In January, we got a Turris Omnia. The Omnia is a Czech router which runs open-source software and is mostly made of open hardware components. In this article, we talk about network basics, install our Turris Omnia and improve the basic configuration.
- Network basics
- Installation of the Turris Omnia
- Basic configuration of the Turris Omnia
- Recommended reading
First of all, we want to talk about some network basics. You can skip this section if you already know things like IP addresses, VLANs, WPA2-PSK and so on. However, this isn’t a full guide to all aspects of networking. Have a look at Recommended reading if you need further information.
A computer network consists of two or more devices that are connected. This enables communication within the network and devices can share components of your network like printers or storage devices. You can basically distinguish between your home network (also called LAN, local area network) and the internet. The most common setup is a single router that is connected with your internet service provider (ISP) and you connect your devices with the router. It may look like the network in the following picture:
Every device within the network needs a unique IP address which is most commonly provided by your router. These IP addresses are only internal IP addresses.¹ Your router actually has a second public IP address in order to communicate with the internet. It automatically gets this second IP address from your ISP.
¹This is true for IPv4-based networks. IPv6 setups can differ.
Let’s have a closer look at different components:
The router is a very versatile device within your network and provides several services like internal distribution of IP addresses, firewalls or VPN (virtual private network). This also means that your router is a single point of failure in terms of availability of your internet connection and your network security.
Whether you use a router provided by your ISP or bought your own router, its functionality is likely somewhat restricted and you have to hope that everything is correctly configured. The most important things to do here are:
- Regularly update the firmware of your router
- Change default passwords of your router, especially admin/root passwords
- Disable functionality that you don’t need (like UPnP)
- Check if you can restrict access to the router to LAN-only
- Check if your router supports HTTPS-only for connections to it
Instead of using your (restricted) router, you can also buy dedicated hardware and install one of many different open-source operating systems for routers. Well-known distributions are pfSense, OpenWrt and IPFire.
However, building your own router from scratch costs time and money and you need to know a lot about networks and Linux. This is why we make use of the Turris Omnia later.
Your LAN (we mean wired connections here) can be easily controlled when you are living in your own house or apartment. It is unlikely that attackers can directly connect to your network by wire because they need to break into your home first.
Several companies sell locks for network ports. If you use them, keep in mind that attackers can easily remove attached network cables and use these unlocked ports.
Your WLAN (we mean wireless connections here) is much easier to attack and hard to control! One reason for this is that people always want a robust wireless connection, so most routers use high transmission power by default even when it is unnecessary. The most important things to do here are:
- Disable weak encryption: WEP, WPA and WPA2-PSK-TKIP
- Regarding WPA2-PSK-TKIP: TKIP (Temporal Key Integrity Protocol) uses RC4 for encryption and is insecure! It was an interim solution to replace WEP and was deprecated more than five years ago.
- Enable strong encryption: WPA2-PSK-CCMP only (CCMP = Counter-Mode/CBC-MAC Protocol, sometimes also called WPA2-Personal/WPA2-AES)
- Disable WPS (Wi-Fi Protected Setup) which is like a backdoor
- Change your WLAN password. You can actually use up to 63 characters here and distribute it internally using QR codes
- Check if you can reduce the transmission power of your router (attackers can use better antennas, though)
Maybe your router allows you to choose between WPA2-PSK and WPA2-EAP. The difference is quite clear:
- PSK (Pre-shared key) uses the same password for every device. The actual key used for encryption is then derived from this PSK using PBKDF2. PSK-based networks are mostly used by private individuals and are therefore sometimes called “WPA2-Personal”.
- EAP (Extensible Authentication Protocol) uses RADIUS servers for authentication. Network administrators can add and remove single devices without changing the rest of the network. EAP also provides different methods for authentication. EAP is mostly used by companies and therefore sometimes called “WPA2-Enterprise”.
We will update this section as soon as WPA3 devices are available for private users.
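To make the PSK derivation and the 63-character limit concrete, here is an added example (our own illustration, not code from the article or from CZ.NIC): it derives the WPA2 Pairwise Master Key exactly as a router does, with PBKDF2-HMAC-SHA1 and the SSID as salt, and builds the text payload that Wi-Fi QR codes carry. The passphrase and SSID are the IEEE 802.11i Annex H test vector, used here as constructed sample input.

```python
import hashlib

# Constructed sample values (IEEE 802.11i Annex H test vector), not taken from the article.
SSID = "IEEE"
PASSPHRASE = "password"

def validate_passphrase(passphrase: str) -> bool:
    """A WPA2-PSK passphrase is 8 to 63 printable ASCII characters (0x20-0x7e)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The router stores and uses this 256-bit key, not the passphrase. The SSID is the salt,
    so the same passphrase gives a different PMK on every network name. 4096 SHA-1 rounds
    are cheap to compute offline, which is why passphrase length (up to 63 chars) matters."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def wifi_qr_payload(ssid: str, passphrase: str, hidden: bool = False) -> str:
    """Text encoded in Wi-Fi QR codes (ZXing format): WIFI:T:WPA;S:<ssid>;P:<pass>;;
    Backslash, semicolon, comma, colon and double quote are backslash-escaped, so a long
    random passphrase can be handed to household devices without anyone typing it."""
    def esc(field: str) -> str:
        return "".join("\\" + c if c in '\\;,:"' else c for c in field)
    payload = f"WIFI:T:WPA;S:{esc(ssid)};P:{esc(passphrase)};"
    if hidden:
        payload += "H:true;"
    return payload + ";"

if __name__ == "__main__":
    print("PMK:", derive_pmk(PASSPHRASE, SSID).hex())
    print(wifi_qr_payload("Home;WLAN", "correct horse battery staple"))
```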
Installation of the Turris Omnia
Let’s have a look at the Turris Omnia now. It is a crowdfunded router and developed by CZ.NIC. It is so powerful that you can also use it as a home server. We bought the most expensive version which provides 2 GB DDR3 RAM and WLAN (RTROM01-2G) for about € 260 in the Czech Republic.
This package includes the Turris Omnia itself with 3 antennas, 1 network cable, several power adapters, instruction manual and wall mounting bracket:
The installation is very straightforward: Screw the antennas onto the Omnia, connect it to your former router and plug it into the wall socket.
Basic configuration of the Turris Omnia
You must connect a computer to the Omnia to open its router administration interface. Its software is based on OpenWrt, but the configuration is really simple. You have to complete several steps and you are done.
Please note that the following guide is based on Turris OS 3.10. Newer versions of Turris OS may introduce other features, or may change the default configuration.
- Change the password of the admin account
- One password is for “normal” access
- The second password is for advanced administration (including LuCI and SSH)
- Configure WAN/DHCP
- Conduct a connectivity test
- Set region for time synchronization
- Configure automatic updates
- Configure LAN settings (DHCP and router IP address)
- Configure WLAN settings (passwords, SSIDs etc.)
- We enabled the 5 GHz network and its guest network only
- Reboot and done
We mostly left the defaults unchanged.
Improve WLAN security
We noticed that our Omnia allowed insecure and deprecated TKIP for WLAN. You can turn this off using LuCI. You have to click on “Go to LuCI” to get there. OpenWrt users already know LuCI.
- Click on “Network” → “Wireless”
- Select your WLAN and click on “Edit”
- Select “Interface Configuration” → “Wireless Security”
- Set “Cipher” to “Force CCMP (AES)”
- Click on “Save & Apply”
You can also reduce the transmission power there.
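The LuCI clicks above end up in /etc/config/wireless, so the result can be checked without the web interface. The following is an added example of ours, not code from the article or from Turris OS: a small UCI reader and an audit that flags the weak WLAN settings this article recommends against (TKIP/WPA/WEP, unpinned cipher, WPS, unlimited transmission power). The sample config is constructed and its option names are the standard OpenWrt ones; whether plain 'psk2' allows TKIP depends on the OpenWrt version, so the audit asks for it to be pinned explicitly.

```python
import re
# Constructed sample /etc/config/wireless: one AP still allows TKIP and WPS, one is correct.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option ssid 'home'
	option encryption 'psk2+tkip+ccmp'
	option key 'correct horse battery staple'
	option wps_pushbutton '1'

config wifi-iface 'guest_radio0'
	option device 'radio0'
	option ssid 'home-guest'
	option encryption 'psk2+ccmp'
	option key 'guests-only-please'
"""

def parse_uci(text):
    """Minimal UCI reader: list of (section_type, section_name, {option: value})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        if m.group(1) == "config":
            sections.append((m.group(2), m.group(3) or "", {}))
        elif sections:
            sections[-1][2][m.group(2)] = m.group(3) or ""
    return sections

def audit_wireless(text):
    """Return (section, code, advice) findings; an empty list means every check passed."""
    findings = []
    for kind, name, opts in parse_uci(text):
        if kind == "wifi-device" and "txpower" not in opts:
            findings.append((name, "txpower", "not set, radio transmits at maximum allowed power"))
        if kind != "wifi-iface":
            continue
        enc = opts.get("encryption", "none")
        base = enc.split("+")[0]          # psk, psk2, psk-mixed, wep*, none, ...
        if base in ("none", "psk", "psk-mixed", "wpa", "wpa-mixed") or base.startswith("wep") or "tkip" in enc:
            findings.append((name, "weak-cipher", f"'{enc}' permits WEP/WPA/TKIP, set 'psk2+ccmp'"))
        elif enc == "psk2":
            findings.append((name, "cipher-auto", "cipher not pinned, set 'psk2+ccmp' (LuCI: Force CCMP)"))
        if opts.get("wps_pushbutton") == "1" or opts.get("wps_label") == "1":
            findings.append((name, "wps", "WPS enabled, remove the wps_* options"))
    return findings
```

Run it on the router with `audit_wireless(open("/etc/config/wireless").read())` after "Save & Apply" to confirm the TKIP and WPS findings are gone.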
Understand the purpose of the guest network
The benefit of using a guest network is that it uses a second VLAN which is separated from your normal network. Devices connected to your guest network can only access the internet. They can’t connect to devices in your “normal” WLAN and they can’t access your router. It is a very easy-to-use solution to allow your friends to connect to the internet without putting your home network at risk.
At this stage, your home network looks like this:
This article is part of the "Home network security" series.
Installation and configuration of the Turris Omnia is very easy and you don’t have to learn complex Linux commands or spend hours to get it to work. Its defaults allow fast integration in your home network.
We didn’t encounter any problems during the first four months of operation. The Omnia automatically updated its software several times and you can even enable e-mail notification for updates.
The next part of this series will be about improving the security of your HTTP connection to the router administration interface.
- see Recommendations