Voxel
Part of the Furniture
Release for testing.
WHY:
My current firmware is using OpenSSL v. 1.0.2. This version is still supported by the OpenSSL team, but currently only security updates are included in this version. Moreover, version 1.0.2 is supported until the end of this year (2019). After that date: EOL for 1.0.2:
https://www.openssl.org/news/secadv/20190306.txt
Note
====
OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.
So there are obvious plans to upgrade OpenSSL v. 1.0.2 to OpenSSL v. 1.1.1 in my build. The headline new feature of OpenSSL v. 1.1.1 is TLSv1.3 (not available in 1.0.2 and 1.1.0). You may google re: TLSv1.3. E.g.
https://kinsta.com/blog/tls-1-3/
Unfortunately I should keep (at least for a while) OpenSSL v. 1.0.2 (used e.g. by NG in ReadyCLOUD, net-cgi and some other NG applications, no source code for them and I cannot change them) and even 0.9.8 (NG bug, v. 0.9.8 is still used in one prebuilt binary). So step-by-step migration to OpenSSL 1.1.1.
WHAT:
Test version of my custom firmware build: 1.0.2.66.2SF.
Changes (vs 1.0.2.66.1SF):
1. OpenSSL v. 1.1.1 config: WITH_CHACHA_POLY1305 option is added.
2. OpenSSL v. 1.1.1 config: PREFER_CHACHA_OVER_GCM option is added.
3. Issue with stubby (OpenSSL v. 1.1.1) is fixed (reported by Gar).
4. curl package is upgraded 7.64.1->7.65.0.
5. uci package is upgraded 2018-08-11->2019-05-17.
Test version of my custom firmware build: 1.0.2.66.1SF.
Changes (vs 1.0.2.66SF):
1. OpenSSL v. 1.1.1b package is added.
2. OpenVPN is changed to use OpenSSL v. 1.1.1.
3. unbound package (used in stubby) is changed to use OpenSSL v. 1.1.1.
4. getdns package (used in stubby) is changed to use OpenSSL v. 1.1.1.
5. Because of “3.” and “4.” stubby now should support TLSv1.3.
6. wget package is changed to use OpenSSL v. 1.1.1.
7. transmission package is changed to use OpenSSL v. 1.1.1.
8. openssh-client add-on is changed to use OpenSSL v. 1.1.1.
What is expected when using OpenSSL 1.1.1:
Benchmarks:
OpenSSL 1.0.2
openssl speed aes-256-cbc
Code:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      57258.96k    60606.29k    63883.73k    63200.32k    63851.02k

OpenSSL 1.1.1
openssl speed aes-256-cbc
Code:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256 cbc      55545.83k    62713.88k    65533.09k    65390.25k    65483.94k    65349.69k

OpenSSL 1.0.2
openssl speed -evp aes-256-cbc
Code:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      46885.64k    54187.49k    57094.83k    57057.01k    57880.05k

OpenSSL 1.1.1
openssl speed -evp aes-256-cbc
Code:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      47949.05k    60248.70k    65065.92k    65464.08k    65243.63k    65335.38k
So there is an improvement in encryption speed, especially when the “-evp” option is used (OpenVPN).
DOT (DNS over TLS) i.e. stubby. It has to support TLSv1.3 now, so it should work faster. See /etc/stubby/stubby.yml.default example config re: how to set up TLSv1.3.
Transmission. Maybe too for encrypted connections.
OpenSSH client add-on. Theoretically should be faster too (e.g. for Reverse SSH Tunneling).
Well, I am an ordinary consumer of NG products and I do not have the possibility to test everything. There should be various OpenVPN providers, different ISPs with different speed plans, connections etc. at my disposal... So I’d expect feedback from guys who are interested. Mainly interested are OpenVPN/DOT/Transmission users. But everyone is welcome too. Let us improve firmware together ;-)
The link is:
https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).
Folder OpenSSL 1.1.1
Voxel.
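An added example, not part of Voxel's post: a small parser for the `openssl speed` summary tables quoted above that computes the per-block-size change between the 1.0.2 and 1.1.1 `-evp` runs. The function names are hypothetical; the figures are the ones from the post, and the 16384-byte column that only 1.1.1 reports is left out of the comparison.

```python
import re

# Summary tables copied from the post ("openssl speed -evp aes-256-cbc").
EVP_102 = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 46885.64k 54187.49k 57094.83k 57057.01k 57880.05k
"""
EVP_111 = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-256-cbc 47949.05k 60248.70k 65065.92k 65464.08k 65243.63k 65335.38k
"""


def parse_speed(text):
    """Parse an `openssl speed` summary table into {block_size: 1000s of bytes/s}."""
    sizes, rates = [], []
    for line in text.splitlines():
        if line.startswith("type"):
            # Header row: "type 16 bytes 64 bytes ..."
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif re.search(r"\d+\.\d+k", line):
            # Data row: cipher name followed by "<rate>k" columns
            rates = [float(v) for v in re.findall(r"(\d+\.\d+)k", line)]
    if not sizes or len(sizes) != len(rates):
        raise ValueError("header and data columns do not match")
    return dict(zip(sizes, rates))


def compare(old_text, new_text):
    """Percent change per block size, only for sizes both runs measured."""
    old, new = parse_speed(old_text), parse_speed(new_text)
    common = sorted(old.keys() & new.keys())
    return {s: round((new[s] / old[s] - 1) * 100, 1) for s in common}


if __name__ == "__main__":
    for size, pct in compare(EVP_102, EVP_111).items():
        print(f"{size:>5} bytes: {pct:+.1f}%")
```
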