VPN actually stands for virtual private network. What that means is that when you connect to a VPN, you are essentially creating a secure encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that you only you and the other end know what you are doing. That traffic will be visible from the other end as it comes out there, but that is a network you “trust”, and that traffice is protected as it traverses across the Internet.
You’ve probably heard of VPN services before or you might already use one. They are common for work places to use, to connect back to your office. As well commercial VPN services for individuals looking to bypass geo-location filters when they are overseas to make it appear that you are in the U.S., or users as an attempt to anonymize their internet traffic. Those are all great examples of VPNs. But those are not what I am going to cover….
So what about if you want to access resources you have at home while you are away? (i.e. – printers, file storage or file backups, remote support of a non-tech-savvy family member)
Or what if you want to use the Pi-Hole adblocker you set up at home while your at school/work/traveling?
This is the type of “home VPN” that I am talking about. This “home VPN” will keep your browsing secure while you are hopping onto free WiFi hotspots all across town, but it will not anonymize your traffic at all. All of your traffic is [securely] going to go thru your VPN and it will be as if you are surfing the Internet from home. So don’t think that just because you setup a VPN on your Raspberry Pi at home that you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. You will however, be able to connect back home and retrieve those files you forgot to put on your thumb drive before walking out the door.
The magic that will make it happen is called PiVPN. It’s a small piece of software that can be installed on a Raspberry Pi with a single line of code, and can be configured, ready-to-go, in less time than it take to watch a sitcom episode on Netflix.
So I already have PiHole installed at home and it works great to block ads at home. But if you’re not at home, how do you to block ads? What about if you want to access resources you have at home (i.e. – printers, file storage, remote support of non-tech-savvy family) while you are away? Well the answer is PiVPN.
You’ve probably heard of VPN services before or you might already use one. They are common for work places to use, to connect back to your office. As well as for individuals looking to bypass geo-location filters when you are overseas, to make it appear that you are in the U.S.
VPN actually stands for virtual private network. What that means is that when you connect to a VPN, you are essentially creating a secure encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that you only you and the other end know what you are doing. The caveat to that, depending on how your VPN is set up, is that the internet traffic on your device will appear to be coming from the network you are VPNed into and that will be visible to the ISP. So don’t think that just because you setup a VPN on your Raspberry Pi at home that you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. The best use case, in my opinion, for setting up a VPN, or in our case PiVPN, is to access your files and storage when you’re not at home.
Lets get started with setting up PiVPN. As a prerequisites, make sure that you have already installed and setup PiHole.
Open a terminal window or SSH into your Raspberry Pi (RPi)
Enter the following command:
curl -L https://install.pivpn.io | bash
By running the above command essentially piping the curl command to bash, the RPi will automatically download and run PiVPN.
A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!
The PiVPN Automated Installer should appear. Click ‘Ok’.
The installer will need to apply a static IP address to your Raspberry Pi. This is a PiVPN requirement. If you’re running PiHole, you should already have a static IP assigned to your device. If you don’t… go fix that now, and come back. If you do already have a static IP address assigned at this screen, click ‘No’.
Comment on the above step… Even if you set a static IP on the device, if that IP is within the DHCP reservation pool, the DHCP server (the router, for most people) could theoretically still assign that IP to another device. That should never happen for an always on device, but if you take it offline for a while or switch routers it could happen. So when setting static IP addresses, take a look into your network’s settings and assign addresses outside of the DHCP pool’s range. This will help prevent the possible scenario i just mentioned above.
The next screen shows your current network settings and confirms that you want to use it as your static address. Click ‘Yes’.
The next screen is just a warning of what could happen with an IP conflict if the RPi does not have a static IP address and is using DHCP. We’re all set though using a static IP, so click ‘Ok’.
Next we will choose the user which we’ll install PiVPN under… Click ‘Ok’.
Then choose the desired user, and click ‘Ok’ again.
We want to install WireGuard. So on this screen, select it and click ‘Ok’.
*If you need, or wish, to install OpenVPN to meet you needs then that option is available. My recommendation – If this is your first time setting up a VPN, stick with the default – WireGuard.
Wait and watch the status bar complete….
Select your default port. I am going to leave mine set to the default value “51820”. Click ‘Ok’.
Confirm the port, click ‘Yes’.
Because PiHole is already install, PiVPN detects it and offers to set that as our desired DNS. This is what we want, so click ‘Yes’.
This next screen asks how we will be connecting remotely to our PiVPN.
Most of us do not have a static “external” IP given to us by our ISP. So with that in mind, we do not want to use the public IP address that is shown.
We want to use a Dynamic DNS (DDNS) service. The best example of this type of DDNS service is No-IP (noip.com). This type of service allows you to run a client within your network that will go out and check what your external IP is, and then update No-IP with that address any time it changes. Dynamically updating the DNS record that you have setup with the DDNS service provider.
Note: This DDNS value can be changed later if your DDNS public name ever changes, though you would need to update your user/client endpoints to use the updated name.
Since we already have DDNS set up, we will be chooseing “DNS Entry – Use a public DNS”. Click ‘Ok’.
Enter your DDNS public DNS name. Click ‘OK’.
Confirm your entry. Click ‘Yes’.
The generation of the encryption keys are the next step. Click ‘Ok’.
We will want to acknowledge the ‘Unattended Upgrades’ page. It’s just letting us know that we should enable this feature and have the RPi automatically check for and install security updated for us daily. Note, that it will not automatically reboot the RPi, so we’ll need to do that manually from time to time. Click ‘Ok’.
Click ‘Yes’
Wait and watch the status bar complete….
Click ‘Ok’. PiVPN has now been installed! Woohoo!!! We will still need to add our users/profiles before we can log in.
Click ‘Yes’ to reboot your RPi. Then ‘Ok’ again to initiate the reboot.
Now we need to log into our router. We will need to setup a port forwarding. We need to forward port 51820 to our Raspberry Pi. This will allow traffic both ways between the Internet and your PiVPN.
Note: If you skip this port forwarding step, you will not be able to connect remotely to your PiVPN.
Typing “pivpn” will show you all of the available options of PiVPN.
Now that PiVPN is running, it’s time to add device profiles to the VPN and grant them the permissions they need to be able to connect.
Ideally you will want to create a new client account for each device that will be connecting remotely to your VPN. This is a best practice, and my recommendation. It gives you the granular control, per device, in case you need to revoke or regenerate a device’s credentials. It’s easier to redo one device then it is to redo every device.
To add your user, type the following command below.
pivpn add
Then add the name of your user. In my example, my user is named “P-W-W-F”
Just like that you’ve added a user to your VPN!
Repeat the above steps as many times as necessary to add profiles for every device that will be connecting to your VPN.
This default setup will create a user with a “full” VPN, meaning that all of their traffic is going to get routed thru the Internet over to your RPi. Your RPi will then determine what traffic is meant for your home network, and anything else will get re-routed back out of your home network to the Internet.
The config can be copied to the home config directory if you choose. This will make it easier if you are going to manually transferring a config file to a device
To copy or backup your configuration files use the following command:
So PiVPN is setup. We’ve added the user/client into PiVPN. Now we need to setup the endpoint so they can connect back to PiVPN.
When we set up PiVPN we had to make a choice. We had to choose whether we wanted to use WireGuard or OpenVPN for the “magic” behind our VPN. In my article, we set up PiVPN using WireGuard, which was the PiVPN default.
So… we are going to want to download and install the WireGuard client on our endpoint device(s). Go ahead and get the latest/greatest version of the WireGuard client for your Operating System directly from WireGuard.
I’ll go over how to add it via QR code on your mobile iOS device. As well as how to add it from a config file onto a Desktop PC.
Note: If you created both a full and split-tunnel VPN client/user, then you will need to repeat the steps below to add the second profile.
Mobile Devices
Using a mobile OS like Apple’s iOS or Google’s Android, or other system that can read a QR code is probably going to be the easiest way to setup the endpoint device with it’s PiVPN configuration and encryption keys.
On the RPi, it’s possible to use PiVPN to generate a QR code for each client/device that you setup. That QR code will hold all the info that WireGuard needs on the endpoint to properly configure it. Just remember to guard that QR code and keep it safe… as it is literally the keys to your Castle/Home Network.
On the RPi, enter the following command below:
pivpn -qr
PiVPN will then list the users you have created, and you can choose which user you want a QR code to be generated for.
In my example, I get the QR code for the user “P-W-W-F”
On your mobile iOS device, open the WireGuard app. Tap “+” to add a new tunnel. Then tap “Create from QR code”.
Your phone’s camera will open and allow you to scan the QR code.
Give the VPN connection a name when prompted. I used the name “PiVPN”.
Click “Allow” when prompted to allow WireGuard to “Add VPN Confiurations” to your device.
It will then proceed to auto-magically set everything up for you. You’ll have a simple toggle available in the WireGuard app that you can use to enable/disable your VPN.
Desktop Devices
Setting up the WireGuard app on a desktop is not hard, but it’s not as easy as simply scanning a QR code. PiVPN will automatically generate a file that will contain the configuration and encryption keys for each user/client, as you create each of your users/clients. We just have to copy that file from the RPi on to our desktop.
When we create the user/client in PiVPN, it generated a file named “User/Client.conf” and placed in the RPi’s users’ home folder.
In my example below, when I created the user “P-W-W-F” it generated the file “P-W-W-F.conf” and placed in the folder “/home/pi/configs”.
From your Desktop, open WinSCP, and connect to your RPi. On the RPi side, navigate to the folder that was listed when you created your user/client in PiVPN. Copy that “User/Client.conf” file over to your desktop.
On your Desktop, open the WireGuard app. Click on button to “Import tunnels(s) from file”.
Browse to the file you copied off of your RPi, and click ‘Open’. It will load all of your settings. Click the ‘Activate’ button to turn on your VPN.
Your PiVPN VPN using Wiregaurd is now active. You are now connected to it and can access all of your resources safely and securely. To disconnect, just click the “Deactivate” button.
Installing Pi-Hole is really simple. In fact it only takes entering one line to setup.
curl -sSL https://install.pi-hole.net | bash
By running the above command essentially piping the curl command to bash, the RPi will automatically download and run PiVPN.
A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!
You’ll see it start to load
Then you’ll have a few informational screens to click “Ok” through.
On this screen you choose the upstream DNS provider we want to use. I’m going with Cisco’s OpenDNS, but can choose which ever you want.
Any of them are better then using your default ISP’s DNS. Regardless of what anyone tells you, none of them on this list are really that much better than any other. Yes, they each have a few different features that you’ll need to look into. But, let me be truthful with you, whichever one you do decide to choose it really just boils down to your personal preference. And… the best part is that you can easily change it anytime you want to use a different upstream DNS provider in the admin console, post-install.
Come back revisit this after you’ve gotten Pi-Hole up and running: When you are ready to dive deeper down into the DNS hole, take a look at Steve Gibson’s DNS benchmark. Apparently one of the biggest considerations to take into account when choosing “the best” DNS is speed, and that is a metric which IS totally location dependent. He has an interesting tool that can help you run benchmarks against multiple DNS providers to see whom is “the best” for you.
Select the block lists you want to use. I’m just leaving it default with all of the lists selected. These can all be changed (enabled/disable) later in the web admin interface.
Select which protocols (IPv4 and/or IPv6) that you wish to block ads on. I’m leaving them both selected, which is the defaulted selection. These values can be changes later.
The next screen shows the RPi’s current IP address. Mine is currently using a DHCP IP address, but we want set it to a static address. So I am going to click “No” here.
This screen is where the desired static IP address, and subnet mask (in CIDR format) gets set. Your network will likely be different than mine, I’m setting mine to use the IP address 192.168.1.254. As for the subnet mask, in most scenarios you can just use “/24”. That is CIDR shorthand for 255.255.255.0 and is basically saying that this subnet has 256 addresses in it; 192.168.1.0 to 192.168.1.255.
On this screen we enter the gateway. This will most likely be your router’s IP address. Mine is 192.168.1.1.
This screen shows us our updated settings. Click “Yes” to accept the values you have entered.
Yes, we wish to install the web admin interface.
Yes, we wish for the web server to be installed and enabled.
Yes, we wish to log queries.
I want to see EVERYTHING! You can change this to what you prefer. These will be the statistics you can see on the web admin interface. This value can get changed later from the web admin interface. More info about this at: https://docs.pi-hole.net/ftldns/privacylevels
Pi-Hole will finish applying all of the settings it’s collected…
And then you are done. You did it!
The last screen of the Pi-Hole setup will show you the IP address and the URL for the web admin interface, as well as the admin password.
Press “Enter” to exit the installer and return to the command line.
Make your Pi-Hole the DNS of your network
Log into your router.
Navigate to it’s settings and clear any values that are currently set as it’s DNS.
Now enter the IP address of your Pi-Hole.
That’s it. Your network is now using Pi-Hole for all of it’s DNS queries.
Viewing your Network DNS Queries
Open a web browser and go to either the IP address of your RPi, or enter “pi.hole” as the URL. In my example, I am either going to enter either “192.168.1.254/admin” or “pi.hole/admin”
That will load the Pi-Hole Web Admin Interface. Go ahead and click that login button. You’ll get even more details about what devices are doing on your network.
Pi-Hole does have some more advances features available in it that can allow it to act as your network’s DHCP server, on top of already serving up DNS. However I’ll save that for another time though…. For now, just sit back and enjoy fewer ads.
If you happened to this post by following my series about PiVPN, then click the following link to go to the next step: Part 3: Installing PiVPN
Cisco Call Manager is an integral part of any company that runs it for all of their “voice” or telephony services. I’ll be honest… I’m always a little afraid to console in and do stuff on a CUCM server because I don’t feel like I know enough to quickly troubleshoot issues I might cause.
However that doesn’t mean that I can avoid CUCM all together. I do have to jump into a CUCM server occasionally. Like when it’s been virtualized and it’s time to update the version of VMware Tools (VMTools) that is running on it. Thankfully, that task is a lot easier than it might initially seem. I’ll demonstrate how to upgrade the VMTools on a server running CUCM v10.5.2.
In vCenter, select your CUCM server. Dropdown the ‘Actions’ menu and select ‘Guest OS’. Then click on “Install VMware Tools…”.
You’ll see a pop-up message, click ‘Mount’. This will make vCenter mount the VMTools iso in your virtual machine so that the guest OS can access the installer.
Now, login into your CUCM vm’s console as an admin, and enter the following commands.
admin: utils os secure permissive
admin: utils vmtools refresh
You will be prompted that the tools install will reboot the machine twice. Press ‘y’ and hit ‘Enter’ to continue….
If vmtools has not ever been installed on this vm, or if the install didn’t complete, you might see a message that stating that you need to manually restart the server. If so, enter the command it shows to finish the intsall by rebooting the server.
admin: utils system reboot
After the reboots are finished, log back in as admin to your CUCM server. Enter the following command.
admin: utils os secure enforce
That’s it! Your VMtools have been updated. The updated guest OS info should now be visible when you look at this CUCM vm in your vCenter.
I recently had to migrate some services from an old Windows 2008 server to Windows 2016. One of those services was a Network Policy Server (NPS) service, which is used by RADIUS to authenticate users into some more secure resources.
I was kind of dreading the task, as I had no recollection of how I had configured it, some five or more years ago. My initial search on the subject landed me on this Microsoft documentation site, which was very informative. Luckily, the task of exporting and migrating your NPS configuration to import onto another server is quite simple. It can all be done with a few lines at a command prompt and a single XML file.
In Windows 2008 or 2008 R2, you use ‘netsh’. In Windows 2012 and above, you can use PowerShell or ‘netsh’.
Both methods are equally simple, it really just comes down to which version of Windows Server are you migrating from.
Export and Import the NPS configuration by using Netsh
Log into to your source NPS server with your Administrative credentials.
Open a ‘Command Prompt’ as an administrator, type netsh, and then hit Enter.
At the netsh prompt, type nps, and then hit Enter.
At the netsh nps prompt, type export filename="<path>\<filename>.xml" exportPSK=YES Update <path> with the folder location where you want to save your configuraation file. The path can be relative or absolute, or it can be a UNC path. Update <filename> with what you want to name your xml file.
After you press Enter, you’ll see a message showing whether the export was successful or not.
Copy the xml file you created to the destination NPS server.
Open a ‘Command Prompt’ as an administrator on the destinantion NPS. Type the following command, then hit Enter. netsh nps import filename="<path>\<file>.xml" A message will appear to show whether the import was successful or not.
Export and Import the NPS configuration by using Windows PowerShell
Log into to your source NPS server with your Administrative credentials.
Open a ‘PowerShell window’ as an administrator, type the following command, and then hit Enter. Export-NpsConfiguration –Path c:\NPSconfig.xml
There is no message after the command completes, but if you check your path location, you should see your xml file.
After you have exported the NPS configuration to a file, copy the file to the destination NPS server. I’m copying mine to the root of the c:\ so it’s easy to find.
Open a ‘PowerShell window’ as an administrator on the destination server. Type the following command, and then hit Enter, to import your configuration.
When working on Cisco devices, sometimes you have to delete files from the device. It’s moreless the same on all Cisco devices. While there are other file systems available to you on your device (see first command listed), Cisco devices use “flash:” as their default file system. My examples will also use the default “flash:” but note that the commands will work the same on any other available file system, such as “usb0:“.
Show Available File Systems Device# show file systems
Upgrading the IOS version on your Cisco 3850 Catalyst switch is not something to be dreaded. In fact it should probably be rejoiced, as these days it most likely means you’re also catching up on patching some vulnerabilities on your device. While the upgrade process is a little different on the 3850 then older generations of the Catalyst switches, not much has changed. Overall it is an easy process that won’t take you long to complete.
What has changed is that the 3850 switch? Well the “operating system” that the hardware now runs on is called IOS-XE. Whereas previous generations of Cisco hardware ran on IOS software.
The IOS-XE software is delivered as a bundle containing a set of packages which your device will use. These packages, during the install step, will get expanded before they are actually installed on the device. The older generations of devices that ran IOS had a .bin file that was essenitally a “flat” image and not a bundle of packages. While there are other changes too, that is the main difference between the “new” IOS-XE and the “old” IOS.
Okay… Lets get our switch upgraded…
Step 1: Download the latest (or rather the recommended) IOS-XE version from the support portal of Cisco.com. (At the time of me writing this, the recommended release version is “Fuji-16.9.4”)
Step 2: Transfer the .bin file you downloaded in step 1 to your device. There are a few ways to so; TFTP or USB being the most common.
Via TFTP
3850-SW# copy tftp flash: Address or name or remote host []? 10.1.2.3 Source filename[]? cat3k_caa-universalk9.16.09.04.SPA.bin Destination filename[cat3k_caa-universalk9.16.09.04.SPA.bin]? Accessing tftp://10.1.2.3/cat3k_caa-universalk9.16.09.04.SPA.bin... Loading cat3k_caa-universalk9.16.09.04.SPA.bin from 10.1.2.3: !!!!!!!!!!!!!
Once the software install completes, you will need to reboot the switch so that it can boot into the freshly installed IOS-XE version.
3850-SW# reload
Step 4: Verify the new version. After rebooting the device in the previous step, you will want to verify that you are indeed running the new IOS version. You can run the following command to do so.
3850-SW# show version | i Switch Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.9.4, RELEASE SOFTWARE (fc2) Switch Ports Model SW Version SW Image Mode
Here we can see that the switch is running Fuji, and that it is on version 16.9.4. And now we’re done!
Advertising, love it or hate it, truly drives the internet. It is scary the amount of data companies skim about you from the ads that get served to and what you click onto. But with the right tools, you can do a lot to protect your privacy. One of the best thing you can do at home to protect your privacy and those stop unwanted ads, is to deploy Pi-hole.
As described on their homepage Pi-hole is “A black hole for Internet ads”, that is “Easy-to-install”, and “is a DNS sinkhole that protects your devices from unwanted content”. All of which can be done in a one-time setup, usually on a RaspberryPi, without installing any software on your devices.
Pi-hole acts upon your network. It takes on the role of serving as the DNS on your network, and optionally role of a DHCP server.
In most homes today, both of these roles are usually preform by your router/wifi access point. DNS, in its’ most simplistic terms, acts as the whitepages that helps your devices translate a URL to an IP addresses. DHCP allows your device to get a ‘dynamically’ assigned address on the network so that it can communicate with everythign else. So by utilizing some whitelists and blacklists, the PiHole can simply not serve the address to known advertising URLs. Cutting the ads off before the request ever leaves your house.
I’ve been using it at home for about 3 years now and absolutely love it. There are some ads that still come thru, and sometimes if I click on an ad, I’ll get a “page can’t be reached” message. It was different at first to get used to, but now… I would trade it for the world!
Another great piece of software to install on you RPi is PiVPN. It’s an easy and secure way to create a VPN (a private tunnel) to your home when you are out and about. The best part about it is that it can allow you to use Pi-Hole when your not at home. Check out my article here.