Category Archives: Windows

Create Windows 10 Kernel-based Virtual Machine (KVM) on Linux Debian server

There are many tutorials out there about how to create a KVM, but not many go into detail on how to do it if your guest OS is Windows, and there is also scarce info on the problems you may encounter. This is why I decided to put in brief the steps for how to do it and describe the problems I had to deal with.

This guide assumes you already have a working Debian 9 installation (the steps should in general work for Debian 10 as well). Commands have to be executed as root.

Before you start, it is a good idea to check some hardware capabilities of the host computer, especially if it is not relatively new.

First you need to check if your CPU supports virtualisation. To do this, run the command:

egrep -c '(vmx|svm)' /proc/cpuinfo

If the output of the command is 1 or 2 (or any other non-zero number, as it counts one matching line per logical CPU) you are good; 0 means no go for you.

Then you need to check if hardware virtualisation is enabled, and if not you need to change the settings in your BIOS. Run this command and read the output:

dmesg | grep "disabled by bios"

If the output is "kvm: disabled by bios" you need to alter the BIOS settings, otherwise you are fine.

When ready you need to install quite a lot of packages, so in your terminal type the command:

apt-get install --no-install-recommends qemu-kvm libvirt-daemon-system libvirt-clients libvirt-dev libguestfs-tools genisoimage virtinst libosinfo-bin virt-viewer virt-manager acpid

Be patient, it will take some time. The reason for the --no-install-recommends switch is to avoid installing GUI-related packages, which I personally avoid on server installations.

When the installation is finished you will have to change your network interfaces so the virtual machine becomes part of your LAN. For this you will have to create a bridge interface; make sure you have the bridge-utils package installed. If you happen to have an OpenVPN server already running on the Debian server, as I did, make sure you change your VPN interface to TAP and add it to the bridge, otherwise you won't be able to browse your network.

This is how my /etc/network/interfaces file looked after the configuration change:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# allow-hotplug enp2s0
# iface enp2s0 inet static
# address 192.168.1.2
# netmask 255.255.255.0
# gateway 192.168.1.1

###################################################
# bridge part, comment out the above int conf     #
###################################################

auto enp2s0
iface enp2s0 inet manual

auto tap0
iface tap0 inet manual

auto br0
iface br0 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports enp2s0 tap0
bridge_stp off
bridge_waitport 0
bridge_fd 0
dns-nameservers 8.8.8.8
dns-nameservers 8.8.4.4
dns-nameservers 192.168.1.2

Restart the networking service (or reboot) and test that your connectivity is working as intended.

The next step is to let a regular user manage the VM:

adduser your_user libvirt
adduser your_user libvirt-qemu

Then reload group membership:

newgrp libvirt
newgrp libvirt-qemu

Verify your group membership with the id command:

id

Check the virtual machine network and state:

virsh net-list --all
virsh list --all

Bridge networking has to be configured for the VM as well, so do the following:

Create a file using a text editor:

nano /root/bridged.xml

Add the following config to the file, and make sure the bridge interface name is the same as in your interfaces configuration:

<network>
<name>br0</name>
<forward mode="bridge"/>
<bridge name="br0"/>
</network>

Save and close the file. Then run the following commands to apply this configuration to the VM:

virsh net-define --file /root/bridged.xml
virsh net-autostart br0
virsh net-start br0

Verify the bridged network:

virsh net-list --all
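The requirement above, that the bridge name in the network XML matches a bridge in the interfaces file, can be checked before running virsh net-define. This is an added example, not part of the original post; the function names are made up for it and the sample files are constructed. It also catches an XML file whose quotes were turned into typographic quotes by copying from a web page.

```shell
#!/bin/sh
# Added example: cross-check the bridge named in a libvirt network XML
# against the bridges declared in an ifupdown interfaces(5) file.

# Print every bridge declared in an interfaces file, i.e. every
# "iface NAME ..." stanza that carries a bridge_ports line.
declared_bridges() {
    awk '
        { sub(/#.*/, "") }
        $1 == "iface"                     { cur = $2 }
        $1 == "bridge_ports" && cur != "" { print cur }
    ' "$1"
}

# Print the member ports of one bridge, e.g. "enp2s0 tap0".
bridge_ports_of() {   # usage: bridge_ports_of INTERFACES_FILE BRIDGE
    awk -v br="$2" '
        { sub(/#.*/, "") }
        $1 == "iface" { cur = $2 }
        $1 == "bridge_ports" && cur == br { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

# Print the value of <bridge name="..."/>. Only plain ASCII quotes count,
# so a file pasted with typographic quotes yields nothing.
xml_bridge_name() {
    sed -n 's/.*<bridge[[:space:]][^>]*name=["'\'']\([^"'\'']*\)["'\''].*/\1/p' "$1" |
        head -n 1
}

# Return 0 if the XML bridge exists, 1 if it is not declared, 2 if the XML
# has no usable bridge name.
check_bridge() {   # usage: check_bridge INTERFACES_FILE NETWORK_XML
    want=$(xml_bridge_name "$2")
    if [ -z "$want" ]; then
        echo "NO-NAME no ASCII-quoted <bridge name=...> found in $2"
        return 2
    fi
    if declared_bridges "$1" | grep -qxF "$want"; then
        echo "OK $want ports: $(bridge_ports_of "$1" "$want")"
        return 0
    fi
    echo "MISSING $want is not a bridge in $1"
    return 1
}

# Constructed sample files, modelled on the configuration in this post.
make_samples() {   # usage: make_samples DIR
    cat > "$1/interfaces" <<'EOF'
# iface enp2s0 inet static
auto enp2s0
iface enp2s0 inet manual
auto tap0
iface tap0 inet manual
auto br0
iface br0 inet static
address 192.168.1.2
bridge_ports enp2s0 tap0
bridge_stp off
EOF
    printf '%s\n' '<network>' '<name>br0</name>' '<forward mode="bridge"/>' \
        '<bridge name="br0"/>' '</network>' > "$1/good.xml"
    printf '%s\n' '<network>' '<bridge name="br1"/>' '</network>' > "$1/wrong.xml"
    printf '%s\n' '<network>' '<bridge name=”br0″/>' '</network>' > "$1/pasted.xml"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for x in good wrong pasted; do
        check_bridge "$tmp/interfaces" "$tmp/$x.xml" || true
    done
    rm -rf "$tmp"
}
demo
```

On a real host the call would be check_bridge /etc/network/interfaces /root/bridged.xml.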

 

In order for Windows 10 to recognise your virtual hard disk during its installation you will need to get the virtio drivers. Create a "virtio" (or some other name) folder in /var/lib/libvirt/boot/ and download the drivers (checking for the latest version is probably a good idea):

cd /var/lib/libvirt/boot/virtio/

wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.173-2/virtio-win-0.1.173.iso

Next create the VM's virtual disk, adjusting the size to your needs:

qemu-img create -f qcow2 /var/lib/libvirt/images/windows_10_x64.qcow2 80G

With the disk set, it is time to create the VM:

virt-install \
--virt-type=kvm \
--hvm \
--name=windows10 \
--ram=2048 \
--cpu=host \
--vcpus=2 \
--os-type=windows \
--os-variant=win10 \
--disk path=/var/lib/libvirt/images/windows_10_x64.qcow2,format=qcow2,bus=virtio \
--disk /var/lib/libvirt/boot/Win10_1909_EnglishInternational_x64.iso,device=cdrom,bus=ide \
--disk /var/lib/libvirt/boot/virtio/virtio-win-0.1.173.iso,device=cdrom,bus=ide \
--network=bridge=br0,model=virtio \
--graphics vnc

If you stumble upon an error stating that access to the KVM kernel module is denied, do the following:

Open the file qemu.conf, then uncomment and change the following lines (this makes libvirt run the QEMU processes as user root and group kvm):

nano /etc/libvirt/qemu.conf

#user = "root" -> user = "root"
#group = "root" -> group = "kvm"

After a successful VM creation you will need a VNC client to connect to the VM and start the installation of Windows. During the installation you will have to navigate to the folder containing the virtio disk driver. Mind that in my case it was drive E:, but it may not be the same for you. The path for me was: E:\viostor\w10\amd64. After the installation you can run RDC on Windows and set users to connect to your VM directly without third party software.

To have your VM start automatically when the host starts or is rebooted, first make sure the libvirtd service is started on boot:

systemctl enable libvirtd

Then run:

virsh autostart Your_VM_Name_Here

If you try to shut down your VM from the host terminal with virsh shutdown VM_Name_Here without success, this might be due to a non-working ACPI event handler. To fix this, edit the content of the powerbtn file (create the file if it does not exist):

nano /etc/acpi/events/powerbtn

Then type these lines (delete anything already in the file if it exists):

event=button/power
action=/sbin/poweroff

and restart the acpid service:

service acpid restart

And this is the end of it in general. Next is to post the script to shut down, back up and then start the KVM, when time is available.

Have fun!

Configure BT Echolife/Huawei HG612 as ADSL modem only device

Quite a lot of information on this little, but rather useful device (which in fact is a VDSL/ADSL modem router) can be found at kitz.co.uk, but a step by step guide on how to use this device as an ADSL modem only is not easy to find, so I decided to put my adventures in writing.

First things first – to get hold of a device like this you have to visit eBay, as these are made for BT and are the cheapest possible option to get hold of a device capable of being a VDSL/ADSL modem, compared to the NETGEAR DM200 with its bad reputation or the pricey DrayTek Vigor 130.

What basically has to happen is to set the WAN interface of the device to bridging mode, so it just passes the frames on to your cable router. The device is by default configured to be a VDSL bridge for the BT network in the UK, so it has to be unlocked first. This is a fairly easy procedure, which I have only performed with an HG612 type 3B device.

Navigate to https://mega.co.nz/#F!LdJFDIJL!e_E1twsIg2kTet8mPjrb4w and go to B030SP08 folder, where you will need to download the firmware. The file you would most likely want is called bcm96368MVWG_fs_kernel_HG612V100R001C01B030SP08_webgui, which you could probably guess by the name has the web GUI, unless you would like to try the hard way of course…

When ready, do the following:

Configure your computer’s Ethernet port with the IP address 192.168.1.2 and subnet mask 255.255.255.0

With the HG612 powered off, connect a cable between the LAN2 port (you may need to remove the “not in use” sticker) and the Ethernet port on your computer.

Hold down the reset button on the back of the HG612 whilst inserting the power cable. Keep the reset button held for about 5–10 seconds after powering up, then release.

After about 10 seconds you should be able to access the HG612’s “Update Software” web page at the address http://192.168.1.1

Follow the on-screen instructions to upload the latest firmware, you will be notified the process will take 2 minutes – please be patient, give it 3 minutes, go to the toilet, make yourself a coffee, but do not interrupt or power off.

When this is done navigate again to http://192.168.1.1 and you should be greeted by the login page. Use the default username and password, which are both "admin". Navigate to BASIC -> DSL, tick ALL and then Submit.

The next step is important: configuring the ATM interface. It has to be configured as Ethernet over ATM type so it can translate the PPPoA frames to PPPoE and pass them on to your cable router to do the authentication. This is a handy function you won't easily find on many devices, especially cheap ones. More about the technology behind it can be found at https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#PPPoEoE-to-PPPoA_converting_modem

Navigate to BASIC -> ATM and choose these options: for the virtual identifiers use 0/38. These are for the UK; if you happen to be somewhere else round the globe, check these with your ISP. Leave DSL latency as it is – Path1. For the DSL link type pick the correct one, EoA, this is kind of important. Encapsulation mode – pick VCMUX; again check with your ISP if not sure, or see what it is on the router you were supplied, if available. Service type is UBR without PCR. When ready press Submit.

We are almost ready… Now we have to assign the ATM interface to be the WAN interface. You have a few things to do before that though, as by default the device is set to be a VDSL modem, not an ADSL one. You have to either remove the PTM interface from the WAN setup, or disable it. In my case I just disabled it, thinking it might one day save me a few clicks.

Go to BASIC -> WAN and select the PTM interface. There untick the WAN connection option and also untick the Port binding LAN1. Click Submit when ready.

Now while you are still there click on the New tab so you can assign the ATM to WAN. From the Layer 2 interface drop-down menu pick atm1/(0_0_38), tick WAN connection so it enables the interface on the WAN, leave Service list as it is – INTERNET, Port binding – tick LAN1. This will be the port you connect to your cable router; LAN2 will remain the port you can connect to the HG612 on if you want to do some configuration changes in the future. For Connection mode select Bridge. And the final, but important bit: set Bridge type as PPPoE_Bridged. Click the Submit button.

And this is it! You have a pure ADSL modem only device which passes the WAN IP to the WAN port on your cable router as nature intended! 🙂

On your cable router under the WAN interface configuration choose Connection type PPPoE, add your username and password and you should be good to go, enjoy!


Install Windows 10 64 bit on iMac 7.1 Early 2007 or how to make your old Mac useful again

As the title says, I was given the task to resurrect an iMac and put it back in business! 🙂
Unlike Microsoft, Apple are very picky on how you are going to use your computer and are unpleasantly pushy on dragging you to buy more of their stuff. Simply said, as some of you may already know, you cannot use an old, but hardware wise quite decent Mac with Apple's latest OS due to firmware restrictions. Luckily you can still make some use of it with Windows or Linux.
The iMac in question had a faulty hard drive, which luckily was not too difficult to replace. But as usual the troubles came soon after! 🙂
With a freshly burned DVD with Windows 10 x64 I thought I would be quickly in the game, but NO – I got stuck with a black screen, a message to pick the boot type and an unresponsive keyboard! It turns out that though the computer is of 64 bit architecture, its EFI is 32 bit and you have no chance to boot it from the Windows 10 installation media…
Thanks to good and clever people online, help is available! I read this post, downloaded the exe file provided and it all went well!
As the steps I took are slightly different I wanted to have a note of it.
First of course you will need the Windows 10 x64 image file, which you can download from Microsoft. Under Windows 10, right click on the file and select "Mount".
Just to make life organised create a folder with a name of your choice, in my case it was "NewISO".
Run Command Prompt as administrator and navigate to where you have the OSCDIMG.EXE file saved (or just type the full path to it).
Then run the command:
oscdimg -n -m -bf:\boot\etfsboot.com f:\ c:\NewISO\win10_efi32.iso
where f is the drive letter where the image file is mounted.
After this you will have a 64 bit Windows 10 image file with 32 bit EFI. Do not worry about the warning message related to NT 3.5, just burn it on a DVD or USB stick and use it.
Final words – I do not quite know how this program, which is a genuine Microsoft tool, manages to change the boot loader. I would advise you to download it from the post link above or at least make sure you use the same version, which is 2.54, as this may have something to do with the success of the procedure and a newer one may just put back 64 bit EFI again. I will be glad if someone more knowledgeable explains it in detail.

OpenVPN client and server on Windows 7/8.1

Now – if you have free time and wonder what to do, you can certainly try to set up an OpenVPN server on a Windows machine… To save you some time (maybe 🙂) and to keep some record of what I have done, I am writing this quick article.

For a general idea on the subject and easy to follow guide to OpenVPN general setup and creation of the certificates you can read here:

https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

Do not forget to run the installer as administrator on both client and server PC.

After this, I am sure you will encounter some difficulties with the communication between your devices. Before testing any setups make sure the Windows firewall is off, this will save you a lot of frustration. Please read this article and decide for yourself what you are going to use/need from it:

http://blog.defron.org/2013/01/openvpn-server-on-windows.html

In my case I did not want all the traffic to be redirected through the VPN, so I left alone the option push "redirect-gateway def1 bypass-dhcp". On my server configuration I had to have the client-to-client and topology subnet options, and float on the client configuration, to have a successful ping between the client and the server. Also I changed the registry value of IPEnableRouter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters from 0 to 1 on both client and server.

I did not try the

push "route-metric 512"

push "route 0.0.0.0 0.0.0.0"

trickery to sort the Windows firewall issue as I did not want more mess in my already messy routing tables… 🙂 Instead I decided that I can live with the firewall disabled on the TAP interface only. Probably a better solution – have a third party firewall on and the Windows one off, nowadays all the bloated antivirus software comes with a firewall built in.

Below are my client and server configuration files, might be useful. Good luck!

##################SERVER###########################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 11194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 192.168.20.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 192.168.20.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.20.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Uncomment this directive to allow different
# clients to be able to “see” each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server’s TUN/TAP interface.
client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

##################CLIENT########################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your.server.net 11194
;remote my-server-2 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don’t need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
# See the server config file for more
# description.  It’s best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\CLIENT.crt"
key "C:\\Program Files\\OpenVPN\\config\\CLIENT.key"

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# Enable compression on the VPN link.
# Don’t enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

float
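
The comments in the two config files above say several times that a setting must be the same on the server and on the client (dev, proto, comp-lzo, and the port in remote). As an added example, not part of the original post, this script compares a server and a client config on exactly those points and also checks that the client keeps remote-cert-tls server. The function names, the sample configs and vpn.example.net are constructed for the example, and the comment handling is a simplification of OpenVPN's own parser.

```shell
#!/bin/sh
# Added example: check that an OpenVPN server and client config agree on
# the settings that have to match on both sides.

# Print the arguments of the first occurrence of DIRECTIVE, exit 1 if absent.
# Assumes "#" or ";" starts a comment line and " #..." a trailing comment.
ovpn_get() {   # usage: ovpn_get FILE DIRECTIVE
    awk -v want="$2" '
        { sub(/\r$/, "") }
        /^[ \t]*[#;]/ { next }
        { sub(/[ \t]+#.*/, "") }
        $1 == want { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit !found }
    ' "$1"
}

note() { echo "$1"; bad=1; }

# Print one line per finding; return 1 if there is any finding.
ovpn_pair_check() {   # usage: ovpn_pair_check SERVER_CONF CLIENT_CONF
    s=$1; c=$2; bad=0
    for k in dev proto; do
        sv=$(ovpn_get "$s" "$k") || sv=unset
        cv=$(ovpn_get "$c" "$k") || cv=unset
        sv=${sv%-server}; cv=${cv%-client}   # tcp-server pairs with tcp-client
        [ "$sv" = "$cv" ] || note "MISMATCH $k: server=$sv client=$cv"
    done
    # comp-lzo has to be enabled on both sides or on neither.
    sz=off; ovpn_get "$s" comp-lzo >/dev/null && sz=on
    cz=off; ovpn_get "$c" comp-lzo >/dev/null && cz=on
    [ "$sz" = "$cz" ] || note "MISMATCH comp-lzo: server=$sz client=$cz"
    # The client must dial the port the server listens on (default 1194).
    sp=$(ovpn_get "$s" port) || sp=1194
    rp=$(ovpn_get "$c" remote | awk '{ print $2 }')
    [ "$sp" = "${rp:-1194}" ] ||
        note "MISMATCH port: server=$sp client=${rp:-1194}"
    for k in ca cert key; do
        ovpn_get "$s" "$k" >/dev/null || note "MISSING $k in server config"
        ovpn_get "$c" "$k" >/dev/null || note "MISSING $k in client config"
    done
    # Without this the client does not check the key usage of the server cert.
    [ "$(ovpn_get "$c" remote-cert-tls)" = server ] ||
        note "WARN client lacks remote-cert-tls server"
    return $bad
}

make_ovpn_samples() {   # usage: make_ovpn_samples DIR (constructed configs)
    cat > "$1/server.conf" <<'EOF'
port 11194
proto tcp
;dev tap
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"  # keep secret
comp-lzo
EOF
    cat > "$1/client_ok.conf" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.net 11194
ca "ca.crt"
cert "client.crt"
key "client.key"
remote-cert-tls server
comp-lzo
EOF
    # Same client with proto, port, compression and cert check left wrong.
    sed -e 's/^proto tcp/proto udp/' -e 's/ 11194$/ 1194/' \
        -e '/^comp-lzo/d' -e '/^remote-cert-tls/d' \
        "$1/client_ok.conf" > "$1/client_bad.conf"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_ovpn_samples "$tmp"
    ovpn_pair_check "$tmp/server.conf" "$tmp/client_ok.conf" && echo "ok"
    ovpn_pair_check "$tmp/server.conf" "$tmp/client_bad.conf" || echo "bad"
    rm -rf "$tmp"
}
demo
```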


Windows batch script for auto reconnection to wireless network

Recently I had a client with an odd problem – a laptop randomly disconnecting from the WLAN connection. After ruling out all the possible software issues – OS setup, network configuration, drivers, etc. as well as the access point, I was left with no choice but to think of something to work around this. And what I came up with was a looped batch script using the netsh command. Now some of you may ask – why not PowerShell, it is modern – well, I do not know much about it and from what I have read about network interface manipulation one could only enable or disable the interface, but that was not what I wanted anyway.

Just a bit of info for those who are not familiar with the netsh command: to make the script work you will need some information regarding your wireless setup. You will need the SSID, profile name and the name of your WLAN interface. Using the netsh command you can:

C:\>netsh wlan show all – this will give you the full information in relation to wireless network and all the info needed, but if you are not interested in all the details you can be more specific.

C:\>netsh wlan show networks – to find the SSID

C:\>netsh wlan show profile – to find the profile name

C:\>netsh wlan show interfaces – to find the name of the interface

Most likely your SSID and profile name are going to be the same. Of course you can just left click on the network connections icon in task bar’s notification area, move the pointer over the connected wireless network and in the popup message you will see your profile name and SSID. In Windows 7 the WLAN interface name is “Wireless Network Connection”, Windows 8 – “Wi-Fi”.

Now to the batch script. What it basically does is check if a default gateway exists, and if it doesn't, the netsh command to reconnect is executed. The script is looped, so it runs itself constantly with a delay you can adjust:

:loop
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "Default"') do if not [%%b]==[] goto restart
netsh wlan connect ssid="Wireless Network" Name="Wireless Network" Interface="Wireless Network Connection"
:restart
timeout /t 5
goto loop

Copy/paste it into, let's say, Notepad and save it as a .bat file (BTW, when you copy/paste from web content make sure you got the lines correctly). Adjust it to your needs; to stop it you can interrupt it with Ctrl+C.

There is an annoying inconvenience though – when you run the script the Command Prompt window is visible. Luckily there is a solution for that – wrapping it in a VBS (found this solution on the internet, thanks to a man whose name I sadly cannot remember) and running it in the background. So the VBS file looks like this:

Dim WinScriptHost
Set WinScriptHost = CreateObject("WScript.Shell")
WinScriptHost.Run Chr(34) & "C:\PathTo\mybat.bat" & Chr(34), 0
Set WinScriptHost = Nothing

Copy/Paste and change the path to the .bat file accordingly and save the file as .vbs. Now every time you need to keep your WLAN connection alive – start the VBS file. If you think it will be convenient you can add it to your start up items.

And that’s all. 🙂