What is Paperclip AI agent?

Paperclip is an open-source agent orchestration tool that lets you create multiple AI agents working together like a company with a management structure. You assign each agent a specialization, give a high-level objective to a manager agent, and it delegates tasks to the appropriate specialist agents automatically.

Can you still install Windows 11 without a Microsoft account in 2025?

Yes. Even though Microsoft removed the old cxh:local workaround, you can still create a local account during Windows 11 setup using a command script. Press Shift+F10 during OOBE to open Command Prompt, then download and run the bypass script from bikrambhujel.com.np/bypass.

Does the cxh:local trick still work on Windows 11?

No. Microsoft patched the cxh:local method in recent Windows 11 builds. The current working method is to use a registry-based bypass script during the Out-of-Box Experience (OOBE) setup phase.

What is the bypassnro script for Windows 11?

The bypassnro script is a small batch file that tweaks a Windows registry key to skip the network and Microsoft account requirement during Windows 11 OOBE setup. The source code is available at github.com/BikramBhujel/bypassnro and can be downloaded directly during setup using the curl command.

How do I open Command Prompt during Windows 11 setup?

During the Windows 11 Out-of-Box Experience (OOBE), press Shift+F10 on your keyboard. This opens a Command Prompt window directly within the setup environment without needing to complete installation first.

Is it safe to install Windows 11 with a local account?

Yes. A local account is a traditional Windows account stored on your device only, with no connection to Microsoft servers. It gives you full control over your machine without requiring an internet connection or Microsoft login. The bypass method only modifies a temporary registry key during setup.

Bikram Bhujel

Troubleshooting SSO Authentication Failures: HTTP 404 on STS Endpoint

2026-05-08T02:00:00.010+05:45

Troubleshooting SSO Authentication Failures: HTTP 404 on STS Endpoint

By Bikram Bhujel | April 2026 | 6 min read | Category: Networking, Windows, Home Server

Users on corporate networks sometimes hit a wall during single sign-on login, seeing a "We can't connect you" error backed by an HTTP 404 on the Security Token Service endpoint. The application is running. The credentials are correct. The issue is the network underneath. This guide explains why it happens, how to confirm the diagnosis, and the exact steps to resolve it.

THE PROBLEM

What Is Actually Happening

Single sign-on authentication relies on a Security Token Service (STS) to issue and validate identity tokens. When a user clicks sign-in, the application redirects their request to the STS endpoint, for example sts.example.com. That service validates the credentials and returns a token the application trusts.

An HTTP 404 on that request means the client machine successfully reached a server but received a "resource not found" response. That is different from a connection timeout or a refused connection. A 404 specifically means the address resolved to something, but what it found at that address was not the STS service the application expected.

In plain terms: the machine is being directed to the wrong place. It thinks it knows where the authentication server lives, but the address it has on file is stale, incorrect, or being intercepted by something in the network path.

Common misconception: Users and helpdesk staff often assume a 404 during login means the authentication server is down. In most cases the server is running fine. The problem is that the client machine cannot find the correct IP address for it because of a DNS issue on the local network segment.

ROOT CAUSE

Root Causes: Three DNS Scenarios

1. Stale DNS Records

DNS servers cache records to reduce lookup time. When an STS endpoint moves to a new IP address, or when the authentication infrastructure is updated, local DNS servers sometimes hold onto the old address longer than they should. The Time to Live (TTL) value on the record controls how long a cache entry stays valid, but network equipment does not always honor these values correctly, particularly on older hardware or manually managed DNS configurations.

A client machine asking its local DNS server for the IP address of sts.example.com may receive an outdated address that no longer hosts the authentication service. The request reaches a server that exists, which is why you get a 404 rather than a timeout, but it is not the right server.

2. Firewall or Traffic Filtering Rules

Corporate networks often run deep packet inspection, URL filtering, or proxy rules that intercept requests to certain endpoints. If a security appliance or proxy configuration has an outdated rule for the authentication service URL, it may redirect authentication traffic to an internal page rather than allowing it to pass through to the STS. That internal redirect page returns a 404 because it has no content to serve for that request path.

This scenario is more common after infrastructure changes such as migrating the STS to a new platform or updating authentication URLs, where the firewall rules are not updated in sync with the endpoint changes.

3. VLAN Specific DNS Configuration

Many enterprise networks segment users into different VLANs: standard user networks, guest networks, executive networks, IT networks, and so on. Each VLAN may be configured to use a different DNS server, and those DNS servers do not always have identical records. A user on the standard corporate VLAN may be assigned a DNS server that has a stale or misconfigured record for the STS endpoint, while the same lookup from a guest VLAN resolves correctly because it uses a different DNS server that has the current record.

This VLAN discrepancy is the most common pattern in enterprise SSO failures of this type. The issue is not the user's machine. It is the DNS infrastructure on their specific network segment.

DIAGNOSIS

Confirming the Diagnosis

Before spending time on fixes, confirm that DNS is actually the problem. Open Command Prompt and run a DNS lookup against the STS hostname:

nslookup sts.example.com

Note the IP address returned. Then run the same command specifying a public DNS resolver:

nslookup sts.example.com 8.8.8.8

If the two IP addresses differ, the local DNS server is returning a different record than the authoritative global DNS. That confirms a stale or misconfigured local DNS entry is the root cause. If the addresses match but the 404 persists, the issue is more likely a firewall or proxy rule intercepting the traffic.

Quick check using ping: Run ping sts.example.com and note the IP address it resolves to. If that address is different from what you see when the same hostname is accessed from a machine outside the corporate network, the local DNS is the culprit.

STEP 1

Step 1: The Network Swap Test

Action

Disconnect from the primary corporate network and connect to either a guest Wi-Fi network or a mobile hotspot from a phone. Then attempt the SSO login again.

This test immediately tells you whether the problem is the machine or the network. A guest network and a mobile hotspot both use DNS servers outside the corporate infrastructure. If login succeeds on either of these networks but fails on the corporate LAN, the diagnosis is confirmed: the corporate network's DNS is the issue, not the user's device, not the credentials, and not the authentication service itself.

This also doubles as a temporary workaround that lets affected users stay productive. They can connect to guest Wi-Fi to complete authentication, then return to the corporate network for other tasks. It is not a permanent fix but it keeps work moving while IT investigates the underlying DNS problem.

Security note for IT teams: Allowing users to authenticate through guest networks is a reasonable short term workaround, but it bypasses the network controls on the primary corporate LAN. Document this workaround, monitor for it, and treat it as temporary rather than a long term solution.

STEP 2

Step 2: Clear the DNS Cache

Action

Open Command Prompt as administrator and run the following command:

ipconfig /flushdns

This clears all cached DNS records from the local machine. The next time the machine needs to resolve any hostname, including the STS endpoint, it will send a fresh query to the DNS server rather than using a locally cached address.

On its own, flushing the DNS cache only helps if the problem is a stale record stored on the user's machine rather than on the network's DNS server. If the corporate DNS server itself holds a bad record, flushing the local cache will just result in the machine fetching the same bad address again from the network DNS. However, it is a quick and harmless step that eliminates one variable before moving to network-level investigation.

After running the flush, attempt the SSO login again while still on the corporate network. If it now succeeds, the stale record was cached locally. If it still fails, the DNS server on the network is the source of the problem and the fix needs to happen there.

STEP 3

Step 3: Reset the Application Identity

Action

Sign out of the application completely. Clear the cache of the system's default web browser. Then attempt sign-in again while connected to the alternate network (guest Wi-Fi or hotspot) confirmed to work in Step 1.

Applications that use browser-based authentication flows store session tokens and authentication state in the browser cache. If a failed authentication attempt created a corrupted or partial token, subsequent sign-in attempts on the same session may inherit that broken state even after the DNS issue is resolved.

Clearing the browser cache forces the application to start the authentication flow from scratch. Combined with being on a network where DNS resolves correctly, this ensures a clean token exchange with the STS.

In most browsers, cache clearing is found under Settings or Preferences, in the Privacy or History section. The specific option to clear is "Cached images and files" or "Browsing data." Cookies can be cleared as well if sign-out alone did not fully remove the application session.

Shortcut: In most browsers, pressing Ctrl and Shift and Delete together opens the clear browsing data dialog directly. Select "All time" as the time range to ensure nothing is left behind from previous sessions.

FOR IT ADMINISTRATORS

What IT Teams Need to Do

The user-side steps above are workarounds. The permanent fix requires correcting the DNS records on the corporate network infrastructure. Once the network swap test has confirmed DNS as the root cause, the following actions should be taken on the network side.

Flush DNS Cache on the Internal DNS Server

On Windows Server DNS, open DNS Manager, right click the server name, and select "Clear Cache." On Linux-based DNS servers running BIND, restart the named service or run rndc flush. This forces the DNS server to pull fresh records from upstream authoritative servers rather than serving stale cached data.

Verify the STS Hostname Resolution

From the DNS server itself, run an nslookup or dig query against the STS hostname and confirm the IP address matches what the STS is actually hosted at. If it does not match, either the DNS zone record needs updating or the upstream provider has changed their IP and the change has not yet propagated to the internal DNS server.

Check Firewall and Proxy Rules

If DNS records look correct but the 404 persists on the corporate network, review firewall policies and proxy configurations for rules that match the STS URL or IP range. Look for redirect rules, SSL inspection policies, or content filtering rules that might be intercepting authentication traffic. Temporarily bypassing the proxy for the STS hostname is a useful diagnostic step.

Review VLAN-Specific DNS Configuration

If only users on specific VLANs are affected, compare the DNS server assignments across those VLANs. The affected VLAN's DNS server may not be syncing correctly with the primary internal DNS, or it may have a manually configured record that was not updated when the STS was last modified.

Quick Reference Table

Symptom	Likely Cause	Fix	Who Resolves It
404 on corporate LAN, works on guest Wi-Fi	Stale DNS on corporate network	Flush DNS server cache, update STS record	IT administrator
404 on corporate LAN, works on hotspot	Same as above or firewall rule	DNS flush plus proxy/firewall review	IT administrator
404 after recent STS migration	Firewall or proxy rule pointing to old IP	Update firewall rules to new STS IP	Network/security team
Only specific VLAN users affected	VLAN-specific DNS misconfiguration	Sync DNS records across VLANs	Network team
Immediate fix needed for user	Any of the above	Connect to guest Wi-Fi or mobile hotspot	End user (temporary)
404 persists after DNS flush	DNS server itself has bad record	ipconfig /flushdns then check server-side DNS	IT administrator

Frequently Asked Questions

What does HTTP 404 mean during SSO login?

An HTTP 404 during SSO authentication means the client machine successfully reached a server but that server returned a "not found" response for the requested resource. In the context of SSO, this typically means the machine resolved the Security Token Service hostname to the wrong IP address, either because of a stale DNS cache entry or a misconfigured DNS record on the local network. The STS itself is usually running normally. The client is just being directed to the wrong location.

Why does SSO work on guest Wi-Fi but not on the corporate network?

Guest Wi-Fi networks typically use a different DNS server than the corporate LAN, often a public resolver or the ISP's DNS. If the corporate network's internal DNS server has a stale or incorrect record for the SSO authentication endpoint, users on that network get directed to the wrong address. Users on the guest network bypass the corporate DNS entirely and get a fresh, correct resolution. This behavior is a reliable confirmation that DNS on the corporate network is the root cause.

How do I flush the DNS cache on Windows?

Open Command Prompt as administrator and run the command: ipconfig /flushdns. This clears all DNS records cached locally on the machine. After running it, the machine will query the network DNS server fresh for any hostname it needs to resolve. Note that this only clears the local machine's cache. If the DNS server on the network also holds a stale record, the machine will simply fetch the bad address again from the server. A persistent problem after flushing points to the server-side DNS as the source.

What is a Security Token Service (STS)?

A Security Token Service is a server that issues, validates, and renews security tokens used in authentication systems. When a user signs into an application that uses single sign-on, the application redirects the login request to the STS. The STS validates the identity, issues a token, and returns it to the application. The application trusts the token without needing to handle credential verification itself. Common STS implementations include Active Directory Federation Services (ADFS), Azure AD, and various third-party identity providers.

Can a firewall cause SSO 404 errors?

Yes. A firewall or proxy with SSL inspection or URL filtering rules can intercept authentication traffic and return a 404 if its rules are not updated to reflect the current STS endpoint. This is common after infrastructure migrations where the STS moves to a new URL or IP address but the firewall rules reference the old location. In this scenario, DNS may resolve correctly but the traffic is still being redirected to the wrong destination by a network security appliance. Reviewing proxy bypass rules and firewall policies for the STS hostname is the appropriate diagnostic step when DNS appears clean but the 404 persists.

How do I check if DNS is returning the wrong IP address for the STS?

Open Command Prompt and run nslookup followed by the STS hostname. Note the IP address returned. Then run the same command specifying a public DNS resolver such as 8.8.8.8 by adding it after the hostname. If the two commands return different IP addresses, the local or corporate DNS server is holding a different record than the authoritative global DNS. The address returned by the public resolver is the correct current address. The address returned by the local resolver is stale and needs to be corrected on the internal DNS server.

Is it safe to use guest Wi-Fi as a workaround for SSO authentication?

Using guest Wi-Fi to complete the initial authentication handshake is a reasonable short term workaround that keeps users productive while the underlying DNS issue is being resolved. The security trade-off is that the authentication happens outside the corporate network controls. IT teams should be informed when this workaround is in use and should treat it as temporary. Once the DNS records on the corporate network are corrected, authentication should work normally on the primary LAN and the workaround is no longer needed.

How to Install Windows 11 Without a Microsoft Account in 2026 (Working Methods)

2026-05-07T00:30:00.002+05:45

Windows 11 now aggressively forces Microsoft account sign-in during setup. But the offline path still exists. This guide shows two reliable methods that work on current 2026 builds: the classic OOBE command and a faster script-based bypass.

UPDATE

What Changed in 2026

Recent Windows 11 builds no longer rely only on internet detection. Setup now caches network state and enforces sign-in more aggressively.

Offline setup is hidden deeper
Internet disconnect alone is unreliable
Command or script intervention is now required

METHOD 1

OOBE Command Bypass

1Open Command Prompt

Shift + F10

2Run Command

OOBE\BYPASSNRO

System will restart and unlock offline setup.

3Disconnect Network

ipconfig /release

4Create Local Account

Select I don’t have internet and continue with limited setup.

METHOD 2

Script-Based Bypass (Recommended)

1Open Command Prompt

Shift + F10

2Download Script

curl -L bikrambhujel.com.np/bypass -o skip.cmd

3Run Script

skip.cmd

This method consistently unlocks local account setup across newer builds.

INSIGHT

Why Network Disconnection Alone Fails

In older builds, unplugging ethernet was enough. In 2026, Windows stores network state during setup. Even offline, it may still push Microsoft login.

This is why bypass methods are now necessary.

TROUBLESHOOTING

Common Issues

Issue	Fix
Command not working	Run at initial setup screen
Script fails	Use USB copy instead of curl
Still forced login	Use script method

FAQ

Does this still work in 2026?

Yes. Script method is more reliable on newer builds.

Is this safe?

Yes. Local accounts are still supported officially.

Can I add Microsoft account later?

Yes, anytime from Settings.

Final Take

Microsoft is closing the easy paths, but not removing them.

If you want reliability across devices, use the script. If you want quick manual control, use the command.

How to Install Windows 11 Over a Network Using an Ethernet Cable and Serva

2026-05-06T00:30:00.009+05:45

How to Install Windows 11 Over a Network Using an Ethernet Cable and Serva

By Bikram Bhujel | April 2026 | 8 min read | Category: Windows, Networking, Home Server

No USB drive, no DVD. If you have two computers connected to the same network, you can install Windows 11 on a bare metal machine entirely over ethernet. This guide walks through the full process using Serva as a free TFTP and DHCP server, from configuring the server side on a laptop to booting and installing on the target machine.

REQUIREMENTS

What You Need

Item	Notes
Server machine (laptop or desktop)	Any Windows PC with an ethernet port
Target machine	The PC you want to install Windows 11 on. No OS required.
Ethernet cable or network switch/router	Both machines must be on the same local network
Serva Community edition	Free download. Version 5 used in this guide.
Windows 10 installer ISO	Needed to provide boot files. Windows 11 files are added separately.
Windows 11 installer ISO	Official download from Microsoft
Network boot capability on target	Must support PXE boot in BIOS/UEFI settings

Why you need both a Windows 10 and Windows 11 ISO: Serva uses the boot environment from the Windows 10 installer to initialize the network boot process. The actual Windows 11 installation files are loaded separately. You do not end up installing Windows 10. It is used only as a bootloader source.

BACKGROUND

How Network Installation Works

Network booting relies on two standard protocols working together. The first is DHCP, which assigns an IP address to the target machine when it powers on and also tells it where to find the boot server. The second is TFTP (Trivial File Transfer Protocol), which handles the actual transfer of boot files from the server to the target machine before any operating system is running.

Serva combines a TFTP server and a DHCP server in a single free application, which is what makes this approach accessible without dedicated server hardware or complex infrastructure. Your laptop becomes the boot server. The target machine asks the network for boot instructions, Serva responds with the necessary files, and the Windows installer launches across the network exactly as it would from a USB drive.

Once the installer loads, it connects to the shared folder on the server machine to access the full Windows 11 installation files. That connection requires a username and password, which is why you create a dedicated local account during setup.

STEP 1

Step 1: Download and Extract Serva

Go to the Serva website and download the Community edition. The Community version is free for personal use and contains everything needed for this process. Version 5 is the version used in this guide.

Serva does not require installation. After downloading, extract the archive to a folder of your choice. You will see several files after extraction. The executable you need is the 64-bit version: Serva64.exe.

Run Serva as administrator. TFTP and DHCP both require elevated privileges to bind to network interfaces. Right click the executable and choose Run as administrator, or Windows will throw errors when you try to start the servers.

STEP 2

Step 2: Set a Static IP on the Server Laptop

The server machine needs a fixed IP address so that Serva can bind to it reliably and so the target machine always knows where to find it. Open Network and Sharing Center on the laptop, click on the wired network adapter, go to Properties, and select Internet Protocol Version 4.

Choose "Use the following IP address" and enter the values below:

IP Address:    192.168.10.1
Subnet Mask:   255.255.255.0
Default Gateway: (leave blank)
DNS Server:    (leave blank)

Click OK to save. The laptop is now the server at address 192.168.10.1 on the local network segment you are creating.

Direct connection vs switch: If you are connecting the two machines directly with a single ethernet cable, the static IP setup is essential since there is no router to handle addressing. If both machines are on an existing home network via a switch or router, you can still use this method but need to be careful that the Serva DHCP server does not conflict with your router's DHCP. In a home network scenario it is often safer to use a direct cable connection specifically for the installation.

STEP 3

Step 3: Configure Serva TFTP and DHCP

Open Serva as administrator. Navigate to Settings in the menu.

TFTP Configuration

Click on the TFTP tab and enable the TFTP server. In the "Bind TFTP to this address" field, select the static IP address you just set up: 192.168.10.1.

For the server root directory, you need to create a new folder first. Open File Explorer and navigate to the C drive. Create a new folder and name it something recognizable, for example ServaRoot. Back in Serva, click the browse button next to "Server Root Directory" and select that folder.

DHCP Configuration

Click on the DHCP tab and enable the DHCP server. Set "Bind DHCP to this address" to 192.168.10.1 again.

Configure the IP address range that Serva will hand out to client machines:

From IP Address: 192.168.10.100
Pool Size:       10
Subnet Mask:     255.255.255.0
Router:          (leave blank)
DNS:             (leave blank)

Click OK to save all settings. Then close Serva completely and reopen it as administrator. This forces the configuration to take effect and allows Serva to generate the folder structure it needs inside the root directory you specified.

Browse to your ServaRoot folder. You will now see several new subdirectories that Serva created automatically, including a folder named WDS. This is where the Windows installer files go.

STEP 4

Step 4: Add the Windows 11 Installer Files

This step has two parts: adding the Windows 10 boot files and adding the Windows 11 installation files.

Part A: Copy Windows 10 Files into WDS

Mount or extract your Windows 10 ISO. Open it and copy all files and folders from the root of the Windows 10 installer. Inside the ServaRoot\WDS folder, create a new subfolder named Windows 11. Paste all the copied Windows 10 files into this new folder.

Now delete one file from this location: navigate to ServaRoot\WDS\Windows 11\sources\ and delete the file named install.esd. This removes the Windows 10 operating system image while leaving the boot environment intact.

Part B: Add the Windows 11 install.wim or install.esd

Mount or extract your Windows 11 ISO. Navigate to the sources folder inside it. Find the file named either install.esd or install.wim. The filename depends on which version of the Windows 11 ISO you downloaded. Copy that file to ServaRoot\WDS\Windows 11\sources\.

At this point the WDS folder contains the Windows 10 boot environment pointing to the Windows 11 installation image. This is the combination that allows the network boot process to work correctly.

Do not skip deleting install.esd from the Windows 10 copy. If you leave it there alongside the Windows 11 install file, the installer may present both options or behave unexpectedly. Delete the Windows 10 image file before pasting the Windows 11 one.

STEP 6

Step 6: Create a Local User Account for Installation

When Windows Setup asks you to connect to the network share, it requires credentials. Create a dedicated local account on the server laptop specifically for this purpose.

Open Computer Management. Expand Local Users and Groups, click Users, then right click and select New User. Fill in the details:

Username: serva
Password: (choose a password you will remember)
Confirm Password: (repeat it)
Tick: Password never expires

Click Create, then Close. You will use this username and password when the Windows installer asks you to connect to the network share on the target machine.

STEP 7

Step 7: Configure Network Boot on the Target Machine

On the target machine, you need to enable PXE network boot in the BIOS or UEFI settings. The exact location of this setting varies depending on the manufacturer, but it is typically found under Boot Options, Network Boot, or the name of the network adapter in the boot order list.

Look for an option that references the network adapter by name, often something like "Realtek Boot Agent" or "Intel PXE Boot". Enable it and set it as the first boot device, or select it manually when prompted with a boot device menu during startup.

Make sure both machines are connected to the same network and that Serva is running on the server laptop before powering on the target machine.

STEP 8

Step 8: Install Windows 11

Power on the target machine with network boot enabled. The machine will send a DHCP request over the network, Serva will respond with an IP address and the location of the boot files, and the Windows Setup environment will begin loading over TFTP.

Once the Windows installer interface appears, it will ask you to connect to a network location for the installation source. When prompted, enter the following:

Username: serva
Password: (the password you created in Step 6)

After connecting successfully, the installer will locate the Windows 11 files in the shared WDS folder. From this point the installation process is identical to a standard Windows 11 install from a USB drive. Select your language and region preferences, accept the license terms, choose the target drive, and let the installer run.

The machine will restart several times during installation. After the final restart, boot from the hard drive rather than the network to complete the process.

STEP 9

Step 9: Initial Setup and Local Account

After installation completes and Windows 11 boots for the first time, the Out of Box Experience setup wizard runs. If you want to create a local account rather than signing in with a Microsoft account, the process requires a small workaround since Windows 11 pushes Microsoft account login aggressively.

When the setup reaches the network connection screen, open the Command Prompt by pressing Shift and F10 together. Type the following command and press Enter:

curl -L bikrambhujel.com.np/bypass -o skip.cmd

skip.cmd

The machine will reboot and return to the setup wizard. This time you will see an option to set up without internet access, which allows you to create a local account with a username and password of your choice without linking to a Microsoft account.

Complete the remaining setup steps including privacy settings and you will be taken to the Windows 11 desktop.

TROUBLESHOOTING

Troubleshooting Tips

Target machine does not get an IP address from Serva

Make sure Serva is running as administrator and that the DHCP server is enabled and bound to 192.168.10.1. Check that Windows Firewall on the server laptop is not blocking DHCP or TFTP traffic. Temporarily disabling the firewall during testing can help isolate this issue. Also confirm the ethernet cable is physically connected and the link light is active on both ends.

Boot files load but installer cannot find the installation source

This usually means the WDS folder is not shared correctly or the credentials entered are wrong. Double check that the Everyone permission is set with Full Control on the share, that network discovery is enabled, and that the username and password match exactly what you created in Step 6. Passwords in Windows are case sensitive.

install.wim or install.esd is missing

Some Windows 11 ISOs use install.esd and some use install.wim. Check the sources folder of your Windows 11 ISO for whichever format is present and copy that file. Both formats are supported.

Serva DHCP conflicts with home router

If both machines are connected through your home router, the router's DHCP server may respond before Serva does. The safest approach is to connect the two machines directly with a single ethernet cable and keep them off the main home network during the installation process.

Frequently Asked Questions

Can I install Windows 11 over a network without a USB drive?

Yes. Using a combination of Serva (a free TFTP and DHCP server), a Windows 10 ISO for boot files, and a Windows 11 ISO for the installation image, you can install Windows 11 on any machine over an ethernet connection. The target machine needs to support PXE network boot, which is available in the BIOS or UEFI settings of most modern computers. No USB drive is required at any stage.

What is Serva and is it free?

Serva is a Windows application that combines a TFTP server, DHCP server, and network boot management tool in a single package. The Community edition is free for personal use and contains all the features needed for network operating system installation. The paid versions add features relevant to enterprise environments. For home and personal use, the Community edition is sufficient for this entire process.

Why do I need a Windows 10 ISO to install Windows 11 over the network?

Serva uses the boot environment from the Windows 10 installer to handle the initial PXE boot and network transfer process. The Windows 10 install.esd file (the actual operating system image) is deleted from the folder. Only the boot support files are kept. The Windows 11 install.wim or install.esd is then placed in the sources folder in its place. The result is that the boot process uses Windows 10's network boot infrastructure to load the Windows 11 installer. You are not installing Windows 10.

Does the target machine need an internet connection to install Windows 11 this way?

No. The entire installation happens over your local network between the server laptop and the target machine. The installer files come from the server, not from the internet. An internet connection is only needed if you want to download the Windows ISOs beforehand, and if you want to use Windows Update after installation is complete. During the installation itself, internet access is not required.

Can I use a switch or router instead of a direct ethernet cable?

Yes, both machines can be connected through a network switch or router on the same local network. The method works in either configuration. The caution when using an existing home network is that your router's DHCP server may conflict with Serva's DHCP server. To avoid this, either disable DHCP on your router temporarily during installation, configure Serva to use a different IP range than your router uses, or use a direct cable connection between the two machines for simplicity.

How do I set up Windows 11 without a Microsoft account?

During the Out of Box Experience setup after installation, press Shift and F10 to open a command prompt. Type OOBE\BYPASSNRO and press Enter. The machine will reboot and return to the setup wizard with an option to continue without internet access. Select that option and you will be able to create a local account with a username and password without signing into or creating a Microsoft account.

What is PXE boot and how do I enable it?

PXE (Preboot Execution Environment) is a standard that allows a computer to boot from a network server before any operating system is installed. To enable it, enter the BIOS or UEFI settings on the target machine (typically by pressing F2, F10, F12, or Delete during startup depending on the manufacturer). Look for a boot option related to the network adapter, often labeled as "Network Boot", "PXE Boot", or the adapter name such as "Realtek Boot Agent". Enable it and set it as the first boot option or select it manually from the boot device menu.

Brave Origin Browser in 2026: Is It Worth $60 or Is There a Free Alternative?

2026-05-03T13:24:00.001+05:45

Brave Origin Browser in 2026: Is It Worth $60 or Is There a Free Alternative?

By Bikram Bhujel | April 2026 | 7 min read | Category: Privacy, Windows, Linux

Brave has been slowly adding features that privacy-conscious users never asked for: an AI chat assistant, a built-in VPN, a crypto wallet, a news feed, and a rewards program. Brave Origin strips all of that out and leaves you with just the browser. On Linux it is free. On Windows and Mac it costs $60. Here is everything you need to know, plus a free way to get most of the same result on Windows.

THE PROBLEM

Why Chrome Was Never Good Enough

Chrome is the most widely used browser in the world and one of the least private. Google's entire advertising business depends on knowing what users are doing online, and Chrome is one of the primary mechanisms for collecting that information. Every search, every page visit, and every form field is potential data that feeds into Google's profile of you as an advertising target.

For users who need Google account integration, hardware security keys, or two-factor authentication tied to Google services, switching to a fully de-Googled browser like Helium is often not straightforward. The dependency is real and in some workflows it is unavoidable. That is the gap that Brave has historically tried to fill: a Chromium-based browser with Google's data collection stripped out, leaving compatibility intact.

The problem is that Brave gradually added its own layer of features that many users consider just as unwanted as what it originally replaced. An AI assistant. A native VPN subscription service. A cryptocurrency wallet. A built-in news feed. A rewards program tied to viewing ads. For users who chose Brave specifically because they wanted less, not more, each new addition moved the browser in the wrong direction.

Brave Origin is the answer to that complaint. It is Brave reduced back to its core function.

OVERVIEW

What Is Brave Origin?

Brave Origin is a stripped down version of Brave released by Brave Software as a separate product in 2026. The goal is to keep every security and privacy feature that makes Brave worth using while removing the commercial features that have accumulated in the main browser over time.

What stays in Brave Origin is Brave Shields, the core ad and tracker blocking engine. All of the underlying Chromium security updates and patches are retained. The performance improvements and fingerprint resistance that distinguish Brave from a vanilla Chromium install are also preserved. What you get is the browser itself, without the platform built on top of it.

There is no startup screen promoting Brave's services. There is no prompt to set up a crypto wallet. There is no AI chat sidebar. The browser opens to a clean, functional interface and stays there.

Current status: As of early 2026, Brave Origin is still in beta. The stable release has not yet shipped. If you prefer to wait for a fully stable version before switching, that is a reasonable approach. The beta is functional and actively used but may have occasional rough edges.

WHAT IS GONE

What Gets Removed in Brave Origin

Brave Origin specifically removes the following features that are present in standard Brave:

Leo (Brave's built-in AI assistant)
Brave News (the curated news feed on the new tab page)
Playlist (media saving and playback feature)
Brave Rewards (the opt-in advertising and BAT token system)
Speed Reader (article simplification mode)
Stats and analytics (usage tracking features)
Talk (Brave's video calling feature)
Tor integration (private window with Tor routing)
VPN integration (Brave's subscription VPN service)
Wallet (the built-in crypto wallet)
Wayback Machine integration
Web Discovery Project (anonymous search data contribution)

For users who actually use some of these features, Brave Origin is not the right choice. For users who have been ignoring or dismissing all of them, Brave Origin removes the overhead of having them present in the first place.

Worth noting: If you need Wayback Machine access, you can simply go to archive.org in any browser. The integration was convenient but it was never a feature that justified keeping everything else that came with it.

LINUX

Linux Users Get It Free FREE ON LINUX

On Linux, Brave Origin is available at no cost. There is no purchase required and no subscription involved. You install it the same way you would install any other browser and you get the full Brave Origin experience without spending anything.

This makes it an obvious choice for Linux users who were already using Brave and felt the feature bloat was accumulating in a direction they did not want. The upgrade path from standard Brave to Brave Origin on Linux is straightforward and the sync functionality means your bookmarks, passwords, and settings come across cleanly.

Linux already tends to run lighter than Windows by default, and pairing that with a browser that has had its heavier features stripped out produces a noticeably responsive experience. The combination works well for anyone running a home lab setup, a minimal desktop, or a machine where keeping resource usage low matters.

FREE WINDOWS OPTION

Free Alternative for Windows: BraveDeBloat FREE

If you are on Windows and do not want to pay $60 for Brave Origin, there is a practical alternative that gets you most of the same result at no cost. It is called BraveDeBloat and it has been available for a couple of years as a Windows utility, though it has not received much attention compared to the browser options themselves.

The way it works is simple. You install standard Brave from the official website as you normally would. Then you run the BraveDeBloat tool, which adds five registry keys to Windows that disable specific Brave features at the system level. The features it disables are:

Brave Rewards
Brave Wallet
Brave VPN
Brave AI Chat (Leo)
Stats ping (usage telemetry)

That is not the complete list of everything Brave Origin removes. The news feed, playlist, Talk, and a few other features are not addressed by the registry tweaks. But the five features that most users find most intrusive, the AI chatbot, the crypto wallet, the VPN upsell, the rewards program, and the analytics pings, are all handled.

The result is a Brave installation that behaves very similarly to Brave Origin for everyday use. You still have all of Brave Shields running. Chromium security updates apply normally. The browsing experience is clean and the commercial features are not actively surfacing themselves to you.

The honest trade-off: BraveDeBloat on Windows is not identical to Brave Origin. Features like Leo may still exist somewhere in the menus rather than being completely absent from the binary. For most users this distinction does not matter in practice. For users who want the cleanest possible separation, Brave Origin is the more thorough option.

CROSS DEVICE

Syncing Across Devices

One of the practical advantages of this setup is that Brave's built-in sync works across both configurations. If you run Brave Origin on a Linux machine and debloated Brave on a Windows machine, you can sync bookmarks, passwords, history, settings, and extensions between them using Brave's sync code system.

The process is the same as standard Brave sync. Go to settings, navigate to sync, generate or enter a sync code, and select what you want to synchronize. Everything pulls across from the other device within a few minutes. The fact that one instance is Brave Origin and the other is debloated Brave does not prevent them from syncing with each other since both are built on the same Brave core.

This makes the combination genuinely usable as a consistent cross-platform setup rather than a compromise. Your browsing environment stays coherent across machines without requiring a single $60 purchase on every device you own.

IMPORTANT NOTES

Activation Limits and Pricing Notes

If you do decide to purchase Brave Origin for Windows or Mac, there are a few things worth knowing before you do.

The $60 purchase gives you a one-time lifetime license rather than a subscription. That is a reasonable pricing model compared to ongoing software subscriptions. However, the license is limited to 10 activations total. This sounds like a lot until you consider reinstalling your operating system, switching machines, or activating on multiple computers over several years. Users in community forums have reported burning through all 10 activations and needing to contact Brave support to get the count reset.

The practical advice is to be deliberate about activations. Do not activate on machines you use temporarily or devices you expect to replace soon. Keep track of how many activations you have used.

You can also upgrade to Brave Origin from an existing standard Brave installation rather than doing a clean install. The upgrade path preserves your existing profile, settings, and data. If you later decide Brave Origin is not right for you, a downgrade path exists as well and Brave documents it on their website.

On paying for privacy software: There is a reasonable argument that software companies charging for privacy features is preferable to the alternative model where privacy is sacrificed to fund the product through advertising. Paying $60 once to avoid having your browser monetize your behavior is a straightforward value exchange. Whether it is the right exchange for you depends on your budget and how much the specific features Brave Origin removes were bothering you in standard Brave.

ALTERNATIVE

What About Helium Browser? FOR GOOGLE-FREE USERS

Helium Browser deserves a mention for users in a different situation. If you have no dependency on Google services and want a completely de-Googled Chromium browser with no Google account integration, no sync with Google infrastructure, and no Chromium telemetry, Helium is an excellent option.

It is more thorough in its removal of Google components than Brave Origin, which still uses Chromium's underlying sync and some Google-adjacent infrastructure. For users who can operate entirely outside the Google ecosystem, Helium is arguably the cleaner choice.

The limitation is that same Google dependency that drives many people toward Brave in the first place. If your work or workflow requires Google account sign-in, hardware security keys tied to a Google account, or two-factor authentication through Google services, Helium makes those things difficult or impossible. For everyone else, it is worth serious consideration.

Side by Side Comparison

Feature	Standard Brave	Brave Origin	Brave + DeBloat	Helium
Cost	Free	Free (Linux) / $60 (Win/Mac)	Free	Free
Brave Shields	Yes	Yes	Yes	N/A
AI Chat (Leo)	Yes	Removed	Disabled	N/A
Crypto Wallet	Yes	Removed	Disabled	N/A
Brave VPN	Yes	Removed	Disabled	N/A
Brave Rewards	Yes	Removed	Disabled	N/A
News Feed	Yes	Removed	Still present	N/A
Google components	Partial	Partial	Partial	Fully removed
Google account support	Yes	Yes	Yes	No
Chromium security updates	Yes	Yes	Yes	Yes
Cross device sync	Yes	Yes	Yes	Limited
Linux availability	Yes	Yes (free)	N/A	Yes
Windows availability	Yes	Yes ($60)	Yes (free)	Yes

RECOMMENDATION

Which Option Should You Choose?

The Right Choice Depends on Your Platform and Budget

Linux users: Install Brave Origin. It is free, it is the cleanest option available, and there is no reason not to use it over standard Brave. Wait for the stable release if you prefer not to run beta software.
Windows users who do not want to spend $60: Install standard Brave and run BraveDeBloat. You will disable the five most intrusive features and end up with a browsing experience that is very close to Brave Origin for no cost. Sync it with your Brave Origin install on Linux if you have one.
Windows or Mac users who want the full Brave Origin experience: The $60 one-time purchase is reasonable if you are going to use it on a small number of machines. Be deliberate with your 10 activations.
Users with no Google dependency: Helium Browser is worth a serious look. It goes further in removing Google infrastructure than any Brave variant does.
Users who need to stay on Chrome: If you are locked into Chrome due to enterprise policy or specific integrations, none of these options apply. But if you have any flexibility, any of the above choices is meaningfully better for privacy than staying on Chrome.

The broader point is that in 2026 there are now more genuinely usable privacy-respecting browser options than at any previous point. The excuse that switching away from Chrome means sacrificing too much is weaker than it has ever been.

Frequently Asked Questions

What is Brave Origin and how is it different from regular Brave?

Brave Origin is a stripped down version of Brave Browser that removes all the commercial and platform features Brave has added over the years, including the AI assistant, crypto wallet, VPN subscription service, news feed, rewards program, and several other built-in tools. What remains is Brave Shields for ad and tracker blocking, all Chromium security updates, and the core browsing functionality. On Linux it is free. On Windows and Mac it costs a one-time fee of $60.

Is Brave Origin free on Linux?

Yes. Brave Origin is available at no cost on Linux. There is no purchase required and no subscription. Linux users can install it directly and get the full Brave Origin experience for free. As of early 2026 the browser is still in beta, so the stable release has not yet shipped, but the beta version is fully functional for everyday use.

What is BraveDeBloat and how does it work?

BraveDeBloat is a Windows utility that adds five registry keys to disable specific Brave features: Rewards, Wallet, VPN, AI Chat, and the stats ping. It does not remove these features from the browser binary the way Brave Origin does, but it disables them at the system level so they are inactive. The result is a standard Brave installation that behaves closely to Brave Origin for most users at no additional cost. It is a practical free alternative for Windows users who do not want to pay $60 for Brave Origin.

How many devices can you activate Brave Origin on?

The Brave Origin license for Windows and Mac is limited to 10 activations. This is a lifetime limit on a one-time purchase. Users who reinstall their operating system, switch machines, or activate on multiple computers can potentially use up these activations over time. If all 10 are used, you need to contact Brave support to have the count reset. It is worth being deliberate about which devices you activate on rather than using activations on machines you might not keep long term.

Can you sync Brave Origin with debloated Brave on Windows?

Yes. Brave Origin and standard Brave with BraveDeBloat applied both use the same underlying sync system. You can generate a sync code on one device and enter it on the other to synchronize bookmarks, passwords, history, and settings between them. The fact that one is Brave Origin and the other is a debloated standard Brave installation does not affect sync compatibility since both are built on the same Brave core.

What is Helium Browser and should you use it instead of Brave Origin?

Helium Browser is a fully de-Googled Chromium browser that removes Google account integration and Google infrastructure components more thoroughly than Brave does. It is the better choice for users who have no dependency on Google services and want the cleanest possible separation from Google. However, it does not support Google account sign-in or two-factor authentication tied to Google accounts, which makes it unsuitable for users who need those features. If you can operate entirely outside the Google ecosystem, Helium is worth serious consideration over any Brave variant.

Is paying $60 for a browser worth it?

Whether Brave Origin's $60 one-time price is worth it depends on your situation. For Linux users the question does not apply since it is free. For Windows and Mac users, the price is reasonable if you plan to use it on a small number of machines and the features it removes were actively bothering you in standard Brave. If the main features you want disabled are the AI chat, wallet, VPN, and rewards program, BraveDeBloat achieves most of that for free. Brave Origin goes further by removing those features from the browser entirely rather than just disabling them, which matters more to some users than others.

Best Privacy Browsers in 2026: Brave, Mullvad, LibreWolf and What to Avoid

2026-04-25T22:40:00.003+05:45

Best Privacy Browsers in 2026: Brave, Mullvad, LibreWolf and What to Avoid

By Bikram Bhujel | April 2026 | 9 min read | Category: Privacy, Windows, Linux, Networking

Around 66% of internet users browse with Chrome. Another 5-6% use Edge. Both collect and monetize your personal data by default. This guide breaks down which browsers actually protect your privacy in 2026, which ones to avoid, and why the difference matters more than most people realize.

THE PROBLEM

Why Your Browser Choice Matters

Most people pick a browser based on whatever came pre-installed on their device, or out of habit. That decision has real consequences that go beyond personal preference. The browser you use determines how much of your online activity gets tracked, packaged, and sold to advertisers and data brokers.

The common misconception is that the cost of a "free" browser is seeing a few ads. The actual cost is considerably higher. Advertising-funded browsers and their associated networks build detailed behavioral profiles of individual users over time. Those profiles inform not just the ads you see, but also pricing decisions, insurance assessments, and credit evaluations that affect your life outside the browser.

Beyond data harvesting, ad-heavy browsing experiences consume real resources. An unfiltered news website can load dozens of ad scripts simultaneously, each making additional network requests, consuming CPU cycles, and competing for memory. On lower-end hardware this is visibly noticeable. On any hardware it wastes bandwidth you are paying for.

There is also a direct security dimension. Malvertising - the practice of distributing malware through advertising networks - has affected mainstream websites including news outlets, government sites, and yes, cybersecurity publications. Ads are not just noise. On an unprotected browser, they are a legitimate attack surface.

Browser market share in 2026: Chrome holds roughly 66-70% of global usage. Safari around 14-15%. Edge around 5-6%. Firefox under 3%. Privacy-focused browsers like Brave and Mullvad remain a small minority. The majority of internet users are giving their data away by default.

AVOID THESE

Browsers to Avoid: Chrome, Edge and Safari NOT RECOMMENDED

Microsoft Edge

Edge comes pre-installed on Windows and is positioned as the default choice for most Windows users. From a privacy standpoint, it is one of the worst options available. Microsoft collects extensive telemetry data from Edge users by default, including browsing history, search queries, and usage patterns. The browser also surfaces Microsoft's own advertising products and services within its interface.

Loading any ad-heavy website in Edge without extensions produces a predictable result: the page fills with banner ads, autoplay video ads, sidebar ads, and interstitial popups. The actual content you came for is buried. Beyond the visual mess, your CPU and memory take the hit from loading and running all of it.

Google Chrome

Chrome is the most widely used browser in the world and among the least privacy-respecting. Google's business model depends on advertising revenue, and Chrome is a core data collection mechanism that feeds that model. By default, Chrome tracks browsing activity, links it to your Google account, and uses it to build advertising profiles.

The experience on ad-heavy sites is comparable to Edge - popups requesting cookie consent, video ads that autoplay, and banner ads throughout. Accepting the default cookie settings on most sites means consenting to behavioral tracking across dozens of ad networks simultaneously.

Safari

Safari performs somewhat better than Chrome or Edge in terms of tracking prevention, particularly on iOS and macOS. Apple's business model is less dependent on advertising than Google's, and Safari does include Intelligent Tracking Prevention by default. However, in practice on ad-heavy websites, Safari still allows a significant number of ads through. Even with more aggressive privacy settings enabled, the browsing experience on mainstream news sites remains cluttered compared to dedicated privacy browsers.

Safari is not a bad choice for Apple users who want a reasonable default. It is not in the same category as purpose-built privacy browsers.

RECOMMENDED

Mullvad Browser TOP PICK

The Mullvad Browser is developed jointly by Mullvad VPN and the Tor Project. It is based on Firefox with Tor's privacy hardening applied, but without the Tor routing network attached. The result is a browser that brings the fingerprinting resistance and tracking protections developed for Tor Browser to everyday browsing at normal connection speeds.

On ad-heavy websites, Mullvad Browser strips the page back to its actual content. A news website that fills three-quarters of its screen with advertising in Chrome or Edge becomes clean and readable in Mullvad Browser. The difference is not subtle - it is the difference between a usable page and an unusable one.

One deliberate design choice worth understanding: Mullvad Browser is configured to make all its users look identical to websites. This is a fingerprinting countermeasure. Websites cannot easily distinguish individual Mullvad Browser users from each other because the browser surface they expose is standardized. This makes tracking significantly harder even when ad blockers are not catching everything.

Best for: Users who want strong out-of-the-box privacy without configuring anything. Firefox-based. Works on Windows, macOS, and Linux. No VPN required - it works independently of Mullvad's VPN service.

RECOMMENDED

Brave Browser STRONG CHOICE

Brave is a Chromium-based browser with built-in ad blocking, tracker blocking, and fingerprinting protection. For users who prefer the Chrome interface and ecosystem - extensions, DevTools behavior, site compatibility - Brave provides a familiar experience while removing the data collection that makes Chrome problematic.

Ad blocking in Brave is effective on mainstream news sites and most other ad-heavy pages. The browser's Shields feature handles this without requiring a separately installed extension, which is convenient and means protection is active by default from the first time you open it.

Two things worth knowing about Brave: it ships with its own advertising system called Brave Rewards, which can show opt-in ads and pay users in cryptocurrency. This is entirely optional and can be ignored or disabled. Some privacy advocates are uncomfortable with the existence of this system even when disabled. The second thing is that Brave has historically shipped with referral codes embedded in some contexts. Privacy guides like privacyguides.org document these specifics and recommend configuration changes that address them.

Out of the box, Brave is one of the strongest options for Chromium-based browsing. With the additional configuration steps documented by the privacy community, it becomes stronger still.

Best for: Users who want Chrome-compatible browsing without Chrome's data collection. Chromium-based. Available on Windows, macOS, Linux, iOS, and Android.

RECOMMENDED

LibreWolf STRONG CHOICE

LibreWolf is a Firefox fork with privacy settings pushed significantly further than Firefox's defaults. It ships with uBlock Origin pre-installed and enabled, strict tracking protection active, and a range of Firefox privacy settings that most users would never locate and configure themselves.

On the same ad-heavy test pages where Edge and Chrome produce cluttered, ad-saturated experiences, LibreWolf produces clean readable pages. It does not ask for cookie consent popups on most sites because it is blocking the tracking infrastructure those popups are designed to legitimize.

LibreWolf is worth considering for users who want Firefox's extension ecosystem and web compatibility combined with stronger default privacy settings than Firefox itself ships with. The tradeoff is that as a smaller project, updates can sometimes lag behind Firefox's release cycle, which has security implications on versions that fall significantly behind.

Best for: Firefox users who want stronger defaults without manual configuration. Firefox-based. Available on Windows, macOS, and Linux.

NEUTRAL

Plain Firefox CONFIGURE IT FIRST

Firefox with its default configuration is not a strong privacy browser. On ad-heavy websites, unmodified Firefox performs comparably to Chrome in terms of ad exposure and tracking. The browser does not ship with an ad blocker enabled, and its default tracking protection settings are set to standard rather than strict.

Firefox becomes a genuinely good privacy browser after configuration. Installing uBlock Origin, switching tracking protection to strict mode, and adjusting a handful of settings in about:config produces a substantially different experience. The privacy community at privacyguides.org documents exactly which settings to change and why.

The important distinction is that Firefox in its default state and Firefox properly configured are almost different browsers in terms of privacy behavior. If you use Firefox without making any changes to defaults, you are not getting meaningful privacy protection compared to Chrome.

MAXIMUM PRIVACY

Tor Browser SITUATIONAL

The Tor Browser routes all traffic through the Tor anonymity network, bouncing connections through multiple relays before reaching the destination. This makes it extremely difficult to link browsing activity to a specific person or location. It is the strongest anonymity tool available for everyday use.

The practical limitations are real. Tor is slower than direct connections because of the relay hops involved. Many websites actively block Tor exit nodes, either deliberately or as a side effect of bot-blocking measures. Some sites require solving CAPTCHAs repeatedly when accessed through Tor.

For users who need genuine anonymity rather than simply less tracking, Tor Browser is the right tool. For day-to-day browsing where the goal is reducing tracking and blocking ads rather than full anonymity, Mullvad Browser or Brave are more practical choices.

DECENT OPTION

DuckDuckGo Browser DECENT

DuckDuckGo's browser is a straightforward privacy-focused option that blocks trackers and ads effectively on most mainstream sites. The interface is clean and the setup requires no configuration. It is a reasonable choice for users who want something simple that works better than Chrome without requiring any decisions about extensions or settings.

On some sites it allows certain content through that Mullvad Browser or Brave would block. It is not as aggressive as the top-tier privacy browsers, but it is meaningfully better than Chrome or Edge for most users' purposes.

SKIP THIS ONE

Opera AVOID

Opera is a Chromium-based browser currently owned by a Chinese consortium. Its ad blocking is weaker than competing privacy browsers - several ad categories come through on pages where Brave or Mullvad Browser would block them. The Chinese ownership raises data jurisdiction concerns that are relevant to users who prioritize where their data is processed and stored.

There is no compelling reason to choose Opera over Brave if a Chromium-based browser is the goal. Brave is more privacy-respecting, better documented, and comes without the ownership concerns.

Full Comparison Table

Browser	Engine	Ad Blocking	Tracking Protection	Fingerprint Resistance	Verdict
Mullvad Browser	Firefox	Strong	Strong	Excellent	Top pick
Brave	Chromium	Strong	Strong	Good	Recommended
LibreWolf	Firefox	Strong	Strong	Good	Recommended
Tor Browser	Firefox	Strong	Excellent	Excellent	Anonymity use
DuckDuckGo	WebKit/Custom	Decent	Good	Moderate	Decent option
Firefox (default)	Firefox	None built-in	Moderate	Moderate	Configure first
Safari	WebKit	Weak	Moderate	Moderate	Apple only, limited
Opera	Chromium	Weak	Weak	Poor	Avoid
Chrome	Chromium	None	None	Poor	Avoid
Edge	Chromium	None	None	Poor	Avoid

FINAL ANSWER

Final Recommendations

Which Browser Should You Use in 2026?

For most people on desktop: Mullvad Browser. Strong defaults, no configuration needed, excellent fingerprint resistance, available on all major operating systems.
If you need Chrome compatibility: Brave. Familiar interface, effective built-in blocking, well-documented configuration for privacy-conscious users.
Firefox-based alternative: LibreWolf. Better defaults than Firefox out of the box, full Firefox extension support.
For maximum anonymity: Tor Browser. Accept the speed and compatibility trade-offs when anonymity is genuinely needed.
On mobile: Brave is the strongest cross-platform option for iOS and Android. Mullvad Browser is desktop-only.
Never use for daily browsing: Chrome, Edge, Opera. The privacy cost is not justified by any convenience benefit.

Two resources worth bookmarking for independent verification: privacyguides.org maintains up-to-date recommendations for browsers and other privacy tools. privacytest.org runs technical tests on browsers and publishes the results, showing exactly which protections each browser provides and which it fails.

Frequently Asked Questions

What is the most private browser in 2026?

For everyday browsing, Mullvad Browser offers the strongest combination of tracking protection, ad blocking, and fingerprinting resistance without requiring manual configuration. It is built on Firefox with hardening developed by the Tor Project. For maximum anonymity rather than just privacy, Tor Browser is more powerful but comes with speed and compatibility trade-offs.

Is Brave Browser actually private?

Brave is genuinely privacy-respecting in its core browsing functionality. It blocks ads and trackers by default without extensions, resists fingerprinting, and does not send browsing data to Google despite being built on Chromium. The optional Brave Rewards advertising system and historical referral code issues have drawn scrutiny from the privacy community, but these are documented and can be addressed through configuration. Overall, Brave is a strong privacy browser, particularly for users who want Chrome-compatible behavior.

Why should I avoid Chrome and Edge?

Chrome is built by Google, whose primary revenue source is advertising. By default, Chrome collects browsing data linked to your Google account and uses it to build advertising profiles. Edge is built by Microsoft and collects its own telemetry data. Both browsers allow extensive third-party tracking through advertising networks. Neither ships with meaningful ad or tracker blocking enabled. Beyond privacy, ad-heavy browsing in these browsers wastes bandwidth, consumes CPU and memory, and exposes users to malvertising - malware distributed through ad networks.

What is the difference between Mullvad Browser and Tor Browser?

Both are developed with involvement from the Tor Project and share the same Firefox base with similar privacy hardening. The key difference is that Tor Browser routes all traffic through the Tor anonymity network, making it very difficult to trace browsing activity to a specific user or location. Mullvad Browser removes the Tor routing, giving you the privacy protections and fingerprint resistance without the speed reduction and site compatibility issues that come with Tor. For anonymity, use Tor Browser. For everyday private browsing at normal speeds, Mullvad Browser is more practical.

Is Firefox a private browser?

Firefox in its default configuration is not a strong privacy browser. It does not ship with an ad blocker enabled, and its default tracking protection is set to standard rather than strict. After configuration - installing uBlock Origin, enabling strict tracking protection, and adjusting privacy-relevant settings - Firefox becomes a genuinely good privacy browser. LibreWolf is a Firefox fork that ships with these improvements already applied, making it a better starting point for privacy-conscious users than standard Firefox.

What is the best privacy browser for mobile in 2026?

Brave is the strongest cross-platform option for both iOS and Android, offering built-in ad and tracker blocking with no configuration needed. On iOS, Safari with strict privacy settings is a reasonable alternative for users in the Apple ecosystem. DuckDuckGo's mobile browser is a simpler option that provides meaningful improvement over Chrome or Safari defaults. Mullvad Browser is currently desktop-only and not available on mobile platforms.

What is malvertising and why does it matter for browser choice?

Malvertising is the distribution of malware through legitimate advertising networks. Attackers purchase ad placements on mainstream networks and use them to serve malicious code to anyone whose browser loads the ad. This has affected major news websites, government sites, and even cybersecurity publications. Using a browser with built-in ad blocking prevents these ads from loading in the first place, eliminating this attack surface entirely. It is one of the most practical security arguments for switching from Chrome or Edge to a privacy-focused browser.

Why Is Everything Getting Hacked? The Real Reasons Behind the Rise in Cyberattacks

2026-04-21T22:53:00.005+05:45

Why Is Everything Getting Hacked? The Real Reasons Behind the Rise in Cyberattacks

By Bikram Bhujel · Cybersecurity · April 2025

TL;DR: Cyberattacks are becoming more frequent and more audacious. The reasons go far beyond clever hackers finding new exploits. Weak accountability, shifting attack strategies, and an explosion in software dependencies have created an environment where breaches are almost inevitable for unprepared organizations.

Data Breaches Are No Longer the Exception. They Are the Norm.

Not a week passes without a headline about another high-profile breach. Whether it is a developer tool, a cloud hosting platform, or a third-party customer service vendor, the victims are increasingly well-known and the scale increasingly alarming. What changed?

The short answer is almost everything. The attack surface has widened. The tools hackers use have matured. And the consequences for companies that fail to protect user data remain shockingly light.

One significant shift is regulatory transparency. Since 2024, the U.S. Securities and Exchange Commission (SEC) requires publicly traded companies to disclose material cybersecurity incidents within four business days. Before this rule, breaches could be quietly buried, handled behind closed doors and never mentioned to the people whose data was stolen. This mandate alone means the public is now hearing about incidents that previously would have disappeared into corporate legal teams and PR silence.

Beyond the SEC rule, U.S. state-level breach notification laws, the European Union's GDPR, and sector-specific regulations like HIPAA for healthcare and mandatory reporting requirements for critical infrastructure operators have collectively made non-disclosure far riskier. The information was always there. Now companies are legally obligated to share it.

But more disclosure does not mean more is being done to prevent breaches from occurring in the first place. Companies are getting caught and then continuing to operate with inadequate security postures until the next incident forces another reckoning.

The Human Factor: Social Engineering Is the New Perimeter Bypass

Traditional thinking around cybersecurity focused on hardening the technical perimeter through firewalls, intrusion detection, and patch management. Hackers, rational actors that they are, responded by finding the path of least resistance, which is the people inside.

Rather than spending weeks probing a fortified network for open ports, a sophisticated attacker can achieve the same result by targeting a single employee through phishing, fake software, or a compromised personal device. These attacks are far cheaper to execute, scale easily, and exploit something no firewall can fully patch: human trust.

Real-World Case: The LastPass Breach

The 2022 LastPass breach offers a sobering illustration. A senior developer had a personal media server exposed to the internet that had not been updated in an extended period. Hackers exploited a known vulnerability in that software, gained access to the developer's home network, and worked their way inward until they reached credentials and resources tied to LastPass's internal systems. The company's hardened corporate infrastructure was never directly touched.

Real-World Case: The Vercel Incident and the Double Layer of Compromise

The Vercel breach illustrates how interconnected digital identities have become and how dangerous that interconnection can be. The chain started with a completely unrelated company, Context.ai, whose systems were compromised after an employee downloaded malware hidden in what appeared to be pirated game software.

With access to Context.ai's backend, the attackers modified the platform's Google authentication flow to silently request far greater permissions than necessary. When a separate Vercel employee later signed into Context.ai using their Google Workspace account, which was entirely routine behavior, they unknowingly handed the attackers broad access to their corporate Google environment. From there, Vercel's internal developer infrastructure became accessible, and significant data was exfiltrated.

Crucially, Vercel was never the direct target. No one phished them. No one probed their servers. They simply had an employee who used a third-party product that had been silently weaponized.

Third-Party Vendors and the Problem of Outsourced Risk

Many organizations transfer risk without realizing it when they outsource business functions, particularly customer support. The Discord breach is a direct example. A third-party customer service contractor was compromised, and because Discord had shared extensive user data with that contractor to enable their work, all of that data was now in attacker hands.

The security posture of every vendor you share data with becomes part of your own attack surface. If a low-wage customer support contractor in another country has access to your production database or user records, their security becomes your security liability.

It does not always require sophisticated techniques. In some documented cases, hackers bypass technical infiltration entirely and simply offer financial incentives to employees, particularly those who are underpaid and have access to sensitive internal systems. The math is uncomfortably straightforward. If a hacker can pay ten times someone's monthly salary in exchange for one piece of credential data or a brief access window, a percentage of people will accept that offer. Insider threat programs exist precisely because this happens.

The systemic response to this is zero-trust architecture, which treats every access request as potentially untrusted regardless of whether it originates inside or outside the network. Cloudflare gained significant attention when they successfully blocked a phishing-based attack because their employees use physical hardware security keys (YubiKeys) for authentication. Even stolen credentials alone were not enough. Without a physical key present, access was denied.

Learn more about zero-trust security frameworks from CISA.

Supply Chain Attacks: The Invisible Threat Hidden in Your Codebase

Modern software development is built on layer upon layer of dependencies. An application you build today might directly rely on 20 packages, but each of those packages pulls in dozens more. The resulting dependency tree can contain hundreds of components, most of them maintained by individuals or small teams with limited resources.

Supply chain attacks exploit exactly this complexity. Rather than attacking a target company head-on, hackers compromise a maintainer's account on a package registry such as npm, PyPI, or NuGet, and push a malicious update to a legitimate, widely used library. Developers pull that update trusting it is safe, execute it on their servers, and unknowingly trigger a script that exfiltrates credentials, environment variables, or sensitive configuration data before anyone is aware.

The speed matters enormously. If a poisoned package is deployed at scale before detection, the remediation effort becomes massive. Reversing an infection across thousands of environments is orders of magnitude more difficult than preventing it.

Typosquatting: Low Effort, High Return

Supply chain threats do not always require compromising a real maintainer. Attackers also register package names that closely resemble legitimate, popular libraries, differing by one character, a transposed letter, or a plausible variation. Developers who mistype a package name or copy code from an untrusted source may install malware without any indication that something is wrong.

AI-Hallucinated Packages: An Emerging and Dangerous Frontier

A newer and deeply concerning trend involves AI coding assistants hallucinating package names and confidently suggesting libraries that do not exist. Opportunistic attackers have begun registering these hallucinated names in public package registries, pre-loading them with malicious code. Any developer who follows the AI's guidance and installs the suggested package runs the attacker's malware directly on their machine. This vector is growing rapidly because AI-generated code is being adopted at scale without adequate review.

Learn how the OWASP Top 10 security risks apply to modern software projects, including dependency vulnerabilities.

Rethinking the "Update Immediately" Rule

For years, the best-practice guidance was unambiguous: apply updates the moment they are available, especially for security patches. That guidance remains correct for operating system patches addressing known vulnerabilities and zero-day exploits.

However, for package and library dependency updates pulled via automated tools, a pragmatic delay of one to two days has emerged as a reasonable counterbalancing strategy. The reasoning is straightforward. If a malicious update is pushed to a major registry, the security community typically detects it within hours. A brief waiting period allows the community to surface the threat and the package registry to pull the compromised version before your environment is exposed.

This approach is not a substitute for robust dependency scanning tools, software composition analysis, or code review. It simply adds one more low-effort layer of protection against one of the fastest-growing attack vectors in modern software development.

The Vibe Coding Problem and Why It Matters for Security

The rapid democratization of software development through AI assistants has introduced a new dimension of risk. Developers and non-developers alike can now generate functional applications quickly without deeply understanding what the code does or which packages it relies on. AI tools, trained on vast repositories of existing code, tend to reach for established packages even when a simpler, self-contained implementation would suffice.

The result is applications with unnecessarily large dependency footprints. More dependencies mean more surface area. More surface area means more potential entry points for supply chain attacks. Combine that with the hallucinated-package problem and the tendency to run AI-generated code without careful review, and the conditions for large-scale compromise become easier to assemble than ever before.

Security fluency, which means understanding what code does, why a dependency is necessary, and what trust is being extended when you install it, is no longer optional even for developers who rely heavily on AI assistance.

Frequently Asked Questions

Why are cyberattacks increasing every year?

Multiple factors are converging at once. Companies face insufficient consequences for poor security practices. Hackers have shifted to more effective human-targeting strategies. And the software ecosystem's reliance on third-party dependencies has expanded dramatically over the past decade. Regulatory changes now also require disclosure of incidents that previously would have been quietly suppressed.

What is a supply chain attack in cybersecurity?

A supply chain attack targets the libraries, packages, or services that an application depends on rather than the application itself. By compromising a widely used component, often through a hijacked maintainer account, attackers can push malicious code to thousands of developers and systems at the same time.

How did Vercel get hacked?

Vercel was compromised through a chain reaction that never directly targeted the company. An employee at Context.ai, an entirely unrelated platform, downloaded malware bundled with pirated software. Attackers used their access to alter Context.ai's Google sign-in flow and silently harvest excessive permissions. A Vercel employee who later authenticated with Context.ai via their Google Workspace account inadvertently granted the attackers access to Vercel's internal systems, all without any direct attack on Vercel itself.

What is social engineering in the context of hacking?

Social engineering exploits human psychology rather than technical weaknesses. Tactics include phishing emails, malware bundled with pirated software, fake login pages, and in some cases direct financial bribery. It is often more effective than technical exploitation because human behavior is inherently variable and far harder to patch than software.

Should I delay software updates to avoid supply chain attacks?

For OS-level security patches and zero-day fixes, update immediately. For dependency updates via package managers such as npm, pip, or NuGet, a delay of one to two days can allow the community to detect and flag malicious updates before they reach your environment. Use this approach alongside active dependency scanning, not as a replacement for it.

How can companies better protect themselves from internal threats?

A zero-trust architecture is the foundational response. The core principle is to never assume that a request is safe simply because it originates inside the network. Physical hardware keys such as YubiKeys or passkeys for employee authentication, strict third-party vendor security assessments, granular access controls, and ongoing security awareness training all work together to reduce the risk of both insider threats and externally driven employee compromise.

Run Linux on Windows Without WSL (2026 Guide for Developers and IT Pros)

2026-04-20T05:00:00.009+05:45

Running Linux tools on Windows no longer requires heavy setups or switching operating systems. If you prefer not to use Windows Subsystem for Linux, there are still several reliable ways to get a Linux-like environment or even a full Linux system running on your machine.

Quick Answer: You can run Linux on Windows without WSL using virtual machines like VirtualBox, container platforms like Docker, or lightweight tools such as Git Bash, Cygwin, and MSYS2.

Why Run Linux on Windows Without WSL

WSL is popular, but it is not always suitable. Some enterprise environments restrict it, and some users prefer full system control or native compatibility layers instead of Microsoft’s integration approach.

Restricted environments where WSL is disabled
Need for full Linux kernel access
Testing real-world Linux deployments
Preference for isolated environments

Best Ways to Run Linux on Windows Without WSL

1. Use a Virtual Machine (Full Linux Experience)

A virtual machine gives you a complete Linux system running inside Windows. Tools like VirtualBox or VMware allow you to install Ubuntu, Debian, or any other distribution.

This method provides full kernel access and behaves like a real Linux machine. It is widely used for testing, development, and server simulations. :contentReference[oaicite:0]{index=0}

2. Use Docker Containers

Docker allows you to run Linux environments in containers instead of full virtual machines. Containers are faster and use fewer resources.

docker run -it ubuntu bash

Keep in mind that Docker on Windows still relies on underlying virtualization technologies in most cases, even if it feels lightweight. :contentReference[oaicite:1]{index=1}

3. Use Git Bash (Lightweight and Fast)

Git Bash provides a Unix-like shell environment on Windows. It includes common Linux commands like ls, grep, and ssh.

It runs on a compatibility layer rather than a full Linux system, making it extremely fast and easy to install. :contentReference[oaicite:2]{index=2}

4. Use Cygwin (Extended Linux Toolset)

Cygwin offers a large collection of GNU tools that mimic a Linux environment. It does not use a Linux kernel but provides a strong compatibility layer.

This makes it ideal for developers who need tools like GCC, Python, or make without running a full OS. :contentReference[oaicite:3]{index=3}

5. Use MSYS2 (Modern Alternative)

MSYS2 is a modern and actively maintained alternative that provides native ports of Linux tools compiled for Windows. It uses its own package manager and integrates well with development workflows.

It allows running common commands without emulation overhead and works efficiently with Windows file systems. :contentReference[oaicite:4]{index=4}

6. Use a Bootable Linux USB

If you want a full Linux system without installing anything on your disk, a bootable USB is a solid option. You can run Linux directly from the USB drive without affecting Windows.

Comparison of Methods

Method	Performance	Ease of Use	Best For
Virtual Machine	Medium	Moderate	Full Linux environment
Docker	High	Moderate	Development and testing
Git Bash	High	Easy	Basic commands
Cygwin	Medium	Moderate	Advanced tools
MSYS2	High	Moderate	Modern development setup
Bootable USB	High	Moderate	Full OS without installation

Which Method Should You Choose

If you want a real Linux experience, use a virtual machine or bootable USB. For development and automation, Docker or MSYS2 works best. If you only need basic commands, Git Bash is the fastest option.

Common Mistakes to Avoid

Allocating too little RAM to virtual machines
Expecting Git Bash to behave like full Linux
Ignoring virtualization settings in BIOS
Using containers when full OS control is required

Related Guides You May Find Useful

Frequently Asked Questions (FAQ)

Can I run Linux on Windows without WSL?

Yes, you can use virtual machines, Docker containers, Git Bash, Cygwin, or MSYS2 to run Linux tools or environments on Windows.

What is the best alternative to WSL?

Virtual machines are best for full environments, while MSYS2 and Docker are better for development workflows.

Is Docker better than a virtual machine?

Docker is faster and more efficient, but virtual machines provide full system control and better isolation.

Do I need a powerful PC?

Virtual machines require more resources, but lightweight tools like Git Bash and MSYS2 run on almost any system.

Can I run Linux GUI apps without WSL?

Yes, virtual machines support full GUI environments. Other tools require additional configuration.

Final Thoughts

You do not need WSL to use Linux on Windows. Whether you choose a virtual machine, container platform, or lightweight shell depends on your workflow.

Pick the method that matches your needs instead of forcing one approach. That is how you get both performance and flexibility without unnecessary complexity.

MCP vs Skills: Why the Debate Is Missing the Point

2026-04-19T06:30:00.009+05:45

MCP vs Skills: Why the Debate Is Missing the Point in 2026

By Bikram Bhujel | April 2026 | 6 min read | Category: AI Agents, Infrastructure, Systems Engineering

The AI engineering community keeps circling the same argument: MCP or Skills? Protocol or prompt file? The debate is real but the framing is wrong. Here is what actually matters when building agents that work in production.

FUNDAMENTALS

What is MCP and What Does It Actually Do?

The Model Context Protocol (MCP) is a standardized interface for how AI agents call external tools and services. It handles the mechanics of connecting an agent to capabilities it doesn't natively have: authenticated access to APIs, databases, file systems, communication services, and anything else that lives outside the model itself.

Think of MCP as plumbing. It defines how requests flow, how authentication is passed, how responses are structured, and how errors are communicated. It is infrastructure - necessary, foundational, and largely invisible when it works correctly. The debates about whether MCP consumes too much context window, whether it's being deprioritized by certain vendors, or whether a CLI replacement can be built in an afternoon are all debates about the plumbing. They matter, but they miss the larger picture.

MCP's core job is to expose capabilities in a way that agents can reliably discover and invoke. It doesn't tell an agent when to use a tool, how to handle edge cases, or what the right sequence of calls looks like for a given workflow. That's a different problem entirely.

FUNDAMENTALS

What Are Agent Skills?

Agent Skills - typically structured markdown or configuration files - encode the behavioral layer that protocols leave undefined. Where MCP says "here is a tool you can call," a Skill says "here is when to call it, how to handle what comes back, what to do when it fails, and what the overall workflow looks like."

Skills are the operational manual for a capability. They capture institutional knowledge about how a service actually behaves in practice, not just how it's theoretically documented. A well-written Skill encodes the difference between an agent that technically has access to an email service and one that uses it correctly - respecting rate limits, handling authentication errors gracefully, formatting outputs in ways that downstream steps can consume.

The clearest mental model: MCP is the hands. Skills are the instructions telling those hands what to do and when. Hands without instructions produce random output. Instructions without hands can't act on anything. Both are necessary components of a functioning system.

The criticism that Skills are "just prompts" misunderstands what prompts accomplish at the system level. A well-structured Skill that encodes reliable tool-use behavior is not a trivial artifact - it represents accumulated knowledge about how a specific integration should behave across varied inputs and failure modes. Dismissing it as "just a markdown file" is like dismissing a runbook as "just a document."

PRODUCTION REALITY

Why Production Agents Need Both

The MCP vs Skills framing presents a false choice. In any agent system operating at production quality, both layers are present and both serve distinct functions that the other cannot fulfill.

Consider an agent with access to an email service. MCP handles the authenticated connection, the API calls, the structured request and response format. Without MCP, the agent has no hands - it cannot interact with the service at all. But MCP alone produces an agent that knows the tool exists and can technically invoke it. It doesn't know whether to send an email or draft one first. It doesn't know how to handle a bounce. It doesn't know which fields are required versus optional for a given workflow.

The Skill fills that gap. It encodes the behavioral logic that makes tool access useful rather than merely functional. A Skill without MCP is a manual with no tools to operate. MCP without a Skill is raw access with no policy governing how that access gets used.

A Skill without tools is a manual with no hands. A tool without a Skill is raw power with no direction. Production agents use both.

This is not a controversial position. Most teams building agents seriously have arrived at this conclusion independently. The argument about which one matters more is a distraction from the actual engineering work.

THE DEEPER ISSUE

The Real Question Nobody Is Asking

Underneath MCP, Skills, A2A, ACP, and every other agent-protocol proposal circulating in 2026 is the same fundamental problem: how do you give non-human systems the properties that make human users trustworthy participants in digital infrastructure? Identity. Authentication. Structured messaging. Persistence across sessions. Interoperability across vendors and platforms.

Every new agent-specific protocol is an attempt to solve this problem by building new infrastructure specifically for agents. The implicit assumption is that agents need a different surface than humans - that the existing infrastructure of HTTP, browsers, shells, and APIs is insufficient for agentic use cases and therefore needs to be replaced or supplemented with something purpose-built.

That assumption has a poor track record. The protocols that accumulate real ecosystem gravity are the ones that build on existing infrastructure rather than alongside it. HTTP outlasted dozens of competing application-layer protocols. Shells outlasted graphical workflow environments for automation. The infrastructure that the entire commercial world already runs on has 40 years of reliability, tooling, security research, and institutional knowledge behind it.

Building new agent-to-agent rails from scratch is a bet that agents are different enough from human users to justify a parallel infrastructure stack. That bet may occasionally be correct for specific narrow use cases. As a general approach to agent infrastructure, it has historically produced fragmented ecosystems with high integration overhead and short shelf lives.

SYSTEMS THINKING

Agents and Existing Infrastructure

The more productive framing is not "which new protocol should agents use" but "how do we make agents first-class participants in the infrastructure that already exists everywhere." Agents that can authenticate as users in existing identity systems, interact with services through existing APIs, communicate through existing messaging protocols, and persist state in existing storage systems inherit decades of tooling, monitoring, and security hardening for free.

This doesn't mean MCP or Skills are wrong. It means the energy spent arguing about which one wins would be better directed toward the harder question: how do we integrate agent capabilities with the HTTP endpoints, OAuth flows, shell environments, and database interfaces that every organization already operates and trusts?

The agent protocols that will matter in five years are most likely the ones that extend existing infrastructure rather than replace it. The ones building entirely new interaction surfaces face an adoption barrier that compounds with every new vendor they ask to implement the spec.

The practical test: Does this protocol make agents better participants in infrastructure that already exists, or does it require building new infrastructure before agents can participate at all? The first approach scales. The second rarely does.

TAKEAWAY

The Practical Takeaway

What Actually Matters for Building Agents in 2026

MCP and Skills are complementary layers, not competing choices. Use both. The debate about which one wins is a distraction.

The more important architectural question is whether agent infrastructure extends what already exists or tries to replace it. History consistently rewards the former. New agent-specific protocols are worth evaluating, but the bar should be whether they reduce integration overhead against existing systems - not whether they represent an elegant standalone design.

Build agents that can participate in the infrastructure organizations already trust. That is a harder engineering problem than picking a protocol, and it is the one that actually determines whether agents work reliably in production environments.

Frequently Asked Questions

What is MCP in AI agents?

MCP (Model Context Protocol) is a standardized interface that defines how AI agents connect to and invoke external tools and services. It handles authentication, request formatting, response parsing, and error handling between an agent and the capabilities it needs to access. MCP is the infrastructure layer - it gives agents access to tools but does not define how those tools should be used.

What are Agent Skills and how do they differ from MCP?

Agent Skills are structured documents - typically markdown or configuration files - that encode the behavioral logic for using a specific tool or service correctly. Where MCP exposes what tools an agent can call, Skills define when to call them, how to interpret responses, how to handle failures, and what the correct workflow looks like for a given task. MCP is the mechanism of access; Skills are the policy governing that access.

Should production AI agents use MCP or Skills?

Production AI agents should use both. MCP and Skills solve different problems and are not interchangeable. MCP provides authenticated tool access. Skills provide the behavioral guidance that makes that access useful rather than just functional. An agent with MCP but no Skills has raw capability with no direction. An agent with Skills but no MCP has instructions but nothing to act on. Both layers are required for reliable production behavior.

What is the difference between MCP, A2A, and ACP protocols?

MCP (Model Context Protocol), A2A (Agent-to-Agent), and ACP (Agent Communication Protocol) are all proposals attempting to solve similar underlying problems: how agents establish identity, authenticate to services, communicate structured messages, and interoperate across different vendor platforms. They differ in scope, design philosophy, and ecosystem backing. All are circling the same fundamental challenge of making non-human systems trustworthy participants in digital infrastructure.

Why do new agent protocols keep emerging in 2026?

New agent protocols keep emerging because the fundamental problem - giving AI agents reliable identity, authentication, persistence, and cross-vendor interoperability - has not been conclusively solved by any single approach. Each new proposal reflects a different set of design priorities or vendor interests. The proliferation also reflects a recurring assumption that agents need purpose-built infrastructure separate from existing human-facing systems, an assumption that deserves more scrutiny than it typically receives.

Should AI agents use existing infrastructure like HTTP or purpose-built agent protocols?

The stronger engineering case is for agents that integrate with existing infrastructure rather than requiring new parallel systems. HTTP, OAuth, shells, and standard APIs carry decades of reliability, security research, and tooling that purpose-built agent protocols cannot replicate quickly. Protocols that extend existing infrastructure for agentic use cases have historically outperformed those that try to replace it. New agent-specific protocols are worth evaluating, but the meaningful test is whether they reduce integration friction against systems organizations already run - not whether they are elegantly designed in isolation.

Best Home Lab Services to Run in 2026: What to Install and In What Order

2026-04-18T15:07:00.045+05:45

Best Home Lab Services to Run in 2026: What to Install and In What Order

By Bikram Bhujel | April 2026 | 10 min read | Category: Home Server, Linux, Networking

A home lab is only as useful as the software running on it. Whether you just finished setting up Proxmox, Docker, or a NAS, the real question is what to actually run. This guide covers the services that make a home lab genuinely worth having, how to prioritize them, and the order that delivers the most value with the least instability.

IMPORTANT

The Most Common Home Lab Mistake

New home lab users frequently encounter a list of 40 self-hosted applications, install most of them in a weekend, and then wonder why nothing feels stable. The problem isn't ambition it's sequencing. More containers does not produce a better home lab. It produces more things that can break simultaneously.

The productive approach is to begin only with services you will open every week: tools that replace something you're already paying for externally, or that solve a concrete problem you have right now. Everything else can wait until the foundation is solid. That principle shapes the entire structure of this guide.

START HERE

Media Services: Jellyfin, Plex & Immich INSTALL FIRST

Jellyfin vs Plex

If you have a collection of films or television shows on local storage, Jellyfin or Plex transforms it into a proper streaming library with metadata, cover art, watch history, and support for practically every device you own. Media servers are typically where home lab users begin because the payoff is immediate configure the library once and you have something genuinely useful the same day.

The distinction between the two is straightforward: Jellyfin is fully open-source with no paid tier and no feature restrictions. Plex offers a polished free experience but reserves certain capabilities including offline downloads and enhanced remote streaming behind a Plex Pass subscription. For users who want full functionality without recurring costs, Jellyfin is the natural choice. Plex makes sense if you already subscribe or prefer its particular interface.

Immich: Self-Hosted Photo Backup

Immich is a self-hosted photo and video management platform built around automatic mobile backup. The experience is comparable to Google Photos browsing, search, albums, facial recognition except the data stays entirely on your own hardware. There is no subscription, no external account required, and no storage limit beyond what your drives provide.

For households where multiple people have phones full of photos they'd rather not store on a commercial platform indefinitely, Immich addresses a genuine privacy concern rather than an abstract one. The mobile app handles background uploads automatically. The interface has matured considerably and is now a viable daily driver for most users.

Which to prioritize? If a media collection is the primary motivation, start with Jellyfin or Plex. If photo privacy and backup are the bigger concern, Immich often delivers more immediate household value. Both are reasonable day-one installations.

NETWORK

Network Services: DNS Ad Blocking & Internal DNS HIGH PRIORITY

Pi-hole or AdGuard Home

A DNS-level ad blocker is one of the most impactful network improvements available to home lab users. Both Pi-hole and AdGuard Home work by intercepting DNS queries from every device on the network and refusing to resolve domains associated with advertising, tracking, and telemetry. The effect is network-wide: phones, smart TVs, laptops, and IoT devices all benefit without requiring any software installed on those devices.

Either tool runs quietly once configured and requires minimal ongoing attention. The practical impact shows up daily noticeably faster page loads on ad-heavy sites, reduced background data usage from apps reporting home to analytics servers, and cleaner browsing experiences across the entire household.

For a detailed side-by-side comparison of both tools including DNS encryption support, parental controls, and per-client configuration, see the full Pi-hole vs AdGuard Home comparison on this site.

Internal DNS

Once more than a handful of services are running, memorizing which IP address belongs to which application becomes an unnecessary cognitive burden. Internal DNS resolves this by mapping readable names to services allowing access to jellyfin.home or nas.home instead of numeric addresses and port numbers.

Both Pi-hole and AdGuard Home include DNS rewrite functionality natively. If one is already running for ad blocking, internal DNS can be handled in the same interface with no additional software. This is a setup that feels minor until it's in place, after which the lab feels considerably more organized and professional.

Important: DNS misconfiguration can take the entire network offline. Before making router-level DNS changes, confirm a fallback DNS server is configured and understand how your router distributes DNS settings to clients via DHCP.

NEXT LEVEL

Local Reverse Proxy & SSL AFTER DNS

Once internal DNS is working, a local reverse proxy like Nginx Proxy Manager extends it further. Instead of accessing services through IP addresses and port numbers, a reverse proxy lets you assign clean subdomain names and provision valid SSL certificates for them removing the browser security warnings that appear on self-hosted services by default.

The prerequisite for full functionality is owning a domain name, which not every home lab user will have initially. Internal DNS alone provides substantial usability improvement and is the right first step. A reverse proxy with SSL is the natural progression once DNS is stable and a domain is available.

PRODUCTIVITY

Productivity: Nextcloud & File Sync WHEN NEEDED

Nextcloud is the most comprehensive self-hosted productivity platform currently available. It handles file storage and sync, calendar and contacts, document collaboration, notes, and more functioning as a private alternative to Google Workspace or Microsoft 365. For users whose workflows genuinely depend on these features, Nextcloud is a strong option.

The practical caveat is that Nextcloud requires more administrative attention than most other services on this list. It benefits from regular updates, and the broader feature surface means more potential points of failure. For users who only need file sync between devices and a NAS, Syncthing is a more focused and lower-maintenance alternative that handles that specific task extremely well.

The decision comes down to how much of Nextcloud's feature set will realistically be used. When the answer is "most of it," Nextcloud earns its place. When the answer is "mostly just file sync," Syncthing is more appropriate.

CONVENIENCE

Home Lab Dashboard OPTIONAL

Applications like Homarr, Heimdall, and Homepage provide a single entry point to all running services. Most include built-in status indicators that show at a glance which services are currently online. A dashboard is not a priority during initial setup, but once five or six services are running it eliminates the need to remember different addresses for different tools. Configuration typically takes under 30 minutes and the usability improvement is immediate.

SMART HOME

Smart Home: Home Assistant IF RELEVANT

Home Assistant is the leading self-hosted smart home platform, built around consolidation. Its core function is pulling devices from different vendor ecosystems Zigbee, Z-Wave, Google, Apple, Amazon, MQTT, and hundreds of others into a single interface with a unified automation engine. The automation capabilities extend well beyond what individual manufacturer apps provide, enabling conditional logic, scheduling, and cross-device integrations that would otherwise be impossible.

Home Assistant is not a universal recommendation. Users with only a small number of smart devices may find the initial investment disproportionate. For anyone who is genuinely building out a smart home environment, however, Home Assistant becomes foundational infrastructure rather than a supplementary tool the kind of service that starts small and gradually becomes deeply integrated into daily routines.

CRITICAL

Backups: The Non-Negotiable Step DO NOT SKIP

Backups receive less attention than they deserve in home lab discussions, partly because they're unglamorous and partly because the consequences of skipping them only become apparent after something goes wrong. Running a home lab without a backup strategy means that every experiment, misconfiguration, or hardware failure carries the full risk of permanent data loss.

Proxmox Backup Server

For Proxmox-based environments, Proxmox Backup Server should be deployed as early as possible ideally in parallel with the first application installs, not afterward. It provides incremental, deduplicated backups of virtual machines on a configurable schedule. The deduplication capability is particularly valuable: effective deduplication ratios mean that backup storage requirements are a fraction of what uncompressed backups would require. More practically, having reliable VM backups converts experimentation from a risk into a routine restore from backup and be back to a known-good state in minutes.

Machine Backups: UrBackup

For protecting physical machines on the network Windows, macOS, or Linux UrBackup is a capable open-source option that runs as a background service with minimal administrative overhead. Users on Synology hardware may find Active Backup for Business a more integrated option given its native NAS support.

RAID is not a backup. RAID provides redundancy against drive failure. It offers no protection against accidental deletion, ransomware encryption, filesystem corruption, or user error. Proper data protection requires separate physical copies ideally with at least one stored in a different physical location from the primary system.

If the underlying filesystem supports snapshots (ZFS and Btrfs both do), configure them. Snapshots capture point-in-time states of data volumes and allow fast recovery from accidental changes a complement to full backups, not a replacement for them.

VISIBILITY

Monitoring: Uptime Kuma & Beszel EARLY PRIORITY

Uptime Kuma

Uptime Kuma performs one job reliably: it checks whether your services are responding and sends alerts when they stop. Without monitoring in place, a service can go offline for an extended period without anyone knowing until it's actually needed. Setup is minimal point it at each service URL and configure a notification channel. The time investment is small and the value is immediate.

Beszel

Beszel extends monitoring to the system layer, tracking CPU utilization, memory usage, disk capacity, and network throughput across the devices in the lab. Where Uptime Kuma identifies that a service has stopped responding, Beszel provides the context to understand why a disk approaching capacity, sustained CPU saturation, or abnormal memory consumption. Both tools are lightweight and complement each other well. Running both provides a clear picture of both service availability and underlying resource health.

SECURITY

Authentication & SSO INTERMEDIATE

A foundational security principle for any home lab: services should not share passwords, and any service accessible beyond the local network should have multi-factor authentication enabled. Separate accounts for separate services, strong unique passwords, and MFA wherever it's supported. These measures are straightforward to implement and significantly reduce exposure.

Once the lab has grown to the point where managing individual logins for every service becomes friction, a self-hosted single sign-on solution becomes worthwhile. Authentik is one of the more capable self-hosted identity providers available configure it once with strong authentication and use it as the login mechanism for multiple services. It improves both security and usability simultaneously.

Authentik has a real learning curve and is not an appropriate first-week project. It belongs on top of a stable, well-understood foundation the kind of addition that makes sense once the core of the lab is running reliably and the overhead of managing individual service logins has become a genuine inconvenience.

REMOTE ACCESS

Remote Access: VPN & Zero Trust Networking DO EARLY

WireGuard

WireGuard is the current standard for self-hosted VPN in home lab environments fast, cryptographically modern, and straightforward to configure compared to older alternatives. It requires port forwarding on the router to function, which works in most residential setups but fails when the ISP provides carrier-grade NAT (where the user does not control the upstream router).

Tailscale

Tailscale is the practical alternative for users behind double NAT or those who want the fastest path to functional remote access. It establishes encrypted peer-to-peer connections between devices without any port forwarding, using a relay infrastructure to handle connections that can't go direct. Installation takes minutes, configuration is minimal, and it works reliably across network topologies that would break a traditional VPN setup.

Zero Trust Networking

The model gaining adoption in the self-hosting community is zero trust networking an approach where access is granted to specific services for specific users rather than placing a user on the network broadly. Traditional VPN access gives a connected device potential reach across the entire network. Zero trust narrows that to exactly the services a given user needs and nothing more.

This model eliminates lateral movement as an attack surface: a compromised credential can only access what it was explicitly permitted to reach. For labs that expose services to external users or handle data that warrants careful access control, understanding zero trust principles is worthwhile even during early setup stages.

SUMMARY

Recommended Installation Order

Install in This Sequence

Useful applications first Jellyfin or Plex for media, Immich for photos, or Nextcloud/Syncthing for file sync. Pick the one that solves the most pressing current need. Run it for a week and confirm it actually gets used before adding more.
Backups simultaneously Proxmox Backup Server for VMs, UrBackup or equivalent for local machines. This should happen in parallel with step one, not weeks later.
Monitoring Uptime Kuma and Beszel. Low setup cost, immediate visibility benefit.
Network services Pi-hole or AdGuard Home with internal DNS rewrites. Improves every device on the network without touching any of them.
Remote access WireGuard or Tailscale. Configure this before the lab grows complex enough that remote troubleshooting becomes necessary.
Supporting tools Dashboard (Homarr or Homepage), reverse proxy with SSL (Nginx Proxy Manager) once a domain is available.
Advanced layers Home Assistant for smart home automation, Authentik for SSO, zero trust networking for access control. These belong on top of a stable foundation.

Service	Category	When to Install	Difficulty
Jellyfin / Plex	Media streaming	Day 1	Easy
Immich	Photo backup	Day 1	Easy
Proxmox Backup Server	VM backups	Day 1	Medium
UrBackup	Machine backups	Day 1	Easy
Uptime Kuma	Service monitoring	Week 1	Easy
Beszel	System monitoring	Week 1	Easy
Pi-hole / AdGuard Home	DNS ad blocking	Week 1	Easy
WireGuard / Tailscale	Remote access	Week 1–2	Easy–Medium
Nextcloud / Syncthing	File sync	When needed	Medium
Nginx Proxy Manager	Reverse proxy + SSL	After DNS + domain	Medium
Homarr / Homepage	Dashboard	After 5+ services	Easy
Home Assistant	Smart home	If relevant	Medium–Hard
Authentik	SSO / Identity	Intermediate stage	Hard

Frequently Asked Questions

What is the best first service to run on a home lab?

The best starting service depends on the most immediate need. For media collections, Jellyfin is the most common and rewarding first install. For household photo backup and privacy, Immich delivers concrete value quickly. Whichever application comes first, backups should be configured at the same time not added as an afterthought weeks later.

What is the difference between Jellyfin and Plex?

Jellyfin is fully open-source and free with no feature restrictions. Plex has a polished free tier but reserves certain features including offline sync, enhanced mobile playback, and some remote access features behind a paid Plex Pass subscription. For users who want full functionality without ongoing costs, Jellyfin is the stronger choice in 2026.

Is Nextcloud worth setting up on a home lab?

Nextcloud is worth setting up if you will genuinely use its broader feature set: file sync, calendar, contacts, and document collaboration. If the primary need is just syncing files between devices, Syncthing handles that specific task more reliably with significantly less maintenance overhead. The right choice depends on how much of Nextcloud's functionality you will actually use week to week.

What is the easiest way to get remote access to a home lab?

Tailscale is currently the fastest path to home lab remote access. It requires no port forwarding, works reliably behind carrier-grade NAT, and takes minutes to set up. WireGuard is the better option for users who prefer a fully self-hosted solution and have direct control over their router for port forwarding. Both are encrypted and well-suited to home lab use.

Does RAID replace the need for backups in a home lab?

No. RAID protects against a single drive failure and nothing else. It does not protect against accidental deletion, ransomware, filesystem corruption, or configuration errors. Proper data protection requires backups stored on separate physical media, ideally with at least one copy in a different physical location. RAID and backups serve complementary purposes both are necessary, neither replaces the other.

What is Immich and how does it compare to Google Photos?

Immich is a self-hosted photo and video backup platform that provides a Google Photos-like experience on your own hardware. Photos and videos stay entirely on your own storage there is no subscription fee, no commercial data access, and no storage limit beyond your drives. The mobile app handles automatic background backups from iOS and Android. It is a strong choice for users who want photo library management without dependence on a commercial cloud service.

How many services should a home lab beginner run?

Beginners should start with two or three services that address real, current needs not a broad collection of interesting applications. A home lab running a handful of well-configured, actively used services is significantly more valuable than a full dashboard of containers that rarely get opened. Complexity should be added incrementally, only after the existing foundation is stable and well understood.

What is the best monitoring tool for a home lab?

For most home lab setups, running both Uptime Kuma and Beszel together covers the full monitoring picture. Uptime Kuma monitors whether services are reachable and sends alerts when they go down. Beszel monitors the underlying systems CPU, memory, disk, and network to provide context on why a service may be struggling. Both are lightweight, easy to deploy, and complement each other well.

Pi-hole vs AdGuard Home: Which DNS Ad Blocker Should You Use in 2026?

2026-04-17T15:30:00.006+05:45

By Bikram Bhujel | April 2025 | 8 min read | Category: Networking, Home Server

Between 15–20% of all DNS traffic on a typical home network is ads, trackers, and telemetry software quietly phoning home without your knowledge. This guide compares Pi-hole and AdGuard Home across every dimension that matters so you can choose the right DNS level blocker for your setup.

BASICS

What is DNS-Level Ad Blocking?

Browser extensions like uBlock Origin are useful, but they only protect one device and can't see traffic from your smart TV, IoT sensors, or mobile apps. DNS-level ad blocking takes a completely different approach.

Every time a device on your network tries to reach a domain whether to load a webpage, fetch an ad, or phone home to a tracking server it first asks a DNS server for that domain's IP address. A DNS ad blocker steps into that role and simply refuses to resolve domains that appear on its blocklists. No address means no connection, which means the ad or tracker never loads at all.

The result: every phone, laptop, smart TV, game console, and connected appliance on your network gets automatic protection without installing a single thing on any of them. Pi-hole and AdGuard Home are the two most popular tools for doing exactly this.

ROUND 1

Installation & Setup DRAW

Both tools are remarkably easy to get running. If you're using a NAS platform like TrueNAS, both are available directly from the app catalog and install in a few clicks. For everyone else, Docker is the most common deployment method a single docker run command and you're up.

One notable difference: Pi-hole does not run natively on Windows, while AdGuard Home does. If Windows is your only server option, that decision is already made for you.

Both tools have excellent documentation and active communities. First-time setup for either takes under 15 minutes for most people.

Port conflict tip: If you're running Pi-hole alongside other web-facing services on the same machine, change Pi-hole's web interface port during setup to avoid conflicts. Port 80 is commonly used by other tools in a home server environment.

ROUND 2

User Interface Comparison PI-HOLE WINS

Pi-hole has a colorful, information-dense dashboard built for active monitoring. Real-time query charts are interactive and granular you can filter by client, inspect blocked domains by frequency, and track query trends over any time window. Several UI themes are available for those who want to customize the look.

AdGuard Home takes a cleaner, more minimal approach with both light and dark modes. The interface looks polished, but the activity charts are smaller and offer less interactivity than Pi-hole's. If you want to actively observe what's happening across your network hour by hour, Pi-hole's dashboard gives you considerably more to work with.

The practical difference: Pi-hole rewards users who like to monitor and tune their setup. AdGuard Home is better suited to those who want to configure it once and let it run quietly in the background.

ROUND 3

Setup & Configuration ADGUARD WINS

Upstream DNS Resolvers

Both tools let you select which DNS provider handles queries that aren't blocked. Pi-hole offers a clean list of popular providers like Cloudflare, Google, and Quad9 with one-click selection, plus a field for custom entries. AdGuard Home requires you to type in the address but compensates by offering a browsable catalog of hundreds of DNS servers to choose from.

Blocklists

This is where AdGuard Home gains a clear advantage. Pi-hole lets you add blocklists from any URL but has no built-in discovery mechanism you have to find the lists yourself from community sources like firebog.net. It's not difficult, but it's an extra step.

AdGuard Home includes a built-in catalog of curated blocklists covering ads, trackers, malware, gambling, and more. Adding comprehensive protection takes seconds rather than minutes of research.

Local DNS Records

Both tools support local DNS entries, letting you assign friendly names to devices on your network (so you can type nas.home instead of 192.168.1.50). Pi-hole manages A and CNAME records separately; AdGuard Home combines both into a single "DNS rewrites" list. The difference is minor both approaches work well.

ROUND 4

Feature Comparison ADGUARD WINS

Per-Client Control

Pi-hole uses a group system: you create groups, assign clients to them by IP or MAC address, and then link blocklists to those groups. It works reliably and gives you reasonable granularity.

AdGuard Home goes further. Every individual client can have its own upstream DNS server, its own custom blocking rules, and even a schedule for when blocking is active. Want to block social media on your kids' tablets only during school hours? AdGuard Home can do that. Pi-hole cannot.

Parental Controls and Category Blocking

AdGuard Home includes built-in parental controls and the ability to force SafeSearch on major search engines. It also lets you block entire categories of services gambling, cryptocurrency, adult content, social media with a single toggle. These features simply don't exist in Pi-hole without significant manual configuration.

For households with children or anyone wanting a quick way to manage what's accessible on the network, AdGuard Home is in a different league here.

ROUND 5

Security & Privacy ADGUARD WINS

Both tools support DNSSEC, which validates that responses from your upstream DNS resolver haven't been tampered with in transit. That's a useful baseline protection.

However, DNSSEC is not the same as DNS encryption. DNSSEC verifies the integrity of responses; DNS over HTTPS (DoH) and DNS over TLS (DoT) actually encrypt your DNS traffic so your ISP cannot see which domains you're querying.

AdGuard Home supports DoH and DoT natively. Pi-hole does not you need to install additional software like Unbound or cloudflared and configure them manually to achieve equivalent encryption.

A note on DNS privacy: Even with encrypted DNS, your ISP can see the IP addresses of sites you visit. Your DNS provider (like Cloudflare) can see your queries. True network privacy requires a VPN on top and then your VPN provider sees your traffic instead. There is no perfect solution, but DoH/DoT is still significantly better than sending DNS queries in plain text.

REAL-WORLD DATA

Real-World Performance

In practice, both tools perform reliably at DNS-level blocking, but the numbers reveal some interesting patterns. On a home network with around 27 connected devices, Pi-hole typically intercepts 15–17% of all DNS queries in a given day a figure that covers ad networks, analytics platforms, and background telemetry from apps and operating systems. Some unexpected sources show up regularly in blocked domain lists: Apple and certain privacy-focused browsers generate more DNS requests to ad-adjacent domains than most users would expect.

AdGuard Home's default blocklist configuration tends to start conservative, blocking around 7–8% of queries out of the box. The real potential unlocks when you add additional lists from the built-in catalog block rates climb to 18% or higher, which shows just how much the choice of blocklists affects real-world results. It's worth spending 10 minutes on the blocklist catalog during initial setup.

One notable AdGuard Home behavior: it uses a latency-based round robin system when multiple upstream DNS servers are configured. In most setups this means Cloudflare handles the majority of queries since it typically responds faster than alternatives like Quad9. This is an automatic optimization that Pi-hole doesn't replicate without manual configuration.

Side-by-Side Comparison Table

Category	Pi-hole	AdGuard Home	Winner
Installation ease	Very easy	Very easy	Draw
Windows support	No	Yes	AdGuard Home
Dashboard & UI	Rich, interactive charts	Clean but limited charts	Pi-hole
Blocklist catalog	Manual URLs only	Built-in catalog	AdGuard Home
Per-client controls	Group-based	Individual + scheduling	AdGuard Home
Parental controls	No (manual setup)	Yes (built-in)	AdGuard Home
DNS encryption (DoH/DoT)	Requires extra setup	Native support	AdGuard Home
DNSSEC	Yes	Yes	Draw
Community & support	Very large	Growing	Pi-hole
Configuration backup	Teleporter tool (easy)	YAML file (manual)	Pi-hole
Category blocking	No	Yes	AdGuard Home
SafeSearch enforcement	No	Yes	AdGuard Home

The Verdict: AdGuard Home for New Setups, Pi-hole If You're Already Running It

AdGuard Home edges out Pi-hole on the features that matter most for modern home networks: native DNS encryption, per-client scheduling, built-in parental controls, and a blocklist catalog that removes the research burden. For anyone setting up DNS-level blocking for the first time in 2025, AdGuard Home is the stronger choice.

That said, Pi-hole is excellent. If you already have it running and it's working well, there is no compelling reason to migrate. Pi-hole blocks ads just as effectively, has a more information-rich dashboard, and benefits from years of community knowledge and third-party tooling. The gap between them is real but not enormous.

ADVANCED

Setting Up Redundancy

Whichever tool you choose, running a single DNS server is a single point of failure. If your server goes offline for maintenance, a crash, or a power blip DNS resolution stops. Websites stop loading. Every device on your network grinds to a halt.

The solution is a secondary DNS node running on a different physical machine. Configure your router's DHCP settings to hand out both IPs as DNS servers, so devices automatically fall back to the secondary if the primary is unreachable.

Redundancy with Pi-hole

Pi-hole includes a built-in tool called Teleporter that exports your entire configuration blocklists, whitelist, local DNS records, group settings into a single archive file. Import that file into a second Pi-hole instance and they're in sync. It's genuinely one of Pi-hole's most practical advantages.

Redundancy with AdGuard Home

AdGuard Home stores all its configuration in a single file: AdGuardHome.yaml. To sync two nodes, copy that file from your primary server to the secondary. It works, but it requires SSH access and some comfort with the command line. Community tools like AdGuard Home Sync automate this process if you find yourself making frequent changes.

Alternatives Worth Knowing

Pi-hole and AdGuard Home dominate the conversation, but they're not the only options:

Unbound A recursive DNS resolver that queries authoritative DNS servers directly, removing the need for a third-party DNS provider entirely. More private, more complex.
Technitium DNS Server A full-featured DNS server with ad blocking capabilities, extensive protocol support, and a polished web UI. Worth exploring for advanced users.
NextDNS A cloud-based alternative that requires no self-hosting. Offers similar features to AdGuard Home via a subscription service.

Frequently Asked Questions

What is the difference between Pi-hole and AdGuard Home?

Both are DNS-level network ad blockers that protect every device on your home network. The key differences are that AdGuard Home natively supports DNS over HTTPS and DNS over TLS encryption, includes built-in parental controls, has a built-in blocklist catalog, and offers more granular per-device control. Pi-hole has a more detailed dashboard, a larger community, and a simpler backup/restore tool.

Does Pi-hole or AdGuard Home work on Windows?

AdGuard Home supports Windows natively. Pi-hole does not run directly on Windows, though you can run it on Windows through WSL2 (Windows Subsystem for Linux) or Docker Desktop. For Windows-only environments, AdGuard Home is the simpler choice.

Which is better for parental controls Pi-hole or AdGuard Home?

AdGuard Home is significantly better for parental controls. It includes built-in category blocking (gambling, adult content, social media), per-device scheduling so you can restrict access during specific hours, and SafeSearch enforcement on major search engines. Pi-hole requires manual blocklist curation to achieve similar results.

Does Pi-hole support DNS over HTTPS?

Not natively. To enable DNS over HTTPS with Pi-hole, you need to install a separate tool like cloudflared or Unbound and configure it to forward encrypted DNS queries. AdGuard Home supports DNS over HTTPS and DNS over TLS out of the box with no additional software required.

What percentage of DNS traffic is typically ads and trackers?

In real-world home network deployments, DNS ad blockers typically intercept between 15% and 20% of all DNS queries, depending on the blocklists configured and the types of devices on the network. Devices running ad-heavy apps, smart TVs, and IoT gadgets tend to generate the most blocked traffic. Choosing a comprehensive set of blocklists makes a significant difference AdGuard Home users who add extra lists from the built-in catalog often see block rates jump from under 8% to over 18%.

Can I run Pi-hole and AdGuard Home at the same time?

You can run them on the same hardware by assigning different ports, but you should only designate one as your active DNS server at a time. Some users run one as primary and the other as a secondary/backup, though using the same tool for both nodes is simpler to manage and troubleshoot.

What happens if my Pi-hole or AdGuard Home server goes offline?

If your DNS server goes offline and no secondary DNS is configured, devices on your network cannot resolve domain names, meaning websites and apps that rely on domain lookups will stop working. To prevent this, configure a secondary DNS node on a separate physical device and set your router's DHCP server to distribute both DNS addresses to connected devices.

AI Agents Explained: LLMs, Workflows, and Autonomous AI in Plain English

2026-04-13T11:00:00.006+05:45

Artificial Intelligence · Automation

📅 April 12, 2026 ✍ Bikram Bhujel ⏱ 10 min read

Why Everyone Is Talking About AI Agents

If you have spent any time following tech news recently, you have noticed one phrase appearing everywhere: AI agents. It is not just a buzzword. It represents a genuine shift in how artificial intelligence is being built and used.

The progression has moved in three clear stages. First came large language models, the technology behind ChatGPT, Claude, and Gemini. Then came workflows, which extended those models by connecting them to real tools. Now we are firmly in the age of agents, where AI systems make autonomous decisions without waiting for human instructions at every step.

This article breaks down each of those three levels in plain language, explains exactly what separates them, and shows you the tools people are actually using today to build with each approach.

Level 1

LLMs

ChatGPT, Claude, Gemini. Passive systems that respond to prompts and generate text output.

Level 2

Workflows

N8N and similar tools. LLMs connected to external services that follow predefined automation scripts.

Level 3

AI Agents

OpenClaw, Paperclip. Autonomous systems that receive a goal and decide independently how to achieve it.

Level 1: Understanding LLMs

Every popular AI tool you interact with today is built on what we call a Large Language Model, or LLM. Claude, ChatGPT, Gemini, and Perplexity all fall into this category. Understanding how they actually work makes it much easier to understand why agents are such a significant step forward.

An LLM operates in three stages. It receives an input, which is whatever text you type. It processes that input using patterns learned from enormous amounts of training data. Then it produces an output, typically text, though modern models can also generate images or video.

The process is genuinely impressive. You can ask an LLM to write a formal email, summarise a long document, answer technical questions, or generate code. It handles all of these tasks well because it has processed so much human-written content during training.

📌

A simple example: you type "write me an email to schedule a meeting with Alex" and the LLM immediately produces a polished, ready-to-send email. Input processed, output returned. That is the complete cycle of a basic LLM interaction.

The Real Limitations of LLMs

LLMs are powerful but they have a fundamental constraint that becomes obvious the moment you try to use them for anything personal or time-sensitive. They are passive systems.

They do not have access to your personal data. They cannot check your calendar, read your inbox, or look up what happened in the news this morning. They only know what they were trained on, and that training has a cutoff date.

Here is a concrete example. You ask your LLM "when is my next meeting with Alex?" It cannot answer correctly. It has no idea who Alex is, no access to your calendar, and no way to retrieve that information. It might generate a plausible-sounding response, but it will be wrong.

This limitation means LLMs cannot take initiative. They wait for you to prompt them, respond to what you asked, and then stop. Every action requires a human to start the process. That is exactly the gap that workflows and agents are designed to close.

The core limitation of LLMs in one sentence: They are trained on the world's data but they have no access to your data, your tools, or the current state of anything outside their training set.

Level 2: AI Workflows with N8N

The next evolution was connecting LLMs to external tools. The idea is straightforward: instead of the AI only knowing what it was trained on, give it the ability to reach out to live systems and take real actions.

The most widely used tool for building these connections is N8N, an open-source workflow automation platform. N8N lets you create pipelines where an LLM sits at the centre and can interact with services like Google Sheets, Gmail, social media platforms, databases, and hundreds of other integrations.

What a Workflow Actually Does

Think of a workflow as a detailed script that the AI follows. You define every step in advance. For example, a content creation workflow might work like this:

You submit a topic idea through a form or message
The LLM generates a script based on that idea
A video creation tool converts the script into a video
The finished video gets published automatically to TikTok or another platform

Each of those steps is predefined. N8N connects the services, the LLM handles the creative work, and the whole thing runs without you touching it after the initial setup. That is genuinely powerful and it solves the biggest limitation of standalone LLMs.

💡

N8N is free and open-source. You can self-host it on your own server for unlimited usage with no monthly fees. This makes it one of the most cost-effective automation tools available for individuals and small teams.

The Limitation Workflows Still Have

Workflows solve the connectivity problem but they introduce a rigidity problem. Every workflow follows a fixed, predefined path. If something changes in the real world that the workflow did not anticipate, it fails or produces wrong results.

You have to map out every possible scenario in advance with exceptional detail. If a new situation arises that falls outside the script, the workflow has no way to adapt. It simply breaks or produces an irrelevant result.

Advanced Workflows and RAG

Before we get to full AI agents, there is an important intermediate step worth understanding: advanced workflows with what is called RAG, or Retrieval Augmented Generation.

In a standard workflow, the LLM only works with what you explicitly give it. In an advanced workflow using RAG, the LLM is given access to multiple tools and it can decide which one to use based on your question. It retrieves information before generating its response.

Here is a practical example of what this looks like in action. You ask the system "how long will it take me to drive from the office to the client site?" The system understands that Google Maps is the right tool for this question, queries it automatically, and returns a real travel time. You did not tell it to use Google Maps. It figured that out on its own.

Or you ask "show me all emails sent by my sales team this week." The system recognises that this requires accessing Gmail, retrieves the relevant messages, and presents a summary. Again, no explicit instruction to go to Gmail was necessary.

🔍

RAG in simple terms: The AI searches before it speaks. Instead of answering from training data alone, it pulls in current, relevant information from connected sources and then generates a response based on what it actually found.

This is much more capable than basic workflows, but there is still a ceiling. The system is responding to individual requests. It is not setting its own agenda or pursuing multi-step goals without being asked each time. That is what agents do.

Level 3: AI Agents and Autonomous Decisions

AI agents represent the most significant shift in the entire progression. The defining characteristic is autonomy. You give an agent an objective, and it works out how to achieve that objective on its own.

With an LLM, you write a prompt and get a response. With a workflow, you trigger a predefined script. With an agent, you state a goal and step back.

The agent goes through three internal stages without needing your guidance at each one. First, it thinks through the best strategy for achieving the goal. Second, it selects and executes the appropriate tools. Third, it evaluates whether the goal was achieved and refines its approach if the result is not good enough.

What Makes This Different in Practice

Consider a real example. You tell an agent: "create marketing content for these two products and publish it." A workflow would need you to have pre-mapped every step of that process. An agent figures out the steps independently.

It decides which platforms to target. It chooses the right tone for each one. It generates the content, reviews it against the objective, improves it if needed, and publishes it. You gave it a goal, not a script.

One of the tools people are using for this today is OpenClaw, a chat-based AI agent system. Unlike standard ChatGPT interactions, OpenClaw allows you to install skills, which are essentially tool packages that extend what the agent can do. The more skills it has, the more capable it becomes at pursuing complex goals.

⚠️

AI agents are powerful but they require careful setup. Giving an agent access to live systems like email or social media means it can take real actions with real consequences. Always test in a controlled environment before deploying an agent on production systems.

Paperclip: Multi-Agent Orchestration

Single agents are capable. Multiple agents working together are extraordinary. That is the idea behind Paperclip, an open-source agent orchestration platform.

Instead of one agent trying to do everything, Paperclip lets you build a team of specialised agents. Think of it like running a small company. You have a manager agent at the top who receives the objective. Under the manager, you have specialist agents each focused on a specific domain.

A real-world setup might look like this:

A CEO agent receives high-level objectives and delegates work
A YouTube content agent handles video scripts and publishing
A LinkedIn agent manages professional content and engagement
An N8N automation agent builds and maintains workflow integrations
A research agent gathers information from external sources

You give the CEO agent a goal like "grow our content presence this month" and it distributes the work across the team. Each specialist agent focuses on what it does best. The results of multiple experts working in parallel far exceed what any single agent could produce alone.

Why Paperclip Matters

The real power here is the architecture. By separating concerns across multiple agents, each one can be optimised for its specific task. The YouTube agent has different tools, different context, and different evaluation criteria than the LinkedIn agent. They do not interfere with each other and they can work simultaneously.

Paperclip also integrates with existing AI models. You can use Claude or ChatGPT as the underlying intelligence inside individual agents within the Paperclip framework, combining the best of both worlds.

LLM vs Workflow vs Agent: Full Comparison

Now that we have covered all three levels, here is a direct comparison to make the differences concrete and memorable.

Feature	LLM	Workflow	AI Agent
How it starts	You write a prompt	A trigger fires the script	You give an objective
Decision making	None, responds to input	Follows predefined steps	Autonomous, chooses its own path
Access to tools	None by default	Fixed set defined in advance	Selects from available tools as needed
Handles surprises	Generates a response but cannot act	Breaks or produces wrong output	Adapts strategy and tries again
Personal data access	No	Yes, if connected	Yes, and it decides when to use it
Self-improvement	No	No	Yes, evaluates and refines its own output
Best example tools	ChatGPT, Claude, Gemini	N8N, Zapier, Make	OpenClaw, Paperclip

The trajectory is clear. Each level removes a layer of human involvement. LLMs need you to prompt every action. Workflows need you to script every scenario. Agents need you to state a goal, and then they handle the rest.

This does not mean agents replace the other two approaches. For many tasks, a simple LLM prompt is all you need. For predictable, repeatable processes, a workflow is faster and more reliable than an agent. The right tool depends on the complexity and variability of what you are trying to accomplish.

💡

If you are just starting with automation, begin with N8N workflows before jumping to agents. Workflows teach you how to think about connecting systems and defining processes. That foundation makes agent design much more intuitive when you are ready for it.

Frequently Asked Questions

What is the difference between an LLM and an AI agent?

An LLM is a passive system that waits for your input and generates a text response. An AI agent is an active system that receives a goal and autonomously decides which tools to use, what steps to take, and how to improve the result without needing step-by-step instructions from the user.

What is N8N and how does it relate to AI workflows?

N8N is an open-source workflow automation tool that connects LLMs to external tools and services like Google Sheets, Gmail, and social media platforms. It lets you build automated pipelines where AI can take actions beyond just generating text. It is free to self-host with no usage limits.

What is RAG in AI?

RAG stands for Retrieval Augmented Generation. It is a technique where an AI system searches external data sources before generating a response, allowing it to access current information and personal data that was not part of its original training. Instead of answering from memory alone, it retrieves relevant information first.

What is Paperclip and what makes it different from a single AI agent?

Paperclip is an open-source agent orchestration tool that lets you create multiple AI agents working together like a company. You assign each agent a specialisation, give a high-level objective to a manager agent, and it delegates tasks to the appropriate specialist agents automatically. Multiple specialised agents working in parallel produce far better results than one generalist agent trying to handle everything.

Can AI agents work without human input for every step?

Yes. Unlike LLMs that need a prompt for every action and workflows that follow a fixed predefined script, AI agents operate autonomously. You give them an objective and they decide the strategy, select the tools, execute the steps, and refine the output without needing human guidance at each stage.

Should I use an LLM, a workflow, or an agent for my use case?

It depends on the complexity of what you need. For one-off creative tasks or questions, a plain LLM is fastest. For predictable, repeatable processes with fixed steps, an N8N workflow is more reliable and efficient. For complex, variable goals where the path to success is not known in advance, an agent is the right choice.

Written by Bikram Bhujel · IT Infrastructure Specialist · Nepal · April 2026

Tags: AI Automation N8N AI Agents LLM ChatGPT Self-Hosted

How to Set Up qBittorrent with VPN, Sonarr, Radarr & Prowlarr on TrueNAS Scale

2026-04-12T16:50:00.000+05:45

Homelab · TrueNAS

📅 April 12, 2026 ✍ Bikram Bhujel ⏱ 12 min read

What We Are Building

Running a home media server is one thing. Running one that automatically finds, downloads, organises, and streams your content all while keeping your traffic private behind a VPN is a completely different level. That is exactly what this guide covers.

By the end, your TrueNAS Scale NAS will have a fully automated media pipeline. Prowlarr manages your torrent indexers. Sonarr handles TV shows. Radarr handles movies. qBittorrent does the actual downloading. And Gluetun wraps all of it inside a ProtonVPN WireGuard tunnel so your ISP never sees what you are doing. Jellyfin then picks up the finished files and serves them to every screen in your home.

💡

This guide was built and tested on TrueNAS Scale Community Edition with an Intel N100 processor and 16 GB RAM. The same approach works on any TrueNAS Scale system running Docker via Dockge.

The Full Stack Explained

Before touching any configuration, understand what each piece does and why it belongs in the setup.

VPN

Gluetun

A lightweight VPN client container. Every other container routes its traffic through Gluetun. Built-in kill switch if the VPN drops, downloads stop immediately.

Downloader

qBittorrent

The actual torrent client. Runs inside Gluetun's network so all peer connections happen over ProtonVPN, not your real IP address.

Automation

Sonarr

TV show automation. Monitors RSS feeds, grabs new episodes, renames files, and moves them to your library automatically.

Automation

Radarr

Same as Sonarr but for movies. Add a movie once Radarr finds it, downloads the best available quality, and organises it.

Indexer

Prowlarr

Central indexer manager. Add your torrent sites once in Prowlarr and it syncs them automatically to both Sonarr and Radarr.

Proxy

FlareSolverr

Bypasses Cloudflare protection on indexer sites like 1337x that block VPN IP addresses. Required for most major public indexers.

Prerequisites

TrueNAS Scale installed and accessible on your local network
A storage pool created this guide uses a pool named Pool
Jellyfin installed with your media dataset already configured
A paid ProtonVPN account the free tier lacks port forwarding and uses throttled servers
Dockge installed from the TrueNAS community app catalog
Basic comfort navigating the TrueNAS web interface

🔑

Never share your WireGuard Private Key publicly. It authenticates your identity to the VPN server. Anyone with it can use your VPN quota and get your ProtonVPN account flagged. Treat it exactly like a password if you accidentally share it, generate a new one immediately.

Setting Up Dockge on TrueNAS Scale

Dockge is a visual Docker Compose manager that runs as a TrueNAS app. It gives you a clean UI to deploy and manage multi-container stacks without touching the command line for most tasks.

Go to Apps → Discover Apps and search for Dockge
Install it, pointing Dockge Stacks Storage to /mnt/Pool/dockge as a Host Path
Note the WebUI port number shown after installation completes
Access Dockge at http://YOUR_TRUENAS_IP:PORT in your browser

Once inside Dockge, any compose stacks you deploy appear in the left sidebar with real-time container status. It also streams logs from every container in one place, which makes troubleshooting straightforward.

The Docker Compose File

All six services live in a single compose file. Every container except Gluetun itself uses network_mode: service:gluetun this means they share Gluetun's network interface and all their traffic routes through the VPN tunnel automatically.

In Dockge, click + Compose, name your stack media-stack, and paste the following:

docker-compose.yml YAML

version: "3"
services:

  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    dns:
      - 8.8.8.8
      - 1.1.1.1
    ports:
      - "8081:8080"   # qBittorrent WebUI
      - "8989:8989"   # Sonarr
      - "7878:7878"   # Radarr
      - "9696:9696"   # Prowlarr
      - "8191:8191"   # FlareSolverr
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<YOUR_PRIVATE_KEY_HERE>
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - SERVER_COUNTRIES=Singapore
      - DOT=off
      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: service:gluetun
    environment:
      - PUID=568
      - PGID=568
      - TZ=Asia/Kathmandu
      - WEBUI_PORT=8080
    volumes:
      - /mnt/Pool/config/qbittorrent:/config
      - /mnt/Pool/Jellyfin/JellyFin_Content:/downloads
    depends_on:
      - gluetun
    restart: unless-stopped

  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    container_name: sonarr
    network_mode: service:gluetun
    environment:
      - PUID=568
      - PGID=568
      - TZ=Asia/Kathmandu
    volumes:
      - /mnt/Pool/config/sonarr:/config
      - /mnt/Pool/Jellyfin/JellyFin_Content:/media
    depends_on:
      - gluetun
    restart: unless-stopped

  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    network_mode: service:gluetun
    environment:
      - PUID=568
      - PGID=568
      - TZ=Asia/Kathmandu
    volumes:
      - /mnt/Pool/config/radarr:/config
      - /mnt/Pool/Jellyfin/JellyFin_Content:/media
    depends_on:
      - gluetun
    restart: unless-stopped

  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    network_mode: service:gluetun
    environment:
      - PUID=568
      - PGID=568
      - TZ=Asia/Kathmandu
    volumes:
      - /mnt/Pool/config/prowlarr:/config
    depends_on:
      - gluetun
    restart: unless-stopped

  flaresolverr:
    image: ghcr.io/flaresolverr/flaresolverr:latest
    container_name: flaresolverr
    network_mode: service:gluetun
    environment:
      - LOG_LEVEL=info
      - TZ=Asia/Kathmandu
    depends_on:
      - gluetun
    restart: unless-stopped

networks: {}

⚠️

Replace <YOUR_PRIVATE_KEY_HERE> with your actual WireGuard private key from ProtonVPN. Also update volume paths if your pool or dataset names differ from this guide.

Configuring ProtonVPN WireGuard with Gluetun

WireGuard is the right choice over OpenVPN here. It is faster, uses less CPU, and establishes connections in milliseconds. On a low-power processor like the Intel N100, the difference is meaningful under sustained load.

Getting Your WireGuard Config from ProtonVPN

Log in at account.proton.me and go to VPN → Downloads → WireGuard configuration
Select a server with low load percentage — servers at 10–20% load give the best performance
Select WireGuard as the protocol and download the config file
Copy the PrivateKey value from the [Interface] section and paste it into your compose file

Key Environment Variables Explained

Variable	Value	Purpose
VPN_SERVICE_PROVIDER	protonvpn	Tells Gluetun which provider's server list to use
VPN_TYPE	wireguard	Protocol selection WireGuard is faster than OpenVPN
WIREGUARD_ADDRESSES	10.2.0.2/32	Your VPN tunnel IP from the ProtonVPN config file
DOT=off	off	Disables DNS-over-TLS, preventing DNS resolution failures on startup
FIREWALL_OUTBOUND_SUBNETS	192.168.0.0/24	Allows containers to reach your local network for qBittorrent and Jellyfin communication

Verifying the VPN is Working

After deploying the stack, open the Gluetun container logs in Dockge. A successful connection shows:

Gluetun container log LOG

INFO [wireguard] Connecting to 149.50.211.164:51820
INFO [vpn] wireguard setup is complete
INFO [ip getter] Public IP address is 159.26.115.129 (Singapore, Singapore)

That Singapore IP confirms your traffic is leaving through ProtonVPN and not your real ISP connection. Every container sharing Gluetun's network uses this same tunnel.

Connecting Prowlarr, Sonarr and Radarr

With all containers running, the wiring is straightforward. Prowlarr acts as the central hub — configure indexers once there and it pushes them to both Sonarr and Radarr automatically.

Step 1: Connect Apps in Prowlarr

Open Prowlarr at http://YOUR_NAS_IP:9696 and go to Settings → Apps → Add
Add Sonarr — Server: http://localhost:8989 — API Key: copy from Sonarr → Settings → General
Add Radarr — Server: http://localhost:7878 — API Key: copy from Radarr → Settings → General
Both should show Full Sync status when connected successfully

Step 2: Add Indexers in Prowlarr

Go to Indexers → Add Indexer and add the following. Test each one before saving:

YTS best for high-quality movie releases, works reliably through VPN
EZTV solid TV show indexer
Nyaa.si essential if you watch anime
1337x general purpose, requires FlareSolverr (see next section)
TorrentGalaxy good fallback for both movies and TV

Step 3: Add qBittorrent as Download Client

In both Sonarr and Radarr, go to Settings → Download Clients → Add → qBittorrent and enter your NAS IP, qBittorrent port, username, and password. Click Test if it returns green, save it.

Step 4: Set Root Folders

In Radarr → Settings → Media Management → Root Folders, add /media/Movies. In Sonarr, add /media/TV. These paths match the volume mounts defined in the compose file.

Adding FlareSolverr for 1337x and Cloudflare-Protected Sites

Many popular torrent indexers use Cloudflare bot protection. When Prowlarr running behind a VPN IP tries to access sites like 1337x, Cloudflare blocks the request. FlareSolverr sits between Prowlarr and the indexer, handling the challenge automatically.

Go to Prowlarr → Settings → Indexers → Indexer Proxies → Add
Select FlareSolverr as the proxy type
Set the URL to http://localhost:8191
Click Test you should see a green success response
When adding 1337x as an indexer, assign this FlareSolverr proxy to it in the indexer settings

💡

Use localhost:8191 not your NAS IP because FlareSolverr and Prowlarr share the same Gluetun network namespace and communicate internally without leaving the container network.

Pointing Jellyfin at Your Media Folders

If you already have Jellyfin running as a native TrueNAS app, connecting it to your download folders is quick. Under Storage Configuration → Additional Storage, add these host path entries:

Mount Path (inside Jellyfin container)	Host Path (on TrueNAS disk)
/Movies	/mnt/Pool/Jellyfin/JellyFin/Movies
/TV	/mnt/Pool/Jellyfin/JellyFin/TV
/Documentary	/mnt/Pool/Jellyfin/JellyFin/Documentary

When Radarr downloads a movie and moves it to /media/Movies inside its container, that maps directly to /mnt/Pool/Jellyfin/JellyFin_Content/Movies on disk exactly where Jellyfin is looking. Download finishes, Jellyfin picks it up automatically, it appears in your library within minutes.

Frequently Asked Questions

Can I use ProtonVPN free tier with qBittorrent on TrueNAS Scale?

Technically yes, but it is not practical for a media server. The free tier throttles speeds, limits you to three server locations, and does not support port forwarding. Without port forwarding, qBittorrent operates in passive mode with fewer peer connections and slower downloads. A paid ProtonVPN plan removes all these restrictions.

Does Gluetun have a kill switch?

Yes and it is always enabled by default. Gluetun uses iptables rules to block all outbound internet traffic for containers sharing its network unless that traffic routes through the VPN tunnel. If the WireGuard connection drops, qBittorrent immediately loses internet access. Your real IP is never exposed.

What is FlareSolverr and why do I need it?

FlareSolverr is a headless browser proxy that solves Cloudflare bot challenges. When Prowlarr queries indexers like 1337x from a VPN IP address, Cloudflare often returns a 403 block. FlareSolverr handles the JavaScript challenge automatically and passes the result back to Prowlarr, making the indexer accessible through the VPN.

Why use WireGuard instead of OpenVPN with Gluetun?

WireGuard is faster, more efficient, and simpler than OpenVPN. It uses modern cryptography, has a codebase roughly 100 times smaller which reduces the attack surface, and establishes tunnels in under a second. On a 24/7 NAS handling multiple workloads, WireGuard's lower CPU overhead is a meaningful advantage.

Do Sonarr and Radarr need to be inside the VPN tunnel?

They do not strictly need to be, but running them inside Gluetun's network is best practice. It ensures all their outbound traffic indexer queries, metadata fetches, update checks — also routes through the VPN. It also simplifies networking since all containers communicate over localhost rather than needing your NAS IP address.

How do I verify my torrent traffic is going through the VPN?

Check the Gluetun container logs in Dockge. Look for the line starting with "Public IP address is" — it shows the VPN server's IP and location. You can also add a test magnet link from ipleak.net to qBittorrent, which reports the IP address used for that torrent connection. It should show the VPN IP, not your real ISP IP.

Written from a real homelab build. Tested on TrueNAS Scale Community Edition · Intel N100 · 8 GB DDR4 · April 2026

Tags: TrueNAS Homelab Docker ProtonVPN Sonarr Radarr Prowlarr Jellyfin Self-Hosted qBittorrent WireGuard

Claude Mythos Explained: AI Cybersecurity Risks, Capabilities, and Impact on Software Development

2026-04-11T21:51:00.000+05:45

Artificial intelligence is rapidly transforming software development, but recent advancements are introducing new security challenges. One of the most discussed developments is Claude Mythos a highly advanced AI model with the ability to analyze, detect, and potentially exploit vulnerabilities in modern systems.

This guide explains what Claude Mythos is, its cybersecurity implications, and what developers and organizations need to understand moving forward.

What Is Claude Mythos?

Claude Mythos is an advanced AI model designed for high-level reasoning, coding, and system analysis. Unlike traditional models that focus on generating code or text, it demonstrates deeper understanding of software architecture and behavior.

This allows it to:

Analyze complex systems at scale
Identify hidden vulnerabilities
Simulate real-world attack scenarios

These capabilities position it as both a powerful development tool and a potential cybersecurity risk.

Why This AI Model Is Not Publicly Available

Access to Claude Mythos is currently restricted. The reason is not performance it is risk.

Because of its ability to uncover vulnerabilities quickly, early access has been limited to major technology companies. This allows them to patch systems before broader exposure.

This controlled release signals a shift in how advanced AI systems are handled.

AI Cybersecurity Risks You Need to Understand

The biggest concern is how AI accelerates vulnerability discovery.

Faster identification of security flaws
Reduced time between discovery and exploitation
Increased attack surface for modern applications

In traditional environments, vulnerabilities could remain undiscovered for years. With AI, that timeline is shrinking dramatically.

Autonomous Vulnerability Detection and Exploitation

One of the most important shifts is the level of autonomy AI systems now demonstrate.

Advanced models can:

Scan entire codebases
Detect vulnerabilities without manual input
Suggest or simulate exploit strategies

This introduces a new paradigm where both attackers and defenders can leverage AI.

Key Takeaways for Developers

Security must be integrated early in development
AI-assisted code review will become standard
Manual testing alone is no longer sufficient
Continuous monitoring is essential

Developers who adapt to AI-assisted workflows will be better positioned in this evolving landscape.

Future of Software Development with AI

The development lifecycle is shifting toward automation:

AI writes and reviews code
AI identifies and patches vulnerabilities
AI systems monitor production environments

This creates a feedback loop where systems continuously improve and secure themselves.

Risk vs Opportunity

Like all advanced technologies, AI introduces both benefits and risks.

Risk: Accelerated discovery of exploitable weaknesses
Opportunity: Stronger, more resilient systems

The outcome depends on how organizations implement AI in their workflows.

Related Guides

Frequently Asked Questions

What is Claude Mythos?

It is an advanced AI model capable of analyzing software systems and identifying vulnerabilities at scale.

Why is Claude Mythos restricted?

Because of its ability to rapidly discover security flaws, access is limited to reduce risk.

How does AI impact cybersecurity?

AI accelerates vulnerability detection and changes how systems are secured and monitored.

Will AI replace developers?

No, but it will significantly change how development and security processes are performed.

How can developers prepare?

By adopting AI tools, improving security practices, and staying updated with emerging technologies.

Conclusion

Claude Mythos represents a shift in how software systems are built and secured. The focus is no longer just functionality it is resilience against increasingly capable AI-driven analysis.

Understanding this shift early allows developers and organizations to adapt and stay ahead.

Automate Your Newsletter with Listmonk (RSS to Email Workflow Guide)

2026-04-11T21:31:00.003+05:45

If you’re running a blog and using Listmonk, automation is the step that turns your setup into a real publishing system. Instead of manually creating campaigns, you can automatically convert blog posts into email newsletters.

This guide explains how to build a complete automation pipeline from RSS feed to delivered email using Listmonk and a lightweight Python script.

How the Automation Works

Blog (RSS Feed)
        ↓
Python Script
        ↓
Listmonk API
        ↓
Email Campaign → Sent Automatically

This architecture ensures that every new article is distributed consistently without manual effort.

Step 1: Get Your RSS Feed

If you're using Blogger, your RSS feed is available at:

https://www.bikrambhujel.com.np/feeds/posts/default?alt=rss

This feed acts as the data source for your automation.

Step 2: Install Dependencies

pip3 install feedparser beautifulsoup4 requests

Step 3: Fetch and Format Latest Posts

import requests
import feedparser
from bs4 import BeautifulSoup

RSS_URL = "https://feeds.feedburner.com/BikramBhujel"

feed = feedparser.parse(RSS_URL)
posts = feed.entries[:5]

content = "<h2>Weekly IT Insights</h2>"

for post in posts:
    title = post.title
    link = post.link
    summary = BeautifulSoup(post.summary, "html.parser").get_text()[:120]

    content += f"""
    <h3>{title}</h3>
    <p>{summary}...</p>
    <a href="{link}">Read More</a>
    <hr>
    """

This script collects the latest five posts and formats them into an email-friendly structure.

Step 4: Create Campaign via Listmonk API

response = requests.post(
    "https://your-domain/api/campaigns",
    auth=("admin", "API_TOKEN"),
    json={
        "name": "Weekly Newsletter",
        "subject": "Latest Insights from Bikram Bhujel",
        "lists": [3],
        "type": "regular",
        "content_type": "html",
        "body": content
    }
)

Step 5: Send Campaign Automatically

campaign_id = response.json()["data"]["id"]

requests.put(
    f"https://your-domain/api/campaigns/{campaign_id}/status",
    auth=("admin", "API_TOKEN"),
    json={"status": "running"}
)

This step removes the need for manual sending.

Best Practice: Use Digest Instead of Single Post

Single post emails: High frequency, lower engagement
Digest emails: 3–5 posts, higher value (recommended)

Digest newsletters reduce inbox fatigue and improve click-through rates.

Common Issues

Invalid list ID: Use numeric ID (e.g., 3), not UUID

Authentication error: Use API token correctly

No emails sent: Check SMTP configuration and subscriber count

Frequently Asked Questions

Can Listmonk automate email sending?

Yes. Using the API, you can create and send campaigns automatically.

How many posts should I include in a newsletter?

Three to five posts provide a good balance between value and readability.

Does this work with Blogger RSS?

Yes. Blogger RSS feeds work seamlessly with this setup.

Can I schedule emails instead of sending instantly?

Yes. You can use the send_at field in the API request.

Is this setup suitable for production use?

Yes. With proper SMTP and domain configuration, it is production-ready.

Conclusion

Automating your newsletter with Listmonk transforms your blog into a complete distribution system. Once configured, every post is automatically delivered to your audience in a structured format.

For the initial setup, refer to this guide:

Self-Hosted Email Newsletter Setup Using Listmonk

Self-Hosted Email Newsletter Setup Using Listmonk (Complete Guide)

2026-04-11T17:41:00.002+05:45

If you want full control over your email newsletters without relying on third-party platforms, this guide walks through a complete real world setup using Listmonk, SMTP, and domain authentication.

Why Build Your Own Newsletter System?

Most platforms are convenient but restrictive. A self hosted system gives you:

Full control over branding and data
No recurring subscription costs
Flexibility in customization

Tools and Stack Used

Listmonk (open-source newsletter manager)
Brevo SMTP for email delivery
Custom domain (subscribe.bikrambhujel.com.np)
Cloudflare for DNS management
Ubuntu Server (self-hosted)

Step 1: Install and Configure Listmonk

Deploy Listmonk on your server and expose it via a subdomain. This allows centralized management of subscribers and campaigns.

Step 2: Configure SMTP for Email Sending

Host: smtp-relay.brevo.com
Port: 587
Encryption: STARTTLS

This enables your system to send emails reliably through an external provider.

Step 3: Configure DNS (SPF, DKIM, DMARC)

SPF

v=spf1 include:spf.brevo.com ~all

DKIM

Configured via SMTP provider.

DMARC

v=DMARC1; p=none; rua=mailto:info@bikrambhujel.com.np

These records improve trust and authentication of your emails.

Step 4: Create Email Templates

Design a reusable layout with header, content block, and footer. Use dynamic placeholders for campaigns.

Step 5: Create and Send Campaigns

Campaigns include subject line, content, and audience. Keep subject lines simple and benefit-focused to improve open rates.

Step 6: Import Subscribers

Prepare a clean CSV file and import into Listmonk. Only include users who expect your emails.

Why Emails Go to Spam Initially

New domains lack reputation. Even with correct setup, email providers may classify emails as spam until trust is built.

How to Improve Deliverability

Start with small batches
Encourage replies and engagement
Send consistently

Self-Hosted vs Email Platforms

Email platforms use shared reputation, while self-hosted systems rely on domain reputation. The latter takes time but offers long-term control.

Security Note

Sensitive information such as SMTP passwords, API keys, and private credentials should never be shared publicly. Always store them securely using environment variables or protected configuration files.

Conclusion

A self-hosted newsletter system requires effort but provides unmatched flexibility and ownership. With proper setup and consistency, it becomes a powerful communication tool.

Frequently Asked Questions (FAQ)

Is Listmonk better than Mailchimp?

Listmonk offers more control and no recurring costs, while Mailchimp provides ease of use and built-in reputation.

Why are my emails going to spam?

New domains lack reputation. Engagement and consistent sending improve inbox placement over time.

Do I need SPF, DKIM, and DMARC?

Yes, these are essential for authentication and improving deliverability.

Can I use this setup for business newsletters?

Yes, once properly configured, this setup is suitable for professional and business use.

How long does it take to reach inbox?

Typically a few days to a couple of weeks, depending on engagement and sending behavior.

Kubernetes Troubleshooting: Essential kubectl Commands That Actually Work

2026-04-10T12:43:00.002+05:45

It's 3 AM. Your Kubernetes cluster is behaving strangely. Pods are crashing, services aren't responding, and you have no idea where to start looking. This is where most engineers panic and start wildly scrolling through pod logs.

Stop. There's a systematic way to debug Kubernetes that works every time. In this guide, I'll walk you through the exact kubectl commands and troubleshooting approach that experienced engineers use daily no guesswork, just results.

Why Kubectl Troubleshooting Matters

Kubernetes abstracts away infrastructure complexity, which is great until something breaks. When it does, you can't just ssh into a box and poke around. You need to understand how to query the cluster state, inspect logs, and trace problems from the cluster level down to individual containers.

The good news: kubectl gives you everything you need. You just need to know what to ask.

The Top Down Troubleshooting Approach

Always start at the cluster level and work your way down. Most issues reveal themselves in this progression:

Cluster health Is the cluster itself working?
Namespace health Are resources in the right namespace?
Pod status Are pods running or stuck?
Container logs What's the application actually doing?

This ordering saves hours. Don't skip to logs immediately you'll miss obvious issues.

Step 1: Check Cluster Health

Start here every single time:

kubectl get nodes

This shows all nodes in your cluster. Look for the STATUS column. You want Ready, not NotReady or SchedulingDisabled.

If a node is NotReady, dig deeper:

kubectl describe node <node-name>

This shows conditions, capacity, and recent events. Look for things like DiskPressure, MemoryPressure, or PIDPressure. These are often the culprit.

Check component health:

kubectl get cs

This gives you the status of core Kubernetes components: api-server, controller-manager, scheduler. If any show Unhealthy, your cluster has fundamental problems.

Step 2: Check Namespace and Pod Status

Once the cluster looks healthy, narrow down to your workload:

kubectl get pods -n <namespace>

Look at the STATUS column. Healthy pods show Running. Problem pods show things like:

Pending Pod can't be scheduled (usually resource constraints)
CrashLoopBackOff Application is crashing repeatedly
ImagePullBackOff Can't pull the container image
OOMKilled Out of memory
Evicted Node ran out of resources and killed the pod

For more detail on a specific pod:

kubectl describe pod <pod-name> -n <namespace>

Read the Events section at the bottom. This is your treasure map. It shows exactly what happened in chronological order.

Step 3: Get Inside the Logs

Now you can safely look at logs:

kubectl logs <pod-name> -n <namespace>

If the pod has multiple containers, specify which one:

kubectl logs <pod-name> -c <container-name> -n <namespace>

For a crashing pod, see the previous run's logs:

kubectl logs <pod-name> --previous -n <namespace>

Stream logs in real-time:

kubectl logs -f <pod-name> -n <namespace>

The -f flag works just like tail -f on Linux.

Step 4: Check Services and Networking

If pods are running but your app is unreachable:

kubectl get svc -n <namespace>

Look at the CLUSTER-IP and EXTERNAL-IP. Make sure they exist and look reasonable.

Check endpoints:

kubectl get endpoints -n <namespace>

A service with no endpoints means the selector isn't matching any pods. This is surprisingly common.

Test connectivity from inside the cluster:

kubectl exec -it <pod-name> -n <namespace> -- /bin/sh

Now try to reach the service from inside the pod. This tells you if the issue is external routing or internal networking.

Real-World Example: Debugging a CrashLoopBackOff

Let's say you deploy an app and immediately see CrashLoopBackOff. Here's exactly what you do:

1. Get the pod status:

kubectl get pods -n production

You see your app is CrashLoopBackOff.

2. Describe the pod:

kubectl describe pod myapp-abc123 -n production

The Events section shows "Back-off restarting failed container".

3. Check the logs from the previous run:

kubectl logs myapp-abc123 --previous -n production

You see: "Error: Database connection refused".

4. Check if the database service exists:

kubectl get svc -n production | grep database

Nothing. The database service isn't running.

5. Deploy the database:

kubectl apply -f database.yaml -n production

6. Verify the app recovers:

kubectl get pods -n production

Your app should move to Running now.

That's the entire workflow. Top-down, methodical, and it works.

Essential Commands Reference

Cluster overview:

kubectl cluster-info General cluster information
kubectl get nodes List all nodes and their status
kubectl describe node <name> Detailed node info

Pod debugging:

kubectl get pods -A All pods in all namespaces
kubectl describe pod <name> Pod events and status
kubectl logs <pod> Container logs
kubectl logs <pod> --previous Previous run logs
kubectl logs -f <pod> Stream logs
kubectl exec -it <pod> -- /bin/sh Shell into a pod

Services and networking:

kubectl get svc List services
kubectl get endpoints Service endpoints
kubectl port-forward <pod> 8080:8080 Forward local port to pod

Resource inspection:

kubectl get all -n <namespace> Everything in a namespace
kubectl describe <resource-type> <name> Details on any resource
kubectl events -n <namespace> Recent cluster events

Common Mistakes to Avoid

Not specifying the namespace. kubectl defaults to the "default" namespace. Your pod might be in "production". Always use -n or set your default context.

Skipping the describe step. People jump straight to logs. The Events section in describe output often tells you the real problem before you even look at application logs.

Ignoring node-level issues. If multiple pods are failing in strange ways, check your nodes first. Disk full, out of memory, or kernel panics will affect everything.

Not checking the selector. Pods not being created? Service with no endpoints? Check if your labels match your selectors.

Assuming logs are the root cause. An error in logs is a symptom, not always the cause. A pod might crash because a dependency is missing, not because of code in the pod itself.

When to Escalate

If your cluster itself is unhealthy (nodes NotReady, api-server Unhealthy), you're looking at infrastructure or etcd problems. This needs a different level of troubleshooting.

If individual pods are hitting resource limits repeatedly (OOMKilled, CPU throttling), it's a capacity planning issue, not a bug.

If networking looks broken (endpoint discovery failing, services not accessible), check your CNI plugin and network policies.

The Bottom Line

Kubernetes troubleshooting isn't magic. It's a repeatable process: start at the cluster, work down to the namespace, then the pod, then the container. Use kubectl describe for context, logs for details, and always check the Events section first.

Next time something breaks at 3 AM, you'll know exactly where to look.

Share Mobile Internet to Router via Ethernet (Easy Guide)

2026-04-08T16:36:00.002+05:45

Sharing your phone’s internet with a router is a practical fallback when broadband isn’t available. With a USB-C to LAN adapter and an Ethernet cable, you can convert mobile data into a wired connection for your router.

What You Need

Smartphone with USB-C support
USB-C to Ethernet adapter
Ethernet cable
Router with WAN port

Step-by-Step Setup

Connect the USB-C to LAN adapter to your phone. Plug the Ethernet cable into the adapter and the router’s WAN port.

On your phone, go to Settings → Connections → Mobile Hotspot and Tethering, then enable Ethernet tethering. Your phone will automatically assign an IP address to the router.

Within seconds, the router should be online. You can verify by connecting a device and running a speed test.

Why This Works

Ethernet tethering turns your phone into a wired modem. Compared to Wi-Fi hotspot, it reduces interference and provides a more consistent connection.

Will This Be Reliable?

Reliability depends mainly on your mobile network quality. If your 4G or 5G signal is strong and stable, the connection will perform well for browsing, streaming, and light office work.

That said, network congestion, weak signal, or extended usage can affect performance. Battery drain and device heating are also factors, so keeping your phone charged helps maintain stability.

Conclusion

Ethernet tethering gives you a fast, stable way to power your router using mobile data. It’s simple to set up, more consistent than Wi-Fi hotspot, and ideal as a backup internet solution. While not a permanent replacement for broadband, it delivers reliable performance when you need quick connectivity.

FAQ

1. Does every phone support Ethernet tethering?
No, only selected Android devices with USB-C and tethering support offer this feature.

2. Is this faster than a hotspot?
Often yes. Wired connections reduce interference and improve stability.

3. Will this drain battery quickly?
Yes, so keeping your phone plugged in is recommended.

4. Can I use this on any router?
Any router with a WAN port should work without special configuration.

5. Is setup complicated?
No. Once connected, enabling tethering takes less than a minute.

How to Use a Laptop as a Second Monitor (Windows Guide)

2026-04-07T16:37:00.005+05:45

How to Use a Laptop as a Second Monitor (Windows 10/11 Guide)

You can use your laptop as a second monitor using built-in Windows Wireless Display or third-party tools like spacedesk. This allows you to extend your screen without buying extra hardware.

If you need more screen space for multitasking, system monitoring, or IT workflows, this setup gives you a fast and cost-effective dual-screen solution.

Example of a dual-screen setup using a laptop as a second monitor

Why Use a Laptop as a Second Monitor?

Work across multiple applications without switching tabs
Monitor logs, emails, or dashboards in real time
Improve productivity and reduce clutter
Ideal for IT support, developers, and remote work

Method 1: Use Windows Wireless Display (Built-in)

Step 1: Enable Projection on Secondary Laptop

Press Windows + I → open Settings
Go to System → Projecting to this PC
Install Wireless Display if required
Launch the Wireless Display app

Step 2: Connect from Main Laptop

Press Windows + K
Select your second laptop
Choose:
- Extend (recommended)
- Duplicate

Step 3: Arrange Displays

Go to Display Settings and drag screens to match your physical layout. This ensures smooth cursor movement.

Method 2: Use spacedesk (More Flexible Option)

spacedesk is useful if Wireless Display is unstable or unsupported. It works across laptops, tablets, and even phones.

How spacedesk works:

Install spacedesk driver on your main PC
Install viewer on the second device
Connect both devices on the same network

Setup Steps

Install spacedesk on your main device
Install viewer app on second device
Launch both apps
Select and connect

Extend vs Duplicate Mode (Quick Comparison)

Mode	Best For	Use Case
Extend	Productivity	Multitasking, coding, IT monitoring
Duplicate	Presentation	Meetings, demos, screen sharing

Performance Optimization Tips

Use Ethernet instead of Wi-Fi for lower latency
Keep both devices on the same network
Close unnecessary applications

When to Use Each Method

Use Windows Wireless Display for simplicity
Use spacedesk for compatibility and flexibility
Use spacedesk for mobile devices

Troubleshooting Common Issues

Why is my second monitor lagging?

Weak Wi-Fi is the most common cause. Switching to Ethernet improves stability and reduces latency.

Device not showing in Wireless Display?

Ensure both devices support Miracast and are connected to the same network.

Frequently Asked Questions (FAQ)

Can I use a laptop as a second monitor without software?

Yes, Windows includes a built-in Wireless Display feature that allows screen projection without extra software.

Can I use a phone or tablet as a second monitor?

Yes, spacedesk supports Android and iOS devices as extended displays.

What is better: extend or duplicate display?

Extend mode is best for productivity, while duplicate mode is ideal for presentations.

Conclusion

Using your laptop as a second monitor is one of the simplest ways to expand your workspace without extra cost. Built-in Windows tools provide a quick setup, while spacedesk offers more flexibility across devices.

For most workflows, extend mode delivers the best results, helping you manage tasks efficiently and improve productivity.

How to Run AI Models on Your Own Computer with Ollama (No Cloud, No Subscription)

2026-04-06T11:19:00.002+05:45

You've probably noticed: AI subscriptions add up fast. ChatGPT Plus, Copilot Pro, Claude Pro before you know it, you're paying $60+ a month just to ask questions and get help with writing. And every prompt you type goes to someone's server.

There's a better way. Ollama lets you run full AI language models directly on your own computer no internet connection required, no API keys, no monthly fees. Your data never leaves your machine. And the setup takes about five minutes.

This guide walks you through exactly how to get it running, which model to start with, and how to actually use it for real work.

What Is Ollama?

Ollama is a free, open-source tool that handles everything involved in running a large language model locally: downloading the model, managing memory, and serving it through a simple interface. Think of it as a lightweight app store for AI models that runs entirely on your hardware.

It supports Windows, macOS, and Linux, and works with dozens of well-known open-weight models including Llama 3, Mistral, Gemma, Phi, and DeepSeek. Once you pull a model, it lives on your drive and runs offline.

What Hardware Do You Actually Need?

This is the part people overthink. You don't need a $3,000 workstation. Here's the honest breakdown:

8 GB RAM: Enough to run 7B models like Llama 3.2 or Mistral 7B. Comfortable for most tasks.
16 GB RAM: Opens up 13B models and gives you more breathing room for multitasking.
32 GB+ RAM: Needed for larger models like DeepSeek-R1 (32B) or Qwen2.5 (72B).

A dedicated GPU (NVIDIA with 8 GB+ VRAM, or Apple Silicon) makes things noticeably faster. But a modern CPU works fine for lighter use.

Operating system: Windows 10/11, macOS 12 or newer, or any modern Linux distro (Ubuntu 22.04+ recommended).

Step-by-Step: Installing Ollama

Step 1: Download Ollama

Go to ollama.com/download and grab the installer for your OS. On Linux, run this in the terminal:

curl -fsSL https://ollama.com/install.sh | sh

Step 2: Verify the Installation

Open a terminal and type:

ollama --version

You should see a version number. If you do, Ollama is installed and running.

Step 3: Pull Your First Model

Start with Llama 3.2 (3B) if you have 8 GB RAM, or Llama 3.1 (8B) if you have more:

ollama pull llama3.2

Ollama downloads the model file (around 2–5 GB). This only happens once — after that, it runs offline.

Step 4 : Start Chatting

Run the model in interactive mode:

ollama run llama3.2

You'll get a prompt. Type anything and hit Enter. To exit, type /bye.

A Real-World Example: Using It at Work

Say you're an IT admin and you need to write a PowerShell script to list inactive Active Directory accounts. You don't want to paste your domain details into ChatGPT. Here's what you'd do:

ollama run llama3.2
>>> Write a PowerShell script that queries Active Directory for accounts that haven't logged in for 90 days.

It generates the script locally. Your AD details, your prompts, your output all on your machine. Nothing goes anywhere.

Other things it handles well: drafting emails, summarizing documents, explaining error messages, writing regex patterns, and general IT Q&A.

Want a Chat Interface? Add Open WebUI

The terminal is fine, but if you want something that looks like ChatGPT, Open WebUI is a free, self-hosted frontend that connects to Ollama with one Docker command:

docker run -d -p 3000:80 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui ghcr.io/open-webui/open-webui:main

Then open http://localhost:3000 in your browser. Full chat UI, conversation history, and model switching all local.

Common Mistakes to Avoid

Pulling a model too large for your RAM. If your system starts swapping heavily, the model is too big.
Expecting GPT-4 quality from a 3B model. Local models are useful, but not as capable as frontier models. Use them for drafts, summaries, and code help.
Forgetting to update models. Run ollama pull <model-name> periodically for newer versions.
Not trying different models. Mistral 7B is strong for code. Phi-3 Mini is fast and lightweight. Gemma 2 is good at instruction-following.

Useful Ollama Commands

ollama list shows all downloaded models
ollama rm <model-name> removes a model to free up disk space
ollama serve starts the Ollama API server manually
ollama show <model-name> shows model details and parameters

Wrapping Up

Running AI models locally used to be something you'd only attempt if you were comfortable with Linux and Python environments. Ollama has changed that. It's as simple as installing any other app, and the models available today are good enough for a wide range of real work.

If you care about keeping your data private, want to cut subscription costs, or just want an AI assistant that works offline give Ollama a try. Pull Llama 3.2, run it, and see how it fits into your day.

It's free. It's fast enough. And it's yours.

How to Automate Windows Admin Tasks with PowerShell (A Beginner's Guide)

2026-04-03T10:26:00.002+05:45

The Problem: Same Task, Every Day

If you've ever manually created the same folder structure for a new project, exported a list of installed software for an audit, or checked which machines on your network still need a Windows update you already have a use case for PowerShell. You're just doing it the slow way.

PowerShell is the scripting language built into every copy of Windows. It's been there since Windows 7, and yet a huge number of IT professionals have never written a single script. This guide is for those people.

What Is PowerShell, Exactly?

PowerShell is a command-line shell and scripting language built by Microsoft. Unlike the old Command Prompt, PowerShell works with objects structured data you can sort, filter, and pipe between commands. That's what makes it genuinely useful for IT work, not just running the occasional ipconfig.

Two versions exist: Windows PowerShell 5.1 (built into Windows 10/11) and PowerShell 7.x (the newer cross-platform version). For most everyday Windows admin tasks, 5.1 works fine. For new projects or anything cross-platform, download PowerShell 7 from Microsoft's GitHub releases page.

Opening PowerShell the Right Way

Right-click the Start button and choose "Windows PowerShell (Admin)" or "Terminal (Admin)." Running as Administrator matters tasks that touch services, user accounts, and system settings all require elevated privileges.

If you're on Windows 11, Windows Terminal is the better interface. It supports multiple tabs and handles PowerShell 7 cleanly. Worth installing if you haven't already.

Your First Useful Command

Before scripts, learn cmdlets. A cmdlet (pronounced "command-let") follows a consistent Verb-Noun structure:

Get-Process        # Lists running processes
Get-Service        # Shows services and their status
Get-ChildItem      # Lists files in a folder (like ls or dir)

Try this right now: open PowerShell and run:

Get-Service | Where-Object {$_.Status -eq "Stopped"}

You'll get every stopped service on your machine in one line, no clicking through the Services console. That's the idea.

4 Scripts You'll Actually Use

1. Find Files Modified in the Last 7 Days

Get-ChildItem -Path "C:\Users\YourName\Documents" -Recurse |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
Select-Object Name, LastWriteTime

Change the path to any folder. Great for auditing recent changes or tracking down what broke after a Friday deployment.

2. Export a List of Installed Software

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Select-Object DisplayName, DisplayVersion, Publisher |
Export-Csv -Path "C:\installed-software.csv" -NoTypeInformation

Run this on any machine and you get a clean CSV of installed apps perfect for audits, comparisons, or pre-upgrade documentation.

3. Check Disk Space on All Drives

Get-PSDrive -PSProvider FileSystem |
Select-Object Name,
  @{N="Free(GB)";E={[math]::Round($_.Free/1GB,2)}},
    @{N="Used(GB)";E={[math]::Round($_.Used/1GB,2)}}

One command, all drives, formatted cleanly. No more clicking through File Explorer to check space on each partition.

4. Restart a Service If It's Stopped

$service = Get-Service -Name "Spooler"
if ($service.Status -eq "Stopped") {
    Start-Service -Name "Spooler"
        Write-Output "Print Spooler was stopped. Restarted it."
        } else {
            Write-Output "Print Spooler is running fine."
            }

Replace Spooler with any service name. Drop this into a scheduled task to run every 15 minutes for a service that keeps falling over.

How to Save and Run Your Scripts

Write your script in Notepad or VS Code, save it with a .ps1 extension (e.g., check-service.ps1), then run it from PowerShell:

.\check-service.ps1

If you get an execution policy error, run this once in an admin session:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

This allows locally-created scripts to run while keeping unsigned scripts from the internet blocked.

Common Mistakes to Avoid

Running without testing first. Always test scripts on dummy data or in a non-production environment. A loop that deletes or moves files won't ask twice.

No error handling. Wrap risky operations in try/catch blocks:

try {
    Remove-Item "C:\TempLogs" -Recurse -Force
    } catch {
        Write-Output "Failed to delete: $_"
        }

Hardcoding paths and usernames. Use variables instead it makes scripts reusable across different machines without editing the code each time.

No logging for unattended scripts. Add Start-Transcript -Path "C:\script-log.txt" at the top of any script that runs on a schedule. When something breaks at 3am, you'll be glad it's there.

Where to Go From Here

The best way to learn PowerShell is through real problems. Next time you find yourself doing something repetitive, search "how to do X in PowerShell" and adapt what you find. Start with one-liners, then save them as scripts, then run them on a schedule.

Microsoft's documentation at learn.microsoft.com is genuinely good and free. PowerShell 7 installs side-by-side with Windows PowerShell and doesn't replace it, so there's no risk in trying it.

The Bottom Line

You don't need to become a developer to get real value from PowerShell automation. Even five or six scripts targeting your most repetitive tasks can save hours each month. The examples above are real, working, and ready to copy. Start with one, adapt it to your environment, and build from there.

How to Set Up Your First AI Agent (And Actually Get Something Done With It)

2026-04-01T00:07:00.004+05:45

A year ago, most people used AI the same way: type a question, read the answer, close the tab. That was fine. But 2026 is a different story. AI agents systems that don't just respond but actually do things on your behalf are no longer an experiment. They're showing up in real workflows, real companies, and real people's daily routines.

If you've been watching from the sidelines, wondering when to actually start, this is your guide. No theory, no hype just a clear walkthrough of what AI agents are, how they work in practice, and how to get your first one running without spending a weekend in documentation hell.

What Makes an AI Agent Different From a Regular Chatbot

A chatbot answers. An agent acts.

The difference is tool use. When you give an AI agent access to tools like your file system, email, a browser, an API, or a database it can take a task and run with it, step by step, without you hand-holding every move. You say "summarize last week's support tickets and draft a report," and it reads the tickets, pulls the data, writes the report, and saves it somewhere useful. You come back and the work is done.

In my experience, the biggest mental shift isn't technical it's letting go of the idea that you need to micromanage every step. The whole point of an agent is that you define the goal, not the path.

What You Actually Need to Get Started

You don't need to be a developer. You don't need to host anything. Here's the realistic minimum:

An AI platform that supports agents Claude, ChatGPT with plugins, or an open-source option like LangChain or CrewAI if you want more control.
A clear, bounded task "Automate my entire job" will fail. "Summarize my daily emails and flag anything urgent" will work.
Access to at least one tool or data source This could be your Gmail, a folder on your computer, a spreadsheet, or a public API.
Some patience for iteration Your first agent won't be perfect. Neither was your first spreadsheet formula.

Step-by-Step: Setting Up Your First AI Agent

Step 1 Pick One Real Problem to Solve

Don't start with "I want to automate my workflow." Start with something specific. A few examples that actually work well for first agents:

Monitoring a folder for new files and summarizing their contents
Pulling data from a web page daily and logging it to a spreadsheet
Drafting responses to common customer emails based on a template
Checking a server log file for errors and sending a summary Slack message

The more specific the task, the easier it is to know when the agent is doing it right.

Step 2 Choose Your Platform

For non-developers: Claude's Cowork mode or ChatGPT with file and web tools are the easiest entry points in 2026. You connect tools through a UI and describe what you want in plain language.

For IT professionals or developers: CrewAI, LangGraph, or AutoGen give you more control over agent behavior, memory, and multi-agent orchestration. These require Python knowledge but aren't nearly as complicated as they used to be.

For enterprise environments: Most teams are now using platforms like Microsoft Copilot Studio or internal deployments that already have security review done. Check with your IT department before connecting any agent to company data.

Step 3 Define the Agent's Role and Tools

Think of this like writing a job description. You're telling the agent:

What it is "You are a monitoring assistant that checks server logs for errors."
What it can use File access, web search, email API, etc.
What it should output A summary? A file? A Slack message?
What it should NOT do This part is easy to skip and important not to.

The guardrails matter. An agent with no defined scope will hallucinate scope for itself. In my experience, agents that go off-script almost always do so because the original instructions left too much ambiguous.

Step 4 Test With a Small, Safe Dataset

Do not point your new agent at live production data on day one. Create a test folder, a dummy email account, or a sample spreadsheet. Run it. Watch what it does. Check the output before you trust it with anything that matters.

This sounds obvious but gets skipped constantly.

Step 5 Add Memory (Optional but Powerful)

Some agent platforms support memory the ability to remember context between runs. If your agent is doing a recurring task, memory lets it build on previous outputs instead of starting cold each time. This is especially useful for report generation, customer tracking, or anything where "what happened last time" is relevant.

A Real World Example: IT Incident Log Summarizer

Here's something a small IT team actually deployed earlier this year. They had engineers manually scanning through overnight system logs every morning a 20-minute job that nobody liked and that occasionally produced incomplete reports.

They set up an agent with access to the log directory, gave it a role ("You are a system health analyst. Each morning, scan the overnight logs, identify errors, warnings, and anomalies, then produce a plain-English summary with severity ratings."), and connected the output to a shared Slack channel.

First run took some prompt tuning. By day three, the morning report was more consistent than what humans were producing. Engineers still reviewed it they didn't remove the human layer but the grunt work disappeared.

Total setup time: about four hours across two days. No custom code, just configuration and iteration.

Mistakes That Will Waste Your Time

Starting too broad. "Automate my research process" is not a task. It's a dream. Break it down.
Skipping the output review step. An agent that's 90% accurate on a task that runs 100 times a day introduces errors at scale. Always build in a review stage until you've verified reliability.
Giving agents access to things they don't need. Minimum viable permissions same principle you'd apply to any system account.
Expecting zero maintenance. APIs change. Data formats change. An agent that worked perfectly last month may need a prompt update next month. Build in time for this.
Not documenting what the agent does. Six months later, you or a colleague will need to understand or modify it. Write it down.

A Quick Note on Security

This comes up less often than it should. If your agent is handling company data, emails, or any system with credentials, you need to think about:

Where the data goes (is the AI model storing your inputs?)
What happens if the agent makes an unintended API call
Who has visibility into the agent's actions and outputs

Most enterprise-grade platforms have audit logs now. Use them. For personal projects or solo use, just be careful about connecting agents to anything that has payment info or sensitive personal data until you fully understand the data flow.

The Honest Truth About AI Agents in 2026

They're genuinely useful. Not magic, not sentient, not a threat to your job if you know how to use them. They're more like a very capable intern that works at 3am and never forgets a step — but still needs clear instructions and occasional correction.

The professionals who are getting the most value right now aren't the ones with the most technical skill. They're the ones who know their own workflows well enough to explain them clearly. If you understand what you do, you can teach an agent to help with it.

Start with one task. Get it working. Then build from there.

How to Set Up Windows 11 with a Local Account (Bypassing Microsoft Sign-In)

2026-03-27T21:20:00.004+05:45

If you've been trying to install Windows 11 lately, you've probably noticed Microsoft has made it tougher to skip their online account requirement. The old trick of typing cxh:local during setup doesn't work anymore. But there's still a reliable workaround using a simple command script. This method lets you finish the Out-of-Box Experience (OOBE) with a traditional local account instead of linking everything to a Microsoft profile.

For the full technical breakdown and any updates, check out the GitHub repo here: github.com/BikramBhujel/bypassnro

Step-by-Step Guide

1. Get to the OOBE Screen

Boot into the Windows 11 installation and proceed until you hit the initial setup screens the ones asking for your region, language, or network connection. Stop there before it asks you to sign in.

2. Open Command Prompt

Press Shift + F10 on your keyboard. This pops open a Command Prompt window right from the setup environment no need to complete installation first.

3. Download the Bypass Script

In the Command Prompt, grab the script file using curl it's built into modern Windows setups. Run this exact command:

curl -L bikrambhujel.com.np/bypass -o skip.cmd

This downloads a small batch file called skip.cmd to your current directory.

4. Execute the Script

Now just run it:

skip.cmd

The script does the heavy lifting it tweaks a registry key to skip the network requirement and lets you create a local account on the next screens.

After that, you'll breeze through the rest of setup without needing an internet connection or Microsoft login. It's straightforward, reversible if needed, and works on the latest Windows 11 builds as of now.

Why Use a Local Account?

A local account keeps your data on your machine only. No syncing to Microsoft servers, no requirement for an internet connection to log in, and no Microsoft profile attached to your device. For privacy-conscious users, air-gapped machines, or enterprise environments where Microsoft accounts aren't appropriate, this is the right setup.

The bypass script only modifies a temporary registry entry during the OOBE phase. Once setup is complete it has no ongoing effect on your system.

Frequently Asked Questions

Does the cxh:local trick still work?

No. Microsoft patched it in recent Windows 11 builds. The command script method described above is the current working approach.

Will this work on the latest Windows 11 version?

Yes, as of the time of writing this works on current Windows 11 builds. Check the GitHub repo for the latest updates if something changes.

Is it safe to use this script?

The source code is fully open and available at github.com/BikramBhujel/bypassnro. It makes a single registry change to skip the network check during OOBE. Review it yourself before running if you want to be sure.

Can I switch to a Microsoft account later?

Yes. After setup is complete you can go to Settings → Accounts → Your info and sign in with a Microsoft account at any time. Starting with a local account doesn't lock you out of that option.

OpenAI Is Hiring 8,000 People and Apple WWDC 2026 Is Coming : What Both Mean for Regular Tech Users

2026-03-26T13:34:00.002+05:45

Two pieces of tech news dropped this week that seem unrelated on the surface but actually tell the same story. OpenAI announced plans to grow from around 4,000 employees to roughly 8,000 by the end of this year. And Apple confirmed that WWDC 2026, its annual developer conference, will take place June 8 to 12 at Apple Park. Both announcements are really about the same thing: the AI race is moving from research labs into the software and devices people use every single day, and it is moving fast.

What OpenAI Hiring 8,000 People Actually Signals

A lot of people heard this number and thought it just meant OpenAI is growing. But the more interesting detail is where those hires are going. The company is expanding its engineering teams, yes, but the bigger growth areas are enterprise sales, product delivery, and what they are calling technical ambassadorship, which is essentially a team of people who help businesses figure out how to actually use AI tools in their operations.

This tells you something important about where the AI industry is right now. The era of building impressive demos and impressing people at conferences is giving way to the harder, more mundane work of turning AI into software that businesses actually pay for and keep paying for. OpenAI surpassed 25 billion dollars in annualized revenue recently. Anthropic, the company behind Claude, is approaching 19 billion. These are no longer research projects. They are large enterprise software companies that happen to be built on AI models.

For regular users, this shift matters because it means the AI tools you interact with are being shaped increasingly by enterprise requirements, which tend to prioritize reliability, privacy controls, and integration with existing business software over flashy new capabilities. The ChatGPT you use at home is increasingly being designed with the corporate customer in mind alongside you.

Apple WWDC 2026 and What to Expect in June

Apple's developer conference is where the company announces what is coming to iOS, macOS, and all its other platforms for the rest of the year. This year's event on June 8 is particularly interesting because Apple has had what many people consider a slow start in the AI race compared to Google and OpenAI.

Apple Intelligence, the company's branded AI features, rolled out gradually over the past year and drew mixed reviews. Some features impressed people. Others felt half finished. The new version of Siri, which Apple has been building with on device AI and reportedly using Google's Gemini model in the background for more complex tasks, is expected to be a major focus at WWDC this year.

If Apple delivers a genuinely improved Siri that can do things like book appointments across apps, write emails with context from your calendar, and answer complex questions without shipping your data to a distant server, it would be a significant moment. Apple's advantage has always been that billions of people already have iPhones and trust the company with their data. The question at WWDC is whether Apple can finally translate that trust and installed base into AI features that people actually want to use.

Why Both of These Things Matter for People Outside the US

Tech news from Silicon Valley can feel distant when you are reading it from Nepal or anywhere else in South Asia. But both of these developments have practical implications that reach beyond American users fairly quickly.

OpenAI expanding its enterprise sales team means ChatGPT and other OpenAI tools will increasingly appear inside the business software used by companies globally, from Microsoft Office to customer service platforms to coding tools. If you work in tech, education, or any field that uses computers, AI tools shaped by OpenAI's enterprise push will reach you whether you seek them out or not.

Apple's WWDC announcements, meanwhile, affect every iPhone and Mac user on the planet. New iOS features announced in June typically reach all supported devices in September. If Apple delivers something genuinely useful in AI this year, hundreds of millions of people across Asia will have it on their phones a few months later.

The Bigger Picture Behind Both Stories

What both OpenAI's hiring spree and Apple's WWDC announcement reflect is that the AI technology being built in research labs over the past few years is now entering its commercialization phase. The question is no longer whether AI is impressive. It clearly is. The question is whether it is useful enough in everyday situations that people keep coming back to it, pay for it, and build their workflows around it.

That answer is still being written. The next six months, from now through the end of 2026, will tell us a great deal about which AI products people actually want to live with versus which ones they try once and forget about.

Common Questions

Will Apple Intelligence features work on older iPhones?

Apple Intelligence currently requires an iPhone 15 Pro or any iPhone 16 model. Older devices do not have the necessary chip performance to run on device AI features. Whatever Apple announces at WWDC in June will likely follow the same hardware requirements, meaning if you have an iPhone 14 or older, the new AI features will not be available to you without upgrading your device.

Is OpenAI profitable yet?

Not yet. OpenAI reported significant losses last year despite its massive revenue, largely because running and training large AI models is extraordinarily expensive. The company is betting that revenue growth from enterprise customers will eventually outpace the infrastructure costs. The hiring expansion is part of that bet, since more sales people and product teams should drive more enterprise contracts, but it also means higher costs in the short term before the revenue catches up.

Will ChatGPT stay free for regular users as OpenAI grows?

The free tier of ChatGPT is likely to continue, but with more limitations compared to paid plans. OpenAI's free users already see capability restrictions compared to ChatGPT Plus subscribers. As the company focuses more on enterprise revenue, the gap between free and paid features may widen further over time. The free version will not disappear since it drives awareness and eventual conversions to paid plans, but it will probably become more of a limited preview than a full product.

2026-03-25T23:08:00.004+05:45

🏢 Enterprise Network Infrastructure Upgrade
CIMMYT Nepal Office, Khumaltar

From a flat unmanaged network to a fully segmented enterprise-grade dual-VLAN architecture using existing hardware with zero budget.

📅 March 2026 📍 Khumaltar, Lalitpur, Nepal 🔧 FortiGate + Cisco ✍️ Bikram Bhujel ⏱️ 5 Days

6× Faster WiFi Speed

13 Devices Configured

0৳ Hardware Budget

Project Overview

The CIMMYT Nepal Office in Khumaltar, Lalitpur was running on a completely flat network with no VLANs, no segmentation and no guest isolation. All staff devices, guest WiFi and printers were sharing the same broadcast domain with zero security boundaries between them.

The goal was straightforward: upgrade the entire network to a properly segmented, enterprise-grade architecture. The interesting constraint was that no new hardware could be purchased. Everything had to be done with what was already sitting in the server rack.

💡 Key insight: The dramatic performance improvement you will see below came entirely from reconfiguration, not new equipment. The same firewall, switches and access points delivered 6x faster WiFi simply through proper design.

How It Unfolded

March 20, 2026

FortiGate 91G Reconfiguration

Started with a clean slate. Configured VLAN20 for corporate traffic and VLAN999 for guest, set up DHCP pools for both networks, configured SD-WAN with the Worldlink ISP connection and wrote all firewall policies from scratch.

March 20 to 21

Switch Infrastructure

All three Cisco Catalyst 2960-X switches were pulled from the rack and physically cleaned. The level of dust and rodent activity found inside was significant. After cleaning all three were reconfigured with proper VLAN trunk and access port design.

March 21, 2026

Wireless Deployment

All eight Cisco AIR-CAP2702I access points configured in autonomous mode. CIM-WiFi moved to 5GHz exclusively and cim-guest assigned to 2.4GHz. Channels planned using a 1, 6, 11 rotation across adjacent APs. First speedtest: 41.8 Mbps.

March 22 to 24

FortiAP 231F Integration

Integrating the FortiAP 231F into FortiGate management turned into a multi-day troubleshooting exercise. The AP was still registered to FortiEdge Cloud, CAPWAP was not enabled on the right interface and the native VLAN behaviour required some creative thinking. More on this below.

March 25, 2026

Documentation in NetBox

Full network documented in NetBox IPAM covering all devices, VLANs, prefixes, interfaces and IP addresses. The entire network is now properly recorded for future reference.

Before and After

❌ Before

Network DesignFlat / No VLANs

WiFi Download~7 Mbps avg

Jitter15 to 57 ms

Guest IsolationNone

WiFi Band2.4GHz congested

Channel PlanningNot optimized

Switch ConditionHeavily dusty

Server RackDisorganized

✅ After

Network DesignDual VLAN

WiFi Download41.8 Mbps

Jitter1 ms

Guest IsolationComplete

WiFi Band5GHz dedicated

Channel Planning1/6/11 rotated

Switch ConditionCleaned

Server RackOrganized

Hardware Involved

Every device below was already present in the office. Nothing was purchased new. Each one was reconfigured from scratch.

🔥

Fortinet FortiGate 91G

Internet gateway, VLAN routing, SD-WAN
Firewall policies and FortiAP controller

🔀

Cisco Catalyst 2960-X (×3)

48-port PoE switches
Core switch plus two access switches

📡

Cisco AIR-CAP2702I (×8)

Autonomous mode, dual radio
CIM-WiFi on 5GHz, cim-guest on 2.4GHz

📶

Fortinet FortiAP 231F

Managed by FortiGate via CAPWAP
Dedicated coverage for CCR area

Network Design

The topology follows a daisy-chain design with the FortiGate at the top and three switches cascading below it. Two VLANs carry all traffic with strict firewall policies controlling what can communicate with what.

ISP (Worldlink 50Mbps Dedicated) └── FortiGate 91G [Gateway and Firewall] └── Core Switch [48-port PoE] ├── Access Switch 2 [Office area] ├── Access Switch 3 [Office area] └── AP Trunk Ports [VLAN20 + VLAN999, native VLAN20]

🏢 VLAN 20 — Corporate

Subnetx.x.x.0/23

DHCP Poolx.x.x.50 onwards

SSIDCIM-WiFi

Band5GHz dedicated

PurposeStaff devices only

👥 VLAN 999 — Guest

Subnetx.x.x.0/24

DHCP Poolx.x.x.10 to .200

SSIDcim-guest

Band2.4GHz dedicated

PurposeVisitors only

FortiGate Configuration Highlights

A couple of things worth noting from the FortiGate side. SD-WAN must be configured before any firewall policies that reference it, otherwise FortiOS throws a node_check_object error. Also, VLAN IDs are immutable after creation — to change one you delete the interface and start over.

# VLAN interface for corporate network config system interface edit "VLAN20_Internal" set interface lan set type vlan set vlanid 20 set ip x.x.x.1 255.255.254.0 set allowaccess ping https ssh fabric next end

# Three policies cover all traffic scenarios # Policy 3: Guest internet access srcintf "VLAN999" dstintf "virtual-wan-link" action accept nat enable # Policy 4: Guest to corporate — hard deny srcintf "VLAN999" dstintf "VLAN20_Internal" action deny # Policy 5: Staff internet access srcintf "VLAN20_Internal" dstintf "virtual-wan-link" action accept nat enable

Wireless Network Setup

Moving CIM-WiFi to 5GHz was the single biggest factor in the speed improvement. The 5GHz band is faster and far less congested in an office environment. Eight access points were spread across the building with 2.4GHz channels carefully planned to use only non-overlapping channels rotating across 1, 6 and 11 so adjacent APs never interfere with each other.

AP-01

Static IP

2.4G Ch 1

AP-02

Static IP

2.4G Ch 6

AP-03

Static IP

2.4G Ch 11

AP-04

Static IP

2.4G Ch 1

AP-05

Static IP

2.4G Ch 6

AP-06

Static IP

2.4G Ch 11

AP-07

Static IP

2.4G Ch 1

AP-08

Static IP

2.4G Ch 6

📡 The FortiAP 231F covers the CCR area which had weak signal from the Cisco APs. It is managed directly by the FortiGate. Both SSIDs work in Bridge mode — CIM-WiFi uses VLAN ID 0 (untagged, routes via native VLAN to corporate) and cim-guest uses VLAN 999 tagged.

Challenges Worth Sharing

Problem

FortiAP CIM-WiFi Had No DHCP

Setting Optional VLAN ID to 20 on the Bridge mode SSID was not giving IP addresses to clients connecting to CIM-WiFi on the FortiAP.

Solution

Set VLAN ID to 0

VLAN ID 0 sends traffic untagged. The switch native VLAN routes untagged traffic to the corporate VLAN interface on FortiGate. DHCP works perfectly.

Problem

FortiAP Not Appearing in FortiGate

The FortiAP 231F was getting an IP and could ping the FortiGate but would not show up in Managed FortiAPs no matter what was tried.

Solution

Enable Security Fabric Connection

Since FortiOS 6.2, CAPWAP is grouped under Security Fabric Connection in the interface administrative access settings. Enabling this on the management VLAN interface fixed it immediately.

Problem

FortiAP Still Talking to FortiEdge Cloud

Even after pointing the FortiAP at the local FortiGate IP it kept trying to reach the cloud controller it was previously registered to.

Solution

Undeploy from FortiEdge Cloud First

The AP must be released from the FortiEdge Cloud portal before it will accept a local controller. Once undeployed it connected to the FortiGate within minutes.

Problem

FortiOS VLAN ID Cannot Be Changed

Attempted to modify an existing VLAN interface to change the VLAN ID. FortiOS does not allow this operation in place.

Solution

Delete and Recreate

The only way to change a VLAN ID in FortiOS is to delete the interface and create a new one. All firewall policies referencing it must be removed first.

What I Learned

💡 Native VLAN and FortiAP Bridge Mode

When a Cisco switch trunk port has a native VLAN configured, any traffic tagged with that same VLAN ID gets the tag stripped before leaving the port. This catches people out with FortiAP. The fix is counterintuitive set the SSID Optional VLAN ID to 0 instead of the VLAN number and the untagged traffic flows exactly where you need it.

💡 Performance Is About Design, Not Hardware

The jump from 7 Mbps average to 41.8 Mbps on the same access points came from three things: moving corporate WiFi to the 5GHz band, planning 2.4GHz channels using only the three non-overlapping channels and fixing the VLAN trunk configuration on the switches. No hardware replaced. Proper configuration is everything.

💡 SD-WAN Must Come Before Firewall Policies

If you try to create a firewall policy referencing virtual-wan-link before the SD-WAN zone is configured, FortiOS throws a node_check_object error. Always configure SD-WAN first then build firewall policies on top of it.

Final Results

Every test passed. The network is stable, fast and properly segmented. Staff on CIM-WiFi cannot reach the guest network and guests cannot reach any corporate resource. The FortiAP covers the previously weak CCR area and everything is documented in NetBox.

Test Performed	Result
FortiGate internet connectivity	✅ Passed
Wired PCs on all three switches	✅ Passed
CIM-WiFi on Cisco APs	✅ Passed — 41.8 Mbps / 1ms jitter
CIM-WiFi on FortiAP 231F	✅ Passed
cim-guest on Cisco APs	✅ Passed
cim-guest on FortiAP 231F	✅ Passed
Guest to corporate isolation	✅ Passed — completely blocked
All 8 Cisco APs reachable	✅ Passed
NetBox documentation	✅ Complete

Microsoft Is Finally Fixing Windows 11's Most Annoying Problems

2026-03-25T13:33:00.001+05:45

If you have been using Windows 11 for a while you probably have a mental list of things that drive you up the wall. The update notifications that will not leave you alone. The AI features that appear whether you asked for them or not. The Start menu that seems to have a mind of its own. The good news is Microsoft actually heard the complaints and made an official promise this month to fix the biggest ones.

This is not a rumor or a leak. Microsoft published a statement directly addressing user frustration with what many people have started calling AI slop in Windows, meaning features that feel pushed on users rather than genuinely helpful. Here is what is changing.

The Forced AI Features Are Getting Dialed Back

One of the most common complaints about recent Windows 11 updates is that Microsoft kept adding AI-powered features without asking users whether they wanted them. Copilot widgets appearing on the taskbar. AI-generated content in search results. The Recall feature that takes regular screenshots of your screen. People felt like their own operating system was being used to push a product agenda rather than serve them.

Microsoft's response this month acknowledged that feedback directly. The company said it is working on giving users clearer control over which AI features are active and which are not. New options are coming that let you turn off specific Copilot and AI behaviors without having to dig through obscure settings menus. This has been one of the most requested changes from Windows power users for months.

Windows Update Is Becoming Less Pushy

The other major change Microsoft is addressing is how Windows handles updates. The current behavior on many machines is that Windows will nag you repeatedly to restart, schedule restarts at inconvenient times, and in some cases apply updates automatically even when you would prefer to wait.

Microsoft confirmed this month that hotpatch updates, which apply security fixes without requiring a restart, will become the default for eligible devices starting with the May 2026 update. This is genuinely useful. Right now hotpatching requires enrollment through Microsoft Intune, which is an enterprise tool most home users never touch. Making it the default means your PC gets security updates in the background without the disruptive restart cycle that interrupts your work.

The company says this change can get devices to 90 percent patch compliance in half the usual time, which matters for security, while also eliminating most of the restart-related annoyance for everyday users.

The Start Menu and Taskbar Are Getting Cleaned Up

This one has been a long time coming. Since Windows 11 launched, the Start menu has included recommended apps, promoted content, and suggestions that most users never asked for and rarely want. The taskbar on many machines ships with widgets showing news and weather that auto expand when you hover near them accidentally.

Microsoft said this month it is simplifying both. The recommendations section in Start is being made easier to dismiss and configure. The taskbar widgets panel is getting better controls so it does not activate unintentionally. These sound like small things but they are among the most commonly mentioned frustrations from users who just want a clean working environment without promotional content in their way.

File Explorer Search Is Getting More Reliable

The March 2026 update that rolled out earlier this month already included fixes for File Explorer search reliability, which has been unreliable in certain situations for longer than it should have been. Searches that returned incomplete results or missed files in certain folder structures are now more consistent.

Microsoft also added a built in Sysmon monitoring tool as an optional Windows feature in the March update. This is primarily useful for IT administrators and security conscious users who want to monitor system activity in detail. You can enable it from Settings, System, Optional Features if you want to try it.

One Warning Before You Get Too Excited

Microsoft has made promises about fixing Windows behavior before and the delivery timeline has not always matched the announcement. Some of these changes are confirmed for specific upcoming updates. Others are described more vaguely as coming improvements without exact dates. The hotpatch change has a confirmed timeline of May 2026. The AI feature controls and Start menu cleanup do not yet have specific release dates attached to them.

That said, the fact that Microsoft is publicly acknowledging these issues and committing to changes is itself significant. The company is aware that Windows 11 has frustrated a meaningful portion of its user base, and the competitive pressure from macOS and ChromeOS gives them a real reason to act rather than just acknowledge the complaints.

Common Questions About the Windows 11 Changes

Do I need to do anything to get these improvements?

For the changes that are already in March updates, make sure your Windows Update is current and that you have installed KB5079473. For upcoming changes like the hotpatch default and the AI feature controls, they will arrive automatically through future Windows Updates, likely starting in May. No manual action needed beyond keeping your system updated.

Can I turn off Copilot in Windows 11 completely right now?

Yes, partially. You can remove the Copilot button from your taskbar by right clicking the taskbar, going to Taskbar Settings, and toggling Copilot off. On Windows 11 Pro and Enterprise editions you can disable it more thoroughly through Group Policy settings. On Home edition the options are more limited until the promised controls arrive in future updates.

Will these changes also come to Windows 10?

Windows 10 reached end of mainstream support in October 2025, so it no longer receives feature updates or improvements of this kind. Security patches continue under the Extended Security Updates program for organizations, but the experience improvements and new features Microsoft is rolling out are exclusively for Windows 11. If you are still on Windows 10, upgrading to Windows 11 is now the only path to getting these changes.

Bikram Bhujel

Troubleshooting SSO Authentication Failures: HTTP 404 on STS Endpoint

Troubleshooting SSO Authentication Failures: HTTP 404 on STS Endpoint

What Is Actually Happening

Root Causes: Three DNS Scenarios

1. Stale DNS Records

2. Firewall or Traffic Filtering Rules

3. VLAN Specific DNS Configuration

Confirming the Diagnosis

Step 1: The Network Swap Test

Action

Step 2: Clear the DNS Cache

Action

Step 3: Reset the Application Identity

Action

What IT Teams Need to Do

Flush DNS Cache on the Internal DNS Server

Verify the STS Hostname Resolution

Check Firewall and Proxy Rules

Review VLAN-Specific DNS Configuration

Quick Reference Table

Frequently Asked Questions

How to Install Windows 11 Without a Microsoft Account in 2026 (Working Methods)

What Changed in 2026

OOBE Command Bypass

1Open Command Prompt

2Run Command

3Disconnect Network

4Create Local Account

Script-Based Bypass (Recommended)

1Open Command Prompt

2Download Script

3Run Script

Why Network Disconnection Alone Fails

Common Issues

FAQ

Final Take

How to Install Windows 11 Over a Network Using an Ethernet Cable and Serva

How to Install Windows 11 Over a Network Using an Ethernet Cable and Serva

What You Need

How Network Installation Works

Step 1: Download and Extract Serva

Step 2: Set a Static IP on the Server Laptop

Step 3: Configure Serva TFTP and DHCP

TFTP Configuration

DHCP Configuration

Step 4: Add the Windows 11 Installer Files

Part A: Copy Windows 10 Files into WDS

Part B: Add the Windows 11 install.wim or install.esd

Step 5: Share the WDS Folder

Step 6: Create a Local User Account for Installation

Step 7: Configure Network Boot on the Target Machine

Step 8: Install Windows 11

Step 9: Initial Setup and Local Account

Troubleshooting Tips

Target machine does not get an IP address from Serva

Boot files load but installer cannot find the installation source

install.wim or install.esd is missing

Serva DHCP conflicts with home router

Frequently Asked Questions

Brave Origin Browser in 2026: Is It Worth $60 or Is There a Free Alternative?

Brave Origin Browser in 2026: Is It Worth $60 or Is There a Free Alternative?

Why Chrome Was Never Good Enough

What Is Brave Origin?

What Gets Removed in Brave Origin

Linux Users Get It Free FREE ON LINUX

Free Alternative for Windows: BraveDeBloat FREE

Syncing Across Devices

Activation Limits and Pricing Notes

What About Helium Browser? FOR GOOGLE-FREE USERS

Side by Side Comparison

Which Option Should You Choose?

The Right Choice Depends on Your Platform and Budget

Frequently Asked Questions

Best Privacy Browsers in 2026: Brave, Mullvad, LibreWolf and What to Avoid

Best Privacy Browsers in 2026: Brave, Mullvad, LibreWolf and What to Avoid

Why Your Browser Choice Matters

Browsers to Avoid: Chrome, Edge and Safari NOT RECOMMENDED

Microsoft Edge

Google Chrome