Is Omnia private and easy to use?

I’m thinking of getting a Turris Omnia, but the reviews I’ve found so far say it has pretty bad documentation. This, for example, is the first review that shows up on Google. It’s a few years old, but it’s also pretty discouraging.

Has Omnia usability improved since that review? I know just enough Linux to read shell scripts and follow tutorials, but that’s about it. At the same time, I want an open-source VPN-capable router. Does the GUI include good documentation now? Is the Omnia for someone like me?

And how good/bad is the Omnia’s privacy? I’ve read about the “adaptive firewall” and it’s also making me think twice about buying it. What else did Turris add to OpenWrt on the Omnia? Is it possible to turn off ALL telemetry on the Omnia?

Thank you!

That feature is not mandatory and can be removed. In its new version (Sentinel) the user would have to agree to an EULA if they want to use the feature.


As far as I know there is no telemetry phoning home by default, except perhaps scheduled Netmetr, but that can be disabled as well.


There is new(ish) documentation available for your perusal: https://docs.turris.cz

Then there is the https://demo.turris.cz (albeit outdated) as showcase for TOS’s own UI, and then there is always the secondary UI (LuCI) from OpenWrt https://openwrt.org/docs/guide-user/luci/start


Only very few of the points appear discouraging to me (I read it quickly/sparsely), e.g. the unexplained with their WiFi clients or missing nice GUIs for some specific features present in that other router. On some points the author seems a bit confused or “weirdly negative” about some things. Perhaps you’d best ask about the particular points bothering you.

The “call home” connections from there seem like automatic update check (by the hostnames). Apparently the author would prefer a special button instead of the various modes (immediate, wait-for-approval, delayed, off – maybe some of these weren’t available two years ago).

When we’re on the topic - is it possible to use the adaptive firewall (Sentinel) in download-only mode, or is it a requirement that if you want to utilize its benefits, you have to be a part of the community that builds the rules?

Maybe the EULA contents explain it: https://gitlab.nic.cz/turris/sentinel/eula/-/blob/master/eulas/1.txt

Adaptive firewall is always download-only. The EULA does not apply to it because of that. We highly suggest participating, of course. We are working on documentation for every component you can enable in the Sentinel system to collect data. In short, we have the following components:

  • firewall logs: those are logs about failed connection attempts from WAN side. That means what you are blocking (not what you allow).
  • minipots: these are minimal honeypots we use to collect login attempts to various services. At the moment (Turris OS 5.1) there is HTTP, FTP, SMTP and telnet implemented. They again listen on standard ports on WAN.
  • usage survey: this is the only component you might have a problem with. It is not used as a data source for the firewall but rather to maintain Turris OS. It collects the OS version and the list of installed packages. It is intended as a source for internally used usage statistics, to better allocate our manpower for distribution maintenance.

And besides Sentinel you can also use HaaS (which we use as a data source for the dynamic firewall as well). It is a full honeypot, but it runs on our servers, while only a proxy runs on the router.

EULA also permits us (and we were doing so in the past) to collect some aggregated data flows from traffic. At the moment we are not doing that and in future we rather plan to use Suricata and collect only alerts it produces.

In short, I hope you can see that while we collect some info, we are trying not to collect anything sensitive regarding our users. The only component that is truly “telemetry” (that is, the usage survey) can be disabled (in the sense of being fully removed from the system), same as any other component.


Perhaps you’d best ask about the particular points bothering you.

From the review (the bold parts were bolded in the original article):

The advanced Omnia UI (Luci) is for Linux techies with a networking background. I might have included myself in that category, but no, I was mostly lost here. Not only is there no help or explanation of anything in Luci, there is not even a link to a page of documentation. A couple examples: The WAN interface has checkboxes for Masquerading and MSS clamping. The firewall section supports zones, a concept that was new to me, so of course I am clueless about inter-zone forwarding. Port Forwarding I know, but inter zone? You just have to know what these (and many other) things are. If you don’t, then the Omnia is not a good fit for you.

I could not figure out how to enable remote web administration using only HTTPS but on a non-standard port. So, I asked the forum. Someone suggested using SSH on a non-standard port instead or using OpenVPN. With Peplink this was trivially easy, I am not sure it is possible with the Omnia.

Turris documents how to disable Wi-Fi at night here WiFi off during night. This is much easier with Peplink, which offers a GUI interface. The Omnia uses a CRON script, the same approach Linux and Unix nerds were using 25 years ago.

The advanced Luci web interface does not offer LAN side restrictions for access to the router itself. It does not seem to be able to limit access to HTTPS or limit access by IP address or limit access at all.

And as for telemetry (@mrs.crox) :

However, even with automatic updating disabled, the Omnia does phone home.
Below is an edited log file showing the outgoing connections initiated by the router for the router
(…)
The Omnia made secure HTTPS connections on port 443 to two different computers in the Czech Republic: 217.31.192.101 (api.turris.cz) and 217.31.192.69 (repo.turris.cz).
(…)
I asked about this in the forum. One person guessed that it might be configuration backups, data collection or netmetr. I don’t know what any of these things are. Someone from Turris said that it is an intended behavior and that there are several tasks that might cause this. The whole idea of using a router that does not require you to have an account with the hardware vendor is to avoid the router phoning home, so this is disappointing. He suggested it might be a certificate revocation check or one of several similar things, “containing no or minimal details about the router.”

All this is just a small part of the review, and honestly all of these points bother me. Why should I get the Omnia if I could spend $100 on another device, install OpenWrt, and get the same experience without the telemetry? Or, I could spend $200 on something like the Surf SOHO in that review, which is closed-source but has everything in the GUI and is easier to use?

I’m interested in the Omnia because I’m hoping to get the best of both worlds (open-source privacy + commercial ease of use), and this review implies I’ll instead get the worst of both worlds (corporate phoning home + open-source difficulty of use).
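The reviewer's concern above is that the router contacted hosts he could not account for. A defender's way to settle that is to log the router's own outbound connections and compare them against the hosts the thread explains (api.turris.cz and repo.turris.cz for update checks and packages). The script below is an added example, not code from the thread or from Turris; its log line format and sample lines are constructed, and the allowlist labels come from what the review and the Turris replies state.

```python
import re
from collections import Counter

# Constructed sample log lines (not the reviewer's real log). Assumed format:
# "<timestamp> OUT src=<router ip> dst=<ip> dport=<port> proto=<proto>"
SAMPLE_LOG = """\
2020-10-01T03:15:02 OUT src=192.168.1.1 dst=217.31.192.101 dport=443 proto=tcp
2020-10-01T03:15:03 OUT src=192.168.1.1 dst=217.31.192.69 dport=443 proto=tcp
2020-10-01T04:00:00 OUT src=192.168.1.1 dst=203.0.113.7 dport=443 proto=tcp
2020-10-01T04:00:05 OUT src=192.168.1.1 dst=217.31.192.101 dport=443 proto=tcp
2020-10-01T04:01:00 OUT src=192.168.1.1 dst=198.51.100.20 dport=123 proto=udp
"""

# Destinations the thread accounts for (addresses and hostnames as given in the review).
KNOWN = {
    "217.31.192.101": "api.turris.cz (update/API check)",
    "217.31.192.69": "repo.turris.cz (package repository)",
}

LINE_RE = re.compile(r"OUT src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse(log_text):
    """Return (dst, dport, proto) tuples for each router-originated connection line."""
    conns = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            conns.append((m.group(2), int(m.group(3)), m.group(4)))
    return conns


def audit(conns, known=KNOWN):
    """Count connections per (dst, port, proto); split into explained vs unexplained."""
    counts = Counter(conns)
    explained, unexplained = {}, {}
    for key, n in counts.items():
        label = known.get(key[0])
        if label:
            explained[key] = (n, label)   # expected update/repo traffic
        else:
            unexplained[key] = n          # needs a look: not accounted for by the thread
    return explained, unexplained


if __name__ == "__main__":
    exp, unexp = audit(parse(SAMPLE_LOG))
    for (dst, port, proto), (n, label) in exp.items():
        print(f"ok        {dst}:{port}/{proto} x{n}  {label}")
    for (dst, port, proto), n in unexp.items():
        print(f"CHECK     {dst}:{port}/{proto} x{n}  not in allowlist")
```

Anything in the CHECK list is what you would then attribute to a specific installed component (or to ordinary services such as NTP) before deciding whether it is acceptable.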

About the telemetry, the review is unambiguous (notwithstanding the previous explanatory posts in this thread):

Turris, like many other routers, can collect data about network activity, something that Peplink does not do. Turris collects data to research attacks. Data collection is optional and off by default. It is also disabled if automatic updating is disabled.

Alternatively you could opt for installing just OpenWrt instead of TOS, if that would lessen your privacy concerns.


As for the UI usability - LuCI’s codebase (and related documentation) is conceived/maintained in the OpenWrt distro and thus conceptually unrelated to the CZ.NIC hardware or CZ.NIC’s TOS distro.


“Data collection” is different from “phoning home”. Even if data collection is not occurring, connecting to your servers without my permission is still a problem.

And if you think the GUI and documentation are “conceptually unrelated” to the Omnia, then that would explain the poor usability…

You seem to be missing the point - there is no phoning home unless the user installs/activates (which implies user consent) TOS specific service(s) that would contact the manufacturer’s server(s).

And as previously mentioned


If you are not comfortable with OpenWrt’s LuCI as UI, there is TOS’s own re/Foris https://demo.turris.cz, unless that is not to your liking either, and then it cannot be helped really.


I would respectfully argue that the omnia might not be the router for you then. IMHO it is a decent router with great support from team turris, with the automatic updates being one of its highlights IMHO, and that will not work at all without contacting its home-base.
Regarding the documentation, OpenWrt is a full fledged Linux distribution with its own unique configuration shim layer (UCI) created and maintained by volunteers. That for one shows the scope of what needs to be documented and also explains why the OpenWrt project’s documentation is not up to professional standards, a simple mismatch between amount of work and man-hours available for documentation. That is not to say that OpenWrt does not have documentation (and some of it quite good), but that it is a bit choppy and uneven and not expected to improve significantly any time soon. I for one do not expect team turris to create/improve the general OpenWrt documentation (they are IMHO doing a decent job with documenting their own additions though).

That is in the eye of the beholder I guess. It is not as if proprietary/commercial routers are a panacea of well-documented, standardized configuration and usability… Case in point: my current Zyxel DSL modem’s VLANs are much simpler to configure than my OpenWrt router’s, but that is simply because the Zyxel only allows one specific use-case for VLANs and does not aim to solve the general problem, so no wonder it is easier to configure…


I am remotely involved in the maintenance of sqm-scripts, where we do not do this at all, and boy, do I wish we had some usage numbers…
So I fully understand why you are doing that, and, since I trust you, I am more than happy to share that data with you.


Ok, I see a lot of misunderstandings in that review. However, you need to read it very carefully, and getting this is kind of funny.


The site has almost nothing to do with “security”, as it is included in the website.

I quickly looked at the review and honestly, it is pointless. I cannot compare it with Peplink, as I didn’t know what Peplink was until now. Since Turris OS 4.0, we are based on top of OpenWrt releases with our feeds and patches. In the review, you can find “advanced Omnia UI”, which I don’t blame at all, but I would say it is not correct. There is an important detail missing about that. LuCI is developed by OpenWrt and the documentation is provided as it is. People are doing something to share with others and you will see just blame and nothing else. This does not help motivate developers who are doing that in their free time. People are trying to help them improve the documentation. Yeah, I would say that LuCI expects that you have some knowledge, as you are root. It can be dangerous. (You know the rm -rf meme, right? It is almost the same. You blame others for something you did wrong.) The example is in the review, where the reviewer shot himself in the foot and then complained. He installed Pakon in Foris and then removed it in the CLI. This is all documented, and he says that he is clueless about what is going on. C’mon. But the documentation of OpenWrt should be improved. OpenWrt applied for Google Season of Docs and hopefully we will see results soon.

I am going to use the same words as in the review: not everyone is a “Linux and Unix nerd”, and because of that, there is our web UI Foris, where you can decide if you want to use LuCI (become root) or not. If you want to use HTTPS for Foris, then fine, there is documentation on how you can do it.

If you want to change to a non-standard port, it means that you have some knowledge, and with the help of the community you can do it, or at least Google it. We are using lighttpd. Don’t forget that the forum is community driven and they are doing it just to help others with advanced setups. You cannot expect miracles, and sometimes it takes time or the answer isn’t sufficient/helpful.

How many people want to turn off Wi-Fi during the night? Some geeks want to do that and they are fine with CRON. I am not sure if this feature is provided by ISP routers (e.g. I can compare it with UPC - these days Vodafone - or mobile broadband - LTE by T-Mobile), and those do not have this feature and you cannot do it at all. I agree that this is nice to have, and the documentation for it is not hard, right? But if you prefer a nice fancy UI, then you need to write it. It should be pretty simple.

In reForis, since Turris OS 5.0, you can set whichever DNS servers you like if you don’t want to use our provided list of DNS servers.

We have automatic updates, and even though we made some mistakes in the past, we are trying to narrow them down, and the article is not reflecting that. I am aware that many vendors are releasing hardware with old SW and you will almost never see an update. When the Turris project started, it was a security research project to protect users’ home networks and help all Turris users help each other, and the router was given to them for a symbolic price in return for joining the data collection system. For Turris Omnia, there were some leftovers which were pinging home, but it was just a ping. Nothing else. We didn’t collect anything until the user decided to be part of the data collection system. We said so in multiple threads which are referenced in the review, and it was not possible to remove it faster or do it better at that time. If I remember correctly it was because of the registration code in Foris, but it is possible that I am mistaken. Some things were heavily hard-coded. This is what was going on in Turris OS 3.x, but new models of Turris Omnia (2019, 2020) are shipped with Turris OS 4.x, where we are doing things differently, and in the latest release Sentinel is finally introduced, as quoted on that page. No more unwanted pings.

We have our official documentation https://docs.turris.cz/ and you cannot expect that we will document everything and that we will show you how to shoot yourself in the foot and then blame us that it is a security vulnerability.

In the past this was in the official documentation (now it is in the community documentation); there you can find the differences. This should help you: https://wiki.turris.cz/doc/en/howto/turris_software

Oh, right. You can use OpenWrt on Turris Omnia or you can buy an OpenWrt router; the entire choice is yours. Feel free to buy an OpenWrt router and check each time yourself if there is an update to be protected against security threats. More details:


In OpenWrt 19.07, routers with 4 MB flash and 32 MB RAM are supported. So, size matters, and it depends on your usage and what you are planning to do. If you want to have an all-in-one solution (router and NAS together), there’s a pack for it.
https://www.discomp.cz/turris-omnia-nas-kit-for-models-rtrom01-xx-case-controller-cables-_d81320.html

Oh, and about using a self-signed certificate on api.turris.cz:

Parts of that forum posting are over my head, but it does not seem like it has a full conclusion. In addition, the forum user also complained that HTTPS requests to api.turris.cz were insecure because it used a self-signed certificate.

3-year-old thread:

Searching is key (for almost everything…)

Thanks everyone for answering my questions. This has been really helpful.

I’m going to do a bit more research before coming to a decision. I do like the Omnia, and I’m glad to hear the telemetry is not as bad as I was led to believe, but usability and documentation are also really important for me. Is LuCI on the Omnia similar enough to the default OpenWrt LuCI that I could just use OpenWrt documentation instead?


Yes, it is the same LuCI as the OpenWrt version your respective TurrisOS is based on. As said above, TurrisOS really is OpenWrt with a few add-ons and changes, so most things, including LuCI, are identical. Please note that there are a few things like DNS where the OpenWrt UCI/LuCI configuration will by default exist but be ignored, as TurrisOS uses Knot as its DNS server/agent.
