.
Now we are done done with the configuration. Run gpupdate /force on both servers and test your RDS connections
Useful Trouble Shooting
Should you get difficulties with the RDS Profiles at some point it is crucial to check the the C:\Users Folder for any TEMP Folders. If these get created check out the SID of the USERS and look for the settings in the Registry editor:
The Purpose of this article is to go thought the setup process of UFW Firewall as well as to learn some essential commands for managing your firewall rules
Requirements
Ubuntu 20.04
Sudo non-root user
Please note that most of the commands apply also to previous versions of ubuntu. In this tutorial we are concentrating on IPv4 rules. Should you be using IPv6 on your server make sure to also enable IPv6 in UFW
UFW installation
In order to install the fire wall run this command
$ sudo apt update
$ sudo apt install ufw
Now let us enable IPv6 (if needed) by editing the default configuration file
$ sudo nano /etc/default/ufw
please make sure that the value of IPv6 is set to yes
IPV6=yes
Setting up default UFW policies
When freshly installing an UFW firewall all of the policies are default and set to allow outgoing traffic but block incoming traffic. If you have had already an UFW running and wish to set all the default rules to default settings you can execute this command.
we can prove the current state of the firewall with the next command
$ sudo ufw status verbose
we receive a return showing us that the ufw is active allowing outgoing connections and denying incoming. Should you receive a status message as inactive you can enable the firewall with the following command.
$ sudo ufw enable
analogically should you wish to disable the firewall just type
$ sudo ufw disable
and further more a restart can be done by combining the two
sudo ufw disable && ufw enable
or
sudo systemctl restart ufw
Since by default there are no individual rules set let us add a rule for SSH so that we could manage our server form another Client via the ssh protocol which uses port 22 as default. The command “enable” switches the firewall permanently on, also after a system reboot.
Allowing SSH connection through UFW
As mentioned before we can allow the application directly or allow the specific port. First option will automatically open the necessary port therefore:
sudo ufw allow ssh
sudo ufw allow 22
both will allow communication on port 22 for us.
Please note that if you have specified a different port for ssh to listen on make sure to manually allow that port on ufw. For example if you set ssh on port 6666, analogically the command would be like this:
$ sudo ufw allow 6666
Allowing Specific Connections
You have seen by now how to allow a specific port. We can additionally configure our UFW to allow or block specific:
ip addresses
range of ports
subnets
network interfaces
Let us have a look at the first one. Imagine we would like to join our home server from work so that you could manage it any time you desire. Presuming you know what the external IP of your work is , which in our example would be 185.234.123.45 then we could add a rule allowing connection to our server for this IP only over the SSH port. Our command in this case looks like this.
$ sudo ufw allow from 185.234.123.45 to any port 22
should you wish to allow the specific IP to enter the whole network just leave the port out.
$ sudo ufw allow from 185.234.123.45
A word of advice: It is always best to have as few ports open as possible. Lowering the number of open ports lowers the risk of security breach. Try accessing your local network through a secure connection such as VPN. The process of setting up such a connection is quite straight forward. If interested follow this link.
Subnet
Should you want to allow or deny a whole range of IP addresses, we could do it by specifying a netmask. For example we wish to block a whole IP range from 192.168.1.1 to 192.168.1.254. In order to do so we would write:
$ sudo ufw deny from 192.168.1.0/24
analogically we can also allow this subnet to connect to specific port.
$ sudo ufw allow from 192.168.1.0/24 to any port 6666
We also have the possibility to narrow the allow/deny rule to a specific protocol. For example we would like to only allow UDP traffic on port 6666. We just replace have to replace “any” with “allow”
$ sudo ufw allow from 192.168.1.0/24 to UDP port 6666
Range of Ports
What if instead of a IP range we would like to add a rule for a port range. Let’s presume an app requires ports 5000 to 5005 over UDP. The syntax looks as follows:
$ sudo ufw allow 5000:5005 /udp
analogically you can allow or deny any range of ports as desired.
Network Interface
But what if we would like to add rules for specific netwrok interfece. Let’s presume we have multiple NICs on our server. We would like to allow external traffic to our server only via NIC 1. First we need to find out the interface name on ubuntu. We do it by running ‘ifconfig’ command.
$ sudo ifconfig
in my case the desired interface has a name of enp0s3. We are going to use this interface to allow external http traffic to our server.
$ sudo ufw allow in on enp0s3 to any port 80
Deleting Rules
Having added rules we might want to also delete them too. The best way to do it, is to first get a listing of all the applied rules in a numbered way. We achieve this by typing:
$ sudo ufw status numbered
In my case there are two available rules numbered as 1 and 2. I would like to get rid of the rule for IPv6 connections. To do so we just type:
$ sudo ufw delete 2
Resetting or Disabling UFW
Let’s summaries the few commands that we had previously used for disabling/restarting or resetting of the ufw process.
This is a continuation of the previous post “OpenVPN Installation”. Here I would like to go through the configuration process of OpenVPN Server so that the credentials authorisation will be done with active directory on a separate server.
In the previous post we had gone through the configuration process of the openvpen server and creating an .ovpn file. Now let us extend it so that when connecting to a vpnserver we will be prompted to enter user name and password which will be checked against the windows active directory server.
It is essential that you have basic kowledge of active directory management.
In this tutorial we are going to:
Install openvpn-auth-ldap tools
Add Users to Active Directory
Configure auth.ldap.conf file
Adjust openvpn configuration file
Firstly, let us jump over to our OpenVPN server and install necessary packages and libraries.
§ sudo apt install openvpn-auth-ldap
After the installation has been completed we will jump into usr/share/doc/openvpn-auth-ldap/examples/ and copy an example config file auth-ldap.conf into /etc/openvpn/. This file is the main configuration for our authentication.
Additionally let us note the location of the authentication module /usr/lib/openvpn/openvpn-auth-ldap.so. We are going to need this path for configuration later on.
Adding Users to Active Directory
In order to authenticate users against AD we are going to need to create a user just for the vpnserver, so that auth-ldap module can read the content of the Active directory users, groups and organisational units (OU):
In this case I create a user : VPNUser who resides inside an OU called MyUsers and is a part of a Group called VPNGroup. The VPNGroup is inside an OU called MyGroups. Any other AD user will also be inside OU:MyUsers and will be a part of the group called VPNGroup (in our scenario the users inside this group will be allowed to connect to our vpnserver)
The default file which we have just copied into /etc/openvpn/ looks like this:
<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org# Bind DN (If your LDAP server doesn't support anonymous binds) # BindDN uid=Manager,ou=People,dc=example,dc=com# Bind Password # Password SecretPassword# Network timeout (in seconds) Timeout 15 # Enable Start TLS TLSEnable yes# Follow LDAP Referrals (anonymously) FollowReferrals yes # TLS CA Certificate File TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required TLSCertFile /usr/local/etc/ssl/client-cert.pem TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP
<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"# User Search Filter SearchFilter "(&(uid=%u)(accountStatus=active))"# Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) #PFTable ips_vpn_users # Uncomment and set to true to support OpenVPN Challenge/Response #PasswordIsCR false <Group> # Default is true. Match full user DN if true, uid only if false. # RFC2307bis true # Default is true. Uncomment and set to false if you want to use a Search operation to determine group # membership instead of Compare. Lower performance, so Compare should generally be used, but Search is # required in certain LDAP environments. # UseCompareOperation true BaseDN "ou=Groups,dc=example,dc=com"SearchFilter "(|(cn=developers)(cn=artists))"MemberAttribute uniqueMember# Add group members to a PF table (disabled) #PFTable ips_vpn_eng </Group>
</Authorisation
According to the Active Directory users and groups we set up previously we are going to change the red marked lines of the config file. The new configuration should look as follows:
<LDPA>
# LDAP server URL
URL ldap://xxx.xxx.xx.xx:389 #Your IP here with Port number
# Bind DN (If your LDAP server doesn't support anonymous binds) BindDN cn=VPNUser,ou=MYUsers,dc=example,dc=local#Bind Password Password "YourPasswordforVPNUser" # Network timeout (in seconds) Timeout 15 # Enable StartTLSTLSEnable no# Follow LDAP Referrals (anonymously) FollowReferrals yes # TLS CA Certificate File TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required TLSCertFile /usr/local/etc/ssl/client-cert.pem TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDPA>
<Authorisation>
# Base DN
BaseDN "ou=MYUsers,dc=example,dc=local"# User Search Filter SearchFilter "(samaccountname=%u)" #Replace the default with this function# Require Group Membership RequireGroup true # Add non-group members to a PF table (disabled) #PFTable ips_vpn_users # Uncomment and set to true to support OpenVPN Challenge/Response #PasswordIsCR false <Group>
# Default is true. Match full user DN if true, uid only if false.
# RFC2307bis true
# Default is true. Uncomment and set to false if you want to use a Search operation to determine group # membership instead of Compare. Lower performance, so Compare should generally be used, but Search is # required in certain LDAP environments. # UseCompareOperation true BaseDN "ou=MYGroups,dc=example,dc=local"SearchFilter "(cn=VPNGroup)"MemberAttribute "Member"# Add group members to a PF table (disabled) #PFTable ips_vpn_eng </Group>
</Authorization>
Son now we have our configuration file adjusted. There is one last step that we must undertake. We are going to tell the VPNServer that it should use the LDPA module and the LDPA configuration file.
Adjust openvpn configuration file
Navigate to our server.conf file
$ sudo nano /etc/openvpn/server.conf
we are going to add this line to the end of the file:
The overall configuration of both the server as well as the LDAP service is somewhat long. Due to many configuration steps mistakes can unfortunatelly happan. Here are a few commands that will help rule out some of the mistakes:
1. Journal
The journal can tell a lot and point you directly to where the problem is:
$ sudo journalctl -xe
2. TCPDump
Tracking traffic on particular interfaces and ports can give a good indication if connection is established. If for example you like to check open vpn communication with Active Directory server then simply use:
$ sudo tcpdump -ni eth0 tcp and port 389
‘eth0’ – is my network adapter in this case. Check yours using “ifconfig” command.
3. VPN Logs
Watch realtime logs as you execute client connections. You will get a live feed on any activity on the vpn server
$ sudo tail -f /var/log/openvpn/openvpn.log
4. Filter System Logs
You can filter system logs for any VPN activity
$ grep VPN /var/log/syslog
5. Check Server Configuration File
You can check your main config file. Should any error accure you will be informed.
$ sudo openvpn --config /etc/openvpn/server.conf
6. OpenVPN Processes
It is always good to check if your processes are running and activated
Why would you want to install a private VPN Server?
The major purpose of having a vpn server is being able to access your local network from any place in the world in a secure manner. Looking at the nature of a VPN connection, which can forward all the traffic from the remote device to a VPN Server, there might also be other reasons why someone would want to use a VPN connection. For the purpose of this article, I am going to concentrate on solely accessing our home or business local network from anywhere in the world.
The process of setting up a VPN server can be somewhat difficult for a beginner. When I had done it for the first time it took me hours to have the task completed. No fear though, in this guide I will go through all the necessary steps and I will try to be as prompt and concentrated as possible.
Firstly let’s see what we need in order to accomplish this task.
Requirements
Two separate Linux Ubuntu 20.04 installations
Windows with PSCP command installed
We will be using two linux installation due to security reasons. On one server we will will run VPN server the other one will be used as a key and certificate signing authority. Having the two separated increased the overall security.
For the purpose of this guide, I will be using following names for the server:
CAServer: for certificate authority
VPNServer: for open-vpn server
Since we are going to be operating on two server installations I find it much easier to manage those from my Windows 10 installation via CMD using ssh protocol. We are also going to transfer files between Linux and Windows. In this case we are going to need PSCP on Windows.
Creation of Certificate Authority (CA), Server key and Certificate
Server Certificate Signature
Creation of client key & certificate and signing of the client certificate
Creation of TLS authentication key and DH Parameters
Open VPN firewall rules
Open VPN Server configuration
Creation of client OVPN file
User authorisation against Windows Active Directory (optional)
1. Creation of CA, Server key and certificate
Assuming that you have already created two independent servers we are going to perform operations on the CAServer first. We will need to install the easy-rsa package, which will serve as out certificate authority. We are also going to update our package repository before hand.
Placing ‘-y’ in the command line simply saves us time by accepting any options before hand.
As a next step we will use the in-built command of rsa to create a folder which contains all configuration files and any tools that come with it. In our case lets create a folder called rsa_certificate
$ make-cadir rsa_certificate
Let’s change directory to the newly created folder
$ cd rsa_certificate
Let’s list the content of the new folder
$ ls
you should be able to see a file named vars. We will open this file using nano command
$ sudo nano vars
edit the content of the file with your appropriate details e.g:
save the changes using Ctrl+x and then confirm by pressing enter.
Our next step ist to create a public key infrastructure. For this we are going to initiate a built-in command of easyrsa which will create a new folder called PKI with all the necessary tools.
$ ./easyrsa init-pki
Let us now create/generate our server certificate (CA) and server key. Execute the command below. You will be asked to enter a password for the ca key as well as a common name. If you leave the common name blank and press enter an automatic name will be assigned such as Easy-RSA CA.
$ ./easyrsa build-ca
The command generates two files inside the /pki folder.
ca.crt
ca.key (/pki/private/)
These files are: a public certificate and key used to sign the open-vpn server and clients certificates. In other words, each certificate, the server and client, need to receive a signature so that later a connection can take established between the vpn client and the vpn server. The ca.key is very important, therefore make sure you keep it safe. Also never forget the password you made before.
Now, that we have both the certificate and its key let us do the same for our Open-VPN server.
Let’s generate both and get a signature for them from our certificate authority (easy-rsa).
Switch over to the VPNServer. Install openvpn and easy-rsa
$ cd
$ make-cadir rsa_certificate
$ cd rsa_certificate
$ sudo nano vars
$ ./easyrsa init-pki
After going through these steps we will want to create a certificate and a key. These certificates are somewhat different because these are requests for a signature and the signature will be provided by the authentication server. Therefore also a slightly different command.
$ ./easyrsa gen-req server nopass
The above command will generate a request certificate with no password and with the above name ‘server’. You can call it whatever u want, but I will stick to the simplicity of calling these as server and client for ease of recognition.
The generated key and certificate will be placed in:
Now, we move back to CAServer in order to sign the request
2. Server Certificate Signature
Being on your CAServer change folder to your home directory if you haven’t done it yet. Inside you should find the transferred file from the previous step.
$ cd
$ ls
rsa_certificate server.req
Let us navigate to rsa_certificate folder
cd rsa_certificate
Now let’s import the certificate request. We are going to use a function of the easyrsa import-req
we use following syntax:
import-req <request_file_path> <short_basename>
$ ./easyrsa import-req /home/'your_user_name'/server.req server
It should return following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
The request has been successfully imported with a short name of: server
You may now use this name to perform signing operations on this request.
Now, since we have imported the request, it needs to be signed. To do so we will use sign-req with short_basename syntax.
$ ./easyrsa sign-req server server
Upon execution we are going to be asked to provide the CA key password that we had previously set up.
Let us delete the server.req
$ cd
$ ls
rsa_certificate server.req
$ rm server.req
$ ls
… and copy the server.ctr & ca.crt (public certificate) back to the vpnserver
$ cd rsa_certifcate/pki/issued/
$ scp server.crt yourusername@your_vpnserver_ip:/home/yourusername
$ cd rsa_certificate/pki/ca.crt
$ scp ca.crt yourusername@your_vpnserver_ip:/home/yourusername
On the VPNServer lets move/copy the files into /etc/openvpn/
Switch over to the CAServer now and import the request
$ cd /rsa_certificate
$ ./easyrsa import-req /home/'yourusername'/client.req client
Now as it is time to sign the imported certificate request. You will be prompted to enter the CA Certificate key password which you have created at the beginning
$ cd
$ cd rsa_certificate
$ ./easyrsa sign-req client client
The client signed certificated will be created in
Certificate created at: /home/’yourusername’/rsa_certificate/pki/issued/client.crt
Now let us move all client related files into a folder called client. For this purpose we are going to create a new folder.
This is being done on the VPNServer now!
$ cd
$ mkdir client
$ cd rsa_certificate
$ mv pki/private/client.key /home/'yourusername'/client/client.key
$ cd
$ mv client.crt /home/'yourusername'/client/client.crt
Now our new client certificate and client key are in one folder for the ease of access.
4. Creation of the tls key (ta.key) and Diffie-Hellmann parameters (dh2048)
Open Vpn integrates tls-auth in order to further improve security. With the following steps we are going to generate a ta.key. Make sure to switch back to your VPNServer.
$ cd /rsa_certificate
$ openvpn --genkey --secret ta.key
Having done so let’s now generate a Diffie-Hellmann key used in the transfer of crypto key over insecure and public channels. We will create the key and move it form its default location the openvpn folder while changing its name to dh2048.pem
$ cd /rsa_certificate
$ ./easyrsa gen-dh
Let’s move both files to Openvpn folder
$ cd rsa_certificate
$ sudo cp ta.key /etc/openvpn
$ cd
$ cd rsa_certificate/pki/
$ sudo cp dh.pem /etc/openvpn/dh2048.pem
5. VPN Firewall rules
We are going to set up some firewall rules of the Open Vpn server now. This is important to further increase the security of the server. Before we proceed to ufw rules lets first activate IP forwarding on our VPNserver.
$ cd /etc/
$ sudo nano sysctl.conf
after opening the file find and uncomment the line
net.ipv4.ip_forward=1
now let’s reload the setting
$ sudo sysctl -p
Now we are going to modify the ufw by allowing the forwarding. We navigate to /etc/default/ufw file and change Default_Forward_Policy to accept.
$ sudo nano /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
As the next step we are going to add a routing rule, which will be added prior to any existing firewall rule. To do so you will need first to check the exact name of the interface used for the connection and secondly to add the rule to a file called before.rules
… so let’s check the Interface name first
$ ifconfig
in my case the interface is called enp03. In many cases it might be called eth0.. Make sure to check this out.
We have conducted many steps by now. Now is the time to configure the vpn server so that it actually accepts incoming connections. For this we will use a sample configuration file delivered with the server installation. File should be found in: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
Let’s use the zcat command for compressed files and resave it as a new file
$ cd /usr/share/doc/openvpn/examples/sample-config-files/
§ zcat server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null
We can now work on the newly generated file inside the /etc/openvpn/server.conf file.
So let us ‘nano’ the file.
$ sudo nano /etc/openvpn/server.conf
Now we have to make sure that the file contains the right names for our ca, cert, key and dh. We have created them before and placed inside the /etc/openvpn/ folder. Check it
ca ca.crtcert server.crtkey server.keydh dh2048.pem
Now find lines user nobody and group nobody. Unhash these. This will allow anyone with the client configuration file to connect to the vpn server. If you are willing to have user authentication against an Active Directory server you can find the steps in chapter 8.
Another parameter worth changing is on line 192.
push "redirect-gateway def1 bypass-dhcp"
This will tell the server to forward your default gateway through the vpn server. This option is great for geo-locked content. For example while visiting a foreign country for holidays it will in virtually place your laptop at home location :-). Isn’t that cool? Think of some other benefits such as your favorite movies that are geo-locked!!
Worth considering is line 200 and 201
push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220"
I use this myself.. If you have local network with server and devices, this option will save you typing in all the individual IP addresses as now you can us DNS Names.
So as a next step we must verify that we have all the necesary files inside /etc/openvpn folder. We have been moving them into that folder along the way. So lets check:
$ ls /etc/openvpn
ca.crt dh2048.pem server.conf server.crt server.key ta.key
These files should be found there. If you are missing any, go back and verify the steps.
There is one more step to go in this chapter but before we proceed lets copy the ta.key file into our /client folder. We normaly would not need to do this, but if you intend to use OpenVPNconnect App on your smart phone, this file might be needed. Well it was in my case at least.
$ cp /etc/openvpn/ta.key /client
Now as a final step let us change permissions on the etc/openvpn to root user. We do it to seal this folder from unauthorized access. Remember that if u decide later on to move this folder or the files inside of it to a different location you will have to reapply new permission or to elevate your user to root.
$ sudo chown -R root:root /etc/openvpn
7. Client configuration file
In chapter 3 we have created a folder called /client. We will use this folder to store all client files. Until now we have placed the client.key, client.crt, ta.key
Now we need to place inside the folder the client.conf file. We will use a template from /usr/share/doc/openvpn/examples/sample-config-files/client.conf
please replace ‘my-server-1’ with the actual external IP of your server or a host name e.g. itpassion.org. you can also replace the default port number. makes sure to forward this port on your router/firewall/gateway.
The next two entries that need uncommenting are:
;user nobody
;group nogroup
Just remove the semicolon ; Please note that if u decide to use user authentication we are going to set this up via the openvpn server. This will be explained in the next chapter though.
As the last step we will be adding some lines to the bottom of the file
<ca>
# Copy and paste the content of the ca.crt file
</ca>
<cert>
# Copy and paste the content of the client.crt file
</cert>
<key>
# Copy and paste the content of the client.key file
</key>
key-direction 1
<tls-auth>
# Copy and paste the content of the ta.key file
</tls-auth>
You will be placing the long chain of random signs from ca.crt, client.crt, client.key, ta.key. As you might remember these are stored on the VPNServer in the /home/client folder.
Once this has been completed you simply secure copy the client.config to your windows installation. Check this post to find out how to transfer files between linux und windows.
Once this has been done please rename the client.config to any desired name with *.ovpn extension. This file needs to be placed inside the OpenVPN installation folder. In my case this was “C:\Program Files\OpenVPN\config”. This would actually be all to establish a secure connection to your network. The negative point is that if any one got in position of this configuration file, he would be able to connect without user prompt. Since you already have setup a VPN server I strongly recommend to also run an Active Directory for your local network which manages all your local network user permissions. Therefore in the next chapter I will concentrate on explaining how to set up VPN User Authentication.
8. OpenVPN user authentication against Active Directory
Due to the length this chapter has been moved to a separate Post. Please follow this post to read more.
SSH known as Secure Shell is a protocol for operating network services securely. It is needed especially if you are for example planning on managing your Linux Server from Windows.
Installation:
SSH protocol can be installed automatically during ubuntu fresh installation. An option is being displayed which merely needs to be marked with an ‘x’ for an automated installation.
Lets presume this was not the case and you need to install this afterwords. The procedure is very simple.
Replace ‘linuxusername’ with the your linux username and replace ‘192.168.100.10’ with the IP address of your linux installation.
After doing so you will be prompted to enter the password of the linux username and you will be asked to accept the ssh key. After accepting it the key will be saved on windows machine as a trusted ssh keys.
Your are now logged into linux from a windows Command Prompt.
You might also consider setting up the appropriate firewall rules on your linux server especially opening the port 22 to gain access. You can follow this post to learn how to use, configure the ufw firewall
If you are looking for a way to copy files directly from Linux to windows I strongly recommend using a “pscp” command. This command which is by default part of Linux but in Windows environment it requires the necessary libraries. These can be downloaded here.
Upon downloading please place the file inside this path: C:Windows\System32.
You can test if the new command works by:
Starting CMD as Administrator
Starting PowerShell by typing ‘Powershell’
Type: pscp
You should receive a similar return:
Now you can start copying files from Linux to Windows using the following syntax
After pressing enter you will be prompted to accept ssh certificate (make sure that ssh is enabled on your Linux installation, if not follow this link) and you will be asked to enter the ‘sudo’ linux user password.
After doing this the desired file will be copied over port 22 into C:\temp. Here, instead of C:\temp, you are allowed to type any path to a desired folder on windows installation.
How to copy Files from Windows to Linux?
In order to achieve this just reverse the syntax. Using the example above type the following:
If you are intending to ssh your linux installation from the internet, make sure to forward port 22 to your Linux IP address.
Although this means of managing your server is possible. I do not recommend it due to security reasons. Firstly it open your server vulnerable to port scans, secondly the ssh ist not secure enough enough to sleep tightly in my opinion.
As alternative means I strongly suggest to use SSH over VPN (Virtual Private Network). Since you already have a Linux Server, it should not pose too much difficulties on setting up your own VPN Server, which will allow you to enter your own local network from all over the word 🙂
Please follow this link to learn how to install and configure a private VPN Server based on OpenVPN.
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
