My Foray Back Into Linux...

So I decided to make use of one of the mini-pcs I had gotten for the homelab to build a little web browsing box. My first iteration of the web browsing box was a Windows 11 machine, which is the same machine that got me banned from reddit for VPN use (oops), but I've finally decided it was time to graduate from Windows and move to the more private OSes.

The goal was straightforward enough. I wanted something separate from my main machine that I could use for general web browsing. Something isolated, so if I picked up some nasty malware or clicked a bad link, my actual workstation would be fine. Something that wasn't Windows. And I wanted to remote into it from my Mac Studio so I didn't need yet another monitor on my desk.

The last time I seriously touched Linux was probably 15 years ago. Back then, getting a Linux box to just work was an adventure that usually ended poorly. There's a reason there were so many memes about the ridiculous complexity of doing simple things in Linux. And it especially didn't help that I wanted to dual boot with Windows... I swear, it seems like Windows kills the Linux bootloader by design sometimes.

So walking into this, I was mentally preparing for that same experience. I figured I'd brick the machine at least three times before I got anything usable.

I ended up using a Kamrui mini PC. AMD Ryzen 7 5700U, 32GB of RAM, 1TB of storage. Small enough to tuck away somewhere, powerful enough to handle a browser without breaking a sweat. And I went with Linux Mint with Cinnamon because multiple folks told me it was the easiest transition from Windows.

Altogether, the process was WAY easier now in the age of LLMs. What used to be an arduous process of digging through tutorials and forum posts was actually a pretty painless task of just having GLM 5 and Claude talk me through various issues as they came up.

The installation was painless. LUKS disk encryption is now just a checkbox in the installer. No hunting down proprietary drivers, either. I had to use Ethernet because the WiFi card in this thing has no mainline Linux driver support, but that's fine.

Where things got interesting was the hardening. Because I'm me, I couldn't just install the OS and call it a day. I wanted this thing locked down. UFW firewall, OpenSnitch for outbound traffic monitoring, NordVPN with a kill switch, Firefox hardened, AppArmor running, unnecessary services stripped out, etc.

In the past, I would have absolutely bricked this machine multiple times. The robits helped with all of that. When xrdp kept failing with a sesman connection error, when NordVPN's kill switch locked me out of the machine entirely, when xrdp kept killing the WebGL process in Firefox causing it to crash over and over... the bots had an answer for everything.

In the end, I still did a full refresh, just because I had gone to town on some of the config files in this thing trying to get it the way I wanted, and I couldn't tell if I'd made a mess or not. But another nice thing with the bots was that as I did stuff, I was telling them, so in the end I got them to spit out all the highlights and write up a doc that I could use to replicate the whole process.

A few things I learned along the way:

  • NordLynx doesn't work with OpenSnitch, at least as of this writing. Both manipulate iptables at the kernel level, and they fight each other. I had to switch to OpenVPN, which runs in userspace and plays nice with the firewall, though it's slower.
  • The xrdp 0.9.24 version in the Mint repos has an IPv6 binding issue that causes intermittent connection failures. The fix is to check the sesman binding after every reboot and restart the services if it's wrong.
  • Firefox's built-in fingerprinting protection sounds great to have, but when I enabled it, Firefox would hang on JavaScript-heavy sites. I eventually dropped it, especially since uBlock Origin blocks tracking scripts anyway.
  • Right Ctrl gets stuck when you switch virtual desktops on macOS while the MintOS RDP window is in focus. Linux sees the key press but not the release. I had to disable Right Ctrl entirely within Linux via xmodmap to fix it. Took me way too long to figure out what was happening there. But if you think about it... when do you ever use right ctrl? I didn't until I started using Mac more, and that's just for virtual desktop swapping.
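To make the xrdp bullet above concrete, here is a small post-boot check written for this post as an added example; it is not the script I used, and it is not part of xrdp. It assumes sesman's stock listen address of 127.0.0.1:3350 (that is what sesman.ini ships with) and the systemd unit names xrdp-sesman and xrdp as packaged on Mint. It reads the `ss -ltn` socket listing, treats "sesman is bound on 127.0.0.1:3350" as the healthy state, and restarts the two services in dependency order if that socket is missing (for example if only an IPv6 socket came up). The decision function reads its input from stdin, so it can be exercised against a captured listing without root or a running xrdp.

```shell
#!/bin/sh
# Added example, not from the original post: verify after boot that
# xrdp-sesman is listening where xrdp expects it, and restart if not.
# Assumptions: sesman's default ListenAddress/port of 127.0.0.1:3350 and
# the Debian/Ubuntu/Mint unit names xrdp-sesman and xrdp.

SESMAN_ADDR="${SESMAN_ADDR:-127.0.0.1:3350}"

# Decide from an `ss -ltn` listing (on stdin) whether a LISTEN socket exists
# on the expected IPv4 loopback address. Returns 0 when healthy, 1 otherwise.
# `ss -ltn` prints a header row, then one row per socket:
#   State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  [Process]
# so the local address is awk's fourth field on every row after the first.
sesman_bound_ok() {
    awk -v want="$SESMAN_ADDR" '
        NR > 1 && $1 == "LISTEN" && $4 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Restart sesman first, then xrdp, so xrdp reconnects to a healthy
# sesman socket rather than the stale one.
restart_xrdp() {
    systemctl restart xrdp-sesman && systemctl restart xrdp
}

# Run the check against the live socket table and repair if needed.
# Intended to be called from a systemd unit or cron @reboot entry,
# a few seconds after boot so the services have had time to start.
main() {
    if ss -ltn | sesman_bound_ok; then
        echo "sesman bound on $SESMAN_ADDR, nothing to do"
    else
        echo "sesman not bound on $SESMAN_ADDR, restarting xrdp-sesman and xrdp"
        restart_xrdp
    fi
}

# Only touch the system when explicitly asked, so the functions above can
# be sourced and tested without side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sudo sh check-sesman.sh --run` from a cron @reboot line or a oneshot systemd unit with a short delay; without `--run` it only defines the functions. If you have changed `ListenAddress` or the port in sesman.ini, set `SESMAN_ADDR` to match before running.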

The final result is a machine that boots up, connects to VPN automatically, and sits there waiting for me to RDP in from my Mac. All traffic goes through NordVPN. DNS queries go through NordVPN's DNS servers. WebRTC is disabled in Firefox. Third-party outbound connections are blocked unless explicitly allowed. The firewall only accepts inbound SSH and RDP connections from my local subnet.

At this point, I've relegated Windows to gaming only, which I really don't do a lot of these days, but it's nice to have around anyhow. I had been putting off the Windows 11 upgrade (there's an extension of Win 10 security updates available until Oct 2026, so I had done that). Now that I've got everything personal off my Windows box, I'll get it updated to Win 11.

Most of the house is now Mac and Linux. Huzzah. I used to love Windows, but they've just been too weird lately about OneDrive. I still really like Outlook and O365; I use both a lot. But my personal machine doesn't need to be so closely tied to the cloud, and if the core Windows experience is going to be a cloud-centric OS, then it's really just not for me anymore.