11-15-2021, 08:52 PM | #1 |
Member
Posts: 12
Karma: 10
Join Date: May 2020
Device: Kindle Voyage
|
Tailscale for Kobo
This article is planned to be published on my blog, but I'm sharing it here a bit early to solicit feedback. Enjoy, and if you have any questions please let me know.
Last month, Rakuten finally released a reasonably-sized Kobo with USB C, the Kobo Sage. One of the most fascinating things about the Kobo eReaders (compared to the Kindle eReaders) is that they run a user-modifiable version of Linux, meaning you're free to do all sorts of weird and wild things with them. So I decided to put Tailscale on my Kobo Sage. Tailscale is distributed as statically-compiled binaries (thanks Go!), so getting Tailscale downloaded and running on Kobo Sage was as easy as downloading the binaries, copying them into a $PATH friendly folder, and running tailscaled. Code:
wget https://pkgs.tailscale.com/stable/tailscale_1.16.2_arm.tgz tar -xzf tailscale_1.16.2_arm.tgz mv tailscale_1.16.2_arm/tailscaled /usr/bin mv tailscale_1.16.2_arm/tailscale /usr/bin rm -rf tailscale_1.16.2_arm tailscaled Code:
wgengine.NewUserspaceEngine(tun "tailscale0") error: exec: "iptables": executable file not found in $PATH wgengine.New: exec: "iptables": executable file not found in $PATH Getting iptables Unfortunately, there's no officially distributed pre-compiled binaries of iptables. So, we can either compile from source (either on a 32-bit ARM device or via cross-compilation), or we can yank the binary out of an image of a 32-bit ARM Linux distro. We need a distro that's old enough to be using glibc version less than 2.19, so the best choice I came up with was the July 5, 2017 release of Raspbian, the last to be based on Debian 8 (codename jessie). Using 7zip for Windows, I extracted the following files from the disk image: - /sbin/xtables-multi - /lib/libip4tc.so.0.1.0 - /lib/libip6tc.so.0.1.0 - /lib/libxtables.so.10.0.0 Note: You can also extract these files on Linux, but it's a bit more complicated. Now that we had a binary, it was time to put it on the device. Installing iptables Out of the box, Kobo Sage doesn't support ssh, but it does support telnet after enabliing dev mode. Since I couldn't use scp to copy files to the device, I ran a web server on my computer, and downloaded the files with wget: Code:
wget http://callisto.localdomain:8000/xtables-multi wget http://callisto.localdomain:8000/libip4tc.so.0.1.0 wget http://callisto.localdomain:8000/libip6tc.so.0.1.0 wget http://callisto.localdomain:8000/libxtables.so.10.0.0 Code:
mv xtables-multi /sbin mv libip4tc.so.0.1.0 /lib mv libip6tc.so.0.1.0 /lib mv libxtables.so.10.0.0 /lib Code:
cd /sbin ln -s xtables-multi iptables Code:
ln -s libxtables.so.10.0.0 libxtables.so.10 ln -s libip4tc.so.0.1.0 libip4tc.so.0 ln -s libip6tc.so.0.1.0 libip6tc.so.0 chmod 755 libxtables.so.10.0.0 chmod 755 libip4tc.so.0 chmod 755 libip6tc.so.0 Code:
iptables --version With the iptables binary working, confirming Tailscale works was the next step. By default tailscaled stores some state in /var/lib, which the Kobo doesn't like. So, for the purposes of testing, I just manually told tailscaled to store its state in a file at the root directory. Code:
tailscaled --state=tailscaled.state Code:
tailscale up Staying Connected to Tailscale Getting Tailscale up and running wasn't as smooth as on a typical Linux device, but staying connected to Tailscale is an even trickier thing to do. Kobo Sage doesn't have systemd, so we can't use the included service definition provided by Tailscale. To further complicate matters, if we try to hook into the lower levels of the OS and make a mistake, we can end up with a bricked device that's unable to be recovered. Thankfully, there's been a ton of exploration in this area by other developers (shoutout to the Kobo Developer's Corner on the MobileRead Forums), and the generally agreed upon way of running things at boot is by using the udev system. This allows us not only to hook into a startup event, but also into events that are triggered when Kobo Sage connects to and disconnects from WiFi. This allows us to run tailscale up when we have an internet connection, and tailscale down when we lose the connection. To start, I defined the udev rules in a file named 98-tailscale.rules in /etc/udev/rules.d Code:
KERNEL=="loop0", RUN+="/usr/local/dstaley/boot.sh" KERNEL=="wlan*", ACTION=="add", RUN+="/usr/local/dstaley/on-wlan-up.sh" KERNEL=="wlan*", ACTION=="remove", RUN+="/usr/local/dstaley/on-wlan-down.sh" The script for starting tailscaled is straightforward. The catch, though (and with Kobo there's always a catch), is that the OS will normally kill long-running tasks spawned by udev. To circumvent that, I used a combination of renice and setsid to ensure that tailscaled isn't killed off. The boot.sh script contains the following: Code:
#!/bin/sh # Start by renicing ourselves to a neutral value, to avoid any mishap... renice 0 -p $$ # Launch in the background, with a clean env, after a setsid call to make very very sure udev won't kill us ;). env -i -- setsid /usr/local/dstaley/on-boot.sh & # Done :) exit 0 Code:
#!/bin/sh # make absolutely sure that iptables is in the PATH export PATH=/usr/sbin:$PATH case "$(pidof tailscaled | wc -w)" in 0) tailscaled --state=/tailscaled.state & ;; esac exit 0 After placing these files in their new homes and rebooting, I can now access my Kobo Sage via my Tailscale network! This also means that I can access other devices on my network, which will come in handy in the future when I want to do things like backup my notebooks to my NAS at home. |
11-16-2021, 04:51 AM | #2 |
Guru
Posts: 657
Karma: 4568205
Join Date: Jan 2010
Location: Sweden
Device: Kobo Forma
|
Maybe it's obvious to your readers, but I would have liked an one sentence description of what Tailscale is in the beginning.
Also, mention something if this is for Sage only, or for any Kobo ereader. (That all Kobos are running the same firmware seems to be missed by most non-Kobo users (albeit with different hardware so there may be differences when doing something like this).) |
11-16-2021, 06:02 AM | #3 |
Guru
Posts: 856
Karma: 2676800
Join Date: Aug 2008
Location: Taranaki - NZ
Device: Kobo Aura H2O, Kobo Forma
|
Note, installing large binaries to the rootfs probably isn't a good idea. With the latest firmware versions, space is getting pretty tight on some devices. Tailscale looks to be pretty hefty.
Probably best to save the binaries to /mnt/onboard and symlink if necessary. |
11-16-2021, 11:51 AM | #4 |
Connoisseur
Posts: 92
Karma: 10
Join Date: Apr 2016
Device: Kobo Forma
|
Why would I need that on a ereader?
|
11-16-2021, 07:59 PM | #5 |
Evangelist
Posts: 496
Karma: 356531
Join Date: Jul 2016
Location: 'burta, Canada
Device: Kobo Glo HD
|
Thanks for this. I'll probably just use the iptables part for myself since I think that all internet enabled devices should at least have a basic firewall and the only inbound port I need open (sometimes) is for ssh.
|
11-17-2021, 12:01 AM | #6 |
Grand Sorcerer
Posts: 24,907
Karma: 47303748
Join Date: Jul 2011
Location: Sydney, Australia
Device: Kobo:Touch,Glo, AuraH2O, GloHD,AuraONE, ClaraHD, Libra H2O; tolinoepos
|
What ports are actually open? Or have something listening on them. If you enable developers mode, it will enable telnet. I'm not sure if it enables anything else. I haven't checked. But, if anything can get to a spot that can attack my ereaders, I think they will be at the bottom of their list of things to do.
|
11-18-2021, 12:05 PM | #7 | |
Evangelist
Posts: 496
Karma: 356531
Join Date: Jul 2016
Location: 'burta, Canada
Device: Kobo Glo HD
|
Quote:
This is just my opinion, but I feel that the whole "what's the worse that can happen?" and "why would anyone want to attack my device?" and such is such a 1990's mindset to IT security and a big contributing factor as to why IoT security in general is such garbage right now. A firewall that drops or rejects all unexpected inbound traffic by default is one of those simple things that can be easily implemented, and if netfilter support is already baked into the kernel for free, why not use it? If they were really concerned about disk space, they should have stripped it out of the kernel config. Anyway, not looking to get into a debate. That's just how I feel and I do have the expertise to implement this, so I think I will. If it eats up too much RAM though, I might reconsider, but there's only one way to find out. |
|
12-30-2021, 02:51 PM | #9 |
Junior Member
Posts: 1
Karma: 10
Join Date: Dec 2021
Device: Kobo Aura ONE
|
Not OP but in my case, it's so I can connect to a calibre instance or other services remotely. That allows me to download books to my reader without needing to connect it to my computer, without needing to open my services up to the public Internet.
|
09-12-2022, 02:15 AM | #10 |
Enthusiast
Posts: 26
Karma: 10
Join Date: Aug 2022
Device: Kobo Clara 2E
|
Thanks for this article! Was looking specifically for this.
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Thinking of buying a Kobo Aura H20 Edition 2 ... looking for insight from Kobo owners | FulciLives | Which one should I buy? | 27 | 05-05-2019 11:05 PM |
Kobo Touch N905C lukt niet om met Kobo account in te loggen | LotusElise | Kobo Reader | 2 | 11-05-2018 06:30 AM |
Kobo H2O Question - [Post moved out of a thread and forum unrelated to Kobo] | Millie1366 | Kobo Reader | 10 | 03-20-2016 12:35 PM |
New Kobo User becomes burned EX-Kobo user aka KOBO is horrible | tvuongpham | Kobo Reader | 140 | 09-18-2015 08:42 AM |
Changing fonts issue on Kobo Aura HD/Kobo Glo [PROBLEM SOLVED] | Dr. Drib | Kobo Reader | 19 | 05-13-2014 04:35 PM |