1. TrueStack Server Overview
The TrueStack Server is a versatile VPN management solution designed to facilitate seamless VPN connections between Windows, Mac, or Linux computers and Windows Active Directory domain controllers or other servers, regardless of location. Additionally, it can be utilized to encrypt all internet traffic from your devices to the TrueStack Server, ensuring secure communication.

Support and Licensing

For support, contact us at [email protected]. Visit our Launch page for links to all platforms and virtual machines (VMs). TrueStack includes 5 free connections. Additional licenses can be purchased here.

Installation and Deployment

The TrueStack Server can be installed in any cloud environment or on-premises. It should be installed on the same network as your Windows Domain Controllers, VMs, or cloud servers. The TrueStack agent can be installed on your computers or deployed through Group Policy.

VPN Authentication and Traffic Routing

The TrueStack Agent authenticates the VPN using individual certificates, eliminating the need for users to remember usernames and passwords. TrueStack can encrypt and route all traffic from the computer through the VPN tunnel to the TrueStack Server or only route traffic destined for the Windows server. The TrueStack agent connects the VPN automatically at startup and operates invisibly to the user.

Management and Customization

Admins can manage each VPN computer connection individually using the TrueStack web interface. TrueStack uses Let’s Encrypt to assign a certificate to the TrueStack interface, and admins can choose custom domain names. Admins can manage connected computers using Windows servers or other cloud servers, route computers from different companies to different servers, and use TrueStack to migrate old Windows servers to new ones, whether on-premises or in the cloud. Admins can also manage server updates and schedule automatic restarts.

Reliability

TrueStack is fast, secure, and reliable.

2. What’s new in TrueStack 2.0

Platform:

  • The TrueStack server now operates on Ubuntu 24.04 (Noble Numbat).
  • The new TrueStack Agent is based on the OpenVPN 2.6 client.

Security:

  • Support for TLS 1.3.
  • AES-256-GCM cipher.
  • SHA-512 for tls-crypt.
  • Improved performance with Data Channel Offload (DCO).
  • Ed25519 elliptic-curve keys with SHA-512 digest.

New Features:

  • Redesigned admin interface.
  • New TrueStack Agent MSI.
  • New TrueStack VPN interface accessible via https://localhost:3366.
  • Easy VPN restart on computers.
  • Group Policy deployment.
  • Import computer names from a CSV file for batch connection setup.
  • Simplified license addition and upgrades.
  • Enhanced logging on the admin tab and computers.
  • Schedule automatic updates.
  • Option to route all traffic through the VPN tunnel.
  • Custom Let’s Encrypt secured URLs for the web interface.
  • Ability to add users.
  • Restart application or reboot from the Admin tab.
  • New cloud servers tab for easy routing of computers to servers.
  • Option to route to subnet for computers.
  • Improved sorting, searching, and management of multiple computers.


3. Installations

The TrueStack server can be installed on any cloud platform that supports Ubuntu Noble Numbat 24.04. It can also be manually installed as a virtual machine or on your hardware. If TrueStack isn’t available on your platform, please contact us at [email protected], and we’ll investigate adding support for it.

Manual Installation

The TrueStack Server can be installed on any supported system, provided the following prerequisites are met:

  • Supported OS: Currently, the only supported operating system is Ubuntu Linux 24.04 Noble Numbat.
  • Configuration: The installation requires configuring several root-level items on the server, although it runs with reduced privileges.
  • Primary Application: The TrueStack Server should be the primary application on the server. Mixing it with other daemons is not supported.
  • Network Requirements: The server must be on the same network(s) as the other servers it will provide access to. Additional network configuration may be required for proper routing.

Computer Preparation

A computer, virtual machine, or container should be set up with a base installation of Ubuntu 24.04 Noble Numbat.

Network Preparation

To ensure proper network configuration for the TrueStack Server, the following connections must be allowed:

  • Port TCP/22: For SSH, limited to trusted source network(s).
  • Port TCP/80: For HTTP from everywhere, required for Let’s Encrypt certificate renewals.
  • Port TCP/443: For HTTPS from everywhere (recommended). This can be limited to trusted source network(s) but must allow connections from TrueStack connected computers. If your TrueStack connected computers are mobile, this must be set to allow connections from everywhere, unless you know the networks they will be connected to.
  • Port UDP/7473: For VPN from everywhere (recommended). This can be limited to trusted source network(s) but must allow connections from all TrueStack connected computers.

Egress:

  • Port TCP/443: To Let’s Encrypt and TrueStack networks for certificate and DNS subdomain rental functionality.

By default, most platforms leave all outbound ports open.

Active Directory Integration

To enable your Windows Active Directory servers to manage your TrueStack connected computers, you will need to create a route for 5.6.0.0/16. This is necessary for the AD server to manage the computers using AD, GPOs, and PowerShell.

For more details, see the Network Security section for recommended configurations for the TrueStack webserver front-end and Windows server back-end.

System prep

The following steps need to be done to prepare the server.

Install prerequisite packages

These base packages are required for this guide.

$ sudo apt update
$ sudo apt full-upgrade
$ sudo apt install openssl locales haveged bzip2 curl

Install and configure PostgreSQL database

TrueStack Server uses PostgreSQL as a database to store information required for operation. The default pg_hba.conf in the package only allows connections from localhost. If you want to use an external PostgreSQL database then skip this step and look below for information on how to configure the database connection information.

$ sudo apt install postgresql
$ sudo -iu postgres createuser truestack
$ sudo -iu postgres createdb -O truestack truestack

Install OpenVPN 2.6 from the official apt repositories

We use the official OpenVPN package repository so that OpenVPN is updated immediately with any security patches or other updates. If you prefer to use the official Ubuntu version, skip this step. OpenVPN 2.6.x is required.

$ sudo mkdir -p /etc/apt/keyrings
$ curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/openvpn-repo-public.gpg >/dev/null
$ echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] https://build.openvpn.net/debian/openvpn/release/2.6 $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/openvpn-aptrepo.list
$ sudo apt update
$ sudo apt install openvpn openvpn-dco-dkms

Configure the official TrueStack apt repository

It is highly recommended to install TrueStack Server via the official repository. This will ensure that you always get the latest updates.

$ sudo mkdir -p /etc/apt/keyrings
$ curl -fsSL https://updates.truestack.com/truestack.key | sudo tee /etc/apt/keyrings/truestack.asc >/dev/null
$ echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/truestack.asc] https://updates.truestack.com/truestack $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/truestack.list
$ sudo apt update

Configure firewall

A firewall on the server is not only a good idea, it is required: TrueStack Server works better when a reverse NAT (masquerade) rule is in place. Without it, the servers behind TrueStack will see connections coming directly from the Agents’ VPN IP addresses. If that is what you want, this step can be skipped, but that configuration is not supported.

There are a few options for how to configure the firewall depending on your needs.

NOTE: New installs of Noble Numbat default to enX0, but upgraded machines will still be eth0. Adjust as necessary. You can find your network interface name with “ip address” or “ip route list default”.

Option 1: use truestack-firewall

The official TrueStack Server images use a separate package named “truestack-firewall”, which uses “iptables-persistent” to configure a firewall. This is an all-or-nothing option and does not allow easy customization.

$ sudo apt install truestack-firewall

Option 2: ufw

Use this command to detect the external interface, and replace every occurrence of “enX0” below with its output.

$ ip route list default | awk '{print $5}'

Run these commands to set up the basic rules.

$ sudo apt install ufw
$ sudo ufw enable
$ sudo ufw allow OpenSSH
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw allow 7473/udp

ufw cannot add a source NAT rule from the command line, so a few files have to be edited by hand.

  1. Edit “/etc/default/ufw” and change the forward policy to DEFAULT_FORWARD_POLICY="ACCEPT"
  2. Edit “/etc/ufw/sysctl.conf” and uncomment net/ipv4/ip_forward=1
  3. Edit “/etc/ufw/before.rules” and add the following nat table near the top (before the existing *filter section):

```
*nat
:POSTROUTING ACCEPT [0:0]
# Start TrueStack VPN Rules
# Source NAT traffic from OpenVPN client to enX0
-A POSTROUTING -s 5.6.0.0/16 -o enX0 -j MASQUERADE
COMMIT
# End TrueStack VPN Rules
```

Finally, reload your ufw firewall with:

$ sudo ufw reload
$ sudo ufw status

Option 3: Just the required masquerade rule

If you already have some kind of firewall set up, you can add the required source NAT rule with the following commands. How this is run on every reboot will depend on your system.

Use this command to detect the external interface for use in the next command.

$ ip route list default | awk '{print $5}'

Now add the source NAT rule using iptables, replacing “enX0” with the output of the previous command.

$ sudo iptables -t nat -A POSTROUTING -s 5.6.0.0/16 -o enX0 -j MASQUERADE
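Option 3 leaves it to you to reapply the rule after every reboot. The script below is an added example, not part of the TrueStack packages: it detects the outbound interface by the “dev” keyword rather than by field position, enables IPv4 forwarding, and adds the MASQUERADE rule only if it is not already present, so it can be run repeatedly from whatever boot-time mechanism your system uses (that mechanism, the file name and the function names are this example’s assumptions). The `self_check` function runs the helpers on constructed sample data and needs no root.

```bash
#!/usr/bin/env bash
# Added example for Option 3 (not part of the TrueStack packages): apply the
# source-NAT rule idempotently so the script is safe to run on every boot.
# Usage:  sudo ./truestack-masq.sh apply      (hypothetical file name)
#         ./truestack-masq.sh check           (runs on constructed sample data)
set -eu

VPN_SUBNET="5.6.0.0/16"   # subnet handed to TrueStack-connected computers

# Print the outbound interface from `ip route list default` output ($1).
# It looks for the token after "dev" instead of assuming field 5, so it also
# copes with route lines that carry extra attributes before "dev".
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Succeed if the `iptables-save -t nat` dump in $1 already holds the exact
# MASQUERADE rule for interface $2 (whole-line, fixed-string match).
masq_rule_present() {
    printf '%s\n' "$1" | grep -Fxq -e "-A POSTROUTING -s $VPN_SUBNET -o $2 -j MASQUERADE"
}

apply_masquerade() {
    iface=$(default_iface "$(ip route list default)")
    if [ -z "$iface" ]; then
        echo "no default route found; cannot pick the outbound interface" >&2
        return 1
    fi
    # Forwarding must be enabled or the NAT rule never sees any VPN traffic.
    # sysctl -w is not persistent, which is fine because this runs at each boot.
    if [ "$(sysctl -n net.ipv4.ip_forward)" != "1" ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi
    if masq_rule_present "$(iptables-save -t nat)" "$iface"; then
        echo "masquerade rule for $VPN_SUBNET via $iface already present"
    else
        iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$iface" -j MASQUERADE
        echo "added masquerade rule for $VPN_SUBNET via $iface"
    fi
}

# Exercise the two helpers on constructed sample data (no root needed).
self_check() {
    route="default via 10.0.0.1 dev enX0 proto dhcp src 10.0.0.5 metric 100"
    dump="*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 5.6.0.0/16 -o enX0 -j MASQUERADE
COMMIT"
    [ "$(default_iface "$route")" = "enX0" ] || return 1
    masq_rule_present "$dump" enX0 || return 1
    # A rule bound to a different interface must not count as present.
    if masq_rule_present "$dump" eth0; then return 1; fi
    return 0
}

case "${1:-}" in
    apply) apply_masquerade ;;
    check) self_check || exit 1; echo "self-check passed" ;;
esac
```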

Install TrueStack Server

Install the TrueStack Server package. This will install a few other dependent packages as well. The service will be enabled (to start at boot), but not started yet.

$ sudo apt install truestack-server

A basic configuration is required that is unique to every machine. You can create a basic config file with:

$ sudo /usr/lib/truestack/bin/initconfig
Creating /etc/truestack.conf

You may edit this file to configure the server for your environment.

```bash
# A secret key is required for all cryptographic functions, such as session cookies, tokens, etc.
# THIS MUST BE UNIQUE FOR EVERY TRUESTACK SERVER AND MUST BE KEPT SECURE AND NEVER DISTRIBUTED
# This must be at least 64 characters long.
TS_SECRET_KEY="SOMELONGKEYOFRANDOMCHARACTERSTHATMUSTBEATLEAST64CHARACTERSLONG!!"

# TrueStack Server can connect to any postgres database accessible locally or via the network.
# NOTE: This should be in a fresh postgres "database" as many tables will be created and maintained.

# Database connection options in one line
TS_DATABASE_URL="postgres://username:password@hostname:port/database_name"

# Or in individual lines
TS_DATABASE_HOSTNAME="192.168.0.1"
TS_DATABASE_PORT="5432"
TS_DATABASE_USERNAME="myuser"
TS_DATABASE_PASSWORD="mypassword"
TS_DATABASE_NAME="nameofdatabase"

# If you want to connect via local unix socket (which is default)
TS_DATABASE_SOCKET_DIR="/var/run/postgresql"
TS_DATABASE_USERNAME="myuser"
TS_DATABASE_PASSWORD="mypassword"
TS_DATABASE_NAME="nameofdatabase"

# By default TrueStack Server listens on port 80 for HTTP and 443 for HTTPS. This can be customized as needed.
TS_HTTP_PORT=8000
TS_HTTPS_PORT=8443
```
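As an added example (not part of the TrueStack package) for the settings above: the script generates a TS_SECRET_KEY of the required length, rejects the placeholder key that initconfig writes (it is exactly 64 characters, so a length check alone would accept it), and checks that a database and valid ports are configured. The function names, sub-commands and file name are this example’s own; `self_check` runs everything against a constructed config in a temporary file.

```bash
#!/usr/bin/env bash
# Added example (not part of the TrueStack package): sanity-check the values in
# /etc/truestack.conf before the first boot and generate a TS_SECRET_KEY of the
# required length. Function names and the sub-commands are this example's own.
# Usage:  ./truestack-conf-check.sh check  /etc/truestack.conf
#         sudo ./truestack-conf-check.sh rotate /etc/truestack.conf
#         ./truestack-conf-check.sh self-check
set -eu

# 96 random bytes -> 128 base64 characters, well over the 64-character minimum.
gen_secret_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 96 | tr -d '\n'
    else
        head -c 96 /dev/urandom | base64 | tr -d '\n'
    fi
}

# $1 = key. Reject anything shorter than 64 characters and the placeholder that
# initconfig writes (exactly 64 characters, so length alone is not enough).
check_secret_key() {
    if [ "${#1}" -lt 64 ]; then
        echo "TS_SECRET_KEY is ${#1} characters; at least 64 are required" >&2
        return 1
    fi
    case "$1" in
        SOMELONGKEY*) echo "TS_SECRET_KEY is still the placeholder from initconfig" >&2; return 1 ;;
    esac
    return 0
}

# $1 = file, $2 = setting name. Prints the value of the last uncommented
# assignment, with surrounding double quotes removed (empty if unset).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# $1 = file. Returns non-zero and prints each problem found.
check_conf() {
    f="$1"; ok=0
    if [ ! -r "$f" ]; then echo "cannot read $f" >&2; return 1; fi
    check_secret_key "$(conf_value "$f" TS_SECRET_KEY)" || ok=1
    if [ -z "$(conf_value "$f" TS_DATABASE_URL)" ] && [ -z "$(conf_value "$f" TS_DATABASE_NAME)" ]; then
        echo "no database configured: set TS_DATABASE_URL or the TS_DATABASE_* values" >&2; ok=1
    fi
    for k in TS_HTTP_PORT TS_HTTPS_PORT; do
        p=$(conf_value "$f" "$k")
        if [ -z "$p" ]; then continue; fi          # unset means the default 80/443
        case "$p" in
            *[!0-9]*) echo "$k is not a number: $p" >&2; ok=1; continue ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then echo "$k out of range: $p" >&2; ok=1; fi
    done
    return $ok
}

# $1 = file. Replace TS_SECRET_KEY with a fresh key in place. This invalidates
# existing sessions and tokens, which were signed with the old key.
rotate_secret_key() {
    new=$(gen_secret_key)
    scratch=$(mktemp)
    sed "s|^[[:space:]]*TS_SECRET_KEY=.*|TS_SECRET_KEY=\"$new\"|" "$1" > "$scratch"
    cat "$scratch" > "$1"      # keeps the original file's owner and mode
    rm -f "$scratch"
}

# Constructed sample config: placeholder key, local socket database, custom ports.
# The placeholder must be rejected; after rotation the file must pass.
self_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
TS_SECRET_KEY="SOMELONGKEYOFRANDOMCHARACTERSTHATMUSTBEATLEAST64CHARACTERSLONG!!"
TS_DATABASE_SOCKET_DIR="/var/run/postgresql"
TS_DATABASE_USERNAME="truestack"
TS_DATABASE_NAME="truestack"
TS_HTTP_PORT=8000
TS_HTTPS_PORT=8443
EOF
    if check_conf "$tmp" 2>/dev/null; then rm -f "$tmp"; return 1; fi
    rotate_secret_key "$tmp"
    if check_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    check)  check_conf "${2:?config file required}" && echo "$2 looks sane" ;;
    rotate) rotate_secret_key "${2:?config file required}" && check_conf "$2" && echo "new key written to $2" ;;
    self-check) self_check || exit 1; echo "self-check passed" ;;
esac
```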

At this point it is recommended to do a full reboot, as a few things are set automatically on boot, such as the Data Channel Offload kernel module.

$ sudo reboot

Cloud Installs

AWS: The TrueStack Server 2.0 is available for free with 5 licenses on the AWS Marketplace. Users only pay for the instance usage. Click here to launch the TrueStack server from the AWS Marketplace.

Note: If you are using TrueStack to provide computers access to a Windows domain controller and you already have a Windows domain controller in your AWS account, ensure you launch TrueStack in the same Region, VPC, availability zone, and subnet. This ensures the TrueStack server can communicate with the Windows server.

Next Steps: See Using TrueStack

AWS Network Configuration for Access to Windows Servers in the Same AWS Network

For Active Directory on your Windows Domain Controller to connect to the TrueStack VPN connected computers, follow these additional steps:

  1. Stop Source/Destination Check on the TrueStack Server Instance:
    • Go to Actions > Networking > Change source/destination check, and select the Stop checkbox.
  2. Associate an Elastic (Static) IP with the TrueStack Server Instance:
    • Turn off the TrueStack server before adding the IP.
  3. Add a Route in the VPC for 5.6.0.0/16:
    • The computers will receive IPs from this subnet.
    • Open your default VPC and the associated Route Table.
    • Edit Routes and add a route:
      • Destination: 5.6.0.0/16
      • Target: Instance – Choose your TrueStack Server Instance

AWS Firewall

We recommend putting the TrueStack server in its own security group because it is a front-facing web server (see the Network Security section). If you need to isolate the Windows servers so they can’t access each other, put them in their own separate security groups. Create an All Traffic rule in the TrueStack SG to the Windows server(s) by IP/32. In the Windows server security group, create an All Traffic rule to the TrueStack server, also by IP/32.

Security Group Rules for AWS

  1. The TrueStack security group must have TCP ports 80 and 443 and UDP port 7473 open to Anywhere-IPv4 and Anywhere-IPv6 because it is a front-end web server. Create these inbound rules on the TrueStack security group:
    • Type: HTTP, Source: Anywhere-IPv4
    • Type: HTTP, Source: Anywhere-IPv6
    • Type: HTTPS, Source: Anywhere-IPv4
    • Type: HTTPS, Source: Anywhere-IPv6
    • Type: Custom UDP, Port: 7473, Source: Anywhere-IPv4
    • Type: Custom UDP, Port: 7473, Source: Anywhere-IPv6
  2. Also in the TrueStack SG, create a rule for All Traffic to the IP of the Windows server you are routing to.
    • Type: All Traffic, Source: Custom, in the blank type the Windows server IP/32.
  3. If you have multiple Windows servers, create a security group for each Windows server if you want to firewall them from each other. If the Windows servers don’t need to be individually firewalled, leave them all in the same security group.
  4. In the Windows security group(s), create an All Traffic rule to the TrueStack server IP/32.

Read Using TrueStack to manage Windows Active Directory Computers


Azure – The TrueStack Server 2.0 is available for free with 5 licenses at the Azure Marketplace. Users only pay for the instance usage. Click here to launch the TrueStack server from the Azure marketplace.

Note: If you are using TrueStack to give computers access to a Windows domain controller and you already have a Windows domain controller in your Azure account, make sure to launch TrueStack in the same Resource group, Region and Availability zone so the TrueStack server will be able to communicate with the Windows server. If you haven’t already launched your Windows server then create a new Resource Group.

Launch: We recommend leaving the image options at their defaults; however, you can change the items below if you prefer.

Size: The TrueStack server uses very little resources and can run on most A, B or D series workload types. A is the least expensive. Note: sizes A and B or Basic sizes don’t come with Public (static) IPs. You will have to allocate a public IP after launch. Size D or Standard comes with a Public IP.

Authentication type: If you need to SSH into the TrueStack server you can authenticate with an SSH public key or password. Either way, remember the username which will be required to authenticate and save the Key to a secure location.

Networking: If you are testing the TrueStack server we recommend leaving everything at image defaults. The TrueStack server does require vnet, subnet and security group. See more below. You can rename each of these to your preference on the networking tab or choose your own if you already have these in place.

Next Steps: See Using TrueStack

Azure Network configuration for access to Windows Servers in the same Azure resource group and subnet

For Active Directory on your Windows Domain Controller to be able to connect to the TrueStack VPN connected computers you need to do several additional steps. If you are using the TrueStack server purely as a VPN server you do not need to do any of the following steps.

  1. Ensure your VM has a Public (static) IP. Type Standard comes with a Public IP. Type Basic doesn’t include a Public IP, so you will have to allocate one: first stop the VM, allocate a Public IP, then restart it.
  2. To allow the Windows servers to be able to communicate back to the computers you will need to create a Route to 5.6.0.0/16.
    • To do this search for Route tables in Azure.
    • Create a Route table
    • Ensure it’s in the same Resource group and Region.
    • Leave Propagate gateway routes to Yes
    • After you create the Route table, open it, click on Settings / Routes
    • Add a Route
    • Destination Type should be IP address. Type the TrueStack route subnet 5.6.0.0/16
    • Next hop should be Virtual appliance. Type the private IP of the TrueStack server. For example, 10.0.0.5
    • Next Associate your subnet
    • Click on Subnets / Associate, choose your Virtual Network and choose the default subnet or if you’ve created a separate subnet choose the subnet you created.

Azure Security Group configuration for Windows servers

The TrueStack server should be a front-end server in its own security group with ports 80, 443 and UDP 7473 open to anywhere. Windows servers should be in a separate security group.

  • Create a new security group and move your Windows servers into that group. If you have multiple Windows servers and you want to isolate them, create a security group for each Windows server.
  • To move a Windows server to a different security group:
    • Click on the Windows Virtual Machine, expand Networking and click on Network settings.
    • Click on the Network Interface / IP configuration.
    • Expand Settings and click on Network security group.
    • In the drop down you can change the server to a different security group.
  • Firewall rules: you need to create one firewall rule for each Windows security group to allow access from the TrueStack server to the Windows server. This rule automatically creates a reverse route back to the TrueStack server.
    • In the Windows NSG, click on Settings / Inbound security rules / Add.
    • The source is IP Addresses / IP of the TrueStack server.
    • Source port: *
    • Destination is IP Addresses / IP of the Windows server.
    • Service can be left as Custom and destination port can be left as 8080.
    • Set the priority to 100 or close to 100 so it will be at the top of the list.
    • Add this rule for each NSG that a Windows server is in. This rule doesn’t have to be added to the TrueStack NSG.

Read Using TrueStack to manage Windows Active Directory Computers

4. Using TrueStack

Initial Setup

Step 1: Access the interface

  • After installation and launch, access the TrueStack server by its public IP. This will start the Setup process, during which you will configure HTTPS certificates; from then on, HTTP will only be used for renewals of that certificate. Once HTTPS is set up, all requests to HTTP will just return a 301 redirect.
  • Inbound ports: Open port 80, 443 TCP from anywhere 0.0.0.0/0 to the TrueStack server. These ports are required and used for the TrueStack interface and Let’s Encrypt. Port 443 may also be used to route all traffic through the VPN tunnel if this is turned on for a computer.
    • Open 7473 UDP from anywhere 0.0.0.0/0 to the TrueStack Server. This port is required and is used for the VPN tunnel.
    • Optional: Open SSH 22 to your IP if you want to SSH into the linux interface of the server. You may need to do this to get the hostname and perform other tasks. See below.
  • Outbound ports: Open all outbound ports to anywhere 0.0.0.0/0. This allows the instance to reach the internet.
  • At first launch access the server using http://virtualmachineIP, not https://virtualmachineIP. The initial set up uses port 80 to configure your custom URL before obtaining a certificate from Let’s Encrypt and redirecting to port 443 on your custom URL. In the future you will use https://customURL.
  • Note: Some browsers automatically redirect to https://. You may have to manually type or change the URL to http:// to access the initial setup.

Step 2: Authenticate

  • You will be prompted for either a hostname or an Instance ID depending on where the instance was launched from.
  • If you’re prompted for the hostname, SSH into the TrueStack server instance and type “hostname” to find the hostname of your instance.
  • Note: AWS instances will require the Instance ID, such as “i-abcdefghijk”. Azure will require the Machine Name. Instances installed on any other platform or manual installs will use the hostname.

Step 3: Accept EULA

  • Please read the displayed End User License Agreement. Click accept and continue.

Step 4: Registration

  • Optionally register with TrueStack, Inc to receive important updates and security notices. This email address will never be shared with a third party and is only used for important updates. You can also subscribe to the Newsletter to get an occasional helpful article.
  • This information is sent to a central TrueStack server via a secure HTTPS connection.

Step 5: Configure Hostname

  • In order to enable HTTPS, we must be able to get a TLS certificate from Let’s Encrypt, but they do not issue certificates for IP addresses, so a hostname is required. You can either configure your own, such as by setting up a subdomain of an existing domain like “truestack.mycompany.com”, or you can rent a subdomain of “truestack.net” for free for as long as this instance is in use. Subdomains are allocated on a first-come, first-served basis. If your server is disabled for more than 30 days, this subdomain will no longer be reserved and could be registered by someone else.

Step 6: Get and install HTTPS TLS Certificate

  • We have partnered with Let’s Encrypt to enable quick and easy HTTPS certificate request and renewal. Simply accept the Let’s Encrypt Terms of Service, optionally provide an email address to them, and click continue to automatically request and install the certificate. Once this is done you will be prompted to restart the web server to enable the certificate.

Step 7: Create your Admin user

  • The TrueStack Server allows you to create many different admin users, such as one for each of your team. During Setup, you will create yours so you can log in once Setup is complete. You can create more in the Admin section later.
    If you ever lose your password, you can reset it from the command line with:
    $ truestack reset_password username

Step 8: Choose Timezone and add Subnet

  • Choose your Timezone and add your subnet. Finding your subnet will vary depending on which platform you are on.

Setup Complete!

  • You may now log in and start using your TrueStack Server.


Adding Computers

On the computers tab it’s easy to add Computers.

Name: If the computer is connected to an Active Directory domain use the same name the computer has in Active Directory. This will allow the computer to be easily identified on the TrueStack server.

Primary User: We recommend using the name of the end-user who will be using the computer.

Group: You can group your computers for easy sorting. For MSPs who are using TrueStack to manage multiple Windows Domain Controllers we recommend creating groups by customer or company name.

Cloud Servers: Go to the Cloud Servers tab and create a cloud server. If you are routing computers to a Windows Active Directory cloud server, type the name and Local IP address of the Cloud server. This must be an IP address on the same network as the TrueStack server. We recommend isolating the front facing TrueStack server and backend Windows servers using Firewall Security Groups. How you do this will depend on which platform you are using.

  • If you want to route one computer to various servers then create multiple servers on the Cloud Servers tab.
  • Choose whether the server is a DNS server or WINS server. Active Directory servers should be DNS servers.
  • With the DNS box checked the computer will route Active Directory lookups through the DCO adapter to the Windows AD server.
  • WINS servers: Some old applications use a WINS server to map computer names to IP addresses. With the WINS box checked the computer will route WINS lookups to a WINS server. This could be Windows Server 2022 or earlier.
  • The DNS and WINS servers will show on the TrueStack DCO Adapter.

On the Computers tab you can now choose your Cloud Server(s) from the drop-down menu.

Route to Subnet: This checkbox allows the computer to access all IP addresses in the entire subnet. This subnet is the private subnet your TrueStack server is on. It can be found in Settings / Network / Subnet. For example, if your subnet is 10.0.1.0/24 then the admin will be able to access all cloud servers in this subnet. This setting overrides the individual cloud server settings. In general, do not turn this on for end-user computers. We recommend this checkbox only for Admins.

If your computer is a member of a Windows domain you will still need to connect a cloud server that is a domain controller, with the DNS checkbox on so the computer will be able to authenticate to the Windows domain controller.

Route all traffic: This checkbox will route all internet and network traffic through the VPN tunnel. With this checkbox unchecked only traffic destined for the cloud server, such as a Windows Active Directory server, will route through the VPN tunnel.

This is helpful for users who want to hide all their internet and network traffic from local networks such as public Wi-Fi. It encrypts traffic between the computer and the TrueStack server. A tracert will show that the first hop is your TrueStack server. Traffic sent beyond the TrueStack server to the internet will not be encrypted. This is true of all VPN services, since a VPN only encrypts data between two points.

With Route all traffic turned on, the speed of your internet lookups will vary depending on the speed of your TrueStack server, your cloud, your computer and your local network. In general our customers rarely see the difference. However, this checkbox could increase latency and data usage.

For faster DNS lookups you can add public DNS cloud servers like Google’s 8.8.8.8 and 8.8.4.4 to your cloud servers. 8.8.8.8 and 8.8.4.4 are added to the DCO adapter when you associate the Google DNS cloud servers with a computer.

Setting the DNS server IPs to Google’s DNS server for the DCO adapter isn’t recommended when you have a Windows Active Directory server with DNS installed because in order for the computer to communicate with the AD server all AD DNS lookups need to go to the server and not out to the internet.

If you use the Route all Traffic checkbox with a DNS server, all internet and network traffic DNS lookups, not just Active Directory lookups will go through the VPN tunnel. DNS lookups may be a little slower with this configuration however on standard networks most of our customers don’t experience the slowness.

Installing the TrueStack Agent on a computer

  • After you Add your computer you can click on the download button and install the TrueStack Agent on your local computer.
  • On a Windows computer the installation will open a browser at localhost:3366 (a page served locally by the agent) upon completion.
  • On first connection a browser page at localhost:3366 opens and prompts you for your TrueStack URL (or custom URL) and the computer’s security code.
  • The security code is to ensure that the connection is only used on one device. If you try and connect multiple computers using the same security code only one of the computer VPN connections will work at a time.
  • You can retrieve the security code in the TrueStack interface by clicking on the lock icon for the computer.
  • There’s also an option in the TrueStack server interface to send an email with a link to download the agent.

Localhost:3366

  • In Localhost:3366, once your computer is connected you can see the status of the TrueStack Agent and VPN connections to your TrueStack Server.
  • You can restart or reload the connection here. Reload will disconnect and reconnect the tunnel. Restart will restart all the TrueStack agent associated processes.
  • You can also see the computer VPN log and changes to the agent on the Config page.
  • The TrueStack agent runs as a service. It isn’t visible to the end-user except in Services and Programs and Features, or if they navigate to localhost:3366.

Making changes to existing computers

  • You can click on the computer name to Edit the computer connection and view statistics about the connection.
  • Changes made to the computer connection will update to the computer after the TrueStack agent is restarted
  • 3 ways to restart the TrueStack Agent
    • In the TrueStack server interface, toggle Enabled to off. Wait approximately 30 seconds to a minute and toggle Enabled on. This will force a reload of the TrueStack agent and VPN.
    • On the computer that the TrueStack agent is installed on open a browser and go to localhost:3366. There you will have the option to restart the agent.
    • Restart the computer

Actions – make changes to multiple computers

The Action drop-down menu allows you to choose multiple computers and make bulk changes to them, such as disabling, enabling and deleting multiple computers.

You can also generate or remove security codes for multiple computers. This is useful if you think security codes have been compromised: you can remove all of them and generate new ones as needed.

Install on a Mac

We recommend using the OpenVPN Connect V3. You can download the client here.

After installing OpenVPN Connect V3, download the .ovpn config file for your Mac by clicking on the download icon in the TrueStack server interface. Save the file on your Mac.

Open OpenVPN on the Mac and upload or drag and drop the .ovpn config file into the software. You can also double-click the .ovpn file, which will launch OpenVPN Connect and prompt you to import the file and connect.

We recommend changing the Launch option to Restore connection so the VPN will connect automatically.

Install on Linux

The commands below are for Ubuntu and other Debian-based distributions, but OpenVPN is packaged for every major Linux distribution. Others use yum, dnf or rpm; consult your distribution's documentation for installing packages.

$ sudo apt-get install openvpn

Create the computer in the TrueStack server interface. Download the .ovpn config file for Linux and copy it to your Linux computer or VM. The file carries that computer's VPN identity, so keep it readable only by root (chmod 600) and don't reuse it on another machine.

Change to the folder where you saved the .ovpn config file and run the command below. The trailing "&" runs openvpn as a background job: its log output still appears in the terminal, but pressing Enter returns you to the bash prompt and the tunnel stays up. Without the "&", openvpn runs in the foreground and Ctrl+C stops it and disconnects the VPN.

$ sudo openvpn --config Demo01.ovpn &

To disconnect the vpn:

$ sudo killall openvpn

For a list of openvpn options:

$ openvpn --help
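The following is an added example for the Linux steps above; it is not part of the TrueStack documentation or its tooling. Rather than leaving openvpn as a backgrounded shell job, it checks the downloaded profile (required client directives, inline CA/cert/key blocks, and file permissions, since the file contains the computer's private key) and then installs it under the openvpn-client@ systemd template that the Ubuntu openvpn package ships, so the tunnel comes up at boot the way the Windows agent does. It assumes the profile embeds the CA, certificate and key inline, as a single downloaded file does; the unit name "truestack" and the file name Demo01.ovpn are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not part of the TrueStack documentation or product): sanity-check
# a downloaded per-computer .ovpn profile, then install it as a systemd-managed
# OpenVPN client so it survives logout and reboot without a backgrounded shell job.
# Assumes the profile embeds its CA, certificate and key inline, as a single
# downloaded file does; the unit name "truestack" is an arbitrary choice.
set -eu

# check_ovpn_profile FILE
# Verifies FILE is a complete single-computer client profile and that its
# embedded private key is not readable by other local users.
# Returns 0 when everything is in order, 1 otherwise (problems go to stdout).
check_ovpn_profile() {
  local f="$1" status=0 d tag perms
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }

  # A client profile must declare itself a client and name a server to reach.
  for d in client remote; do
    grep -Eq "^[[:space:]]*${d}([[:space:]]|\$)" "$f" \
      || { echo "missing directive: $d"; status=1; }
  done

  # The identity material must be present inline; a profile that references
  # separate files would not be the single per-computer download.
  for tag in ca cert key; do
    { grep -q "<${tag}>" "$f" && grep -q "</${tag}>" "$f"; } \
      || { echo "missing inline <${tag}> block"; status=1; }
  done

  # The file carries this computer's private key: group/other bits must be off.
  # Columns 5-10 of "ls -l" are the group and other permission bits.
  perms=$(ls -l "$f" | cut -c5-10)
  [ "$perms" = "------" ] \
    || { echo "profile is readable by other users (group/other bits: $perms); chmod 600 it"; status=1; }

  return "$status"
}

# install_ovpn_profile FILE [NAME]
# Copies FILE to /etc/openvpn/client/NAME.conf (root-only, mode 600) and
# enables openvpn-client@NAME so the tunnel starts at boot. Requires sudo.
install_ovpn_profile() {
  local f="$1" name="${2:-truestack}"
  check_ovpn_profile "$f"
  sudo install -o root -g root -m 600 "$f" "/etc/openvpn/client/${name}.conf"
  sudo systemctl enable --now "openvpn-client@${name}"
  sudo systemctl --no-pager status "openvpn-client@${name}"
}

# Usage: ./ovpn-install.sh Demo01.ovpn          (check, then install and start)
#        ./ovpn-install.sh --check Demo01.ovpn  (check only)
if [ "$#" -gt 0 ]; then
  case "$1" in
    --check) check_ovpn_profile "$2" ;;
    *)       install_ovpn_profile "$1" ;;
  esac
fi
```

Once installed this way, stop the tunnel with sudo systemctl stop openvpn-client@truestack instead of killall, and read its log with journalctl -u openvpn-client@truestack. The check deliberately fails on a world-readable profile rather than silently fixing it, so a profile copied around with loose permissions is noticed.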

Self-install

You can copy or email an installation link to an end user or another IT admin: copy the installation link under Self-install and open the URL on the computer on which you want to install the TrueStack agent.

The user will be prompted for the computer's Security Code. Retrieve the security code by clicking the lock icon for the computer in the TrueStack interface. From there you can also email the code and the installation link by clicking the email icon, which opens your default email application. The link and the code together are enough to enroll a computer, so consider sending them through separate channels and rely on the security code timeout (see Security Codes below) to limit how long a leaked code is usable.

After entering the code, the TrueStack agent download page opens.

Security Codes

  • After installing the TrueStack agent, localhost:3366 opens in a browser and prompts for the computer's security code. This is required in order to connect the VPN the first time.
  • When using the Self-install installation link, you'll be prompted for the computer's security code before reaching the download page.
  • .ovpn config files are specific to the computer. They can be downloaded from the TrueStack server or from the download page. If you are installing a config file on a Mac, Linux or other computer using the OpenVPN Connect software, you must install the .ovpn config file specific to the computer you are trying to connect. The file carries that computer's VPN identity, so treat it as a credential: transfer it over a trusted channel, restrict its permissions, and delete spare copies once it has been imported.
  • IMPORTANT: You can only use a security code or .ovpn config file on one computer at a time. If you try to connect multiple computers using the same security code or .ovpn config file, only one of the VPN connections will work at a time.
  • Use the Action drop-down to generate or remove security codes for multiple computers at a time.

Set security code timeout: In Admin / Settings you can change the security code timeout. By default it is set to 1 hour. This means that if you send a security code to a user or admin to install on a computer, they have only one hour to use it before the code expires. Keep this short; an expired code can simply be regenerated from the Action drop-down.

Site Tokens

  • Use a Site Token to deploy the TrueStack Agent .msi using Group policy or other software.
  • In the TrueStack server Admin / Agent you can generate Site Tokens.
  • Choose the length of time before a Site Token expires. Keep it short and regenerate as needed: an administrative-template setting is stored as a registry policy value, both in the GPO in SYSVOL (readable by any authenticated domain user) and on every computer that applies it, and a valid Site Token plus the Server URL is all that is needed to enroll a computer.
  • Once the Site Token expires it can no longer be used to deploy the TrueStack Agent.
  • Use Examine Site Token to see if a Site Token has expired or not.
  • Learn more: Deploy the TrueStack Agent with Group Policy

Bulk Import

The TrueStack server allows you to import a list of computers from a .csv file by clicking on the Import button and uploading a .csv file. You can create your own template or download our sample template here.

Before you import computers from the template make sure you’ve created the Group you would like to import the computers to.

The computer Name is the only required field. If the Group is left blank, the computers will show in the TrueStack interface under Show ALL.

Agent Token Timeout

If the TrueStack agent on a computer hasn't connected for more than 30 days, the agent on that computer will no longer be able to connect the VPN. 30 days is the default; you can increase the number of days in the Settings / Miscellaneous / Agent token timeout (days) field.

Users

On the Admin users tab you can add new admin users. All users have the same permissions on the TrueStack server; there is no role separation, so create accounts only for people who need full control of the server.

If you lose your password, reset it from the TrueStack server's command line:
$ truestack reset_password username

Updates

Scheduling updates and reboots: It is important to log in to your TrueStack Server on a regular basis and check for updates to any of the packages that make up the system. You can do this in the Admin section manually, or configure Auto Updates in the Settings. You can also configure auto reboots during scheduled maintenance windows. If you don’t think you can manually keep it up to date, please enable Auto Updates and Auto Reboots and configure maintenance windows so that your server always stays up to date and secure.

TrueStack Agent Updates

New released versions of the TrueStack agent will need to either be installed on the computers manually or installed via Group Policy or other deployment software. See group policy deployment.

Managing Licenses

Purchasing Licenses:

  • The TrueStack server comes with 5 licenses free.
  • For Licensing support email: [email protected]
  • You can only activate your license key on one TrueStack server
  • Purchase new licenses from our Pricing page.
  • Monthly or Yearly license options are available. There is a 10% discount for yearly licenses.

Adding additional licenses:

If you have purchased 10 licenses and you want to add another 10, don’t purchase them from the pricing page. If you purchase a license from the pricing page and apply it to your current TrueStack server it will overwrite the current license.

  • Log into your account.
  • Choose the license you want to upgrade and click on View Licenses / View Upgrades
  • If you have 25 licenses you can upgrade to the next tier which is 50 licenses.
  • This will give you an additional 25 licenses and leave your expiration date the same.
  • It will pro-rate the additional licenses.

Moving a license to a different TrueStack server

  • You can only activate your license key on one TrueStack server.
  • To move your license key click on View Licenses / Manage Sites.
  • Deactivate Site
  • After deactivation you can activate the license key on a different TrueStack server.


Network Security

The TrueStack server is a front-end web server with TCP 80, TCP 443 and UDP 7473 open to anywhere. This is required so the computers can connect to the TrueStack server from any IP. If you are using the TrueStack server to reach other servers in your cloud or on-premises, we recommend firewalling those servers so they are back-end servers, reachable only through the TrueStack server. In AWS and Azure this is done with security groups; each platform, or your local network, has its own way to do this.

Create security groups so the TrueStack server and back-end Windows servers can communicate. How to do this is detailed for each platform or for manual installs in #installations or #cloudinstalls.

Firewall Scenarios:

  1. Multiple Windows servers in the same security group: some admins may want to put multiple Windows servers in the same security group. For example, if the computers need access to multiple Windows servers in the same domain and those Windows servers need to communicate with each other, put all of the Windows servers in the same security group.
  2. Multiple Windows servers in separate security groups: if you are using one TrueStack server to manage multiple Windows AD domain controllers for different domains, place each Windows server in a separate security group. This is ideal for MSPs who manage multiple companies that each have separate domain controllers.
  3. TrueStack VPN only: if you are simply using TrueStack to encrypt all internet traffic from the computer to the TrueStack server and are not routing computers to Windows servers, so the computers go directly to the internet from the TrueStack server, leave TrueStack in its own security group.

Route to 5.6.0.0/16

The Windows servers need to be able to reach the computers in order to manage them with Active Directory. This requires a route to the 5.6.0.0/16 subnet via the TrueStack server; each computer connected to the VPN receives an IP address on this subnet. The route needs to be created on your local network or cloud platform. How to do this is detailed for each platform, or for manual installs, in #installations or #cloudinstalls. Note that 5.6.0.0/16 is not private (RFC 1918) address space: while this route is in place, real internet hosts in that range are unreachable from your network, so keep the route internal and don't advertise it beyond the networks that need to reach VPN clients.
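The front-end/back-end layout and the return route described above, built on AWS with the AWS CLI, as an added example that is not TrueStack's own tooling. It assumes the TrueStack instance, its security group, the Windows servers' security group and the VPC route table already exist; every id in it is a placeholder. Disabling source/destination checking on the TrueStack instance is an EC2 requirement for any instance that forwards traffic for other addresses; the page does not mention it, but without it the 5.6.0.0/16 route silently drops packets.

```shell
#!/usr/bin/env bash
# Added example, not TrueStack's own tooling: build the front-end/back-end
# security-group layout and the 5.6.0.0/16 return route from the Network
# Security section on AWS with the AWS CLI.
# Assumptions: the TrueStack instance, its security group (FRONT_SG), the
# Windows servers' security group (BACK_SG) and the VPC route table (RTB)
# already exist; every id below is a placeholder. DRY_RUN=1 prints the aws
# commands instead of executing them.
set -eu

# Run an aws command, or just print it when DRY_RUN=1.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Front-end: only the three ports the agents use, reachable from any address.
open_frontend_ports() {
  local sg="$1"
  aws_cmd ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 80 --cidr 0.0.0.0/0
  aws_cmd ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 443 --cidr 0.0.0.0/0
  aws_cmd ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 7473 --cidr 0.0.0.0/0
}

# Tiers: the Windows servers accept traffic only from the TrueStack group (VPN
# clients arrive through the tunnel), and the TrueStack instance accepts
# traffic from the Windows servers, since packets for 5.6.0.0/16 enter its
# network interface on the way to the clients. Referencing group ids instead
# of addresses keeps the rules valid if either instance changes IP.
link_tiers() {
  local front="$1" back="$2"
  aws_cmd ec2 authorize-security-group-ingress --group-id "$back" --ip-permissions "IpProtocol=-1,UserIdGroupPairs=[{GroupId=$front}]"
  aws_cmd ec2 authorize-security-group-ingress --group-id "$front" --ip-permissions "IpProtocol=-1,UserIdGroupPairs=[{GroupId=$back}]"
}

# Return route: send the VPN client subnet to the TrueStack instance. EC2 drops
# forwarded traffic unless source/destination checking is disabled on the
# instance, so that is done first.
route_vpn_subnet_via_truestack() {
  local rtb="$1" instance="$2" cidr="${3:-5.6.0.0/16}"
  aws_cmd ec2 modify-instance-attribute --instance-id "$instance" --no-source-dest-check
  aws_cmd ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$cidr" --instance-id "$instance"
}

# Placeholder ids; override them in the environment.
FRONT_SG="${FRONT_SG:-sg-0placeholderfront}"
BACK_SG="${BACK_SG:-sg-0placeholderback}"
RTB="${RTB:-rtb-0placeholder}"
TS_INSTANCE="${TS_INSTANCE:-i-0placeholdertruestack}"

# Usage: DRY_RUN=1 ./truestack-aws.sh apply   (preview the commands)
#        ./truestack-aws.sh apply             (execute with your AWS credentials)
if [ "${1:-}" = apply ]; then
  open_frontend_ports "$FRONT_SG"
  link_tiers "$FRONT_SG" "$BACK_SG"
  route_vpn_subnet_via_truestack "$RTB" "$TS_INSTANCE"
fi
```

For firewall scenario 2 (one TrueStack server, several customers' domain controllers) call link_tiers once per customer security group and nothing else; the customer groups then have no rules referencing each other, so one customer's servers cannot reach another's. For scenario 3 (VPN only) open_frontend_ports is all that is needed. After applying, verify the return route the way the Network Configuration section describes: ping a connected computer's 5.6.x.x address from a Windows server.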

Using the TrueStack server to manage Windows Active Directory computers

The TrueStack server is an excellent tool for MSPs and IT departments who manage computers with Windows Active Directory servers. The TrueStack VPN connects to the AD server and allows the computers to be mobile and managed from any location. The TrueStack server can also be used to migrate your on-premises Windows domain to an updated Windows domain controller in the cloud. TrueStack's support covers the TrueStack server only; we don't offer technical support for local or cloud network configurations or for Windows server configurations. Contact TrueStack support by email at [email protected]

Network Configuration

  • Set up the TrueStack server as a front-facing web server.
  • Put the TrueStack server on the same subnet as your Windows servers.
  • You can use NAT or firewalls to isolate the front-end TrueStack server from the back-end AD servers. How depends on your network hardware or VM hosting platform.
  • The TrueStack server needs TCP 80, TCP 443 and UDP 7473 open to the internet. The back-end AD servers need to be able to reach the TrueStack server, and nothing on the internet needs to reach them directly.
  • On the TrueStack server's network you need a route for 5.6.0.0/16 via the TrueStack server. This gives your AD servers access to the connected computers. Verify it by pinging a connected computer from the Windows server on its 5.6.0.0/16 IP, which is shown next to the computer's name in the TrueStack server interface. Ping requires that the local Windows firewall on the computer allows ICMP echo requests.

Windows domain Scenarios:

Connect computers to a new Windows Active Directory domain controller, in the cloud or on-prem.

  • Install a Windows server either as a cloud VM or on-prem.
  • Install Active Directory on the Windows server and promote it to a domain controller. Here’s a good how-to from Infrosos.
  • Set up and install the TrueStack server on the same network. See Network Configuration above and see specific instructions for cloud, such as AWS, Azure, Google etc or manual installations.
  • Configure firewall rules to isolate the TrueStack server as a front-end web server.
  • Add the computers in the TrueStack interface. Give the computers access to the Windows server.
  • Install the TrueStack agent on the computers.
  • Add the computers to the Windows domain. Here’s a good how-to from Wikihow.
  • We recommend creating a naming system that will help you identify the physical computers.

Extend the domain with a second domain controller.

  • Follow the steps in the first scenario above to install a Windows server and the TrueStack server.
  • In the TrueStack interface create a computer and a cloud server. The cloud server is the second Windows server, the one you just installed. The computer is the existing primary domain controller, the one that will replicate the domain to the new Windows server.
  • In the TrueStack interface give the computer (primary DC) access to the cloud server (new server).
  • Install the TrueStack agent on the primary domain controller.
  • On the new Windows server, set the preferred DNS server to the TrueStack IP of the primary DC before adding it to the domain. After it has been promoted to a domain controller, change the preferred DNS back to its own private IP or 127.0.0.1.
  • Add the new Windows server to the domain and then promote it as a domain controller.
  • Here’s a good how-to from V2cloud.

Migrate your domain from an on-premises Windows server to a cloud Windows server. MSPs often find closet Windows domain controllers managing computers on a local network, or across multiple networks using site-to-site VPNs. The TrueStack server is an excellent tool for consolidating on-premises Windows servers into one Windows server VM in the cloud that manages all of the computers wherever they are.

  • Follow the steps in the first 2 scenarios to set up a Windows domain controller and extend the domain to the new Windows DC.
  • Ensure the new Windows DC has replicated to the domain.
  • Migrate all of the FSMO roles to the new Windows domain controller. Here’s a good how-to from Microsoft.
  • Install the TrueStack agent on all of the computers and give them permissions to access the new domain controller.
  • Change DHCP on the LAN networks so the local adapter gets its DNS directly from the internet instead of from the on-premises domain controller. For example, change the DNS servers handed out to the local computers to Google's 8.8.8.8 and 8.8.4.4 or to your ISP's DNS servers instead of the local Windows DC's IP(s).
  • Ensure that the computer can communicate and authenticate with the new primary domain controller.
  • Demote the on-premise domain controllers.
  • Remove them completely from the domain and rename them.
  • If the computers have been accessing company shares on a file server you can rename the new Windows domain controller to the same name as the old file server name so that the shares will continue to open using the same DNS name.

Troubleshooting domain migration issues:

Most replication and migration issues are related to DNS. Generally, if you can ping servers by name from both sides of the tunnel, replication, adding additional DCs and migration will work. TrueStack installs a second network adapter, which gives the Windows server two IPs. In the DC's DNS settings, point the preferred DNS server at the TrueStack adapter's IP rather than the local adapter's, so DNS and replication traffic between the DCs goes through the tunnel.

  • Be sure zone transfers are turned on for the domain zone on both servers, and restrict them to the servers listed on the zone's Name Servers tab rather than allowing transfers to any server.

You can use the "repadmin" command or Active Directory Sites and Services to see whether replication is working correctly. Here's a how-to from Microsoft.

Deploy the TrueStack Agent with Group Policy.

In order to deploy the TrueStack agent with group policy the computers will need to have direct access to the Windows Active Directory server, meaning they either need to be on the same network as the Windows AD server or be able to access the server through another VPN tunnel.

  1. Add the TrueStack setting to Group Policy. To add the tsagent options to Group policy, download the tsagent.adm, tsagent.admx and en-US/tsagent.adml files from here. This will download a .zip folder.
  2. Extract the folder and upload it to your Windows Active Directory server.
  3. Open your SYSVOL policies folder, usually found at \\servername\SYSVOL\domainname\Policies\
  4. Move the entire PolicyDefinitions folder here (this is the central store). This copies tsagent.adm, tsagent.admx and en-US\tsagent.adml into place.
  5. Now open the Group Policy management console and create a new GPO or open a GPO that you already have in place for the computers (not users).
  6. In the GPO when you expand Computer Configuration/Policies/Administrative Templates, you will see TrueStack/TrueStack agent
  7. Link the GPO to the OU where the computers are located. You are remotely installing the TrueStack agent on the computers, not for users, so the link must target the computer objects.
  8. There are a variety of settings you can configure, but to deploy the agent only two need to be set.
  9. Server URL: Enable the setting and put in the domain name of your TrueStack server, for example https://mydomain.truestack.net.
  10. Site Token: Enable the setting. Generate a Site Token from the Admin / Agent page of the TrueStack server console. Set the length of time before the token will expire. Paste the Site Token into the field in the Site Token settings in the GPO.
  11. Create a network share. Add Domain Computers to the share permissions with Read access; the computers only need to read the installer.
  12. On the Security tab of the folder, give Domain Computers Read & Execute as well. Do not grant Full Control: any domain computer could then replace the MSI that every other computer installs as SYSTEM.
  13. Copy the TrueStack Agent .msi to this folder. You can download the TrueStack Agent from the console.
  14. Import a list of computers from Active Directory into the TrueStack console.
  15. In the Active Directory OU where your computers are, right-click the OU and choose Export List. This exports a list of the computer names.
  16. Use the TrueStack Import template to create a CSV file with the computer names and settings. Use the Import button to import the CSV file into the TrueStack console; see Bulk Import.
  17. Create a software package. In the GPO you created, under Computer Configuration / Software Settings / Software Installation, create a new package. Locate the tsagent .msi in the shared folder you created. Make sure you add it from a network path, for example \\servername\sharedfolder\tsagent-1.0.3-amd64.msi
  18. Choose the deployment method "Assigned".
  19. Run gpupdate /force on a target computer, or wait for the next policy refresh. (Running it on the server only refreshes the server's own policy.)
  20. Once the computers have received the updated policy, they install the TrueStack Agent on their next restart.

Migrate from TrueStack Direct Connect to the TrueStack server 2.0

If you are upgrading from TrueStack Direct Connect 1.0 to the TrueStack server 2.0, you can use Group Policy to deploy the new TrueStack agent to the computers. This creates a VPN to the new TrueStack server, which takes precedence over the VPN from TrueStack Direct Connect 1.0. Then delete the computer in TrueStack Direct Connect 1.0 to terminate the old VPN. To uninstall the TrueStack Direct Connect software you will need to remove it manually on the computer, though this may not be necessary since its VPN has been terminated.

  • Install the TrueStack server 2.0 alongside your Windows server(s) and alongside the TrueStack Direct Connect server.
  • Be sure to set up networking with the route to 5.6.0.0/16. You will then have two routes: the other one is 5.5.0.0/20 for the TrueStack Direct Connect server.
  • Open TCP 80, TCP 443 and UDP 7473 to the front-end TrueStack server. See #network and follow the directions for your platform, or for a manual install see #installations.
  • Follow the directions for deploying the TrueStack agent with Group Policy.
  • As the computers come online with the updated TrueStack agent in the TrueStack server 2.0, delete them from TrueStack Direct Connect.
  • In the Group policy Computer Configuration/Policies/Software Settings, ensure that “Uninstall this application when it falls out of the scope of management” is unchecked on the properties of the TrueStack Agent deployment.
  • After all the computers migrate to the TrueStack server 2.0, terminate the TrueStack Direct Connect server and remove the Group policy.