New Turris Omnia, first configuration: DNS Server, secured DNS, secured NTP

Today I got the two Omnia routers I ordered. I got access to the web interface by opening http://192.168.1.1; the WAN side is connected to my old working router. It's possible to surf the internet.

I have found:

I didnt find:

  • How to install beta firmware
  • How to do feature requests

I am a little bit shocked about the menus of the router. It was my plan to replace some old 10 to 50 € routers with a semi-pro router. But where are the well-known menus? My hope was to get current hardware and firmware with an easy-to-use web interface with at least the minimum features of DD-WRT or the like.

I had hoped to find the following absolute minimum features in the web interface:

Secured DNS: I don't see a menu in the web interface for:

  • configuring the 1st, 2nd, 3rd and 4th DNS server
  • secured DNS by DNS over TLS, DNSSEC, DNSCrypt or the like

Secured NTP:

Open VPN client:

  • Don't find a menu for configuring the VPN client.

############################
See also:
Turris Omnia, list of software feature requests:
Collecting ideas for hardware changes:
Improve Turris Omnia together and speak about:


Search for advanced administration; there you will find good old LuCI as the interface to the OpenWrt subsystem :wink:
“Turris OS”/“foris” (webinterface you’re currently exploring) is kind of “simple” access to some main functionality. It brings with it some benefits like the updater or parental control. If you don’t need those, you can uninstall foris and just work with normal openwrt.
I bookmarked the direct url to Luci in my browser and that way completely ignore Turris OS. The only thing I use it for is updater which is quite ok :slight_smile:

That is not available in the current stable release but in the upcoming update, the latter of which the demo is based on.

That is missing from the Foris GUI for some inexplicable reason, but there is a package luci-app-openvpn that can be installed in the LuCI interface (advanced administration). While it is a GUI package, it requires openvpn-openssl nonetheless.

The router comes with knot-resolver, which can be changed. Some DNS settings, mostly dnsmasq, are available through LuCI again, but some settings can only be done through an ssh login.

You can install OpenVPN in Foris. On the Updater page there’s a checkbox. After checking the box approve the install on the Maintenance page (which is a pretty weird mechanic, usability-wise).

https://doc.turris.cz/doc/en/howto/openvpn_plugin

@MarcDiethelm That is for OpenVPN server (and the clients connecting to it) only but not the client for outbound VPN connections

Yup, just realized my mistake.

Hello,

NTP

If you want you can try our Turris OS 3.10, which is currently in RC.
If everything goes well we’d like to release it this week or next week to everyone.


VPN client

I’ll pass your feature request to our developers, but any pull requests are welcome. Currently we don’t have documentation on how to set up any of our routers as a VPN client, but I have it on my TO-DO list, so hopefully this or next week it will be published and it will be possible to do it via LuCI.


Secured DNS

This is something @paja is working on, so it will be possible to change DNS servers in Foris.

For changing DNS servers, first I need to explain how it works.
Our routers use their own DNS resolver with DNSSEC support.

By default you can find the Use forwarding checkbox in Foris - DNS tab, which means all queries by default (this can be changed) are sent to the DNS server of your provider. The advantage of forwarding is the fact that Turris asks DNS servers which a large number of clients ask, so there is a bigger chance that the answer will be in cache.

After the Turris resolver gets an answer, it just checks signature validity, but it’s possible that providers like UPC (e.g. in the Czech Republic) don’t support DNSSEC, which is a defense against a type of attack known as DNS spoofing, so you need to disable DNS forwarding (and then Turris asks for information directly from the authoritative servers); otherwise Turris will receive answers without the signature, in order to prevent the client getting counterfeit data, because this is a problem on the side of the ISP, who cannot differentiate Turris software and an attempted attack using DNS.

As an example you can remember the recent DNS hijack of MyEtherWallet.com:
English article: AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet • The Register
Czech article: Krademe kryptoměny pomocí BGP aneb proč je dobré mít HTTPS a DNSSEC - Root.cz

For example, I asked on their IRC channel why the domain Glowing-Bear.org didn’t have DNSSEC, and I was quite surprised by their response and willingness to do something about it, so now they have DNSSEC enabled.

Anyway, to change DNS servers there is no reason to use SSH; when you want to change DNS servers, you need to have Use forwarding checked in Foris - DNS tab and then go to LuCI.
You can change DNS servers in two ways, but we can recommend only this one:

Log in to LuCI (by default it can be found at this address: http://192.168.1.1/cgi-bin/luci) and from the upper bar choose Network → DHCP and DNS. There is a field for DNS forwarding. In each field you need to write only one DNS server, and this way the clients don’t ignore the DNS resolver and they use DNSSEC and the cache from the router.

We want to update dnscrypt to the latest version and also there should be DNSCrypt’s GUI for LuCI.


dnsmasq

Sorry, I don’t want to be rude to you, but it’s possible that users may not be as experienced as you, and of course any pull requests are welcome.

Are you really sure that you recommend users change their resolver from knot-resolver to dnsmasq?
I can tell you many reasons why you shouldn’t use dnsmasq (e.g. it doesn’t support DNS-over-TLS), but it is off-topic and we can discuss it privately or in another thread.
Still, I need to remind you that this is in no way supported and might break in the future.

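To make the distinction in the post above concrete (a validated answer from the router's resolver versus an unsigned one passed back from a forwarder that is not DNSSEC-aware), here is an added example that is not part of the original post or of Turris OS: a small Python parser that reads a DNS response and reports the AD flag and the RRSIG records in the answer section. Both responses are constructed inline for illustration; a real check would feed it the bytes of an answer received from the router.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the RRSIG type code
FLAG_RD, FLAG_RA, FLAG_AD = 0x0100, 0x0080, 0x0020
TYPE_A, TYPE_RRSIG = 1, 46

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1

def inspect_response(msg):
    """Report the AD flag and the number of RRSIG records in the answer section."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):               # question: QNAME + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    rrsigs = 0
    for _ in range(ancount):               # answer RR: NAME + 10-byte fixed part + RDATA
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
    ad = bool(flags & FLAG_AD)
    if ad:
        verdict = "validated by the resolver (AD set)"
    elif rrsigs:
        verdict = "signatures present but not validated"
    else:
        verdict = "no signatures: upstream forwarder is not DNSSEC-aware"
    return {"ad": ad, "answers": ancount, "rrsigs": rrsigs, "verdict": verdict}

def build_response(validated):
    """Constructed sample answer for 'example.com A' (not a real capture)."""
    qname = b"\x07example\x03com\x00"
    flags = 0x8000 | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)   # QR, RD, RA (+AD)
    ptr = b"\xc0\x0c"                      # compression pointer to the QNAME at offset 12
    rrs = [ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if validated:                          # a validating resolver also returns the RRSIG when DO was set
        sig = b"\x00" * 18                 # placeholder RRSIG RDATA, constructed
        rrs.append(ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig)
    header = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    return header + qname + struct.pack("!HH", TYPE_A, 1) + b"".join(rrs)
```

Running `inspect_response(build_response(False))` is the shape of answer the post warns about: no AD flag and no RRSIG, so the router cannot tell a legitimate reply from a spoofed one.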

There is luci-app-openvpn, which can be installed in the LuCI interface and is pretty self-explanatory (at least for a user who knows what they are doing). While it is a GUI package, it requires openvpn-openssl nonetheless, but for some reason that is not marked as a dependency of luci-app-openvpn. It does not make sense to have the GUI but not the underlying app.

I never made such a recommendation; if anything I would recommend unbound (albeit lacking proper documentation for TO) for performance, ease of configuration, support for dnscrypt, DNS-over-TLS, round robin, an unlimited number of upstream DNS-over-TLS resolvers, local CNAME/DNAME support, and cooperation with dnsmasq for the LAN.
I suppose it is a matter of the user’s taste which DNS resolver to deploy.

There are also LuCI apps for knot and unbound in the upstream OpenWrt repo. The one for unbound at least does not seem to be working in TO, perhaps because TO implemented its own unbound configuration.

I am one of the persons who recommend dnsmasq, but only for internal resolving and DHCP, just because the OpenWrt web frontend is tightly bound to dnsmasq. If it is only used in the inside zone, DNS over TLS is not as important. However, for outside DNS requests one should use knot, as it is the default in Turris OS. I have configured knot to forward requests in the .myhome.tld zone to dnsmasq, as is explained in the wiki.
Just to clarify this :wink:

Is there an update?

The time server is still missing from the UI.

DNS servers still can’t be manually added in Foris (cgi-bin/luci/admin/network/dhcp doesn’t work & no option allocated).

Still no dnscrypt v2 support, either natively or with a LuCI package.

Still no OpenVPN client support in Foris or LuCI (can’t upload .ovpn, can’t add username/password or upload User_password.txt).