I don't even know how to summarize that machine 😄

It is absolutely awesome.

Turris is a company by the Czech TLD registrar CZ.NIC, which is run as a nonprofit and invests a ton in open source network software.

The Origin

This talk summarizes it well:

https://www.youtube.com/watch?v=cB5OG_V3aSE

They wanted to build a device to analyze hacking attacks on the people in Czechia.

The device should be as close to the network as possible (i.e. a router) and have compelling and understandable hardware that could be upgraded over time.

So… they made a router. Originally using PowerPC, now on ARMv7 (unfortunately, only their mobile MOX is already on ARMv8).

Where to get it

Originally they gave the devices away for free, under the agreement that the users contributed the Sentinel analysis data.

Then they opened an Indiegogo campaign, which far exceeded their expected amount of funding.

Afterwards they had their own webshop, which is now discontinued.

Instead, these stores are available:

Note: they sent me an additional T-shirt, ethernet cable and tube scarf, which is… interesting, but could be considered waste.

Tbh, I use the tube scarf daily :D

Unfortunately they didn't add any stickers!

Also, they don't have a good system to determine the recipient country, so I have an additional power supply cable for another country.

They also included a wall mount, with a set of perfectly fitting, longer screws.

All screws have regular Phillips heads.

Software

They took OpenWRT, but extended it a ton. As they have 8GB of storage and 2GB of RAM, they can do stuff way above the minimum hardware requirements of OpenWRT.

They have a graphical package manager in the WebUI, and use BTRFS snapshots for atomic updates. Which is totally cool!

That was over 10 years ago and the first router they made is still supported with updates.

Hardware

The data sheet can be obtained here.

The “Omnia Wifi6” I got uses a bit outdated hardware, similar to my Thinkpad T430. They will very likely switch to M.2 slots and ARMv8, so you may want to wait for such a revised model.

The current Omnia has 3 mini-PCIe Slots, 2 USB-3 ports and a ton of pins accessible from the inside.

Picture of a disassembled Omnia Router

  • The left one supports USB, and below you can plug in a SIM card and use a 3G/4G/5G card. With an additional package, this can be used to automatically fall back to the cell network when the regular connection fails.
  • The middle one is just mini-PCIe
  • The right one supports mSATA so with a simple adapter you can use SATA SSDs for near-native speed. (I want to do that, but it may need an additional power supply)

Article picture of a mSATA to SATA adapter

And, of course, in the front it has fancy RGB LEDs. They are used as indicators for the running state, and for the action you do by pressing the “Reset” button.

In the back it has 4 ethernet sockets, 1 WAN ethernet socket to connect to the internet, one SFP socket for a fiber connection, a multi-purpose button and a power socket.

The button in combo with the LEDs is used for various things like reboot, reset, update, update from local file, update from internet.

Setup

To set it up, connect it to power and with one of the LAN (not WAN) sockets to a laptop, using ethernet.

Right, before setup it doesn't open a wireless connection! This was confusing for me but really makes sense.

In the browser enter http://192.168.1.1 and a very nice graphical WebUI guides you through the setup.

If you use it over LAN, accept the self-signed TLS certificate in your browser, then HTTPS should work.

Applications

It runs a highly extended variant of OpenWRT. There is a huge amount of software. It varies from preinstalled to installable through packages, and from integrated into the Foris WebUI to advanced, requiring the normal OpenWRT LuCI or requiring configuration through the terminal.

An incomplete and chaotic overview:

  • file server: SMB, DLNA, encrypted storage, mdadm
  • Transmission bittorrent client
  • OpenVPN server & client
  • Wireguard (advanced)
  • Nextcloud, Syncthing (both have accessible login pages from the main WebUI)
  • Tor
  • Adblock
  • Dynamic firewall
  • haas: honeypot as a service (needs a public forwarded IPv4 address)
  • Turris Sentinel: security data collection service, analyze incoming threats (the use they originally intended)
  • Librespeed: lightweight network speed test
  • support for LXC containers to run your favourite Linux distro
  • schnapps to manipulate BTRFS snapshots
  • LAN monitoring with PaKon and Morce

NOTE: the data collection service “Sentinel” is opt-in and disabled by default.

DNS

The DNS server is not set. I used nic.cz with DNSSEC; other providers like Cloudflare and Quad9 are also available, as is manual setup.

DNSSEC works with a single button press, without any issues!

Configuration

You can configure things with a config file that you insert over a USB stick.

Storage

You can plug in an external drive (USB of course, but I want to try mSATA to SATA) and it formats it and moves all data on there.

It sets up different RAID systems, I don't know if encryption is supported.

So, you have over 7 different ways to host a fileserver on there, up to a full instance of Nextcloud. This is crazy!

Wifi Routing

You can open 2 Wifis (no idea how that works) and each can also have a separated Guest network.

Security:

  • By default, WPA3 with WPA2 fallback is used. I changed it to WPA3-only, as WPA2 is vulnerable to attacks (see this video on how to sniff passwords with Kali Linux, which requires a custom kernel driver)
  • 2 Guest networks possible, I highly recommend using those for everyone apart from Admins
  • VLANs are also supported, and need to be enabled.
  • Reminder: before first configuration, no Wifi is enabled. There is no initial password set.
  • You can have different passwords for the admin WebUI and SSH.

The reach is great, but roughly equal to the modern Fritzbox we already have, which only has a single, hidden antenna.

The time to connect to the Wifi is a bit longer than with the Fritzbox.

Community & Support

Their code is all hosted on the CZ.NIC Gitlab.

The Turris team can be contacted via email and they respond pretty quickly.

The same contact is used for repairs.

They have also had a Discourse forum for a long time, where people can exchange bugs, issues, software and hardware mods, adapters etc.

Other fun stuff

The founder of Turris has a blog
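An added example, not part of the original post and not Turris code: a short Python check that reads OpenWrt-style wireless configuration (UCI syntax, normally `/etc/config/wireless`) and reports which enabled access points are WPA3-only (`encryption 'sae'`) and which still allow the WPA2 fallback (`'sae-mixed'`) described in the Security list above. The sample config and its section names are constructed, and that TurrisOS stores its Wifi settings in this same file is an assumption based on it being OpenWRT-derived.

```python
import shlex

# Constructed sample in OpenWrt UCI syntax; section names are made up.
SAMPLE = """
config wifi-iface 'default_radio0'
    option mode 'ap'
    option encryption 'sae-mixed'

config wifi-iface 'guest_radio0'
    option mode 'ap'
    option encryption 'sae'

config wifi-iface 'old_radio1'
    option mode 'ap'
    option encryption 'psk2+ccmp'
    option disabled '1'
"""

def parse_uci(text):
    """Parse UCI text into {section: {".type": type, option: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 2 and tokens[0] == "config":
            # Anonymous sections get a synthetic key so they are not lost.
            name = tokens[2] if len(tokens) > 2 else f"anon{len(sections)}"
            current = sections.setdefault(name, {".type": tokens[1]})
        elif len(tokens) == 3 and tokens[0] == "option" and current is not None:
            current[tokens[1]] = tokens[2]
    return sections

def classify(encryption):
    """Map an 'encryption' value to the WPA3 posture discussed in the post."""
    mode = encryption.split("+")[0]  # drop a cipher suffix such as "+ccmp"
    return {"sae": "wpa3-only", "sae-mixed": "wpa2-fallback"}.get(mode, "no-wpa3")

def audit(text):
    """Return {iface: posture} for every enabled access-point interface."""
    report = {}
    for name, opts in parse_uci(text).items():
        is_ap = opts[".type"] == "wifi-iface" and opts.get("mode") == "ap"
        if is_ap and opts.get("disabled") != "1":
            # OpenWrt treats a missing 'encryption' option as an open network.
            report[name] = classify(opts.get("encryption", "none"))
    return report

if __name__ == "__main__":
    for iface, posture in audit(SAMPLE).items():
        print(f"{iface}: {posture}")
```

Any interface reported as `wpa2-fallback` or `no-wpa3` still accepts WPA2 (or weaker) clients; disabled interfaces are skipped because they do not broadcast.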

  • typhoon@lemmy.world
    ↑12 · 2 months ago

    Nothing against the project but the price seems a bit salty. $367 for a WiFi 6 router!?

    • taaz@biglemmowski.win
      ↑5 · 2 months ago

      Yeah that has always been the downside, you have to pay for the “custom device you can geek out yourself”

    • boredsquirrel@slrpnk.net (OP)
      ↑3 · 2 months ago

      Thinking about this more… no not at all.

      They compile an OS with automatic, atomic OS updates. They have an advanced package repo (afaik OpenWRT doesn't even support packages?).

      They deal with all the CVEs and stuff.

      They make a great WebUI, which is way better than the default one.

      They have a support forum and mail that is actually helpful with a short response time.

      They make a PCB, nice simple case etc.

      So yeah, I don't think doing that myself would be cheaper, at all.

    • boredsquirrel@slrpnk.net (OP)
      ↑3 ↓1 · 2 months ago

      Yes it is. And mine was even more expensive I think.

      Especially as they have “a lot” of storage, but not really modern hardware.

      You pay for the 10+ years of support

      • brrt@sh.itjust.works
        ↑5 · 2 months ago

        but not really modern hardware

        That is kind of an understatement, I believe the hardware is now at least 8 years old if I’m not mistaken, and to me the biggest deterrent right now. If they updated the hardware to relatively modern standards I wouldn’t mind the price tag and probably buy one immediately. As it stands though, no chance.

        • boredsquirrel@slrpnk.net (OP)
          ↑1 · 2 months ago

          Yes, that is very true. I think it doesn't really matter? But I am not sure how well microcode and firmware updates go over the years.

            • boredsquirrel@slrpnk.net (OP)
              ↑2 · 2 months ago

              Yes that is true. That old hardware should cost less, to explain a potentially higher price once a model with recent hardware comes out.

              It is not mainly about the hardware though, but the software updates. If you think about the work that they invested here, it gets more reasonable.

              Buying opensource hardware is always just a service for users who cannot do that themselves. The schematics are opensource, the entire modified OpenWRT is opensource, and they also contribute to upstream OpenWRT (so there is another investment in the more general FOSS world here).

              I have not analyzed how much % they do in OpenWRT but that would be really interesting.

              • Possibly linux@lemmy.zip
                ↑1 · 2 months ago

                I don’t see any benefit to buying specialized hardware. Why would you need “open source hardware?”

                OpenWRT replaces the old OS. I really don’t see the benefit of shelling out for such devices. If you want to help work on porting devices, either port a new device or work on testing and bug fixing OpenWRT 21.

              • Possibly linux@lemmy.zip
                ↑2 · edited 2 months ago

                Off the shelf devices are fine. You could even go used for cost savings. Just flash OpenWRT and you are done. A router shouldn’t be hosting services. That is a server’s job.

      • manmachine@lemmy.world
        ↑3 · 2 months ago

        If all you need is a router, Mikrotik also offer stellar support, lots of configuration options and are much cheaper for the same specs.

        • boredsquirrel@slrpnk.net (OP)
          ↑1 · edited 2 months ago

          Could you post a link?

          They have a ton of products and don't advertise their routers that much.

          Is RouterOS FOSS? I couldn't find source code, and an AI told me it is a Linux based proprietary OS.

          Are the routers just OpenWRT compatible? I see a lot of them are. But TurrisOS can do a ton more than OpenWRT!

          I found a big router with only 2.4GHz, a few small access points that would be totally fine for that job, this Wifi6 router but with way lower specs and less modularity.

          I agree that this router is really expensive, the case is elegant but pretty primitive, and the hardware is very old.

          But I didn't see anything with 2GB RAM and such an advanced OS.

          • manmachine@lemmy.world
            ↑1 · edited 2 months ago

            This one is more or less comparable I believe. No idea about FOSS though, if it’s important then my advice is invalid, of course. But if I personally was going for a FOSS router, I’d just get an old-ish computer with several NICs inside and install some BSD on it.

            • boredsquirrel@slrpnk.net (OP)
              ↑2 · 2 months ago

              No, their RouterOS is not FOSS.

              But if it is supported by OpenWRT, that may not be necessary. As long as you can update firmware and microcode even from a different OS. I have no idea if OpenWRT can do that.

  • cbarrick@lemmy.world
    ↑7 · 2 months ago

    I love my Turris Omnia!

    I got the one with the WiFi 6 card. The cool thing is that you can easily open it up and replace parts.

    I run the upstream OpenWRT rather than the customized version by Turris. They are good about submitting patches upstream.

      • cbarrick@lemmy.world
        ↑6 · 2 months ago

        Part of it is the community. I really like the OpenWRT community, but it’s harder to engage with them when you run a downstream distribution.

        But also I’m a bit of a hacker (in the traditional sense). I like to experiment with custom builds of OpenWRT. (And FWIW, their build system uses the same menuconfig as Linux.)

        • boredsquirrel@slrpnk.net (OP)
          ↑2 · 2 months ago

          Really cool!

          I would also be interested in hacking that router.

          For example, move as many drivers as possible into userspace with FUSE, to reduce attack surface.

          You could even use USB for the network cards.

          This is a thing when people “harden” hardware, to contain nothing with direct access to the RAM.

    • boredsquirrel@slrpnk.net (OP)
      ↑2 · 2 months ago

      I will post an update once I manage to do the mSATA-SATA SSD mod, install Nextcloud, NoIP and Wireguard.

      Would love to have a small little box which also does my Nextcloud!

  • Possibly linux@lemmy.zip
    ↑4 ↓1 · 2 months ago

    I’m not sure I see the use case. Why would I want my router to also be a NAS and a server? I don’t like the all in one architecture. Also cost wise it doesn’t make sense either.

  • davel [he/him]@lemmy.ml
    ↑1 ↓1 · edited 2 months ago

    Edit to add: It appears that the Wi-Fi 6 driver is open source:
    https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#Status


    I was under the impression that there are no Wi-Fi 5 or 6 modules for which there are open source Linux drivers. Am I wrong?

    This code seems to be under an open source license (ISC), but I’m not a Linux kernel or driver developer, so I’m not sure if this represents the entire driver or if it’s just a stub for some binary blob.
    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/mediatek/mt76/mt7915

    I guess MediaTek is the designer and AsiaRF is the manufacturer of the Wi-Fi 6 11ax 4T4R Mini PCIe Module (AW7915-NP1).