The Turris Omnia Security-Focused Open Source Router

I recently bought the Turris Omnia router. It’s a security-focused router developed by the Czech NIC, a non-profit organization that controls the .cz TLD. It started as a research project for securing home networks. The organization has since launched a variety of hardware devices for secure home networking. At EUR 300, this router is not cheap, but it is indeed quite capable hardware, easy to setup and manage, and comes with the promise of automatic regular updates for the lifetime of the routers.

Thanks to the generous hardware specs, in addition to being a router, it can also work as a NAS server - running NextCloud, or making file systems available over the network via SMB/CIFS and NFS. It can also run LXC containers to host custom server workloads.

The OS in the router is based on OpenWrt, with custom UI options in addition to the LUCI interface for management. Both, the hardware specs, and the software are open and easily customizable.

Setting up the router was very easy. Setting up an external hard disk via the two USB3 ports, or via the mSATA interface is straightforward - and also recommended - to not wear out the internal eMMC chip. Even getting openvpn client as well as server configurations set up was a breeze via the ReForis WebUI.

Functionality like adblock, or file sharing, is configurable via the LuCI OpenWrt interface. So one has to deal with these multiple UIs to explore and manage the complete functionality of the router. There’s also an older Foris UI, that’s slowly being deprecated, but not all functionality from that UI is present in the newer ReForis one, leaving folks to explore yet-another option.

Some of the customizations on top of OpenWrt make it easy to manage and configure openvpn - both client and server configurations; setting up NAS drives to run Nextcloud; and the dynamic adaptable firewall configurations.

The dynamic firewall is an optional opt-in feature that relays certain external input traffic to the router to the Turris servers, where it is analyzed for new attack vectors. When a new vector is determined, firewall updates are pushed to all Turris devices.

The system has an interesting way of backing up data and settings: it uses a btrfs filesystem on the eMMC partition. Each backup operation is a new btrfs snapshot, which makes it a very fast operation and saves a snapshot of the entire system state. These snapshots can be triggered by the user at any time via the ReForis UI. They’re also automatically taken just before any system update operations - a cool way to ensure the router doesn’t get hosed in case of a bad update.

This device is a great router. But there are some shortcomings in this system, though. While the NAS functionality is well integrated, Nextcloud feels very slow to access for file storage and retrieval cases – especially as a media gallery. The set of packages doesn’t also have imagemagick built in. Also, the NextCloud version that ships with the the default package set is slightly old. For me, downloading apps via the admin interface didn’t work; I had to install apps via the cli, by first downloading the app via, copying it over to the router, untarring it, and then installing it. The first few steps of that procedure are routine; enabling the app is done via the command line like so:

sudo -u nobody /usr/bin/php-cli /srv/www/nextcloud/occ app:enable contacts

The documentation and community forums are a good source of information and help for any Turris-related issues. Since the base is OpenWrt, the excellent documentation and community support are readily available.

Overall, I’m quite pleased with the performance and functionality of the router. I’m already using it as my primary router, and have started using NextCloud on it. I’ve not set up custom LXC container workloads yet; but I may try out a couple. tt-rss is one application I’d like to try out soon.