[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[keeka]

Something I just noticed.....your client is running an unreleased version of openvpn, 2.5
Latest official release (and what is used for the server) is 2.4.6
OpenVPN levels have been somewhat finicky lately.

I still can't explain why the firmware level is making a difference, but do you have an older client pkg you can try?

Certifcate only connection work fine.
I tested the following OS/openvpn/auth clients against openvpn server on 34E3 using similar client configs.
I disabled vpnclients on the router. Then attempted to connect each client (via LAN).

Android 6.0.1, OpenVPN for Android 0.7.5 (Openvpn 2.5-icsopenvpn)
certificates only: all good.
certificates and user-pass-auth: 1st session OK, subsequent sessions don't get past user auth (according to server log)

Ubuntu 16.04, OpenVPN 2.3.10
certificate only: all good.
certificates and user-pass-auth: same results as with the android client.

In both instances, the failed connections progress as far as:

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: keeka

Whereas a successful connect would then continue with:

AUTH-PAM: BACKGROUND: my_conv[0] query='Password:' style=1
Wed Sep 12 09:18:00 2018 us=902168 192.168.0.35:48527 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Sep 12 09:18:00 2018 us=902389 192.168.0.35:48527 TLS: Username/Password authentication succeeded for username 'keeka'

Deliberately entering incorrect credentials on what would otherwise be a successful first connect, results in the same failure in subsequent connection attempts, until you restart the openvpn server.

 

[jeff288]

Does "traditional QoS" actually work for anyone or am I doing something wrong? It seems it's always been this way on my N66U. Bandwidth limiting tends to work better but if traditional QoS would work I'd use it so I don't have to keep changing QoS for varying devices at varying times. Uploads especially on one device gives me enough buffer bloat to make the rest of the devices unusable on the network. Iphones are bad to do this on upload to iCloud and Xbox's are bad to hog all the download they can get.

Other than that, no complaints here. I also realize this is Asus' own code and fault if it doesn't work well.

 

[ColinTaylor]

@jeff288 In my own testing QoS does work but there are limits to what is possible. On my old N66U I found that the router's CPU couldn't handle download speeds above about 100Mbps. Apart from that the biggest problem is trying to differentiate between types of traffic because so much stuff is now sent over HTTPS. So it's hard to differentiate between a Netflix stream or a Steam download for example. Of course this is the advantage of adaptive QoS, being able to drill down into the traffic types.

 

[Deleted member 27741]

Jeff228- I came to the same conclusion that "QoS doesn't work" but instead found out something important about QoS and buffer bloat. It cannot overcome latency issues over wifi unless signal is perfect (and even then wifi still has latency issues anyhow). Using QoS over ethernet cable is a much better test of how the QoS is working, since some of the latency and possibly throughput issues are caused by imperfect wifi signal and that cannot be corrected with QoS.

Moral of the story- test QoS over ethernet to really test QoS and not your wifi, or at least test QoS over wifi in the same room as the router.

Second moral of the story- if you want less buffer bloat- go ethernet. There is not substitute.

Third and last observation- to minimize (when I say minimize I mean almost eliminate) buffer bloat about the fastest I could make the max download speed is 60 MB/s even though my cable is capable of about 150 MB/s. So you could try decreasing the maximum download/upload speed if buffer bloat/latency is an issue.

Fourth and really, really last observation- make sure you add some rules, my rule is simple- put one computer above everything else. It sounds like at the very least you should consider lowering the priority of packets from the offending device(s) that is/are buffer bloating the system.

To change priority for everything from an ip (can be useful if you use static ips) or mac address-
Service name- whatever you like
Source IP or MAC- source ip or mac address of desired device
Destination port- blank
Protocol- any
Transferred- blank
Priority- whatever you like

Remember that QoS rules are processed in a top down fashion, so if a packet is processed by a rule higher in the list, it won't be processed by any of the rules below that one. For example- if you put internet traffic as the first rule with highest priority all internet traffic will have highest priority (potentially circumventing rules for devices lower in the list for internet traffic), so be aware of that.

 

[john9527]

@keeka @treboR2Robert

Since I'm still at a loss on the OpenVPN server reconnect, it's time for the process of elimination....
I've put up a test build, 34X3, with the only change being rolling back dnsmasq to the 33E7 level.
https://1drv.ms/f/s!Ainhp1nBLzMJkEFTnFp4Sh2wvQva

If one of you could give it a try, I'd appreciate it. Please run without having DoT enabled, then if it works enable DoT and try again. Thanks.

 

[HowIFix]

@jeff288 @000111 I'm testing these settings of @miau1 and they work great, I do not have lag when I play and he explains how to use each priority and rule!

• QoS Settings of @miau1

Traditional QoS in the Fork version works, but in the Asuswrt-Merlin version it is broken, it's also broken adaptive QoS and VPN traffic and full of bugs all the firmware, spyware, etc, Asus I do not understand what you are doing with your firmware.

 

[MarkyMarkMark]

@keeka @treboR2Robert

Since I'm still at a loss on the OpenVPN server reconnect, it's time for the process of elimination....
I've put up a test build, 34X3, with the only change being rolling back dnsmasq to the 33E7 level.
https://1drv.ms/f/s!Ainhp1nBLzMJkEFTnFp4Sh2wvQva

If one of you could give it a try, I'd appreciate it. Please run without having DoT enabled, then if it works enable DoT and try again. Thanks.

I will give it a go when I get off from work.

 

[jeff288]

@jeff288 @000111 I'm testing these settings of @miau1 and they work great, I do not have lag when I play and he explains how to use each priority and rule!

• QoS Settings of @miau1

Traditional QoS in the Fork version works, but in the Asuswrt-Merlin version it is broken, it's also broken adaptive QoS and VPN traffic and full of bugs all the firmware, spyware, etc, Asus I do not understand what you are doing with your firmware.

Thanks, will give it a shot and update this post if it works better. I like how he uses the term "Creator" though perhaps John is benevolent and deserving of the title.

Edit: He's showing queing discipline options that I don't have so not a N66U. The newer routers have better implementations of that while the N66U doesn't and I suspect that's the big difference. N66U is limited to older kernel version, afaik, without the good qos.

 

[Deleted member 27741]

Jeff288 I am confident you can find settings that will even out your interwebs with the QoS implementation on the N66U with John's firmware. Feel free to message me for questions you might have beyond the basic stuff I hit upon in post #8088.

 

[HowIFix]

Edit: He's showing queing discipline options that I don't have so not a N66U. The newer routers have better implementations of that while the N66U doesn't and I suspect that's the big difference. N66U is limited to older kernel version, afaik, without the good qos.

I do not notice difference when I use both queuing discipline options SQM or FQ_CODEL. (I always get A+, A and A+ with both)

I think you have this problem, about a Dynamic IP.

Before my game ping was unstable, disconnect me from the games, even if only connect the xbox or ps4 or computer directly to the modem and nobody else will use the internet.

That happened because I was using an Dynamic IP and after I hired a Static/Dedicated IP with my ISP, my problem was solved and I have a stable connection/ping. (I had to add the IP manually to the router)

• Information about WAN Static IP

Something like this:

Dynamic IP

WAN Static IP

 

[treboR2Robert]

@keeka @treboR2Robert

Since I'm still at a loss on the OpenVPN server reconnect, it's time for the process of elimination....
I've put up a test build, 34X3, with the only change being rolling back dnsmasq to the 33E7 level.
https://1drv.ms/f/s!Ainhp1nBLzMJkEFTnFp4Sh2wvQva

If one of you could give it a try, I'd appreciate it. Please run without having DoT enabled, then if it works enable DoT and try again. Thanks.

Sorry for the late reply john i was busy this evening.

Anyway thanks for the new test build, I just tried it and unfortunately it didn't work.

I installed 34X3 and disabled all DNS options then connected to the VPN, disconnected, waited for the "VPN Status" page to show nothing is connected then tried reconnecting and got exactly the same result as 34E3, 35T2 and 35T3.

I then mistakenly installed 34E3 again instead of 33E7 and got the same result.

Once i realized I installed 34E3 instead of 33E7 i installed 33E7 and straight away it connected, disconnected and reconnected without any problem.

I then enabled DNScrypt and DNSSEC with strict enforcement. After this I could not connect at all.

I disabled DNScrypt but left DNSSEC and strict enforcement enabled and this works fine ( connects, disconnects and reconnects )

I'll have a bit more of a play with DNScrypt and see if I can get it working ( i'm thinking it may have broken my asus DDNS)

 

[Grisu]

I think you have this problem, about a Dynamic IP.
Before my game ping was unstable, disconnect me from the games, even if only connect the xbox or ps4 or computer directly to the modem and nobody else will use the internet.
That happened because I was using an Dynamic IP and after I hired a Static/Dedicated IP with my ISP, my problem was solved and I have a stable connection/ping. (I had to add the IP manually to the router)

In my country, ISPs offer Static IPs at 5 Dollars, if I do not contract that service this happens:
I can not use this Broadband Quality Monitor (shows all red)

Can it be that your ISP offers different quality?

So not dynamic IP is your problem, but additional features included to this 5$-package?
Would be the only way for me to understand your problem with dynamic IP.
I think as they offer Broadband Quality Monitor in same breath they give you better service quality too.

 

[ColinTaylor]

Can it be that your ISP offers different quality?

So not dynamic IP is your problem, but additional features included to this 5$-package?
Would be the only way for me to understand your problem with dynamic IP.
I think as they offer Broadband Quality Monitor in same breath they give you better service quality too.

Agreed. There's nothing intrinsically different between a dynamic and static IP address, other than one of them can change. However changing packages might involve different routing, quality of service, etc.

In the example linked to by @HowIFix his "dynamic" IP address was actually a private address (172.30.66.xx) which would completely explain his problems (BQM shows as red, NAT/forwarding issues). Changing his package resulted in him getting a public IP address. Neither of these things have anything to do with QoS.

 

[keeka]

@keeka @treboR2Robert

Since I'm still at a loss on the OpenVPN server reconnect, it's time for the process of elimination....
I've put up a test build, 34X3, with the only change being rolling back dnsmasq to the 33E7 level.
https://1drv.ms/f/s!Ainhp1nBLzMJkEFTnFp4Sh2wvQva

If one of you could give it a try, I'd appreciate it. Please run without having DoT enabled, then if it works enable DoT and try again. Thanks.

I flashed 34X3. I see the same results as with 34E3 and 35E5.
Previously, I'd never enabled DNSSEC or DNSCRYPT. I left these features disabled but I did try vpnserver again with the new DoT option enabled (a single server selected). Same results.

Had this only affected me, I would have certainly put it down to an issue with my hardware or config. I am still somewhat inclined to do so.
I may have this router in an inconsistent or unintended state. Clients, of the routers vpnserver, are not able to reach any LAN clients that are being tunnelled through the router's vpnclient. I am sure this used to work!
FYI before testing, I did disable the router vpnclients and rebooted the router.
For the time being, I've turned off the router's openvpn server and instead run an instance of openvpn on another machine with relevant ports forwarded to that box.

 

[HowIFix]

@Grisu @ColinTaylor everything has to do, today remove the Static IP in the router and let my ISP give me a Dynamic / Private IP

• WAN Connection Type -> Automatic IP

My ping increased in games Fortnite to 150 to 200 and disconnects, all port close (Consoles NAT Type 3 and Double NAT) and bufferbloat test was B, C, and B, then I went back to add the static IP and my ping was reduced to 50 and maximum peaks that I got was 60, all ports open (Consoles NAT Type 1 and Open NAT) and bufferbloat test was A+, A and A+...

The Dynamic IPs of my ISP are a piece of junk, they are over saturated, they force you to hire a Static IP, the same technician that came to my house said that I had to hire a Static IP and I did it and goodbye to the problems of lag when I play.

 

[Grisu]

@Grisu @ColinTaylor everything has to do, today remove the Static IP in the router and let my ISP give me a Dynamic / Private IP

• WAN Connection Type -> Automatic IP

My ping increased in games to 150 to 200 and disconnects, then I went back to add the static IP and my ping was reduced to 50 and maximum peaks that I got was 60...

The Dynamic IPs of my ISP are a piece of junk, they are over saturated, they force you to hire a Static IP, the same technician that came to my house said that I had to hire a Static IP and I did it and goodbye to the problems of lag when I play.

But its not the dynamic IP or static one what makes the difference to your router!

Its only as they offer just different products and give you better quality only for extra money combined with static IP.
And marketing named it static IP, they could say high quality connection too but decided first.

I got dyn.IP and A+/A/A+ on my line. No change if I would order static IP.

 

[HowIFix]

I just tell my problem and how to solve it, if you do not believe me or doubt it is not my problem.

 

[jpedty]

I have observed the same openvpn problem noted by others of only the original connection succeeding until openvpn is restarted. An additional bit of information: I did not clear nvram on upgrade, and observed that the username/password in the openvpn screen was combined as one string in the user field. I was unable to connect at all until deleting/recreating the user, and then observed the issue of having to restart openvpn after closing the original successful connection. Others have noted this appears to specifically affect when user logins are enabled in openvpn and the screen corruption I observed might possibly be a clue of some sort, possibly.

 

[Grisu]

I just tell my problem and how to solve it, if you do not believe me or doubt it is not my problem.

we believe you every word that you see this difference!

But why wont you believe us that its not the cause but the symptom.

For your router all is the same and wont work different.
Its the ISP changeing things together with static IP.

Please make an easy test:
Change to dynamic IP on ISP side. Query this temporary IP and set it as fix IP on your router.
Then the router is set up identically, but due to ISP changing to low profile you will get slow connection again.

 

[ColinTaylor]

@jpedty I've not been able to recreate this problem on my AC68U. What model router do you have? Maybe it's specific to the N66U/AC66U.

EDIT: You should probably have done a factory reset after you noticed the initial corruption.