How to switch wifi networks with Keyboard Maestro

In a recent blog post I explained how I secure my home network with a VPN. In that article, I also explained how I enabled external access to my home network, using the Slink software running on a Mac mini server, whose primary network interface is wifi connected to my ISP router, and second network interface is ethernet connected to my home gigabit switch.

This setup works great, but it did require solving a tricky problem:

My home wifi network (created by the AirPort Extreme) is called “Hacienda”, and the wifi network created by the ISP router is called “HaciendaOlive”. Since I want all my home devices connected to Hacienda, that network is given first priority over all other known networks on my iPhones, iPads, etc.

The problem is that that network priority list propagates to the Mac mini (and all my devices) via iCloud, and so anytime there’s a network interruption or the machine reboots, the Mac mini connects to the Hacienda wifi network (instead of HaciendaOlive)—which of course kills my external access to that machine.

What I need is for the mini, and only the mini, to have HaciendaOlive set as its highest-priority wifi network. But this doesn’t seem to be possible, unless I’d be willing to disable iCloud on that machine.

My solution to this problem was a Keyboard Maestro macro which runs every five minutes, checking whether the computer is connected to the HaciendaOlive network, and if not, switching it to that network. This required researching some obscure AppleScript code, and so I thought I’d post the macro here for the benefit of others searching for how to switch wifi networks using Keyboard Maestro. The blurred text in the image is the wifi network password.

Enjoy!

How to protect your home network with a VPN router

In this article, I describe how I added security to my home network by installing a router that directs all internet traffic through an encrypted VPN connection. The adventure includes my experience with the FlashRouters company, the Tomato router firmware software, an OpenVPN connection to the Cloak network, the Linksys E2500 router and the Netgear Nighthawk R7000 router.


Using WordPress redirection plugins to create easy-to-remember social links

I’ve never been good at remembering my social media URLs. Am I “dafacto” there or “mhenders”? At Facebook, where neither was available, what was that URL stub I chose? And doesn’t LinkedIn include something like /i/ or /in/ in their URLs?

Well today I solved that problem by using the Yoast SEO Premium WordPress plugin’s “redirect” feature (also available in the free alternative, Redirection). Now, all my social URLs are easy to remember:

Woot!

Authenticating support requests

I experienced something today that’s frustratingly becoming quite common. I emailed the support address of a financial institution I use, and they replied that they can only provide support if I contact them from the email address registered to my account.

The problem here is that as the owner of my own domain, I can receive email sent to [email protected], and I take advantage of that by using unique email addresses for most services I sign up for. (If for nothing else, this makes it easy to determine who’s passing on my email address to spammers.) But I cannot easily send emails from all those different addresses, since that would require adding each one manually to Mail.app.

What I find irritating is the company’s assumption that the “from” address serves as any kind of authentication, since it’s dead easy to spoof the from address on an email!

Any company that wants to provide authenticated support must provide a mechanism to initiate the conversation only from within a logged-in authenticated session at their website (or app). After that, it’s fine to continue the conversation outside the authenticated session—e.g. using ZenDesk, HelpScout or whatever support tool they use—because regardless of the email address I use from that point forward in the conversation, I wouldn’t be in a position to even respond if I hadn’t been the one who securely initiated the conversation in the first place.

How to disable root login on a DigitalOcean droplet

When you create a droplet (virtual private server) at DigitalOcean, the service sends you an email containing the login password of the root user. The problem with this setup is the risk that your server gets compromised through a brute-force password-guessing login attack.

DigitalOcean provides a more secure alternative, if you first add your SSH public key to your DigitalOcean account settings. In this case, when DigitalOcean creates your droplets, it will disable root login with password, and configure the server so that you can log in as root using only your SSH key.

I only learned about this safer option after having created my droplet, and so I spent a little time trying to figure out how to rectify things — i.e. I wanted to add my SSH key to the server, and disable root login with password.

Surprisingly, I had to piece together instructions from a couple of articles, as well as getting some support from our company’s system administrator, and so I thought I’d post a summary here for the benefit of others:

Step 1: Copy your SSH key to the DigitalOcean server. (You do this from your local computer, and this assumes you already have an ssh key locally.)

cat ~/.ssh/id_dsa.pub | ssh root@[your_server] "cat >> ~/.ssh/authorized_keys"

Step 2: Edit the file /etc/ssh/sshd_config, setting the PermitRootLogin setting to “without-password”. I used Transmit’s “Edit in Transmit” feature to do this. Also, don’t, as I did, confuse this file with the similarly-named “ssh_config”.

PermitRootLogin without-password

Step 3: Log in to the server as root, and restart sshd:

service ssh restart

After sshd restarts, you should be able to log in as root without entering a password, and your server should now be a bit more secure.
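A check worth running between Step 2 and Step 3, as an added example that is not part of the original post: it reads a sshd_config-style file the way sshd resolves global settings (the first value read for a keyword wins, keywords are case-insensitive, lines under a Match block are conditional) and reports whether PermitRootLogin still allows a root password login. The function names `effective_value` and `root_password_login` and the sample config are constructed for illustration, and Include directives are assumed absent.

```shell
#!/bin/sh
# Added example: audit a sshd_config-style file for root password login.
# Assumptions: Include directives are not followed, and only global settings
# (lines before the first Match block) are considered.

# effective_value FILE KEYWORD
# Print the first global value of KEYWORD, lowercased, or "unset".
# sshd uses the first value it reads for a keyword, so later duplicates are inert.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = 0 }
        { sub(/#.*/, ""); sub(/=/, " "); gsub(/"/, "") }  # comments, key=value, quotes
        NF == 0 { next }
        tolower($1) == "match" { exit }                  # conditional from here on
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_password_login FILE
# Print whether PermitRootLogin lets root authenticate with a password.
# prohibit-password is the newer OpenSSH spelling of without-password.
root_password_login() {
    case "$(effective_value "$1" PermitRootLogin)" in
        no|without-password|prohibit-password|forced-commands-only) echo blocked ;;
        yes) echo allowed ;;
        *) echo unknown ;;   # unset: the installed sshd's built-in default applies
    esac
}

# Constructed sample: the Step 2 line was appended below an existing "yes",
# so the first value still wins and the edit has no effect.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PermitRootLogin no' \
    'PermitRootLogin without-password' > "$sample"
echo "constructed sample: $(root_password_login "$sample")"
rm -f "$sample"

# Audit a real file when a path is given as the first argument.
if [ $# -gt 0 ]; then
    echo "$1: $(root_password_login "$1")"
fi
```

Pass /etc/ssh/sshd_config as the first argument to audit the real file. Running `sshd -t` before the restart in Step 3 also catches syntax errors that would otherwise stop sshd from coming back up.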