[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[wbartels]

If it says "certificate is expired", then that's what it is: the certificate on the remote server is expired.

Thanks! Can the “certificate is expired” only be the server certificaat? I ask this because the same url is working perfectly on Ubuntu 18.04 with curl. See https://www.snbforums.com/threads/3...ficate-problem-certificate-has-expired.64455/

 

[dave14305]

I just tested and have same answer Merlin, seems problem is with afraig.org then?

See https://freedns.afraid.org/news/

if you have an out of date CA root store in your TLS client, automatic dynamic updates (over TLS only) may not be working for you starting today due to a upstream TLS provider chain key change.

The current keys are valid, and rigorously tested/verified to work for all modern updated installations, though the change is upstream in the signing chain.

If this affects you, in a pinch you could do plaintext updates, or update your TLS installation.

In light of a lot of legacy devices making updates unattended, I'm evaluating acquiring keys from a different TLS provider.

 

[john9527]

TypeError: staticstatsTableEntries[j] is undefinedAdvanced_VPNStatus.asp:288:1
parseStatus http://192.168.14.1/Advanced_VPNStatus.asp:288
initial http://192.168.14.1/Advanced_VPNStatus.asp:104
onload http://192.168.14.1/Advanced_VPNStatus.asp:1

What language setting are you using? And what locale set for your system?
Let's check the more likely things first...

 

[octopus]

What language setting are you using? And what locale set for your system?
Let's check the more likely things first...

I'm on " English" and locale (hope this is what you mean) Copenhagen, Stockholm, Oslo GMT+1

 

[octopus]

What language setting are you using? And what locale set for your system?
Let's check the more likely things first...

Did you see something that stands out in the configuration

 

[john9527]

Did you see something that stands out in the configuration

Not really....and I can't recreate it. I've only been able to come up with three possibilities...
(1) You aren't really connected, and OpenVPN is just returning a header without any data
(2) You are connected, but OpenVPN for some reason is only returning partial data
(3) There's something strange in the data that is leading to a parsing error (this is usually language/locale specific). By locale, I mean the language/number formats defined in your operating system (Windows?) that are picked up by the browser.

I'm inclined to think it's this last one....how are you using the debugging features of the browser console (set a breakpoint at the failure and examine variable contents). If your not comfortable with this, I can do a debug build that will throw some alerts with the data I need to see.

 

[octopus]

Not really....and I can't recreate it. I've only been able to come up with three possibilities...
(1) You aren't really connected, and OpenVPN is just returning a header without any data
(2) You are connected, but OpenVPN for some reason is only returning partial data
(3) There's something strange in the data that is leading to a parsing error (this is usually language/locale specific). By locale, I mean the language/number formats defined in your operating system (Windows?) that are picked up by the browser.

I'm inclined to think it's this last one....how are you using the debugging features of the browser console (set a breakpoint at the failure and examine variable contents). If your not comfortable with this, I can do a debug build that will throw some alerts with the data I need to see.

openvpn have this output:

May 31 17:50:32 openvpn[3488]: VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=octopus, OU=octopus xxxx@xxxxx.se, CN=octopus CA, name=EasyRSA, emailAddress=xxx@xxxxx.se
May 31 17:50:32 openvpn[3488]: VERIFY KU OK
May 31 17:50:32 openvpn[3488]: Validating certificate extended key usage
May 31 17:50:32 openvpn[3488]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 31 17:50:32 openvpn[3488]: VERIFY EKU OK
May 31 17:50:32 openvpn[3488]: VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=octopus, OU=octopus xxxx@xxxxx.se, CN=octopus, name=EasyRSA, emailAddress=xxxx@xxxxx.se
May 31 17:50:32 openvpn[3488]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
May 31 17:50:32 openvpn[3488]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
May 31 17:50:32 openvpn[3488]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA

# Automatically generated configuration
daemon
client
dev tun11
txqueuelen 1000
proto udp
remote octopus.xxxxxxx.xx 1194
resolv-retry infinite
nobind
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-GCM
auth none
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
up updown.sh
down updown.sh
tls-crypt static.key
ca ca.crt
cert client.crt
key client.key
status-version 2
status status 10

# Custom Configuration
remote-cert-tls server
fast-io
# log /tmp/vpnclient-1.log

Where can I read to set a breakpoint in browser?

 

[jrmwvu04]

I've put up a 44D6 release in the development folder
https://1drv.ms/f/s!Ainhp1nBLzMJiF2l3WjM46lSmxrH
which backports part of the tz updates from Merlin. It will allow you to set the DST times for some additional locations, including the new separate entry for Helsinki.
(A second part, which sets the default DST start and end times per location still needs to be backported, but will take some additional work. So please manually verify/set those values for your location).

To probably nobody's great surprise, US East is seemingly working properly.

 

[anotherengineer]

Not really....and I can't recreate it. I've only been able to come up with three possibilities...
(1) You aren't really connected, and OpenVPN is just returning a header without any data
(2) You are connected, but OpenVPN for some reason is only returning partial data
(3) There's something strange in the data that is leading to a parsing error (this is usually language/locale specific). By locale, I mean the language/number formats defined in your operating system (Windows?) that are picked up by the browser.

I'm inclined to think it's this last one....how are you using the debugging features of the browser console (set a breakpoint at the failure and examine variable contents). If your not comfortable with this, I can do a debug build that will throw some alerts with the data I need to see.

Just an off question since I'm no programmer.

Will OpenVPN be replaced by WireGuard at some point?

 

[john9527]

Just an off question since I'm no programmer.

Will OpenVPN be replaced by WireGuard at some point?

Not likely...I even double checked. They've come up with a 'compatibility' version going back to the 3.10 kernel. These older routers are based on the 2.6.x kernel.

 

[anotherengineer]

Not likely...I even double checked. They've come up with a 'compatibility' version going back to the 3.10 kernel. These older routers are based on the 2.6.x kernel.

So would Merlin/Asus be able to implement in their firmware in the future?

 

[ColinTaylor]

So would Merlin/Asus be able to implement in their firmware in the future?

These older routers are based on the 2.6.x kernel.

It might be technically possible for the newer routers but you'd have to ask Asus what their plans are. As for Merlin, he's already answered this question multiple times.

 

[john9527]

It might be technically possible for the newer routers but you'd have to ask Asus what their plans are. As for Merlin, he's already answered this question multiple times.

What he said

Actually, I think there is an opportunity here for someone. I was reading something a few days ago about using a Raspberry Pi as a Wireguard client/server which was said to work well (sorry, don't remember where I saw it). It would be great if someone would put together a tutorial about how to do that and integrate it with the router.

 

[RMerlin]

It would be great if someone would put together a tutorial about how to do that and integrate it with the router.

You need kernel support. And if you decide to fallback on an userland implementation, the performance will drop at the level of OpenVPN, but with a fraction of OpenVPN's features...

 

[octopus]

I'm inclined to think it's this last one....how are you using the debugging features of the browser console (set a breakpoint at the failure and examine variable contents). If your not comfortable with this, I can do a debug build that will throw some alerts with the data I need to see.

I tried to troubleshoot but don't really know what results I got. Can you do a debug build?
Thank you
Octopus
@john9527

 

[anotherengineer]

What he said

Actually, I think there is an opportunity here for someone. I was reading something a few days ago about using a Raspberry Pi as a Wireguard client/server which was said to work well (sorry, don't remember where I saw it). It would be great if someone would put together a tutorial about how to do that and integrate it with the router.

Thanks, was just curious. Not a programmer so.........

 

[Xan]

I had a similar issue way back when on an AC66 and nothing seemed to change it. I ended up using the command line nvram clear method to factory reset and that solved it for me. No idea why because the GUI reset should do the same thing but it did not help in my case. May want to try that and see if it helps.

the nvram reset briefly solved the problem.... shortly after the reset, the download speed shot back up to ~270 MB but after a few hours, it falls back to the cap of "70 MB" again...

Any ideas on what else to try next?

Many thanks

 

[john9527]

You need kernel support. And if you decide to fallback on an userland implementation, the performance will drop at the level of OpenVPN, but with a fraction of OpenVPN's features...

I was referring to setting it up on the pi...then setting up the appropriate firewall/forwarding on the router. The pi has kernel support.

 

[steelskinz]

Just to thank you for your support on N16.

It's old but still strong as i haven't a big bandwidth and no need of Wifi 5G. Thanks again john

 

[nephilim]

Not sure where to post it - here or in conmon or ntpmerlin... please tell me if I should move this question to a different thread.

My N66 (repeater mode) was running 43E6 w/o any issues. I had installed amtm, conmon and ntpmerlin and all of them worked flawlessly. Yesterday I upgraded to 44E5. After reboot I opened amtm and was asked to choose the theme. It then showed conmon and ntpmerlin but also a couple of syntax errors. Entware seemed to be missing as well. conmon and ntpmerlin could be started from within amtm but at the end I got several messages

Error: near line 4: database disk image is malformed

I uninstalled both & deleted databases, rebooted, installed via amtm (no errors) and waited a full day. The addons tabs are there but the plots remain empty. The syslog shows that the scripts are starting up fine and are invoked via cron as usual. The interesting thing is that e.g. on the uptime monitoring tab there is no version info next to conmon. A version check runs forever.

I saw in the changelog that amtm is now part of the firmware. Is there a conflict of my previous installation and the new version? How can I clean up this mess?