What don’t I like about MacBooks

  1. Highly glossy screen
    1. Difficult to see outside, reflects glare from lights
    2. Repairing or replacing the screen is unnecessarily complicated
  2. Thermal management
    1. Thermal design and low fan speeds mean CPUs tend to run hot (not preferable for longevity of components)
    2. Aluminum chassis acts as a heatsink and also gets very hot (noticeable when typing)
  3. Unibody design makes keyboard replacement extremely difficult (routine procedure when the keyboard gets damaged or worn out over time)
  4. On newer models, SSD is built in, so a failure (relatively rare, but it does happen) makes the machine useless/too costly to repair – not “green”!

Set up OpenVPN tunnel on pfSense


  • Log in to the client section of OpenVPN-AS as the user you want to use and download the “Yourself (autologin profile)” file.  If you don’t have this, log into the admin panel and enable autologin for the user.
  • Open up client.ovpn in notepad or similar.
  • Copy the contents of the <ca></ca> block into a new CA cert in pfSense.
  • Copy the contents of the <cert></cert> & <key></key> blocks into a new cert in pfSense.
  • Create a new OpenVPN Client.
  • Fill out the server & port as appropriate.
  • Uncheck “Automatically generate a shared TLS key” and copy the contents of the <tls-auth></tls-auth> block into the box that appears.
  • Pick the CA & Cert you created in steps 3 & 4.
  • Set the encryption algorithm to whatever you’re using in OpenVPN-AS.  The default is BF-CBC unless you changed it.
  • Check the box for Compression if you enabled it in OpenVPN-AS.
  • Save the OpenVPN Client connection and verify that the tunnel comes up.
  • Create a new interface and assign the VPN tunnel to it.
  • Edit the interface, enable it, and make sure that None is set for IPv4 Configuration Type.
  • Add an outbound NAT rule for your new interface.
  • Assign the new gateway to whatever firewall rules you want to force through the VPN tunnel.

Copying the certificates is mostly self-explanatory. Set them up in the pfSense System > Cert Manager menu, under the CA and Certificate sections as appropriate.

The auto-login never worked for me. I had to use the regular profile, enter my username and password in the pfSense client setup, and most importantly, enable compression on the client! Without this, I kept getting “auth failed”. No settings in the “Tunnel Settings” section and below are required. Server port is most likely 1194, protocol is most likely UDP.
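As an added example (not part of the original post), the copy/paste steps above can be checked with a short script that pulls the four inline blocks and the connection settings out of client.ovpn before anything goes into pfSense. The sample profile is constructed with placeholder text instead of real key material, and the dictionary keys are labels chosen here, not pfSense field names.

```python
import re

INLINE_BLOCKS = ("ca", "cert", "key", "tls-auth")

# Constructed sample profile; placeholders stand in for real PEM/key material.
SAMPLE_OVPN = (
    "client\n# constructed example\nremote vpn.example.com 1194 udp\n"
    "remote vpn.example.com 443 tcp\ncomp-lzo\n"
    + "".join("<%s>\nPLACEHOLDER-%s\n</%s>\n" % (n, n.upper(), n)
              for n in INLINE_BLOCKS)
)


def parse_ovpn(text):
    """Return (inline blocks, directives) from the text of an .ovpn profile."""
    blocks = {}
    for name in INLINE_BLOCKS:
        m = re.search(r"^<%s>\s*\n(.*?)\n\s*</%s>" % (name, name),
                      text, re.S | re.M)
        if m:
            blocks[name] = m.group(1).strip()
    # Drop every inline block so key material is never read as a directive.
    rest = re.sub(r"^<([\w-]+)>.*?^</\1>", "", text, flags=re.S | re.M)
    directives = {}
    for line in rest.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":
            directives.setdefault(parts[0], []).append(parts[1:])
    return blocks, directives


def pfsense_fields(text):
    """Collect the values the steps above paste into the pfSense client form."""
    blocks, d = parse_ovpn(text)
    missing = [n for n in INLINE_BLOCKS if n not in blocks]
    if missing or not d.get("remote", [[]])[0]:
        raise ValueError("profile lacks: " + ", ".join(missing or ["remote"]))
    remote = d["remote"][0]          # first remote line: host [port] [proto]
    comp = d.get("comp-lzo") or d.get("compress")
    fields = {
        "server": remote[0],
        "port": int(remote[1]) if len(remote) > 1 else 1194,
        "protocol": (remote[2] if len(remote) > 2 else "udp").upper(),
        # None means the profile does not say; use the OpenVPN-AS setting.
        "cipher": d["cipher"][0][0] if "cipher" in d else None,
        "compression": bool(comp) and comp[0] != ["no"],
    }
    fields.update(blocks)
    return fields
```

A profile that raises ValueError here is missing one of the blocks the steps rely on, which is worth knowing before creating the CA and certificate entries.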

Now, for the routing – this is what sends your LAN traffic over the VPN tunnel.

If you do all of this and traffic is going over your regular internet connection rather than the VPN (i.e. you go to whatismyip.com/ipchicken.com and see your regular ISP address rather than the VPN’s public IP address), REBOOT PFSENSE. Trust me. 

Tunneling Specific Traffic over a VPN with pfSense

The key things are

1) setting up the OpenVPN interface/gateway

2) setting up the NAT rule

3) setting up the firewall rule to forward all LAN traffic to the OpenVPN interface/gateway – which can also be narrowed down to only forward certain protocols, ports, or hosts.

Raspberry Pi email notifier LED using Python

This needs a rewrite…


curl https://get.pimoroni.com/unicornhat  | bash

Python script to light all LEDs with random colors:

import time
import random
import unicornhat as uh


# Give every pixel in the 8x4 grid a random RGB colour
for x in range(8):
    for y in range(4):
        a = random.randint(0, 255)
        b = random.randint(0, 255)
        c = random.randint(0, 255)
        uh.set_pixel(x, y, a, b, c)

# Write the buffer to the LEDs, then wait so the result stays visible
uh.show()
time.sleep(10)

Put that into a python script; call it pilights.py or something. Then run sudo python pilights.py (it has to be run with sudo)

Set up the python library:

sudo pip install --upgrade google-api-python-client

Then go here: https://developers.google.com/gmail/api/quickstart/python

To set up API access to Google/Gmail, go here and create a project. Create the OAuth client ID, download the json file, rename it to client_secret.json, and upload it to the Pi (using scp)

Create the quickstart script using the Google quickstart link above. Run the script as quickstart.py --noauth_local_webserver and copy/paste the link into the browser on your PC. Choose the Google account, then copy/paste the verification code back into the SSH session.

Then make a copy of the quickstart script and delete everything after the main function. Replace it with this:

def checkUnread():
    # Relies on get_credentials() and the httplib2 / discovery imports
    # kept from the quickstart script
    credentials = get_credentials()
    http = credentials.authorize(httplib2.Http())
    service = discovery.build('gmail', 'v1', http=http)

    # The INBOX label record carries the unread thread count
    results = service.users().labels().get(userId='me', id='INBOX').execute()
    unread = results.get('threadsUnread')
    return unread


if __name__ == '__main__':
    print(checkUnread())

Call it emailunread.py or similar.

Copy the lights script above to lights_unread.py. Add import emailunread to the top and declare a variable like z = emailunread.checkUnread()

Then do whatever you want with z to control the lights, e.g. replace the first for loop line with for x in range(z)
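One way to turn z into pixels, as an added example that is not from the original post: it lights one pixel per unread thread and keeps x and y inside the 8x4 grid the lights script addresses, whatever the unread count is. The function names and colours are choices made for this example; only set_pixel, clear and show come from the unicornhat library.

```python
GRID_W, GRID_H = 8, 4   # matches range(8) x range(4) in the lights script


def unread_pixels(unread, width=GRID_W, height=GRID_H):
    """Return [(x, y, r, g, b)] lighting one pixel per unread thread."""
    try:
        count = int(unread)
    except (TypeError, ValueError):
        count = 0                      # lookup returned nothing usable
    total = width * height
    lit = max(0, min(count, total))    # never address a pixel past the grid
    overflow = count > total           # more unread threads than pixels
    colour = (255, 0, 0) if overflow else (0, 64, 255)
    pixels = []
    for i in range(lit):
        x, y = divmod(i, height)       # fill column by column
        pixels.append((x, y) + colour)
    return pixels


def show_unread(unread):
    """Draw the pixels on the HAT (needs the hardware and root)."""
    import unicornhat as uh            # imported here so the mapping runs anywhere
    uh.clear()
    for x, y, r, g, b in unread_pixels(unread):
        uh.set_pixel(x, y, r, g, b)
    uh.show()
```

In lights_unread.py this replaces the nested loops: call show_unread(emailunread.checkUnread()) and then sleep.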

For a full list of API functions, see https://developers.google.com/resources/api-libraries/documentation/gmail/v1/python/latest/gmail_v1.users.html

You may have to rename the credentials (.json file) and move it to /root/.credentials/ because running the script requires root privileges (to turn on the LEDs).

Upgrade nginx in Ubuntu 16.04 with official up-to-date package


  1. Uninstall nginx* (apt remove nginx*) to get rid of the Ubuntu version
  2. Add package source
    1. nano /etc/apt/sources.list.d/nginx.list

    2. deb http://nginx.org/packages/ubuntu/ xenial nginx
      deb-src http://nginx.org/packages/ubuntu/ xenial nginx

    3. Run apt update. If there is an error about a missing GPG key, import it (replace the key ID with whatever shows up in the error, although it should be this one):
      1. sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62

    4. Run apt update again and install nginx.
      1. sudo apt-get update
        sudo apt-get install nginx

    5. If prompted to overwrite config file, say N (for no).
    6. The service probably won’t start. If you try to start it, you’ll get this:
      1. root@ny:/etc/postfix# service nginx start
        Failed to start nginx.service: Unit nginx.service is masked.

    7. root@ny:/etc/postfix# systemctl unmask nginx.service
      Removed symlink /etc/systemd/system/nginx.service.
      root@ny:/etc/postfix# service nginx start

    8. That should do it.
