Turris mobile app - Android

So, here is the netstat output after 2 days of router operation with the app installed and paired

# netstat -ntp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
tcp        0      0 192.168.155.254:80      192.168.155.XXX:49362   ESTABLISHED 6513/lighttpd   
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:45902 ESTABLISHED 2055/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:34143 ESTABLISHED 13961/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:51347 ESTABLISHED 4877/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:52184 ESTABLISHED 11894/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:33792 ESTABLISHED 31623/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:37722 ESTABLISHED 11190/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:46924 ESTABLISHED 28306/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:54064 ESTABLISHED 11163/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:48483 ESTABLISHED 19184/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:36525 ESTABLISHED 32243/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:60205 ESTABLISHED 12510/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:60344 ESTABLISHED 32594/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:39038 ESTABLISHED 31286/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:58860 ESTABLISHED 14722/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:55859 ESTABLISHED 26787/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:40181 ESTABLISHED 17905/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:54555 ESTABLISHED 25694/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:55572 ESTABLISHED 9104/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:42745 ESTABLISHED 458/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:43121 ESTABLISHED 7156/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:56132 ESTABLISHED 17008/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:56803 ESTABLISHED 12312/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:38162 ESTABLISHED 9400/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:43038 ESTABLISHED 13012/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:34820 ESTABLISHED 23762/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:37985 ESTABLISHED 32009/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:60943 ESTABLISHED 8456/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:54305 ESTABLISHED 21366/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:37793 ESTABLISHED 16909/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:46025 ESTABLISHED 17068/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:52021 ESTABLISHED 20151/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:59866 ESTABLISHED 30568/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:42868 ESTABLISHED 4984/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:44193 ESTABLISHED 7279/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:36480 ESTABLISHED 15673/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:41350 ESTABLISHED 3662/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:39029 ESTABLISHED 2715/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:40324 ESTABLISHED 14543/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:42234 ESTABLISHED 8938/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:37079 ESTABLISHED 3024/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:39463 ESTABLISHED 27275/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:60826 ESTABLISHED 8086/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:47757 ESTABLISHED 21416/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:49121 ESTABLISHED 9265/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:48641 ESTABLISHED 25860/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:33026 ESTABLISHED 22347/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:37437 ESTABLISHED 30730/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:45081 ESTABLISHED 8229/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:58080 ESTABLISHED 9913/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:59262 ESTABLISHED 8148/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:43977 ESTABLISHED 3687/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:54676 ESTABLISHED 19454/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:43233 ESTABLISHED 28296/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:35101 ESTABLISHED 10367/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:38674 ESTABLISHED 13561/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:44949 ESTABLISHED 23616/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:58771 ESTABLISHED 1602/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:41316 ESTABLISHED 32407/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:56853 ESTABLISHED 20459/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:39607 ESTABLISHED 10374/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:33241 ESTABLISHED 24619/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:33530 ESTABLISHED 388/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:57839 ESTABLISHED 11465/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:32834 ESTABLISHED 1768/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:48131 ESTABLISHED 18313/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:53386 ESTABLISHED 25946/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:48170 ESTABLISHED 10275/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:48749 ESTABLISHED 844/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:39722 ESTABLISHED 23449/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:52297 ESTABLISHED 12548/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:55938 ESTABLISHED 10095/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:41604 ESTABLISHED 20230/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:52019 ESTABLISHED 19255/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:58258 ESTABLISHED 5981/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:56266 ESTABLISHED 21221/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:39085 ESTABLISHED 30736/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:42906 ESTABLISHED 15812/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:54736 ESTABLISHED 29324/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:47430 ESTABLISHED 6140/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:42776 ESTABLISHED 11277/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:37961 ESTABLISHED 22682/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:36378 ESTABLISHED 29443/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:45586 ESTABLISHED 32166/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:50832 ESTABLISHED 2703/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:42684 ESTABLISHED 25600/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:46482 ESTABLISHED 5585/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:54729 ESTABLISHED 9192/socat
tcp        0      0 ::ffff:192.168.155.254:6513 ::ffff:192.168.155.10:59456 ESTABLISHED 2010/socat

EDIT: I also find the style of this output odd, as if it were IPv6, because the first line at the top has a normal IPv4 address

and this keeps hanging in the process list over and over:
31286 root socat OPENSSL-LISTEN:6513,fork,method=TLS1.2,cert=/usr/share/nuci/tls/ca/nuci.cert,key= /usr/share/nuci/tls/ca/nuci.key,cafile=/usr/share/nuci/tls/ca/ca.cert,dhparam=/usr/share/nuci/tls/ca/dhparam.pem,reuseaddr,forever,pf=ip6,ipv6only=0 EXEC:/usr/bin/nuci

So I'm in the same situation on the Omnia: for the phone's IP (Nexus 4, Android 7.1.1) there are lots of connections and many unterminated processes. For the tablet's IP (Lenovo s8-50f, Android 5.0.1) nothing is left behind.

Which service on the Turris side is supposed to listen on port 6513?
When I try to connect from the mobile app, all I get is the "Connecting…" animation (tried on both the Turris 1.0 HW and the Omnia), and according to netstat -tpln nothing is listening on port 6513, so I'm looking for where to start debugging.

root@turris:~# netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      376/lighttpd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      6480/smbd
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN      6444/minidlna
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      6480/smbd
tcp        0      0 0.0.0.0:58732           0.0.0.0:*               LISTEN      22185/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      376/lighttpd
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      31232/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      30329/unbound
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5716/sshd
tcp        0      0 :::443                  :::*                    LISTEN      376/lighttpd
tcp        0      0 :::445                  :::*                    LISTEN      6480/smbd
tcp        0      0 :::9449                 :::*                    LISTEN      5905/ucollect
tcp        0      0 :::1449                 :::*                    LISTEN      5905/ucollect
tcp        0      0 :::139                  :::*                    LISTEN      6480/smbd
tcp        0      0 :::3692                 :::*                    LISTEN      5905/ucollect
tcp        0      0 :::80                   :::*                    LISTEN      376/lighttpd
tcp        0      0 :::1392                 :::*                    LISTEN      5905/ucollect
tcp        0      0 :::6513                 :::*                    LISTEN      323/socat
tcp        0      0 :::4497                 :::*                    LISTEN      5905/ucollect
tcp        0      0 :::9492                 :::*                    LISTEN      5905/ucollect
tcp        0      0 :::53                   :::*                    LISTEN      30329/unbound
tcp        0      0 :::22                   :::*                    LISTEN      5716/sshd

Thanks for the output; now I'll have to find out what exactly starts that particular socat process (some socat is running on my system, but apparently it is a general-purpose tool used in several places, and judging by its parameters mine only connects to api.turris.cz, which won't be the right instance).
Could I also ask for the output of pstree -apl (if you have it installed), or of ps | grep socat?
Thanks!

No problem… here is the longer one…
and here:

root@turris:~# ps | grep socat
  323 root      3696 S    socat OPENSSL-LISTEN:6513,fork,method=TLS1.2,cert=/u
 2616 root      1536 S    grep socat
 7422 root      3776 S    socat STDIO OPENSSL:api.turris.cz:5679,cafile=/etc/s

It's from a Turris 1.0 with version 3.6…

Thanks… so I'm slowly getting to the core of the problem…
/var/log/messages after restarting /etc/init.d/nuci-tls

2017-03-16T12:20:41+01:00 info nuci[]: Generating CA: lock acquired (pid 17606)
2017-03-16T12:20:41+01:00 info nuci[]: TLS CA ready
2017-03-16T12:20:41+01:00 info nuci[]: Generating CA: lock released
2017-03-16T12:20:46+01:00 info nuci[]: Generating CA: lock acquired (pid 17615)
2017-03-16T12:20:46+01:00 info nuci[]: TLS CA ready
2017-03-16T12:20:46+01:00 info nuci[]: Generating CA: lock released
2017-03-16T12:20:51+01:00 info nuci[]: Generating CA: lock acquired (pid 17632)
2017-03-16T12:20:51+01:00 info nuci[]: TLS CA ready
2017-03-16T12:20:51+01:00 info nuci[]: Generating CA: lock released
2017-03-16T12:20:56+01:00 info nuci[]: Generating CA: lock acquired (pid 17641)
2017-03-16T12:20:56+01:00 info nuci[]: TLS CA ready
2017-03-16T12:20:56+01:00 info nuci[]: Generating CA: lock released
2017-03-16T12:21:01+01:00 info nuci[]: Generating CA: lock acquired (pid 17655)
2017-03-16T12:21:01+01:00 info nuci[]: TLS CA ready
2017-03-16T12:21:01+01:00 info nuci[]: Generating CA: lock released
2017-03-16T12:21:06+01:00 info nuci[]: Generating CA: lock acquired (pid 17672)
2017-03-16T12:21:06+01:00 info nuci[]: TLS CA ready
2017-03-16T12:21:06+01:00 info nuci[]: Generating CA: lock released
2017-03-16T12:21:06+01:00 info procd[]: Instance nuci-tls::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

So it looks like the problem is in the file /usr/share/nuci/tls/new_ca, around line 110, where the address of the br-lan interface is obtained, but I have no such interface (I have lan and wlan split into separate networks), and the fallback with echo 'Turris' for some reason doesn't seem to work as it should…

                 ( ip addr show dev br-lan | grep 'inet ' | sed -e 's/.*inet \([^\/]*\).*/\1/' || echo 'Turris' ) | openssl req -new -newkey rsa:4096 -keyout nuci.key -nodes -out nuci.csr -config ../openssl.cnf

In my case I changed br-lan to br-wlan and it worked.
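
Why the `|| echo 'Turris'` fallback in the line quoted above never fires, shown as an added example (not part of the original post and not Turris code): without `pipefail`, a pipeline's exit status is that of its last command, and `sed` exits 0 on empty input. The `fake_ip_*` and `cn_*` functions are hypothetical stand-ins so the script runs without a real interface.

```shell
#!/bin/sh
# Constructed stand-in for `ip addr show dev br-lan` on a router that has
# no br-lan interface: nothing on stdout, error on stderr, non-zero exit.
fake_ip_missing() {
    echo 'Device "br-lan" does not exist.' >&2
    return 1
}

# Constructed stand-in for a router where the interface exists.
fake_ip_present() {
    echo '    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan'
}

# Same shape as the quoted line: ( ip | grep | sed || echo 'Turris' ).
# The `||` only looks at the status of the whole pipeline, which is sed's.
# sed succeeds on empty input, so the fallback is skipped and the subshell
# prints nothing; whatever reads this output gets an empty name.
cn_original() {
    ( "$1" 2>/dev/null | grep 'inet ' \
        | sed -e 's/.*inet \([^\/]*\).*/\1/' || echo 'Turris' )
}

# Variant that decides on the captured output instead of the exit status:
# an empty result falls back to the default name.
cn_fixed() {
    addr=$("$1" 2>/dev/null \
        | sed -n 's/.*inet \([^\/ ]*\).*/\1/p' | head -n 1)
    echo "${addr:-Turris}"
}

printf 'original, interface missing: [%s]\n' "$(cn_original fake_ip_missing)"
printf 'fixed,    interface missing: [%s]\n' "$(cn_fixed fake_ip_missing)"
printf 'fixed,    interface present: [%s]\n' "$(cn_fixed fake_ip_present)"
```
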

Hello, when I try to pair, the app says token not found. When I dissected the QR code, it contains the address turris://192.168.1.1:81/get-token/xxx?scheme=http&hostname=turris&board_name=rtrs02, from which I downloaded the certificate in the browser without any problem (without the turris:// part, of course).

Any ideas? Turris 1.1

So, solved: I slipped it the key through my own web server. Apparently it can't find it when I have the Turris on port 81; it was looking on port 80, where my nginx runs.

I would appreciate being able to log in to the Turris through the app from outside as well. What use is the info to me inside the house where I am? I need the statistics when I'm away.

And what exactly prevents you from using, say, OpenVPN?

Why should I have to use a VPN in addition to the app, when it would be enough to allow entering the router's IP address or DNS name in the app??? I allow a port on the firewall and I'm up and running. I can't wrap my head around this.

Of course, if the app allowed it.

From my point of view:

  • it is a completely unnecessary hole into the network

  • I would rather have updates that don't break X things for me each time than this functionality

5 Likes

Yes, it is a hole into the network, and we don't want a hole. Doing it without a hole and also to the outside means reprogramming a part of the backend, which we are working on for many reasons.

We test every update, but it will never be possible to guarantee that it won't break something you added to the router yourself. We are expanding the set of automated tests and will expand the set of information we provide with a release, so that you can judge for yourself, in time, whether an update conflicts with something. We do, of course, apologize for the problems.

1 Like

It probably isn't a problem, but it is still a 'beta', so you can't expect it to do everything right from the start and to the satisfaction of all users. And OpenVPN is precisely a fairly universal solution for access to all services. Especially now that it can be set up in Foris in a few clicks.

Another person wondering what processes keep multiplying on his Omnia (Turris) :confused:

So I finally managed to pair the Turris with the phone. The problem was that, to access the Turris interface, I used the hostname "turris", which I have set only in /etc/hosts on my computer. The QR code then contained the address "turris://turris…", which the phone was unable to connect to, because it doesn't know that turris is 192.168.1.1.

So I connected via the IP address and generated a new token; the QR code now contained the IP address, which the phone knew how to handle, and it finally connected to the Turris.

It would probably be good to always put the IP address in the QR code.

BTW: on the "O Aplikaci" (About the app) tab there is a typo -> "vyvýjena". I wanted to report it on GitLab, but the listed URL for the sources doesn't work. So hopefully it's fine to report it this way.

I don't know if I've overlooked something, but it seems to me that, apart from a few approximated graphs, the mobile app can do practically nothing? Or is it just not displaying for me?