Wipe and Remove USB drives on Ubuntu via the CLI

For some reason both Windows and macOS lack an easy method in wiping (old) hard disks (the ones with those spinning platters). So I had to do it on my headless Ubuntu server.

Before I forget; use the information below at your own risk. Wiping the data of the disk is pretty definite.

The disks I wanted to whipe were put in a cradle which identified itself as /dev/sdg. The steps I followed were;

Identify the correct drive by issueing the following command. This is the most important step, because selecting the wrong disk may cause significant data loss;
> lsblk -o NAME,SIZE,FSTYPE,MODEL,MOUNTPOINT
Wipe the current filesystem / partition table;
> sudo wipefs -a /dev/sdg
Overwrite the complete disk with random data and a final pass with zero’s;
> sudo shred -v -n 1 -z /dev/sdg
Remove the wiped disk safely;
> udisksctl power-off --block-device /dev/sdg

After step 4, the drive can be removed and a new drive can be inserted and the process repeated.

Posted on January 21, 2026 by Willem and filed under Linux, Tips'n Tricks and tagged ubuntu shred wipe.

Install FFMPEG on macOS (Sequoia)

Ffmpeg is one of those tools that’s quite handy when processing audio and or video. Unfortunately, it’s not included in macOS, so you need to install it yourself. There are numeral ways of doing this;

using a custom package manager like homebrew
building it from scratch (by compiling the source code
or just download the latest binary for macOS

I used the last one, but that requires some additional steps;

copy the ffmpeg binary file to a directory included in the PATH, so you can start the program from anywhere.
(sudo cp ffmpeg /usr/local/bin/.)
Remove Apple macOS protection for that file (mark it as trusted, by removing the quarantine flag).
(sudo xattr -d com.apple.quarantine /usr/local/bin/ffmpeg)

After that, it’s happy encoding.

DISCLAIMER; Only remove the quarantine flag of (executable) files when you’re sure that it doesn’t include any malware. So only download from trusted sources.

Posted on May 5, 2025 by Willem and filed under Tips'n Tricks and tagged ffmpeg macos sequoia.

Firewall redirect DNS traffic to internal DNS servers

With the arrival of IoT (Internet of Things) we are introducing unknown hardware and software to our networks. Many obey the rules we submit them to (custom IP addresses, limited Internet access, specific DNS Servers etc). But there are also devices that use DNS, but have DNS servers hardcoded. Blocking these IP addresses may result in sketchy behavior.

I place all of those devices in a separate VLAN where they have limited connectivity, and where I block outgoing DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) and direct DNS access to the Internet. Everything is supposed to use my internal DNS services. For those devices that have DNS servers hardcoded I created some special NAT and firewall rules to force them to use my internal DNS services.

OPNSense OpenVPN Instances and NordVPN Clients

Ever since I switched from a Juniper SRX to an Opnsense firewall, I was able to use a VPN provider to circumvent certain geofenced websites (mostly news outlets in other countries). Opnsense has the option to create OpenVPN client tunnels, and by creating (firewall) policies, you can direct traffic to a different destination (gateway).

My VPN provider (NordVPN) has a nice support page on how to achieve this, but it’s based on a relative old Opnsense version (v21). Since the release of v24, the configuration of (client) OpenVPN configurations can (also) be done through instances, and the old way is being depricated (and gone in v26.1)

Installing Windows 11 as Guest OS on VMare Workstation Pro

In case you do not want to Encrypt the Virtual Machine, then to bypass the TPM 2.0 requirements while installing Windows 11, Please follow the below steps:

While installing Windows 11, if your computer does not meet the hardware requirements, you will see a message stating, "This PC can't run Windows 11." Windows 11 setup blocked due to missing hardware requirements.
When you see the above message, press Shift+F10 (Or Shift+fn+F10) on your keyboard at the same time to launch a command prompt. At the command prompt, type regedit and press enter to launch the Windows Registry Editor.
When the Registry Editor opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\Setup, Right-click on the Setup key and select New > Key.
When prompted to name the key, Type LabConfig and press enter.
Now right-click on the LabConfig key and select New > DWORD (32-bit) value and create a value named BypassTPMCheck, and set its data to 1.
Once you configure the BypassTPMCheck key-value under the LabConfig key, close the Registry Editor, and then type exit in the Command Prompt followed by enter to close the window. You will now be back at the message stating that the PC can't run Windows 11. Click on the back button in the Windows Setup dialog, as shown below. Press the back button in Windows setup
You will now be back at the screen prompting you to select the version of Windows 11 you wish to install. You can now continue with the setup, and the hardware requirements will be bypassed, allowing you to install Windows 11.

source: https://kb.vmware.com/s/article/86207

If you don’t want to use an online account to login to Windows 11, you have to enter a regular username (e.g. poweruser) with a bogus password. The setup wizard will give an error that the account cannot be found/used etc and gives the option to use a traditional (local) account. Just give a username, password and the answer to 3 secret questions (for password recovery purposes in the future), and you’re ready to go.

source: https://www.techrepublic.com/article/how-to-create-local-account-windows-11/

Posted on February 21, 2024 by Willem and filed under Software, Tips'n Tricks, Operating Systems and tagged Windows 11 local account VMware TPM Bypass TPM Check Workstation.

Add CA Certificates To Python

Python checks SSL certificates when doing stuff over HTTPS. You want to make sure that the communications channel is secure. When you’re experimenting you might want to disable SSL verification (temporary), but there are scenarios where this is not possible. This happens when e.g. you need to install or update through pip, or when a library doesn’t offer a way to ignore or suppress certificate errors. This becomes a challenge in the following circumstances;

a company policy to check outgoing traffic by decrypting all outgoing https traffic,
or when you’re using tools like Burp Suite / OWASP ZAP Proxy to inspect content in API calls etc.

In these cases you’re only solution is to add the root certifcates of those MITM tools to the Python certificate bundle (or create your own bundle). In this case I’ll be adding my own Root CA certificates to the existing bundle. This is not a permanent solution, since they might get overwritten with (pip) updates. But it works for me for the time being.

Start a Python interpreter;

  
    >>> import certifi
>>> certifi.where()
<pythonpath>\lib\site-packages\certifi\cacert.pem
  

This cacert.pem file contains all root CA’s typically found in most browsers and operating systems. Just add your CA (in BASE64 format) at the end of the file and you’ll be good to go (until a next certifi update).

Posted on August 22, 2023 by Willem and filed under Programming, Tips'n Tricks and tagged python3 CA PKI MITM Certificates.

Convert Notations of Networks, Netmasks and CIDR (visa versa)

This post is basically a reminder for myself, since for some reason I run into this challenge over and over again.

The challenge is that I have to switch between the following notations:

10.1.2.0/24
10.1.2.0 255.255.255.0

This is because different programs/systems require different inputs, and I don’t always feel like using scripting (like Python) to transform the content.

Excel

So here are some Excel formulas that can be used.

Generate a netmask from a CIDR notation (e.g. 10.1.2.0/24) from cell A119:

  
    =(IF(ISNUMBER(SEARCH("/32",A119)),"255.255.255.255",
IF(ISNUMBER(SEARCH("/31",A119)),"255.255.255.254",
IF(ISNUMBER(SEARCH("/30",A119)),"255.255.255.252",
IF(ISNUMBER(SEARCH("/29",A119)),"255.255.255.248",
IF(ISNUMBER(SEARCH("/28",A119)),"255.255.255.240",
IF(ISNUMBER(SEARCH("/27",A119)),"255.255.255.224",
IF(ISNUMBER(SEARCH("/26",A119)),"255.255.255.192",
IF(ISNUMBER(SEARCH("/25",A119)),"255.255.255.128",
IF(ISNUMBER(SEARCH("/24",A119)),"255.255.255.0",
IF(ISNUMBER(SEARCH("/23",A119)),"255.255.254.0",
IF(ISNUMBER(SEARCH("/22",A119)),"255.255.252.0",
IF(ISNUMBER(SEARCH("/21",A119)),"255.255.248.0",
IF(ISNUMBER(SEARCH("/20",A119)),"255.255.240.0",
IF(ISNUMBER(SEARCH("/19",A119)),"255.255.224.0",
IF(ISNUMBER(SEARCH("/18",A119)),"255.255.192.0",
IF(ISNUMBER(SEARCH("/17",A119)),"255.255.128.0",
IF(ISNUMBER(SEARCH("/16",A119)),"255.255.0.0",
IF(ISNUMBER(SEARCH("/15",A119)),"255.254.0.0",
IF(ISNUMBER(SEARCH("/14",A119)),"255.252.0.0",
IF(ISNUMBER(SEARCH("/13",A119)),"255.248.0.0",
IF(ISNUMBER(SEARCH("/12",A119)),"255.240.0.0",
IF(ISNUMBER(SEARCH("/11",A119)),"255.224.0.0",
IF(ISNUMBER(SEARCH("/10",A119)),"255.192.0.0",
IF(ISNUMBER(SEARCH("/9",A119)),"255.128.0.0",
IF(ISNUMBER(SEARCH("/8",A119)),"255.0.0.0",
IF(ISNUMBER(SEARCH("/7",A119)),"254.0.0.0",
IF(ISNUMBER(SEARCH("/6",A119)),"252.0.0.0",
IF(ISNUMBER(SEARCH("/5",A119)),"248.0.0.0",
IF(ISNUMBER(SEARCH("/4",A119)),"240.0.0.0",
IF(ISNUMBER(SEARCH("/3",A119)),"224.0.0.0",
IF(ISNUMBER(SEARCH("/2",A119)),"192.0.0.0",
IF(ISNUMBER(SEARCH("/1",A119)),"128.0.0.0",
"")))))))))))))))))))))))))))))))))
  

Strip the netmask bits from the CIDR notation (in cell A2):

=LEFT(A2, SEARCH("/", A2) -1)

And to convert from network address and netmask to CIDR notation (combining cell B2 with C2):

  
    =CONCAT(B2,(
IF(C2="255.255.255.255","/32",
IF(C2="255.255.255.254","/31",
IF(C2="255.255.255.252","/30",
IF(C2="255.255.255.248","/29",
IF(C2="255.255.255.240","/28",
IF(C2="255.255.255.224","/27",
IF(C2="255.255.255.192","/26",
IF(C2="255.255.255.128","/25",
IF(C2="255.255.255.0","/24",
IF(C2="255.255.254.0","/23",
IF(C2="255.255.252.0","/22",
IF(C2="255.255.248.0","/21",
IF(C2="255.255.240.0","/20",
IF(C2="255.255.224.0","/19",
IF(C2="255.255.192.0","/18",
IF(C2="255.255.128.0","/17",
IF(C2="255.255.0.0","/16",
IF(C2="255.254.0.0","/15",
IF(C2="255.252.0.0","/14",
IF(C2="255.248.0.0","/13",
IF(C2="255.240.0.0","/12",
IF(C2="255.224.0.0","/11",
IF(C2="255.192.0.0","/10",
IF(C2="255.128.0.0","/9",
IF(C2="255.0.0.0","/8",
IF(C2="254.0.0.0","/7",
IF(C2="252.0.0.0","/6",
IF(C2="248.0.0.0","/5",
IF(C2="240.0.0.0","/4",
IF(C2="224.0.0.0","/3",
IF(C2="192.0.0.0","/2",
IF(C2="128.0.0.0","/1",
""))))))))))))))))))))))))))))))))))
  

The way it looks in Excel:

Some Python Code

>>> from netaddr import IPAddress
>>> print(IPAddress('255.255.255.0').netmask_bits())
24

or

>>> from ipaddress import IPv4Network
>>> print(IPv4Network('0.0.0.0/255.255.255.0').prefixlen)
24

or

>>> netmask = '255.255.255.0'
>>> print(sum(bin(int(x)).count('1') for x in netmask.split('.')))
24

or

>>> from ipaddress import IPv4Network
>>> net = IPv4Network("192.4.2.0/24")
>>> print(net.netmask)
255.255.255.0

Posted on July 28, 2023 by Willem and filed under Tips'n Tricks and tagged Excel network netmask CIDR conversion.

Raspberry Pi OPNsense Captive Portal Voucher Generation

When I received my new HP/Aruba iAP-305-RW access points I started to think about introducing a wireless guest network. Not a network with a pre-shared key, but something more secure and flexible. The HP/Aruba AP’s have the option for captive portal, but it doesn’t have a good integration with ACME/Let’s Encrypt certificates. My OPNsense firewall has very good integration with ACME/Let’s Encypt, and has the option of deploying a Captive Portal.

Configuring the Captive Portal on the OPNsense firewall is pretty straightforward. It’s well documented, and is up-and-running in minutes. The main challenge was creating a way to supply the credentials to the users. The default option is to generate voucher codes and print them. Not really an option, since I loose those pieces of paper before I even printed them.

The newer OPNsense software has a decent API, which also includes API options for captive portal. This opened up an option including a Raspberry Pi.

Vacation Photos of Norway

This year we went to Norway for a well deserved vacation. This wasn’t our first choice, but since there was a lot of problems on Schiphol Airport, we decided that we should go by car. Since the Canary Islands are not really reachable by car the obvious choice was Norway (mainly because of the excellent infrastructure for electric vehicles).

The photos can be found on my photo website.

Below are some samples.

Posted on October 28, 2022 by Willem and filed under Holiday, Personal and tagged vacation norway fujifilm leica nature.

Specific Windows DNS Client routing with Powershell

Recently I ran into an issue in regards to accessing internal company websites while using the corporate VPN. Turns out that Windows has its own ideas in regards to network connections (wired/wireless) and VPN’s metrics.

The internal website was only accessible by modifying the metric on the VPN adapter to a lower than 5 value. Reason is that the metric on the ethernet adapter has a lower metric than the VPN.
Modifying the metric setting on the VPN helped, but the VPN confgi is maintained by our IT department, and they (you already guessed it) may change settings and/or reset them back to the intended defaults.

By accident I ran into a more permanent solution by invoking the powers of PowerShell. It turns out that you can manipulate the DNS Client behavior and direct DNS queries for specific hosts an/or domains to specific DNS services.

Start PowerShell with local admin rights.

  
    Add-DnsClientNrptRule -DisplayName "My DNS Override"  -Namespace "<FQDN/domain>" -NameServers "DNSSERVER#1","DNSSERVER#2"
  

The minimum required number of DNS servers is 1.

This setting will survive reboots, so it’s pretty permanent.

Checking the current DNS Client settings:

Get-DnsClientNrptRule | more

Find the entry with the DisplayName giving while creating the override.
If you want to remove the entry you created you need the Name of the rule. This is represented by a GUID between curly brackets (e.g. {E5FA72F5-5575-4C15-9A2C-5F2D7B59845F}).

Remove-DnsClientNrptRule -Name "{E5FA72F5-5575-4C15-9A2C-5F2D7B59845F}"

Unfortunatelly, you cannot use the DisplayName (which is more user-friendly/readable)

Posted on August 1, 2022 by Willem and filed under Operating Systems, Tips'n Tricks and tagged powershell dns.