The Turris Omnia Security-Focused Open Source Router

I recently bought the Turris Omnia router. It’s a security-focused router developed by the Czech NIC, a non-profit organization that controls the .cz TLD. It started as a research project for securing home networks, and the organization has since launched a variety of hardware devices for secure home networking. At EUR 300, this router is not cheap, but it is indeed quite capable hardware, easy to set up and manage, and comes with the promise of automatic regular updates for the lifetime of the router.

Thanks to the generous hardware specs, in addition to being a router, it can also work as a NAS server - running NextCloud, or making file systems available over the network via SMB/CIFS and NFS. It can also run LXC containers to host custom server workloads.

The OS in the router is based on OpenWrt, with custom UI options in addition to the LuCI interface for management. Both the hardware specs and the software are open and easily customizable.

Setting up the router was very easy. Setting up an external hard disk via one of the two USB3 ports, or via the mSATA interface, is straightforward - and also recommended, so as not to wear out the internal eMMC chip. Even getting OpenVPN client as well as server configurations set up was a breeze via the ReForis WebUI.

Functionality like adblock or file sharing is configurable via the LuCI OpenWrt interface, so one has to deal with multiple UIs to explore and manage the complete functionality of the router. There’s also an older Foris UI that’s slowly being deprecated, but not all functionality from that UI is present in the newer ReForis one, leaving folks to explore yet another option.

Some of the customizations on top of OpenWrt make it easy to manage and configure OpenVPN (both client and server configurations), to set up NAS drives to run Nextcloud, and to use the dynamic, adaptable firewall.

The dynamic firewall is an optional, opt-in feature that relays certain inbound traffic reaching the router to the Turris servers, where it is analyzed for new attack vectors. When a new vector is identified, firewall updates are pushed to all Turris devices.

The system has an interesting way of backing up data and settings: it uses a btrfs filesystem on the eMMC partition. Each backup operation is a new btrfs snapshot, which makes it a very fast operation and saves a snapshot of the entire system state. These snapshots can be triggered by the user at any time via the ReForis UI. They’re also taken automatically just before any system update operation - a cool way to ensure the router doesn’t get hosed in case of a bad update.

This device is a great router, but there are some shortcomings in this system. While the NAS functionality is well integrated, Nextcloud feels very slow to access for file storage and retrieval - especially as a media gallery. The package set also doesn’t have ImageMagick built in, and the Nextcloud version that ships with the default package set is slightly old. For me, downloading apps via the admin interface didn’t work; I had to install apps via the CLI, by first downloading the app via app.nextcloud.com, copying it over to the router, untarring it, and then installing it. The first few steps of that procedure are routine; enabling the app is done via the command line like so:

sudo -u nobody /usr/bin/php-cli /srv/www/nextcloud/occ app:enable contacts
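The manual install steps above, scripted, as an added example that is not from the original post: the tarball is assumed to have already been downloaded from app.nextcloud.com and copied to the router by hand, the Nextcloud root path and the occ invocation are the ones from the command above, and the layout check in front (a single top-level directory named after the app, containing appinfo/info.xml) is the structure Nextcloud requires of an installed app.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: NC_ROOT is the
# Nextcloud root from the post's occ command, and the app tarball was already
# fetched from app.nextcloud.com and copied to the router (scp, for instance).
NC_ROOT="${NC_ROOT:-/srv/www/nextcloud}"

# Sanity-check a downloaded app tarball before unpacking it into the apps
# directory: Nextcloud expects exactly one top-level directory, named after
# the app id, containing appinfo/info.xml. Returns 0 if the layout matches.
check_app_tarball() {
    tarball="$1"
    appid="$2"
    [ -f "$tarball" ] || return 1
    # Take the first path component of every entry and collapse duplicates
    # (a leading "./" is stripped, and a bare "./" entry is dropped).
    tops=$(tar -tzf "$tarball" | sed 's|^\./||; s|/.*||' | grep . | sort -u)
    [ "$tops" = "$appid" ] || return 1
    tar -tzf "$tarball" | grep -qE "^(\./)?$appid/appinfo/info\.xml$" || return 1
}

# Unpack the app into the apps directory and enable it with the same occ
# invocation as in the post (occ runs as "nobody", as the post's command does).
install_app() {
    tarball="$1"
    appid="$2"
    if ! check_app_tarball "$tarball" "$appid"; then
        echo "refusing to install: $tarball is not a single-app archive for '$appid'" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$NC_ROOT/apps" &&
    sudo -u nobody /usr/bin/php-cli "$NC_ROOT/occ" app:enable "$appid"
}
```

Run check_app_tarball on the downloaded archive before copying it to the router; install_app then unpacks and enables it on the device itself.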

The documentation and community forums are a good source of information and help for any Turris-related issues. Since the base is OpenWrt, its excellent documentation and community support are readily available as well.

Overall, I’m quite pleased with the performance and functionality of the router. I’m already using it as my primary router, and have started using Nextcloud on it. I’ve not set up custom LXC container workloads yet, but I may try out a couple. tt-rss is one application I’d like to try out soon.

SARS-CoV-2: Why Do We Have the Pandemic Now?

Someone recently put the “what do we think about 2020” question differently, and very nicely: Many book readers like to skip to the end of books and read the climax first, as they can’t stand the suspense. Had 2020 been a book, what would you have thought when skipping ahead, and reading about the last few days in December, back in early January 2020? Empty streets; not celebrating Christmas or New Year’s Eve with friends or family; shops closed, and travel all but coming to a halt. I’m sure many of us would’ve put that book down as some fantastical novel, one that talks about apocalypses or zombie outbreaks, and doesn’t talk about our world at all.

And yet it was real. And it not only felt normal and natural to not travel or meet friends and family for events, it even felt normal to stay home for long periods of time through the year. That’s mainly because we learned of the seriousness of the pandemic as the days rolled by.

One question that bothered me a lot during this time was “why is this happening now? Almost every country, almost every person living is affected by this pandemic. It’s something most of the living population has never experienced. Why now? And what makes this virus so special that it’s become this widespread?”

The last known pandemic was the one that started just as World War I was drawing to a close - in 1918. That’s more than a hundred years back. Since 1918, the world has actually shrunk. Mobility of people has increased, people travel across the globe in a matter of days, and yet this is the first virus to become a pandemic. SARS-CoV-2 was in fact already present in Italy and the USA in Dec 2019-Jan 2020, well before the virus was even known in the scientific or medical communities, and well before the resulting disease, COVID-19, became known. Well, in a way, we still don’t know what the disease does. We do not know the long-term effects of this virus, and we continue seeing new studies being published on the long-term effects of having contracted it.

It’s not to say we’ve not had serious viruses during our lifetimes. HIV is the most well-known that has spread quite a bit. SARS and MERS from the early 2000s were common as well. HIV doesn’t transmit via the air or casual contact, so that’s a category of its own. But SARS, or SARS-CoV-1, was a coronavirus as well. Why didn’t that become a pandemic?

The answer seems to be that SARS-CoV-2 is far less lethal than the others, and in fact doesn’t even result in symptoms in a large part of the population that gets infected with it. SARS-CoV-1 or MERS were different: whenever someone contracted them, they quickly developed symptoms and had to be bed-ridden and receive care. That resulted in immediate isolation for the infected, and the spread was contained to small bubbles.

SARS-CoV-2, on the other hand, doesn’t even manifest itself in all its hosts. Some people may not know for a long time that they had been infected by it. This meant that people continued to roam around, spreading the virus wherever they went, and that ended up infecting others. That led to the virus spreading far and wide, infecting many more people than reported. Folks with other conditions, and vulnerable people, bore most of the immediate ill effects of the virus.

What made matters worse is that influential people reported this to be “just a mild virus, like the flu”. And many people believed that. That led to more carelessness, and more spreading of the virus.

The virus’s lethality, the way it manifests in individuals, and its transmissibility all came together in the worst kind of “sweet spot” only now, leading to the pandemic, and to the widespread social, economic, and humanitarian effects of the lockdowns.

This is certainly not going to be the last such pandemic.

The more we rearrange the way we work and live to be compatible with this reality, the faster we can get to a new normal. This doesn’t have to mean we stop hugging friends, or stop chatting with strangers on streets. But it may mean we have to design masks that we can live with for all our outdoor presence, that we get much more mindful of our hands and fingers touching random objects, and that we take proper precautions when gathering in closed spaces - which could also perhaps include mask-wearing.

Ten Years of KVM: Article on LWN.net

As promised in the earlier post, I've written an article on some of the history and the journey of the KVM project:

https://lwn.net/Articles/705160/

I was initially going to just do a writeup on this blog, but I asked the folks at LWN if they were interested... and they were! This is my first article for LWN. I've followed the site and its excellent content for a really long time, and now I'm very thrilled to also be an author.

Ten Years of KVM

We recently celebrated 25 years of Linux on the 25th anniversary of the famous email Linus sent to announce the start of the Linux project. Going by the same yardstick, today marks the 10th anniversary of the KVM project -- Avi Kivity first announced the project on the 19th of Oct, 2006 with this posting on LKML:

http://lkml.iu.edu/hypermail/linux/kernel/0610.2/1369.html

The first patchset added support for hardware virtualization on Linux for Intel CPUs. Support for AMD CPUs followed soon:

http://lkml.iu.edu/hypermail/linux/kernel/0611.3/0850.html

KVM was subsequently merged into the upstream kernel on the 10th of December 2006 (commit 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7). Linux 2.6.20, released on 4 Feb 2007, was the first kernel release to include KVM.

KVM has come a long way in these 10 years. I'm writing a detailed post about some of the history of the KVM project -- stay tuned for that. [Update 3 Nov 2016: I've written that article now at LWN.net: https://lwn.net/Articles/705160/]

Till then, cheers!

FOSSASIA 2016 talk: Virtualization and Containers

I did a talk earlier today at the wonderful venue of the Science Centre Singapore at FOSSASIA 2016, titled 'Virtualization and Containers.' Over the last few years, several "cool new" and "next big thing" technologies have been introduced to the world, and these buzzwords leave people dazed and confused.

One of my aims for this talk was to introduce people to the concepts behind virtualization and containers, explain that these aren't really new technologies, and why there's so much interest in them of late.

I also think there's a lot of misinformation spread around these topics, so this was also an attempt to set some facts straight.

The slides are here, and I will post an update with the link to the video.

Edit: video is up.