Hacker News
by tolqen 2525 days ago
Do you have any suggestions? I'm in the market for something like this at the moment.

The Turris Omnia is actually a very good choice, because it is well supported by security updates.

The number one flaw of commercial routers/security devices is that they don't get updated or can't get updated.

If you don't want an Omnia, I would strongly advise building a low power computer that runs a mainstream Linux distro with excellent security support -- Debian is an excellent choice -- and spending a few days setting it up properly.

There are numerous systems that will run OpenWRT, which for dedicated networking gear I'd generally prefer to Debian (otherwise my first choice). Most annoying downside so far is no manpages. Low-power kit will shave a few bills off your power budget (Turris draws about 12W).

As you mention, Turris updates automatically. For stock OpenWRT you've got to manage upgrades (and add'l pckg install and configs) yourself. The generous storage means you can add additional OpenWRT packages and apps as desired.

The Turris Omnia does update automatically but it runs an insanely old version of OpenWRT. Once TurrisOS 4 comes out it should fix that but it's taking a very long time to happen.

Auto-updating a plain OpenWRT installation is not hard to implement and allows you to stay up-to-date.

That said, the Omnia's hardware is pretty great and the fact that you can plug eMMC storage to run LXC containers is absolutely fantastic.

You can also install plain OpenWRT on it these days.

Auto-updating if you have storage space for opkg installs is reasonably sane, via opkg. Building a new firmware image is not. Updating via stock builds (LuCI or sysupgrade) leaves the matter of local configurations and package installs ... at best unclear.

A major set of problems are:

- Minuscule rewriteable storage on consumer networking kit.

- The need to create a firmware image, and not merely select and configure packages on disk.

- Bootloader fuckwittedness.

None of these are OpenWRT's fault. They do define the operating theatre, however. Unfortunately, in light of this, OpenWRT's tools and documentation are not up to the task. Yes, free software, volunteer project, etc., etc. I'm hoping my criticisms may be useful.

Many consumer devices (my ADSL modem comes to mind) have nanoscopic writable storage: 8 MB is not atypical.

OpenWRT's other upgrade options are ... neither clearly stated nor readily achieved.

One of the higher-ranked HN OpenWRT submissions concerns why there is no autoupdate:

https://web.archive.org/web/20160206204329/http://prpl.works... (https://news.ycombinator.com/item?id=10870294)

The OpenWRT user guide does not clearly address system upgrades, though there's otherwise good coverage of many topics:

https://openwrt.org/docs/guide-user/start

The most applicable section appears to be "Installing Additional Software", with sections:

- Beginners guide to building your own firmware

- Extroot configuration

- Managing packages

- Opkg Package Manager

- Saving firmware space

- Show available package upgrades after SSH login

- Using the Image Builder

Only the last directly addresses upgrading. A dedicated "System Upgrading" document would be extremely useful.

The sysupgrade docs are not in the user guide but the technical reference:

https://openwrt.org/docs/techref/sysupgrade

I've tried compiling from source. There's a hell of a lot of menuconfig, and my build failed after 9+ hours. Not newbie-friendly at all. (FWIW I don't consider myself a newbie.)

I've not yet tried the imagebuilder.

I'm very familiar (20+ years) with Debian, and both the familiarity and its APT package management make the process highly predictable (with much help from ample storage and open bootloader standards). OpenWRT is a long way from that, yet.

If you've any illumination or advice to add beyond "Auto-updating a plain OpenWRT installation is not hard to implement and allows you to stay up-to-date", I'm all ears.

Yeah, that's what I was thinking. To me the computing power and the software support make it better than a lot of the alternatives, and I don't see anything more powerful without going x86.