[Beta 382] Asuswrt-Merlin 382.2 Beta is now available

[skeal]

I can't get rid of this...

Dec 31 21:41:41 kernel: ERR[update_qos_data_by_mac:3568] Failed to find udb entry by skb src-MAC!

Anyone know what this is. I know it's QOS but what is the problem.

 

[AmyGrrl]

Oh! Awesome! Thanks for this release. Have it installed on my RT-AC66U B1. Seems to be working ok so far. Did not have time to do a factory reset with it being New Years. I will do that tomorrow when I am hung over and have nothing better to do.

 

[RMerlin]

Anyone know what this is. I know it's QOS but what is the problem.

It's in Asus's proprietary code, so only them would know what this message means.

 

[RMerlin]

It turns out that the client 2 on my ac3100 is unable to connect to a ovpn server on a ac68u. I can however connect using the android ovpn app to the ac68u. I can import the server ovpn file to my phone and it works excellent. Same config on the router in client 2 or in client 3 it screws my whole router up if I connect. Sometimes I have to manual reboot. The weird thing is as the connection is being tried it kills the internet sometimes sometimes not. It always kills access to my router gui. My server on the ac3100 works great. Server on the ac68u works great. cannot connect router to router over ovpn.

I'm using Client2 and Client3 on this RT-AC66_B1 for my OpenVPN tests and they both connect fine. Please post your log output.

 

[RMerlin]

Oh! Awesome! Thanks for this release. Have it installed on my RT-N66U B1. Seems to be working ok so far. Did not have time to do a factory reset with it being New Years. I will do that tomorrow when I am hung over and have nothing better to do.

That's quite a feat, considering there's no RT-N66U_B1 382.2 beta firmware...

 

[skeal]

I'm using Client2 and Client3 on this RT-AC66_B1 for my OpenVPN tests and they both connect fine. Please post your log output.

Have you tried using one asus router as a server and the other as client?

 

[AmyGrrl]

Corrected my post. Meant to say RT-AC66U B1.

 

[skeal]

I'm using Client2 and Client3 on this RT-AC66_B1 for my OpenVPN tests and they both connect fine. Please post your log output.

View attachment 11415

Here is the connection logs please find something its driving me crazy!!!

Dec 31 22:32:27 rc_service: httpds 398:notify_rc start_vpnclient3
Dec 31 22:32:28 ovpn-client3[6787]: OpenVPN 2.4.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 29 2017
Dec 31 22:32:28 ovpn-client3[6787]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.08
Dec 31 22:32:28 ovpn-client3[6788]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 22:32:28 ovpn-client3[6788]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 31 22:32:28 ovpn-client3[6788]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 31 22:32:28 ovpn-client3[6788]: TCP/UDP: Preserving recently used remote address: [AF_INET]70.64.208.255:1194
Dec 31 22:32:28 ovpn-client3[6788]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 31 22:32:28 ovpn-client3[6788]: UDP link local: (not bound)
Dec 31 22:32:28 ovpn-client3[6788]: UDP link remote: [AF_INET]70.64.208.255:1194
Dec 31 22:32:28 ovpn-client3[6788]: TLS: Initial packet from [AF_INET]70.64.208.255:1194, sid=7979ce6f 8b363e77
Dec 31 22:32:28 ovpn-client3[6788]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY KU OK
Dec 31 22:32:28 ovpn-client3[6788]: Validating certificate extended key usage
Dec 31 22:32:28 ovpn-client3[6788]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY EKU OK
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Dec 31 22:32:29 ovpn-client3[6788]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 31 22:32:29 ovpn-client3[6788]: [RT-AC68U] Peer Connection Initiated with [AF_INET]70.64.208.255:1194
Dec 31 22:32:30 ovpn-client3[6788]: SENT CONTROL [RT-AC68U]: 'PUSH_REQUEST' (status=1)
Dec 31 22:32:30 ovpn-client3[6788]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: route options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: route-related options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: peer-id set
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: adjusting link_mtu to 1625
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: data channel crypto options modified
Dec 31 22:32:30 ovpn-client3[6788]: Data Channel: using negotiated cipher 'AES-128-GCM'
Dec 31 22:32:30 ovpn-client3[6788]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec 31 22:32:30 ovpn-client3[6788]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec 31 22:32:30 ovpn-client3[6788]: TUN/TAP device tun13 opened
Dec 31 22:32:30 ovpn-client3[6788]: TUN/TAP TX queue length set to 100
Dec 31 22:32:30 ovpn-client3[6788]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 31 22:32:30 ovpn-client3[6788]: /usr/sbin/ip link set dev tun13 up mtu 1500
Dec 31 22:32:30 ovpn-client3[6788]: /usr/sbin/ip addr add dev tun13 10.8.0.2/24 broadcast 10.8.0.255
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 70.64.208.255/32 via 142.165.14.254
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 192.168.1.0/24 metric 500 via 10.8.0.1
Dec 31 22:32:32 custom_script: Running /jffs/scripts/openvpn-event (args: tun13 1500 1553 10.8.0.2 )
Dec 31 22:32:32 ovpn-client3[6788]: Initialization Sequence Completed

 

[skeal]

Just to post this dropped my connection to the router but not the internet.
EDIT: Cannot login.
EDIT2: Worse cannot open the gui.

 

[skeal]

I'm using Client2 and Client3 on this RT-AC66_B1 for my OpenVPN tests and they both connect fine. Please post your log output.

View attachment 11415

Cannot show you this as when I engage the vpn it locks up ac3100.

 

[skeal]

The encouraging part is that I retried my client 2 and it works with the same settings as client 1.

 

[skeal]

Remember this only happens so far between asus routers. I'm going from ac3100 to the ac68u.

 

[RMerlin]

Have you tried using one asus router as a server and the other as client?

That would be a completely different issue from the inability to use client 2/ client 3 that you initially reported.

I have never done site-to-site tunnels, so I can't help you with that type of configuration, sorry.

 

[skeal]

That would be a completely different issue from the inability to use client 2/ client 3 that you initially reported.

I have never done site-to-site tunnels, so I can't help you with that type of configuration, sorry.

Strange this worked with the latest alpha.....hmmmm.

 

[MarkRH]

Put the 382.2_beta1 on my RT-AC68U and one thing I noticed was that all of my past Trend Micro Statistics data was gone. I also noticed the free memory went from around 190 MB to 145 MB on the Tools page. Turns out it must be due to changes in the Trend Micro Engine behavior. Since I lost all the data anyway, I decided to do a Factory Reset (Jan 1, 2018 good time to start over). I then noticed the memory drop from 190 MB or so to 145 MB after enabling Statistics again. So far everything seems to be OK. I don't have wireless enabled or use VPN stuff so no feedback on that. Thanks for all your work and Happy New Year.

 

[JMB64]

I loaded the latest 382.2 Beta1 firmware on my AC86U and AC68U and I am not seeing the new IPSec Tabs or options for an IPSec VPN. I have reset the caches in all my browsers (Chrome, Safari, Firefox) and did a power cycle on the routers after I loaded the firmware. Am I missing something or am I looking in the wrong areas? The VPN tab does not show any IPSec option under VPN server and there is no IPSec listed in the VPN Status tab.

 

[StefanoN]

[QUOTE="RMerlin, post: 368171, member: 10954"

The issue is caused by the following rule in the FORWARD chain which is blocking traffic before it can get accepted by the OVPN chain:

20  7730 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0

[/QUOTE]

Happy New Year to all
question stupid (but I'm still newbie): from the command line can I delete the drop?
RMerlin : thanks for your work.

 

[king006]

Relax, and breathe people... This is just OpenVPN-specific, no need to start panicking as if the sky was falling.

The issue is caused by the following rule in the FORWARD chain which is blocking traffic before it can get accepted by the OVPN chain:

20  7730 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0

Thank you! Fortunately, you have found the problem!
Can we solve this manually? or do we need beta 2 for this problem?

Happy newyear!

 

[JacquesR]

Hi, are u able to paste your iptables rule here.
iptables -S
I just want to see the order... thanks.
Anyone with a working openvpn in 382.2.beta... can paste the iptables for reference. Thx.

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 49163 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 4433 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 49163 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A OVPN -i tun21 -j ACCEPT
-A OVPN -i tun11 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -i eth0 -m set --match-set Whitelist src -j ACCEPT
-A logdrop -i eth0 -p tcp -m multiport --sports 80,443,143,993,110,995,25,465 -m state --state INVALID -j DROP
-A logdrop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A logdrop -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j SET --add-set Skynet src
-A logdrop -j DROP

 

[JacquesR]

"Direct clients to redirect Internet traffic" works for you?

Yes (only 3 clients are redirected, with policy rules).