Release Asuswrt-Merlin 3004.388.8_2 is now available

[iBest]

Just PM me. If it makes it easier, post the dumps to PasteBIn and provide links.

ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
brctl show
ip rule
cat /tmp/etc/openvpn/client1/config.ovpn
cat /tmp/etc/openvpn/client2/config.ovpn
cat /tmp/etc/openvpn/client3/config.ovpn
cat /tmp/etc/openvpn/client4/config.ovpn
cat /tmp/etc/openvpn/client5/config.ovpn
cat /tmp/etc/openvpn/server1/config.ovpn
cat /tmp/etc/openvpn/server2/config.ovpn
cat /jffs/openvpn/vpndirector_rulelist
iptables -vnL
iptables -t nat -vnL


Man I did the logs .... but it's impossible to share all this info...
It's not about wan ip or mac addresses; it's also all ciphers from vpn, all profiles ... everything ...

I have logs from both fw now. If you can be more specific (you or any staff member), i can take data from logs, mask it, and share here.... but just can't upload this on internet.

I am sorry

 

[eibgrad]

I'm going to stir the pot here a little on WireGuard, but in my testing I found that running a WireGuard server on a computer works much better than using the application in the router. I get much higher throughput and do not have to rely on the router to handle the VPN load on the CPU.

If you have a Mac computer here are the complete instructions to roll your own server. It takes a little bit of file creation but once you get through it, it's stable as can be. This could help those of you with issues to solve them.

Wireguard Server on macOS

With this guide, you too can enjoy Wireguard VPN’s performance and security on macOS.

barrowclift.me

So true. As I often say, just because you *can* run something on the router doesn't mean you *should*! The router is an obvious convenience. But serious users are unlikely to use the router for such purposes. Look at the current trend in homelabs and mini PCs. I recently picked up a GMKtec G3 (8GB ram, 256GB NVMe) for $90 shipped off AliExpress. The thing is amazing for the price. I'd much rather run something like ProxMox and various servers there. IMO, it's even a better deal (and more flexible being x86) than a RPi.

 

[tnpapa]

So true. As I often say, just because you *can* run something on the router doesn't mean you *should*! The router is an obvious convenience. But serious users are unlikely to use the router for such purposes. Look at the current trend in homelabs and mini PCs. I recently picked up a GMKtec G3 (8GB ram, 256GB NVMe) for $90 shipped off AliExpress. The thing is amazing for the price. I'd much rather run something like ProxMox and various servers there. IMO, it's even a better deal (and more flexible being x86) than a RPi.

I am running WireGuard, a Channels DVR server, and Adguard Home all on a 2018 Mac mini. I can get over 400mb/s on WireGuard on my 1GB fiber connection. Plus I can access my device on my network like I am home.

 

[Cyberdev]

there is no ROG version in this update

i was kinda disappointed there was no rog version i prefer the rog version ofver the older version since the older version lack a lot of features my GT_AXE16000 router supports, and hearing the dev is dropping support for rog and the next release will be the final release is gonna be a big rip, at least he can fix the guest network issue

 

[bennor]

... and hearing the dev is dropping support for rog and the next release will be the final release is gonna be a big rip, at least he can fix the guest network issue

This is what RMerlin stated in post #4 of the thread RE the ROG version:

It was accidentally left disabled in my build script when I generated this release, so these images didn't get generated.

I don't really feel like going through the full rebuild + release process just to recreate all release archives with the missing images, so this release won't have ROG versions for the time being. Keep in mind that I initially mentionned that ROG releases were experimental and not fully supported, so they were never guaranteed to be alaways present or fully working. I am in fact dropping their support for the 3006 releases due to the amount of extra work involved in properly maintaining them.

If there is need for a 3004.388.8_2 point release at some point I will re-include them at that time.

 

[Dominua]

Dirty update AXE16000 from 388.7 - wifi and lan stopped working. But router was connected and can ping internet.
Reboot / power cycle dont help. Rollback to 388.7 and all worked again. Now will try again.

Very sad that there is NO ROG version. I am always use ROG version and have aesthetic pleasure so not share opinion that it is not needed. And thank you RMerlin for double working and making ROG version available!


Update: Tried 2 more times to make update from 388.7 rog to 388.8 without luck. No wifi or ethernet on clients. But router have connection.

Seems no update for me this time.

 

[iBest]

Some updates:

It's not about WireGuard anymore ...
Changed it with IPsec VPN but, guess what ... same problem. Can't access site A from Site B IPsec vpn ....

So, with or without logs, something must be reverted on a future test build ...
The changes done to the VPN connection on the last firmware have a bug on it...

I thank you all (devs, testers) who can fix this. (sooner or later)

 

[Purana]

In the case of the OpenVPN server, I don't see a CN (Common Name) specified for the 192.168.15.0/24 network. Is that because you blanked it out intentionally, or you just didn't specify it? Because you need it in order for the server to know which OpenVPN client (based on the CN of its cert) to which that route applies.

appreciate your message,
I masked the common name in the picture, there is a CN there.

 

[jerry6]

Read the changelog.

I don't get it my AXE1100 is working fine read nothing in the changelog that makes a difference , of course I just use the router s a simple router I run vpn on the clients if needed these weak cpu are not made to handle all the crap thrown at them

 

[RMerlin]

a lot of features my GT_AXE16000 router supports

All the GT-AXE16000 features are there. Which specific feature are you missing?

(I don't consider constantly pinging a bunch of random game servers to show their ping time on the webui to be a "feature")

 

[eibgrad]

ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
brctl show
ip rule
cat /tmp/etc/openvpn/client1/config.ovpn
cat /tmp/etc/openvpn/client2/config.ovpn
cat /tmp/etc/openvpn/client3/config.ovpn
cat /tmp/etc/openvpn/client4/config.ovpn
cat /tmp/etc/openvpn/client5/config.ovpn
cat /tmp/etc/openvpn/server1/config.ovpn
cat /tmp/etc/openvpn/server2/config.ovpn
cat /jffs/openvpn/vpndirector_rulelist
iptables -vnL
iptables -t nat -vnL


Man I did the logs .... but it's impossible to share all this info...
It's not about wan ip or mac addresses; it's also all ciphers from vpn, all profiles ... everything ...

I have logs from both fw now. If you can be more specific (you or any staff member), i can take data from logs, mask it, and share here.... but just can't upload this on internet.

I am sorry

Nowhere is there a requirement for keys, certs, etc. It's all about the network interfaces, IP network used, routing tables, firewall rules, ip rules, etc. You can delete what's not relevant. And nothing about your keys, certs or crypto is relevant here. At least not at this point.

And for all the others in the same boat, unless you dump your internal data structures, we are at an impasse! There are no magical fixes. Sometimes we just have to see what's going on to find the culprit(s).

 

[eibgrad]

Hi all,

My setup is bi-directional LAN to LAN VPN via OpenVPN in TUN mode, without internet redirect.
Server side is a GT-AX6000 and client side is a RT-AX86u Pro.
After updating both routers to v388.8, the VPN connection became one-way,
client side can access server side normally, but server side failed to access client side.

Everything works fine after client side router rolling back to v388.7.

My VPN configuration are attached.

Please let me know if you have any comments.

A possible common theme here is that access from the OpenVPN server to the OpenVPN client is the problem. So let's verify the client's server's config file contains the necessary iroute directive.

cat /tmp/etc/openvpn/server1/ccd/client1

I'm assuming server #1, and a CN of client1 (change as necessary).

You should see something like the following:

iroute 192.168.15.0 255.255.255.0

Also, the server config file should point to the ccd directory in the client-config-dir directive.

grep client-config-dir /tmp/etc/openvpn/server1/config.ovpn

While we're at it, let's see the command line in the process table too.

ps | grep [o]penvpn

 

[Rob90]

Not necessarily. Some devices carry Windoze drivers and software on a partition that mounts as a cd-rom drive. That said, that is exactly what the problem is here.
@Rob90 I don't understand how you were ever able to use this dongle.

I can assure you that I've been using this dongle with Merlin firmware since mid 2022 without problems. The issue started when I installed 388.6, and immediately went away after I reverted back to 388.5. I've tried each beta and release since the issue started, but always have to revert back to 388.5 to be able to use my WAN fallback because of this problem.
I've also reported this a little over 6 months ago and I wasn't the only one with this issue back then: https://www.snbforums.com/threads/asuswrt-merlin-3004-388-6-is-now-available.88559/post-889357

I am still able to use this dongle today, both in Asus's latest stock firmware as wrt-Merlin 388.5, just not in newer wrt-Merlin versions.

 

[lgkahn]

Now if it's the case that you're attempting to access the GUI *remotely* over the WAN (which is NOT recommended), NOW you have a problem. Since the router uses a DNAT to redirect input from the WAN ip to the LAN ip of the router, any replies will come from the LAN interface of the router. And should the LAN ip of the router be included in your VPN Director rule(s), those replies will be directed over the VPN, and you'll lose remote access to the GUI.

not true. i use a site to site vpn and a directory rule and i WANT to be able to access the router via my other site over the wan.. in fact that is the only way to access it since it is behind cgnat!

 

[lgkahn]

Please let me know if you have any comments.

to make my tunnel two way in latest i had to add the client side network under the server custom config/ allowed clients

client is 192.168.50.x server net is 192.168.11.x

 

[bmwjavier]

I have a Rog Rapture GT-AX6000, Very sad that there is NO ROG version. Will there be a problem if I update from 388.7 rog to 388.8 no Rog? If I do, I have read that afterwards, it is recommended flushing the cache. How can I flush the cache? Sorry but I don't know how to do it.

 

[Purana]

A possible common theme here is that access from the OpenVPN server to the OpenVPN client is the problem. So let's verify the client's server's config file contains the necessary iroute directive.

cat /tmp/etc/openvpn/server1/ccd/client1

I'm assuming server #1, and a CN of client1 (change as necessary).

You should see something like the following:

iroute 192.168.15.0 255.255.255.0

Also, the server config file should point to the ccd directory in the client-config-dir directive.

grep client-config-dir /tmp/etc/openvpn/server1/config.ovpn

While we're at it, let's see the command line in the process table too.

ps | grep [o]penvpn

Hi eibgrad,

thanks for reply,
I have checked the all the stuff you said, all of them were correct and no missing.
everything work fine with v388.7, but v388.8.


Server OpenVPN config file:

daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp6
multihome
fast-io
port 11502
dev tun21
txqueuelen 1000
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
auth SHA256
keepalive 15 60
verb 3
push "route 192.168.12.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
route 192.168.15.0 255.255.255.0
push "route 192.168.15.0 255.255.255.0"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration
tls-version-min 1.2 or-highest
ifconfig-pool-persist /jffs/openvpn/ipp.txt




Client OpenVPN config file:

daemon ovpn-client1
client
dev tun11
txqueuelen 1000
proto udp
fast-io
remote ****.com 11502
nobind
persist-key
persist-tun
data-ciphers AES-128-GCM
auth SHA256
route-noexec
ca ca.crt
cert client.crt
key client.key
auth-user-pass auth
up 'ovpn-up 1 client'
down 'ovpn-down 1 client'
route-up 'ovpn-route-up'
route-pre-down 'ovpn-route-pre-down'
script-security 2
route-delay 2
verb 3
status-version 2
status status 5

# Custom Configuration
resolv-retry infinite
float
data-ciphers AES-128-GCM
cipher AES-128-GCM
keepalive 15 60
remote-cert-tls server

 

[eibgrad]

not true. i use a site to site vpn and a directory rule and i WANT to be able to access the router via my other site over the wan.. in fact that is the only way to access it since it is behind cgnat!

I don't think you understood my point.

What I'm referring to is when you have a public IP on the WAN and you decide to access the GUI directly via that public IP. If that same WAN is behind CGNAT, that's not even an option. Use of a VPN is one way to reach the GUI if it's behind CGNAT. The site w/ CGNAT connects to another site w/ a public IP, and the remote site can access the GUI of the site behind CGNAT, but over its LAN network interface (or perhaps its IP on the tunnel). But none of this has anything to do w/ my initial point regarding a public IP on the WAN.

 

[Purana]

to make my tunnel two way in latest i had to add the client side network under the server custom config/ allowed clients

client is 192.168.50.x server net is 192.168.11.x

thanks,

I have done it

 

[eibgrad]

Hi eibgrad,

thanks for reply,
I have checked the all the stuff you said, all of them were correct and no missing.
everything work fine with v388.7, but v388.8.


Server OpenVPN config file:

daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp6
multihome
fast-io
port 11502
dev tun21
txqueuelen 1000
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
auth SHA256
keepalive 15 60
verb 3
push "route 192.168.12.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
route 192.168.15.0 255.255.255.0
push "route 192.168.15.0 255.255.255.0"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration
tls-version-min 1.2 or-highest
ifconfig-pool-persist /jffs/openvpn/ipp.txt




Client OpenVPN config file:

daemon ovpn-client1
client
dev tun11
txqueuelen 1000
proto udp
fast-io
remote ****.com 11502
nobind
persist-key
persist-tun
data-ciphers AES-128-GCM
auth SHA256
route-noexec
ca ca.crt
cert client.crt
key client.key
auth-user-pass auth
up 'ovpn-up 1 client'
down 'ovpn-down 1 client'
route-up 'ovpn-route-up'
route-pre-down 'ovpn-route-pre-down'
script-security 2
route-delay 2
verb 3
status-version 2
status status 5

# Custom Configuration
resolv-retry infinite
float
data-ciphers AES-128-GCM
cipher AES-128-GCM
keepalive 15 60
remote-cert-tls server

Protocol udp6 on the server? I don't even think that's supported. And the client is using udp (which could be either udp4 or udp6). Are you actually using udp6 on your remote WAN?