Blog | Orange Kao

2021-04-102021-04-10

EdgeRouter IPsec site-to-site config example – one site static IP, another site dynamic Internet IP and behind NAT

I’ve been using OpenVPN for years and enjoy the convenience that OpenVPN only require one TCP or UDP port, which is fairly easy to set up even when one of the site is behind NAT or having dynamic IP. In comparison, setup IPsec is more complicated in this case.

However, EdgeRouter hardware offloading does not support OpenVPN. In this example, we will set up IPsec site-to-site using EdgeRouter, with one site having static IP, another site is using dynamic Internet IP and behind a NAT device (e.g. ISP-provided router). In my case, the ISP-provided router is an Optus/Sagemcom router, and the example config is available in another article. If your environment is not that complicated, refer to Ubiquiti help articles.

2021-04-102021-04-10

Optus (Sagemcom) router config example for forwarding IPsec VPN traffic

This article illustrates how to set up Optus router to forward UDP 500, UDP 4500, ESP and AH to the VPN gateway. This is required when setting up IPsec VPN gateway (e.g. EdgeRouter) behind NAT device (e.g. Optus router).

2021-04-052021-04-10

Dynamic DNS using Route 53 and Lambda

This article illustrates how to use Route 53 and Lambda to setup single-tenant DDNS service, with code examples.

It’s technically possible to use a Python script as a DDNS client to update the DNS record on Route 53 directly. However, an AWS access key and secret access key need to be loaded to that node. If that node is compromised, other DNS records in that hosted zone may get tempered because IAM policy does not allow fine-grained permission on a single DNS record. The risk can be mitigated using AWS Lambda.

2020-01-172021-04-05

Amazon S3 object lock (retention period) in Python with IAM policy example

S3 object lock is a feature to prevent permanent deletion on S3 objects, by accident and deliberate. This article focus on retention period in governance mode. For legal hold, please refer to another article.

2020-01-172020-01-18

Amazon S3 object lock configuration on buckets and objects

S3 buckets and objects have their own object lock configuration. This article explains how it works.

2020-01-172021-04-05

Amazon S3 object lock (legal hold) in Python with IAM policy example

S3 object lock is a feature to prevent permanent deletion on S3 objects, by accident and deliberate. This article focus on legal hold. For setting the retention period in governance mode, please refer to another article.

2019-01-282019-03-04

Asus ZenFone 5 ZE620KL (2018) review – two months after purchase

Update: I strongly against updating to Android 9 due to a bug in adaptive brightness.

I’ve purchased Asus ZenFone 5 model ZE620KL (4GB RAM, 64GB storage) in November 2018 in Taiwan at 8,800 NTD (~400 AUD). I’ve been using it for two months – it is reliable and offers good value of money.

2019-01-252019-01-26

Banking in Australia

This is part of the note I took after I started at Macquarie University in 2016.

2019-01-242019-01-26

Safety in NSW National Parks – it’s beautiful but could be dangerous

I don’t have a car so sometimes I make a day trip to NSW National Park by taking public transport. This is what I learned by visiting different parks and checking news on those areas.

2019-01-232019-01-30

Tips for people new to Australia

This was part of the note I took in 2016 after I stared in Macquarie University. These notes are not Macquarie-specific.

2019-01-222019-01-30

Tips for whom just started at Macquarie University

Here’s the note I took while I started at Macquarie in 2016. These notes are specific to Macquarie University.

2019-01-212019-01-21

Mifare Classic is supported on Asus ZenFone 5 ZE620KL

Mifare Classic read/write is supported on Asus ZenFone 5 model ZE620KL. Tested with

Mifare Classic Tool (MCT) for binary read/write
NXP TagWriter for writing NDEF
NXP TagInfo for reading binary / NDEF

2019-01-072019-08-08

Cisco Aironet 2800 installation checklist

In most of the small and medium-sized enterprises (SMEs), we don’t have IT department and sometimes hire third-party for installation and setup. This post provides a checklist for things need to be aware while setting up Cisco Aironet 2800 access points.

2019-01-052019-08-08

Upload file larger than 5GB to Amazon S3 with Ruby

Several days ago I noticed one of my backup to Amazon S3 was failed because the file is larger than 5GB and I didn’t use multipart upload. Code snippet as below. Works on AWS SDK for Ruby v3.

2018-12-292019-07-31

Safe deposit box comparison 2017 – Sydney CBD

This is a safe deposit box comparison I composed in December 2017 by comparing Guardian Vaults, Custodian Vaults, Westpac and Commonwealth Bank safe deposit boxes. Be aware that my purpose is to store A4 sized documents so I cannot use the smallest box.

Continue reading “Safe deposit box comparison 2017 – Sydney CBD”

2018-12-282019-08-08

Data integrity – why I choose Btrfs (silent data corruption)

Not every file system do data block checksumming. And the most popular one on Linux ecosystem – ext4 file system – is one of them. That means if there is a silent data corruption occur on the disk, it may not get noticed. The corrupted data may get backed up to the off-site storage device, and by time, the backup will get corrupted after it’s been replaced by up-to-date (corrupted) version. This is potentially dangerous if the data need to be stored for a long period of time.

2018-12-272019-08-08

Changing Cisco Aironet 2800 SSH password on every AP

While changing the password on Cisco Aironet 2800 controller over web-based management interface, it will update the password for the web interface and SSH login of the controller. However, it will not update the SSH login on every access points. This post provides a solution to change the SSH login for all the access points.

Continue reading “Changing Cisco Aironet 2800 SSH password on every AP”

2018-07-312019-08-08

VLAN config generation with Ruby for Cisco Catalyst 3750

VLAN configuration is very different between HP and Cisco switches. HP is VLAN centred and Cisco is based on physical port. While managing Cisco switches, using a script to generate the config may ease the task. This post proposes a simple script to generate the config.

Continue reading “VLAN config generation with Ruby for Cisco Catalyst 3750”

2018-07-302019-08-08

HP ProCurve Switch 5400zl timezone and daylight saving configuration in Sydney

Only two lines

time timezone 600
time daylight-time-rule user-defined begin-date 10/01 end-date 04/01

Continue reading “HP ProCurve Switch 5400zl timezone and daylight saving configuration in Sydney”

2018-07-302019-08-08

Cisco ASA timezone and daylight saving configuration in Sydney

Only two lines

clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00

Continue reading “Cisco ASA timezone and daylight saving configuration in Sydney”

2018-07-292019-08-08

Difference between Markdown and Discount

Discount is a C implementation of Markdown, and Markdown a text-to-HTML converter written in Perl. They are pretty similar but different in the following behaviours

Discount will replace double quote "" with “” and single and double quote ' with ’. Where Markdown will keep the single and double quote as-is.
To have a second level indentation on bullet points, Discount require two spaces, where Markdown only require one.

Continue reading “Difference between Markdown and Discount”

2018-07-282019-08-08

Prevent accidental erasure of internal drive while using dd to write USB flash drive

It is risky to issue a command like sudo dd if=image of=/dev/sdb bs=1M due to the risk of typing sdb to something else (e.g. internal drive). If an error has been made, the internal hard drive may get erased. This post proposes a solution by using udev rules, which will allow read/write access to USB drive without sudo and no password required. These udev rules does not affect SATA-based storage devices.

2018-07-272019-08-08

Precision brightness control on X280 running Ubuntu 18.04 (bionic)

ThinkPad X280 running Ubuntu 18.04 allows a brightness level from 0 to 1515. However, the Fn+F5/F6 hotkey only allows 21 levels of control. This post provides a solution and easy-to-use script for brightness control, best use with Guake.

2018-07-272019-08-08

Prevent unwanted wake up for ThinkPad X280 running Ubuntu 18.04 (bionic)

There is an issue that X280 may wake up while it’s connected to the ThinkPad USB-C hub. Here is the workaround for this issue.

2018-07-232019-08-08

ThinkPad X280 CPU load and throttling test on Ubuntu 18.04 (bionic)

Before purchasing ThinkPad X280, I was concerned about the CPU throttling bug. It’s a bug which will throttle the CPU performance once it’s been triggered and will not restore the performance without a reboot.

I’ve developed a Ruby script for this test, and run it on X280 with i5-8250U processor. I did not reproduce the throttling issue that requires a reboot to restore the performance – whether the machine is powered by battery or connected to the power supply. However, I did discover a symptom which will under-clock the process to 123MHz under the certain load.

Continue reading “ThinkPad X280 CPU load and throttling test on Ubuntu 18.04 (bionic)”

2018-07-222019-08-08

Review for ThinkPad X280 running Ubuntu 18.04 (bionic)

I’m an everyday Linux (Ubuntu) user moving from X201s to X280. This is my review after installing Ubuntu 18.04 (bionic) on X280.

2018-07-192019-08-08

Improved Let’s Encrypt certificate renewal on Bitnami WordPress

I’ve followed the instructions from Bitnami for installing Let’s Encrypt certificate on Amazon Lightsail instance with Bitnami WordPress preloaded. The guide is very user-friendly and easy to follow. However, there is room for improvement in step 5 in certificate renewal.