Is Remote Desktop slow when you connect from Windows Remote Desktop to Ubuntu? This change will help.

In the /etc/xrdp/xrdp.ini file, change crypt_level=high to crypt_level=low

sudo cp /etc/xrdp/xrdp.ini /etc/xrdp/xrdp.ini.bak
sudo nano /etc/xrdp/xrdp.ini

Change This:

; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high

To this:

; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=low

Save the changes, reboot Ubuntu, and enjoy.

Please note that this is for non-production servers. Do not make this change unless lower security is acceptable, such as on an internal server.
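The comments in xrdp.ini say crypt_level applies to classic RDP encryption only, so whether the lowered value matters depends on the security_layer key in the same [Globals] section. The following audit helper is an added example, not part of the original post; the function name xrdp_crypto_posture and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# xrdp_crypto_posture FILE -> prints one word:
#   tls-only      security_layer=tls, classic RDP encryption is not offered
#   classic-ok    classic RDP possible, minimum level is high or fips
#   classic-weak  classic RDP possible with none/low/medium accepted
#   unknown       no crypt_level found in [Globals]
# Any security_layer other than tls is treated as allowing classic RDP.
xrdp_crypto_posture() {
    awk -F= '
        /^[ \t]*[;#]/ { next }                       # comment lines
        /^[ \t]*\[/   {                              # section header
            sect = tolower($0)
            gsub(/^[ \t]*\[|\].*$/, "", sect)
            next
        }
        sect == "globals" {
            key = tolower($1); val = tolower($2)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "security_layer") layer = val
            if (key == "crypt_level")    level = val
        }
        END {
            if (layer == "tls")                          print "tls-only"
            else if (level == "")                        print "unknown"
            else if (level == "high" || level == "fips") print "classic-ok"
            else                                         print "classic-weak"
        }' "$1"
}

# Constructed sample matching the edit above (not a real host's file).
sample=$(mktemp)
printf '[Globals]\nsecurity_layer=negotiate\ncrypt_level=low\n' > "$sample"
echo "posture: $(xrdp_crypto_posture "$sample")"
rm -f "$sample"
```

On a real host, run `xrdp_crypto_posture /etc/xrdp/xrdp.ini` before and after the edit.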

These errors usually show up in an RDP / Windows Remote Desktop session to Ubuntu.

“Authentication is required to create a color profile“


“Authentication is required to create a color managed device“

You can click Cancel to these popups or enter your password to continue.

This article shows how to get rid of them permanently.

The cause is Polkit, an application authorization framework that intercepts actions performed by a user and checks whether the user is authorized to perform them.

Let’s create a new configuration file in /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla. This will tell Polkit to continue without requiring the authentication prompt over RDP.

sudo nano /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla

Paste in the following:

[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes

Save and exit.

Now reboot Ubuntu and try logging in again over RDP / Windows Remote Desktop and the popups should be gone.

In Ubuntu 21.04, you will not see any files at /etc/network/interfaces. Also, in checking /etc/netplan/01-network-manager-all.yaml there is a message:

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

Change to a static IP address if you use Ubuntu as a server. The interface name [enp1s0] is different in each environment; replace it with your own.

Rename to disable default setting

# mv /etc/netplan/00-installer-config.yaml /etc/netplan/00-installer-config.yaml.org

Create new

root@localhost:~# vi /etc/netplan/01-netcfg.yaml

Edits:

network:
  ethernets:
    # interface name
    enp1s0:
      dhcp4: no
      # IP address/subnet mask
      addresses: [192.168.0.45/24]
      # default gateway
      gateway4: 192.168.0.1
      nameservers:
        # name server to bind
        addresses: [8.8.8.8,1.1.1.1]
      dhcp6: no
  version: 2

# apply changes

root@localhost:~# netplan apply

Check networking

root@localhost:~# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:37:5a:11 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.30/24 brd 10.0.0.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe37:5a11/64 scope link
       valid_lft forever preferred_lft forever

Install WireGuard

sudo apt update
sudo apt install wireguard

Now that you have WireGuard installed, the next step is to generate a private and public keypair for the server.

Use the following umask command to ensure new directories and files (in your current terminal session only) get created with limited read and write permissions:

umask 077

Now you can proceed and create the private key for WireGuard using the following command:

wg genkey | sudo tee /etc/wireguard/private.key

The next step is to create the corresponding public key, which is derived from the private key. Use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

When you run the command you will again receive a single line of base64 encoded output, which is the public key for your WireGuard Server. Copy it somewhere for reference, since you will need to distribute the public key to any peer that connects to the server.

Choosing an IPv4 Range

You can choose any range of IP addresses from the following reserved blocks of addresses:

10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

For the purposes of this tutorial we’ll use 10.8.0.0/24 as a block of IP addresses from the first range of reserved IPs.

Creating a WireGuard Server Configuration

Once you have the required private key and IP address(es), create a new configuration file using nano or your preferred editor by running the following command:

sudo nano /etc/wireguard/wg0.conf

Add the following lines to the file, substituting your private key in place of the base64_encoded_private_key_goes_here value, and the IP address(es) on the Address line. You can also change the ListenPort line if you would like WireGuard to be available on a different port:

[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 10.8.0.1/24, fd0d:86fa:c3bc::1/64
ListenPort = 51820
SaveConfig = true

Starting the WireGuard Server

sudo systemctl enable wg-quick@wg0.service

Now start the service:

sudo systemctl start wg-quick@wg0.service

Double check that the WireGuard service is active with the following command. You should see active (running) in the output:

sudo systemctl status wg-quick@wg0.service

Configuring a WireGuard Peer

You can add as many peers as you like to your VPN by generating a key pair and configuration using the following steps. If you add multiple peers to the VPN be sure to keep track of their private IP addresses to prevent collisions.

To configure the WireGuard Peer, ensure that you have the WireGuard package installed using the following apt commands. On the WireGuard peer run:

sudo apt update
sudo apt install wireguard

Creating the WireGuard Peer’s Key Pair

umask 077

Create the private key for the peer using the following command:

wg genkey | sudo tee /etc/wireguard/private.key

Next use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Copy it somewhere for reference, since you will need to distribute the public key to the WireGuard Server in order to establish an encrypted connection.

Creating the WireGuard Peer’s Configuration File

sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24

[Peer]
PublicKey = base64_encoded_server_public_key_goes_here
AllowedIPs = 10.8.0.0/24
Endpoint = 159.65.164.142:51820

Adding the Peer’s Public Key to the WireGuard Server

Ensure that you have a copy of the base64 encoded public key for the WireGuard Peer by running:

sudo cat /etc/wireguard/public.key
7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=

Now log into the WireGuard server, and run the following command:

sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2

If you would like to update the allowed-ips for an existing peer, you can run the same command again, but change the IP addresses. Multiple IP addresses are supported. For example, to change the WireGuard Peer that you just added to add an IP like 10.8.0.100 to the existing 10.8.0.2, you would run the following:

sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2,10.8.0.100

Once you have run the command to add the peer, check the status of the tunnel on the server using the wg command:

sudo wg
interface: wg0
public key: 2KOvl8HbUz1rxTJ/l46o/Yz4G34Q6rfFsmvOROu9HAY=
private key: (hidden)
listening port: 51820

peer: 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=
endpoint: 70.112.179.47:49999
allowed ips: 10.8.0.2/32
latest handshake: 10 minutes, 58 seconds ago
transfer: 20.80 KiB received, 25.17 KiB sent
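
To keep track of peer addresses and avoid the collisions mentioned earlier, the server's current assignments can be read from `wg show wg0 allowed-ips` before each `wg set`. The helpers below are an added example, not part of the original tutorial; the function names and the second public key in the sample are made up, and only prefixes from /24 to /32 inside the tunnel network are considered.

```shell
#!/bin/sh
# Input on stdin: output of `wg show wg0 allowed-ips`, one peer per line:
#   <public-key><TAB><allowed-ip> <allowed-ip> ...

# peer_ip_owner IP -> prints the public key that already holds IP/32, if any.
peer_ip_owner() {
    awk -v ip="$1" '
        { for (i = 2; i <= NF; i++) if ($i == ip "/32") { print $1; exit } }'
}

# next_free_peer_ip BASE -> lowest unused host in BASE.2 .. BASE.254
# (BASE is the first three octets, e.g. 10.8.0; .1 is the server).
# A prefix from /24 to /32 inside BASE reserves its whole block.
next_free_peer_ip() {
    awk -v base="$1" '
        {
            for (i = 2; i <= NF; i++) {
                if (split($i, p, "/") != 2) continue      # "(none)"
                if (split(p[1], o, ".") != 4) continue    # IPv6 entries
                if ((o[1] "." o[2] "." o[3]) != base || p[2] < 24) continue
                size = 2 ^ (32 - p[2])
                start = int(o[4] / size) * size
                for (h = start; h < start + size; h++) used[h] = 1
            }
        }
        END {
            for (h = 2; h <= 254; h++)
                if (!(h in used)) { print base "." h; exit 0 }
            exit 1                                        # network is full
        }'
}

# plan_peer PUBKEY BASE -> prints the `wg set` command for the next free
# address. Nothing is executed.
plan_peer() {
    dump=$(cat)
    ip=$(printf '%s\n' "$dump" | next_free_peer_ip "$2") || return 1
    printf 'sudo wg set wg0 peer %s allowed-ips %s\n' "$1" "$ip"
}

# Constructed dump: the first key is the peer shown on this page,
# the second is a made-up placeholder.
sample_dump() {
    printf '%s\t%s\n' \
        '7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=' '10.8.0.2/32 10.8.0.100/32' \
        'CONSTRUCTED_PEER_KEY_PLACEHOLDER=' '10.8.0.3/32'
}

sample_dump | plan_peer 'NEW_PEER_PUBLIC_KEY_PLACEHOLDER=' 10.8.0
```

On the server, replace `sample_dump` with `sudo wg show wg0 allowed-ips`.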

Connecting the WireGuard Peer to the Tunnel

To start the tunnel, run the following on the WireGuard Peer:

sudo wg-quick up wg0

You will receive output like the following:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

You can check the status of the tunnel on the peer using the wg command:

sudo wg

You can also check the status on the server again, and you will receive similar output.

Verify that your peer is using the VPN by using the ip route command.

ip route get 10.8.0.1
10.8.0.1 via 167.99.48.1 dev eth0 src 167.99.62.37 uid 0
cache

If your peer has a browser installed, you can also visit ipleak.net and ipv6-test.com to confirm that your peer is routing its traffic over the VPN.

Once you are ready to disconnect from the VPN on the peer, use the wg-quick command:

sudo wg-quick down wg0

Ref:
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.wireguard.com/install/
https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-debian-10/

Set up the repository

Update the apt package index and install packages to allow apt to use a repository over HTTPS:

$ sudo apt-get update
$ sudo apt-get install \
 ca-certificates \
 curl \
 gnupg \
 lsb-release

Add Docker’s official GPG key:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Use the following command to set up the stable repository.

 echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker Engine

Update the apt package index, and install the latest version of Docker Engine and containerd, or go to the next step to install a specific version:

$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io

Verify that Docker Engine is installed correctly by running the hello-world image.

$ sudo docker run hello-world

This command downloads a test image and runs it in a container.

Docker Engine is installed and running. The docker group is created but no users are added to it. You need to use sudo to run Docker commands. Continue to Linux postinstall to allow non-privileged users to run Docker commands and for other optional configuration steps.

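Manage Docker as a non-root user. Membership in the docker group grants root-level privileges on the host, so add only users you would trust with root. To create the docker group and add your user: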

$ sudo groupadd docker

Add your user to the docker group.

$ sudo usermod -aG docker $USER

Log out and log back in so that your group membership is re-evaluated. If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect. On a desktop Linux environment such as X Windows, log out of your session completely and then log back in. On Linux, you can also run the following command to activate the changes to groups:

$ newgrp docker

Verify that you can run docker commands without sudo.

$ docker run hello-world

This command downloads a test image and runs it in a container.

Configure Docker to start on boot

sudo systemctl enable docker.service
sudo systemctl enable containerd.service

Configure where the Docker daemon listens for connections

By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients. It is possible to allow Docker to accept requests from remote hosts by configuring it to listen on an IP address and port as well as the UNIX socket. For more detailed information on this configuration option, take a look at the “Bind Docker to another host/port or a unix socket” section of the Docker CLI Reference article.

Before configuring Docker to accept connections from remote hosts it is critically important that you understand the security implications of opening docker to the network. If steps are not taken to secure the connection, it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check this article on how to protect the Docker daemon socket.

Configuring Docker to accept remote connections can be done with the docker.service systemd unit file for Linux distributions using systemd, such as recent versions of RedHat, CentOS, Ubuntu and SLES, or with the daemon.json file which is recommended for Linux distributions that do not use systemd.

systemd vs daemon.json

Configuring Docker to listen for connections using both the systemd unit file and the daemon.json file causes a conflict that prevents Docker from starting.

Configuring remote access with systemd unit file.
Use the command sudo systemctl edit docker.service to open an override file for docker.service in a text editor.

Add or modify the following lines, substituting your own values.

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375

Save the file. Reload the systemctl configuration.

$ sudo systemctl daemon-reload

Restart Docker.

$ sudo systemctl restart docker.service

Check to see whether the change was honored by reviewing the output of netstat to confirm dockerd is listening on the configured port.

$ sudo netstat -lntp | grep dockerd

Configuring remote access with daemon.json

Set the hosts array in the /etc/docker/daemon.json to connect to the UNIX socket and an IP address, as follows:

    {
      "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
    }

Restart Docker.

Check to see whether the change was honored by reviewing the output of netstat to confirm dockerd is listening on the configured port.

$ sudo netstat -lntp | grep dockerd
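
The netstat check and the systemd/daemon.json conflict described above can both be scripted. This is an added example, not taken from the Docker documentation; the function names and the sample netstat lines are constructed, and the unit text is assumed to be the unit plus its overrides in order, for instance saved from `systemctl cat docker.service`.

```shell
#!/bin/sh
# exposed_dockerd_listeners: reads `netstat -lntp` output on stdin and prints
# every dockerd TCP listener whose local address is not loopback.
exposed_dockerd_listeners() {
    awk '$6 == "LISTEN" && $NF ~ /\/dockerd$/ {
            if ($4 !~ /^127\./ && $4 !~ /^::1:/) print $4
         }'
}

# docker_hosts_conflict DAEMON_JSON UNIT_TEXT: succeeds (exit 0) when hosts
# are configured both in daemon.json and on the effective ExecStart line.
# An empty "ExecStart=" clears earlier values, as in the override above.
docker_hosts_conflict() {
    grep -q '"hosts"[[:space:]]*:' "$1" 2>/dev/null || return 1
    awk '/^[ \t]*ExecStart=/ { sub(/^[ \t]*ExecStart=/, ""); cmd = $0 }
         END { exit !((" " cmd " ") ~ /[ \t](-H|--host)[ \t=]/) }' "$2"
}

# Constructed netstat lines covering loopback, all-interfaces and IPv6 cases.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      812/dockerd
tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN      812/dockerd
tcp6       0      0 :::2375                 :::*                    LISTEN      812/dockerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
EOF
}

echo "non-loopback dockerd listeners in the sample:"
sample_netstat | exposed_dockerd_listeners
```

On a host, pipe `sudo netstat -lntp` into `exposed_dockerd_listeners`; any output means the daemon is reachable from beyond the local machine.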

Ref:
https://docs.docker.com/engine/install/ubuntu/
https://docs.docker.com/engine/install/linux-postinstall/

How to update Ubuntu

$ sudo apt update
$ sudo apt upgrade

Info from man apt-get:

update
update is used to resynchronize the package index files from their sources. The indexes of available packages are fetched from the location(s) specified in /etc/apt/sources.list. For example, when using a Debian archive, this command retrieves and scans the Packages.gz files, so that information about new and updated packages is available. An update should always be performed before an upgrade or dist-upgrade. Please be aware that the overall progress meter will be incorrect as the size of the package files cannot be known in advance.

upgrade
upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list. Packages currently installed with new versions available are retrieved and upgraded; under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed. New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version. An update must be performed first so that apt-get knows that new versions of packages are available.

dist-upgrade
dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a “smart” conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. The dist-upgrade command may therefore remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.

The main distinction between apt-get upgrade and apt-get dist-upgrade is that in the former, none of the packages are removed. Software packages with newer versions are upgraded and none whatsoever are removed. In the latter, some newer packages are installed, and some are removed to satisfy certain dependencies.

Install Brave Browser on Ubuntu, Mint

Debian 9+, Ubuntu 14.04+ and Mint 17+

If you get gnutls_handshake() errors after adding the Brave repository on Debian 9, you may need to uninstall old conflicting packages.

$ sudo apt install apt-transport-https curl gnupg
$ curl -s https://brave-browser-apt-release.s3.brave.com/brave-core.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-release.gpg add -
$ echo "deb [arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main" | sudo tee /etc/apt/sources.list.d/brave-browser-release.list
$ sudo apt update
$ sudo apt install brave-browser