{"id":1868,"date":"2018-02-10T15:49:40","date_gmt":"2018-02-10T13:49:40","guid":{"rendered":"https:\/\/einstein.amsterdam\/?page_id=1868"},"modified":"2018-02-14T19:07:29","modified_gmt":"2018-02-14T17:07:29","slug":"toon-mods","status":"publish","type":"page","link":"https:\/\/einstein.amsterdam\/?page_id=1868","title":{"rendered":"Toon mods"},"content":{"rendered":"<p>###########################################################################<br \/>\nHardening toon (complete exclusion of Eneco, for non-Eneco users only)<br \/>\n###########################################################################<\/p>\n<p>Requirements:<\/p>\n<p>1: toon with dropbear installed<br \/>\n2: connection with private network (no WAN)<\/p>\n<p>When toon is set up completely, in the tab \u201cInternet\u201d toon states that it is<br \/>\nconnected to the service center. The service center consists of a<br \/>\nbunch of websites and other services, accessed through a VPN tunnel,<br \/>\nmanaged by Quby, under the flag of Eneco. Each toon connects to the<br \/>\nservice center through an OpenVPN tunnel, with TLS security<br \/>\nenhancement. Even if you do not have an Eneco account, toon will send<br \/>\ndata to Eneco on a regular basis. According to Eneco, no energy usage<br \/>\n(gas and electricity) data are uploaded \u2013which is true\u2013 but boiler<br \/>\nsettings are transmitted every hour. No idea why, by the way. Besides<br \/>\nthe OpenVPN connection mentioned earlier, toon also phones home<br \/>\nwith ping and the chrony daemon.<\/p>\n<p>##### Disabling OpenVPN: #####<\/p>\n<p>The OpenVPN connection is disabled by simply not starting OpenVPN,<br \/>\nthrough commenting out the openvpn line in \/etc\/inittab:<\/p>\n<p>#ovpn:2345:respawn:\/usr\/sbin\/openvpn --config \/etc\/openvpn\/vpn.conf --verb 0 >\/dev\/null 2>&#038;1<\/p>\n<p>This shuts off openvpn effectively. In the internet tab you will now<br \/>\nget the message \u201cConnected to the internet\u201d or something along these<br \/>\nlines. You will also get a warning message that internet has not been<br \/>\nset up correctly or setup has not yet been completed. You can safely<br \/>\nignore these warnings.<\/p>\n<p>After toon has been rebooted (don\u2019t do that yet!), if you have a toon<br \/>\nwith qt-gui, you can suppress the warnings issued by toon, about not<br \/>\nbeing able to reach the service center, as follows (thank you, al_n!):<\/p>\n<p>Locate the file<br \/>\n\/HCBv2\/qml\/apps\/internetSettings\/InternetSettingsApp.qml, and look for<br \/>\nthe following code (line 365 or thereabouts):<\/p>\n<p>onNotificationReceived : {<br \/>\nvar statemachine = message.getArgument(\"statemachine\");<br \/>\nif (statemachine) {<br \/>\nvar prevSmStatus = smStatus;<br \/>\nsmStatus = parseInt(statemachine);<br \/>\n\/\/ add the following two lines of code:<br \/>\n\/\/ added by al_n (20151220):<br \/>\nif(smStatus == _ST_INTERNET) {<br \/>\nsmStatus = _ST_TUNNEL;<br \/>\n}<br \/>\n\/\/<br \/>\n\/\/ continuation of original file:<br \/>\n\/\/ Trigger the internetStateChange signal, used by the internet settings overview screen<br \/>\ninternetStateChange(smStatus);<\/p>\n<p>\u2026. etc.<\/p>\n<p>This will interpret a working internet connection as a connection to<br \/>\nthe service center, and thus warnings are suppressed.<\/p>\n<p>##### Disabling the time service access to time.quby.nl: #####<\/p>\n<p>Toon keeps track of time through the chrony daemon. To set the clock<br \/>\nat startup, and to keep it synchronized with the rest of the world,<br \/>\ntoon uses the time server of quby: time.quby.nl. This server name is<br \/>\nset in \/etc\/chrony.conf.<br \/>\nLocate the following two lines in chrony.conf:<\/p>\n<p>server time.quby.nl minpoll 8<br \/>\nand<br \/>\ninitstepslew 30 time.quby.nl<\/p>\n<p>and replace the server name by another time server. I use<\/p>\n<p>wwv.nist.gov instead of time.quby.nl<\/p>\n<p>since it has the same (short) server name length (you never know if<br \/>\nand how the chrony code was hacked by quby), is accessed by many clients<br \/>\nacross the globe, and has proven to have a good level of stability<br \/>\nover many years of service.<\/p>\n<p>Note: the time protocol (tcp\/udp port 37) is something other than the<br \/>\nnetwork time protocol (ntp, udp port 123). You will need a time<br \/>\nserver, not an ntp-server.<\/p>\n<p>##### Disabling pinging quby.nl: #####<\/p>\n<p>Toon pings the quby ping server every so many seconds. This is done in<br \/>\n\/HCBv2\/sbin\/hcb_netcon. The ping server address is unfortunately<br \/>\nhard-coded in hcb_netcon, so to disable this, you will need to reroute<br \/>\nping requests to another machine. You can\u2019t switch it off easily.<\/p>\n<p>To reroute, edit the file \/etc\/hosts.template and add the line<\/p>\n<p>127.0.0.1 ping.quby.nl<\/p>\n<p>at the end of the file, and save it.<\/p>\n<p>Test whether your rerouting works by pinging quby:<\/p>\n<p>eneco-001-xxxxxx:\/# ping ping.quby.nl<br \/>\nPING ping.quby.nl (127.0.0.1): 56 data bytes<br \/>\n64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.108 ms<br \/>\n64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.738 ms<br \/>\n64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.658 ms<\/p>\n<p>This indicates that the ping requests for quby are redirected to<br \/>\nlocalhost (IP 127.0.0.1). Thanks, RDNZL, for pointing this out!<\/p>\n<p>Reboot toon for good measure. Now you can edit the<br \/>\nInternetSettingsApp.qml file, as explained above.<\/p>\n<p>All done. You have now severed all connections between toon and Eneco<br \/>\n(quby), and can safely connect it to your wireless network again.<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>########################################################################### Hardening toon (complete exclusion of Eneco, for non-Eneco users only) ########################################################################### Requirements: 1: toon with dropbear installed 2: connection with private network (no WAN) <a class=\"mh-excerpt-more\" href=\"https:\/\/einstein.amsterdam\/?page_id=1868\" title=\"Toon mods\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages\/1868"}],"collection":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1868"}],"version-history":[{"count":2,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages\/1868\/revisions"}],"predecessor-version":[{"id":1912,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages\/1868\/revisions\/1912"}],"wp:attachment":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}