[Beta] Asuswrt-Merlin 382.1 Beta is available

Status
Not open for further replies.
Oops, sorry :) It is an AC88u

New Trend Micro engine for starter, so I wouldn't be surprised if memory usage would be a bit higher. I've never paid any attention to it on my own RT-AC88U.
 
After more testing I'm not able to get reliable speed reading files from my usb 3 attached drive over SMB or FTP.

Tried a few different settings, AI protection disabled, QOS disabled, but almost always transfers are slow, around the 15MB/s mark.

This must be a bug right?

Wired or Wireless? What router model?

Left the router connected to an OpenVPN client for almost a day, resulted in no internet after a while. Had to disconnect OpenVPN to restore internet access. Could reconnect to OpenVPN right afterwards and still have internet access.

Check your System Log for any error message regarding your tunnel.

2) While a client is connected, entering the page or switching to any other page via the 5 clients drop down menu can take almost 2 minutes. When the client is disconnected - these pages are loading instantly.

HTTP or HTTPS?

Can't get OpenVPN Client working and not clear why. Straight copy of settings from my current live, working Tomato USB setup doesn't work. PIA's settings for Tomato don't seem to work. Found some threads dealing with MerlinWRT + PIA (like this https://www.privateinternetaccess.com/forum/discussion/comment/50644/#Comment_50644) but can't make it work yet.

PIA works fine for me. Make sure you did enter the CA and the CRL, they're not included in PIA's ovpn config file. All I did was import the .ovpn file, enter CRL and CA, then apply.
 
Actually, I compared the 3 clients and noticed that the first one has "Redirect Internet traffic" set to "All" while the others are set to Strict.
Changing it to strict remedied the issue, but I need to set it to All.
Selecting either "All" or "No" (EDIT: specifically on client 1) seems to be causing this.
 
Actually, I compared the 3 clients and noticed that the first one has "Redirect Internet traffic" set to "All" while the others are set to Strict.
Changing it to strict remedied the issue, but I need to set it to All.
Selecting either "All" or "No" (EDIT: specifically on client 1) seems to be causing this.

Thanks, I'll see if I can reproduce it.
 
Update: further testing this and it's also happening on Client 2.
The common thing between 1 and 2 is they are both from the same VPN provider, while 3 is another, so it must be a combination of more conditions.
I can send you one of my .ovpn files for debugging, would make it easier for u :)
 
@AM17
Can you post a screenshot of your OpenVPN settings page (client) from top to bottom? (hide/mask any personal data)

Reset Client 1 to double check... after importing .ovpn and changing specifics - I got a cert error in log - Options error: You must define CA file (--ca) or CA path (--capath)

Checking back - the CA I'd just pasted in was now missing. Went back and forth a few times - can't seem to get it to stick against Client1 with the following config;

upload_2017-11-5_0-6-52.png

Going back to Client2 config (same other than a few more Ciphers in negotiation list... and CA saved correctly) - I get the Verify Error again
upload_2017-11-5_0-14-35.png

Both attempts above have custom config like this:
tls-client
remote-cert-tls server
reneg-sec 0
disable-occ
cipher aes-128-cbc
auth sha1
nobind
persist-key
persist-tun
 
Wired or Wireless? What router model?



Check your System Log for any error message regarding your tunnel.



HTTP or HTTPS?



PIA works fine for me. Make sure you did enter the CA and the CRL, they're not included in PIA's ovpn config file. All I did was import the .ovpn file, enter CRL and CA, then apply.

Fresh config on Client 5.
  • upload .ovpn
  • add username and password
  • add CA and CRL (hadn't done this previously.. but doesn't seem to make any difference)
  • no other config

Result:
1) First pass: Verify Error as above
2) Second pass (attempting to replicate) - got same issue with CA / CRL not saving on "save" --> "apply" --> toggle service "on" = fails with Options error: You must define CA file (--ca) or CA path (--capath)
 
New Trend Micro engine for starter, so I wouldn't be surprised if memory usage would be a bit higher. I've never paid any attention to it on my own RT-AC88U.
OK, it could be the reason even if aiprotection is Off the same memory is used. Anyway my concern is more about the wifi speed than the memory usage itself... I have tested today again both firmwares 380.68_4 and 382.1 b3 and I got a difference in both down and upload of about 20Mbs from my 300Mb line, where with 380.68_4 I got 300Mb on both down/upload (even a bit more) and with 382.1 I reached 280/260 approx.
Any advice?
 
Fresh config on Client 5.
  • upload .ovpn
  • add username and password
  • add CA and CRL (hadn't done this previously.. but doesn't seem to make any difference)
  • no other config

Result:
1) First pass: Verify Error as above
2) Second pass (attempting to replicate) - got same issue with CA / CRL not saving on "save" --> "apply" --> toggle service "on" = fails with Options error: You must define CA file (--ca) or CA path (--capath)


Hi just wondered if I could ask you a couple of questions regarding openvpn?

First off, is your 86u Asian, European, USA?
Mine was from gearbest and is a China version but I can change to English and select Europe on the Wi-fi options for correct Wi-fi channels as I'm in the UK.

Additionally I am having trouble using the OpenVPN server section. Using the current settings that are working on my old n66u but no matter what settings I put in to either server 1 or server two when I go to the keys section/option nothing has been generated, i.e. blank boxes. Could I ask a favour and would you be able to check yours at all?
I’m also using beta.3
 
First off, is your 86u Asian, European, USA?
Mine was from gearbest and is a China version but I can change to English and select Europe on the Wi-fi options for correct Wi-fi channels as I'm in the UK.

gearbest hardware here too - set to english + US

Additionally I am having trouble using the OpenVPN server section. Using the current settings that are working on my old n66u but no matter what settings I put in to either server 1 or server two when I go to the keys section/option nothing has been generated, i.e. blank boxes. Could I ask a favour and would you be able to check yours at all?
I’m also using beta.3
Worked fine for me - I added another user account as part of test... Not sure if that helped or not. Maybe try the same?
 
Fresh config on Client 5.
  • upload .ovpn
  • add username and password
  • add CA and CRL (hadn't done this previously.. but doesn't seem to make any difference)
  • no other config

Result:
1) First pass: Verify Error as above
2) Second pass (attempting to replicate) - got same issue with CA / CRL not saving on "save" --> "apply" --> toggle service "on" = fails with Options error: You must define CA file (--ca) or CA path (--capath)

Still unable to reproduce here. I just re-imported the PIA US-Chicago config file on Client 5, added CA and CRL, entered username/password, applied, then I started it - it connected just fine.

add CA and CRL (hadn't done this previously.. but doesn't seem to make any difference)

You absolutely HAVE to manually add them, your router will not be able to connect without at least the CA.
 
My earlier post was unclear - I've always added CAs, but had not used a CRL (either in current e3200 tomato/shibby OVPN setup, or AC86u testing) until I tried to replicate your test.

Will try and replicate using Chicago .ovpn; and will also disconnect my other active PIA link (don't think it's an issue, but it does use same credentials... will disconnect it to be safe)
 
should the router still be reaching out to "fwupdate.lostrealm.ca" even though I have check for firmware updates disabled?
 
OK, it could be the reason even if aiprotection is Off the same memory is used. Anyway my concern is more about the wifi speed than the memory usage itself... I have tested today again both firmwares 380.68_4 and 382.1 b3 and I got a difference in both down and upload of about 20Mbs from my 300Mb line, where with 380.68_4 I got 300Mb on both down/upload (even a bit more) and with 382.1 I reached 280/260 approx.
Any advice?
I have tested this a bit more and the problem with the max speed is due to the CPU 1 hitting 100% at 260Mb download while with 380.68_4 it is just at approx. 50% for 310Mb. I made a config reset and after that I tested again and exactly the same happened. Also it is confirmed that the new Trend Micro is the cause of the memory use increase in this version and I think it is probably the root cause of the extra CPU which is causing the issue with the speed as well. So just after the config reset, aiprotection is disabled and the memory use is about 25% and performance tests seem to be ok, but just after enabling aiprotection the memory reaches 35% and the problem with performance appears. The problem is that it seems that even disabling aiprotection later, the router doesn't go back to working normally as before, so it remains with the same memory use and same behaviour with the performance.

After going back to 380_68_4 the router is back to normal in all aspects...
 
should the router still be reaching out to "fwupdate.lostrealm.ca" even though I have check for firmware updates disabled?

Only if you click on the Check button. This is only for the scheduled check.
 
Still unable to reproduce here. I just re-imported the PIA US-Chicago config file on Client 5, added CA and CRL, entered username/password, applied, then I started it - it connected just fine.

Progress I think. Turned off other VPN and double checked all my assumptions. The "working" cert on old is different to the current in the fresh .ovpn pack... I'd been copying and pasting it as "known good". Not sure how scared I should be about that.

Using .ovpn (including as source for CA and CRL) - I now get different errors:
openvpn[30315]: TCP/UDP: Preserving recently used remote address: [AF_INET] <xxx>
openvpn[30315]: UDP link local: (not bound)
openvpn[30315]: UDP link remote: [AF_INET] <xxx>
openvpn[30315]: VERIFY ERROR: CRL not loaded
openvpn[30315]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
openvpn[30315]: TLS_ERROR: BIO read tls_read_plaintext error
openvpn[30315]: TLS Error: TLS object -> incoming plaintext read error
openvpn[30315]: TLS Error: TLS handshake failed
openvpn[30315]: SIGUSR1[soft,tls-error] received, process restarting

Checking back on cert screen to make sure it kept config - both CA and CRL appear to be there. Included in case I'm doing something so dumb it's visually obvious:
upload_2017-11-6_19-35-58.png

and
upload_2017-11-6_19-35-20.png

Saved config, booted router... still no good.

Went to Client 2. Used Default button to clear settings, uploaded chicago .ovpn settings, CA and CRL from fresh .ovpn and my user/pass. This time I got the same error as before, but after a couple of loops, it gave me something different:
openvpn[1410]: Re-using SSL/TLS context
openvpn[1410]: LZO compression initializing
openvpn[1410]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
openvpn[1410]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
openvpn[1410]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
openvpn[1410]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
openvpn[1410]: TCP/UDP: Preserving recently used remote address: [AF_INET]31.24.226.132:1198
openvpn[1410]: Socket Buffers: R=[278528->278528] S=[278528->278528]
openvpn[1410]: UDP link local: (not bound)
openvpn[1410]: UDP link remote: [AF_INET]31.24.226.132:1198
openvpn[1410]: UDP WRITE [14] to [AF_INET]31.24.226.132:1198: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
openvpn[1410]: UDP READ [26] from [AF_INET]31.24.226.132:1198: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
openvpn[1410]: TLS: Initial packet from [AF_INET]31.24.226.132:1198, sid=4aa35b2d 4b4ded6b
openvpn[1410]: UDP WRITE [22] to [AF_INET]31.24.226.132:1198: P_ACK_V1 kid=0 [ 0 ]
openvpn[1410]: UDP WRITE [182] to [AF_INET]31.24.226.132:1198: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=168
openvpn[1410]: UDP READ [1200] from [AF_INET]31.24.226.132:1198: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1174
openvpn[1410]: UDP WRITE [22] to [AF_INET]31.24.226.132:1198: P_ACK_V1 kid=0 [ 1 ]
openvpn[1410]: UDP READ [1187] from [AF_INET]31.24.226.132:1198: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1173
openvpn[1410]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=10266cbcd3f7195ed4a6d8a309ce79a9, name=10266cbcd3f7195ed4a6d8a309ce79a9
openvpn[1410]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
openvpn[1410]: TLS_ERROR: BIO read tls_read_plaintext error
openvpn[1410]: TLS Error: TLS object -> incoming plaintext read error
openvpn[1410]: TLS Error: TLS handshake failed
openvpn[1410]: TCP/UDP: Closing socket

then back to the error loop above (openvpn[30315]).

Running out of ideas.. I think firmware should be ok (checked checksum, direct cable connect upload etc...) - but other than a reflash, not sure what else to try. Weird that it "loses" the CRL.. but don't think that in itself should stop the connection. Any ideas very welcome.
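
Added example, not part of any post in this thread: a small Python triage of the OpenVPN client messages quoted above, grouping them by process id and mapping each to a likely cause. The rule names, the hint texts and the `openvpn[2222]` prefix on the last sample line are assumptions made for the example.

```python
import re

# Constructed sample: messages copied from the logs quoted in the thread.
# The pid 2222 prefix on the last line is made up for the example.
SAMPLE_LOG = """\
openvpn[30315]: UDP link local: (not bound)
openvpn[30315]: VERIFY ERROR: CRL not loaded
openvpn[30315]: TLS Error: TLS handshake failed
openvpn[1410]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=10266cbcd3f7195ed4a6d8a309ce79a9, name=10266cbcd3f7195ed4a6d8a309ce79a9
openvpn[1410]: TLS Error: TLS handshake failed
openvpn[2222]: Options error: You must define CA file (--ca) or CA path (--capath)
"""

# (rule id, pattern, hint). The hints are this example's reading of each message.
RULES = [
    ("ca_missing", re.compile(r"Options error: You must define CA file"),
     "no CA reached the OpenVPN process; confirm the pasted CA was saved"),
    ("crl_not_loaded", re.compile(r"VERIFY ERROR: CRL not loaded"),
     "CRL checking is configured but no CRL was loaded"),
    ("issuer_unknown",
     re.compile(r"VERIFY ERROR: depth=\d+, error=unable to get local issuer certificate"),
     "configured CA did not issue the server certificate; compare with the provider's current CA"),
]
LINE = re.compile(r"openvpn\[(\d+)\]: (.*)")

def triage(log_text):
    """Group messages by openvpn pid: distinct causes seen, failed handshakes."""
    result = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an openvpn syslog line
        pid, msg = m.groups()
        entry = result.setdefault(pid, {"causes": [], "failed_handshakes": 0})
        if "TLS Error: TLS handshake failed" in msg:
            entry["failed_handshakes"] += 1
        for rule_id, pattern, _hint in RULES:
            if pattern.search(msg) and rule_id not in entry["causes"]:
                entry["causes"].append(rule_id)
    return result

def report(log_text):
    """One human-readable line per (pid, cause)."""
    hints = {rule_id: hint for rule_id, _pattern, hint in RULES}
    return [f"openvpn[{pid}]: {cause}: {hints[cause]}"
            for pid, entry in triage(log_text).items()
            for cause in entry["causes"]]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```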
 