[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[treboR2Robert]

35T2 does not work either

 

[HowIFix]

I am using 34E3 on my RT-N66R.
The only other thing I have running on it is Diversion ad blocker.

I did however notice the GUI in System Logs / Port Forwarding is bugged.

I'm using an android 8.0 Galaxy S9 running both OpenVPN clients Connect/For Android.

Maybe I will try and downgrade my FW.

You have an S9 and can not buy a cheap router like RT-AC68U.

 

[Deleted member 27741]

I think I may have found a bug in the DoT implementation. The order of DNS servers after reboot seems to follow a "top-down" structure. I say this because my router reboots every day and I notice every day that the adult filter DoT DNS server I use is no longer primary- my SECOND server choice (but first in the list from top to bottom) becomes the primary DNS server. I can tell this from the ability to see adult sites and also from the cloudflare-dns test site that it switches over to cloudflare. Of course- this may be the fault of cleanbrowsing servers as well perhaps they are dodgy and the router has had to move on to secondary, or some other reason.

Edit: just rebooted and DoT DNS servers are a-ok. Looks like my first inclination was wrong.

 

[treboR2Robert]

You have an S9 and can not buy a cheap router like RT-AC68U.

Perhaps he doesn't need an AC router.
I know i don't and the N66 is about as good as it gets when it comes to wireless N routers.
For my AC needs i have a bt hub 5 set up as an access point in the room i usually sit in.
I do this because 5ghz AC signal doesn't travel anywhere near the distance that 2.4ghz N does.
So my main router (n66) in the hall only puts out 2.4ghz N for most devices like phones etc to connect to.
Pretty much all tvs, sky boxes and raspberry pis etc... are hardwired.
Then the only thing that connects to the 5ghz AC access point is my laptop when im in the same room as the AP for faster internal network transfers to save the hassle of connecting a ethernet every time.
Why would I waste money on a AC68U when my network works flawlessly as it is with a N66.
Perhaps MarkyMarkMark has a similar setup and the reason he can afford a s9 is because he doesn't go around wasting his money on stuff he doesn't need.

 

[bbunge]

Perhaps he doesn't need an AC router.
I know i don't and the N66 is about as good as it gets when it comes to wireless N routers.
For my AC needs i have a bt hub 5 set up as an access point in the room i usually sit in.
I do this because 5ghz AC signal doesn't travel anywhere near the distance that 2.4ghz N does.
So my main router (n66) in the hall only puts out 2.4ghz N for most devices like phones etc to connect to.
Pretty much all tvs, sky boxes and raspberry pis etc... are hardwired.
Then the only thing that connects to the 5ghz AC access point is my laptop when im in the same room as the AP for faster internal network transfers to save the hassle of connecting a ethernet every time.
Why would I waste money on a AC68U when my network works flawlessly as it is with a N66.
Perhaps MarkyMarkMark has a similar setup and the reason he can afford a s9 is because he doesn't go around wasting his money on stuff he doesn't need.

I went to a RT-AC66U_B1 over a year ago and am please with it. Dual core processor and runs the same firmware as the RT-AC68U. There is also a new RT-N66U_C1 which has a dual core processor and may be able to run the same merlin firmware as the RT-AC68U but this is a guess as of now.

 

[treboR2Robert]

I went to a RT-AC66U_B1 over a year ago and am please with it. Dual core processor and runs the same firmware as the RT-AC68U. There is also a new RT-N66U_C1 which has a dual core processor and may be able to run the same merlin firmware as the RT-AC68U but this is a guess as of now.

Yh nice routers I looked at buying one myself but with my setup there is no need.
@john9527 's LTS fork on my N66 is perfect !
1 small bug with the latest firmware regarding reconnecting to the VPN but im sure @john9527 will have it sorted soon and for the time being it works fine on the previous release.

 

[ColinTaylor]

@john9527 Noticed a slight inconsistency in the VPN server config file (it's probably always been there). The Custom configuration lines are terminated with CR/LF instead of just LF (I haven't tried using a Linux-based browser).

Also the very last line doesn't have a terminating LF at all (some editors moan about this being an "incomplete file"), unless it's an empty line in which case it has a CR/LF.

Doesn't seem to have any negative effect so it's really only cosmetic.

# Custom Configuration
push "dhcp-option DOMAIN home.lan"^M
client-connect /jffs/scripts/openvpn-client-connect.sh
~
~
"config.ovpn" [noeol] 29L, 604C

 

[RMerlin]

Noticed a slight inconsistency in the VPN server config file (it's probably always been there). The Custom configuration lines are terminated with CR/LF instead of just LF (I haven't tried using a Linux-based browser).

This is usually caused by copy/pasting into the Custom box - your paste contained the CR/LFs.

 

[ColinTaylor]

This is usually caused by copy/pasting into the Custom box - your paste contained the CR/LFs.

Nope. It happens even when I type stuff from scratch.

# Custom Configuration
sadasdasdasdadas^M
423414322141414^M
5fsdfsdfsfsfs
~
~

 

[Deleted member 27741]

I thought maybe the issue I am seeing with my DoT DNS servers changing may have been the custom stubby-resolvers config file I had in the /jffs/configs folder. It is not (I deleted the file since it was no longer necessary). When I have these servers selected in this order:

cleanbrowsing-adult primary
cleanbrowsing-adult secondary
cloudflare primary
cloudflare secondary

My DNS keeps switching over to the cloudflare server (primary, I presume). It may be a cleanbrowsing issue, I will try using ONLY one cleanbrowsing server to see if their DoT servers are borked. If that is not the case I don't know the cause of the switch.

 

[ColinTaylor]

My DNS keeps switching over to the cloudflare server (primary, I presume). It may be a cleanbrowsing issue, I will try using ONLY one cleanbrowsing server to see if their DoT servers are borked. If that is not the case I don't know the cause of the switch.

This type of behaviour will be fixed (or at least improved) in release v35.

https://www.snbforums.com/threads/test-asuswrt-merlin-lts-fork-multiple-items.48642/#post-428118

 

[john9527]

@john9527 Noticed a slight inconsistency in the VPN server config file (it's probably always been there). The Custom configuration lines are terminated with CR/LF instead of just LF (I haven't tried using a Linux-based browser).

It's always been there. It's a quirk of the broadcom routines that take a 'textarea' html box and write the data into nvram. I remember trying a lot of things in the gui code to eliminate them without success. I do remove them when I populate the custom config gui, or else everything is double spaced.

I just wrote a test fix to try and eliminate them from within the openvpn code when it generates the .ovpn file. We'll see how it goes.

 

[john9527]

I just tried the latest test version 35T3 and it has the same VPN reconnect problem as 34E3.

33E7 works fine

I'm still at a loss here.....I took a different tac and generated the list of all changed files between 33E7 and 34E3 and went through each one. Still can't see anything that would cause a breakage. If you run 34E3 without DoT enabled and without strict DNSSEC, it's identical to 33E7.

The only other possibility is something in dnsmasq (although I don't see how that would play).

 

[john9527]

I did however notice the GUI in System Logs / Port Forwarding is bugged.

You do realize that a statement like this without any details goes directly into the bit bucket.....

 

[john9527]

I just wrote a test fix to try and eliminate them from within the openvpn code when it generates the .ovpn file. We'll see how it goes.

@ColinTaylor
Will be fixed in the V35 release

 

[john9527]

Catching up....

@john9527 I have these 4 questions:

01. VPN Client traffic bypass Traditional QoS?

VPN clients are subject to to 'global' min and max settings under Traditional QoS. Any other rules do not apply (the note about VPNs/Defaults on the QoS page is actually incorrect and will be removed in V35)

02. In DoT CleanBrowsing/Cloudflare, if I have DNSSEC enabled in Strict mode and restart the router, the internet work? (Because you are using dnsmasq v2.80)

If you are using DoT, the router comes up initially without TLS encryption until the router time is set. DNSSEC is tied to the server capability.....if the DoT server support DNSSEC it will work, if not, it won't.

03. You will wait for the stable version 2.80 of dnsmasq, for you to release the next update like @RMerlin? (for me it is a wise decision or maybe not)

It depends on what turns out to be the release schedule. I'm currently running 2.80test6 (it looks like they are getting close to a final release).

04. You add these security fix that releases sometimes in the latest version of ASUS Official firmware? (or is it not necessary?)

Remember, we don't get anything from Asus that says 'here's the code that fixes this problem'....we just get a code drop. So I make the attempt to look at the changed code in critical areas looking for what could be the fixes....sometimes it's easy to spot.....sometimes impossible (certainly impossible if the change is in closed source). Public documented CVEs I can usually find. Most of what I see being released lately is just previous fixes being applied to the different products and are already incorporated.

 

[HowIFix]

@john9527 Thank you!

 

[keeka]

I'm still at a loss here.....I took a different tac and generated the list of all changed files between 33E7 and 34E3 and went through each one. Still can't see anything that would cause a breakage. If you run 34E3 without DoT enabled and without strict DNSSEC, it's identical to 33E7.

The only other possibility is something in dnsmasq (although I don't see how that would play).

On the first failed connection (following disconnecting a successful session at the client), the router's openvpn log stops just short of logging the call to the auth plugin:

openvpn[548]: 192.168.0.53:57547 VERIFY OK: depth=0, CN=client1
openvpn[548]: 192.168.0.53:57547 peer info: IV_VER=2.5_master
openvpn[548]: 192.168.0.53:57547 peer info: IV_PLAT=android
openvpn[548]: 192.168.0.53:57547 peer info: IV_PROTO=2
openvpn[548]: 192.168.0.53:57547 peer info: IV_NCP=2
openvpn[548]: 192.168.0.53:57547 peer info: IV_LZ4=1
openvpn[548]: 192.168.0.53:57547 peer info: IV_LZ4v2=1
openvpn[548]: 192.168.0.53:57547 peer info: IV_LZO=1
openvpn[548]: 192.168.0.53:57547 peer info: IV_COMP_STUB=1
openvpn[548]: 192.168.0.53:57547 peer info: IV_COMP_STUBv2=1
openvpn[548]: 192.168.0.53:57547 peer info: IV_TCPNL=1
openvpn[548]: 192.168.0.53:57547 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.5
<!-- 2nd connection log stops here -->
openvpn[548]: 192.168.0.53:57547 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so

When I get a chance, I will try disabling auth-user-pass and use only client certs to see what happens.

 

[Deleted member 27741]

This type of behaviour will be fixed (or at least improved) in release v35.

https://www.snbforums.com/threads/test-asuswrt-merlin-lts-fork-multiple-items.48642/#post-428118

This is great. For the time being my solution will be to select only one DoT server considering the bounce around (it would be more correct to say switch it seemed to permanently switch over from cleanbrowsing servers to cloudflare) I get when I select more than one. I would like to know more about what is running under the hood for DoT... is there any way, for instance, to easily see what server is currently being used? I was able to tell it switched over to cloudflare because of the test website, without that information (in addition to the allowing of adult sites since my primary was cleanbrowsing) I would likely never have known.

I do not have any detectable (or at least detectable insofar as it works, I have no ability to look into it more closely) issues using only one DoT server, the same one that seemed to bork out and get switched to another when I selected two or more.

See post 8075 for the DoT server selection I used that seemed to bork out consistently.

 

[john9527]

openvpn[548]: 192.168.0.53:57547 peer info: IV_VER=2.5_master

Something I just noticed.....your client is running an unreleased version of openvpn, 2.5
Latest official release (and what is used for the server) is 2.4.6
OpenVPN levels have been somewhat finicky lately.

I still can't explain why the firmware level is making a difference, but do you have an older client pkg you can try?