[Beta] Asuswrt-Merlin 384.11 Beta is now available

[skeal]

try using it and see what happens with your ovpn issues.

No change. Still the same. My initial clock set doesn't take place until 45 seconds before the last log entry of the reboot.

 

[skeal]

try using it and see what happens with your ovpn issues.

I too believe it is a race condition of sorts.

 

[joe68000]

This is a browser feature, unrelated to the router.

Setting the following in Firefox 66.0.3 (Mac) passes the test:
network.trr.mode = 2
network.security.esni.enabled = true

Setting network.trr.mode = 3, did not work for me, but 2 does. I'm not sure how else to verify ESNI.

 

[skeal]

Setting the following in Firefox 66.0.3 (Mac) passes the test:
network.trr.mode = 2
network.security.esni.enabled = true

Setting network.trr.mode = 3, did not work for me, but 2 does. I'm not sure how else to verify ESNI.

I think if you check this out the esni process in firefox products requires the DoH to work.

 

[joe68000]

I think if you check this out the esni process in firefox products requires the DoH to work.

It's interesting. When I enable these settings in Firefox and retest cloudflare DNS, I get "Using DNS over TLS (DoT)" now showing "Yes". Didn't make any changes to the RT-AC5300. I'm currently on 384.10_2 with Stubby 1.1.1 (Diversion, pixelserv-tls static w/ TLS 1.3) using the PIA VPN client with the router DNS.

 

[Mutzli]

I only have the one entry for time server, (pool.ntp.org) and no other NTP settings. See attached image.View attachment 17251

Did you ever try an NTP server that is closer to you. I configured one a few miles down the road from me and it syncs the time much faster than the generic pool.ntp.org. You can find ntp servers on a wiki list from ntp.org. Than test the latency with a ping for each server listed and choose the lowest one. I.e. mine went from 110ms for pool.ntp.org to 18ms with this one 64.113.44.54

 

[Mutzli]

It's interesting. When I enable these settings in Firefox and retest cloudflare DNS, I get "Using DNS over TLS (DoT)" now showing "Yes". Didn't make any changes to the RT-AC5300. I'm currently on 384.10_2 with Stubby 1.1.1 (Diversion, pixelserv-tls static w/ TLS 1.3) using the PIA VPN client with the router DNS.

I wouldn't use Firefox's implementation since its running through a proprietary DoH on Firefox's own servers circumventing your DNS implementation. I would wait with eSNI until its an accepted standard.

 

[joe68000]

I wouldn't use Firefox's implementation since its running through a proprietary DoH on Firefox's own servers circumventing your DNS implementation. I would wait with eSNI until its an accepted standard.

Ah, ok. Good advice. Thanks.

 

[win465]

Should I downgrade if I have 384.11 Beta 1 running on 87u? Everything is running fine for me since updating the firmware last night.

 

[Striker317]

Should I downgrade if I have 384.11 Beta 1 running on 87u? Everything is running fine for me since updating the firmware last night.

Why are you thinking of downgrading?

 

[win465]

Why are you thinking of downgrading?

EDIT: RT-AC87U and RT-AC3100 beta 1 builds were pulled, as the images seem to suffer from the same corruption issues that recently affected Asus's own RT-AC68U 384_45708 release.

 

[skeal]

@RMerlin Yahoo I figured out the OVPN and reboot conflict on my AX88U. If I rebooted with the OVPN Server, or Client, or both set to start at boot up, the router would fail to get it's NTP update and then of course the WAN wouldn't come up. It was caused by a race condition. The race with, I do not know. But if I run this ovpn-start script I dug up, from post-mount everything works perfect. Script location:

/jffs/scripts/ovpn-start

Script contents:

#!/bin/sh
#/jffs/scripts/ovpn-start
#Delay Openvpn Server1 and Client1 until NTP update is complete (auto start in webui must be set to no)
c=0
while [ $(date +%Y) -lt 2015 -a $c -lt 20 ]
do
c=`expr $c + 1`
logger "OVPN Waiting for Time Adjustment...."
sleep 1s
done
logger "Starting OVPN Services"
service start_vpnclient1
sleep 10s
service start_vpnserver1

This in post-mount:

sh /jffs/scripts/ovpn-start

I've tested this over and over and it works.

 

[RMerlin]

I have regenerated all the SDK6/SDK7 firmware images with the new compression option disabled. They should appear on Onedrive/Sourceforce in a little while. The ZIP filename will have beta1b . The firmware version will still show as beta1 - I haven't recompiled the code, simply rebuilt the .trx files with the mksquashfs change.

I recommend everyone to upgrade, just in case there might also be filesystem corruption issues with other models.

I haven't rebuilt the HND models (AC86U and AX88U) because they use ubifs, as well as a newer kernel, so in theory these should be fine.

Interesting thing is the corrupted images will read just fine on my Linux VM, but mounting them on a loopback on the routers themselves will generate read errors while accessing certain files. I suspect it could be a bug in the older kernel, or an incompatibility between mksquashfs and these kernel releases.

I'm not 100% sure this was the cause, but it's what made the most sense (unfortunately, I cannot reproduce the problem every time I build an image). Only testing in the long run will confirm this was the issue.

 

[RMerlin]

@RMerlin Yahoo I figured out the OVPN and reboot conflict on my AX88U. If I rebooted with the OVPN Server, or Client, or both set to start at boot up, the router would fail to get it's NTP update and then of course the WAN wouldn't come up. It was caused by a race condition

While this workaround might work, it won't resolve the root cause.

I haven't had time to look into that yet, was busy dealing with the corrupted image generation. I will do a more torough review of the boot time code to ensure that VPN instances get started as late as possible after ntp has been properly set (and ideally after DoT has also been established).

 

[Joey Crocker]

Recovery flash usually requires a stock firmware. You can use any of the official ASUS ones. That's what I used, and then flashed back to Merlin 384.10_2.



A few other people had this problem too. Please look into this!

Any tips on doing the flash as mine keeps failing around 81% using latest official asus firmware.

 

[elorimer]

The firmware version will still show as beta1

Embarrassed to ask this, but how could I tell if the B1b "took"? On Tools|System information I'm showing a Friday build--should that be Saturday?

 

[DonnyJohnny]

Any tips on doing the flash as mine keeps failing around 81% using latest official asus firmware.

Try to use lan and install via http and not https.
Also disable air protection and restart before reflash. (Sometime maybe due to lack of memory)

 

[win465]

Embarrassed to ask this, but how could I tell if the B1b "took"? On Tools|System information I'm showing a Friday build--should that be Saturday?

I would also like to know this.

 

[Joey Crocker]

Try to use lan and install via http and not https.
Also disable air protection and restart before reflash. (Sometime maybe due to lack of memory)

Kind of hard when the beta bugged up the ability to access the gui. I am talking about the rescue install

 

[Striker317]

EDIT: RT-AC87U and RT-AC3100 beta 1 builds were pulled, as the images seem to suffer from the same corruption issues that recently affected Asus's own RT-AC68U 384_45708 release.

I wonder if Merlin meant ac88u as that is a close variant of the Ac3100.

If you can get into the GUI on your ac87u, then you are probably fine.