Old 11-15-2021, 08:52 PM   #1
dstaley
Tailscale for Kobo

This article is planned to be published on my blog, but I'm sharing it here a bit early to solicit feedback. Enjoy, and if you have any questions please let me know.

Last month, Rakuten finally released a reasonably-sized Kobo with USB C, the Kobo Sage. One of the most fascinating things about the Kobo eReaders (compared to the Kindle eReaders) is that they run a user-modifiable version of Linux, meaning you're free to do all sorts of weird and wild things with them.

So I decided to put Tailscale on my Kobo Sage.

Tailscale is distributed as statically-compiled binaries (thanks Go!), so getting Tailscale downloaded and running on Kobo Sage was as easy as downloading the binaries, copying them into a $PATH friendly folder, and running tailscaled.

Code:
wget https://pkgs.tailscale.com/stable/tailscale_1.16.2_arm.tgz
tar -xzf tailscale_1.16.2_arm.tgz
mv tailscale_1.16.2_arm/tailscaled /usr/bin
mv tailscale_1.16.2_arm/tailscale /usr/bin
rm -rf tailscale_1.16.2_arm
tailscaled

However, if you do this, you'll be greeted with this:

Code:
wgengine.NewUserspaceEngine(tun "tailscale0") error: exec: "iptables": executable file not found in $PATH
wgengine.New: exec: "iptables": executable file not found in $PATH

While the Linux 4.9 kernel used by Kobo Sage supports iptables, the actual binary is nowhere to be found on the device. Thankfully, acquiring a suitable binary isn't too terribly difficult.

Getting iptables

Unfortunately, there are no officially distributed pre-compiled binaries of iptables. So, we can either compile from source (either on a 32-bit ARM device or via cross-compilation), or we can yank the binary out of an image of a 32-bit ARM Linux distro. We need a distro that's old enough to be using a glibc version less than 2.19, so the best choice I came up with was the July 5, 2017 release of Raspbian, the last to be based on Debian 8 (codename jessie).

Using 7zip for Windows, I extracted the following files from the disk image:

- /sbin/xtables-multi
- /lib/libip4tc.so.0.1.0
- /lib/libip6tc.so.0.1.0
- /lib/libxtables.so.10.0.0

Note: You can also extract these files on Linux, but it's a bit more complicated.

Now that we had a binary, it was time to put it on the device.

Installing iptables

Out of the box, Kobo Sage doesn't support ssh, but it does support telnet after enabling dev mode. Since I couldn't use scp to copy files to the device, I ran a web server on my computer, and downloaded the files with wget:

Code:
wget http://callisto.localdomain:8000/xtables-multi
wget http://callisto.localdomain:8000/libip4tc.so.0.1.0
wget http://callisto.localdomain:8000/libip6tc.so.0.1.0
wget http://callisto.localdomain:8000/libxtables.so.10.0.0

Once I had the files, I was able to move them into the appropriate locations:

Code:
mv xtables-multi /sbin
mv libip4tc.so.0.1.0 /lib
mv libip6tc.so.0.1.0 /lib
mv libxtables.so.10.0.0 /lib
# wget does not set the executable bit on downloaded files
chmod 755 /sbin/xtables-multi

Since we need iptables in $PATH, I created a symlink in /sbin:

Code:
cd /sbin
ln -s xtables-multi iptables

We also need symlinks for the libraries, so I ran the following in /lib:

Code:
ln -s libxtables.so.10.0.0 libxtables.so.10
ln -s libip4tc.so.0.1.0 libip4tc.so.0
ln -s libip6tc.so.0.1.0 libip6tc.so.0
chmod 755 libxtables.so.10.0.0
chmod 755 libip4tc.so.0
chmod 755 libip6tc.so.0

Once I had the binary and libraries in the right spots, I was able to confirm that iptables worked:

Code:
iptables --version

Testing Tailscale

With the iptables binary working, confirming Tailscale works was the next step. By default tailscaled stores some state in /var/lib, which the Kobo doesn't like. So, for the purposes of testing, I just manually told tailscaled to store its state in a file at the root directory.

Code:
tailscaled --state=tailscaled.state

In another telnet session, I was able to bring Tailscale up with

Code:
tailscale up

After authenticating, the final step was to open a Tailscale-only URL in the Kobo's experimental web browser to confirm that I was, indeed, connected to my Tailscale network!


Staying Connected to Tailscale

Getting Tailscale up and running wasn't as smooth as on a typical Linux device, but staying connected to Tailscale is an even trickier thing to do. Kobo Sage doesn't have systemd, so we can't use the included service definition provided by Tailscale. To further complicate matters, if we try to hook into the lower levels of the OS and make a mistake, we can end up with a bricked device that's unable to be recovered. Thankfully, there's been a ton of exploration in this area by other developers (shoutout to the Kobo Developer's Corner on the MobileRead Forums), and the generally agreed upon way of running things at boot is by using the udev system. This allows us not only to hook into a startup event, but also into events that are triggered when Kobo Sage connects to and disconnects from WiFi. This allows us to run tailscale up when we have an internet connection, and tailscale down when we lose the connection.

To start, I defined the udev rules in a file named 98-tailscale.rules in /etc/udev/rules.d

Code:
KERNEL=="loop0", RUN+="/usr/local/dstaley/boot.sh"
KERNEL=="wlan*", ACTION=="add", RUN+="/usr/local/dstaley/on-wlan-up.sh"
KERNEL=="wlan*", ACTION=="remove", RUN+="/usr/local/dstaley/on-wlan-down.sh"

The KERNEL=="loop0" rule runs roughly at boot, so that's where I start tailscaled. The next two rules are for when the WiFi is brought up and torn down respectively.

The script for starting tailscaled is straightforward. The catch, though (and with Kobo there's always a catch), is that the OS will normally kill long-running tasks spawned by udev. To circumvent that, I used a combination of renice and setsid to ensure that tailscaled isn't killed off.

The boot.sh script contains the following:

Code:
#!/bin/sh

# Start by renicing ourselves to a neutral value, to avoid any mishap...
renice 0 -p $$

# Launch in the background, with a clean env, after a setsid call to make very very sure udev won't kill us ;).
env -i -- setsid /usr/local/dstaley/on-boot.sh &

# Done :)
exit 0

This script runs on-boot.sh in the background. That script contains:

Code:
#!/bin/sh

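# make absolutely sure that iptables (/sbin) and tailscaled (/usr/bin) are in the PATH;
# boot.sh launches this script with an empty environment (env -i)
export PATH=/sbin:/usr/sbin:/bin:/usr/bin${PATH:+:$PATH}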

case "$(pidof tailscaled | wc -w)" in
0) tailscaled --state=/tailscaled.state &
   ;;
esac
exit 0

Since we're not starting a long running process on connecting and disconnecting to WiFi, the scripts on-wlan-up.sh and on-wlan-down.sh only contain a single command: tailscale up and tailscale down respectively.

After placing these files in their new homes and rebooting, I can now access my Kobo Sage via my Tailscale network! This also means that I can access other devices on my network, which will come in handy in the future when I want to do things like backup my notebooks to my NAS at home.
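
The post above fetches binaries over plain HTTP and installs them as root into /sbin and /lib without an integrity check. As an added example (not part of the original post), one way to verify the set first, assuming `sha256sum` is available on the device and a `SHA256SUMS` manifest was written on the machine where the files were extracted; the function names are hypothetical:

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# verify_manifest DIR MANIFEST
# MANIFEST holds "sha256  filename" lines written by `sha256sum` on the machine
# where the files were extracted. Returns 0 only if every file is present and matches.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while read -r want name; do
        [ -n "$want" ] || continue          # skip blank lines
        name=${name#\*}                     # tolerate sha256sum's binary-mode marker
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name" >&2; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# install_verified DIR MANIFEST DEST
# Copies files into DEST only when the whole set verifies, so one bad download
# never leaves a half-installed mix of binaries and libraries.
install_verified() {
    verify_manifest "$1" "$2" || return 1
    while read -r want name; do
        [ -n "$name" ] || continue
        cp "$1/${name#\*}" "$3/" || return 1
    done < "$2"
}

# Constructed demo with stand-in files (not the real Raspbian binaries):
# a clean set installs, a file altered after the manifest was written does not.
demo() {
    work=$(mktemp -d) && mkdir "$work/stage" "$work/dest" || return 2
    printf 'stand-in for xtables-multi\n' > "$work/stage/xtables-multi"
    printf 'stand-in for libxtables\n' > "$work/stage/libxtables.so.10.0.0"
    (cd "$work/stage" && sha256sum xtables-multi libxtables.so.10.0.0) > "$work/SHA256SUMS"
    install_verified "$work/stage" "$work/SHA256SUMS" "$work/dest" || return 3
    printf 'altered in transit\n' >> "$work/stage/xtables-multi"
    if install_verified "$work/stage" "$work/SHA256SUMS" "$work/dest" 2>/dev/null; then
        return 4
    fi
    rm -rf "$work"
}
```

The manifest has to reach the device over a channel other than the HTTP server that serves the files, for example by typing or pasting it into the telnet session.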
Old 11-16-2021, 04:51 AM   #2
patrik
Maybe it's obvious to your readers, but I would have liked a one-sentence description of what Tailscale is in the beginning.

Also, mention something if this is for Sage only, or for any Kobo ereader. (That all Kobos are running the same firmware seems to be missed by most non-Kobo users (albeit with different hardware so there may be differences when doing something like this).)
Old 11-16-2021, 06:02 AM   #3
sherman
Note, installing large binaries to the rootfs probably isn't a good idea. With the latest firmware versions, space is getting pretty tight on some devices. Tailscale looks to be pretty hefty.

Probably best to save the binaries to /mnt/onboard and symlink if necessary.
Old 11-16-2021, 11:51 AM   #4
mzel
Why would I need that on an ereader?
Old 11-16-2021, 07:59 PM   #5
rtiangha
Thanks for this. I'll probably just use the iptables part for myself since I think that all internet enabled devices should at least have a basic firewall and the only inbound port I need open (sometimes) is for ssh.
Old 11-17-2021, 12:01 AM   #6
davidfor
Quote:
Originally Posted by rtiangha
Thanks for this. I'll probably just use the iptables part for myself since I think that all internet enabled devices should at least have a basic firewall and the only inbound port I need open (sometimes) is for ssh.

What ports are actually open? Or have something listening on them. If you enable developers mode, it will enable telnet. I'm not sure if it enables anything else. I haven't checked. But, if anything can get to a spot that can attack my ereaders, I think they will be at the bottom of their list of things to do.
Old 11-18-2021, 12:05 PM   #7
rtiangha
Quote:
Originally Posted by davidfor
What ports are actually open? Or have something listening on them. If you enable developers mode, it will enable telnet. I'm not sure if it enables anything else. I haven't checked. But, if anything can get to a spot that can attack my ereaders, I think they will be at the bottom of their list of things to do.

No idea; I've never run a port scan and keep forgetting to. I used to have dev mode on to get invert screen mode working before NickelMenu existed, but I always felt uncomfortable having Telnet on by default too, especially since it allowed for root access. Not a big deal now, but it's a personal preference because even if I'm only on networks that I control, I can't guarantee that every device on there hasn't been compromised.

This is just my opinion, but I feel that the whole "what's the worst that can happen?" and "why would anyone want to attack my device?" and such is such a 1990s mindset to IT security and a big contributing factor as to why IoT security in general is such garbage right now. A firewall that drops or rejects all unexpected inbound traffic by default is one of those simple things that can be easily implemented, and if netfilter support is already baked into the kernel for free, why not use it? If they were really concerned about disk space, they should have stripped it out of the kernel config.

Anyway, not looking to get into a debate. That's just how I feel and I do have the expertise to implement this, so I think I will. If it eats up too much RAM though, I might reconsider, but there's only one way to find out.
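
A default-drop inbound policy of the kind described in the post above, with SSH as the only port that can optionally be opened. This is an added example, not code from any poster in the thread; it assumes the iptables binary installed earlier in the thread and that the conntrack match is usable on the device (kernel support plus the matching iptables extension), and `fw_rules`, `fw_apply` and the `IPTABLES` override are hypothetical names:

```shell
#!/bin/sh
# Added example, not from the thread. fw_rules, fw_apply and the IPTABLES
# override are hypothetical names.

# fw_rules [SSH_PORT]
# Prints one iptables argument list per line. Accept rules come first and the
# DROP policy last, so loopback and reply traffic are never dropped in between.
fw_rules() {
    ssh_port=${1:-}
    case $ssh_port in
        *[!0-9]*) echo "bad port: $ssh_port" >&2; return 1 ;;
    esac
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$ssh_port" ]; then
        printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    fi
    printf '%s\n' "-P INPUT DROP"
}

# fw_apply [SSH_PORT]
# Builds the whole list before touching the firewall, then stops at the first
# rule iptables rejects. Because the DROP policy is last, a rejected accept
# rule leaves the device open rather than unreachable.
# Set IPTABLES=echo for a dry run.
fw_apply() {
    rules=$(fw_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r args; do
        # Unquoted on purpose: each line is a fixed, space-separated argument list.
        ${IPTABLES:-iptables} $args || exit 1
    done
}
```

These rules cover IPv4 only (ip6tables needs its own policy) and are appended, so apply them once per boot to a clean INPUT chain.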
Old 11-23-2021, 02:01 PM   #8
dstaley
I want to thank everyone who provided feedback on the draft of this blog post! It's now published with the changes y'all suggested.
Old 12-30-2021, 02:51 PM   #9
c10l
Quote:
Originally Posted by mzel
Why would I need that on an ereader?

Not OP but in my case, it's so I can connect to a calibre instance or other services remotely. That allows me to download books to my reader without needing to connect it to my computer, without needing to open my services up to the public Internet.
Old 09-12-2022, 02:15 AM   #10
jaceygan
Thanks for this article! Was looking specifically for this.