Asuswrt-Merlin 378.53 is now available

Hi,

I was using until yesterday the version 52_2 on my RT N66U, with OpenVPN connected to a VPN provider and using the scripts on https://github.com/RMerl/asuswrt-merlin/wiki/How-to-Direct-Traffic-over-VPN-and-Drop-connections-if-VPN-goes-down
Everything was working OK, except that my OpenVPN server in the router stopped working. So, as this was not that urgent, I left it like that, but now, seeing the new version, I decided to give it a go.

I installed (without cleaning up NVRAM/resetting) the new version, erased the JFFS scripts and rebooted. Made the changes in the OpenVPN client in order to redirect traffic from a specific IP to the tunnel.

The problem seems to be that the VPN disconnects randomly and doesn't reconnect (seems like a DNS issue; the syslog shows that the name could not be found), then the whole network loses access to the Internet.
Before the VPN goes down, the tunnel works, the IP that I directed connects via the tunnel and all the others go out through WAN, but very slowly. It does look like some DNS issue. I didn't have the time yet to test which DNS this was using. I would like the normal connection to use my ISP DNS, but whatever goes through the tunnel to use the VPN DNS.

I tried then resetting and reconfiguring, and it still seems to be the same. When I reboot and enable the VPN, it works, but if I reboot the modem, the VPN doesn't reconnect and I lose Internet connection everywhere.

Now (my wife wants to use the Internet), I disabled the VPN and everything else looks fine.

Anything that I can do to pinpoint the problem? I am not afraid of using SSH or other tools, but it seems like a lot of potential issues and I need some help.

Thanks a lot!
 
All other undefined traffic will not route through your tunnel.
This I have been curious about. Apparently a website may display content hosted on a different IP than the one routed through the VPN policy, and thus the webpage breaks if blocked by the ISP. Is there any way to route all the traffic originating from an IP specified in the VPN policy? Else it would be rather cumbersome to figure out which IP a website is hosted on, short of routing all traffic through the VPN?

Also, what happens to domains using IP distribution, like most of the larger corporations do, or if the IP of a domain changes? It seems that the policy only accepts IP addresses but no domain names?
 
Hi again,

I have a 1000Mbit connection to my ISP, so when passing 380Mbit (download) my Core 1 util is 100%, and only 30% while uploading about 850Mbit. Could it maybe be why you are not getting 100% for Core 1...? What kind of connection do you have?

BR/Christian

Hi,
My connection is only 25Mbps maybe that is why our results are different.
 
Hi again,

I have a 1000Mbit connection to my ISP, so when passing 380Mbit (download) my Core 1 util is 100%, and only 30% while uploading about 850Mbit. Could it maybe be why you are not getting 100% for Core 1...? What kind of connection do you have?

BR/Christian
Do you have HW acceleration enabled?
 
Whatever the source IP is for the device on your network you want to force through your tunnel, give it a name and enter the source IP, then add it. You may want to use a static DHCP assignment in your LAN settings to ensure consistency. All other undefined traffic will not route through your tunnel. If you want to test, get a device with a browser and enter its IP address in the VPN client config section. Then access a site like ip chicken to see what your externally facing IP address is.

ASUS download Master IS the router though...

Does anyone know the answer to my question? Thanks.
 
Hello. Guest network shows full signal while the signal is really low. Is this error only on my side, or a general system error? Sorry Merlin that I repeat this.

 
The problem seems to be that the VPN disconnects randomly and doesn't reconnect (seems like a DNS issue; the syslog shows that the name could not be found), then the whole network loses access to the Internet.

I've had one similar report a few months ago, and I never succeeded in reproducing the issue. What did you configure for the DNS mode on the client (strict, exclusive, etc...?)

Do you have any custom dnsmasq configuration? Did you change any DNS-related settings on either the WAN page or the LAN -> DHCP page?
 
This I have been curious about. Apparently a website may display content hosted on a different IP than the one routed through the VPN policy, and thus the webpage breaks if blocked by the ISP. Is there any way to route all the traffic originating from an IP specified in the VPN policy? Else it would be rather cumbersome to figure out which IP a website is hosted on, short of routing all traffic through the VPN?

The router has no way of knowing what URLs are in that webpage you are loading, so there's nothing the routing table can do about it.

Also, what happens to domains using IP distribution, like most of the larger corporations do, or if the IP of a domain changes? It seems that the policy only accepts IP addresses but no domain names?

You will have to define a whole subnet, or multiple rules. Domain names are not supported, because a routing table needs a specific IP or subnet - it has no way of doing any name resolution at routing time (which would be half-useless anyway, as your browser might have resolved a different IP than what the router would resolve, if that hostname uses a round-robin entry for instance).
 
I've had one similar report a few months ago, and I never succeeded in reproducing the issue. What did you configure for the DNS mode on the client (strict, exclusive, etc...?)

Do you have any custom dnsmasq configuration? Did you change any DNS-related settings on either the WAN page or the LAN -> DHCP page?

The DNS config is STRICT (as it was before). Now I changed to RELAXED and everything is working. Except that I have a DNS leak...

I didn't change (at least not on purpose) any information on DNS; the WAN DNS is received from my ISP, my router distributes its own IP as a DNS for the DHCP clients... pretty simple.

Does it help if I send you some info? (route, etc)

I will try changing the DNS mode and see what is the impact.

Thanks!
 
The DNS config is STRICT (as it was before). Now I changed to RELAXED and everything is working. Except that I have a DNS leak...

I didn't change (at least not on purpose) any information on DNS; the WAN DNS is received from my ISP, my router distributes its own IP as a DNS for the DHCP clients... pretty simple.

Does it help if I send you some info? (route, etc)

I will try changing the DNS mode and see what is the impact.

Thanks!
--------------

So, I got some info that may help to clarify what the problem is, and I also noticed that when running the route command over SSH, in STRICT and EXCLUSIVE DNS mode, the command takes up to 15 seconds to answer with the routing table... when in RELAXED or DISABLED, it is instantaneous.

-----------------------------------------------------------------
DNS in STRICT mode: (slow on DNS query over WAN and even slower over VPN)

Code:
Kernel IP routing table
Destination  Gateway  Genmask  Flags Metric Ref  Use Iface
193.105.134.81  62.178.91.1  255.255.255.255 UGH  0  0  0 eth0
10.10.40.17  *  255.255.255.255 UH  0  0  0 tun11
62.178.91.1  *  255.255.255.255 UH  0  0  0 eth0
192.168.0.0  *  255.255.255.0  U  0  0  0 br0
62.178.91.0  *  255.255.255.0  U  0  0  0 eth0
127.0.0.0  *  255.0.0.0  U  0  0  0 lo
default  62.178.91.1  0.0.0.0  UG  0  0  0 eth0

-----------------------------------------------------------------

DNS in EXCLUSIVE mode: (DNS not working over WAN or VPN)
Code:
Kernel IP routing table
Destination  Gateway  Genmask  Flags Metric Ref  Use Iface
91.236.116.46  62.178.91.1  255.255.255.255 UGH  0  0  0 eth0
10.10.40.5  *  255.255.255.255 UH  0  0  0 tun11
62.178.91.1  *  255.255.255.255 UH  0  0  0 eth0
192.168.0.0  *  255.255.255.0  U  0  0  0 br0
62.178.91.0  *  255.255.255.0  U  0  0  0 eth0
127.0.0.0  *  255.0.0.0  U  0  0  0 lo
default  62.178.91.1  0.0.0.0  UG  0  0  0 eth0
-----------------------------------------------------------------

DNS in RELAXED mode: (DNS working over VPN and WAN, but with DNS leak...)
Code:
Kernel IP routing table
Destination  Gateway  Genmask  Flags Metric Ref  Use Iface
91.236.116.46  chello062178791 255.255.255.255 UGH  0  0  0 eth0
10.10.40.5  *  255.255.255.255 UH  0  0  0 tun11
62.178.91.1  *  255.255.255.255 UH  0  0  0 eth0
192.168.0.0  *  255.255.255.0  U  0  0  0 br0
62.178.91.0  *  255.255.255.0  U  0  0  0 eth0
127.0.0.0  *  255.0.0.0  U  0  0  0 lo
default  chello062178791 0.0.0.0  UG  0  0  0 eth0
-----------------------------------------------------------------
DNS in DISABLED mode: (DNS working over VPN and WAN, but with DNS leak...)
Code:
Kernel IP routing table
Destination  Gateway  Genmask  Flags Metric Ref  Use Iface
91.236.116.46  chello062178791 255.255.255.255 UGH  0  0  0 eth0
10.10.40.5  *  255.255.255.255 UH  0  0  0 tun11
62.178.91.1  *  255.255.255.255 UH  0  0  0 eth0
192.168.0.0  *  255.255.255.0  U  0  0  0 br0
62.178.91.0  *  255.255.255.0  U  0  0  0 eth0
127.0.0.0  *  255.0.0.0  U  0  0  0 lo
default  chello062178791 0.0.0.0  UG  0  0  0 eth0
-----------------------------------------------------------------
My openvpn config file:
--------------------------------------
Code:
remote se1.vpn.ac 6112 udp
dev tun
tls-client
persist-tun
persist-key
auth-user-pass
nobind
pull
redirect-gateway def1
route-delay 5
verb 1
explicit-exit-notify 1
remote-cert-tls server
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
   <CERT>
-----END CERTIFICATE-----
</ca>
--------------------------------------

My VPN provider informs something about forcing an update in resolv.conf when running OpenVPN from Linux; does this have anything to do with Merlin?

https://forum.vpn.ac/discussion/13/running-openvpn-in-linux-terminal-with-no-dns-leaks


Well, thanks again for any help!
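As an added example (not from this thread or from the Asuswrt-Merlin project), the Python below parses the STRICT-mode routing table posted above and resolves destinations by longest-prefix match, the only lookup a kernel routing table can perform. It makes RMerlin's earlier point concrete: entries are IPs or subnets, a hostname cannot be matched at all, and in the main table every destination except the tunnel endpoint falls to the WAN default route, so a host route via tun11 is the only trace of the VPN here (the per-client policy rules live outside the table that `route` prints).

```python
import ipaddress

# Routing table as posted above (the STRICT-mode `route` output), embedded so
# the example runs offline without a router.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination  Gateway  Genmask  Flags Metric Ref  Use Iface
193.105.134.81  62.178.91.1  255.255.255.255 UGH  0  0  0 eth0
10.10.40.17  *  255.255.255.255 UH  0  0  0 tun11
62.178.91.1  *  255.255.255.255 UH  0  0  0 eth0
192.168.0.0  *  255.255.255.0  U  0  0  0 br0
62.178.91.0  *  255.255.255.0  U  0  0  0 eth0
127.0.0.0  *  255.0.0.0  U  0  0  0 lo
default  62.178.91.1  0.0.0.0  UG  0  0  0 eth0
"""


def parse_route_table(text):
    """Parse `route` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and a numeric Metric; header rows do not.
        if len(fields) != 8 or not fields[4].isdigit():
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins.
    dst must already be an IP address; a hostname raises ValueError, which is
    why a routing-based policy cannot accept domain names."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    for dst in ("193.105.134.81", "10.10.40.17", "8.8.8.8"):
        print(dst, "->", lookup(table, dst)[2])
```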
 
The DNS config is STRICT (as it was before). Now I changed to RELAXED and everything is working. Except that I have a DNS leak...

I didn't change (at least not on purpose) any information on DNS; the WAN DNS is received from my ISP, my router distributes its own IP as a DNS for the DHCP clients... pretty simple.

Does it help if I send you some info? (route, etc)

I'll try again sometime next weekend to reproduce the issue with this specific configuration.
 
Thanks RMerlin.
This build looks like a keeper :) on my AC56U.
Apart from one UI freeze changing Wifi settings (requiring a reboot), WiFi, Guest access, Adaptive QoS is doing a good enough job ( the issues with categorising everything as general and machine priorities having no effect in 378.50 are gone) and all the other Trend security features working fine :)
 
Merlin I use john's fork as you know but a question.

Do you know if asus ipv6 dnsmasq implementation will send the right MTU to lan clients?

As you may know, I noticed on shibby with dnsmasq that the MTU sent to LAN clients was always 1500 regardless of the PPP MTU value.
 
This I have been curious about. Apparently a website may display content hosted on a different IP than the one routed through the VPN policy, and thus the webpage breaks if blocked by the ISP. Is there any way to route all the traffic originating from an IP specified in the VPN policy? Else it would be rather cumbersome to figure out which IP a website is hosted on, short of routing all traffic through the VPN?

Also, what happens to domains using IP distribution, like most of the larger corporations do, or if the IP of a domain changes? It seems that the policy only accepts IP addresses but no domain names?

Are you saying source traffic is getting different content than what is tunnelled? My understanding is that once tunnelled, the source traffic would all be subject to perhaps being geo-located, depending on what your VPN service is like. I don't think it's a selective process; all or none. For domains, once translated to an IP it would still route through your tunnel, so it shouldn't matter. The traffic is IP oriented; the lookup is local to your resolver.
 
Merlin I use john's fork as you know but a question.

Do you know if asus ipv6 dnsmasq implementation will send the right MTU to lan clients?

As you may know, I noticed on shibby with dnsmasq that the MTU sent to LAN clients was always 1500 regardless of the PPP MTU value.

No idea.
 
Hi RMerlin
When using VPN policy routing, the client selected also seems to have a DNS leak. Even if I set a public DNS in the WAN setting, the client keeps using my ISP DNS.

Policy routing merely routes the traffic. It has no impact on the nameservers used by the clients.
 
Hi RMerlin,

I am running 378.53 on an AC87U. I noticed a strange issue when using the VPN client policy to have my Synology NAS as source IP and 0.0.0.0 as destination.

When I enable adaptive QOS, the downloads cap out at my maximum upload (2.5 mbit) but when I disable all QOS and app analysis, I am able to saturate my downstream of 30 mbit on the same NAS. Before this latest firmware, I was also able to max out my downstream using the NAS to run the OpenVPN client.
 
Are you saying source traffic is getting different content than what is tunnelled? My understanding is that once tunnelled, the source traffic would all be subject to perhaps being geo-located, depending on what your VPN service is like. I don't think it's a selective process; all or none. For domains, once translated to an IP it would still route through your tunnel, so it shouldn't matter. The traffic is IP oriented; the lookup is local to your resolver.
Yes, traffic is getting different content other than the IP tunnelled, because the site is pulling content from another IP (which is not an uncommon concept), and thus the external content does not show if not being selectively stipulated in the policy. This is apparent as the ISP is showing a designated logo for content they are blocking, which appears in places on the website the traffic is being tunnelled to.
 