New Turris Omnia, first configuration: DNS Server, secured DNS, secured NTP

Hello,

NTP

If you want you can try our Turris OS 3.10, which is currently in RC.
If everything goes well we’d like to release it this week or next week to everyone.


VPN client

I’ll pass your feature request to our developers, but any pull requests are welcome. Currently, we don’t have documentation on how to set up any of our routers as a VPN client, but I have it on my TO-DO list, so hopefully it will be published this week or next, and it will be possible to do it via LuCI.


Secured DNS

This is something @paja is working on, so it will be possible to change DNS servers in Foris.

Before changing DNS servers, I first need to explain how it works.
Our routers use their own DNS resolver with DNSSEC support.

By default, Use forwarding is checked in the Foris DNS tab, which means that all queries (this can be changed) are sent to your provider’s DNS server. The advantage of forwarding is that Turris asks DNS servers that a large number of clients ask, so there is a bigger chance that the answer will be in the cache.

After the Turris resolver gets an answer, it just checks the signature validity. But it is possible that providers like UPC (e.g. in the Czech Republic) don’t support DNSSEC, which is a defence against a type of attack known as DNS spoofing, so you need to disable DNS forwarding (and then Turris asks the authoritative servers directly); otherwise Turris will receive answers without the signature (in order to prevent the client from getting counterfeit data), because this is a problem on the side of the ISP, who cannot differentiate Turris software from an attempted attack using DNS.

As an example, you can recall the recent DNS hijack of MyEtherWallet.com.
English article: AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet • The Register
Czech article: Krademe kryptoměny pomocí BGP aneb proč je dobré mít HTTPS a DNSSEC - Root.cz (“Stealing cryptocurrencies with BGP, or why it is good to have HTTPS and DNSSEC”)

For example, I asked on their IRC channel why the domain Glowing-Bear.org didn’t have DNSSEC, and I was quite surprised by their response and willingness to do something about it, so now they have DNSSEC enabled.

Anyway, to change DNS servers there is no reason to use SSH, but you need to have Use forwarding checked in the Foris DNS tab and then go to LuCI.
You can change DNS servers in two ways, but we can recommend only this one:

Log in to LuCI (by default it can be found at http://192.168.1.1/cgi-bin/luci) and from the upper bar choose Network → DHCP and DNS. There is a field for DNS forwarding. In each field, you need to write only one DNS server; this way, the clients don’t ignore the DNS resolver, and they use DNSSEC and the cache from the router.

We want to update dnscrypt to the latest version, and there should also be a DNSCrypt GUI for LuCI.


dnsmasq

Sorry, I don’t want to be rude to you, but it’s possible that users may not be as experienced as you, and of course any pull requests are welcome.

Are you really sure you recommend that users change their resolver from knot-resolver to dnsmasq?
I can tell you many reasons why you shouldn’t use dnsmasq (e.g. it doesn’t support DNS-over-TLS), but it is off-topic and we can discuss it privately or in another thread.
Still, I need to remind you that this is in no way supported and might break in the future.

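The Secured DNS part of the reply above turns on one question: does the ISP resolver you forward to actually return DNSSEC material (RRSIG records, and ideally the AD flag), or does it hand back unsigned answers that a validating forwarder like the router’s resolver cannot verify? The following script is an added example written for this page; it is not Turris code and not part of the original post. It builds a raw DNS query with the EDNS0 DO (DNSSEC OK) bit, parses a reply for the AD flag and RRSIG records, and classifies the upstream. The two replies it analyses are constructed inline (the RRSIG payload is a placeholder, not a real signature) so it runs offline; `probe_live()` sends the same query over UDP if you want to try it against a real resolver. All function names and the three classification labels are this example’s own.

```python
"""Probe whether an upstream (ISP) resolver returns DNSSEC material.

Added example, not Turris code: builds a DNS query with the EDNS0 DO bit and
checks a reply for the AD flag and RRSIG records. Replies below are constructed
so the script runs offline; probe_live() does the same against a real server.
"""
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1
EDNS_DO = 0x00008000  # DO bit lives in the OPT RR's TTL field (RFC 6891)


def encode_name(name):
    """Wire-format a domain name (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, txid=0x1234, qtype=TYPE_A):
    """Recursive query with an OPT RR whose DO bit asks for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def build_response(query, records, ad):
    """Constructed reply for offline demonstration (not captured wire data)."""
    txid = struct.unpack_from("!H", query)[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    qname_end = skip_name(query, 12)
    qname, question = query[12:qname_end], query[12:qname_end + 4]
    body = b""
    for rtype, rdata in records:
        body += qname + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 1) + question + body


def analyse(msg):
    """Parse header and RRs; report what a validating forwarder would see."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    rrsigs, do_echoed = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT and ttl & EDNS_DO:
            do_echoed = True
    return {"txid": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF,
            "rrsigs": rrsigs, "do_echoed": do_echoed}


def classify(info):
    """Labels are this example's own, not a Turris or RFC term."""
    if info["rrsigs"] and info["ad"]:
        return "validating"      # upstream validates and passes signatures: forwarding is fine
    if info["rrsigs"]:
        return "dnssec-aware"    # passes RRSIGs through; the router can still validate them
    return "strips-dnssec"       # no signatures at all: disable forwarding, ask authoritatives


def probe_live(server, name, timeout=3.0):
    """Send the DO query to a real resolver over UDP (not used by the offline demo)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(analyse(data))


# Offline demonstration with constructed replies.
QUERY = build_query("example.com")
A_RDATA = bytes([192, 0, 2, 1])   # constructed A record payload (TEST-NET address)
FAKE_RRSIG = b"\x00" * 40          # placeholder RRSIG rdata, not a real signature
GOOD_UPSTREAM = build_response(QUERY, [(TYPE_A, A_RDATA), (TYPE_RRSIG, FAKE_RRSIG)], ad=True)
ISP_WITHOUT_DNSSEC = build_response(QUERY, [(TYPE_A, A_RDATA)], ad=False)

if __name__ == "__main__":
    for label, resp in (("validating upstream", GOOD_UPSTREAM),
                        ("ISP without DNSSEC", ISP_WITHOUT_DNSSEC)):
        print(f"{label}: {analyse(resp)} -> {classify(analyse(resp))}")
```

A result of `strips-dnssec` for your ISP’s resolver is the situation the reply describes: the router would receive answers without signatures, so forwarding has to be turned off and the resolver left to query the authoritative servers itself. Note that the AD flag is only meaningful when you trust the path to the upstream; the router’s own validation is what protects the LAN clients either way.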