[Dev] Asuswrt-Merlin 388.1 development

[Tech9]

or does @Tech9 have a link to the "insider" on this model

Is this a router? I installed 4 on my wife's Jeep.

It's teaser-time. Because why not.

Exactly. Thick ones with a metal grill and a yellow fingers chopping hazard sticker. Double stacked for the Pro Plus model: Only to deliver that pull plus push flow! Man I am excited!

www.snbforums.com

 

[DJones]

This question is more towards the OpenVPN people and not directly towards RMerlin:
Is there any QR client setup for OpenVPN, rather than importing/exporting certs?
I found client setup for the WG QR setup convenient.
client is setup, then client scans QR code, and up

No. Openvpn on mobile has two factor authentication which uses QR, but not for client configuration. Asuswrt-Merlin doesn’t use QR either except for I believe in network map to join wifi which isn’t related to vpn configuration.

 

[ZNP_83]

Not necessarily. It can be slightly faster than OpenVPN (which caps at around 220 Mbps on that router), however it will limit your WAN connection to somewhere around 300 Mbps.

ahh shucks.

encryption giveth, and encryption taketh away

really hoping that wireguard is implemented in a more cohesive way soon. it'd be a luxury for me, and i'd love to utilize it, but i don't feel it's quite at the point where i want to totally roll my own pfsense linux box setup

 

[SomeWhereOverTheRainBow]

Is this a router? I installed 4 on my wife's Jeep.

It's teaser-time. Because why not.

Exactly. Thick ones with a metal grill and a yellow fingers chopping hazard sticker. Double stacked for the Pro Plus model: Only to deliver that pull plus push flow! Man I am excited!

www.snbforums.com

Here is an article on those hubcaps!

ASUS launches RT-AXE7800 WiFi 6E Tri-Band Router

ASUS RT-AXE7800 is a WiFi 6E router offering up to 7800 Mbps of bandwidth and robust network security. Geared up with the new 6 GHz band, it's designed to scale to the connectivity demands of those w...

www.guru3d.com

 

[Clark Griswald]

No. Openvpn on mobile has two factor authentication which uses QR, but not for client configuration. Asuswrt-Merlin doesn’t use QR either except for I believe in network map to join wifi which isn’t related to vpn configuration.

@shabbs and his Guest WiFi QR Sign started me down this QR path

 

[shabbs]

@shabbs and his Guest WiFi QR Sign started me down this QR path

You know you love it!

 

[unsynaps]

Wait. Wireguard is replacing OpenVPN?

Bah, never mind. Did not see the 'other tab'.

 

[RMerlin]

WireGuard routing code mostly done now. For now I decided to keep it simple(r), so just like stock firmware only works with VPN Fusion, Asuswrt-Merlin WireGuard routing will only work through VPN Director, and will also always use DNS handling similar to OpenVPN set to "exclusive" mode.

Next step is to implement field validation on the WireGuard client page, as the old "experimental" page I reused from Asus' code had no validation done in it, and the validation they implement on the VPN Fusion page will require a good bit of adjustments to work on that page I'm using.

 

[DJones]

WireGuard routing code mostly done now. For now I decided to keep it simple(r), so just like stock firmware only works with VPN Fusion, Asuswrt-Merlin WireGuard routing will only work through VPN Director, and will also always use DNS handling similar to OpenVPN set to "exclusive" mode.

Next step is to implement field validation on the WireGuard client page, as the old "experimental" page I reused from Asus' code had no validation done in it, and the validation they implement on the VPN Fusion page will require a good bit of adjustments to work on that page I'm using.

So well I haven’t used it because I don’t need a vpn client. I was wondering if it’s possible to have vpn director do something similar with vpn server. Here’s what I mean from your router you run a vpn server anyone connecting to this can access your whole network, but it would be interesting if director could isolate per user to have access to only specific devices or lan ports. That way when they connect and access your network only that specific LAN device or port would be accessible to them. Kind of like a vpn firewall where you “port forward” a user to a device.

My thought is if you want to run a vpn server to be safer at connecting at remote location, but don’t necessarily want them to have access to all devices. Sure you could properly firewall all your devices individually or run a vpn server from say your server on your network but a “vpn firewall” from the router would make the connection not as direct to those devices.

 

[visortgw]

So well I haven’t used it because I don’t need a vpn client. I was wondering if it’s possible to have vpn director do something similar to vpn server. Here’s what I mean from your router you run a vpn server anyone connecting to this can access your whole network, but it would be interesting if director could isolate per user to have access to only specific devices or lan ports. That way when they connect and access your network only that specific LAN device or port would be accessible to them. Kind of like a vpn firewall where you “port forward” a user to a device.

My thought is if you want to run a vpn server to be safer at connecting at remote location, but don’t necessarily want them to have access to all devices. Sure you could properly firewall all your devices individually or run a vpn server from say your server on your network but a “vpn firewall” from the router would make the connection not as direct to those devices.

You should definitely be able to designate which devices on your network a remote network can access as well as from which devices using VPN Director -- I do it now.

 

[DJones]

You should definitely be able to designate which devices on your network a remote network can access as well as from which devices using VPN Director -- I do it now

yeah but isn’t vpn director client only. Meaning your router is the client that connects to a vpn server. I’m looking for the opposite where the devices that connect will be pc’s with a open vpn client.

I mean sure if I had two Merlin routers I could figure something out but it’s overkill and I’d rather not have the remote side be able to configure what they see if they enter their router.

 

[RMerlin]

I was wondering if it’s possible to have vpn director do something similar with vpn server.

No. What you want in your case isn't a routing table configuration but a firewall configuration rather.

 

[DJones]

No. What you want in your case isn't a routing table configuration but a firewall configuration rather.

Yeah as I was explaining it it sounded more and more like a firewall configuration. No idea how to easily do that but yeah.

 

[Martineau]

Yeah as I was explaining it it sounded more and more like a firewall configuration. No idea how to easily do that but yeah.

Whilst the OP was about restricting inbound OpenVPN USERs, this might help?

It further describes how I used the OpenVPN event (triggered when a client connects inbound) to apply custom ACL type rules

e.g. see lanonly directive which restricts access to only certain LAN devices using appropriate firewall rules

VPN Server: How to allow only one active connection per user?

Hello everyone, I have set up the VPN Server and so far everything works fine. How ever, I noticed that multiple clients can connect with one OpenVPN User credential at the same time. This means I create one user "Thomas" and if he shares his login+client file, then several other users can...

www.snbforums.com

 

[Damit1]

so, are we any close to a alpha version or something?

 

[RMerlin]

so, are we any close to a alpha version or something?

Not yet. All the recent efforts were on WireGuard, after which I need to go back and finalize some 388 merge portions that I initially skipped.

 

[fearz]

Still no love for RT-AC5300

 

[muffintastic]

I think RT-AC86U has had it days hasn't it?

No love for the RT-AX86U in the last update.

 

[princi]

VPN Director mostly done. Just need to clean up the backend code a bit, as I don't like the current implementation.

View attachment 44583

Looks good.

And the choice of dev platforms (AX88U & AX11000) are the two routers I’m most interested in at the moment.

Now, for the all important question, using VPN Director and Merlin 388.1 on an AX88U, can I have more than 2 concurrent WireGuard sessions? Eg. 3 or 4?

That would be a game changer.

 

[RMerlin]

Now, for the all important question, using VPN Director and Merlin 388.1 on an AX88U, can I have more than 2 concurrent WireGuard sessions? Eg. 3 or 4?

5 WireGuard clients are supported. I haven't tested with more than two however (one to a local RT-AX86U_Pro and one to a VPS).