Review: Turris Omnia, a FOSS wifi router, NAS and Server, based on a highly improved OpenWRT, with BTRFS! - SLRPNK
Update: I am returning my Omnia. 500€ for a 32bit router that uses such old hardware?? Realizing that the same company has the MOX, a modular router on 64bit ARM, still high specs, with a really cool puzzle-like system… this makes no sense? The MOX is pretty hidden, I thought it was a mobile router or something, but it is a competitor if not successor over the Omnia. You can configure your MOX here [https://mox-configurator.turris.cz], or just buy the parts you want. Ton of ethernet, mPCIe, USB, all modular. The MOX isn't even new, so I really wonder why they still advertise the Omnia so much. I mean, it is way more expensive, so that makes kind of sense… I will get the “MOX Classic Wifi6”, which is a bit overpowered, but costs less than half of the Omnia!

----

Picture of router mounted to a wall [https://slrpnk.net/pictrs/image/1736288d-ed15-45ca-9287-14b1e91d1ee3.jpeg]

I don't even know how to summarize that machine 😄 It is absolutely awesome.

Turris [https://www.turris.com] is a company by the Czech TLD registrar CZ.NIC [https://www.nic.cz/], which is run as a nonprofit and invests a ton in open source network software.

## The Origin

This talk summarizes it well: https://www.youtube.com/watch?v=cB5OG_V3aSE

They wanted to build a device to analyze hacking attacks on the people in Czechia. The device should be as close to the network as possible (i.e. a router) and have compelling and understandable hardware that could be upgraded over time. So… they made a router. Originally using PowerPC, now on ARMv7 (poorly only their mobile MOX already is on ARMv8).

## Where to get it

Originally they gave the devices away
for free, under the agreement that the users contributed the Sentinel analysis data. Then they opened an indiegogo campaign [https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router#/], which far exceeded their expected amount of funding. Afterwards they had their own webshop [shop.turris.com], which is now discontinued. Instead, these stores are available:

- Rubytech DE [https://www.rubytech.de/turris-router/] (The strangest signup method I ever had :) but all fine)
- Discomp CZ [https://www.discomp.cz/turris-omnia-wi-fi-6-silver_d116907.html?action=setcur&curid=14]
- Amazon [https://www.amazon.com/-/de/stores/Turris/page/4EB82124-A160-4117-9404-00DA2DF8FE26]

Note: they sent me an additional T-shirt, ethernet cable and tube scarf, which is… interesting, but could be considered waste. Tbh, I use the tube scarf daily :D Poorly they didn't add any stickers! Also, they don't have a good system to determine the recipient country, so I have an additional power supply cable for another country.

They also included a wall mount, with a set of perfectly fitting, longer screws. All screws have regular Phillips heads.

## Software

They took OpenWRT, but extended it a ton. As they have 8GB of storage and 2GB of RAM, they can do stuff way above the minimum hardware requirements of OpenWRT. They have a graphical package manager in the WebUI, and use BTRFS snapshots for atomic updates. Which is totally cool!

That was over 10 years ago and the first router they made is still supported with updates.

## Hardware

The data sheet can
be obtained here [https://secure.nic.cz/files/Turris-web/Omnia/Omnia_wifi6_datasheet_EN.pdf].

The “Omnia Wifi6” I got uses a bit outdated hardware, similar to my Thinkpad T430. The CPU is an ARMv7 “Marvell Armada 385”, so 32bit. It clocks at 1,6GHz and has 2 cores, which is pretty powerful for routers and optimized server software. It has 2GB of soldered DDR3 RAM, which is also plenty. The Power supply is a typical brick like for a Laptop, with a barrel plug and an exchangeable 2-pole cable to connect to the wall socket.

The current Omnia has 3 mini-PCIe Slots, 2 USB-3 ports and a ton of pins accessible from the inside.

Picture of a disassembled Omnia Router [https://slrpnk.net/pictrs/image/f0141886-6bc6-4146-aae1-3b5514311967.jpeg]

- The left one supports USB, and below you can plug in a SIM card and use a 3G/4G/5G card. With an additional package, this can be used to automatically fall back to cell network, when the regular connection fails.
- The middle one is just mini-PCIe
- The right one supports mSATA so with a simple adapter you can use SATA SSDs for near-native speed. (I want to do that, but it may need an additional power supply)

Article picture of a mSATA to SATA adapter [https://slrpnk.net/pictrs/image/4987f8ca-bcac-4844-b9e5-968661fc60da.webp]

And, of course, in the front it has fancy RGB LEDs. They are used as indicators for the running state, and for the action you do by pressing the “Reset” button.

In the back it has 4 ethernet sockets, 1 WAN ethernet socket to connect to the internet, one SFP socket for a fiber connection, a multi-purpose button and a power socket. The button in combo with the LEDs is used for various things like reboot, reset, update, update from local file, update from internet.

### Revision in the future

You see, ARMv7, DDR3, mPCIe is all pretty outdated tech. It is already hard to find replacement parts, and energy efficiency will also not be perfect. They plan to switch to m.2 slots and ARMv8 (already used in the portable Turris MOX), so you may want to wait for such a revised model.

## Setup
To set it up, connect it to power and with one of the LAN (not WAN) sockets to a Laptop, using ethernet. Right, before setup it doesn't open a wireless connection! This was confusing for me but really makes sense.

In the browser enter http://192.168.1.1 and a very nice graphical WebUI guides you through the setup. If you use it over Wifi, accept the self-signed TLS certificate in your browser, then HTTPS should work.

## Applications

It runs a highly extended variant of OpenWRT. There is a huge amount of software [https://docs.turris.cz/basics/apps/librespeed]. It varies from preinstalled to installable through packages, from Foris WebUI integrated to advanced, requiring the normal OpenWRT LuCI or requiring configuration through the terminal.

An incomplete and chaotic overview:

- file server: SMB, DLNA, encrypted storage, mdadm
- Transmission bittorrent client
- OpenVPN server & client
- Wireguard (advanced)
- Nextcloud, Syncthing (both have accessible login pages from the main WebUI)
- Tor
- Adblock
- Dynamic firewall
- haas: honeypot as a service (needs a public forwarded IPv4 address)
- Turris Sentinel: security data collection service, analyze incoming threats (the use they originally intended)
- Librespeed: lightweight network speed test
- support for LXC containers to run your favourite Linux distro
- schnapps to manipulate BTRFS snapshots
- LAN monitoring with PaKon and Morce

NOTE: the data collection service “Sentinel” is opt-in and disabled by default.

So you see, it supports everything one could want, without needing a VM or container. I would avoid using one, to keep up performance, even though this is totally possible.

## DNS

The DNS Server is not
set, I used nic.cz [http://nic.cz] with DNSSEC, other providers like Cloudflare and Quad9 are also available, just like manual setup. DNSSEC works with a single button press, without any issues!

## Configuration

The fancy “Foris” WebUI guides you through the initial setup. Advanced features are accessed via the regular LuCI OpenWRT WebUI, which is a bit more complex to use, but also fine. You also get full root ssh access!

Additionally, you can configure things with a config file, that you insert over a USB stick.

## Storage

You can plug in an
external drive (USB of course, but I want to try mSATA to SATA) and it formats it and moves all data on there. It sets up different RAID systems, I don't know if encryption is supported.

So, you have over 7 different ways to host a fileserver on there, up to a full instance of Nextcloud. This is crazy!

## Wifi Routing

You can open 2 Wifis (no idea how that works) and each can also have a separated Guest network.

Security:

- By default, WPA3 with WPA2 fallback is used. I changed it to WPA3-only, as WPA2 is vulnerable to attacks (see this video on how to sniff passwords with Kali Linux, which requires a custom kernel driver [https://www.youtube.com/watch?v=X49lIPHcurE])
- 2 Guest networks possible, I highly recommend to use those for everyone apart from Admins
- VLANs are also supported, and need to be enabled.
- Reminder: before first configuration, no Wifi is enabled. There is no initial password set.
- You can have different passwords for the admin WebUI and ssh.

The reach is great, but roughly equal to the modern Fritzbox we already have, which only has a single, hidden antenna. The time to connect to the Wifi is a bit longer than at the FritzBox.

## Community & Support

Their code is all hosted on the CZ.NIC Gitlab
[https://gitlab.nic.cz/turris]. The Turris team can be contacted via email and they respond pretty quickly. The same contact is used for repairs.

They have also had a Discourse Forum [forum.turris.cz] for a long time, where people can exchange bugs, issues, software and hardware mods, adapters etc.

## Other fun stuff

The founder of Turris has a Blog [https://michal.hrusecky.net/]
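
An added example, not part of the original post: the Wifi Routing section changes the default "WPA3 with WPA2 fallback" to WPA3-only, and this script lists every network in an OpenWrt-style wireless config and flags any that still accept WPA2. It assumes Turris OS keeps OpenWrt's UCI file format and `encryption` values (`sae`, `sae-mixed`, `psk2`) in `/etc/config/wireless`; the sample config and SSIDs are constructed.

```shell
#!/bin/sh
# Added example: flag Wi-Fi networks that are not WPA3-only (constructed sample).

sample_wireless_config() {
cat <<'EOF'
config wifi-device 'radio0'
	option band '5g'
config wifi-iface 'default_radio0'
	option ssid 'home'
	option encryption 'sae-mixed'
config wifi-iface 'guest_radio0'
	option ssid 'home guest'
	option encryption 'sae'
config wifi-iface 'legacy_radio1'
	option ssid 'old-iot'
	option encryption 'psk2'
EOF
}

# audit_wireless FILE: prints "ssid|encryption|verdict" per wifi-iface and
# returns 1 if any network is not WPA3-only (0 otherwise).
audit_wireless() {
	awk -v q="'" '
	function emit() {
		if (!iface) return
		if (enc == "sae") v = "wpa3-only"
		else if (enc ~ /^sae-mixed/) v = "wpa2-fallback"
		else if (enc ~ /^psk/) v = "wpa2-or-older"
		else if (enc == "" || enc == "none") { enc = "none"; v = "open" }
		else v = "review-manually"
		if (v != "wpa3-only") bad++
		print ssid "|" enc "|" v
	}
	$1 == "config" { emit(); iface = ($2 == "wifi-iface"); ssid = "?"; enc = ""; next }
	iface && $1 == "option" {
		val = $0
		sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)  # keep values with spaces
		gsub(q, "", val)                                   # drop UCI quoting
		if ($2 == "ssid") ssid = val
		if ($2 == "encryption") enc = val
	}
	END { emit(); exit (bad > 0) }
	' "$1"
}

# Stand-alone run: audit the file given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then f=$1; else f=$(mktemp); sample_wireless_config > "$f"; fi
audit_wireless "$f" || echo "at least one network is not WPA3-only"
```

The non-zero return value makes the function usable as a periodic check after updates or configuration restores, where a mixed-mode default could come back unnoticed.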
That seems a bit rough combining all those into one, can’t upgrade anything separately.
I’m not sure on the security/safety of combining your gateway and NAS either.
Having a router as a NAS is pretty standard.
But you are right, it may be less secure.