What's new

[Discussion] Remove several OpenVPN clients from RT-AC68U to reduce high nvram usage

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

OK, so still nobody has actually explained why would someone need 5 OpenVPN clients. I would really like to see a real-life scenario explanation as for what and which and why... I guess some people just have enough time to argue about 2 vs 5, but don't have time for explaining this simple thing. I mean, @Yota ... seriously... grandma using 5 OpenVPN clients on her AC68U router in 2023? Grandma must be some very well-versed hacker or something.
 
Who wants a router with sluggish GUI in 2023? :)

 
Do you mind if I put these links you provided in #1 so more people can see them?
Sure. Spread them around so more people are aware of them.
 
BTW, I would prefer to increase the NVRAM from 64 to 128 KB, but if that's not achievable by Merlin
Not possible. Would require changes at the bootloader level, and since the RT-AC68U is on its last legs (after a 10 years run), I don't see Asus going through with this (assuming it`s technically possible, I don`t remember the flash layout of this older platform).

So I mean, when we talk about long-term updates, we have to distinguish whether the update is aimed at fixing bugs or fixing bugs + adding features?
I currently have no plans to add any new features to these AC models that are on the 386 code branch. I consider these to be mostly in maintenance mode from now on, unless Asus provides any significant 386 GPL updates in the future, but I doubt that such updates would add new features.

So, the primary goal of increasing available nvram is to reduce the (already high) risk of corrupted configuration, not to allow adding new features in the future.

I'm building on the assumption that removing a feature
I'm not removing any features. You will still be able to configure up to two OpenVPN clients (which is already two more than a lot of routers out there). I am simply reducing the limit from 5 to 2, just like over the years the number of allowed DHCP reservations has been reduced and increased as nvram storage space fluctuated.
 
I have a AC68U - now sitting in a box to be used in an emergency (e.g. if main router dies). At one point I did have it configured with 2 VPNs (Australia and UK). I have never 'really' needed more than 2 VPNs (especially running at the same time) - but I know I am only one data point :)

My vote/opinion is that reducing the # of VPN connections for this router is a good solution to the nvram limitation issue
 
It may be out of date maintenance wise but it is on the Asus-Merlin Wiki page. RMerlin has not removed it from his Wiki page despite that script being roughly three years since it was last maintained. Like indicated may or may not be relevant to the discussion on NVRAM.
It's not RMerlin's job to track the status of third party projects added to the Wiki by other people. That's down to the script's author or the community. I have now added a notice to that Wiki page to reflect its current status.
 
I currently have no plans to add any new features to these AC models that are on the 386 code branch. I consider these to be mostly in maintenance mode from now on, unless Asus provides any significant 386 GPL updates in the future, but I doubt that such updates would add new features.

So, the primary goal of increasing available nvram is to reduce the (already high) risk of corrupted configuration, not to allow adding new features in the future.
No, that sentence lacks context (that part was in the previous 386.10 thread) , meaning that the cause of the current high nvram usage is because of new features added by Asus in the past (like AiMesh).


My point is that a good hardware commodity should not provide feature updates for more than 1 year. This ensures the benefit of the company as they get more revenue from new hardware with new features, but I'm not against long-term security updates, feature updates and security updates are two different things.


I'm not removing any features. You will still be able to configure up to two OpenVPN clients (which is already two more than a lot of routers out there). I am simply reducing the limit from 5 to 2, just like over the years the number of allowed DHCP reservations has been reduced and increased as nvram storage space fluctuated.
I've done this on almost every router I've used supported by you: Import 5 different OpenVPN configs for 5 clients, they may be different locations (like France, Canada, Germany, Japan, UK) .

Then switch to that line when I need to get around geoblocks. Therefore, when the number of clients decreases, this switch will become difficult, because the previous configuration needs to be deleted and the configuration file of the new location needs to be uploaded again.

I don't use the RT-AC68U's OpenVPN anymore though, so I really don't have any impact on me from your change to remove the client, but I just wanted to get across that there might be someone out there who would be impacted by this.

Of course, I also understand that if the 3 OpenVPN clients are not removed for the special needs of a small number of people, it may cause nvram damage to most people, which will cause more problems, and I understand this very well. But I just want to explore more solutions, because it is difficult to determine whether Asus will continue to add new features to the RT-AC68U in the future, and if they do, which feature should we remove next?
 
As someone who is experiencing daily crashes due to NVRAM running out on RT-AC68U with 386.5_2, I'm fine with limiting OpenVPN and would encourage it (I use 1 OpenVPN server).

Stability above all else at this point with this old hardware, imo.
 
My point is that a good hardware commodity should not provide feature updates for more than 1 year. This ensures the benefit of the company as they get more revenue from new hardware with new features

This is exactly why AiMesh was squeezed in AC68U firmware. Most folks around SNB Forums know it's perhaps the worst AiMesh node (connection issues reported, lowest performance, no Smart Connect), but average consumers don't. And the router is popular. AiMesh support plus some marketing like this almost guarantees the same consumers will buy another Asus router. The strategy is genius! Some buy more "mesh" routers even when not needed. Do you realize now why this router got 10 years of support? It just sells more routers! Do you believe newer models will get 10 years of support?

I've done this on almost every router I've used supported by you: Import 5 different OpenVPN configs for 5 clients, they may be different locations (like France, Canada, Germany, Japan, UK) .

Core 1 is used for the main routing duties. VPN Clients 1-3-5 use Core 2. VPN Clients 2-4 use Core 1. Did you just see Core 1 twice? In all equal conditions your Canada and Japan Clients will hurt the overall router performance more than France, Germany and UK Clients. About using the available slots for simply storing VPN server information - why not make 10x VPN Clients on routers with enough NVRAM? Unused NVRAM is wasted NVRAM, no?
 
Last edited:
My two cents. I do still use AC68U as main routers on two different sites - they do everything I need and they are just the right size for me. Bigger/newer routers would require some mayor changes in my installation and there is no functionality gain I need right now. Also - everytime I check AC68U firmware is the MOST downloaded firmware from sourceforge.

Long story short - I would appreciate a reduction to 2 OpenVPN clients. I never used more than 2 OpenVPN clients so more free NVRAM would be more valuable to me than more OpenVPN clients.

Said that - maybe it could be set in as an option. I know this is MORE work but how cool would that be.
How many OpenVPN clients do you need?
You will have to restart your router for those changes to take effect!
 
Said that - maybe it could be set in as an option. I know this is MORE work but how cool would that be.
Not possible. This is a compile time thing, and after switching to a firmware with only 2 clients supported, you will still to manually clear nvram of the existing client 3-4-5 settings (I'm opting not to remove them automatically just in case someone failed to read the changelog, and needed to recover their content after the firmware upgrade).
 
You can have an infinite number of ovpn configs on the jffs or USB. Start from the command line when you need manually, or schedule a script

One server and client in the web gui is already more than enough
 
You could argue that Apple even offers updates for phones that are 11 years old (the iPhone 5s released in 2012 was last updated in January 2023). Compared to Google and Samsung, this is praised by many people.

But we all miss the point that providing long-term security updates and simultaneously introducing new features are two different things.

For example, enterprise-class routers, will provide long-term updates, but hardly any new features are added, and the equipment maintains the performance when it is purchased even ten years later.

But with the addition of new features, if you get an iPhone 5s running iOS 7 versus an iPhone 5s running iOS 12.5.7 today, you can see the performance gap.

These performance gaps are even introduced deliberately, which is a strategy.

Consumers don't have a choice there, they can't choose to only get security updates. (but member @john9527 does provide long-term support and backports security updates for some routers. Although I have never personally used his firmware, I appreciate it).

So I mean, when we talk about long-term updates, we have to distinguish whether the update is aimed at fixing bugs or fixing bugs + adding features.

If RT-AC68U has not added new features for so many years, its NVRAM may only be used for 35,000.
This is what I've been thinking for a while. Actually, I had to roll back some time ago with one of the upgrades because I started to suffer from the Low NVRAM issue as soon as updated to one of the newer firmware.

The router has been working like a charm for years, and as this user is telling us, Asus hasn't added new relevant features. However, the NVRAM size has increased drastically since 38x builds, from aroundish 40K to 60K, with no apparent reason. Now, with the latest builds, we are forced to disable features that we've always used with no problem at all. I'm talking about core basic features such as MAC filtering, DHCP reservations and so on.

So it's impossible not to think of obsolescence imposed by Asus for a 10 years router.
 
So it's impossible not to think of obsolescence imposed by Asus for a 10 years router.
That is not what is going on. Asus aren't just filling NVRAM with random data just to force you to buy a new router, obviously. Note that the stock firmware has more free NVRAM than Asuswrt-Merlin, which is why it's not an issue for them, but it is for us. Asus does not have 5 static OpenVPN clients NVRAM using 4.5 KB on its own, for instance. There`s no DNSFilter.

NVRAM usage has increased for many reasons:

- DHCP now allows you to store hostnames and DNS server in addition to the MAC and the IP
- Parental Control was rewritten to be more flexible
- The DDNS client now handles IPv6 (among other things), increasing nvram usage for these new settings
- Backend settings required for AiMesh and the mobile application

Asuswrt-Merlin needs more NVRAM than stock because of the 5 OpenVPN clients, having two OpenVPn servers instead of only one, having more settings available to OpenVPN, having DNS Director and VPN Director, SNMP support, Tor support, IPTraffic, NFS, NTPD and so on. The stock firmware still has room to breathe, but Asuswrt-Merlin with all of its additional features no longer does.

I just started counting how many NVRAM entries existed in Asuswrt-Merlin but not on stock firmware. I stopped counting at 250 because I couldn't see the end...
 
Now, with the latest builds, we are forced to disable features that we've always used with no problem at all. I'm talking about core basic features such as MAC filtering, DHCP reservations and so on.
You can still use manual DHCP reservations. To free up a little bit of NVRAM, one can move the DHCP manual reservations to a separate file (dnsmasq.conf.add) or by using YazDHCP.

For now, it appears most can get by with a hard factory reset and manual configuration; if they get the Low NVRAM warning, or start having weird issues happen because of low NVRAM. One can free up a little bit of that NVRAM when it comes to DHCP manual reservations as previously indicated. There are additional steps one can take beyond this to lower the NVRAM, but those steps may present other issues and may not survive router reboot.
 
You can still use manual DHCP reservations. To free up a little bit of NVRAM, one can move the DHCP manual reservations to a separate file (dnsmasq.conf.add) or by using YazDHCP.

For now, it appears most can get by with a hard factory reset and manual configuration; if they get the Low NVRAM warning, or start having weird issues happen because of low NVRAM. One can free up a little bit of that NVRAM when it comes to DHCP manual reservations as previously indicated. There are additional steps one can take beyond this to lower the NVRAM, but those steps may present other issues and may not survive router reboot.
I've gone through a Hard Reset some days ago and a manual scratch configuration limiting the set up to a few things, such as enabling QoS, setting up OpenDNS and avoiding DHCP reservations or MAC Filterings.

Nvram is close to 60K with only 5K free.

That is not what is going on. Asus aren't just filling NVRAM with random data just to force you to buy a new router, obviously. Note that the stock firmware has more free NVRAM than Asuswrt-Merlin, which is why it's not an issue for them, but it is for us. Asus does not have 5 static OpenVPN clients NVRAM using 4.5 KB on its own, for instance. There`s no DNSFilter.

NVRAM usage has increased for many reasons:

- DHCP now allows you to store hostnames and DNS server in addition to the MAC and the IP
- Parental Control was rewritten to be more flexible
- The DDNS client now handles IPv6 (among other things), increasing nvram usage for these new settings
- Backend settings required for AiMesh and the mobile application

Asuswrt-Merlin needs more NVRAM than stock because of the 5 OpenVPN clients, having two OpenVPn servers instead of only one, having more settings available to OpenVPN, having DNS Director and VPN Director, SNMP support, Tor support, IPTraffic, NFS, NTPD and so on. The stock firmware still has room to breathe, but Asuswrt-Merlin with all of its additional features no longer does.

I just started counting how many NVRAM entries existed in Asuswrt-Merlin but not on stock firmware. I stopped counting at 250 because I couldn't see the end...

Thanks so much for all the details provided. I do appreciate all the effort you have been putting into this.

I also don't understand whether the limited amount of NVRAM in this model is a hardware constraint since its conception with no feasible solution or if ASUS is not willing to increase it for unknown reasons.

Thanks again.
 
I also don't understand whether the limited amount of NVRAM in this model is a hardware constraint since its conception with no feasible solution or if ASUS is not willing to increase it for unknown reasons.
NVRAM size is determined by the Broadcom SDK. Upgrading NVRAM size requires making changes at the SDK level (assuming that change is possible), and also most likely requiring a factory default reset to upgrade to the new flash partition layout, and also prevent users from being aable to downgrade to a previous release, both of which are quite disruptive. And since Asus does not experience the same NVRAM pressure as Asuswrt-Merlin does, they have no incentive to go through the trouble of doing that kind of change.
 
NVRAM size is determined by the Broadcom SDK. Upgrading NVRAM size requires making changes at the SDK level (assuming that change is possible), and also most likely requiring a factory default reset to upgrade to the new flash partition layout, and also prevent users from being aable to downgrade to a previous release, both of which are quite disruptive. And since Asus does not experience the same NVRAM pressure as Asuswrt-Merlin does, they have no incentive to go through the trouble of doing that kind of change.
So, I guess our best (and only) real option to solve this issue is to move forward and get a new model with 128K NVRAM.
 
So, I guess our best (and only) real option to solve this issue is to move forward and get a new model with 128K NVRAM.
Or for me to save up on NVRAM usage and prolong the lifetime a bit further. For its price point the RT-AC68U/RT-AC66U_B1 are still very capable devices for people who just need something basic that won't break the bank.
 
Or for me to save up on NVRAM usage and prolong the lifetime a bit further. For its price point the RT-AC68U/RT-AC66U_B1 are still very capable devices for people who just need something basic that won't break the bank.
I'll try to go hardcore and limit the use of NVRAM as much as possible but after some days of delving into the issue and going through most of the helpful threads across these forums, I can't think of a way to save up more NVRAM usage.

I'm even thinking about disabling the Traffic Analyzer and the Parental Control, but that will drastically reduce the reasons why I originally bought this router.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top