Creating an OpenVPN client for bridging traffic between two networks.

This is going to be somewhat backwards; I will follow it up with a post on creating an OpenVPN server at a later time.


Be aware that this client will be set up in AWS, so there will be AWS references in the article. This can be easily translated to your own network.

A prerequisite for this is an OpenVPN server at a remote location that is not in AWS, your office for example.
Spin up an AMI, preferably CentOS; you can use the Amazon Linux AMI as well, as it is built from the same meat and potatoes.
I used an AMI with the ID ami-033e6106180a626d0, which is a CentOS Linux AMI.
Make sure your instance has an elastic IP and it can be reached externally via SSH.
Always work as root via sudo; I use the sudo -i command to accomplish this.

*Note: the service on the OpenVPN client is called openvpn-client@aws.service.

 

Configure your OpenVPN server for the Client

You will need to do two things: assign the client a static IP when it connects to the VPN,
and advertise the subnets that sit behind the VPN client.
SSH into your server instance.
Working as root, create a CCD directory and a client file.

sudo -i
mkdir /etc/openvpn/ccd
cd /etc/openvpn/ccd
touch myuser

Edit the myuser file and add the following.

ifconfig-push 10.8.1.254 255.255.255.0
iroute 172.31.1.0 255.255.255.0
push "route 172.31.1.0 255.255.255.0 10.8.1.254"
push "redirect-gateway def1"
route 172.31.1.0 255.255.255.0 10.8.1.254

*Note that the file name myuser in this directory should reflect the user ID that the AWS client will connect with, and it should be unique.

This OpenVPN server configuration uses only one set of certificate files, but I created a unique LDAP user ID called myuser that only this server connects with. This is defined by the server configuration line username-as-common-name: each time an LDAP user connects, it will be identified by the LDAP user ID instead of the certificate name.

As such, any time myuser connects it is assigned the static IP 10.8.1.254, as defined by the ifconfig-push line in the myuser file.

The iroute 172.31.1.0 255.255.255.0 advertises the AWS subnet that sits behind the AWS client.

You also don't need the last three lines, especially push "redirect-gateway def1"; only add that if you want to redirect all gateway traffic from AWS via the VPN. The other two are redundant, as those routes are pushed and advertised via iroute and the server.conf entries below, so use one or the other.

Navigate to the OpenVPN directory /etc/openvpn, edit the server.conf file and add the following.

push "route 172.31.1.0 255.255.255.0"
client-config-dir ccd
route 172.31.1.0 255.255.255.0
route 10.8.1.254 255.255.255.0

The above advertises the new route to all the clients that connect and tells OpenVPN that the client configuration directory is ccd.

ipp.txt does not work for pushing static IPs, so we use the ccd directory here.

The route 172.31… line in this file, in conjunction with the iroute 172… line in the myuser file, directs all traffic for that subnet to said client.

The route 10.8… line in this file, in conjunction with the ifconfig-push 10.8… line in the myuser file, assigns a static IP to the myuser client.
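As an added example (not code from the original article), the following script checks that a ccd file and server.conf agree the way the text above requires: client-config-dir present, an ifconfig-push address, a route line in server.conf for every iroute in the ccd file, and a warning if redirect-gateway is pushed. File paths are arguments; the sample files it writes are constructed from the values above, not taken from a live server.

```shell
#!/bin/sh
# check_ccd.sh: verify that a ccd file and server.conf agree with each other.
# Added example, not part of the original article; the sample files written by
# write_sample_config are constructed from the article's values, not captured.

# Print "NET MASK" for every iroute line in a ccd file.
ccd_iroutes() {
    awk '$1 == "iroute" { print $2, $3 }' "$1"
}

# Print "NET MASK" for every route line in server.conf (gateway column ignored).
server_routes() {
    awk '$1 == "route" { print $2, $3 }' "$1"
}

# Print every iroute in CCD_FILE that has no matching route in SERVER_CONF.
# OpenVPN needs both: iroute tells the server which client owns the subnet,
# route makes the kernel hand that subnet to the tun interface.
missing_iroutes() {
    ccd_iroutes "$2" | while read -r net mask; do
        server_routes "$1" | grep -Fxq "$net $mask" || echo "$net $mask"
    done
}

# check_ccd SERVER_CONF CCD_FILE: print OK/WARN/FAIL lines, return 1 on any FAIL.
check_ccd() {
    server="$1"; ccd="$2"; status=0

    # Without client-config-dir the per-client file is never read.
    if ! grep -Eq '^[[:space:]]*client-config-dir[[:space:]]+' "$server"; then
        echo "FAIL: $server has no client-config-dir line, so $ccd is never read"
        status=1
    fi

    # Static address: the first ifconfig-push line wins and must be a dotted quad.
    push=$(awk '$1 == "ifconfig-push" { print $2, $3; exit }' "$ccd")
    ip=${push%% *}; mask=${push#* }
    if [ -z "$push" ]; then
        echo "FAIL: $ccd has no ifconfig-push line; the client gets a pool address"
        status=1
    elif ! echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "FAIL: ifconfig-push address '$ip' is not a dotted quad"
        status=1
    else
        echo "OK: client will be pushed $ip $mask"
    fi

    # Every iroute needs a matching route line in server.conf.
    if [ -z "$(ccd_iroutes "$ccd")" ]; then
        echo "WARN: $ccd has no iroute; the subnet behind the client is unreachable"
    fi
    missing=$(missing_iroutes "$server" "$ccd")
    if [ -n "$missing" ]; then status=1; fi
    ccd_iroutes "$ccd" | while read -r net mask; do
        if echo "$missing" | grep -Fxq "$net $mask"; then
            echo "FAIL: iroute $net $mask has no matching 'route $net $mask' in $server"
        else
            echo "OK: iroute $net $mask is matched by a route in $server"
        fi
    done

    # redirect-gateway in a ccd file sends all of that client's traffic into the tunnel.
    if grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$ccd"; then
        echo "WARN: $ccd pushes redirect-gateway; all traffic from the client side will use the VPN"
    fi
    return $status
}

# write_sample_config DIR: constructed server.conf and ccd/myuser with the article's values.
write_sample_config() {
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
push "route 172.31.1.0 255.255.255.0"
client-config-dir ccd
route 172.31.1.0 255.255.255.0
route 10.8.1.254 255.255.255.0
EOF
    cat > "$1/ccd/myuser" <<'EOF'
ifconfig-push 10.8.1.254 255.255.255.0
iroute 172.31.1.0 255.255.255.0
push "route 172.31.1.0 255.255.255.0 10.8.1.254"
EOF
}

# Demo run on the constructed files.
demo=$(mktemp -d)
write_sample_config "$demo"
check_ccd "$demo/server.conf" "$demo/ccd/myuser"
rm -rf "$demo"
```

Run it against the real files with check_ccd /etc/openvpn/server.conf /etc/openvpn/ccd/myuser; a non-zero exit means at least one FAIL line.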

 

Install and configure OpenVPN on the client.

Use your key to SSH into the client Linux instance and work as root with sudo.

sudo -i

Update your instance.

yum update -y

Install the Extra Packages for Enterprise Linux repository (EPEL).

yum install epel-release -y

Update your repository again.

yum update -y

Install OpenVPN and wget.

yum install -y openvpn wget

Create a client directory in the OpenVPN directory and move into it.

mkdir /etc/openvpn/client
cd /etc/openvpn/client

Create two configuration files.

touch aws.conf
touch login.conf

Edit login.conf with your user ID and password: the first line is the user ID and the second line is your OpenVPN password.

nano login.conf

The file should look like this.

myuser
MyP@sswerd$

Save and exit the file. Since this file holds the password in plain text, restrict it to root with chmod 600 login.conf.

Edit the aws.conf file using nano.

The file should look something like this.

client
dev tun
cipher AES-256-CBC
tls-client
tls-auth ta.key 1
remote-cert-tls server
auth-user-pass /etc/openvpn/client/login.conf
keepalive 10 60
proto udp
remote vpn.mydomain.com 1194 udp
topology subnet
pull
persist-tun
persist-key
user nobody
group nobody
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

Obviously add your own certificates to the aws.conf file. Save the file and exit.

I include my certificates in the configuration file.

You don't have to; you can put them somewhere else and reference them in the configuration file.

Also note that the aws part of aws.conf becomes the instance name of the service; you can name the file whatever you would like, but then you have to reflect this in the service name.

 

IP Forwarding on the Client

Next you need to configure IP forwarding on the client as you do on the Server. Without this the bridging will not work.

First check and make sure firewalld is disabled on the instance; generally it is by default.

systemctl status firewalld

If it's disabled, move on; otherwise do the following.

systemctl stop firewalld
systemctl disable firewalld

Next enable IP forwarding.

nano /etc/sysctl.conf

Add the following line to the conf file.

net.ipv4.ip_forward = 1

Restart the network service.

systemctl restart network

Test your OpenVPN connection. If it is working, disconnect and move on to the next step.

openvpn --config aws.conf

 

Create an OpenVPN service on the Client.

Next you will create an OpenVPN service which will restart and reconnect if it crashes.

Last thing you want is the tunnel crashing and not coming back up.

Create the service.

systemctl enable openvpn-client@aws.service

Note that the client portion between openvpn and the @ symbol is the client directory we created earlier, and the aws after the @ is the aws.conf file we created.

This will create the service instance and enable it.

Next start the service and check the status.

systemctl start openvpn-client@aws.service
systemctl status openvpn-client@aws.service

The status should spit out the following.

● openvpn-client@aws.service - OpenVPN tunnel for aws
Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2019-06-06 17:03:54 UTC; 1h 7min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 4209 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@aws.service
└─4209 /usr/sbin/openvpn --suppress-timestamps --nobind --config aws.conf

Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: TLS: soft reset sec=0 bytes=82353/-1 pkts=1140/0
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: VERIFY OK: depth=1, C=CA, ST=AB, L=Edmonton, O=Some Company, OU=IT, CN=domain.com, name=server, emailAddress=admin@domain.com
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: VERIFY KU OK
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: Validating certificate extended key usage
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: VERIFY EKU OK
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: VERIFY OK: depth=0, C=CA, ST=AB, L=Edmonton, O=Some Company, OU=IT, CN=domain.com, name=server, emailAddress=admin@domain.com
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 06 18:03:54 ip-172-31-1-81.ca-central-1.compute.internal openvpn[4209]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Now we need to make sure that this service starts automatically when the server reboots or the tunnel crashes.

Check to see if the service is enabled to auto start.

systemctl is-enabled openvpn-client@aws.service

If you get the following that means the service will auto start.

[root@ip-172-31-1-81 /]# systemctl is-enabled openvpn-client@aws.service

enabled

Otherwise do the following.

Open the openvpn service unit.

nano /etc/systemd/system/multi-user.target.wants/openvpn-client\@aws.service

*Note: that path is a symlink to the packaged unit /usr/lib/systemd/system/openvpn-client@.service (see the Loaded: line in the status output above), so a package update can overwrite the edit; a drop-in created with systemctl edit openvpn-client@aws.service survives updates.

Under the [Service] heading add the line Restart=always.

[Unit]
....
[Service]
...
Restart=always
[Install]
...

Test that the service restarts by either rebooting the instance or doing the following.

Check the PID of the process, kill it, and see if it restarts.

systemctl status openvpn-client@aws.service

You should see something along the lines of…

Main PID: 4209 (openvpn)

Kill the process to see if it restarts.

kill -9 4209

If you do a status again the process should have a new PID.
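A read-only audit of the client host built in the steps above, added here as an example and not part of the original article. It checks the things that most often break or weaken this setup: the plaintext auth-user-pass file's permissions, remote-cert-tls, persisted ip_forward, and Restart=always. It assumes Restart=always was placed in a systemd drop-in (what systemctl edit openvpn-client@aws.service writes) rather than in the packaged unit file, takes every path as an argument, and the sample tree it writes is constructed.

```shell
#!/bin/sh
# audit_client.sh: read-only checks for the OpenVPN client host built above.
# Added example, not part of the original article. It assumes Restart=always
# lives in a systemd drop-in (what "systemctl edit openvpn-client@aws.service"
# writes) and takes every path as an argument; the sample tree is constructed.

# audit_auth_file FILE: the auth-user-pass file holds the password in plain
# text, so it must exist and be unreadable by group and others (mode 600).
audit_auth_file() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: auth file $f is missing"; return 1; }
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "FAIL: $f is readable by group/others; run: chmod 600 $f"
        return 1
    fi
    echo "OK: $f is readable by its owner only"
}

# audit_client_conf CONF: checks the client config written as aws.conf above.
audit_client_conf() {
    conf="$1"; cc_rc=0
    auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -z "$auth" ]; then
        echo "FAIL: $conf has no auth-user-pass line"; cc_rc=1
    else
        audit_auth_file "$auth" || cc_rc=1
    fi
    # remote-cert-tls server stops another client certificate from posing as the server.
    if grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$conf"; then
        echo "OK: remote-cert-tls server is set"
    else
        echo "FAIL: $conf lacks 'remote-cert-tls server'"; cc_rc=1
    fi
    # user/group nobody drops root once the tunnel is up.
    if grep -Eq '^[[:space:]]*user[[:space:]]+nobody' "$conf"; then
        echo "OK: openvpn drops privileges to nobody"
    else
        echo "WARN: no 'user nobody' line; openvpn keeps running as root"
    fi
    return $cc_rc
}

# audit_forwarding SYSCTL_CONF: forwarding must be persisted; the last
# assignment in the file wins, as it does for sysctl itself.
audit_forwarding() {
    if awk -F= '$1 ~ /^[ \t]*net\.ipv4\.ip_forward[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
                END { if (v == "1") exit 0; exit 1 }' "$1"; then
        echo "OK: net.ipv4.ip_forward = 1 is persisted in $1"
    else
        echo "FAIL: net.ipv4.ip_forward = 1 is missing from $1"; return 1
    fi
}

# audit_unit_override OVERRIDE: Restart=always must sit under [Service] in the
# drop-in; editing the packaged unit instead is undone by the next package update.
audit_unit_override() {
    [ -f "$1" ] || { echo "FAIL: drop-in $1 is missing"; return 1; }
    if awk '/^\[/ { sec = $0 } sec == "[Service]" && /^Restart=always$/ { found = 1 }
            END { if (found) exit 0; exit 1 }' "$1"; then
        echo "OK: Restart=always is set under [Service] in $1"
    else
        echo "FAIL: $1 has no Restart=always under [Service]"; return 1
    fi
}

# audit_client CONF SYSCTL_CONF OVERRIDE: run all checks, return 0 only if all pass.
audit_client() {
    all_rc=0
    audit_client_conf "$1" || all_rc=1
    audit_forwarding "$2" || all_rc=1
    audit_unit_override "$3" || all_rc=1
    return $all_rc
}

# write_sample_tree DIR: constructed files mirroring the article's layout.
write_sample_tree() {
    d="$1"
    mkdir -p "$d/client" "$d/override"
    printf 'myuser\nMyP@sswerd$\n' > "$d/client/login.conf"
    chmod 600 "$d/client/login.conf"
    cat > "$d/client/aws.conf" <<EOF
client
dev tun
remote-cert-tls server
auth-user-pass $d/client/login.conf
user nobody
group nobody
EOF
    printf 'net.ipv4.ip_forward = 1\n' > "$d/sysctl.conf"
    printf '[Service]\nRestart=always\nRestartSec=5\n' > "$d/override/override.conf"
}

# Demo run on the constructed tree.
demo=$(mktemp -d)
write_sample_tree "$demo"
audit_client "$demo/client/aws.conf" "$demo/sysctl.conf" "$demo/override/override.conf"
rm -rf "$demo"
```

On the real host the call is audit_client /etc/openvpn/client/aws.conf /etc/sysctl.conf /etc/systemd/system/openvpn-client@aws.service.d/override.conf.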

 

That's it; now don't forget to add your routes on the networking side of things. Your gateway on the server side needs to know how to get to the AWS client and its networks.

If you are putting this in AWS, remember to add the routes in the route table and make changes to the security group as well. Traffic needs to flow both ways.

 

AWS Route Table Changes

In AWS, find the VPC and subnet that the AWS client lives in and locate the route table for that subnet.

In this case it's called OpenVPN_RT.

Click on this route table.

Then edit the routes.

 

Click Add route… then type in the CIDR block of the network in your remote location, the network that sits behind the VPN server. Select Instance and select the AWS client VPN instance that you have created.

This will translate the route to the instance's network interface once you click Save routes.

Do the same for the VPN CIDR and any other CIDRs that live behind the VPN server.

 

Your security group should look like this.

Note the SSH entries; they were added in order to initially set up the Linux boxes.

If your traffic is routing properly you can remove these last two entries, as they are no longer needed and you can reach the instances via the AWS subnet IP.

Ignore the MKT VPC entry this is used for a peering connection.

PROFIT!

 

Resources:

https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-7

https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples


Vivaldi mobile Beta is here.


On Sept 9th 2019 Vivaldi finally delivered their Mobile experience in beta form.

First impressions are good, it’s fast and the UI is fairly intuitive. The menus aren’t buried 10 layers deep, so intuitive in fact it took me all of 30 seconds at first boot to sync my data with Vivaldi servers. I hope they keep it this way. If their desktop experience is anything to follow they probably will.

I have been using their desktop browser for a while now, it’s a good alternative to Chrome and Firefox. Their desktop browsing experience is built on chromium, so all Chrome plugins work in Vivaldi as well.

For those curious about Vivaldi's history, the President of this company used to run the show at Opera before it was sold to the Chinese.

He took the money from that sale and started his own browser company, which is now Vivaldi. Me, I can finally ditch the Opera Mobile experience and start using Vivaldi mobile.

Still in beta mind you so I’m sure it will have some hiccups. I also have yet to figure out how to sync my passwords and bookmark data.

While I was writing this post, the mobile browser ended up syncing all my data. Have to be patient I guess.

PowerShell Automation Script for IIS installation and more.

The below script was designed to install IIS with .Net Core Runtime 2.1.x to be used with NOPCommerce. It also enables WinRM (remote management) and changes network settings on the target machine. This is used with Win Server 2019 core to automate deployments with Ansible into AWS.

#
#    The following script changes the network settings of the machine,
#    disables the firewall, installs IIS and the .NET Core Runtime
#
#Change PS Execution Policy for this process only
Set-ExecutionPolicy Bypass -Scope Process -Force

#Enable TLS 1.2 for Invoke-WebRequest; SSL3 and TLS 1.0/1.1 are obsolete and stay disabled
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

######################### VARIABLES #############################################

$tmpdir="c:\temp\"
$newhostname="WIN-SRV-CORE-IIS"
$ipAdd="172.18.85.184"
$sMask="28"   #Ex. 24 = 255.255.255.0
$dGate="172.18.85.177"
######################### FUNCTIONS #############################################

function machineNMchange 
{
    #Change the machine name and reboot    
    $curhostname=hostname
    #$localuser="\Administrator"
    #$localcred=$curhostname+$localuser

    if ($newhostname -ne $curhostname)
    {
        Rename-Computer -ComputerName $curhostname -NewName $newhostname -Force -PassThru    
        # Add -LocalCredential $localcred to the above line if you want to be prompted for credentials, otherwise run as Admin
        # Add -Restart at the end if you want to automatically restart
    }
}

function installCoreRT 
{
    #Note that this installs CoreRuntime 2.1.8
    $url = "https://download.visualstudio.microsoft.com/download/pr/c2b2968d-022d-4889-afd0-b02010813c94/bd315e931f55eecfdaea258cf3dee48e/dotnet-hosting-2.1.8-win.exe"
    $outFile = "dotnet-hosting-2.1.8-win.exe"

    if (Test-Path -Path $tmpdir -PathType Container)
    { 
        Write-Host "$tmpdir already exists" -ForegroundColor Red
    }
    else
    { 
        New-Item -Path $tmpdir  -ItemType directory 
        Write-Host "$tmpdir created" -ForegroundColor Red
    }
    
    Invoke-WebRequest $url -OutFile "$tmpdir$outFile"    
    # -Wait so the installer has finished before the reboot at the end of the script
    Start-Process -FilePath "$tmpdir$outFile" -ArgumentList "/quiet /norestart" -Wait
}

function installIIS 
{
    #Install IIS
    # To list all Windows Features: dism /online /Get-Features
    # Get-WindowsOptionalFeature -Online 
    # LIST All IIS FEATURES: 
    # Get-WindowsOptionalFeature -Online | where FeatureName -like 'IIS-*'
    # Source: https://weblog.west-wind.com/posts/2017/May/25/Automating-IIS-Feature-Installation-with-Powershell
    $arr = "IIS-WebServerRole","IIS-WebServer","IIS-CommonHttpFeatures","IIS-HttpErrors","IIS-HttpRedirect",
            "IIS-ApplicationDevelopment","NetFx4Extended-ASPNET45","IIS-NetFxExtensibility45","IIS-HealthAndDiagnostics",
            "IIS-HttpLogging","IIS-LoggingLibraries","IIS-RequestMonitor","IIS-HttpTracing","IIS-Security","IIS-RequestFiltering",
            "IIS-Performance","IIS-WebServerManagementTools","IIS-IIS6ManagementCompatibility","IIS-Metabase",
            "IIS-BasicAuthentication","IIS-WindowsAuthentication","IIS-StaticContent","IIS-DefaultDocument","IIS-WebSockets",
            "IIS-ApplicationInit","IIS-ISAPIExtensions","IIS-ISAPIFilter","IIS-HttpCompressionStatic","IIS-ASPNET45"#,"IIS-ManagementConsole"
            #Enable the last value for GUI servers only, for Core leave out.

    foreach ( $iis_value in $arr)
    {
        # -NoRestart: the script reboots once at the end instead of after each feature
        Enable-WindowsOptionalFeature -Online -FeatureName $iis_value -NoRestart
    }
}

function setNet ([string]$ip, [string]$sm, [string]$dg)
{
    #Disable Firewall
    Set-NetFirewallProfile -Name Domain,Public,Private -Enabled False

    #Disable IPv6
    Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
    
    #Change IP
    Set-NetIPInterface -InterfaceAlias "Ethernet" -Dhcp Disabled
    Remove-NetIPAddress -InterfaceAlias "Ethernet" -Confirm:$false
    New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress $ip -PrefixLength $sm -DefaultGateway $dg
    #Ex. New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress "172.18.85.184" -PrefixLength "28" -DefaultGateway "172.18.85.177"
    Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "172.18.85.177"   

    #Connection-specific DNS Suffix  . : mshome.net
    #Link-local IPv6 Address . . . . . : fe80::29bf:1ecc:e589:3e2c%4
    #IPv4 Address. . . . . . . . . . . : 172.18.85.182
    #Subnet Mask . . . . . . . . . . . : 255.255.255.240
    #Default Gateway . . . . . . . . . : 172.18.85.177

}

########################## MAIN ####################################################
setNet $ipAdd $sMask $dGate
installIIS
installCoreRT
machineNMchange

#Enables WinRM for remote management
winrm quickconfig -force
shutdown /r /t 0

Windows 10 (1803) UEFI Autounattend.xml network installation.

In Windows 10 version 1803 a new installation prompt has been added. As such, in pass 7 (oobeSystem) you need to add the input locale component, which is located in amd64_Microsoft-Windows-International-Core_neutral.

One other thing I have changed in the newer version of the Autounattend.xml is that the installer now formats the drive to boot as UEFI, and the install.wim (Windows image) is located on my network. Custom wim files over 4GB will not fit on a FAT32 formatted flash drive. Because you are now grabbing the installation image off the network, you may need to inject network drivers into the boot.wim image in the sources folder on the flash drive/installation media. This allows the installation media to connect to the network and grab the Windows installation image from a shared folder. Note that there are two images in the boot.wim file, index 1 and index 2; you want to inject the network drivers into index 2, which is the Microsoft Windows Setup image.

C:\>dism /Get-ImageInfo /ImageFile:c:\temp\bootwim\boot.wim

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Details for image : c:\temp\bootwim\boot.wim

Index : 1
Name : Microsoft Windows PE (x64)
Description : Microsoft Windows PE (x64)
Size : 1,394,055,012 bytes

Index : 2
Name : Microsoft Windows Setup (x64)
Description : Microsoft Windows Setup (x64)
Size : 1,553,327,748 bytes

The operation completed successfully.

DISM GUI no longer seems to support the latest version of Windows 10 either, so all DISM commands need to be performed from the Deployment and Imaging Tools Environment.

Mount the boot.wim and perform the following commands to add the network driver(s) to your image. Note in the above example that the image is 64 bit so only 64 drivers are required for your hardware.

C:\>dism /Mount-Image /ImageFile:c:\temp\bootwim\boot.wim /Index:2 /MountDir:c:\temp\mount

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Mounting image
[==========================100.0%==========================]
The operation completed successfully.

C:\>dism /Image:c:\temp\mount /Add-Driver:c:\temp\drivers\64 /Recurse

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Image Version: 10.0.14393.350

Searching for driver packages to install...
Found 1 driver package(s) to install.
Installing 1 of 1 - oem1.inf: The driver package was successfully installed.
The operation completed successfully.

C:\>dism /Unmount-Image /MountDir:c:\temp\mount /Commit

Deployment Image Servicing and Management tool
Version: 10.0.17134.1

Saving image
[==========================100.0%==========================]
Unmounting image
[==========================100.0%==========================]
The operation completed successfully.

As you can see, these are three simple commands, and with the /Recurse switch you can add multiple network drivers to the image if you have varying pieces of hardware deployed on your network.

Below is an example of a UEFI Autounattend.xml used to install Windows from the network.

  • In pass 1, windowsPE, the Autounattend.xml formats the two drives in the machine, a primary one and a secondary one.
  • Also in pass 1, the image is installed from a network location using domain credentials. You need to make sure the account has read permissions to the network location; since the password is stored in plain text in the answer file, give that account no more than read access to the share. The image is installed to disk "0" partition "4".
  • In the specialize pass, pass 4, the machine is added to the domain using the "joinadmin" account via the Microsoft-Windows-UnattendedJoin component.
  • Finally, in version 1803 of Windows (maybe even 1709) a new installation component was added that asks for network and locale information; you can fill this in using the Microsoft-Windows-International-Core component in pass 7.

My suggestion would be to copy and paste the text below into a blank text file and save it with an .xml extension. Then open it in Windows System Image Manager.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
        <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SetupUILanguage>
                <UILanguage>en-US</UILanguage>
            </SetupUILanguage>
            <UserLocale>en-CA</UserLocale>
            <UILanguageFallback>en-CA</UILanguageFallback>
            <SystemLocale>en-US</SystemLocale>
            <InputLocale>en-US</InputLocale>
            <UILanguage>en-US</UILanguage>
        </component>
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DiskConfiguration>
                <Disk wcm:action="add">
                    <CreatePartitions>
                        <CreatePartition wcm:action="add">
                            <Order>1</Order>
                            <Type>Primary</Type>
                            <Size>250</Size>
                        </CreatePartition>
                        <CreatePartition wcm:action="add">
                            <Order>2</Order>
                            <Type>EFI</Type>
                            <Size>100</Size>
                        </CreatePartition>
                        <CreatePartition wcm:action="add">
                            <Order>3</Order>
                            <Size>128</Size>
                            <Type>MSR</Type>
                        </CreatePartition>
                        <CreatePartition wcm:action="add">
                            <Order>4</Order>
                            <Extend>true</Extend>
                            <Type>Primary</Type>
                        </CreatePartition>
                    </CreatePartitions>
                    <ModifyPartitions>
                        <ModifyPartition wcm:action="add">
                            <Order>1</Order>
                            <PartitionID>1</PartitionID>
                            <Format>NTFS</Format>
                            <Label>Recovery</Label>
                            <TypeID>de94bba4-06d1-4d40-a16a-bfd50179d6ac</TypeID>
                        </ModifyPartition>
                        <ModifyPartition wcm:action="add">
                            <Order>2</Order>
                            <PartitionID>2</PartitionID>
                            <Label>System</Label>
                            <Format>FAT32</Format>
                        </ModifyPartition>
                        <ModifyPartition wcm:action="add">
                            <Order>3</Order>
                            <PartitionID>4</PartitionID>
                            <Label>SOCO</Label>
                            <Format>NTFS</Format>
                            <Letter>C</Letter>
                        </ModifyPartition>
                    </ModifyPartitions>
                    <DiskID>0</DiskID>
                    <WillWipeDisk>true</WillWipeDisk>
                </Disk>
                <WillShowUI>OnError</WillShowUI>
                <Disk wcm:action="add">
                    <CreatePartitions>
                        <CreatePartition wcm:action="add">
                            <Extend>true</Extend>
                            <Order>1</Order>
                            <Type>Primary</Type>
                        </CreatePartition>
                    </CreatePartitions>
                    <ModifyPartitions>
                        <ModifyPartition wcm:action="add">
                            <Label>Storage</Label>
                            <Format>NTFS</Format>
                            <Order>1</Order>
                            <Letter>D</Letter>
                            <PartitionID>1</PartitionID>
                        </ModifyPartition>
                    </ModifyPartitions>
                    <DiskID>1</DiskID>
                    <WillWipeDisk>true</WillWipeDisk>
                </Disk>
            </DiskConfiguration>
            <UserData>
                <ProductKey>
                    <WillShowUI>Never</WillShowUI>
                </ProductKey>
                <AcceptEula>true</AcceptEula>
                <Organization>Some Company</Organization>
                <FullName>Some Company Inc.</FullName>
            </UserData>
            <EnableFirewall>false</EnableFirewall>
            <EnableNetwork>true</EnableNetwork>
            <ImageInstall>
                <OSImage>
                    <InstallTo>
                        <DiskID>0</DiskID>
                        <PartitionID>4</PartitionID>
                    </InstallTo>
                    <InstallFrom>
                        <Path>\\server\IT\WIM\Win10-image.wim</Path>
                        <Credentials>
                            <Domain>domain.local</Domain>
                            <Password>MyP@ssw0rd!</Password>
                            <Username>netadmin</Username>
                        </Credentials>
                        <MetaData wcm:action="add">
                            <Key>/IMAGE/NAME</Key>
                            <Value>Windows 10 Pro</Value>
                        </MetaData>
                    </InstallFrom>
                    <WillShowUI>OnError</WillShowUI>
                </OSImage>
            </ImageInstall>
        </component>
    </settings>
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <BluetoothTaskbarIconEnabled>true</BluetoothTaskbarIconEnabled>
            <ComputerName>DTPC-0032</ComputerName>
            <TimeZone>Mountain Standard Time</TimeZone>
            <ShowPowerButtonOnStartScreen>true</ShowPowerButtonOnStartScreen>
            <RegisteredOrganization>Some Company</RegisteredOrganization>
            <ProductKey>VK7JG-NPHTM-C97JM-9MPGT-3V66T</ProductKey>
            <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
            <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
            <RegisteredOwner></RegisteredOwner>
            <OEMName></OEMName>
        </component>
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Identification>
                <Credentials>
                    <Domain>domain.local</Domain>
                    <Username>joinadmin</Username>
                    <Password>MyP@ssw0rd!</Password>
                </Credentials>
                <JoinDomain>domain.local</JoinDomain>
                <MachineObjectOU>OU=DesktopOU,OU=ComputersOU,DC=domain,DC=local</MachineObjectOU>
            </Identification>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <VMModeOptimizations>
                    <SkipWinREInitialization>true</SkipWinREInitialization>
                    <SkipNotifyUILanguageChange>true</SkipNotifyUILanguageChange>
                    <SkipAdministratorProfileRemoval>true</SkipAdministratorProfileRemoval>
                </VMModeOptimizations>
                <HideEULAPage>true</HideEULAPage>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <ProtectYourPC>2</ProtectYourPC>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
            </OOBE>
            <UserAccounts>
                <LocalAccounts>
                    <LocalAccount wcm:action="add">
                        <Password>
                            <Value>BAAcwADAAcgBCEAUAAcwG8Ak=</Value>
                            <PlainText>false</PlainText>
                        </Password>
                        <Description>Local User Account</Description>
                        <DisplayName>LocalUser</DisplayName>
                        <Group>Administrators</Group>
                        <Name>User</Name>
                    </LocalAccount>
                </LocalAccounts>
            </UserAccounts>
            <TimeZone>Mountain Standard Time</TimeZone>
            <RegisteredOrganization>Some Company</RegisteredOrganization>
            <RegisteredOwner>IT Department</RegisteredOwner>
        </component>
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>en-US</InputLocale>
            <SystemLocale>en-CA</SystemLocale>
            <UILanguage>en-US</UILanguage>
            <UILanguageFallback>en-CA</UILanguageFallback>
            <UserLocale>en-CA</UserLocale>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:d:/iso/install_w10_1803.wim#Windows 10 Pro" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

CredSSP, Windows RDP connection error.

Recently Microsoft changed the security in regards to Remote Desktop connections. This was to address a vulnerability that existed with RDP that allowed an attacker to take complete remote control of a Windows PC.

With this came some security changes, and you will need to add a registry entry to your machines if you get security connection errors in Windows and Windows Server when you try to use RDP to connect to older remote machines. When I say older I mean Windows 7 and Server 2008; Windows 8.x might be affected as well.

For more information on CredSSP see this Microsoft article: https://support.microsoft.com/en-ca/help/4056564/security-update-for-vulnerabilities-in-windows-server-2008

In Windows 7 the error looks like the following…


In Windows 10 the error is a little more detailed and looks like this…

To get past this issue all you need to do is add the following registry entry to your machine.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

Alternatively, here is a .reg file in a zip file that you can just run. Make sure you reboot after adding the registry entry.

https://drive.google.com/file/d/13vDjZQqwEGZYNL5wnbig5iOzOs26EKn-/view?usp=sharing

I created a group policy on my Domain to push this registry entry to all computers.
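The same registry change done from PowerShell, as an added example that is not part of the original post. It shows the current value with its meaning (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable, the value used above), applies the setting, and removes it again once the older hosts have been patched; the function names are my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Registry key from the post; the value names are Microsoft's
# "Encryption Oracle Remediation" policy values.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$OracleNames = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleSetting {
    # Returns the current AllowEncryptionOracle value, or a note if it is not set.
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'AllowEncryptionOracle not set (OS default applies)' }
    '{0} ({1})' -f $item.AllowEncryptionOracle, $OracleNames[[int]$item.AllowEncryptionOracle]
}

function Set-CredSspOracleSetting {
    # Value 2 matches the post and lets you reach unpatched RDP hosts;
    # 1 (Mitigated) is the safer setting once those hosts are updated.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1, 2)][int]$Value = 2)
    if ($PSCmdlet.ShouldProcess($CredSspKey, "Set AllowEncryptionOracle=$Value")) {
        New-Item -Path $CredSspKey -Force | Out-Null   # creates the key path if missing
        Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Value $Value -Type DWord
    }
}

function Remove-CredSspOracleSetting {
    # Deletes the override so the OS default applies again (reboot afterwards).
    Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
}

Get-CredSspOracleSetting          # before
Set-CredSspOracleSetting -Value 2 # the post's setting; reboot to apply
Get-CredSspOracleSetting          # after, should read "2 (Vulnerable)"
```

Remove-CredSspOracleSetting (or Set-CredSspOracleSetting -Value 1) is the step to run after the Windows 7 and Server 2008 machines have received the update, so the workaround does not outlive the problem it was added for.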

Disabling Automatic Updates on Server 2016

The Server 2016 GUI does not provide a means to disable Windows Updates, and by default updates are set to download automatically. There is a spot for updates in the GUI, but it is a placebo. If you wish to disable automatic Windows Updates and run them manually to your heart's content, you need to do this via the sconfig text-based applet.

Start PowerShell as an administrator and run the sconfig command. This is the text-based server configuration applet.

Once the applet is running, option 5 is for Windows Update settings. For production servers the Manual option is probably the best choice.

A pop-up will notify you of the change once selected, and from here on all your updates will have to be downloaded and installed manually.

Virtual Machine Queues and Broadcom NIC Issues

Broadcom network adapters have a very big issue in Windows with Hyper-V. The issue is so big that at one point, a year or so ago, when I deployed a new Hyper-V server with Broadcom NICs, my domain users were unable to use VPN properly due to crippling network latency. I'm sure Broadcom is aware of this problem, and the issue is documented all around the internet. The problem is Virtual Machine Queues (VMQ): on Broadcom network adapters they delay traffic to the VM and create latency issues.

There is a quick fix for that though. All you need to do is disable Virtual Machine Queues on your network adapter. It takes 5 minutes to fix.

To fix it, start PowerShell as an Administrator, then check whether VMQ is enabled on your adapters, specifically anything by Broadcom.

Run the following command:

Get-NetAdapterVmq

If you see True in the Enabled column, disable VMQ with the following command:

Disable-NetAdapterVmq -Name 'Adapter Name'

See the below example for reference. I even included an error where the adapter name wasn't being caught because there was a space in the name. Use single quotes around the name to avoid this.

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-netAdapterVMQ

Name                           InterfaceDescription              Enabled BaseVmqProcessor MaxProcessors NumberOfReceive
                                                                                                        Queues
----                           --------------------              ------- ---------------- ------------- ---------------
Front End                      Microsoft Network Adapter Mu...#2 True    0:0                            16
Embedded LOM 1 Port 4          Broadcom NetXtreme Gigabit Eth... True    0:0              16            16
Embedded LOM 1 Port 3          Broadcom NetXtreme Gigabit E...#2 True    0:0              16            16
Embedded LOM 1 Port 2          Broadcom NetXtreme Gigabit E...#4 True    0:0              16            16
Embedded LOM 1 Port 1          Broadcom NetXtreme Gigabit E...#3 True    0:0              16            16
Back End(PA)                   Microsoft Network Adapter Mu...#3 False   0:0                            0
Back End(NeoTech)              Microsoft Network Adapter Mult... False   0:0                            0


PS C:\Windows\system32> Disable-NetAdapterVmq -Name Front End
Disable-NetAdapterVmq : A positional parameter cannot be found that accepts argument 'End'.
At line:1 char:1
+ Disable-NetAdapterVmq -Name Front End
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Disable-NetAdapterVmq], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Disable-NetAdapterVmq

PS C:\Windows\system32> Disable-NetAdapterVmq -Name 'Front End'
PS C:\Windows\system32> Disable-NetAdapterVmq -Name 'Embedded LOM 1 Port 1'
PS C:\Windows\system32> Disable-NetAdapterVmq -Name 'Embedded LOM 1 Port 2'
PS C:\Windows\system32> Disable-NetAdapterVmq -Name 'Embedded LOM 1 Port 3'
PS C:\Windows\system32> Disable-NetAdapterVmq -Name 'Embedded LOM 1 Port 4'
PS C:\Windows\system32> Get-netAdapterVMQ

Name                           InterfaceDescription              Enabled BaseVmqProcessor MaxProcessors NumberOfReceive
                                                                                                        Queues
----                           --------------------              ------- ---------------- ------------- ---------------
Front End                      Microsoft Network Adapter Mu...#2 False   0:0                            16
Embedded LOM 1 Port 4          Broadcom NetXtreme Gigabit Eth... False   0:0              16            16
Embedded LOM 1 Port 3          Broadcom NetXtreme Gigabit E...#2 False   0:0              16            16
Embedded LOM 1 Port 2          Broadcom NetXtreme Gigabit E...#4 False   0:0              16            16
Embedded LOM 1 Port 1          Broadcom NetXtreme Gigabit E...#3 False   0:0              16            16
Back End(PA)                   Microsoft Network Adapter Mu...#3 False   0:0                            0
Back End(NeoTech)              Microsoft Network Adapter Mult... False   0:0                            0
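The same procedure generalised, as an added example that is not from the original post: instead of retyping each adapter name (and hitting the quoting error shown above), it pipes the adapter objects that currently have VMQ enabled and whose description matches a vendor pattern straight into Disable-NetAdapterVmq, with -WhatIf support so you can preview first. The function name and the $Pattern parameter are my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the Hyper-V host.
function Disable-VmqByVendor {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Matched against InterfaceDescription; default targets the Broadcom NICs from the post.
        [string]$Pattern = '*Broadcom*'
    )

    # Select only adapters that still have VMQ on and match the vendor pattern.
    # Piping the objects avoids the "positional parameter" error caused by
    # names with spaces such as 'Front End' or 'Embedded LOM 1 Port 1'.
    $targets = Get-NetAdapterVmq |
        Where-Object { $_.Enabled -and $_.InterfaceDescription -like $Pattern }

    if (-not $targets) {
        Write-Verbose "No adapters matching '$Pattern' have VMQ enabled."
    }

    foreach ($nic in $targets) {
        if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable VMQ')) {
            $nic | Disable-NetAdapterVmq
        }
    }

    # Re-read the state so the result can be checked, like the second
    # Get-NetAdapterVmq listing above: Enabled should now be False.
    Get-NetAdapterVmq |
        Where-Object { $_.InterfaceDescription -like $Pattern } |
        Select-Object Name, InterfaceDescription, Enabled
}

Disable-VmqByVendor -WhatIf   # preview which adapters would change
Disable-VmqByVendor -Verbose  # apply and list the resulting state
```

Run it with a different -Pattern (for example '*Microsoft Network Adapter*') if the team interfaces also need VMQ off, as the post did for 'Front End'.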