[Discussion] Remove several OpenVPN clients from RT-AC68U to reduce high nvram usage

[Yota]

Background:

Many members using RT-AC68U/RT-AC1900P/RT-AC66U_B1 may have noticed high nvram usage since 386.9 firmware.

For example, on 386.7_2, my nvram usage was around 55,000 bytes, but upgrading to 386.9 hit 60,000 bytes, and 386.10 remained around 60,000 bytes.

And some members with multiple OpenVPN clients and long static DHCP lists may see more nvram usage.

RT-AC68U only has a total of 65,536 bytes nvram space (can be seen in the Tools - System info page of the Merlin firmware), which is half less than other routers.

nvram is used to store system settings. When the space is filled, new settings cannot be written, causing system exceptions and crashes, and those truncated settings may also cause the router to fail to start.

Third-party developers cannot resize the nvram space because it is closed source, only Asus or Broadcom can resize it.

So in order to avoid possible problems with the system as nvram continues to grow, there is now a mitigation:

According to @RMerlin, moving from the original 5 OpenVPN clients to 2 would leave around 2,700 bytes of free nvram:

Removing OpenVPN clients 3, 4 and 5 would recover 2700 bytes of nvram,

Since other nvram settings are not controlled by RMerlin, it looks like we can currently only reduce nvram usage by removing redundant OpenVPN.



Background on this thread:

This thread is a topic forked from the 386.10 firmware release thread to avoid further off-topic discussions under that firmware release thread.

At present, members led by @Yota advocate to think more before removing OpenVPN to take care of those who may use 5 clients.

Members led by @Tech9 and @RMerlin advocate removing 3 OpenVPNs in future releases as a mitigation measure.

Read the previous discussion here:

Spoiler

https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827614
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827622
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827701
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827781
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827796
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827811
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827812
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827814
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827857
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827979
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827981
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827983
https://snbforums.com/threads/asuswrt-merlin-386-10-is-now-available-for-ac-models.83966/post-827989

Some advices:

For those who want to reduce nvram usage with some cleanup commands can see here.

After updating the router a factory reset and reconfigure everything (don't import the backup config) is recommended to remove those invalid nvram settings.

[FAQ] NVRAM and Factory Default Reset

A lot of questions related to nvram keep popping up on the forums, usually always the same coming back again and again. This post is an attempt to at least clear up a lot of recurring questions. What is nvram? NVRAM stands for Non-Volatile Random Access Memory. It's a small portion of the...

snbforums.com

Some useful links provided by member @bennor:

Asus RT-AC68U 386.2_6 low on free nvram

I upgraded my RT-AC68U from 384.19 to 386.2_6 but i'm getting the following warning. Your router is running low on free NVRAM, which might affect its stability. Review long parameter lists (like DHCP reservations), or consider doing a factory default reset and reconfiguring. Any idea how I can...

snbforums.com

Related Discussion:

[SOLVED] High nvram usage

I was playing with my RT-AC56U running RMerlin 384.5 and I noticed by accident that the nvram usage is a bit high: NVRAM usage: 65545 / 65536 bytes It seems I am 9 bytes over the limit and yet the router *appears* to be running fine. I do use long wifi passwords, have 30+ static dhcp bindings...

snbforums.com

rt-ac68u nvram running low how to reset and steps after reset to configure

asus rt-ac68u just updated to latest firmware 386.9 getting message low nvram. after doing the reset what are the steps to reinstall latest firmware and reconfigure settings. please give details. thank you , gio

snbforums.com

RT-AC68U NVRAM Low Warning

Hi, I have an Asus RT-AC68U and I'm getting an NVRAM low warning. I found this thread and it looks like there are a couple of helpful things here. https://www.snbforums.com/threads/solved-high-nvram-usage.56848/ I just don't know where to start as far as running the script on the router...

snbforums.com

Approved ways to free up NVRAM space...

I've got a RT-AC68U that is using a lot of nvram. I noticed recently that when I set the https_cert_file, my port forwarding table disappeared. I have seen data disappear before on older routers with smaller nvram setups when I wrote past the size limit, but thought I'd never run into this...

snbforums.com

Any discussion on this please do so below:

 

[Yota]

Latest Asuswrt runs just fine with the feature set offered. Irresponsible behavior to provide support for 10 years?

You could argue that Apple even offers updates for phones that are 11 years old (the iPhone 5s released in 2012 was last updated in January 2023). Compared to Google and Samsung, this is praised by many people.

But we all miss the point that providing long-term security updates and simultaneously introducing new features are two different things.

For example, enterprise-class routers, they will provide long-term updates, but hardly any new features are added, and the equipment maintains the performance when it is purchased even ten years later.

But with the addition of new features, if you get an iPhone 5s running iOS 7 versus an iPhone 5s running iOS 12.5.7 today, you can clearly see the performance gap.

These performance gaps are even introduced deliberately, which is a strategy.

Consumers don't have a choice there, they can't choose to only get security updates. (but member @john9527 does provide long-term support and backports security updates for some routers. Although I have never personally used his firmware, I really appreciate it).

So I mean, when we talk about long-term updates, we have to distinguish whether the update is aimed at fixing bugs or fixing bugs + adding features?

If RT-AC68U has not added new features for so many years, its nvram may only be used to 35,000.

 

[KrypteX]

So, before arguing whether 2 or 5 OpenVPN clients is the ideal for AC68U (I mean, why not reduce it to 3 if 5 is too large and 2 is too small ?), it would be nice to know why do we need multiple OpenVPN clients at all and what are some real-life use case situations for 2 or 5 or whatever the number.
Asking this because not everybody is a VPN genius and would like to see a down to earth explanation for multiple OpenVPN client usage.

BTW, I would prefer to increase the NVRAM from 64 to 128 KB, but if that's not achievable by Merlin (still haven't heard his version of the "closed source" story), then I guess we should all buy a better router with more NVRAM and call it a day.

 

[Tech9]

At present, members led by @Yota

 

[Yota]

still haven't heard his version of the "closed source" story

RMerlin has been mentioning Broadcom's stupid limitations on this forum over the years, but for some reason I can't find you a direct quote. You may need to ask him to explain again. Here's an indirect quote:

Low NVRAM.. despite factory defaulting etc

Hi, I've had the "low NVRAM" warning on my RT-AC3200 for a while now, always assumed this to be likely a product of having been lazy for a few code upgrades and not factory defaulting etc. So today I tried to tackle it, but with no success: First I backed up using the NVRAM Save/Restore tool...

snbforums.com

 

[bennor]

From another thread on NVRAM issues, RMerlin offers the following:
https://snbforums.com/threads/asus-rt-ac68u-386-2_6-low-on-free-nvram.73158/post-695283

If you ever used OpenVPN servers or clients, go through each of them, and click on "Default" to erase old settings.

Also if you have been running your router for many years without a factory default reset, you might have some very old certificate leftovers in memory. Create the following script then run it on your router:

#!/bin/sh

echo "Removing unused cert/key from nvram..."

for i in 1 2 3 4 5
do
    nvram unset vpn_crt_client$i\_ca
    nvram unset vpn_crt_client$i\_extra
    nvram unset vpn_crt_client$i\_crt
    nvram unset vpn_crt_client$i\_key
    nvram unset vpn_crt_client$i\_crl
    nvram unset vpn_crt_client$i\_static
done

for i in 1 2
do
    nvram unset vpn_crt_server$i\_ca
    nvram unset vpn_crt_server$i\_dh
    nvram unset vpn_crt_server$i\_ca_key
    nvram unset vpn_crt_server$i\_extra
    nvram unset vpn_crt_server$i\_client_crt
    nvram unset vpn_crt_server$i\_crl
    nvram unset vpn_crt_server$i\_crt
    nvram unset vpn_crt_server$i\_key
    nvram unset vpn_crt_server$i\_static
    nvram unset vpn_crt_server$i\_client_key
done

# SSH also migrated host keys to jffs a while back
nvram unset sshd_dsskey
nvram unset sshd_ecdsakey
nvram unset sshd_hostkey

nvram commit

echo "done."

 

[Yota]

View attachment 48487

Hahaha, that's funny.

First of all, I think we all know this, I chose the other side not even for myself, (my RT-AC68U is in AP mode, not running OpenVPN at all as the previous thread said), I just wish there was more when doing the subtraction consider potential users.

This is not a troll topic, sincere and rational discussion, my arguments have been made before:

But I'm trying to convey a point here, that is, I don't agree that cutting existing functionality is a good idea for potential users.

Some people don't even have a account in this forum, so they can't come here to express their views, I hope their concerns can be taken into account.

Maybe I'm just thinking too much, I don't know.

 

[bennor]

Some other past discussion topics on NVRAM and the RT-AC68U (and other AC series routers):
[SOLVED] High nvram usage
rt-ac68u nvram running low how to reset and steps after reset to configure
RT-AC68U NVRAM Low Warning

 

[Tech9]

Hahaha, that's funny.

Not funny at all. One single person liked so far your opinion on the subject in the release thread.

At the end of the day whatever @RMerlin decides is what it is going to be. He knows better than anyone what fits in this old hardware and what will eventually allow him to release few more updates. The easiest action is to drop the support and move on. This is the only model causing issues.

 

[Yota]

Not funny at all. One single person liked so far your opinion on the subject in the release thread.

At the end of the day whatever @RMerlin decides is what it is going to be. He knows better than anyone what fits in this old hardware and what will eventually allow him to release few more updates. The easiest action is to drop the support and move on. This is the only model causing issues.

I've stated my point of view, as to whether someone actually uses it like this, I can only leave it to them to reply to this thread, I can't speak for them, because I don't use it that way.

It's worth pointing out that no matter what RMerlin chooses, it doesn't matter to you or me, since we don't use routers that way.

But maybe this thread can be seen by Asus to increase the nvram size? I don't know.

 

[bennor]

Another (very old) discussion thread on NVRAM.
Approved ways to free up NVRAM space...

 

[Yota]

Another (very old) discussion thread on NVRAM.
Approved ways to free up NVRAM space...

Do you mind if I put these links you provided in #1 so more people can see them?

 

[Tech9]

because I don't use it that way.

Basically, no one really needs 5x VPN clients so far and you are using the option to store your different VPN client settings. Is that it?

 

[Yota]

Basically, no one really needs 5x VPN clients so far and you are using the option to store your different VPN client settings. Is that it?

There is no OpenVPN page on AP mode. I do, but not on the RT-AC68U.

I do have a couple of AC68U's, in fact I'm collecting old classic routers, AC68U's, R7000's, I have them all.

But there is only one RT-AC68U that I am actually running, it is only used as an AP, WiFi settings + SSH + some static client names are imported via SSH to show the same client information as the main router, other than no other settings were changed.

 

[bennor]

May or may not be relevant to the discussion.
Asus-Merlin.com Wiki: NVRAM Save Restore Utility

 

[Yota]

May or may not be relevant to the discussion.
Asus-Merlin.com Wiki: NVRAM Save Restore Utility

But that script author @Xentrk hasn't been on the forums for a long time, and it needs active maintenance to match the variables added and removed in the current firmware.

 

[Tech9]

There is no OpenVPN page on AP mode. I do, but not on the RT-AC68U.

So if no one needs 5x VPN clients so far including you - what's the discussion about? Who runs 5x VPN clients on AC68U anyway?

 

[Yota]

So if no one needs 5x VPN clients so far including you - what's the discussion about? Who runs 5x VPN clients on AC68U anyway?

I'm building on the assumption that removing a feature might have an impact on some people who depend on it. I don't rely on it, but I'm looking to validate my assumptions with this thread, and wait for those who use it to elaborate on their thoughts, rather than complaining after a change.

As I said, I use 5 OpenVPN clients on other routers, but they are not limited by nvram, is that because I have other routers, and suppose someone only has RT-AC68U?

For me, that would mean buying a new router, or continuing to use old firmware that is a security risk.

But if a family still uses the RT-AC68U as their main router in 2023, they may be grandma, or they may not have enough budget to replace the existing router.

So, when this change happens, they will be affected, and there's nothing they can do.

 

[bennor]

But that script author @Xentrk hasn't been on the forums for a long time, and it needs active maintenance to match the variables added and removed in the current firmware.

It may be out of date maintenance wise but it is on the Asus-Merlin Wiki page. RMerlin has not removed it from his Wiki page despite that script being roughly three years since it was last maintained. Like indicated may or may not be relevant to the discussion on NVRAM.

 

[Tech9]

But if a family still uses the RT-AC68U as their main router in 2023, they may be grandma, or they may not have enough budget to replace the existing router.

Right... May I ask what scripts is your grandma using on her running 3rd party firmware router? On USB stick or SSD?

If you check Asuswrt-Merlin release notes over last 2 years you'll find other features altered or even removed from firmware due to various limitations. Not only for oldest supported AC68U, but for the entire series firmware or router model. AdaptiveQoS with fq_codel as an example - technical limitation. Memory graph was removed from the GUI as another example - space limitation. I'm pretty sure there were people who liked the old way better.

For me, that would mean buying a new router, or continuing to use old firmware that is a security risk.

Your choice. Or use stock Asuswrt on it - it runs fine with no issues. Your router is miraculously still supported by the manufacturer. When @RMerlin dropped support for the original MIPS N(AC)66U - Asus released firmware after. It was newer and an option for whoever still uses MIPS models.