Tools for the Smart Start-Up in 2018 (I)

If you start a project on a small budget today in 2018, there is no need to do without state-of-the-art IT infrastructure for your team. Let me give you some ideas. [Edited Jun 28, 2019]

We are not a start-up, so we don’t have the luxury of experimenting endlessly. How do you work within the constraints of our limited budget?

Question from an interview at the Swiss Financial Market Supervisory Authority FINMA

This was a question I was asked in an interview when I applied for a new job after my start-up experience.

Of course, we all read and hear about the astronomical valuations of the start-ups i.e. in Silicon Valley and the amounts of money they can pour into their R&D and innovation labs. This, however, distorts our perception of reality: The fact is that the vast majority of business ventures start with very few resources at their disposal.

So my response was: “Sure, we had a lot of freedom to experiment. But like for most start-ups in their initial phase, our budget was extremely tight, too, and we had to be extra smart about how we spent every single Swiss franc. I will employ the same approach in this role as well!”

Now, four years later, I observe that being smart in the above sense has become so much easier with the range of high quality, low-cost software available today. It now is possible with little to no extra money to do things that previously were achievable only in a very complex and very cost-intensive manner.

So how do you get the most bang for the buck? Let me highlight a few services and applications (and how to combine them) that are less known but deliver outstanding value—especially for start-ups on a small budget. This article is the first in a series of two and is written from an IT infrastructure perspective. The second article focuses on the application level.

For this series of articles, let’s assume a start-up with a team of eight people.

Hardware ¶

To start, your team probably needs some hardware to communicate and collaborate. Outfitting everybody with devices can quickly exceed your budget, though. Imagine paying upfront a total of $4,000 for eight mid-range laptops, before your team even worked a single minute on the project…

So, here are a few ideas on how to address this challenge:

BYOD: Bring Your Own Device ¶

This is probably a no-brainer, but still: Just have your team use their privately owned devices to work on your project. These are already set up and operational, so you and your teammates can hit the ground running. This concept of <abbr=“Bring Your Own Device”>BYOD will carry you a long way.

At some point though, your team probably will run into more and more issues due to the different setups of their hardware and operating systems: Apple users might have problems to work on files that are used by users with Microsoft devices–while the Windows people might not be able to execute applications that run just fine on macOS systems. The friction caused by BYOD starts to show.

One way to deal with this is to install a hypervisor on each device and run a virtual machine on top of it. This gives you the ability to align the virtual working environment of all team members and eliminate interoperability issues. For example: With VirtualBox as hypervisor and a Linux distribution like Ubuntu as the desktop operating system for the virtual machines, you can set up a cost-free and homogeneous virtual workplace for your entire team. (In cases where Linux is no option and you need a Microsoft operating system: There are ways to buy genuine but cheap software as described below. Virtualizing Apple operating systems, unfortunately, is no practical option due to legal and technical impediments.)

Then there are cases where installing a hypervisor like VirtualBox on your team’s hardware is impossible or impractical. However, there exist solutions for such a scenario, they are categorized as VDI: virtual desktops in the cloud.

Hardware as a Service ¶

There are only a few cloud providers of virtual desktops (compared to the number of cloud providers who offer virtual servers), and most of them target rather large enterprises than start-ups.

However, there is one provider that I can recommend:

VDI Provider Paperspace ¶

If paid by the hour, the pricing of a reasonably sized Paperspace virtual desktop today is roughly somewhere between $16 and $22 per month based on a 40-hours-week. Given the Windows 10 license already included, this appears to be a fair offer in my opinion.

The fact that Paperspace desktops can simply be used via browser without any additional software to install, makes this option especially valuable if you don’t want to or can’t touch your team members’ devices.

I have used Paperspace productively myself a few months ago and generally can recommend their service. The only issue I encountered was a weird keyboard mapping concerning the German Umlauts (äöü).

But what if $16 per month per team member is already too high of a price? Imagine a team of 8 people; they would have to pay roughly $128/month to use Paperspace—or more if they burn the midnight oil and exceed the 40 hours per week in that calculation. What if team members forget to turn off their virtual desktops after work? We certainly can be even smarter and bring this cost down further. What about instead running our own VDI on a server that we rent?

Dedicated Server Providers Online.net, Hetzner, and Servdiscount ¶

Several providers in Europe offer server hardware as a service at very low prices: the French provider Online.net (with data centers in France and the Netherlands) as well as the German providers Hetzner (with data centers in Germany and Finland) and Servdiscount (with a data center in Germany). The low-end divisions Kimsufi and So you Start of OVH are hands down no match for Online.net, Hetzner, and Servdiscount.

Overall, Hetzner currently has better deals in my opinion. The new vSwitch feature, available for all their servers with no additional cost, allows to securely interconnect servers within Hetzner’s data centers. This adds a lot of value if you need more than one server (for clustering for example).

One feature that I especially like at Online.net is the availability of a KVM console within seconds. Such a console allows accessing the server’s screen even during boot time or after accidentally having locked out oneself (by i.e. messing with the servers connectivity settings). In the case of Hetzner, users first have to raise a support ticket, never knowing upfront how long it might take to get the requested KVM console. (The Hetzner support usually acts fast, but gets squarely beaten by the automated process at Online.net.)

On the other hand, Hetzner rarely seems to run out of stock while Online.net appears to constantly being sold out. It might take months for Online.net to restock their portfolio.

I have intensively used Online.net and Hetzner services in professional projects and for my private lab and can recommend them both. On the rare occasions that I had issues, both support teams act fast and in a very friendly manner.

Back to the example of our team of eight persons: A reasonably sized mid-range server from Hetzner costs around $60 per month. It comes with hardware resources that would easily accommodate virtual desktops for eight people—or more!

Compared to the $128 per month for eight Paperspace virtual desktops that run only about 8 hours per day (compared to the 24 hours that the Hetzner server is available), this looks like a steal.

Software ¶

Hang on! A server from Hetzner does not include any licenses for virtual desktops like Windows 10. How is this supposed to help?

Great question, but there is a smart solution for that.

Microsoft Software Licensing ¶

On a Subreddit called Microsoft Softwareswap, people sell Microsoft software licenses that they own for low prices. At first glance, this marketplace seems a bit phony—but from what I can tell and have researched, these are legitimate, genuine Microsoft software licenses. The handful that I bought there in the past all activated the software perfectly fine without any problem whatsoever.

One license is particularly interesting: the Windows Server Datacenter edition. The current version 2016, for example, sells as low as $40 on Reddit. Compared to the price that Microsoft asks, it’s unbelievably cheap: Microsoft sells the Datacenter 2016 license for currently $6,155. Read that again. Yes, you pay only 0.65% of the list price if you buy such a license via the Subreddit mentioned above instead of buying it directly from Microsoft.

Ever wanted to save 99.35% on something? Here you go: A genuine Windows Server Datacenter edition license for $40 instead of $6,155.

This Datacenter edition is so interesting due to one feature: Any Windows server that runs as a Hyper-V virtual machine inside of such a Windows Server Datacenter can be activated at no additional cost. Read that again, too. You only pay a one-time investment as low as $40 to obtain a single Windows Server license which then enables you to run as many Windows Server instances on top of it as you possibly can.

To come back to our hypothetical team of eight people: Rent a hardware server from Hetzner for $60 per month; then install Windows Server Datacenter on that hardware server and activate it with the $40 license from Reddit. Then create as many Windows Servers as virtual Hyper-V machines on your hardware server and activate them with the official AVMA keys from Microsoft.

With this setup, you can offer every team member a dedicated virtual client in a homogeneous environment. The financial impact of your team growing from eight to i.e. ten is zero: Just create new virtual machines. Your hardware can handle it and you already have the software licenses built-in. Your team connects via RDP and can work on their virtual Windows desktops in the cloud. All of this for the fraction of the price that VDI providers like Paperspace ask. And of course, if your start-up implodes already after two months, you have only invested like $250 (considering the one-off fee to provision the server) instead of $4000 that you would have spent to buy every team member a mid-sized Windows laptop right from the start. That’s smart.

One feature, however, is still missing: the ability to connect to the virtual desktops via browser. Maybe not all devices in your team of eight people have an RDP client installed—but certainly, all already have a browser ready to be used. This kind of “zero-touch BYOD” is preferable, especially in the beginnings of your start-up. (Because as soon as you “touch” and modify your teammates’ devices, you assume some sort of responsibility for them.)

Fortunately, there exists an excellent open-source software that enables this feature: Guacamole. And as an avid lover of Mexico and Mexican food, I love this software and its name even more!

Web Gateway Apache Guacamole ¶

The developers call Guacamole a “clientless remote desktop gateway”. This means that you can access the gateway simply via a web browser, without any specific client. This gateway then connects to the desktops and lets users interact with them through their browsers.

The installation of Guacamole is a bit of a head-scratcher, though. Following the official installation guide involves many manual steps. Fortunately, some smart people found ways to simplify the process with the help of Docker. So, all you need is a Linux virtual machine somewhere (i.e. on the server from Hetzner that runs all your virtual desktops), install Docker and Docker Compose and then run the following three commands:

git clone git@github.com:BrowncoatShadow/compose-guacamole.git
cd docker-compose-guacamole
sudo docker-compose up -d

Now point your browser to your Docker host that runs the Guacamole container, log in and add the users and virtual desktops. That’s it. You now have your browser-accessible virtual desktop infrastructure up and running at extremely low cost.

If you are interested in encrypting the traffic between your users and this gateway, however—and you should—, you might want to secure the gateway behind an SSL-capable proxy. Like I composed Guacamole with Træfik in my Wapps repository.

Talking about security: We still need to address a few concerns. Read on!

Firewall OPNsense ¶

Having lots of (physical or virtual) Windows servers and desktops running somewhere in the cloud without any particular security measures in place is a very bad idea. Fortunately, there are a few excellent open source solutions available to implement a firewall and secure the small network of Windows desktops in the cloud. Simply create another virtual machine on your Windows Server Datacenter host and install the firewall on that virtual machine, then connect all other virtual machines to that firewall VM instead of the open Internet.

My favorite for quite some time was the Sophos XG UTM firewall that is available as Free Home Use XG Firewall at zero cost.

However, I recently gave the open-source firewall OPNsense a try—and never looked back. It has the same feature set as the Sophos XG but with a much, much smaller footprint in terms of hardware resources (especially RAM, hovering over extremely economical 160MB in my current cloud lab setup). It also installs much faster.

Additionally, OPNsense even has one crucial feature that most other firewalls lack: support for ZeroTier. Which brings me to my next point.

Software as a Service ¶

I love SaaS providers who offer a free entry-level to their service, letting users come to appreciate the service so much that at some point they upgrade to a paid service level. Let me introduce two such services that can help a smart start-up better manage their IT devices.

Virtual Private Network ZeroTier ¶

The first service I’d like to mention is called ZeroTier. It works like a VPN in the sense that it allows to interconnect devices in a private network wherever they are: at home, in the data center, somewhere in the cloud or roaming abroad. All at once, all encrypted.

What separates ZeroTier from traditional VPN technology like OpenVPN is that it does not require any user intervention. Users don’t have to dial in—their devices simply interconnect as soon as they get Internet connectivity. It works a bit like Microsoft DirectAccess with the difference that ZeroTier is also available for Apple (macOS and iOS), Linux, Android, Microsoft, and even some NAS devices. With ZeroTier you can offer your team to directly but securely connect to their virtual desktops via RDP.

Combined with the ZeroTier capable OPNsense firewall mentioned above, it is possible to significantly reduce the attack surface of your virtual desktops in the cloud while still conserving ease of access and keeping the complexity of the setup at a low level. I strongly recommend this service over other VPNs.

The free ZeroTier service is limited to 100 devices. For our team of eight persons, this should be more than sufficient. Speaking about persons: Let’s also manage your team’s user accounts.

User Directory JumpCloud ¶

We all know the pain of having to manage a myriad of our logins and user accounts. One way to deal with this problem is by relying on a password manager—as I also recommend doing in the second article of this series.

The second approach is called SSO. It involves a central store for your team’s credentials where each user is represented with a single account. Applications and services then connect to this central user directory to authenticate users whenever they try to log in. The advantage is that users only have to remember a single sign-on and that there is only one place that stores this sensitive information.

JumpCloud is such a service, offering a free entry-level plan for up to ten users. The neat thing about it is that you can use it to even manage the logins for large parts of the DIY mentioned above: native Windows and Linux logins, Apache Guacamole, and OPNsense logins. Simply define which user is allowed to access which device, and with what kind of privileges (root/administrator or normal user). This also means that your IT administrator can revoke access to any or all devices by a single click if need be. I can recommend the service as it improves both overall security and user comfort.

Conclusion ¶

I hope this overview gave you some insight into how to leverage services and software capabilities out there to set up a smart and powerful team infrastructure at a very low cost. If you have any further suggestions, please feel free to reach out and share your ideas.

The second article in this series focuses on the application level (compared to the emphasis on infrastructure in this blog post). It lists applications and services that deliver high quality at low prices in the area of design, web publishing, knowledge management, password management, and more. Stay tuned!