Recent content by RMerlin

  1. RMerlin

    [ 3006.102.8 alpha Build(s) ] available build(s)

    That is incorrect. The GPL code I receive is almost always newer than what most of their last firmware releases were based on. At worst it will be the very same version. But it will never be older than their latest firmware release.
  2. RMerlin

    What is Wifi 8?

    Asus posted a fairly lengthy page on their website listing all the features introduced in Wifi 8. There are a lot more than I initially expected. https://www.asus.com/ca-en/content/what-is-wifi8/ Now, how much of these features will actually end up in most consumer-grade devices remains to be...
  3. RMerlin

    Why still use OpenVPN?

    It's not. In Asuswrt, you can get OpenVPN working for remote access with just a few clicks. 1) Set access to LAN, LAN + Internet or Internet. 2) Add a user/password 3) Enable it 4) Export the config file Everything else can be left to the default setting - they are only there for people...
  4. RMerlin

    [ 3006.102.8 alpha Build(s) ] available build(s)

    Key/certs that are required will be. The static key will only be generated if: 1) You enable a mode that requires one (tls-auth/tls-crypt/tls-crypt-v2) 2) There isn't already an existing static key of the correct type. Key/certs are generated at server start. That's why the server must...
  5. RMerlin

    [ 3006.102.8 alpha Build(s) ] available build(s)

    You could do that. After decrypting it, write the decrypted key through the webui in the "Server Key" field. The PEM header should NOT mention "encrypted".
  6. RMerlin

    [ 3006.102.8 alpha Build(s) ] available build(s)

    Your error message complains about server.key. That's your RSA (certificate) Server key, not your tls-crypt-v2 key (which is called secret.key). Your issue is unrelated to tls-crypt. You cannot use encrypted key/certificates, since you have no way of typing a password to decrypt them as the...
  7. RMerlin

    [ 3006.102.8 alpha Build(s) ] available build(s)

    The tls-crypt-keys are not password-protected. They must also be generated by OpenVPN --genkey (which is what the router does automatically), not by EasyRSA.
  8. RMerlin

    Ubiquiti security.

    Based on the CVE, you need to be already connected within the network to be able to exploit this.
  9. RMerlin

    Incoming OpenVPN changes in next release

    You could, but you're not supposed to. It's part of the security enhancement that it brings. Otherwise, you might as well just use tls-crypt v1.
  10. RMerlin

    ASUS GT-BE98-Pro Firmware version 3.0.0.6.102_39260 does not include the CVE-2025-15101 fix!

    Those CSRF security flaws are not trivial to exploit. There is no real need to panic over them. You would need to be actively logged into the router webui at the same time that you access a malicious link that would then inject code into your logged webui.
  11. RMerlin

    Ubiquiti security.

    Cisco and Juniper also had their share of security issues over the years, so it's not fair to single out Ubiquiti here as if they were suddenly worse than everyone else. pfsense? They also have quite a list of past CVEs of severity up to 9.x...
  12. RMerlin

    Release Asuswrt-Merlin 3006.102.7 is now available

    Since the thread is turning into a generic support thread, I am locking this down.
  13. RMerlin

    Incoming OpenVPN changes in next release

    Yes. Up to you. TLS Crypt V2 helps protect against bots trying to port scan your OpenVPN server by requiring TLS encryption even to connect with that port, but it will also be more complex to manage as you need to generate a key for every client that you intend to connect with. SHA1. HMAC is...
  14. RMerlin

    Looking for Feedback: RT-BE92U stability issues

    MLO in general appears problematic.