[Beta] Asuswrt-Merlin 384.11 Beta is now available

[RMerlin]

Asuswrt-Merlin 384.11 Beta is now available for all supported models. This release features a number of significant changes.

May 2nd: Beta 2 is now available. Changes since beta 1:

fa828bc7b8 (tag: 384.11-beta2, master) Updated documentation
3e6c8760a1 webui: remove other dead symlinks for IPTV page
a79a4a3162 netool: enable Netool support for all models
b582bbaa7e (origin/master, origin/HEAD) rc: let router implicitly use dot w/o caching resolver
bcb7240f4b httpd: report BCM490x CPU as Cortex A53 instead of B53 to reduce confusion
f9ca291edf httpd: fix out-of-bounds read in handle_request()
b5d582b7a7 rom: removed seldom-used unfiltered Quad9 DNS, added secondary filtered servers for consistency
ce7c29c719 webui: format DFS elapsed time string
62f37c9119 webui: fix undefined element JS error on Netstat page
ecf0ff7095 webui: implement netstat-nat support to the new netool-based Netstat page
c59666eaef rc: fix traceroute path
08855d28a4 webui: add Netool-aware pages to the RT-AC86U
125c222cd5 webui: remove dead symlink in RT-AC86U sysdeps
33b3aac661 build: re-enable NETOOL for RT-AC86U
7d4abd8a17 httpd: fix incorrect mimetype for wcdma_list.js and help_content.js (fixes #305)
80a0f5a7f3 webui: only restart upnp if firewall isn't getting restarted
437ed37f87 rc: do not restart firewall when restarting time services
ef2ffc5403 webui: note that IPv6 is not supported by ntp redirection
e04bbf7a6c rc: use REDIRECT target instead of DNAT to intercept ntp traffic, as it's more efficient; fix incorrect nvram check
4eb08896e8 webui: hide option to disable scheduled new FW checks; fix contextual help
026561390d webui: hide ntpd settings if not supported
0a83fb9857 ntpd: implement option to redirect LAN requests to the router
43611e5586 rc: add ntpd flag to rc_support
6810e52f68 rom: Updated DoT presets
dbfbc26a18 rc: wanduck: fix possible name buffer overflow
bcae5f99bc Bump revision to beta 2
ff00c0baee kernel: fix squashfs false-positive decode error
21c1d0ed57 rc: rename stubby.add custom config to stubby.yml.add for consistency
37c0f140c6 rc: stubby: rely on openssl to locate the CA bundle
e8884dff07 rc: remove support for replacing stubby.yml

The highlights:

• New DNS Privacy feature, with DNS-over-TLS support. Configurable under WAN -> Internet Connection, this feature lets you connect with DNS servers that support DNS-over-TLS (DoT). DoT allows your DNS queries to be encrypted, preventing snooping from your ISP or anyone else in transit. Please visit https://dnsprivacy.org/wiki/ for more info on this protocol.

• Replaced the custom ntpclient with an ntp daemon. This daemon acts as a client (to sync your router's clock with the NTP servers configured on the router's System -> Administration page), but it can also be used as an ntp server for your LAN devices. Server functionality can be enabled on the System Administration page. Afterward, you can configure your LAN clients to use your router's IP as their NTP server.

• GPL merges: 384_5951 (RT-AX88U), 384_45713 (all other models). Note that the RT-AC87U and RT-AC3200 are still using the 384_45149 binary blobs for their closed source components.

• Component updates: nano (4.0), curl (7.64.1), dropbear (2019.78).

• Reworked the Firmware Upgrade page. The option to enable/disable automated checks are now on that page, and support for the Beta channel has been removed. Also, the popup reporting a new firmware release will now display that new firmware's version.

• Cleanups to the DDNS page (removed the annoying alert() popups, and moved the notification within the page itself)

• Moved some DNS settings (like DNSSEC) from the DHCP to the Internet Connection page

• Moved LED control to the System -> Administration page

• Editing devices on the Network Map will no longer restart your entire network, only dnsmasq itself. It means that blocking Internet access through it might not immediately come into effect, however the previous behaviour made it impossible to edit multiple clients.

• Custom config/script changes: added service-event-end (run at the end of an rc service event, same parameter as service-event), stubby.postconf/add support (for customizing the DNS Privacy configuration). pre-mount will now receive the filesystem as a second argument.

• Reboot Scheduler should be more reliable and less likely to corrupt plugged USB disks now

• Security issue CVE-2019-1543 resolved in OpenSSL 1.1.x

Please see the Changelog for the complete list of changes.


DNS Privacy:
To configure, simply go to the WAN -> Internet Connection page. Set DNS Privacy protocol to "DNS-over-TLS". Then select at least one server from the Preset drop-down to populate the fields below it, then click on the + button to add the server to the list. You can add multiple servers if needed, but two servers is generally sufficient. There are help popups available on most settings, by clicking on the label.

You can also manually add any desired server if it's not listed in the Presets (only some of the most popular ones are listed, as to keep the list to a manageable length).

DNS Privacy acts by replacing your WAN DNS servers on the router with those configured in the DNS-over-TLS server list. If you have OpenVPN Client set to enforce the use of the VPN server's DNS (Exclusive DNS mode on the VPN config page), or if you have LAN devices set to use a specific DNS server through DNSFilter, these will still go through their enforced server just like before. If you want to force client devices to use the DoT servers, then use DNSFilter in "Router" mode (either globally, or on a per client basis).

DNSSEC is fully supported as before, however note that due to a problem with Cloudflare's test method, their test sites will report failure when DNSSEC is enabled. This is because their test URLs refer to subdomains that are not properly DNSSEC signed, and the router's DNSSEC validation rejects them as invalid, which causes the test to fail. The only real way (known at this time) to fully test things is to use packet monitoring using something like tcpdump on your router (installable through Entware).


Things to test:

• DNS-over-TLS in general. Make sure you read the notes above first!
• NTP, NTPD, and the clock behaviour in general
• Beta 2: New option to redirect NTP client requests to the router's NTPD
• Beta 2: Updated Network Tools pages

Please keep discussions in this thread on this specific beta release.


Downloads are here.
Changelog is here.

 

[RMerlin]

Known issues:

• Providing a custom stubby.yml prevents the router from properly starting/setting clock at boot time. (that's because at boot time, stubby.yml must tell stubby NOT to enable TLS mode until the clock has been set. Support for stubby.yml replacement has been removed in beta2, ensuring users rely on .add or on .postconf to customize stubby)
• Squashfs errors on some models (Beta 2 contains a kernel level fix for the root issue.)
• Setting nvram through httpApi doesn't work for some models (Fixed in beta2).
• Traceroute returning weird results on routers using older kernels (probably compatibility issue with either kernel 2.6.36 or uclibc. Final release will revert Network Tools back to their former implementation except for RT-AC86U and RT-AX88U)
• QoS rule priorities (Adaptive QoS) are lost after a firmware upgrade (Bug in closed source components, already fixed upstream by Asus, have to wait for next GPL release with that fix)
• Toggling SSH settings do not apply (sshd isn't properly restarted when settings are changed)

 

[cybrnook]

Thanks for supporting DoT

 

[Swistheater]

Asuswrt-Merlin 384.11 Beta is now available for all supported models. This release features a number of significant changes.

The highlights:

• New DNS Privacy feature, with DNS-over-TLS support. Configurable under WAN -> Internet Connection, this feature lets you connect with DNS servers that support DNS-over-TLS (DoT). DoT allows your DNS queries to be encrypted, preventing snooping from your ISP or anyone else in transit. Please visit https://dnsprivacy.org/wiki/ for more info on this protocol.
• Replaced the custom ntpclient with an ntp daemon. This daemon acts as a client (to sync your router's clock with the NTP servers configured on the router's System -> Administration page), but it can also be used as an ntp server for your LAN devices. Server functionality can be enabled on the System Administration page. Afterward, you can configure your LAN clients to use your router's IP as their NTP server.
• GPL merges: 384_5951 (RT-AX88U), 384_45713 (all other models). Note that the RT-AC87U and RT-AC3200 are still using the 384_45149 binary blobs for their closed source components.
• Component updates: nano (4.0), curl (7.64.1), dropbear (2019.78).
• Reworked the Firmware Upgrade page. The option to enable/disable automated checks are now on that page, and support for the Beta channel has been removed. Also, the popup reporting a new firmware release will now display that new firmware's version.
• Cleanups to the DDNS page (removed the annoying alert() popups, and moved the notification within the page itself)
• Moved some DNS settings (like DNSSEC) from the DHCP to the Internet Connection page
• Moved LED control to the System -> Administration page
• Editing devices on the Network Map will no longer restart your entire network, only dnsmasq itself. It means that blocking Internet access through it might not immediately come into effect, however the previous behaviour made it impossible to edit multiple clients.
• Custom config/script changes: added service-event-end (run at the end of an rc service event, same parameter as service-event), stubby.postconf/add support (for customizing the DNS Privacy configuration). pre-mount will now receive the filesystem as a second argument.
• Reboot Scheduler should be more reliable and less likely to corrupt plugged USB disks now
• Security issue CVE-2019-1543 resolved in OpenSSL 1.1.x

Please see the Changelog for the complete list of changes.

DNS Privacy:
To configure, simply go to the WAN -> Internet Connection page. Set DNS Privacy protocol to "DNS-over-TLS". Then select at least one server from the Preset drop-down to populate the fields below it, then click on the + button to add the server to the list. You can add multiple servers if needed, but servers is generally sufficient. There are help popups available on most settings, by clicking on the label.

You can also manually add any desired server if it's not listed in the Presets (only some of the most popular ones are listed, as to keep the list to a manageable length).

DNS Privacy acts by replacing your WAN DNS servers on the router with those configured in the DNS-over-TLS server list. If you have OpenVPN Client set to enforce the use of the VPN server's DNS (Strict DNS mode on the VPN config page), or if you have LAN devices set to use a specific DNS server through DNSFilter, these will still go through their enforced server just like before. If you want to force client devices to use the DoT servers, then use DNSFilter in "Router" mode (either globally, or on a per client basis).

DNSSEC is fully supported as before, however note that due to a problem with Cloudflare's test method, their test sites will report failure when DNSSEC is enabled. This is because their test URLs refer to subdomains that are not properly DNSSEC signed, and the router's DNSSEC validation rejects them as invalid, which causes the test to fail. The only real way (known at this time) to fully test things is to use packet monitoring using something like tcpdump on your router (installable through Entware).


Things to test:

• DNS-over-TLS in general. Make sure you read the notes above first!
• NTP, NTPD, and the clock behaviour in general

Please keep discussions in this thread on this specific beta release.

Downloads are here.
Changelog is here.

is there away to add a slight delay between when the DoT custom scripts get applied--- I notice without me manually putting a delay, then they will not get applied properly and it results in no internet connection.

 

[RMerlin]

is there away to add a slight delay between when the DoT custom scripts get applied--- I notice without me manually putting a delay, then they will not get applied properly and it results in no internet connection.

Which script are you referring to exactly? The implementation should be 100% identical to every other services, so I see no reason for it to behave differently.

 

[Swistheater]

well if i override with a stubby.yml script even if i use the same parameters in the original it gives issues with establishing connection to the internet or if I use helper script to add lines using postconf I get the same outcome. if i add a sleep delay using postconf before it uses the helper script i do not have any issues. Note all these issues occur during when it gets applied after a reboot.

 

[Swistheater]

it is something that really needs to be tested to see what is going on to cause the issues.

 

[John Fitzgerald]

DNS Privacy:
To configure, simply go to the WAN -> Internet Connection page. Set DNS Privacy protocol to "DNS-over-TLS". Then select at least one server from the Preset drop-down to populate the fields below it, then click on the + button to add the server to the list. You can add multiple servers if needed, but servers is generally sufficient. There are help popups available on most settings, by clicking on the label.

Thank you for all your hard work!

I think a word is missing here from above paragraph, looking for clarification:
"but (one/two) server(s) is generally sufficient."

 

[vdemarco]

so does ipv6 work if i do the wan-start script with those settings that can be found here?

 

[skeal]

With regard to the AX88U. I flashed the Beta over the Alpha 4 and still the same reboot issue. With OVPN Server and/or Client set to start at boot, the router will not connect to the internet. I tried several different ways with and without DNSSEC and such and still no way will the time sync or the WAN connection come up. Also the reboot button on any page doesn't seem to work reliably. If you don'y have a NTP sync then the reboot button doesn't seem to work. If you disable both OVPN Server and Client starting at boot then the router comes up clean. You can then manually start the server and client, just don't reboot with the server running.

 

[Swistheater]

You might be able to make a script that starts and stops it that triggers after polling services. Just until this gets fixed.*reply to skeal*

 

[EmeraldDeer]

well if i override with a stubby.yml script even if i use the same parameters in the original it gives issues with establishing connection to the internet or if I use helper script to add lines using postconf I get the same outcome. if i add a sleep delay using postconf before it uses the helper script i do not have any issues. Note all these issues occur during when it gets applied after a reboot.

I have not had trouble with stubby.postconf although I do not use a VPN client

# cat /jffs/scripts/stubby.postconf
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
#
pc_delete "tls_query_padding_blocksize" $CONFIG
pc_delete "round_robin_upstreams" $CONFIG
pc_delete "tls_connection_retries" $CONFIG
pc_delete "tls_backoff_time" $CONFIG
pc_delete "timeout" $CONFIG
#
pc_append "idle_timeout: 9900" $CONFIG
#

 

[EmeraldDeer]

so does ipv6 work if i do the wan-start script with those settings that can be found here?

Yes

# cat /jffs/scripts/wan-start
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
#
#echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
#echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding
#

 

[Swistheater]

I have more success with postconf modifications than I do with replacing using /jffs/configs/stubby.yml

 

[truglodite]

Another dirty flash from a4 to b1... second flash today... same awesome result on my ac86u+diversion+pixelserv+skynet+yazfi. My vpn client and server are also still working well, and of course no issues with ntpd or dot. Love the new "Internet Status" page... overridden by privacy server... yeah baby, yeah!

Thanks Eric!!!

 

[bbunge]

384.11 Beta 1 running well with modified stubby.yml to enable DNSSEC in Stubby, set round_robin=0, store the root keys in /jffs and set min TLS to 1.3. Also added proxy_dnssec to dnsmasq.
Note to those to whom the above will confuse: you should run very well with the Merlin settings from the GUI. I've been testing DoT/DNSSEC for a while and am old and set in my ways. As I dig deeper into the inner workings of this firmware I plan to make other changes to suit my preferences.

 

[RMerlin]

Thank you for all your hard work!

I think a word is missing here from above paragraph, looking for clarification:
"but (one/two) server(s) is generally sufficient."

That meant to be "two servers".

 

[maxbraketorque]

The commits after April 23 are what's new compared to a4?

 

[Reinvented]

Hi Eric,

Great work! I've been very interested in this since you released it. I tried Alpha 4 a few days ago, but I was unable to access the GUI after a clean flash. Ended up having to do a recovery flash to stock to get it to work again. Would I experience the same problems with this Beta on my AC3100?

 

[Magnus33]

Humming along happily on the 86U with no issues to report so far.

Now if asus could get dual wan to work in anything but a flaky mode it would be xmas