Wiseindy

How to set DNS in CentOS/RHEL 7 & prevent NetworkManager from overwriting /etc/resolv.conf?

2019-02-21T15:03:00+00:00

This guide shows you how to set custom DNS entries for CentOS 7 / RedHat 7 and ensure that the settings are persistent even after a reboot.

What you need

A CentOS 7 or a Red Hat Enterprise Linux (RHEL) 7 server
A couple of minutes

Overview

In CentOS and Red Hat Enterprise Linux (RHEL) 7, any custom DNS entries are stored in the file /etc/resolv.conf. However, if we simply go ahead and add our nameservers to this file, we’ll notice that after a reboot or a restart of the network.service, the file is overwritten by NetworkManager.

In this guide, we will first configure NetworkManager to not overwrite this file. Then, we will go ahead and actually add our custom nameservers to /etc/resolv.conf.

Step 1

The NetworkManager configuration is located here: /etc/NetworkManager/NetworkManager.conf Open this file using vim or your favorite text editor.

Search for the [main] section in this file. It should look something like this:

...
[main]
#plugins=ifcfg-rh,ibft
...

Add dns=none just after the [main] tag like this:

...
[main]
dns=none
#plugins=ifcfg-rh,ibft
...

Go ahead and save the file.

Step 2

Let’s restart the NetworkManager.service service so that it picks up the changes we made to the configuration.

sudo systemctl restart NetworkManager.service

Note that the service name NetworkManager.service is case-sensitive.

Step 3

Now, let’s add our nameservers to /etc/resolv.conf

Open this file in you favorite text editor and specify the name servers as follows:

# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4

That’s it! You’re done. The nameservers added to /etc/resolv.conf will now persist even after a reboot. NetworkManager will not longer overwrite this file.

Photo by Steve Johnson on Unsplash

Steve Johnson

How to install OpenVPN server on Ubuntu 14.04 - A Step-by-Step Guide

2017-04-27T12:00:00+00:00

This is a detailed & step-by-step guide that will show you how to install and configure OpenVPN on Ubuntu 14.04. You can use OpenVPN to access the Internet safely and securely while on the move. To learn more about OpenVPN, you can check out the Wikipedia link or read about it on the official site

What you need:

An Ubuntu 14.04 system.
Root access
And as always, an internet connection

This guide is split into 4 main sections. Don’t worry if the titles look intimidating. If you follow the instructions, it should go smoothly and you should have a functioning OpenVPN server to which you can connect to from anywhere and using any device.

Installation and configuration of OpenVPN server
Creating a Certificate Authority and Server-Side Certificate and Key
Generate Certificates and Keys for your devices
Create a Unified OpenVPN Profile for each of your devices

Part 1

Installation and configuration of OpenVPN server

Step 1.1:

First, update your package lists and then install the openvpn and easy-rsa package.

sudo apt-get update
sudo apt-get install openvpn easy-rsa

Step 1.2:

From now onwards, all the steps below have to be run as root. So, go ahead and login as root.

su

Step 1.3:

Lets extract the sample VPN server configuration file to this location: /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Note: gunzip is a utility that uncompresses a gzip file. gz or .Z is the extension for gzip files.

Step 1.4:

Still as root, open this file.

I prefer vim to open files on ubuntu. If you prefer nano instead, you can use that too.

vi /etc/openvpn/server.conf

Step 1.5:

Now, we have to modify a few lines in this file.

Search for a section that looks like this

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

Change dh1024.pem to dh2048.pem. This doubles the RSA key length when we generate the server and client keys later in the guide.

Step 1.6:

Find and uncomment the line below. To uncomment, simply remove the semicolon ; in front of the line.

Before:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

After:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

This makes sure that the OpenVPN server will pass the client device’s web traffic to its destination.

Step 1.7:

Still in the same file, find and uncomment the following two lines. To uncomment, simply remove the semicolon ; in front of the two lines.

Before:

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

After:

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

The two IP addresses above belong to OpenDNS and will be used to lookup DNS request where possible. You can use any DNS service of your choice. Here we have used OpenDNS, and hence their IP addresses are listed in the file.

Step 1.8:

This is the last thing to change in the file. Look for this section below and uncomment the two lines by removing the semicolons ;

Before:

# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup

After:

# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

Save and close the file.

Step 1.9:

Packet Forwarding

We need to now enable an option that allows the server to forward traffic from client devices out to the Internet. If this is not done, the client traffic will stop at the server. To enable packet forwarding, run this command.

echo 1 > /proc/sys/net/ipv4/ip_forward

This setting is not yet permanent and will not survive a reboot. To make it permanent, we need to edit the sysctl.conf file.

vi /etc/sysctl.conf

In this file, find and uncomment the following line. To uncomment, remove the # in front of the line.

Before:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

After:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save the file and exit.

Step 1.10:

Set up firewall rules in the Uncomplicated Firewall (ufw)

We will be using OpenVPN over UDP, so the firewall must allow UDP traffic over port 1194.

Still as root, enter the following command:

ufw allow 1194/udp

Open the firewall’s (ufw) primary configuration file. We habe to set the firewall forwarding policy.

vi /etc/default/ufw

Search for the string DEFAULT_FORWARD_POLICY="DROP" in this file. Change the DROP to ACCEPT.

Before:

DEFAULT_FORWARD_POLICY="DROP"

After:

DEFAULT_FORWARD_POLICY="ACCEPT"

Save the file and exit.

Step 1.11:

There’s one more step before we can move on to the next section.

We need to add add additional firewall rules.

Open this file

vi /etc/ufw/before.rules

We will be adding rules for NAT (network address translation) and IP masquerading of connected devices.

Modify this file to look like this.

Before:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter

After:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

#################################
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0] 
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
#################################

# Don't delete these required lines, otherwise there will be errors
*filter

Once you’ve added the section, enable the firewall (ufw).

ufw enable

Part 2

Creating a Certificate Authority and Server-Side Certificate and Key

Okay, so we have installed and configured OpenVPN and the firewall settings in the above section. Now, let’s go ahead and create certificates and keys for our new OpenVPN server.

Creating a certificate authority (CA)

Step 2.1:

Make sure you’re still logged in as root.

Copy the Easy-RSA generation scripts to /etc/openvpn

cp -r /usr/share/easy-rsa/ /etc/openvpn

Step 2.2:

Now, create a directory to store our keys.

mkdir /etc/openvpn/easy-rsa/keys

Step 2.3:

Now we will edit the vars file and add in some default values for a person or a business. The information that is entered into this file will be copied to the certificates and keys and will help us in identifying them later.

You can put in any values you like. Here is an example.

export KEY_COUNTRY="CA"
export KEY_PROVINCE="ON"
export KEY_CITY="Toronto"
export KEY_ORG="Wiseindy"
export KEY_EMAIL="wiseindy@example.com"
export KEY_OU="WiseOU"

There is one more line to edit in this file before you close it. We need to set the default filename for the server key and certificate. In this tutorial we’ve used the name server for simplicity. If you’re using a different name, please make sure you replace server with your custom name in the commands.

export KEY_NAME="server"

Save and close the file.

Step 2.4:

The next step is to generate the Diffie-Hellman parameters.

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Step 2.5:

Now, navigate to the easy-rsa directory.

cd /etc/openvpn/easy-rsa

Step 2.6:

Once you’re in the easy-rsa directory, run the following command to initialize the PKI (Public Key Infrastructure).

. ./vars

Note the . (dot) and ` ` (space) in front of ./vars.

The above command will output the following:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

You can ignore this warning message since we haven’t yet generated anything.

Step 2.7:

Let’s clear the working directory of any example keys and start fresh.

./clean-all

Step 2.8:

We are all set to create our certificate authority now. When you run the following command, it will ask you to confirm the values you had entered in the vars file in step 2.6. Hit enter to confirm the values.

./build-ca

Generate a Certificate and Key for the Server

Step 2.9:

Well, we now have a certificate authority (CA) set up. Let’s build our server key now.

./build-key-server server

Note: Note that I’ve used the name server in the above command. This is because I’ve set export KEY_NAME="server" in the vars file (step 2.6). If you’ve used a different name, make sure you modify the command accordingly

When you run this command, you’ll see a similar output as the previous step. You can hit enter to confirm them. However, this time you will see two additional prompts.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Both of the should be left blank. Hit Enter to continue.

When it prompts you to sign the certificate and commit, type y for both the prompts and hit enter.

Sign the certificate? [y/n]  y
1 out of 1 certificate requests certified, commit? [y/n]  y

Now you should see the following output. This means that all is good so far.

Write out database with 1 new entries
Data Base Updated

Step 2.10

Move the Server Certificates and Keys

Well, we’ve now generated the server CA, keys and certificate. Let’s copy these over to the correct location /etc/openvpn/.

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Step 2.11

Well, guess what? Our OpenVPN server is ready now. Let’s start it.

service openvpn start

Part 3

Generate Certificates and Keys for your devices

In the previous section, we created the key and certificate for our server. We are going to do that for our devices now.

We will build one for a client device called myphone. You can name your client device anything. Just make sure to substitute the name in the commands that follow.

Step 3.1:

You should still be root and still working from this directory /etc/openvpn/easy-rsa.

./build-key myphone

Like in the previous steps, you’ll be asked to confirm the Distinguised Name variables. Hit enter to accept the defaults.

Step 3.2:

Now copy the sample client configuration file to the easy-rsa/keys directory. This file will be used as a template. We will be editing this template file for each of our devices.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/myphone.ovpn

You can repeat this section (steps 3.1 and 3.2) for each client device. Just make sure you use a different name for each of your devices (in this case we’ve used myphone)

Part 4

Create a Unified OpenVPN Profile for each of your devices

Now that you have created keys and certificates for your device myphone, let’s create one unified .ovpn file which will contain all this information.

Step 4.1:

From the /etc/openvpn/easy-rsa directory, copy the following files to your computer (the one you’re reading this article on). We will be editing these in a text editor (Notepad, TextEdit, etc.).

myphone.crt
myphone.key
myphone.ovpn
ca.crt

Step 4.2

Open the myphone.ovpn file in a text editor like Notepad (Windows) or TextEdit (macOS) or whatever you prefere, really.

Add your server’s IP address to the this section in the beginning of the file. Replace my-server-1 with your server’s IP address.

Before:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194

After:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 142.189.11.1 1194

Step 4.3

In the same file, scroll down and uncomment this section (This doesn’t apply to Windows, so you can skip it if you’re going to use thie VPN profile on a Windows machine).

Before:

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

After:

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Step 4.4:

Scroll further down and this time you’ll comment a few lines instead of uncommenting. We do this because we are directly including the .crt and .key files within this .ovpn file.

Before:

# SSL/TLS parms.
# . . .
ca ca.crt
cert client.crt
key client.key

After:

# SSL/TLS parms.
# . . .
#ca ca.crt
#cert client.crt
#key client.key

Step 4.5:

At the end of the file, add this text to block outside DNS

# Prevent DNS leak
block-outside-dns

Step 4.6:

Now, at the end of the file, we will be copying and pasting the contents of ca.crt, myphone.crt, and myphone.key files.

Open the .crt and .key files in a text editor and copy-paste the content as shown below

This is how we will be doing it.

<ca>
  (insert ca.crt here)
</ca>

<cert>
  (insert myphone.crt here)
</cert>

<key>
  (insert myphone.key here)
</key>

Once you’re done copy-pasting the content, the end of your .ovpn file should look like this:

<ca>
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
</ca>
  
<cert>
Certificate:
. . .
-----END CERTIFICATE-----
. . .
-----END CERTIFICATE-----
</cert>
  
<key>
-----BEGIN PRIVATE KEY-----
. . .
-----END PRIVATE KEY-----
</key>

Save the changes and close the file.

Step 4.7:

Windows

If you’re using Windows, install the official OpenVPN client from here. After installation, paste your myphone.ovpn file here C:\Program Files\OpenVPN\config\.

To connect to your VPN server, right-click the OpenVPN client in the taskbar and click Connect.

To verify if you’re connected, go to Google and type What is my IP. If it returns the IP address of your OpenVPN server, all is well and your VPN is working as expected.

macOS

For macOS, install Tunnelblick and import your .ovpn profile. Note: If you get an error and Tunnelblick is unable to connect, remove the following text from your .ovpn profile.

# Prevent DNS leak
block-outside-dns

Android

For Android, download the OpenVPN Connect app from the Google Play Store. Import your .ovpn profile and you’re all set!

iOS

For iPhone and iPad, download the OpenVPN Connect app from the Apple App Store. Import your .ovpn profile and you’re all set!

Guess what? You’re done.

I recommened you create separate .ovpn files for each of your devices instead of using the same key & certificate for everything.

To create .ovpn profiles for more devices, repeat steps from part 3 onwards.

(header image source: commons.wikimedia.org)

How to install Jekyll on Ubuntu 16.04 or Windows 10 - A Step-by-Step Guide

2017-04-26T11:00:00+00:00

This guide will show you step by step how to install Jekyll 3.4.3 on a machine running Ubuntu or Windows 10. Jekyll’s official guide is good, but it’s very basic and doesn’t explain how to install Ruby, RubyGems and other dependencies.

What you need:

An Ubuntu 16.04 or Windows 10 system. This guide should also work for older Ubuntu 14.04
And as always, an internet connection

Step 1:

Skip to step 2 if you’re installing Jekyll on Ubuntu.

To install Jekyll on Windows 10, we need to first enable Windows Subsystem on Linux. Here is a detailed guide that will show you how to do this step-by-step.

Step 2:

We will now install ruby2.3. To do so, we have to first add the brightbox repository. When asked whether you want to confirm adding the repository, hit ENTER to proceed.

sudo apt-add-repository ppa:brightbox/ruby-ng
sudo apt-get update

Install ruby2.3

sudo apt-get install ruby2.3 ruby2.3-dev

Now you should have Ruby and RubyGems installed which are the prerequisite for installing Jekyll.

Step 3:

Install GCC and Make

sudo apt-get install gcc make -y

Step 4:

Install Jekyll and Bundler gems

sudo gem install jekyll

Guess what? That’s it. You have Jekyll 3.4.3 installed.

Further information:

Here are some commands from jekyllrb.com that should get you up and running with a new blog.

# Create a new Jekyll site at ./wiseblog
jekyll new wiseblog

To build this site:

# Change into your new directory
cd wiseblog

# Build the site and preview it
bundle exec jekyll serve

Note: If you’re running Windows, you may get an error when you try to run bundle exec jekyll serve. In this case, simply run it with the --force_polling option as follows:

bundle exec jekyll serve --force_polling

Now you can preview your website on http://localhost:4000

Notes:

(You can skip this part. This is only for my reference and for anyone who faces a similar issue)

I had to install Nokogiri for my site and was having issues. This is how I solved it.

Below are the installation instructions on nokogiri.org:

sudo apt-get install build-essential patch
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev
sudo gem install nokogiri

(header image source: jekyllrb.com)

How to fix error 0x80004005 - Cannot enable developer mode in Windows 10

2017-04-26T10:00:00+00:00

“Developer mode package failed to install. Error code 0x80004005”. A few people, including me, faced issues when trying to enable developer mode in Windows 10. This guide will show you how to fix it.

Why this happens?

After quite some digging and research online, I found that this problem is related to WSUS (Windows Server Update Services). If you’re in an environment where your PC gets updates from WSUS, you can face this problem. Luckily, it’s a straightforward fix.

Step 1:

Click Start and type regedit. Open it.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU in regedit

Double click UseWUServer and set the value to 0

Step 2:

Restart your PC. Now try to enable developer mode again. This time you will not see the error 0x80004005 and it should be enabled successfully.

(header image source: sf.co.ua)

Enabling Linux Bash Shell in Windows 10

2017-04-26T05:43:44+00:00

Windows 10 (the new Anniversary update, specifically) has a new feature called “Windows Subsystem for Linux”. It’s basically a full-fledged Ubuntu based bash shell running directly under Windows. Pretty cool, eh? This guide will show you how exactly to enable it.

What you need:

A PC running 64-bit of Windows 10 Anniversary Update build 14393 or later (Step 1 shows you how to check your Windows 10 version).
And as always, an internet connection.

Step 1:

First, let’s find out whether your Windows 10 is build 14393 or later.

To do this, simply open Settings

Click on System

Scroll to the end and click on About. Here you’ll see your OS Build number. This should be equal to or higher than 14393. Also, verify if your Windows 10 installation is 64 bit.

If your build number is less than 14393, check for updates.

Step 2:

The next step is to enable Developer Mode in Windows 10.

Open Settings again. Select Update & security.

Click on For developers and enable Developer mode. If it asks you to restart the PC, go ahead and restart.

Note: If you get an error message Developer mode package failed to install. Error code 0x80004005 while trying to enable developer mode, please click here to see how to fix it

Step 3:

Now, let’s enable Windows Subsystem for Linux. Click the Start button and search for Turn Windows features on or off.

Check Windows Subsystem for Linux (Beta) to enable it and click OK

Restart your PC when it prompts you to.

Step 4:

After you’ve rebooted your PC, open a command prompt window (click the Start button and type cmd).

Type bash and hit enter.

Since this is the first time you’re running bash, you’ll be asked whether you want to install it. Type y and hit enter to proceed.

After the installation is complete, you will be asked to create a new UNIX username and password. This user account is for the new Ubuntu environment and in no way related to your Windows account.

Well, that’s all there is. You should have a bash prompt now and can run linux commands.

Step 5:

To start bash you can use two ways:

Simply open any command prompt window and type bash. It will start the Ubuntu command line environment.
Click the Start button and search for bash. Open Bash on Ubuntu for Windows.

That’s it!

Note: While in the Ubuntu environment, you can access your Windows drives under /mnt/. All Windows drives will be listed under this. You can cd to any directory and work with the files.

(header image source: wall.alphacoders.com)

How to install megatools in Ubuntu 14.04.5 LTS (Trusty Tahr)

2016-10-09T05:43:44+00:00

Megatools is a great collection of command line utilities that allow you to interact with your mega.nz account directly from the command line. You can directly download using the cli on your Ubuntu machine. They are a great set of tools, however, installing them does get confusing for a new Linux user. This guide will show you how to install it and set it up in no time.

What you need:

SSH or terminal access to an Ubuntu 14.04 server.
An internet connection (duh).

Step 1:

First you need to find out what’s the latest version of megatools available.

To find out the latest version, simply visit any one of the links below and see what’s the latest version number:

At the time of writing this article (9 October 2016), the latest version was 1.9.97. If it is different in your case, simply replace 1.9.97 with your version in all the commands below.

Step 2:

Open your Ubuntu terminal (or SSH to it) and type in the following commands one after the other.

sudo apt-get update

Run this command to download the package lists from the repositories and “update” them to get information on the newest versions of packages and their dependencies.

sudo apt-get install libtool libglib2.0-dev gobject-introspection libgmp3-dev nettle-dev asciidoc glib-networking openssl libcurl4-openssl-dev libssl-dev

This installs all the dependencies that you may need to compile megatools from source.

wget https://megatools.megous.com/builds/megatools-1.9.97.tar.gz

wget is used to download the latest megatools. Replace 1.9.97 with the latest version is available.

zcat megatools-1.9.97.tar.gz > megatools-1.9.97.tar
tar -xf megatools-1.9.97.tar

Use zcat to decompress the downloaded file and tar -xf to extract the contents to a folder.

cd megatools-1.9.97/
./configure
make
sudo make install

Finally, run the above commands to compile megatools and install it in your system.

Step 3:

If all went well, you should now have megatools installed on your system.

To download from a mega.nz link, simply type megadl '<link>' and the download will start.

Here’s an example:

megadl 'https://mega.nz/#G!IK9KLpRS8J1h82Kpa0kWJkPwDh!2adB'

For syntax of other commands, type

man megatools

That’s it. You’re done!

How to install or renew SSL certificate in Exchange 2010

2016-08-01T08:00:08+00:00

You will need to create and assign a new SSL certificate if you’re putting up a new Exchange server into production or renewing it for an existing server. The steps are fairly straightforward, however it may seem daunting and completely foreign for new users who aren’t familiar with certificates.

This guide will show you how to create a CSR (Certificate Signing Request) using your Exchange server and subsequently generating a new SSL cert and installing it.

Here’s a brief overview of what we will be doing in this guide:

Create a certificate signing request (CSR) in Exchange.
Buy a new certificate from one of many SSL providers (GoDaddy in this case - process should be similar for other providers).
Use the CSR to create a new certificate on GoDaddy and download it
Install this in our Exchange server.

What you need:

Microsoft Exchange Server
- In this guide, we are using Microsoft Exchange 2010.
A commercial Certificate Authority such as DigiCert, GoDaddy, etc.
- In this guide, we are using Godaddy.

Step 1:

The first step is to generate a Certificate Signing Request. This is a requisite for generating your SSL certificate.

Open up your Exchange Management Console

Step 2:

Navigate to Server Configuration > Select your server (from the Server Configuration list) > Exchange Certificates tab and click on New Exchange Certificate.

Step 3:

In the New Exchange Certificate Wizard, enter a name for your certificate. It can be anything you want. Click Next.

Step 3:

If you want to apply the certificate to all your sub domains, check Enable wildcard certificate. In my case, I wish to apply this certificate to 2 subdomains (not all), so I leave it unchecked.

Step 4:

On the next page, you’ll need to provide your Exchange Server configuration. Select whatever is applicable for each section.

In my case, OWA (Outlook Web App/Access) is being accessed from the web. This is why I enable the second option “Outlook Web App is on the Internet” in the below image. The URL should be automatically populated.

Go through each of the sections below and verify if everything you need is selected. In my case, I didn’t need to change anything other than the Outlook Web App part in the above step. I left everything else as it is.

Some more pics to help you cross-verify your info.

If you use POP/IMAP, check the appropriate check boxes or leave them unchecked (as in my case since I don’t use it).

Click Next.

Step 5:

On this page, enter the details of your organization. Everything should be self-explanatory. At the bottom it asks you to specify the location of the Certificate Request File Path also known as a Certificate Signing Request or CSR in short.

Specify the location and click Save.

Verify the information and click New.

Step 6:

If all goes well, which it should, you will find that your CSR is generated and saved it in the location you specified. It’s basically a text file with a .req extension. We will need this file in a while.

Step 7:

Make sure you buy a Unified Communications Certificate (UCC) (also known as a Multiple Domain SSL or SAN certificate). A UCC/SAN certificate will allow you to secure multiple domains. You need this for Microsoft Exchange. More information here: https://www.godaddy.com/help/what-is-a-multiple-domain-ucc-ssl-certificate-3908

In this tutorial, I’m using GoDaddy, but the steps should be more or less the same for other providers.

Step 8:

After you buy your SSL certificate, you’ll have to provide it your CSR that was generated in Step 6.

In my case, I’m renewing my certificate instead of purchasing a new one, so some screens may be different for you. If you’re renewing your certificate, you’ll have to re-key your certificate. Again, that means you have to provide your CSR from step 6.

Login to your SSL provider. Open your CSR (.req) file with notepad. Copy everything and paste it wherever your SSL provider asks you to.

Step 9:

Once you provide your CSR, you’ll have to wait for a bit till your domain and other details are verified. You may even need to prove your domain ownership. In case you have to, then your SSL provider will give you the steps to do so.

Step 10:

Once your certificate is ready, click the Download button.

From the server type drop down, select Exchange and click Download File. It will be a zip with two files. Extract it and copy this over to your Exchange server.

Step 11:

Go to your Exchange server. Right-click your certificate in Exchange Management Console and select Complete Pending Request…

Step 12:

Click the Browse button in the window that pops up.

In the Browse window, select All Files(.) and then choose your certificate file that you received from your SSL provider (GoDaddy).

Click Complete.

If everything goes well, you’ll see the following screen. Click Finish.

Step 13:

The new Exchange certificate should have a little blue tick on the icon now. The only thing remaining now is to assign Exchange services to this certificate. That’s easily done. Right click the certificate and choose Assign Services to Certificate…

Step 14:

In the window that pops up, select your server and click Next.

Select all appropriate services for this certificate. Click Next.

If you have some services already assigned to a different certificate, Exchange will ask you to confirm if you want to overwrite it with the new one. In my case, I do want to replace it, so I click Yes.

Guess what? That’s it! You’ve successfully installed a new SSL certificate for your Microsoft Exchange server.

(header image source: animalhi.com)

How to Fix Outlook PDF Previews and Explorer thumbnails on 64-bit Windows

2016-02-07T03:47:20+00:00

“This file cannot be previewed because of an error with the following previewer: PDF Preview Handler for Vista”.

You might’ve seen this pretty common error in Outlook when you cannot preview PDF files in the preview pane. This happens on 64-bit Windows.

Well, it’s a pretty easy fix.

The manual way to fix this error

Step 1:

Click the Start button, type regedit.exe and open it.

Step 2:

Once open, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\ CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}

Step 3:

Double-click AppID in the right column and copy paste this in the Value Data field: {534A1E02-D58F-44f0-B58B-36CBED287C7C}

Click OK and close regedit. That’s it!

The automatic way to fix this error

Step 1:

Download the Adobe Reader preview handler x64 fixer by Leo Davidson, from this link: https://www.pretentiousname.com/adobe_pdf_x64_fix/#downl

You could download either with installer or without. I choose to do the one without the installer.

Step 2:

Extract the downloaded files. You’ll see two folders. Open the one that says “Fix for x64 Adobe Reader preview handler”.

Run the preview handler fix utility and click Apply Fix.

That’s it!

(header image source: automart.co.za)

How to change primary domain of free or paid Google Apps account.

2016-01-31T08:05:38+00:00

2018-02-04 Many users have reported that this method no longer seems to work.

Back in the day, Google Apps for Business (Work) was free for up to 10 users. Sadly, that is no longer the case. If you are one of the lucky ones to have grabbed an account during those times and you’re now looking for ways to change that domain, well, you’ve come to the right place. This guide will show you how to do this AND it’s applicable for both free Google Apps accounts and paid Google Apps subscriptions.

If you have a paid account, you can simply create a new alias for your existing domain. However, you cannot do this if you have one of the “legacy” free accounts (which are now discontinued - however if you created one back in the day, you can still use them - at least at the time of writing this post).

There can be many reasons for you to change your primary domain. For me it was because I lost ownership of my old domain and didn’t want my free Google Apps account sitting and gathering dust.

Google has a couple of support articles - here and here - that can help you achieve this. However even with the help of these articles it took me quite a while to figure it out. This is why I wrote this step-by-step guide to make it easier for you guys.

So, enough talk. Let’s get started.

What do you need:

A free or paid Google Apps account.
Access to your new domain's registrar/hosting account (so that you can verify domain ownership when Google asks you to).

In short, this is what will we be doing:

If you have a “legacy” free account: We are going to temporarily convert our free account to a free 30 day enterprise trial account. Then we are going to add in another domain to your account and make it the primary one. Next, we disable and remove the old domain and cancel our trial to convert our paid account back to free.

If you have a paid Google Apps for Work subscription: We are going to add in another domain to your account and then make it the primary one.

Note: If you have a paid Google Apps subscription, skip to Step 3.

Step 1:

Log into your existing Google Apps account. Navigate to https://apps.google.com and sign in.

Alternatively, you could navigate to https://www.google.com/work/apps/business/ or even use your domain’s custom Google Apps URL.

For example, if your domain is wiseindy.com, simply navigate to https://google.com/a/wiseindy.com.

Step 2:

Once you’re logged in, click on the big red Upgrade Now button on the right hand sidebar.

Enter in your information, check the terms and conditions check box and click I accept! Upgrade my account.

Step 3:

Next, go back to the admin console and click Domains. If you don’t see the Domains tile, click the Show More link at the bottom and then select Domains.

Then click on Add/Remove domains.

Alternatively, you can just navigate to the domains page directly via this link: https://admin.google.com/AdminHome?pli=1&fral=1#Domains:

Disable the test domain alias by clicking the Deactivate button as shown below. A popup box will ask you to confirm this action. Confirm it.

After the test domain alias is deactivated, click the Add a domain or domain alias button at the top.

Step 4:

Enter the new domain name. Follow Google’s verification steps to verify ownership for your new domain. This should be pretty straightforward if you have access to your domain registrar/hosting account. Since Google shows you step by step how to verify your domain, I won’t cover it here.

Step 5:

If everything goes well, you should have your new domain added to your Google Apps account. You can confirm by going to the Domains panel from the admin console (here is the direct link: https://admin.google.com/AdminHome?pli=1&fral=1#Domains:)

You’ll notice that even though the new domain has been successfully added, the old domain is still marked as the primary one. Let’s change that.

Navigate to https://developers.google.com/admin-sdk/directory/v1/reference/customers/update

Make sure you’re logged into your existing Google Apps account (you can see your email address in the top right corner).

Click Try it now.

Enter the information as shown in the screenshot below.

customerKey: my_customer
fields: customerDomain
Request body: { "customerDomain":"newwiseindy.com" }

For Request body, you don’t need to type the brackets and all that. They will automatically appear when you click the Request body field. Simply choose customerDomain from the dropdown and then type in your new domain (the one that you want as your primary domain).

Click Authorize and Execute.

A couple of popups might show up asking you to authorize this with your Google account, Authorize everything.

Guess what? Your secondary domain (the one you typed above) is now your primary domain! You can confirm by going to the Domains panel from the admin console (direct link: https://admin.google.com/AdminHome?pli=1&fral=1#Domains:)

Step 6:

If you are using a paid Google Apps account, you can stop here.

However if you are using a free account, make sure you follow these steps to DOWNGRADE your 30 day trial back to the free account.

If you do not downgrade within 30 days, you’ll lose your free account (in the sense that you’ll have to pay for it beyond the 30 days time period).

You can only downgrade if you have only one domain in your account. But we now have two. The old domain and the new domain (which was just promoted to primary).

Let’s remove the old domain (that USED to be the primary once upon a time).

Go to the Domains panel from the admin console (direct link: https://admin.google.com/AdminHome?pli=1&fral=1#Domains:)
Delete the old domain
- If you're unable to delete it (ie, even after clicking Delete, the domain still stays, make sure the Test domain alias is deactivated. If that is active, you won't be able to delete the old domain).

Step 7:

Let’s convert our 30 day trial back to a free account. In the admin console, click on Billing. Alternatively, directly open it via this link: https://admin.google.com/AdminHome?pli=1&fral=1#DomainSettings/notab=1&subtab=subscriptions

Click the 3 vertical dots and in the dropdown select Cancel Subscription.

Chose Downgrade to Google Apps.

Do not choose Cancel Google Apps for Work. This will completely delete your account. Yes. Free, paid, everything. Make sure you choose Downgrade to Google Apps. If you do not see the “downgrade” option, then make sure that you have only one domain in your Domains panel (direct link: https://admin.google.com/AdminHome?pli=1&fral=1#Domains:)

Click Continue.

That’s it. You’ve successfully changed the primary domain of your free/paid Google Apps account!

(header image source: Seinfeld)

How to set up Shrew Soft IPSec VPN Client for WatchGuard

2016-01-20T06:36:14+00:00

This guide will show you how to enable Mobile VPN with IPSec for WatchGuard Firebox M300. It’s a pretty straightfoward process, however it took me quite a while to figure out initially. Hope this guide makes it easier for you.

It will also show you how to install and configure the Shrew Soft IPSec VPN Client. In my opinion, you are better off using this client than the WatchGuard IPSec Mobile VPN Monitor. Old versions of this WatchGuard IPSec Mobile VPN Monitor were free, but they do not work on Windows 10. The new version of the IPSec client needs a paid subscription license. Unless you want to go this route, I would suggest using the Shrew Soft IPSec VPN Client. It’s free and you can download it from their official website.

Note: While this guide was created for Firebox M300, it should work with other WatchGuard XTM devices as well.

What do you need:

An environment where a WatchGuard firewall is installed and running.
Administrative access to the firewall (of course).

So let’s being shall we?

Step 1

Fire up your browser and navigate to the web interface of your firewall? If your firewall’s IP address is 192.168.1.1, then type https://192.168.1.1:8080 in the URL bar.

After logging in, go to VPN > Mobile VPN with IPSec.

Click on Add to add a new group.

Step 2:

Select the General tab. Type in a Name and select Authentication Server as Firebox-DB. You can also set it to authenticate it with your domain, but for this tutorial we will use the firewall as the authentication server.

Next, enter the passphrase and enter your firewall’s external IP address. This is the IP address that you use to connect to your firewall from the Internet.

Step 3:

Select the IPSec Tunnel tab. Make the following changes as shown in the image below.

Select Use the passphrase of the end user profile as the pre-shared key.
Under Phase 1 Settings, select Authentication as SHA1 and Encryption as 3DES.
Under Phase 2 Settings, seelct PFS and choose Diffie-Hellman Group 1.

Step 4:

Select the Resources tab. Here under Allowed Resources you can specify which IP addresses are allowed to connect through the tunnel. Click Add and type in an IP range.

Next, you’ll have to specify the Virtual IP Address Pool. Whenever a device connects to your tunnel, it will be assigned an IP address from this pool.

Step 5:

Finally, go the Advanced tab and set the Connect mode to Manual and Inactivity timeout to 0 seconds.

Click Save.

Step 6:

The next step is to create a user which will connect to the tunnel.

In your firewall web interface, navigate to Authentication > Servers.

Select Firebox.

Step 7:

Under Firebox Users, click Add to create a new user.

Step 8:

This part is pretty straight forward. Enter the Name, Description, Passphrase and timeout values.

Under Firebox Authentication Groups, select the Group we created previously. In our case, it was WISEINDY, so we check that one.

Click OK.

Step 9:

Now, navigate back to VPN > Mobile VPN with IPSec in the firewall web interface.

Here you can download the configuration settings for your preferred IPSec VPN Client. I prefer the free Shrew Soft IPSec VPN Client (click to download the client).

From the Client dropdown box, select Shrew Soft VPN and click Generate. It will generate a .vpn file. Save this on your PC.

Step 10:

Go ahead and install the Shrew Soft VPN Client on your PC. Once installed, double click the VPN Access Manager icon on your desktop to launch it.

Select File > Import.

Choose the .vpn file that was downloaded in the previous step. Click Open.

Step 11:

A new connection will be created from the imported settings. Select this connection and click Connect.

When you click Connect, a window will pop up asking you to input credentials to connect to the tunnel.

Enter the Username and Password that you used to create a user in Step 8.

Click Connect.

If the connection is successful, you’ll see a tunnel enabled message in the window.

That’s all. You have sucessfully set up and configured IPSec VPN for your WatchGuard XTM device.

Additional information:

In case someone needs it, here are my configuration settings that were imported into the Shrew Soft VPN client. You don’t need to change anything here. The correct settings should automatically be configured when this file was generated by your firewall. I’ve only put up this screenshots in case someone is facing any issues and would like to double-check or compare his settings.

(header image source: sciencenews.org)