Disable All Phone Home Activity

Hey Everyone

Does anyone know if there’s a documented procedure anywhere that details how to disable ANY AND ALL phoning home that is performed by the Turris Omnia? From what I’ve researched it sounds like you can disable certain functionality but it still performs some outbound requests which could reveal the device type to a snooping third party. This could be accomplished either by snooping on DNS requests or by looking at the destination IP and determining it is used by Turris (This would be the method used in the event that encrypted DNS is in place and running over the public internet).

The thread I am referencing is here: Why does router phone home?

The product sounds great and I realize that some sort of centralized connectivity is necessary for certain functionality, however, after the Solarwinds and Ubiquiti incidents, I’d personally prefer to have my device operate autonomously and receive updates locally without needlessly revealing device information with unnecessary phone home calls related to some old code.

Does anyone know if there is a documented procedure at this point to disable this phone home functionality? The post mentioned disabling scripts that run in both /etc/init.d and /etc/cron.d. Does anyone know which scripts should be disabled? Also it looks like the post was kind of old, could this have been worked out in a recent update?

Thank you

Why don’t you buy a device with OpenWRT only?
Isn’t the whole thing about Turris products, that they’re connected (adaptive firewall) or learning about attack schemes and reporting that back to Turris servers?

Actually this is not correct.
If you buy a device, you do not necessarily buy it for what it is advertised for :wink:
If reduced to its physical features, the Turris Omnia is a perfect device for tinkerers - and for this you do not need the turris software. And you can uninstall all the custom rules, scripts and packages if you want or even install vanilla OpenWrt instead (but to be honest I do not know the current state of that image, in the past there were various issues).
On the other hand I personally really like schnapps in combination with hardwarekeys - that saved me various times.

Hey 0regano

I was originally trying to buy the best consumer router I could to get the best Openwrt feature set. My current router runs Openwrt with the LUCI interface but has a limitation with its switch chip that doesn’t allow for vlan tagging. Either that or I’ve just not yet stumbled upon the solution (could also be a PICNIC or Id10t error as well). Then I stumbled upon the Omnia and figured that if the hardware was good enough for the folks at Turris to run their forked code, it probably does a pretty good job with Openwrt. Then I started reading about Turris OS and figured it might be a lot less painless to just go with a product like this.

Since this is a consumer router marketed towards super users where we get root access I figured modifying things like this may be relatively simple and encouraged in the community, perhaps even documented either by the community or the developers themselves. Because of this I wanted to ask here, before I try to figure it out.

You are completely right and it will be a little bit tinkering, but in the end you will succeed in what you describe.

I thought it would be easier to get a good supported OpenWRT device instead of a device which would require more work disabling features than adding them.

But nevertheless, it’s free/open software - every usage is reasonable.

I see. You referenced one phoning home, and there are multiple ones. To be honest, it is a pity that you referenced a thread that is 3 years old, as it reminds me… here we go again… We tried to respond in them as many times as we could.

If you noticed the thread, it mostly applies to Turris OS 3.x, as we started with the Project:Turris. Routers Turris 1.x were given under contract to people as part of the research project initially, and many people agreed and applied for it, and it exceeded our expectations. Then we started to manufacture and sell the Turris Omnia router with the same data collection system, and after some time, we decided no, we cannot do it like this anymore. Our infrastructure is not enough, and there is no possibility to do it scalably anymore. What are we going to do about that? By the way, this is a few years old. We could choose paths - drop remedies, refactor it, throw it away, start it from scratch, and learn from our mistakes.

As some of you already know, we decided that we will learn from our mistakes and prepare a new solution, which will be scalable and fit modern needs. The software is evolving, and that’s why there is no ucollect since Turris OS 4.x. Which devices come preinstalled with Turris OS 4.x? Take a look at our documented factory versions. However, from retail shops, you should not get a router with Turris OS 3.x anymore.

This solves almost everything that is stated in the referenced thread:

We have the first part, and I need to add that when you buy a Turris Omnia router or a Turris MOX modular router, by default there are neither automatic updates enabled nor a data collection system installed, as both things require agreeing to the agreements (EULA).

So, let’s get to your part, “phoning home”. If you agree with automatic updates, how do you want to have your router updated? I would bet on it that other companies you referenced are checking for updates on their devices. If you don’t want to have snooping on DNS requests, you can use DNS-over-TLS or DNS-over-HTTPS. Also, it makes me wonder how you could install packages if you don’t phone home, I mean, use repositories, and that’s what could be counted as phoning home, right?
Same as you would be doing with vanilla OpenWrt.

If you want to receive updates locally, you will need to use medkit each time there is an update.

I hope that I answered all these questions regarding phoning back and avoided misunderstandings of it.

Hey Pepe

Thank you for taking the time to respond. Sorry to open an old wound. It sounds like things have come along nicely with the Omnia. So is it safe to say that with the latest code, if you opt out of the EULA, the device will not initiate any requests to Turris’ infrastructure unless the user manually performs an update?

I have no issue with downloading updates as long as I initiate the update. I just don’t like the idea of a device as critical as a router reaching out to a central server periodically for something like data collection for which I have no need or desire.

I had similar worries when I started using Omnia and I wanted to flash vanilla OpenWRT, but the more time I use TurrisOS, the more I realize that it’s more supported and fixes for bugs are faster than waiting for the upstream OpenWRT to accept a fix and release it.

Also, the updating mechanism of OpenWRT is not as nice as that of TurrisOS; that’s the whole point of the Turris Team making a ‘pkgupdate’ program to do the updates seamlessly. Also, when you go with pure OpenWRT, the rollback mechanism is not working, so in case you F-something up you need to reflash the router, and with TurrisOS you simply roll back to the previous snapshot and in 60s you are back operational. Please consider that before you opt out. And I fully understand that you might want to anyway.