[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Now that you mention it, I have seen some tunnel drops during key renegotiation. I wrote them off as flukes.

Looking at my tunnel right now though, it has been up for about 4 days. So maybe I am already outside of the "issues" window, as it has obviously renegotiated in the meantime.
Just to follow up on this one, I'd definitely recommend removing 'auth-nocache', and potentially any other 'auth-' statements from the custom config for now (the firmware automatically adds what's needed for 'auth' statements).
 
Yep, I did that a while back. Currently these are my additional options (and I think everything is working okay as I have day(s) of uptime):
persist-key
persist-tun
tls-client
remote-cert-tls server
reneg-sec 0
keepalive 10 60
disable-occ
mute-replay-warnings
fast-io
verb 1

EDIT: thinking, maybe I should remove reneg-sec 0 and test again.

You use any keepalive parameters?
 
This is what I've been using with good results with PIA, idk, works.

persist-key
persist-tun
tls-client
remote-cert-tls server
reneg-sec 0
auth-nocache
mute-replay-warnings

--tun-mtu 9000
--fragment 0
--mssfix 0
--remote server
--cipher aes-128-cbc

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
 
Long time lurker, first time poster.
First, would like to thank Shibby, Merlin and John for their firmware support on the Buffalo and Asus routers I have used in my house. Have always liked using alternative firmware, as it gives better control over stock, and it was always worth flashing even if it was just to use a few small things.
Would also like to thank the various posters on these forums - their time and technical knowledge is excellent and a great source of learning for non network heads like me.

So now for my query - don't laugh, but my main router is an Asus RT-N16 running John's firmware 15E5, BB is cable, speed 120/12, and native IPv4 - can upgrade to 240 or 360 down but might have to use ISP's modem/router.
Given the N16 limitations, anyone recommend a good stable version for this router?
Did see a comment from John that 13Ex was a well respected stable version, so was wondering is there another!

WW
 
From a security viewpoint, go with the most recent build, always (keep it updated). I know that an RT-N16 handles pretty well a 200 Mbps connection.
 
Am I correct that there are no Android VPN clients that are compatible with the latest OpenVPN server (v2.40) included in the current release (23E4)? I used to have no issues connecting to my home server, but I get TLS negotiation errors with either OpenVPN Connect or OpenVPN for Android on the Google Play Store.
 
Thanks, but I have always only used UDP. I'm thinking the issue is with the client I'm using since it doesn't appear to have been updated since @john9527 updated the server to v2.40.
Try this.....make sure that Cipher negotiation is set to Disabled on the VPN Details page, and add
ncp-disable
to the Custom configuration section.

EDIT: The need to make the add in the Custom config section is fixed in V24.....coming soon :)
 
Thanks, John! That, indeed, did the trick.

Now I'm off to find the perfect OpenVPN server configuration that offers the right balance between security and performance on my AC68U... generating my own certs and keys, of course.
 
If you control both client and server, go with AES-128-GCM (through NCP). If one end is limited to OpenVPN 2.3.x, go with AES-128-CBC with SHA1 hashing.
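
A small lint for text meant for the Custom configuration box, covering three points raised in the posts above: 'auth-' statements the firmware already adds, `reneg-sec 0`, and a CBC `cipher` line. This is an added example, not part of any post and not code from the firmware; the check names (AUTH_DUP, RENEG_OFF, CBC_CIPHER) and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example: lint OpenVPN "Custom configuration" text for points from this thread.
# Check names are hypothetical labels chosen for this example:
#   AUTH_DUP    an 'auth-' statement (the thread says the firmware adds these itself)
#   RENEG_OFF   'reneg-sec 0' (turns off time-based key renegotiation)
#   CBC_CIPHER  a CBC cipher (the thread suggests AES-128-GCM via NCP when both ends allow it)

audit_custom_config() {
    # Reads config text on stdin; prints one "line:CHECK:directive" per finding.
    awk '
    /^[ \t]*([#;]|$)/ { next }                 # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/^--/, "", line)                   # a leading "--" is optional in config files
        n = split(line, f, /[ \t]+/)
        opt = f[1]
        arg = (n > 1) ? tolower(f[2]) : ""
        if (opt ~ /^auth-/)                    print NR ":AUTH_DUP:" line
        if (opt == "reneg-sec" && arg == "0")  print NR ":RENEG_OFF:" line
        if (opt == "cipher" && arg ~ /-cbc$/)  print NR ":CBC_CIPHER:" line
    }'
}

sample_config() {
    # Constructed sample: directives picked from the configs posted in this thread.
    cat <<'EOF'
persist-key
persist-tun
reneg-sec 0
auth-nocache
# tuning
--tun-mtu 9000
--cipher aes-128-cbc
keepalive 10 60
EOF
}

sample_config | audit_custom_config
```

The findings are prompts for review, not errors: each flagged line is one the posters above either recommended removing or described a trade-off for.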
 
Is NAT Loopback supported, or is there something that I need to manually add through shell to get it to work? I noticed it is not working for me when trying to access a NAT port using the public IP of the router from inside the network and wondering if it is something in my settings that needs to be reset/added or if it is not part of the feature set.

Thanks
 
I just checked and it's working for me. :) (You do of course still need a valid port forwarding entry)
 
@zon
Also checked and it's working for me too. What firmware release and router?

Depending on what other options you are running, NAT loopback could have a problem on V17 and earlier on MIPS routers
 
Thanks. I had the version from January of this year, and a whole lot of custom settings including some custom routes and configs for an entware openvpn server that I no longer have installed or use. I just did an update to 23E4, followed with factory reset using WPS button and power cycle, and started to put the settings in one by one through the UI. So far the NAT loopback seems to be working.

Thanks for the great work.
 
Next release is out! (With a couple of new features since the last Beta :) )

Please take the time to review the first post full release notes.
And once again, thanks to all those who took the time to provide feedback.

LATEST RELEASE: Update-24E2
17-April-2017
Merlin fork 374.43_2-24E2j9527
Download http://bit.ly/1YdgUcP
============================

Following are some of the major changes and fixed user issues/requests (full changelog is in the zip files)
  • Updates to Busybox, OpenVPN, LZ4, WGET, Nano and ASUS Webstorage
  • Basic support for exFAT USB drives on the AC56U and AC68U ARM routers (Tomato backport)
    Sorry MIPS routers, this is another case of MIPS kernel too old to support.
  • New DNSCrypt capabilities - Random server and exclude logging servers
  • Support for Host-Uniq on PPPoE connections (Vodafone Italy)
  • Fast MAC Vendor lookups with included OuiDB
  • Added support for moving SSH and OpenVPN certs to JFFS to free NVRAM space - @zonnebril @czekker
  • Fix for DDNS 'account name cannot be blank' error during setup (Merlin backport) - @hgeorgescu
  • Allow selecting encryption options for the PPTP client (Merlin backport) - @000111
  • Fix OpenVPN server connected client status on the main server page - @atkinsom
  • Free additional memory during firmware upgrades to help prevent the need for manual reboots - @zonnebril @Builder71
  • Fix for OpenVPN to explicitly disable Cipher Negotiation when disabled in gui - @Uncle_Gadget

As always, a reminder to users with MIPS routers to have a backup of /jffs in case the jffs space needs to be reformatted due to increases in firmware size.

SHA256
Code:
311d0dc3ab0cceaa049195ef8f2d18e2d7230ed433fcfa1d1ab87b12ab7c2bf3  RT-AC68U_3.0.0.4_374.43_2-24E2j9527.trx
58c9ba48968bb140f3282827a00cd26ebc739576976165719c8f42e21355d156  RT-AC56U_3.0.0.4_374.43_2-24E2j9527.trx
98b6e08095eb98d5c6acba69139c1b9b71d87fbeaff0c1f611f79565c4454e1e  RT-N16_3.0.0.4_374.43_2-24E2j9527.trx
b1b563c1f9606b0c92cb014dd66c5a7598cee3c25af442aa33ebbb0313f82c30  RT-AC66U_3.0.0.4_374.43_2-24E2j9527.trx
335d9ed364262497d41b496c28eeb9c19e147779a35e9321915eadfdc037a16e  RT-N66U_3.0.0.4_374.43_2-24E2j9527.trx
 
Rockstar! Push to git?
Patience my friend :)

BTW....I think I will fix up some missing files in the git repo with this next push (I was experimenting with trying to bring in the new SDK for the AC68 and COMPLETELY hosed my local repo.....so started from scratch with a fresh pull and fixed things up)
 
When you publish, I might issue a small PR for your move certs to /jffs logic. Being silly I wanted to move my client1 ca to /jffs, but entered server1 instead. The script made the "openvpn" and "server1" folders in /jffs even though I don't have a server1 setup. Likely a few if / then statements to do some cursory checks before creating folders (just to keep things clean), unless you want to :) .

Other than that, after I realized what I did, issuing the client1 command worked like a charm. NVRAM is down to 66% from 70%.
 