[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

After running the Merlin code base for the last 2.5 years on my RT-AC68P, I am finding myself intrigued by some of the features of John's version (Stubby DoT integrated in, lack of Trend Micro code phoning home), but have to ask, what might I lose in terms of security updates? I know that this has probably been addressed before, but with Asus now frequently updating the firmware to patch security issues, and Merlin's versions closely following those (well ok, within a month or two), are there any significant unpatched security risks that just can't be fixed in John's older code base? I do run Skynet and Diversion, so try to limit my exposure through those methods, and yes, I know that Stubby is on the verge of becoming simple to add on to the Merlin version, but it would be nice to have it just work out of the box. Are there any known examples of routers being compromised when running John's fork?
 
Never mind, I found the post where John addressed this security subject, on April 4, 2018 with the announcement of the release of 32E4/32L4.
Sorry, my bad...RTFM (and use the search function).
 
I found the post where John addressed this security subject,

Just to add a little more info...
As far as I remember, there have been two groups of 'significant' security updates released over the last year or so. About 1/2 of the ones in each group applied to this fork and were ported over. The other half applied uniquely to the token based authentication used in Merlin, vs the https auth used in the fork which I've reworked in several ways to make it more secure over the original release. So the big holes are definitely filled.

As far as overall security, the best advice I can give on either the fork or Merlin is to use common sense. Don't open up services to web. If you need to access the router remotely use OpenVPN, and even then use non-standard ports if you can.
 
Just had to pause on this auspicious occasion :D

I remember when I first started this fork I was surprised when there was enough interest that this thread got 1,000 views....was amazed when it hit 10,000 views....

Well today, 4 years later, it just passed 2,000,000 views!

My thanks to everyone who has contributed over the years, for providing help to other users as well as feedback and testing to help improve this fork. It is very much appreciated.
 
Congratulations on this excellent project

edit: don’t stop updating and improve this project :)
 
Many thanks to John, Colin, Rmerlin, and all the others working so hard for so little.

These firmware projects have upped the game for routers not just from ASUS, but from all manufacturers.

Getting your butt kicked by a handful of ragtag firmware programmers gets the machine rolling even at the corporate level. Bravo my dudes!
 
Version 36 borked openvpn servers for me. Not much to go by in the syslog just yet, I'll turn up the openvpn logging and see what I can find.

EDIT: Went back and stopped/started openvpn with verb set to 8 and got a bunch of configuration stuff in the log but nothing more about the fatal error.

Sep 29 21:34:22 openvpn[1407]: OpenVPN 2.4.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 27 2018
Sep 29 21:34:22 openvpn[1407]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.09
Sep 29 21:34:22 openvpn[1409]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sep 29 21:34:22 openvpn[1409]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sep 29 21:34:22 openvpn[1409]: Diffie-Hellman initialized with 2048 bit key
Sep 29 21:34:22 openvpn[1409]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 29 21:34:22 openvpn[1409]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 29 21:34:22 openvpn[1409]: TUN/TAP device tap22 opened
Sep 29 21:34:22 openvpn[1409]: TUN/TAP TX queue length set to 100
Sep 29 21:34:22 openvpn[1409]: updown.sh tap22 1500 1655 init
Sep 29 21:34:22 openvpn[1409]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sep 29 21:34:22 openvpn[1409]: WARNING: Failed running command (--up/--down): external program fork failed
Sep 29 21:34:22 openvpn[1409]: Exiting due to fatal error
 
@000111 Looks like the server config file isn't being created properly, if at all.

I guess this is OpenVPN server #2? Check the config file with:

cat /tmp/etc/openvpn/server2/config.ovpn

Also check that your /jffs partition isn't full:

df -h /jffs
 
Cat reveals what appears to be a normal file for either server 1 or server 2 (I run both).
 
@000111
Confirmed the bug. I did a change to avoid having the 'script-security' statement entered twice in the config, and there was a case where it wasn't entered when it needed to be on MIPS.

Workaround is to add 'script-security 2' manually to the custom config section (or enable username/password auth)
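The failure in the syslog above (updown.sh configured via --up/--down with no 'script-security' line, so OpenVPN refuses to fork the script and exits) and the de-duplication bug John describes can both be checked for in a generated config. The following is an added example, not code from the fork or from this thread; the sample config is constructed to mirror the posted log (tap22, updown.sh), and the set of script-using directives is my assumption of what needs script-security 2.

```python
# Directives that make OpenVPN fork an external program; with any of these
# present, 'script-security 2' (or higher) is required or startup fails.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "client-connect",
    "client-disconnect", "auth-user-pass-verify", "tls-verify", "learn-address",
}

# Constructed sample modelled on the posted syslog; not a file from the firmware.
SAMPLE_CONFIG = """\
dev tap22
dh dh.pem
auth SHA256
up updown.sh
down updown.sh
"""

def parse_directives(text):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def check_script_security(text):
    """Return a list of findings; an empty list means the config is consistent."""
    directives = list(parse_directives(text))
    needed = sorted({d for d, _ in directives if d in SCRIPT_DIRECTIVES})
    levels = [a for d, a in directives if d == "script-security"]
    findings = []
    if len(levels) > 1:  # the duplicate statement John's change was meant to avoid
        findings.append("script-security appears %d times" % len(levels))
    if needed and not levels:  # the MIPS case that produced the fatal error
        findings.append("missing script-security, required by " + ", ".join(needed))
    elif needed:
        level = int(levels[-1][0]) if levels[-1] and levels[-1][0].isdigit() else -1
        if level < 2:
            findings.append("script-security %d is below 2, required by %s" % (level, ", ".join(needed)))
    return findings

def ensure_script_security(text, level=2):
    """Return text with exactly one script-security line whenever a script directive is used."""
    existing = [int(a[0]) for d, a in parse_directives(text)
                if d == "script-security" and a and a[0].isdigit()]
    kept = [l for l in text.splitlines() if not l.strip().startswith("script-security")]
    if any(d in SCRIPT_DIRECTIVES for d, _ in parse_directives(text)):
        kept.append("script-security %d" % max([level] + existing))  # never lower an explicit level
    return "\n".join(kept) + "\n"
```

Running ensure_script_security a second time leaves the config unchanged, which is the property the generator lost when the duplicate-avoidance change was made.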
 
Thanks for the workaround and help gentlemen!

Workaround applied and working.
 
The next release is out!
LATEST RELEASE: Update-36E4/36L4

Small problem:

I have ANOTHER router as internet gateway, set with these settings for the dhcp server:
DNS Server 1: IP1
DNS Server 2: IP2
WINS Server: IP3



I then have a device (N66U, with your firmware), used in "AP Mode".

In the LAN - LAN IP tab:
"Get LAN IP Automatically?" is set to "yes"

If I set "Connect to DNS Server automatically" to "Yes", then:

I would expect:
"DNS Server1" contains "IP1"
"DNS Server2" contains "IP2"

But I get:
"DNS Server1" contains "IP1 IP2 IP3" (strings are appended with a space between)
"DNS Server2" is empty



"Connect to DNS Server automatically" set to "No" works
 
Small problem:
Sorry, but not sure I understand. Normally, in AP mode the DNS server in Automatic mode will be pointed to the parent router as the DNS (just verified it). How is your DNS configured on the parent router?
 
Sorry, but not sure I understand. Normally, in AP mode the DNS server in Automatic mode will be pointed to the parent router as the DNS (just verified it). How is your DNS configured on the parent router?

parent router RMerlin 380.62:
"DNS Server 1" contains "195.130.130.9"
"DNS Server 2" contains "8.8.8.8"
"Advertise router's IP in addition to user-specified DNS" is set to "Yes" = 192.168.157.1
"Forward local domain queries to upstream DNS" is set to "No"
"Enable DNSSEC support" is set to "No"
"WINS Server" contains "192.168.157.1" = same as router address

I get a "195.130.130.9 8.8.8.8 192.168.157.1" string in the "DNS Server1" field of the AP (John's fork). It seems to me (as a novice) that somewhere the string "195.130.130.9 8.8.8.8 192.168.157.1 " should be split into the 3 IPs, and that that is not happening?
 