I thought this was going to be a one-part thing, not 2 parts! Ok, time to do some explaining.
(I broke it up into sections, so hopefully it is easy to read, and it's very technical on computing stuff).
Some ideas seem like good ones. I mentioned in this blog the server I am still running in 2026 despite being 12 years old. It crashes every so often as it's got too many servers, it's running Windows 11 and Hyper-V, which is a resource hog, and it keeps getting hacked.
How it all started….
..is that I wanted a computer to be accessible from anywhere and with my Trainz work, my council work and development work all separated. The plan was 1 Windows virtual machine, 1 Linux virtual machine and one Linux/Windows/whatever virtual machine for my council work, as we don’t get issued computers in my Parish Council due to budget constraints, so have a BYOD policy.
The system looked like this:

How the topology looked afterwards was… quite frankly a mess! But it works.

Somehow!
The plan was to move my server partially in the cloud to allow me to access the computer anywhere, I mean anywhere, so I looked for a cheap enough server deal, came across IONOS who looked reasonable, asked if I could use it for remote desktop which was fine, was asked if I was OK with Linux, recommended a package and got going. That ended up being a disaster but I got it working with XRDP. I’ll explain more. Then I needed more power, so got an upgrade, but ended up with 2 vServers. Ok, I’ve now got 2 vServers, now what? Put both to good use I guess.
Then came the fun.
The idea was to complete the whole lot in less than a week. That was late April/early May. Fast forward to early June and I am near completion, plus a lot less hair, plus a lot more going on. The first thing I did was investigate “Proxmox”. That itself took about 3 weeks to get to a semi-working state, which resulted in me face planting the keyboard at the end. The idea was to use Proxmox to host 2 virtual machines, Apache Guacamole to access the virtual machines via RDP and then have a separate Debian environment. For your sanity, if you don’t like the route of being restricted to a particular distribution, don’t choose this one. Seriously, don’t! It's not a beginner-friendly route.
The concept works, don’t get me wrong, it's a good idea if you need a full-fat OS to work with like me. But the problem is, I was restricted to one of 9 images, all Linux, and I couldn’t add my own custom image to the vServer (I get why, it's for security.)
So setting it up was easy, adding and converting a disk image was easy. Went from VHDX (Microsoft's format for virtual disks) to RAW with little trouble. Import the virtual machine and no network. Do plenty of troubleshooting to no avail and restart from scratch.
Go through the same steps, the host now loses its internet connection (because you can’t use a network bridge – I knew that already) and almost every tutorial said to tie the network card to the bridge. No, I want NAT (Network Address Translation), which required manual config editing, which was easy, right? Wrong.
Rinse a few more times, fix the issue, now trying to get the guests to talk, right, without a DHCP server (Dynamic Host Configuration Protocol), I eventually realised that each guest needed to have its own IP address set. That worked, but then came a bigger problem, no DNS (Domain Name System), so I could access anything with an IP address by pinging it, but I could not use web addresses to connect, nor was there any sort of basic web browsing.
The funny bit:
In between all of this, I helped clean a flat as this was largely done while working around other jobs and I’ll talk about that in another blog of “Unprofessional professional Cleaners” – I even thought of a title and one night I was travelling from Twickenham, London (where I worked for that day) to Chichester, UK which is roughly where I reside.
This was about 2 to 3 weeks in and I remember going into a public area of the train and during the journey, this just shows the mentality of some people. I was joined by a youth who I said nothing to – to begin with and the mentality of “anything is a threat” and going to Haslemere, guard knew where I was anyway and it was a Saturday. I had my headphones on listening to V2 Radio online (Great local radio station!) and being this was around 22:00 on a Saturday, there were loads of club tunes. I didn’t have my headphones on too loudly but I ignored them, kept typing command after command and said.
Me: “I got a DNS problem”.
Youth: “You what?”
Me: “I got a DNS problem”. Obviously, only heard of “I got a problem” and probably related to him.
Youth: “What is that?”
Me: (incorrectly thinking) “Directory Name Service” (No, I know, Domain Name Service, I was in a situation – shows if you feed BS, they believe it)
Youth: “What does that do?”
Me: “Translate web addresses into IP addresses”
Youth: “Are you a hacker?”
Me: “I’m a programmer and programmers are good hackers.” (I might have to explain my justification)
Youth: “Can you hack my phone?”
Me: “I’m not interested in your phone”
Then proceeds to turn the volume up on my headphones a bit louder, blocking him out. All I heard afterwards is a very faint “hello, hello… HELLO”.
To be frank, his phone is probably polluted with problems and I got better things to do than try and hack an iPhone, especially when I found out that he had been kicked out of first class in the middle and decided to join me instead. Some people think their phone is the most important thing in the world and they have to keep it charged, in fact, battery life and lack of features is why I went away from iPhones – strange to say, but no desktop mode, but my Android has it and you are locked in the Apple ecosystem which grabs you and you get trapped in it.
After that, I thought “I’m not getting anywhere with Proxmox” and it was a few days, then I thought “what about if I just KISS and go with QEMU?” The other problem I had is that when I set up the Windows VM, because there was no DNS, I couldn’t therefore set up Windows and furthermore, because there was no DHCP, there was no internet and therefore no DNS to connect to on a fresh install, especially when you need to use an online account to even set up Windows 11. Painful? It was!
A new start.
So a few more erases then went for plain old QEMU, moved everything across and everything worked. Almost flawlessly, I started from scratch with the Windows VM again. But then installing Guacamole and getting everything working? That was a different matter. Found an online script and it worked, if it wasn’t the local computer, my remote desktop worked without issues, but locally? Forget it! Loads of searching, wiping again and then I went for a Docker Container. Nearly gave up with Guacamole after a few weeks even in a Docker container which I screwed up completely because I screwed up the SQL server on the hottest day of the year and head butted the keyboard in frustration. So I gave Guacamole in a Docker container one last go with a fresh install, it worked, it wouldn’t connect to the remote Linux machine anymore, I did a bit of searching and found 2 check boxes. It worked, it connected. Tried the local machine, with the same 2 checkboxes, it worked. I finally got somewhere on little sleep. At this time, I was also setting up an OpenVPN container as well, realising my dream may never come true. This was on the hottest May bank holiday we had in the south.
Now I had overcome 2 problems, here came the third.
NAT.
NATS!
Network Address Translation (NAT) can be useful, however, it is a lot more complex to set up. Now here is an excellent tutorial (read me!) of how to deal with port forwarding on NATs in Linux. This bit was just as troublesome because, the moment you switch off the machine, goodbye to your rules. Have a text document with your rules that are tested as working saved with you!! You will need it. So, Debian in my case, comes with UFW (Uncomplicated Firewall), great, you can allow ports to be opened, type in a simple command and it works nicely with iptables (the other bit you need) until you kill the power and kill your rules. A fix? Simple, iptables-persistent which….
.. is incompatible with ufw! So it needs to be uninstalled. ARRGHHH!!!!!!
Yes, really. So I ended up using firewalld and firewall-gui, manually adding the rules via the command line first (the GUI doesn’t save them either by the looks of it, or I did something wrong). And then nearly lost my last brain cell with any sort of sanity.
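The “text document with your rules” idea from the paragraph above, turned into something you can actually feed to firewalld, as an added example (this is not the blog author’s script, and the layout is assumed: a Debian host running firewalld, the internet-facing NIC in the default “public” zone, and guests on a QEMU/libvirt NAT network using libvirt’s default 192.168.122.0/24). The rules file format, the guest addresses and the `DRY_RUN` switch are all constructed for the example. Every rule goes into the permanent configuration and the script ends with a reload, which is the step a GUI session or an ad-hoc runtime change tends to skip and the reason rules seem to vanish:

```shell
#!/usr/bin/env bash
# Added example, not the blog author's own scripts: load NAT port-forwarding
# rules from a plain text file into firewalld's permanent configuration so
# they survive a reboot. Assumed: Debian host with firewalld, external NIC in
# zone "public", guests on libvirt's default 192.168.122.0/24 NAT network.
# DRY_RUN=1 prints every firewall-cmd call instead of running it (no root needed).
set -u

EXT_ZONE="${EXT_ZONE:-public}"
DRY_RUN="${DRY_RUN:-0}"
RULES_APPLIED=0

fw() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

is_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One rule line: "<ext_port> <tcp|udp> <guest_ip> <guest_port>".
# The guest address check is deliberately simple (dotted digits only); the
# port checks are strict because a typo here silently forwards the wrong thing.
valid_rule() {
  [ $# -eq 4 ] || return 1
  is_port "$1" || return 1
  case "$2" in tcp|udp) ;; *) return 1;; esac
  case "$3" in ''|*[!0-9.]*) return 1;; esac
  is_port "$4"
}

add_forward() {
  valid_rule "$@" || { echo "rejected rule: $*" >&2; return 1; }
  fw --permanent --zone="$EXT_ZONE" \
     --add-forward-port="port=$1:proto=$2:toport=$4:toaddr=$3"
}

# Apply every non-comment line, stopping at the first bad one so a typo does
# not leave a half-applied rule set. Masquerade must be on for forwards to
# another host, otherwise the guest's replies leave with the wrong source.
# Permanent rules are inert until --reload.
apply_rules_file() {
  file="${1:?rules file}"
  RULES_APPLIED=0
  fw --permanent --zone="$EXT_ZONE" --add-masquerade
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"          # strip trailing comments
    # shellcheck disable=SC2086  # word-splitting the line is intended
    set -- $line
    [ $# -eq 0 ] && continue
    add_forward "$@" || return 1
    RULES_APPLIED=$((RULES_APPLIED + 1))
  done < "$file"
  fw --reload
}

# Constructed sample rules file, written here so the example runs stand-alone.
write_sample_rules() {
  cat > "$1" <<'EOF'
# ext_port proto guest_ip       guest_port
3389       tcp   192.168.122.10 3389   # Windows 11 VM (NLA stays on in the guest)
3390       tcp   192.168.122.11 3389   # Linux VM running xrdp
EOF
}
```

Run it once with `DRY_RUN=1` and read the printed commands back against the rules file before running it for real; afterwards `firewall-cmd --zone=public --list-forward-ports` should show the same lines after a reboot, which is the whole point of the `--permanent` flag. Forwarding RDP to the internet like this is what the post later locks down to a couple of source addresses.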
Now I got everything working, on one server, I followed the tutorial, got 2 port forward rules working, able to access my machines from Remote Desktop Client on my “thin client” and was thinking, “yay, a step in the right direction, it works!”. Guacamole didn’t, I tried the web address, IP address (which then suddenly worked for the local session, so I got now 2 servers working with 2 check boxes I mentioned earlier), then typed the local address on the third Linux VM, I suddenly had a third machine that worked. Then the Windows one that went:
NOPE.
A few mods later, yay, it suddenly worked. Windows 11 works by default with Network Level Authentication, i.e. you need to input your username and password into a box before you are allowed to connect.
Then machine no.5 was on the other server with a version of Linux, but when I tried to add a rule, the machine suddenly lost its connection. Worse it was now exhibiting “I don’t like the DNS anymore”, so started afresh again. This is why backups are important but I didn’t get that far so I didn’t shed a tear in losing a handful of files and my new Curriculum Vitae (CV) which is in an email somewhere. This is after I got rejected for a job role and found many issues with my application which was fair.
So I started from scratch, did a similar thing to the other server, used all my experience and then set up the port forwarding rules. It worked, finally. I had got somewhere. Now, I’m able to access all my desktops from a web browser. Until I was bored again. Well, not really, but I somehow had been targeted with MS Azure services with my last brain cell with any sanity attached to it, so I thought I’ll get a free tier Windows Server and see what it is like (then lost my sanity), added it to Guacamole and, to be fair, it's not a patch on my others, but it works. I wrote this document on it (Windows Server 2022 Standard Azure edition), which I had to start from scratch because I installed the core version with no desktop experience.
But that took less than half a day to setup and it was wet when I wrote this.

Final result, full screen site, works on any device (see below) almost and I can access any computer listed. One more joined but that’s a physical server – photo because its from the Thin Client.

So, that was everything, it took me 2 months to build, it robbed me of my sleep, it almost robbed me of my sanity. Okay, it did! But it works. I only got one apparently easy bit to do, an nginx reverse proxy and an HTTPS certificate. That is it. Can I go back to modelling?
Why do it? Is it worth it?
Actually, I’ve lost my sanity, I’m now typing “ls” into a command prompt rather than “dir” and forgetting I’m in Windows, but why? As I mentioned, I wanted my computers to be accessible from anywhere and wanted to keep my council stuff separate, for Data Protection reasons (GDPR you know!), and storing council stuff means I’m subject to an FOI request. Because Freedom of Information (FOIA) covers anything stored on a personal device, all documents relating to the organisation mean that my device is also subject to an FOIA request if it is related to the council. I found this out when I went for FOIA training with the company I am with. Coupled with SAR (Subject Access Request), I really do not want to take the risk.
Another point is to learn skills. I do intend to stay in Train Planning, but as I learned how to set up my own Linux system, I’m basically messing with stuff that organisations deal with, then there is a motion to get me into IT. I was asked by the Head of IT “why don’t you join IT?”, “Because I know nothing about Active Directory”, which is I guess easy to teach. I knew of Azure but never messed with it until now and I’ve done some seriously complex stuff. Who do you know who, for loads of computers, created a bootable disk image using a virtual machine? Me! I deployed it to several physical machines, and it worked. It was basically a Windows 10 install with all my programs installed with a user account, ready to go, all I did was write the disk image to the disk and start. Anything else had a run-once script in cmd and I did that easily. I also created scripts to automate installs for Windows, yeah, these are skills I don’t talk about, found a way to PXE boot (that was hard) with TFTP, so network installs. Etc.
Finally, my computer from everywhere. I’ve stopped using my desktop completely and for several years, I access that everywhere, OK, it was a security risk as I learned and wised up to security issues and always was worried about getting hacked as port 3389 was exposed to the internet. I previously used 3312 as well for other machines. But then I went and learned about virtual machines and putting them to different uses. I used Virtualbox which is a Type 2 Hypervisor and used that for nearly everything. It does the job, it’s great to learn from, but slow. I learned about Hyper-V and its differences (I’ve used Hyper-V before as a virtual machine, not in any complex layout but I found it consumed resources by the bucket load), it’s not until I started playing with it, I found out what it’s like and moved onto Linux KVM from there, despite my initial problems.
With multiple devices, having a server online, does help with accessibility. Also, I don’t actually carry a laptop most of the time in the strictest sense and it goes with a wider problem in the UK – policing.
Think about this, you got your laptop, OK, 90% of your data lives on it, its not backed up anywhere, you go outside, you use your laptop, it disappears on some machete wielding, Sur-Ron riding youth with no identification and wearing all black. As in no number plate, can’t be traced, etc. You shout “Hey, Hey!” and you get the middle finger as they don’t look where they are going. Hopefully they will end up in the railings, you hope.
But I’ve seen someone do exactly that in London with phones, losing a phone means you lost a lot of contacts. Losing a computer with your content on it would be devastating, so I’ve taken proactive steps to stop that, I’ve come close to losing it several times, not through theft thankfully, but hard drive failures.
Now, I carry what's pretty much a “mobile thin client”, or a laptop set up as one. If that gets nicked, I lose nothing. If that gets nicked, it’s very well locked down, even I have forgotten the password to access the admin account (truly!). So, it gets nicked, what have I lost? A relatively inexpensive device to replace. What does the thief have?

Not entirely theft proof, but you don’t lose your data.
A VPN certificate (easy to revoke), a load of links and no passwords. Now you may go “but you are more likely to be hacked”. Yes, true, but I’ve thought about that, hence why I use Guacamole and with MFA enabled. Furthermore, the virtual machines are restricted to 2 IP addresses, so I cannot use remote access via RDP anywhere else apart from the web browser or at home. That works and works well. I’ve got more to do, but that will be for another blog another time.
(You know it's bad when I’ve restricted SSH on port 22 to one IP address)
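The two restrictions just mentioned, RDP reachable from only two addresses and SSH from one, expressed as firewalld rich rules on the NAT host, as an added example (not the author’s configuration; the post does not say where its restriction is applied, so putting it on the host is an assumption, as are the “public” zone and the placeholder addresses from documentation ranges). A plain `--add-forward-port` carries no source filter, which is why the forwards here are rich rules too. The allow rules are added before the wide-open `ssh` service is removed, so a failure half-way cannot cut off the session you are typing in:

```shell
#!/usr/bin/env bash
# Added example, not the author's configuration: restrict the host's SSH port
# and the forwarded RDP ports to an allow-list of source addresses using
# firewalld rich rules in the permanent configuration. Assumed: external NIC
# in zone "public"; the allow-listed addresses are constructed placeholders.
# DRY_RUN=1 prints the commands instead of running them.
set -u

EXT_ZONE="${EXT_ZONE:-public}"
DRY_RUN="${DRY_RUN:-0}"

# Constructed allow-list: the "at home" address and the other vServer that
# hosts Guacamole, so browser sessions still reach the VMs.
HOME_IP="203.0.113.5/32"
GUAC_HOST="198.51.100.20/32"

fw() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

# Accept only a dotted-quad with an explicit prefix length (e.g. 203.0.113.5/32).
# Insisting on the prefix stops a mistyped bare address slipping through.
valid_cidr() {
  case "$1" in
    ''|*[!0-9./]*|*/*/*|/*|*/) return 1;;
    */*) ;;
    *) return 1;;
  esac
  case "${1%/*}" in *.*.*.*) ;; *) return 1;; esac
  [ "${1##*/}" -le 32 ]
}

# Allow a host-local TCP port only from the given sources.
restrict_port() {
  port="$1"; shift
  [ $# -ge 1 ] || { echo "restrict_port: no sources given" >&2; return 1; }
  for src in "$@"; do
    valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    fw --permanent --zone="$EXT_ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept"
  done
}

# Forward an external TCP port to a guest, but only for the listed sources.
restrict_forward() {
  ext_port="$1"; guest="$2"; guest_port="$3"; shift 3
  [ $# -ge 1 ] || { echo "restrict_forward: no sources given" >&2; return 1; }
  for src in "$@"; do
    valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    fw --permanent --zone="$EXT_ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" forward-port port=\"$ext_port\" protocol=\"tcp\" to-port=\"$guest_port\" to-addr=\"$guest\""
  done
}

# Narrow allow rules first, removal of the open ssh service last, reload at
# the end: nothing takes effect until --reload, so order the steps for safety.
apply_all() {
  fw --permanent --zone="$EXT_ZONE" --add-masquerade
  restrict_forward 3389 192.168.122.10 3389 "$HOME_IP" "$GUAC_HOST" || return 1
  restrict_forward 3390 192.168.122.11 3389 "$HOME_IP" "$GUAC_HOST" || return 1
  restrict_port 22 "$HOME_IP" || return 1
  fw --permanent --zone="$EXT_ZONE" --remove-service=ssh
  fw --reload
}
```

Before the final reload, keep the current SSH session open and test a fresh connection from the allowed address; `firewall-cmd --zone=public --list-rich-rules` shows exactly what will be enforced, and `--list-services` should no longer include `ssh`. Anything not on the list, including your own connection from a new network, is dropped by the zone’s default, which is the trade-off the post describes.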