Tag: security

  • Testing the speed of an OCI VPN connection using iperf3 🏎️

    I’ve been working with a customer to set up an OCI Site-to-Site VPN between their on-premises environment and their OCI tenancy.

    One thing we wanted to do was test the actual speed of the VPN to ensure that it was sufficient for the customer’s needs. I found the easiest way to do this was using the splendid tool iperf3 🏎️.

    I had a play with this in my home lab, where I have an OCI Site-to-Site VPN configured between a Dream Router 7 and my test OCI tenancy – this provides private access to a number of VM instances that I have hosted within my OCI tenancy.

    To get started I needed to install iperf3 on a server within my tenancy (this will be the endpoint for the speed test). To install iperf3 on Ubuntu, the following command can be used:

    sudo apt install iperf3

    To install on Oracle Linux run the following command:

    sudo yum install iperf3

    Once iperf3 had been installed on the server within OCI, I then needed to install it on my client machine that sits on-premises (my house!); iperf3 supports Windows and macOS. I installed it on my Mac using the instructions found here – https://iperf.fr/iperf-download.php.

    Now that I had iperf3 installed on the client and server, the next thing I needed to do was open the port used by iperf3 (TCP 5201 by default) on both the Linux server itself and the Security List/NSG within OCI 🔐.

    Here are instructions for opening a local port on Ubuntu. To open the port on Oracle Linux, use these commands:

    sudo firewall-cmd --add-port=5201/tcp
    sudo firewall-cmd --runtime-to-permanent

    Use these instructions to open a port in a Security List. To open a port in an NSG use these instructions.

    In my case I’m only using Security Lists to secure access, so I have the configuration below, which permits traffic on TCP port 5201 from my home network (192.168.1.0) to the subnet containing my VM instance within OCI (172.16.1.0/24):

    Now that the port has been opened on the Linux server AND in either the Security List or NSG (depending on what you use), the next thing to do is start iperf3 on the Linux server in listening mode. To do this I ran the following command:

    iperf3 -s

    I can now start the test from the client machine (macOS in my case) by running the following command, which connects to the IP address of my Linux VM instance – note that it’s using the private IP address, so the traffic will route over the VPN tunnel:

    sudo iperf3 -c 172.16.1.21

    It will then run some speed tests and output the results:

    From this I can see the bitrate in Mbit/s and the data transferred in MBytes for each of the 10 intervals, and also the average send/receive speed.

    In the example above, I was seeing ~30 Mbits/sec throughput.

    This was super-helpful for me, hopefully you find it useful too.

    Whilst I used it to benchmark VPN speeds, it can be used in other scenarios too, to understand the network throughput between two devices on the same or different networks.
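    If you run the client with iperf3’s `--json` flag instead of reading the table by eye, the result can be checked automatically against the throughput the customer actually needs. This is an added example, not part of the original post; the JSON sample inside it is constructed to resemble the ~30 Mbit/s run above, in the layout iperf3 really emits.

```python
"""Summarise a run captured with `iperf3 -c <server> --json` (e.g. piped in over stdin).

Added example, not from the original post. It reads iperf3's JSON layout
(intervals[].sum and end.sum_sent / end.sum_received); the sample below is
constructed to resemble the ~30 Mbit/s result described in the post.
"""
import json
import sys

# Constructed two-interval sample in iperf3 --json layout, trimmed to the fields used here.
SAMPLE_IPERF3_JSON = """
{
  "intervals": [
    {"sum": {"start": 0.0, "end": 1.0, "seconds": 1.0, "bytes": 3932160, "bits_per_second": 31457280.0}},
    {"sum": {"start": 1.0, "end": 2.0, "seconds": 1.0, "bytes": 3670016, "bits_per_second": 29360128.0}}
  ],
  "end": {
    "sum_sent":     {"bytes": 7602176, "bits_per_second": 30408704.0},
    "sum_received": {"bytes": 7340032, "bits_per_second": 29360128.0}
  }
}
"""

def summarise(report_json: str) -> dict:
    """Per-interval Mbit/s plus the sender and receiver averages iperf3 prints at the end."""
    report = json.loads(report_json)
    if "error" in report:  # with --json, a failed connection yields {"error": "..."} and no intervals
        raise RuntimeError(f"iperf3 reported an error: {report['error']}")
    return {
        "intervals_mbps": [iv["sum"]["bits_per_second"] / 1e6 for iv in report["intervals"]],
        "sent_mbps": report["end"]["sum_sent"]["bits_per_second"] / 1e6,
        "received_mbps": report["end"]["sum_received"]["bits_per_second"] / 1e6,
        "transferred_mbytes": report["end"]["sum_sent"]["bytes"] / 2**20,  # iperf3's MBytes are 2^20 bytes
    }

def meets_requirement(report_json: str, required_mbps: float) -> bool:
    """Judge on the receiver average: that is what actually arrived across the tunnel."""
    return summarise(report_json)["received_mbps"] >= required_mbps

if __name__ == "__main__":
    # Usage: iperf3 -c 172.16.1.21 --json | python3 iperf_summary.py  (falls back to the sample)
    result = summarise(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPERF3_JSON)
    for i, mbps in enumerate(result["intervals_mbps"]):
        print(f"interval {i}: {mbps:.2f} Mbit/s")
    print(f"sender avg {result['sent_mbps']:.2f} Mbit/s, receiver avg {result['received_mbps']:.2f} Mbit/s")
```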

  • Why isn’t DHCP working on the secondary VNIC of an OCI VM instance? ❌

    Every day is a school day – especially with OCI!

    I was recently playing around in my lab and needed to add a secondary VNIC to one of my VMs for some testing that I was doing.

    I quickly set about adding a secondary VNIC and used the default option of assigning an IP address automatically using DHCP rather than specifying a static IP address (I’m lazy, I know!).

    I gave the server a reboot, logged in and to my surprise the shiny new secondary VNIC had acquired a nasty APIPA address (169.x.x.x) rather than the dynamic IP address that OCI had assigned (10.0.1.69) ❌:

    What is an APIPA address you may ask:

    “An APIPA (Automatic Private IP Addressing) IP address is a self-assigned address in the 169.254.x.x range that a device uses when it cannot get an IP address from a DHCP server. This feature allows devices on a local network to communicate with each other even when the DHCP server is down, providing basic connectivity”

    I deleted and re-added the VNIC and rebooted the server more times than I care to admit – but still nothing. I couldn’t get rid of this pesky APIPA IP address and get the “real” IP address that OCI had assigned (10.0.1.69).

    After realising I’d sunk far too much time into this, I reached out to a colleague who is a networking whizz in OCI, who informed me that OCI will only use DHCP for the primary VNIC on VM instances – any secondary VNICs that you add to a VM instance must be configured with a static IP address (why oh why didn’t I ask them sooner 😫).

    This is quite confusing as the OCI console allows you to add a secondary VNIC and specify DHCP – it just doesn’t work 🤦‍♂️.

    It will even display the “dynamic” IP address that has been assigned to the instance in the console – it just won’t be picked up by the underlying OS on the VM instance, as DHCP doesn’t work:

    Moral of the story: when adding a secondary VNIC (or tertiary for that matter) use static IP addressing ✅.

    Note that whilst this affected a Windows Server in my case, this also applies to Linux too.

    Hopefully my pain will help somebody else in the future!

  • Unauthorized to use OML application error when trying to obtain an OML token from an Oracle Autonomous database with a private endpoint ❌

    Probably the longest title I’ve ever had for a post!

    I have an Oracle Autonomous Database that I created a private endpoint for and published via a public load balancer in OCI... my reason for this complexity – I wanted to use a custom vanity URL to access the database, and this is the supported way to do this. If you want to know more about setting this up, be sure to check out this step by step guide 📖.

    Once I’d got this setup, everything worked as expected apart from one small issue – when trying to get a token via REST so that I could call an Oracle Machine Learning model within the database I received the following error ❌.

    b'{"error_message":"\'DEMO1USER\' unauthorized to \'use OML application\'","errorCode":0,"request_id":"OMLIDMREST-955f999622584d33a70"}'

    I was calling the REST API via Python, but other methods such as curl returned the same error (further details on calling the REST API to get a token and authenticate can be found here). The user had the relevant permissions, so it was definitely something else 🤔.

    The trick to fixing this is to update the URL that is called to obtain the token, rather than using this:

    https://oml-cloud-service-location-url/omlusers/api/oauth2/v1/token

    The URL needs to be updated to include the OCID of the OCI tenancy and the name of the database to connect to, like this:

    https://oml-cloud-service-location-url/omlusers/tenants/TenancyOCID/databases/DatabaseName/api/oauth2/v1/token

    For example, I was originally using this URL:

    https://adb.brendg.co.uk/omlusers/api/oauth2/v1/token

    I had to update this to:

    https://adb.brendg.co.uk/omlusers/tenants/ocid1.tenancy.oc1..aaaaaabbjdjwnd3krfpjw23erghw4dxnvadd9w6j2hwcirea22qrtfam24mq/databases/DemoDB/api/oauth2/v1/token

    The reason for this is that when using a custom (vanity) URL to access the REST endpoint, the service doesn’t know which tenancy and database you are trying to obtain an authentication token for, therefore you need to specify this in the REST endpoint path.

    Once I’d done this, it worked like magic 🪄
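    The Python side of the fix, as an added example that is not the original post’s script: a helper that builds the tenancy-and-database form of the token URL, plus a standard-library request for the token. The JSON body (grant_type/username/password) follows the OML REST token API; the accessToken field name in the reply is an assumption, and credentials come from environment variables rather than the source.

```python
"""Request an OML token through a vanity URL that fronts a private-endpoint ADB.

Added example, not the original post's script. Standard library only; the body
fields (grant_type/username/password) follow the OML REST token API, while the
accessToken field name in the reply is assumed. Credentials come from env vars.
"""
import json
import os
import urllib.error
import urllib.request

def oml_token_url(base_url: str, tenancy_ocid: str = None, database: str = None) -> str:
    """Build the token URL. Through a vanity hostname the tenancy OCID and database
    name must be in the path; without them the service cannot tell which database
    the token is for and replies 'unauthorized to use OML application'."""
    base = base_url.rstrip("/")
    if tenancy_ocid and database:
        return f"{base}/omlusers/tenants/{tenancy_ocid}/databases/{database}/api/oauth2/v1/token"
    return f"{base}/omlusers/api/oauth2/v1/token"

def request_token(url: str, username: str, password: str, timeout: float = 30.0) -> str:
    """POST the password grant and return the access token string."""
    body = json.dumps({"grant_type": "password", "username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
            payload = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:  # the 'unauthorized' reply arrives this way
        detail = exc.read().decode(errors="replace")
        raise RuntimeError(f"token request failed ({exc.code}): {detail}") from exc
    if "accessToken" not in payload:  # assumed field name; surface whatever came back instead
        raise RuntimeError(f"unexpected token reply: {payload}")
    return payload["accessToken"]

if __name__ == "__main__":
    url = oml_token_url(
        "https://adb.brendg.co.uk",
        "ocid1.tenancy.oc1..aaaaaabbjdjwnd3krfpjw23erghw4dxnvadd9w6j2hwcirea22qrtfam24mq",
        "DemoDB",
    )
    token = request_token(url, os.environ["OML_USER"], os.environ["OML_PASSWORD"])
    print(token[:16] + "...")  # never log the whole bearer token
```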

  • How to create a free SSL certificate with Let’s Encrypt…and as a bonus use this certificate with Oracle Analytics Cloud 🔐

    I needed an SSL certificate recently as I wanted to make an instance of Oracle Analytics Cloud available publicly with a nice vanity URL, rather than https://demo1analyticscloud-lrmvtbrwx-ld.analytics.ocp.oraclecloud.com – something a little more memorable, such as https://oac.oci-demo.co.uk.

    To do this I needed an SSL certificate and decided to use Let’s Encrypt as they provide free SSL certificates (with a validity period of 90 days).

    It was relatively straightforward to create a certificate using the Certbot client for macOS. To do this I did the following:

    Step 1 – Installed Certbot using the following command

    brew install certbot

    Step 2 – Created a directory to store the generated certificates

    mkdir certs
    cd certs

    Step 3 – Create the certificate request using Certbot

    This uses the DNS challenge type, which is ideal when you need to create a certificate for use on a system that doesn’t provide native integration with Certbot (such as Oracle Analytics Cloud). Replace “e-mail address” with a valid address to use for renewal reminders.

    cd certs
    certbot certonly --manual --preferred-challenges=dns --config-dir config --work-dir workdir --logs-dir logs --agree-tos -m e-mail address --key-type rsa

    When this command runs, it will ask for the hostname to create the SSL certificate for. In my case I requested a certificate for demo1oac.oci-demo.co.uk.

    After hitting enter, it then provides a DNS record that needs to be created to validate domain ownership.

    I host my DNS within OCI, so this was as simple as creating a DNS TXT record using the OCI Console (the process will vary depending on your DNS provider).

    I then used the link within the instructions to validate the presence of the DNS TXT records that I had just created.

    Once I’d verified that the DNS record was available publicly, I hit enter and the SSL certificates were created for me!

    Step 4 – Configure OAC to use a custom hostname with SSL (example)

    I then navigated to Oracle Analytics Cloud within the OCI Console and within Vanity URL selected Create.

    I entered the hostname for the vanity URL – demo1oac.oci-demo.co.uk. I then uploaded the certificates that had just been generated.

    The mapping between certificate types and the .pem files created is as follows:

    • Certificate = cert1.pem
    • Private Key = privkey1.pem
    • Certificate Authority chain file = chain1.pem

    I then hit Create to apply the configuration. A final step was for me to create a DNS entry to point demo1oac.oci-demo.co.uk to the public IP address of the OAC instance.

    I then waited a few minutes for the DNS record to come to life and then browsed to https://demo1oac.oci-demo.co.uk and it worked!
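    Because Let’s Encrypt certificates only last 90 days and OAC has no Certbot integration to renew them for you, it is worth checking what the vanity hostname actually presents: that the certificate’s SAN covers the hostname and how many days are left. This is an added example, not from the original post; fetch_peer_cert uses the standard ssl module, and the sample certificate dict is constructed in the shape ssl.getpeercert() returns so the checks also run offline.

```python
"""Check the certificate a vanity hostname presents: SAN match and days to expiry.

Added example, not from the original post. check_cert works on the dict shape
that ssl.getpeercert() returns, so it runs offline on the constructed sample.
"""
import socket
import ssl
import time

RENEWAL_WARNING_DAYS = 30  # certbot's default renewal window for 90-day certificates

def san_dns_names(cert: dict) -> list:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match SAN DNS entries only (browsers ignore the CN); one-label wildcards allowed."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def days_until_expiry(cert: dict, now_epoch: float = None) -> float:
    now_epoch = time.time() if now_epoch is None else now_epoch
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) / 86400

def check_cert(cert: dict, hostname: str, now_epoch: float = None) -> dict:
    days = days_until_expiry(cert, now_epoch)
    return {"hostname_ok": hostname_matches(cert, hostname),
            "days_left": days, "renew_soon": days < RENEWAL_WARNING_DAYS}

def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Connect with full chain verification and return the leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "demo1oac.oci-demo.co.uk"),),),
    "subjectAltName": (("DNS", "demo1oac.oci-demo.co.uk"),),
    "notAfter": "Jun 10 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    print(check_cert(fetch_peer_cert("demo1oac.oci-demo.co.uk"), "demo1oac.oci-demo.co.uk"))
```

    Upload-wise, note that certbot’s chain1.pem holds only the intermediate(s) while fullchain1.pem also contains the leaf, which is why the OAC mapping above uses cert1.pem and chain1.pem separately.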