This documentation applies only Turris OS 3.x that is no longer present in newly sold routers. The new documentation is located at https://docs.turris.cz/.
If you have a public IP address available from your internet provider and your router is therefore accessible from the internet, you have the possibility to remotely manage your router. This manual contains information on how to allow remote access, but also information about the security hazards, which you should take into consideration if you decide to configure remote access. It will also provide you with alternatives for remote control, which offer better security.
We strongly recommend to take security warnings and notifications seriously – otherwise you not only put your router in danger but also all devices in your local network.
Remote control comprises of three parts – access to the console through SSH, access to the web interface Foris and advanced web interface LuCI. It isn't necessary to permit access to all of these services. If you have experience with working with the command line, permiting access through SSH is enough because you can tunnel through to the web interfaces.
As far as the operating system is concerned, access isn't restricted in any way – the above-listed services listen from all IP addresses. Access is only restricted by firewall. It is only necessary to allow respective ports and the services will be accessible from outside.
Before discussing the measures, which should be undertaken when allowing certain services, we will discuss the general method of allowing a certain port in firewall.
In LuCI, enter the section Network → Firewall, then continue onto the tab Traffic rules. There you will find the form Open ports on router.
We will look at how to allow a service, taking SSH (that is 22/TCP) as an example:
Nameis for any description, which will help you in the future – for example
Protocoldepends on the service, in the case of SSH select
External portalso depends on the type of service, in the case of SSH write
In order to restart firewall and for the changes to take effect, click the button
Save & Apply at the bottom of the page. From this moment on, the selected service should be accessible from an outside network.
These two interfaces are accessible through the protocol HTTP (80/TCP) or HTTPS (443/TCP). (Note.: In the former version of the Turris interface, LuCI was accessible separately through port 8080. If you have performed a factory reset, it will be necessary to wait for the updates.)
The use of the unsecured HTTP protocol for configuring the router from an external network is certainly not recommended. Your password can easily be taken. That is why you should always use the secure protocol HTTPS.
Use strong passwords.
As part of the updates, the package
https-cert is installed, which allows the web server to use HTTPS for port 443 and also after installation performs the generation of the self-signed certificate. That means that the certificate is not installed as a document, which would be a serious security breach, but is generated by your device.
Please be prepared that when opening the page, the browser will inform you that the certificate is not in order. The first issue is that the browser cannot authenticate the signature for the certificate because it is not signed by a recognized authority but by an authority created by your router and which the browser cannot know. Th second issue is the access to the device. Certificates are generated for a specific domain name, which either doesn't exist (you are only using an IP adress) or the installation script doesn't and cannot know.
Our solution is a simple tool, which we have prepared for less experienced users so that they have the opportunity to securely access the router. There is always the possibility to buy a domain, create corresponding DNS records and have a certificate authority generate a certificate. A better solution depends on the knowledge and requirements of the user.
The SSH service can be found on port 22/TCP. Securing the SSH service on Turris doesn't require any extra steps. Just adhere to the general principles. That means where possible do not allow login via password, but via keys and etc.
As far as the general SSH security is concerned, please have a look at the relevant materials for running a Linux server.
An interesting external access alternative is to ensure that the router serves as a server which provides VPN. In that case, it is not necessary to open any port to the internet and the router is only accessible to a user with the correct certificate. After connecting, the client must fulfill the same conditions to appear in the local network and that means also identical access to services. If you need help setting up the VPN on Turris, see the article OpenVPN. If you want general information about VPN, read these materials: Správa linuxového serveru.