Release Asuswrt-Merlin 386.3 is now available

[Visiondejavu]

OpenVPN modifications in 386.3 on Asus AC5300 no longer allow ExpressVPN to hide IP address. Connects, but IP is leaked. Worked fine in previous versions, but had to revert back to 386.1 to work properly.

 

[SomeWhereOverTheRainBow]

**Potential GUI Bug**
@RMerlin

Any time changes are made to the Administrator page, this error pops up.

Even though no attempts were made to change the Router Login Name.

 

[kernol]

**Potential GUI Bug**
@RMerlin

Any time changes are made to the Administrator page, this error pops up.

View attachment 35296
Even though no attempts were made to change the Router Login Name.

No such problem on my 386.3 - can mod any items on that page without getting the error you refer to.
Make sure your browser cache [or form fill] is not auto filling the Router Login Name over what is/was there. That may cause the error?

 

[SomeWhereOverTheRainBow]

No such problem on my 386.3 - can mod any items on that page without getting the error you refer to.
Make sure your browser cache [or form fill] is not auto filling the Router Login Name over what is/was there. That may cause the error?

Did all that, issue seems to go away when I unmount the harddrive.

 

[RMerlin]

OpenVPN modifications in 386.3 on Asus AC5300 no longer allow ExpressVPN to hide IP address. Connects, but IP is leaked. Worked fine in previous versions, but had to revert back to 386.1 to work properly.

Your client isn't correctly configured. You need to set Redirect Internet traffic to Yes or to VPN Director and configure rules.

 

[RMerlin]

Did all that, issue seems to go away when I unmount the harddrive.

Old, known issue - the disk sharing user list is invalid. There are a few posts on the forum explaining how to fix it/reset it.

 

[SomeWhereOverTheRainBow]

Old, known issue - the disk sharing user list is invalid. There are a few posts on the forum explaining how to fix it/reset it.

Fixed it but I had to manually do it. It turns out

nvram set acc_num="1"
nvram set acc_list="$(nvram get http_username)>$(nvram get http_passwd)"
nvram set acc_webdavproxy="$(nvram get http_username)>1"
nvram commit
reboot

will not work if your http_username has - in it such as admin-name or some-name

it turns out if it does have a dash in the name the nvram get value would be as follows

nvram get acc_list="Some%2DName>encryptedpassword"
so
nvram set acc_list="$(nvram get http_username)>$(nvram get http_passwd)"

cannot be used in this case because that variable actually holds a dash versus the disk sharing user name uses %2D for dashes.

and

nvram set acc_webdavproxy="$(nvram get http_username)>1" cannot be used either since %2D is used in the naming and not a dash.

 

[jeden]

Router advertisement in 6in4 tunnels still broken after a reboot.

 

[DJones]

Just curious RMerlin will you be implementing the security patches released by Asus in a recent stock fw update? Or do you avoid updating base code until their is a major revision change to keep it more in line with LTS?

Question might have already been asked apologies if it was.

==============

2021/07/08 66.29 MBytes
ASUS GT-AX11000 Firmware version 3.0.0.4.386.44266
1. Improved connection stability.
2. Modified the DNS setting and router's DNS can be assigned to the LAN side DNS.
3. Fixed DoS vulnerability from spoofed sae authentication frame. Thanks to Efstratios Chatzoglou, University of the Aegean, Georgios Kambourakis, European Commission at the European Joint Research Centre, and Constantinos Kolias, University of Idaho.
4. Fixed envrams exposed issue. Thanks to Quentin Kaiser from IoT Inspector Research Lab contribution.

 

[Jakem]

To test the VPNClient killswitch you need to open a SSH session on your router. To do that you need to go to the Administration > System tab after logging in with your browser to the router. Half way down the page under "Service" - Enable SSH for LAN only - do not allow SSH Port Forwarding and choose a non-default port [say 222] and allow password login.

I use MobaXterm on my Windows 10 workstation as a terminal for SSH and several other useful remote tools. Use that or Putty or any other terminal of your choice to login to your Router under SSH terminal using your admin username and password.

At the command prompt you can issue those commands that I pointed out to you.
So if you have configured OpenVPN Client No 1 to route certain Local IP's through a VPN service provider - then with that OVPN1 enabled you would type this command at the Terminal prompt ...

killall vpnclient1

[Change the 1 to a 2, 3 ,4 or 5 .... depending on which VPNClient you want to test].
Check whether the Local IP's that you had directed through the VPN Tunnel have now lost internet connection - and if so - the killswitch is working as designed. Now to bring the VPN Tunnel back up again issue this command at the terminal prompt ...

service start_vpnclient1

Now check that the Local IP's that you had directed through the VPN tunnel have had their internet connection restored.

If my explanation above is "overkill" - sorry ... but I have no idea of your skills level ... but do remember all too well when I first joined this forum as a non-coder noob ... first posts are not always easy given the high skill levels of so many members .

PS - If you are a noob like I was - then if not done already - at that SSH command prompt - type "amtm" and open Pandora's Box to a huge array of awesome add-ons [like those in my signature]. Just follow the prompts and read here if stuck ...

kernol you are the best. I am a noob (newbie), such a noob I had to look that up. Followed your very detailed instructions, operated the kill switch thus stopping all access to the internet. Ran your second command and restored internet service. You made it easy. I was certain the kill switch would work because rmerlin turns out only premium firmware. I just had to see it work for myself. You are a good person kernol for helping a stranger.

 

[Robert Tickle]

Dirty upgrade from 386.2_6 to 386.3 on router and node. All 40 wifi clients reconnected immediately without issue.

 

[Hawk]

Just curious RMerlin will you be implementing the security patches released by Asus in a recent stock fw update? Or do you avoid updating base code until their is a major revision change to keep it more in line with LTS?

Question might have already been asked apologies if it was.

==============

2021/07/08 66.29 MBytes
ASUS GT-AX11000 Firmware version 3.0.0.4.386.44266
1. Improved connection stability.
2. Modified the DNS setting and router's DNS can be assigned to the LAN side DNS.
3. Fixed DoS vulnerability from spoofed sae authentication frame. Thanks to Efstratios Chatzoglou, University of the Aegean, Georgios Kambourakis, European Commission at the European Joint Research Centre, and Constantinos Kolias, University of Idaho.
4. Fixed envrams exposed issue. Thanks to Quentin Kaiser from IoT Inspector Research Lab contribution.

Merlin get GPL directly from Asus so most likely they will included in next GPL Asus send to Merlin.

 

[RMerlin]

Router advertisement in 6in4 tunnels still broken after a reboot.

Define "broken".

 

[jsbeddow]

Merlin get GPL directly from Asus so most likely they will included in next GPL Asus send to Merlin.

This is true, but @RMerlin has mentioned that there is some sort of GPL build problem with recent releases, and this is why we seem to have a relatively large gap (both in time and version number) between official Asus releases and Merlin's versions at the moment. Perhaps he could update us on that situation, please?

 

[jeden]

Define "broken".

If you set up a 6in4 tunnel with RA on (default) and then reboot the router, RA stops working. You have to disable it, apply settings, then enable it again so it works until the next reboot. It's an upstream bug actually.
In ipv6 router advertisements are necessary every x minutes or devices lose their ip address(es). Therefore after 10 minutes of booting the router ipv6 connectivity is lost forever.

 

[RMerlin]

Perhaps he could update us on that situation, please?

Latest news I got today was: "No ETA, recently generated a new test GPL for one model, awaiting validation".

So basically, no news for the time being.

 

[RMerlin]

It's an upstream bug actually.

Can you see if the issue still exists in newer stock firmware? If it was fixed upstream since 42095, then we just have to wait for a new GPL release for me to merge in.

 

[anotherengineer]

Flashed
Rebooted
Then formatted jffs and reboot
Then factory defaults/wipe reboot
Then set up and reboot

seems to be ok. Need to give it a few weeks and see if that random disconnect is cured.

 

[guho]

Hi,
Can you please explain in a bit more detail as to which files I need to copy/ create in which folders - some sample content of the file would be very helpful.


All I mainly want to achieve is change the default IPSec ikev2 range from 10.10.10.0/24 to 192.168.2.0/24 as specified in the line rightsourceip=

@guho
What additional file(s) do I create where and what do I modify in the existing /etc/ipsec.conf to achieve this? Many thanks...

Please read https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files

In your case, enable custom scripts and create /jffs/scripts/ipsec.postconf containing:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "rightsourceip=10.10.10.0/24" "rightsourceip=192.168.2.0/24" $CONFIG

 

[Asher]

Thanks Merlin
Updated to 386.3
having a few problems with openvpn authentication, had to delete all credentials and re-add them again

FYI Spelling mistake on Initializing