What's new

[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

After running the Merlin code base for the last 2.5 years on my RT-AC68P, I am finding myself intrigued by some of the features of John's version (Stubby DoT integrated in, lack of Trend Micro code phoneing home), but have to ask, what might I lose in terms of securty updates? I know that this has probably been addressed before, but with Asus now frequently updating the firmware to patch security issues, and Merlins versions closely following those (well ok, within a month or two), are there any significant unpatched security risks that just can't be fixed in John's older code base? I do run Skynet and Diversion, so try to limit my exposure through those methods, and yes, I know that Stubby is on the verge of becoming simple to add on to the Merlin version, but it would be nice to have it just work out of the box. Are there any known examples of routers being compromised when running John's fork?
 
Never mind, I found the post where John addressed this security subject, on April 4, 2018 with the announcement of the release of 32E4/32L4.
Sorry, my bad...RTFM (and use the search function).
 
I found the post where John addressed this security subject,

Just to add a little more info...
As far as I remember, there have been two groups of 'significant' security updates released over the last year or so. About 1/2 of the ones in each group applied to this fork and were ported over. The other half applied uniquely to the token based authentication used in Merlin, vs the https auth used in the fork which I've reworked in several ways to make it more secure over the original release. So the big holes are definitely filled.

As far as overall security, the best advice I can give on either the fork or Merlin is to use common sense. Don't open up services to web. If you need to access the router remotely use OpenVPN, and even then use non-standard ports if you can.
 
Just had to pause on this auspicious occasion :D

I remember when I first started this fork I was surprised when there was enough interest that this thread got 1,000 views....was amazed when it hit 10,000 views....

Well today, 4 years later, it just passed 2,000,000 views!

My thanks to everyone who has contributed over the years, for providing help to other users as well as feedback and testing to help improve this fork. It is very much appreciated.
 
Congratulations for this excellent project [emoji6]

edit: don’t stop updating and improve this project :)
 
Last edited:
Many thanks to John, Colin, Rmerlin, and all the others working so hard for so little.

These firmware projects have upped the game for routers not just from ASUS, but from all manufacturers.

Getting your butt kicked by a handful of ragtag firmware programmers gets the machine rolling even at the corporate level. Bravo my dudes!
 
Version 36 borked openvpn servers for me. Not much to go by in the syslog just yet, I'll turn up the openvpn logging and see what I can find.

EDIT: Went back and stopped/started openvpn with verb set to 8 and got a bunch of configuration stuff in the log but nothing more about the fatal error.

Sep 29 21:34:22 openvpn[1407]: OpenVPN 2.4.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 27 2018
Sep 29 21:34:22 openvpn[1407]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.09
Sep 29 21:34:22 openvpn[1409]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sep 29 21:34:22 openvpn[1409]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sep 29 21:34:22 openvpn[1409]: Diffie-Hellman initialized with 2048 bit key
Sep 29 21:34:22 openvpn[1409]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 29 21:34:22 openvpn[1409]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 29 21:34:22 openvpn[1409]: TUN/TAP device tap22 opened
Sep 29 21:34:22 openvpn[1409]: TUN/TAP TX queue length set to 100
Sep 29 21:34:22 openvpn[1409]: updown.sh tap22 1500 1655 init
Sep 29 21:34:22 openvpn[1409]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sep 29 21:34:22 openvpn[1409]: WARNING: Failed running command (--up/--down): external program fork failed
Sep 29 21:34:22 openvpn[1409]: Exiting due to fatal error
 
Last edited by a moderator:
@000111 Looks like the sever config file isn't being created properly, if at all.

I guess this is OpenVPN server #2? Check the config file with:

cat /tmp/etc/openvpn/server2/config.ovpn

Also check that your /jffs partition isn't full:

df -h /jffs
 
Cat reveals what appears to be a normal file for either server 1 or server 2 (I run both).
 
@000111
Confirmed the bug. I did a change to avoid having the 'script-security' statement entered twice in the config, and there was a case where it wasn't entered when it needed to be on MIPS.

Workaround is to add 'script-security 2' manually to the custom config section (or enable username/password auth)
 
Thanks for the workaround and help gentlemen!

Workaround applied and working.
 
The next release is out!
LATEST RELEASE: Update-36E4/36L4[/CODE]

Small problem:

I have ANOTHER router as internet gateway, set with these settings for the dhcp server:
DNS Server 1: IP1
DNS Server 2: IP2
WINS Server: IP3



I then have a device (N66U, with your firmware), used in "AP Mode".

In the LAN - LAN IP tab:
"Get LAN IP Automatically?" is set to "yes"

If I set "Connect to DNS Server automatically" to "Yes", then:

I would expect:
"DNS Server1" contains "IP1"
"DNS Server2" contains "IP2"

But I get:
"DNS Server1" contains "IP1 IP2 IP3" (strings are appended with a space between)
"DNS Server2" is empty



"Connect to DNS Server automatically" set to "No" works
 
Small problem:
Sorry, but not sure I understand. Normally, in AP mode the DNS server in Automatic mode will be pointed to the parent router as the DNS (just verified it). How is your DNS configured on the parent router?
 
Sorry, but not sure I understand. Normally, in AP mode the DNS server in Automatic mode will be pointed to the parent router as the DNS (just verified it). How is your DNS configured on the parent router?

parent router RMerlin 380.62:
"DNS Server 1" contains "195.130.130.9"
"DNS Server 2" contains "8.8.8.8"
"Advertise router's IP in addition to user-specified DNS" is set to "Yes" = 192.168.157.1
"Forward local domain queries to upstream DNS" is set to "No"
"Enable DNSSEC support" is set to "No"
"WINS Server" contains "192.168.157.1" = same as router address

I get a "195.130.130.9 8.8.8.8 192.168.157.1" string in the "DNS Server1" field of the AP (John's fork). It seems to me (as a novice) that somewhere the string "195.130.130.9 8.8.8.8 192.168.157.1 " should be split in the 3 ip's, and that that is not happening?
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top