[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[treboR2Robert]

In the thread on Reddit
https://www.reddit.com/r/GooglePixel/comments/9t0nh0/asus_routers_wifi_issues/
several folks posted that restricting the phone to 2.4GHz band solved the issue.

Interesting read there thanks john.
I haven't noticed any problems so far, I will have to keep my eye on it.

no need for fork, you could use Merlin on DSL-AC68U: https://www.snbforums.com/threads/dsl-ac68u-asuswrt-merlin-builds-for-dsl-routers.55985/#post-480028

Thanks for the link, it sounds interesting but I would worry about it being kept up to date.

I think I would rather stick with Johns fork tbh, I have been using it a long time now and it works very well plus John is very quick to fix any problems and is a pleasure to deal with.

Merlins firmware is another option for me i guess if i bought the AC86U, but the last time i checked it didn't support some features i use in johns fork like DNS over TLS.

 

[dave14305]

Regarding the SNTP server being enabled, I’m curious if anyone else sees ntpd only listening on what I assume is an ipv6 :: wildcard on 123/udp? I would have expected a 0.0.0.0:123 since I’m only ipv4.

Normal or wonky?

#  netstat -alnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
udp        0      0 :::123                  :::*                                4245/ntpd

 

[treboR2Robert]

So to answer my own question, kind of anyway.

Running openvpn server on your home router and using a client to connect to it when you are away from home, the speed is limited to whatever your upload speed is at home (in my case about 9mbs)

Obvious really but I had never thought about this before.

So anyway I have turned compression off on the server and client and will test my speed again to see if i can get the full 9mbs.

Turning compression off will not effect security in any way will it ?

 

[bbunge]

stubby-update-resolvers.sh is used to update the resolver list for Stubby.
Is there a script to go back to the "default" resolvers?

 

[dave14305]

stubby-update-resolvers.sh is used to update the resolver list for Stubby.
Is there a script to go back to the "default" resolvers?

/usr/sbin/stubby-update-resolvers.sh default

 

[bbunge]

/usr/sbin/stubby-update-resolvers.sh default

Thanks!

 

[dave14305]

Regarding the SNTP server being enabled, I’m curious if anyone else sees ntpd only listening on what I assume is an ipv6 :: wildcard on 123/udp? I would have expected a 0.0.0.0:123 since I’m only ipv4.

Normal or wonky?

#  netstat -alnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
udp        0      0 :::123                  :::*                                4245/ntpd

So it seems it's a result of BusyBox invoking the socket with a NULL address and we end up with an AF_UNSPEC. Which I think means you can get IPv4 or IPv6. Vaguely reminds me of @john9527's early days with debugging Stubby on MIPS. Still haven't come up with a simple way to test with the devices on hand at home.

 

[Grisu]

Thanks for the link, it sounds interesting but I would worry about it being kept up to date.

I think I would rather stick with Johns fork tbh, I have been using it a long time now and it works very well plus John is very quick to fix any problems and is a pleasure to deal with.

Merlins firmware is another option for me i guess if i bought the AC86U, but the last time i checked it didn't support some features i use in johns fork like DNS over TLS.

I think you didnt understand me, they both dont support any DSL-type! Some managed to convert their DSL to RT but high risc with problems as there is no WAN port and without modem functionality ...

 

[shawnpear]

@shawnpear I suggest you use the "E" builds instead of "L" unless you have a specific reason not to.

Will get the E build up and running tonight then.

And no john, Note 9. Will give it a whirl, don't really wanna limit my phone to my crowded 2.4 network which my other family members are already using

 

[BloodFX]

Could somebody help me please?

My n66u the last few weeks with the latest lts builds keeps locking me out if the router, when I try to login to the router it says the ip and port number have been updated or something and I have to reset the router to get back in, its set for https login was wondering if it might be something to do with that?

Its never been a problem before the past 2 weeks and nothing has been changed.

Settings have been updated. Web page will now refresh.
Changes have been made to the IP address or port number. You will now be disconnected from RT-N66U.
To access the settings of RT-N66U, reconnect to the wireless network and use the updated IP address and port number.

Discovery utility shows it at the same ip and subnet mask.

After reading a few posts I found I can login with https://router.asus.com:8443/index.asp but not the original ip address which is still the same in the router?

I have now found microsoft edge will login, but google chrome says connection refused, wtf is going on?

 

[john9527]

And no john, Note 9

Also been reported with devices running Android 9 (and maybe 8.1)

 

[john9527]

Its never been a problem before the past 2 weeks and nothing has been changed.

Settings have been updated. Web page will now refresh.

That message will come up if ANYTHING about the connection has changed (not just IP address and port number). For example switching a device between ethernet and wifi, or possibly changing wifi bands (although I haven't tested this one).

A couple of things to try....
- Clear your browser cache/cookies
- Try running without any browser addons
- Did you reformat/reload jffs when moving to V38 (much bigger code due to OpenSSL 1.1.1)

 

[dave14305]

That message will come up if ANYTHING about the connection has changed (not just IP address and port number). For example switching a device between ethernet and wifi, or possibly changing wifi bands (although I haven't tested this one).

A couple of things to try....
- Clear your browser cache/cookies
- Try running without any browser addons
- Did you reformat/reload jffs when moving to V38 (much bigger code due to OpenSSL 1.1.1)

I faced a similar problem a couple weeks ago when I had removed my Pixelserv CA cert from my iPad because I was no longer running Pixelserv-tls on the router. Eventually I realized that my router GUI SSL cert was signed by the Pixelserv CA cert and was needed for the GUI. But the only symptom I saw was the similar "Settings have been updated...".

Any changes to the root certificates on your browser?

 

[BloodFX]

That message will come up if ANYTHING about the connection has changed (not just IP address and port number). For example switching a device between ethernet and wifi, or possibly changing wifi bands (although I haven't tested this one).

A couple of things to try....
- Clear your browser cache/cookies
- Try running without any browser addons
- Did you reformat/reload jffs when moving to V38 (much bigger code due to OpenSSL 1.1.1)

I just used the guide to update to 39e1 and same for the 1 before that update, nothing different.

 

[BloodFX]

I faced a similar problem a couple weeks ago when I had removed my Pixelserv CA cert from my iPad because I was no longer running Pixelserv-tls on the router. Eventually I realized that my router GUI SSL cert was signed by the Pixelserv CA cert and was needed for the GUI. But the only symptom I saw was the similar "Settings have been updated...".

Any changes to the root certificates on your browser?

How would I check that?

 

[dave14305]

How would I check that?

You really just need to examine the SSL certificate that your router is using for https. Are you saying you can login with https://router.asus.com:8443/ but not https://192.168.1.1:8443/ ?

View the certificate in your browser when the site is up (generally by clicking on the padlock icon, but I use Firefox). Is it a self-signed cert that Chrome doesn't like? Lot of different ways this could go, but we need to understand how your certificate is signed.

 

[BloodFX]

You really just need to examine the SSL certificate that your router is using for https. Are you saying you can login with https://router.asus.com:8443/ but not https://192.168.1.1:8443/ ?

View the certificate in your browser when the site is up (generally by clicking on the padlock icon, but I use Firefox). Is it a self-signed cert that Chrome doesn't like? Lot of different ways this could go, but we need to understand how your certificate is signed.

Yea its seems to be chrome only, I can login with default ip with microsoft edge, not tried any other browsers.
With chrome I can only login by using https://router.asus.com:8443/index.asp
Just realised could it be that i have no cert installed at all?

 

[dave14305]

Yea its seems to be chrome only, I can login with default ip with microsoft edge, not tried any other browsers.
With chrome I can only login by using https://router.asus.com:8443/index.asp
Just realised could it be that i have no cert installed at all?

You would get a lot of complaints from Chrome logging into router.asus.com if you had no cert at all. Browsers will complain about certificate name mismatches with the URL hostname, so I would expect trouble when trying to browse https://192.168.1.1:8443/ when the router certificate is generated for https://router.asus.com:8443/. When logged into router.asus.com in Chrome, what do you see about the certificate when clicking on the security padlock?

If you run Diversion and Pixelserv, I would recommend following this wiki article to let Pixelserv sign your cert if you have already imported the Pixelserv CA on your devices.
https://github.com/kvic-z/pixelserv...ixelserv-CA-to-issue-a-certificate-for-WebGUI

Otherwise, there are alternative ways to sign a certificate in a way that satisfies all browsers. RMerlin and john9527 have both referred to XCA before as a good tool.
https://www.hohnstaedt.de/xca/

 

[john9527]

Just realised could it be that i have no cert installed at all?

If you didn't explicitly save a cert in the gui or install your own, the router will automatically generate a new cert every time it reboots.

 

[BloodFX]

You would get a lot of complaints from Chrome logging into router.asus.com if you had no cert at all. Browsers will complain about certificate name mismatches with the URL hostname, so I would expect trouble when trying to browse https://192.168.1.1:8443/ when the router certificate is generated for https://router.asus.com:8443/. When logged into router.asus.com in Chrome, what do you see about the certificate when clicking on the security padlock?

If you run Diversion and Pixelserv, I would recommend following this wiki article to let Pixelserv sign your cert if you have already imported the Pixelserv CA on your devices.
https://github.com/kvic-z/pixelserv-tls/wiki/[ASUSWRT]-Use-Pixelserv-CA-to-issue-a-certificate-for-WebGUI

Otherwise, there are alternative ways to sign a certificate in a way that satisfies all browsers. RMerlin and john9527 have both referred to XCA before as a good tool.
https://www.hohnstaedt.de/xca/

I don't see a padlock, it just says your connection is not secure?