
Release [Beta] Asuswrt-Merlin 384.19 beta is now available

Upgraded my RT-AC86U from 384.18 to 384.19 Beta 1. Although I properly ejected the USB drive the first upgrade failed after only a few percent: "Firmware upgrade unsuccessful. This may result from incorrect image or error transmission. Please check the version of firmware and try again.". Even though that error message already appeared at less than 10% the progress bar still slowly proceeded to 100%. Unfortunately the router was still at 384.18 then. A second attempt with the same firmware image was successful (free RAM memory seemed to be about the same in both attempts). No JFFS corruption here it seems (but I had plenty of free space).
Same happened on my routers, on the second try it worked also.
 
@RMerlin : Hi, First thanks for all your work.

I would like to ask if it is possible to add a VPN "uptime" feature here? Thanks
 
Merlin's firmware does not need the Call Stranger patch; it does not have that exploit.

Sorry but now I'm confused. The change log for AC68U says this:

- UPDATED: Merged bwdpi components from 385_20630 firmware
image for RT-AC68U.

And the ASUS website shows this related to 3.0.0.4.385.20630.

So RMerlin replaced the component that had the vulnerability? Just trying to understand the situation.
 
Sorry but now I'm confused. The change log for AC68U says this:

- UPDATED: Merged bwdpi components from 385_20630 firmware
image for RT-AC68U.

And the ASUS website shows this related to 3.0.0.4.385.20630.
So RMerlin replaced the component that had the vulnerability? Just trying to understand the situation.
They are referring only to the 88U
 
Asus also uses miniupnpd. Their changelog is wrong, the firmware was never vulnerable.
 
Hi all
THIS IS SOLVED...... SBS :rolleyes::mad::cool:
I have a problem with "nslookup" in the latest FW. Sometimes it's hit or miss whether it is working.
It can work "one" time and no more, very strange. Is it working for you?
@dave14305 you helped me last time.....:cool:

Code:
# CN taken from the log, e.g. "vpn01.prd.malmo.ovpn.com"
CN="$(grep -E "CN" /tmp/vpnclient-3.log | tail -n 1 | cut -d '=' -f3)"
# Resolved address, e.g. "185.86.106.132" (awk skips the resolver's own address lines)
GROUP_IP="$(nslookup "$CN" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2')"

# GROUP_IP="$(nslookup "$CN" | awk 'NR>2&&$1=="Address"{print $3;exit}')"

Have tested both nslookup example here:
@RMerlin
When is the vpn log written, do I have my till / tmp just before the vpn comes up?
EDIT: seems to work if i wait some time...........
Code:
+ echo 3
+ grep -qwE [1,3]
+ grep -E VERIFY OK: depth=0, /tmp/vpnclient-3.log
+ tail -n 1
+ cut -d = -f3
+ CN=
+ awk NR>2
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ nslookup
nslookup: can't resolve ''
+ GROUP_IP=
I also had issues with nslookup not working too. I got it to work again by turning off local caching DNS in Tools -> Other Settings -> Wan: Use local caching DNS server as system resolver (default: No)
 
After a factory reset with this firmware I configured only one VPN client (DNS in 'exclusive' mode, no policy routing). I still have DNS leaks which is not normal.

Cannot reproduce here. I just tested all modes. I have one OpenVPN client configured with DNS set in Exclusive mode.

I set Force Internet Traffic through Tunnel to Yes, and dnsleaktest.com reports the VPN's DNS.

Then I switched to Policy Mode, added my test laptop to the VPN, and dnsleaktest still reports the tunnel VPN.

Switched to Force Internet Traffic to No, tested again: still reporting the VPN's DNS.

Turned tunnel off, tested one last time: back to ISP DNS.

Please post the content of /etc/openvpn/client1/dns.sh, /etc/openvpn/client1/config.ovpn, as well as the system log entries during the client connection.
 
I would like to ask if it is possible to add a VPN "uptime" feature here? Thanks

OpenVPN does not provide that information, so the router would have no way of knowing if the client lost its connection and reconnected.
 
So RMerlin replaced the component that had the vulnerability? Just trying to understand the situation.

The latest GPL for the RT-AC68U is too old and contains binary components that are no longer compatible with the code I used for all other models. To be able to remain compatible, I needed to update the Trend Micro component to be on par with these models. I had to extract them from a firmware image, this is what the changelog entry is about.
 
Cannot reproduce here. I just tested all modes. I have one OpenVPN client configured with DNS set in Exclusive mode.

I set Force Internet Traffic through Tunnel to Yes, and dnsleaktest.com reports the VPN's DNS.

Then I switched to Policy Mode, added my test laptop to the VPN, and dnsleaktest still reports the tunnel VPN.

Switched to Force Internet Traffic to No, tested again: still reporting the VPN's DNS.

Turned tunnel off, tested one last time: back to ISP DNS.

Please post the content of /etc/openvpn/client1/dns.sh, /etc/openvpn/client1/config.ovpn, as well as the system log entries during the client connection.
I've been doing a lot of testing with all of the OpenVPN DNS settings during the past several days as I implement the required changes in x3mRouting for those who use the LAN Routing and OpenVPN Client Screen features. Everything is working as you report above. The coding of the changes is completed. I did another round of testing this morning and all checks out. I will now update the x3mRouting installation menu to perform the necessary updates.
 
Cannot reproduce here. I just tested all modes. I have one OpenVPN client configured with DNS set in Exclusive mode.

I set Force Internet Traffic through Tunnel to Yes, and dnsleaktest.com reports the VPN's DNS.

Then I switched to Policy Mode, added my test laptop to the VPN, and dnsleaktest still reports the tunnel VPN.

Switched to Force Internet Traffic to No, tested again: still reporting the VPN's DNS.

Turned tunnel off, tested one last time: back to ISP DNS.

Please post the content of /etc/openvpn/client1/dns.sh, /etc/openvpn/client1/config.ovpn, as well as the system log entries during the client connection.

Here is the requested information. The router's logdata is attached in 'RT_AX88U_log.txt'.

/etc/openvpn/client1/dns.sh:
xxxxxxx@RT-AX88U-F5E0:/# cat /etc/openvpn/client1/dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1


/etc/openvpn/client1/config.ovpn:
intrepid@RT-AX88U-F5E0:/# cat /etc/openvpn/client1/config.ovpn
daemon ovpn-client1
client
dev tun11
txqueuelen 1000
proto udp
remote netherlands-thehague-ca-version-2.expressnetw.com 1195
connect-retry-max 15
nobind
persist-key
persist-tun
compress
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-256-CBC
auth SHA512
route-noexec
tls-auth static.key 1
ca ca.crt
cert client.crt
key client.key
verify-x509-name "Server" name-prefix
auth-user-pass auth
up 'ovpn-up 1 client'
down 'ovpn-down 1 client'
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 1
status-version 2
status status 5

# Custom Configuration
fast-io
tun-mtu 1500
fragment 1300
mssfix 1200
verify-x509-name Server name-prefix


Update:

I was doing some more tests with 384.19b1 and I noticed something that might be of interest:

If an IP-address is specified, then there are no DNS leaks! The VPN provider's DNS server is used.

(172.16.1.11 is the LAN IP address of my PC)

When performing iptables --line -t nat -nvL DNSVPN1, I see this in the console:

intrepid@RT-AX88U-F5E0:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (2 references)
num pkts bytes target prot opt in out source destination
1 134 9094 DNAT all -- * * 172.16.1.11 0.0.0.0/0 to:10.57.0.1





If a subnet is specified, then I have DNS leaks! The WAN's DNS server is used.


When performing iptables --line -t nat -nvL DNSVPN1, I see this in the console:

intrepid@RT-AX88U-F5E0:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (2 references)
num pkts bytes target prot opt in out source destination


In the above output, a rule is missing and I guess that's the reason I have these DNS leaks..
Why is this rule missing?? I don't know. Could this be a timing-related issue? In that case it might be machine dependent.

In both scenarios individually tested, ipleak.net does report the VPN provider's IP-address. I don't see my ISP public WAN IP and this tells me that traffic is routed through the VPN tunnel.
 

In the above output, a rule is missing and I guess that's the reason I have these DNS leaks..
Why is this rule missing?? I don't know. Could this be a timing-related issue? In that case it might be machine dependent.

I suspect it could be a problem caused by the format when a subnet is used.

Can you check what dns.sh contains if you try to use a subnet?
 
I suspect it could be a problem caused by the format when a subnet is used.

Can you check what dns.sh contains if you try to use a subnet?

This is the output when using a subnet:
xxxx@RT-AX88U-F5E0:/tmp/home/root# cat /etc/openvpn/client1/dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1




This is the output when using a single IP-address:
xxxx@RT-AX88U-F5E0:/tmp/home/root# cat /etc/openvpn/client1/dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1
/usr/sbin/iptables -t nat -A DNSVPN1 -s 172.16.1.11 -j DNAT --to-destination 10.70.0.1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
 
Last edited:
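
The two dns.sh listings above differ only in the DNAT line, so the condition can be checked statically. The following is an added example, not part of the original posts and not firmware code: a POSIX shell function (the name `dns_chain_status` and the sample files are assumptions made for illustration) that reports whether a generated dns.sh sends port 53 to a DNSVPN chain that never receives a DNAT rule.

```shell
#!/bin/sh
# dns_chain_status FILE  (added example, not firmware code)
#   "ok <chain> <n>"  every DNSVPN chain hooked from PREROUTING has n>=1 DNAT rules
#   "leak <chain>"    a hooked chain has no DNAT rule (the case the poster saw leaking)
#   "nohook"          port 53 is never sent to a DNSVPN chain
#   exit status: 0 ok, 1 leak, 2 nohook
dns_chain_status() {
    awk '
    {
        hook = 0; dnat = 0; target = ""; appended = ""
        for (i = 1; i < NF; i++) {
            nxt = $(i + 1)
            if (($i == "-I" || $i == "-A") && nxt == "PREROUTING") hook = 1
            if ($i == "-A" && nxt ~ /^DNSVPN[0-9]+$/) appended = nxt
            if ($i == "-j" && nxt ~ /^DNSVPN[0-9]+$/) target = nxt
            if ($i == "-j" && nxt == "DNAT") dnat = 1
        }
        if (hook && target != "") hooked[target] = 1
        if (dnat && appended != "") rules[appended]++
    }
    END {
        n = 0
        for (c in hooked) { n++; if (rules[c] + 0 == 0) { print "leak " c; exit 1 } }
        if (n == 0) { print "nohook"; exit 2 }
        for (c in hooked) print "ok " c " " rules[c]
    }' "$1"
}

# Constructed samples mirroring the two dns.sh variants posted in the thread.
SAMPLES="$(mktemp -d)"
cat > "$SAMPLES/subnet.sh" <<'EOF'
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
EOF
cat > "$SAMPLES/single.sh" <<'EOF'
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1
/usr/sbin/iptables -t nat -A DNSVPN1 -s 172.16.1.11 -j DNAT --to-destination 10.70.0.1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
EOF

for f in "$SAMPLES/subnet.sh" "$SAMPLES/single.sh"; do
    printf '%s: ' "${f##*/}"
    dns_chain_status "$f" || true
done
```

On the router the same function can be pointed at /etc/openvpn/client1/dns.sh after the client connects; a "leak" result corresponds to the empty `iptables --line -t nat -nvL DNSVPN1` listing shown earlier.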
Got a question for someone or anyone with some knowledge of the issue.
I'm currently getting a speed issue. I'm posting here just to make sure it's not a Merlin firmware problem, but it probably is not.

My question is this: I have an RT_AC88U and I just had my fiber internet regrade complete for 900mb download, 120mb up.
Now here is the issue: I'm getting the correct upload speed, 120mb, but I'm only getting slightly over half my download speed. Can this router handle a 1gbs fiber connection? I should be getting 900+ but I'm only getting 540mb down.

My PC's giga port and the Killer port, which I also tried, are both set to 1000mb full duplex when tested, and both the PC and the router show 1gbps full duplex, so I'm not sure what's going on here. Does anyone know if this router is even capable of these speeds?
 
Got a question for someone or anyone with some knowledge of the issue.
I'm currently getting a speed issue. I'm posting here just to make sure it's not a Merlin firmware problem, but it probably is not.

My question is this: I have an RT_AC88U and I just had my fiber internet regrade complete for 900mb download, 120mb up.
Now here is the issue: I'm getting the correct upload speed, 120mb, but I'm only getting slightly over half my download speed. Can this router handle a 1gbs fiber connection? I should be getting 900+ but I'm only getting 540mb down.

My PC's giga port and the Killer port, which I also tried, are both set to 1000mb full duplex when tested, and both the PC and the router show 1gbps full duplex, so I'm not sure what's going on here. Does anyone know if this router is even capable of these speeds?
If you have QoS or AiProtection enabled, that would be one possible reason.
 
Does /jffs/scripts/ddns-start get called more than once after a router reboot?

I added sending a push notification with the new IP in that script and I received two notifications (4 minutes apart).
 
Posted Here:

I don't know how long it has been a bug but I have 2 issues:

I am not able to save anything on the Administration -> System page because my " Router Login Name " begins with a number.
I get " Only alphanumeric characters and dash symbol are accepted. The first character cannot be a dash - . "

And once changed to something w/o a beginning number I am able to save the settings but the next time I try to save any settings I get " This account already exists. Please enter a different name. "
 
Posted Here:

I don't know how long it has been a bug but I have 2 issues:

I am not able to save anything on the Administration -> System page because my " Router Login Name " begins with a number.
I get " Only alphanumeric characters and dash symbol are accepted. The first character cannot be a dash - . "

And once changed to something w/o a beginning number I am able to save the settings but the next time I try to save any settings I get " This account already exists. Please enter a different name. "
No need to cross post. This thread is for those who will give feedback for the .19 beta. Your issue seems to be unique to you and possibly well before .19 or .18. Wait for others to read your thread and if possible reply to it.
 
No need to cross post. This thread is for those who will give feedback for the .19 beta. Your issue seems to be unique to you and possibly well before .19 or .18. Wait for others to read your thread and if possible reply to it.
Why would the issue be unique to me?

If the logic check is wrong it is wrong for everybody...
The error clearly states only alphanumeric characters allowed and my username is only alphanumeric. Furthermore it was set by the webui once and a leading numeric digit was allowed at one time.

The error seems generic to the webUI code!!

and the cross post is because it is not unique to ver .19
 