Release Asuswrt-Merlin 386.3 is now available

[ColinTaylor]

Apologies. I enabled DNSFilter a couple days after update. The spurious DNS requests showed up at that point.

It sounds like your problem is unrelated to this thread then. It is not uncommon for some devices to have hard-coded DNS addresses.

 

[Lynx]

Actually just realised that 386_3 might not be handling OpenVPN config options like:

route 192.168.8.1 255.255.255.255 net_gateway

correctly, with force internet traffic through VPN (yes). The above line should set up a route over LAN. This worked in the previous firmware.
But now it does not work (and I cannot access my modem GUI on 192.168.8.1).
I see this line in the log file:

Jul 30 18:34:45 openvpn-routing: Add pushed route: /usr/sbin/ip route add 192.168.8.1/255.255.255.255 via 10.0.0.1 dev tun11   table ovpnc1

This does not seem right.
This is a standard config option for OpenVPN. And see e.g.:

http://www.snbforums.com/threads/exclude-site-going-from-vpn.71634/post-679197

If this is by design that would force me to use PBR, but I prefer the simplicity of everything defaulting to VPN.

Update: tried setting 'force internet traffic through tunnel: yes' and exception in VPN director, but this didn't work either (wrong order?):

admin@RT-AX86U-4168:/tmp/home/root# cat /tmp/syslog.log |grep -i openvpn
Jul 30 22:30:49 openvpn-routing: Clearing routing table for VPN client 1
Jul 30 22:30:49 ovpn-client1[32308]: OpenVPN 2.5.3 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 23 2021
Jul 30 22:30:50 custom_script: Running openvpn-event
Jul 30 22:30:51 openvpn-routing: Setting client 1 routing table's default route through the tunnel
Jul 30 22:30:51 openvpn-routing: Routing all traffic through ovpnc1
Jul 30 22:30:53 custom_script: Running openvpn-event
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing all traffic through ovpnc1

VPN director rule:

​

Enable	Description	Local IP	Remote IP	Iface

Enabled

Modem

192.168.8.1

WAN

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.

• OpenVPN clients set to redirect all traffic have the highest priority
• WAN rules will have priority over OpenVPN rules
• OpenVPN 1 rules have higher priority than OpenVPN 5 rules
• Rules can be individually enabled or disabled by clicking on the first column

So should work, right?

 

[GHammer]

Apologies. I enabled DNSFilter a couple days after update. The spurious DNS requests showed up at that point.

My piholes report this as the most frequent request. Sony TV that REALLY REALLY wants to phone home.

events.cid.samba.tv     Hits in 24 hours- 3970

 

[dmolavi]

It sounds like your problem is unrelated to this thread then. It is not uncommon for some devices to have hard-coded DNS addresses.

Why didn't it appear previously then? The devices haven't changed, and regardless of whether they were on the main wifi or guest, I would have seen those requests.

This is just the router's address going to Google, the other devices are nowhere near as chatty.

 

[eightiescalling]

Thank you RMerlin for the updated release and seemingly never ending effort you put in to the firmware.

Are the QRCodes generated on the fly when clicking the option or held anywhere?

Use case - I have a guest network that gets enabled for 24 hour periods and (once the automation is hooked in to Google Assistant for voice control) will have updating passcodes. I'd like to grab the QR code image so I can send as attachment on a push notification sent when the guest network gets activated.

 

[ColinTaylor]

Why didn't it appear previously then? The devices haven't changed, and regardless of whether they were on the main wifi or guest, I would have seen those requests.

This is just the router's address going to Google, the other devices are nowhere near as chatty.

You're giving confusing information. You just said this only started happening when you enabled DNSFilter. If the request is originating from a client and being intercepted by DNSFilter then the PiHole will see the request as coming from the router instead of the client. That's how the DNSFilter works.

 

[RMerlin]

Are the QRCodes generated on the fly when clicking the option or held anywhere?

Generated on the fly as the web page is loaded.

 

[HTBruceM]

It sounds like your problem is unrelated to this thread then. It is not uncommon for some devices to have hard-coded DNS addresses.

I once had a Sony Blu-Ray player and discovered that is used a hard-coded DNS address for its FW update process. At that time I was using an EdgeRouter-X with a rule to drop any DNS that weren't using my selected DNS server. As a result, that Blu-Ray player would NEVER update its firmware. Everything else seemed to work except for firmware updates which always failed "unable to connect to the server" or something similar.

That Samba TV stuff looks way too intrusive to me. I disabled it in my Sony TV.

 

[HTBruceM]

Back on topic.... Installed the 386.3 last week and it has been rock solid.
Nice work Eric.

 

[tyspeed42]

Any chance openvpn 3 multi threaded will be added in the future or is that not viable for use on a router like the AX86U?

 

[L&LD]

Of course it will be added, in due course.

When, is the unknown.

 

[RMerlin]

Any chance openvpn 3 multi threaded will be added in the future or is that not viable for use on a router like the AX86U?

Highly unlikely. The OpenVPN 3 design doesn't work too well in a router scenario. No server support, limited client feature support, and it's just a C++ library that would require someone to write a C++ wrapper/client associated with it (as Asuswrt's rc daemon is written in C, not C++).

Also, that reference about multithreading is from a very, very old roadmap. The current OpenVPN3 library only uses a single thread according to their documentation.

 

[Lynx]

Actually just realised that 386_3 might not be handling OpenVPN config options like:

route 192.168.8.1 255.255.255.255 net_gateway

correctly, with force internet traffic through VPN (yes). The above line should set up a route over LAN. This worked in the previous firmware.
But now it does not work (and I cannot access my modem GUI on 192.168.8.1).
I see this line in the log file:

Jul 30 18:34:45 openvpn-routing: Add pushed route: /usr/sbin/ip route add 192.168.8.1/255.255.255.255 via 10.0.0.1 dev tun11   table ovpnc1

This does not seem right.
This is a standard config option for OpenVPN. And see e.g.:

http://www.snbforums.com/threads/exclude-site-going-from-vpn.71634/post-679197

If this is by design that would force me to use PBR, but I prefer the simplicity of everything defaulting to VPN.

Update: tried setting 'force internet traffic through tunnel: yes' and exception in VPN director, but this didn't work either (wrong order?):

admin@RT-AX86U-4168:/tmp/home/root# cat /tmp/syslog.log |grep -i openvpn
Jul 30 22:30:49 openvpn-routing: Clearing routing table for VPN client 1
Jul 30 22:30:49 ovpn-client1[32308]: OpenVPN 2.5.3 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 23 2021
Jul 30 22:30:50 custom_script: Running openvpn-event
Jul 30 22:30:51 openvpn-routing: Setting client 1 routing table's default route through the tunnel
Jul 30 22:30:51 openvpn-routing: Routing all traffic through ovpnc1
Jul 30 22:30:53 custom_script: Running openvpn-event
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing Modem from any to 192.168.8.1 through main
Jul 30 22:31:34 openvpn-routing: Routing all traffic through ovpnc1

VPN director rule:

​

Enable	Description	Local IP	Remote IP	Iface

Enabled

Modem

192.168.8.1

WAN

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.

• OpenVPN clients set to redirect all traffic have the highest priority
• WAN rules will have priority over OpenVPN rules
• OpenVPN 1 rules have higher priority than OpenVPN 5 rules
• Rules can be individually enabled or disabled by clicking on the first column

So should work, right?

Is the latter aspect of the above not indicative of a glitch in VPN Director? VPN Director shows the redirecting all traffic, and states WAN rules will have priority, but setting single WAN bypass fails. In any case, it seems reasonable to me that it should be possible to create exceptions in this way. RMerlin I think you expected it would work this way from your suggestion on IRC?

Otherwise what is the procedure for setting up everything (including router itself, and hence e.g. all forwarded DNS requests) to go through VPN, but to specify one or more exceptions to go through WAN based on destination IP?

Previously this was possible using exception lines like:

route IP NETMASK net_gateway

placed in the VPN client config, but this no longer works. It seems from searches on this forum quite a few users made use of this.

Perhaps now instead there might be a way to set up VPN Director to direct all traffic including router to go through VPN, e.g. by setting source IP to 0.0.0.0?

 

[eightiescalling]

Generated on the fly as the web page is loaded.

I had a suspicion that might be the case.

I don't suppose the code that does it is easily(ish) portable to run from the CLI based on NVRAM data? Happy to have a crack at it myself if it's likely to be the case.

 

[Jack Yaz]

I had a suspicion that might be the case.

I don't suppose the code that does it is easily(ish) portable to run from the CLI based on NVRAM data? Happy to have a crack at it myself if it's likely to be the case.

it is with entware and qrencode

 

[Lee MacMillan]

I was on a 51 day uptime streak on 386.2_6 and was planning to wait on this update until I accidentally hit reboot instead logout. Went ahead with the 386.3 update and so far, so good.

 

[eightiescalling]

it is with entware and qrencode

Between that and realising the input to the QR code is much simpler than I thought it would be, that's me sorted .

Thank you both.

 

[shabbs]

So, apparently the OnePlus phone's camera does not pick up the QR code for joining wifi. Had an alarm technician in the house yesterday and he asked to join the wifi. Thought it was the perfect time for them to try our my custom made "join our guest wifi" picture frame. Had him point his camera to it. Nothing. Very odd. Works like a charm with Samsung and Apple devices.

 

[evlo]

After updating my usb drive with addons does not show up, what could be the cause?

rt-ac86u

VPN director is pretty awesome feature

 

[eightiescalling]

So, apparently the OnePlus phone's camera does not pick up the QR code for joining wifi. Had an alarm technician in the house yesterday and he asked to join the wifi. Thought it was the perfect time for them to try our my custom made "join our guest wifi" picture frame. Had him point his camera to it. Nothing. Very odd. Works like a charm with Samsung and Apple devices.

Was that with the default camera? Just tried on mine and while the default camera doesn't work the qr code scanner they tucked away under WiFi settings does (right hand side of the screen on the page with listed WiFi networks).