An open source router built for security
Secure Networker

Home routers are known for weak security. Turris Omnia is an attempt to build a better router through the power of open source.
Hundreds of Internet routers inhabit the IT consumer marketplace. However, the little boxes that connect our home or work offices to the Internet are continually causing a stir. At the end of November 2016, 900,000 customers of a German telecom company were cut off from the Internet for hours – and even for days – because the Speedport router supplied by the company fell victim to a denial of service attack.
Strangely enough, the attack was not even aimed at these routers. Instead, the attackers wanted to penetrate the vulnerable remote maintenance interface of a completely different device type. To exploit an existing vulnerability in the targeted devices, and thus integrate them into a botnet, the attackers indiscriminately flooded the Internet with port-knocking packets intended to open a communication channel to the affected systems.
An investigation revealed that the company had left port 7547/TCP wide open on the devices; customers had warned the company as early as 2014 of this potential and completely unnecessary vulnerability, but for whatever reason, many devices were still vulnerable.
The reward for this incredible sloppiness was the attack: The mass of incoming request packets to the needlessly exposed remote maintenance interface were unable to open the affected port, let alone infect the systems, which were essentially immune. But the sheer volume of packets overwhelmed the routers so badly that they stopped working altogether.
This kind of negligence is, unfortunately, all too common with network device providers: Unneeded ports are left open, default passwords are active for far too long, and vulnerable system software remains unpatched. Users often don't even receive a warning, or if they do – as they did with the German telecom – they often ignore potential security problems until the disaster hits home.
As several studies have revealed, many home routers are incredibly insecure, with out-of-date firmware, open ports, and unpatched operating systems. Most business networks have an IT professional – or sometimes a whole team of professionals – overseeing the security system and interpreting event logs to look for signs of intrusion. On home networks, the only "admin" is the router owner, who is typically an amateur with neither the time nor the inclination to become an expert in the home router appliance.
The need for better security, and for ongoing monitoring of home router traffic to look for possible attacks, has led to an innovative program sponsored by CZ.NIC, the non-profit company that manages the Czech Republic's top-level domain. CZ.NIC designed its own router for users on its network. The Turris Omnia router [1], which was financed through a crowd-funding campaign, incorporates some best practices missing from many router designs and is intended to be very secure.
One of the more interesting features of the Turris Omnia is that it can collect data on incoming traffic to look for signs of an attack in progress. The data is forwarded back to CZ.NIC and can be used to warn other users and, ideally, develop a remedy for the attack.
The Turris Omnia, which uses open source software and open hardware wherever possible, is a good example of a real-world device built to harness the power of the OpenWrt Linux project [2] for residential gateways and other embedded devices. The Omnia is available now in Europe. FCC approval for use in the US is still pending (see the interview with head developer Bedrich Kosata at the end of this article). We decided to investigate the Turris Omnia because it seemed like an interesting approach to the persistent problem of home router security.
High Tech in Plain Wrappings
The Turris Omnia router comes in two variants that only differ in terms of memory. Just EUR289 (a little over $300) will buy you the router with 1GB of RAM, and EUR329 (around $350) gets you twice the capacity. The Turris Omnia impresses with powerful hardware under the hood. A two-core 1.6GHz ARM CPU is at the heart of the machine, with 8GB of permanent SSD storage.
Thanks to the three mini-PCI Express slots, one of which supports the SATA protocol, storage can be extended with SSD blades. On delivery, two of the three slots are occupied by WiFi 802.11b/g/n and 802.11ac modules (Figure 1). Besides storage media, you can also fit an LTE modem or additional WiFi modules. The router is prepared for cellular modules and has a SIM card slot on the motherboard.

The entire hardware of the Turris Omnia is fully supported by the current Linux kernel. With one exception, free drivers and documentation are available for all components; only the WiFi interface requires a binary from the manufacturer.
Visually the Turris Omnia is quite unobtrusive. The technology is encased in the kind of unadorned metal housing typical of (semi-)professional network technology. The 12 LEDs on the front deliver information on the current status; you can control the brightness and even color by using a switch on the right side. In addition to the LEDs, the unit has two ready-for-use USB 3.0 ports on the left front.
The back of the router is dominated by three WiFi antennas, which can easily be replaced depending on how you plan to use the device. When you look at the connections, the SFP port is quite a surprise: It can house various networking modules and is rarely found in devices in this price range (see the box titled "SFP").
SFP
The acronym SFP stands for Small Form-factor Pluggable. The SFP specification defines modular, hot-swappable optical or electrical transceivers for Gigabit Ethernet, Fibre Channel, and SONET. The original specification envisages a 5Gbps data rate, although SFP+ interfaces now exist with up to 10Gbps.
You can use the SFP interface (Figure 2) to integrate the router with the LAN or on the Internet with a high-end network medium such as glass fiber. Alternatively, the port will accommodate a modem for VDSL or other connection technologies. If you are already using a broadband modem, you can connect it with the Turris Omnia via the GbE-capable WAN interface and a network cable. Five Gigabit network sockets and a second USB 3.0 port complete the range of interfaces.

Open in the Positive Sense
The system software is based on OpenWrt, the open source router operating system, and the hardware is almost completely documented. This open policy regarding information on the device means that a user with sufficient skill can check the source code or even build a completely new router.
Even if you do not want to go that far, you could still expand and rebuild the installed system or replace the software with a different distribution.
The built-in distributed firewall is one of the outstanding and unique features of the router. The firewall is designed to protect the user against zero-day exploits. CZ.NIC wants to detect and analyze these attacks and evolve counter-strategies from the findings as soon as possible, transmitting the necessary fix directly to the consumer equipment.
To monitor the network for a possible attack, the manufacturer collects the data traffic between the client and the Internet. Turris Development Director Bedrich Kosata explains: "The fact that we are familiar with the traffic of many customers, who are anonymous for us, means that we have a large database; this large collection of data will ultimately benefit customers." CZ.NIC analyzes the data for unusual patterns. In case of conspicuous or even suspicious behavior in the traffic, it warns customers. In its delivered state, the firewall is disabled; the customer first needs to enable it. That is, CZ.NIC lets the users decide, said Kosata, whether they want to have their data traffic analyzed. CZ.NIC only uses the acquired data for traffic analysis, and this information is subject to very strict rules on data protection.
The auto-update feature is one of the additional security measures. During setup, the router asks whether you want to use the function. If you prefer mature software, you can do without the auto-updater. In view of recent IT security incidents, however, you are better off installing updates as soon as they are available.
Another indicator of the Turris Omnia's sophisticated security is that no Internet-facing ports are open in the factory defaults. Functions such as UPnP are disabled, WiFi stays off until you enable it during the initial setup, and you set all access credentials yourself during guided commissioning.
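As an added example (not from the article, CZ.NIC or the OpenWrt project), the following Python script parses an OpenWrt-style UCI firewall configuration and reports anything that admits unsolicited traffic from the WAN zone, the class of exposure behind the port 7547 incident described earlier and exactly what the Omnia's factory defaults avoid. The sample configuration and names such as Allow-CWMP and NAS-SSH are constructed; on a real router you would feed it the contents of /etc/config/firewall.

```python
"""Audit an OpenWrt/Turris UCI firewall config for Internet-facing openings."""
import re
# Constructed sample: the WAN zone rejects input, but a rule re-opens TCP/7547
# (the remote-maintenance port) and a redirect forwards port 2222 to a LAN host.
SAMPLE_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'

config rule
    option name 'Allow-CWMP'
    option src 'wan'
    option proto 'tcp'
    option dest_port '7547'
    option target 'ACCEPT'

config redirect
    option name 'NAS-SSH'
    option src 'wan'
    option src_dport '2222'
    option dest_ip '192.168.1.10'
    option dest_port '22'
"""

# One UCI line: 'config <type> [name]', 'option <key> <value>' or 'list <key> <value>'
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value}) tuples."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), {}))  # the optional section name is not needed
        elif m and sections:
            sections[-1][1][m.group(2)] = m.group(3)
    return sections

def wan_openings(text, wan_zone="wan"):
    """Return (kind, name, detail) for everything that admits unsolicited WAN traffic."""
    findings = []
    for kind, opts in parse_uci(text):
        src, target = opts.get("src"), opts.get("target", "").upper()
        if kind == "zone" and opts.get("name") == wan_zone and opts.get("input", "").upper() == "ACCEPT":
            findings.append(("zone", wan_zone, "input policy ACCEPT exposes every local service"))
        elif kind == "rule" and src == wan_zone and target == "ACCEPT" and "dest" not in opts:
            findings.append(("rule", opts.get("name", "?"), f"{opts.get('proto', 'any')}/{opts.get('dest_port', 'any')} open to the Internet"))
        elif kind == "redirect" and src == wan_zone:
            findings.append(("redirect", opts.get("name", "?"), f"port {opts.get('src_dport', '?')} forwarded to {opts.get('dest_ip', '?')}"))
    return findings
```

A clean factory-default configuration, with the WAN zone set to REJECT and no WAN-sourced rules or redirects, yields an empty list.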
Simple or Complex?
Installing the Turris Omnia is quick and easy. First, connect the device to the power supply and then connect the WAN port to a modem using a cable. Use a network cable to connect one of your own computers to one of the five Ethernet ports on the router for the initial setup. Then, call the router's web interface on the computer to access the homepage of a simple, but quite effectively designed, installation dialog. The installer guides you through the start-up in 10 steps.
You'll create the necessary access credentials and enable the well-secured WiFi network, among other things. The whole device is up and running within a few minutes. If the software needs to download many updates, this can take a little longer, depending on the bandwidth of your Internet connection. You can then access the simple web interface of Turris Omnia, where you can perform rudimentary settings. Although these are sufficient for general operation, they omit important functions, such as network-attached storage (NAS). All the options are described well.
Things look quite different in the advanced section: Regardless of the visually appealing design and good structure, the options offered here require in-depth expertise. The interface offers you the possibility to influence virtually every aspect of the router and the software – far beyond what even a demanding home user or small office will need (Figure 3).