Release [Fork] Asuswrt-Merlin 374 LTS release 45EC

[atkinsom]

ASUS RT-AC66U
Rebooted, reflashed, booted again, displays EA!
Cleared all history and cache
Mozilla Firefox 68
no change!
Same EA displayed
Can I run a shell command to see if changed or not?
Should I use Firmware Restoration method again?

Disconnect all attached drives before the update as well..that has given me issues with my 68U in the past.

 

[Mircica]

Disconnect all attached drives before the update as well..that has given me issues with my 68U in the past.

Solved with Firmware Restoration, thank you!

 

[Mircica]

The GUI update should work. I would reboot the router, clear your browser cache and try again. Also you should post your router model and perhaps what browser you are using to further help with troubleshooting.

I'll keep an eye on logs... just to let you know how is working, thank you again for your great work John!

 

[john9527]

I'll keep an eye on logs... just to let you know how is working, thank you again for your great work John!

If you have a USB drive (especially a large USB drive) attached that was most likely the cause. It takes up memory and doesn't leave enough free for the upgrade.

 

[john9527]

The 5G wifi modular is added to PCI-E port on N16 PCB circuit (refer to attached picture) not USB port.

I had never heard of this 'upgrade' before.

I did a quick look through the code (both my fork and the last Merlin that supported the N16) and don't see how those nvram settings would be enough to enable 5G on the router. The first one (Ate_dev_status) is valid but is only a small part of what would need to be enabled. The second one (dual_band) doesn't even exist.

I can only guess that whatever code you were previously running was a 3rd party 'custom' build that someone put together.

 

[chongnt]

This is not a question on this particular release but a question on openvpn usage in this release.
I have been using openvpn for me to dial back to my home network. My setting is pretty much default. I created user account, generate openvpn file and import in my phone and laptop. So far they are working fine.

Just noticed few unusual attempt to establish openvpn connection to my RT-N66U. Attached screen capture of my openvpn configuration page. Is my configuration ok or any changes that I can make it more robust?

Dec 6 05:45:21 openvpn[2588]: 185.200.118.83:38289 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 05:45:21 openvpn[2588]: 185.200.118.83:38289 TLS Error: TLS handshake failed
Dec 6 07:28:48 openvpn[2588]: 167.248.133.22:53448 TLS: Initial packet from [AF_INET]167.248.133.22:53448, sid=4d658221 07fcfd52
Dec 6 07:29:04 openvpn[2588]: 167.248.133.39:50915 TLS: Initial packet from [AF_INET]167.248.133.39:50915, sid=00136074 dae9ce00
Dec 6 07:29:48 openvpn[2588]: 167.248.133.22:53448 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 07:29:48 openvpn[2588]: 167.248.133.22:53448 TLS Error: TLS handshake failed
Dec 6 07:30:04 openvpn[2588]: 167.248.133.39:50915 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 07:30:04 openvpn[2588]: 167.248.133.39:50915 TLS Error: TLS handshake failed
Dec 6 11:17:37 openvpn[2588]: 146.88.240.4:53722 TLS: Initial packet from [AF_INET]146.88.240.4:53722, sid=12121212 12121212
Dec 6 11:18:37 openvpn[2588]: 146.88.240.4:53722 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 11:18:37 openvpn[2588]: 146.88.240.4:53722 TLS Error: TLS handshake failed

 

[L&LD]

Reset the OpenVPN client to default and recreate the Server settings, then export the new file. Import the OpenVPN to your client devices, after you've deleted the old ones.

 

[chongnt]

My device can establish the connection no problem. What I notice is there is unauthorized attempt everyday from different source IP address. All these unauthorized attempt ends with TLS handshake failed. I guess this is ok. Is there anything I should be concern of?

 

[L&LD]

Not okay!

Re-do it as suggested and use a different username and password for the newly configured OpenVPN Server.

 

[chongnt]

Not okay!

Re-do it as suggested and use a different username and password for the newly configured OpenVPN Server.

Got it. Will redo the configuration. I am trying to generate secret key and try this setting.

 

[john9527]

My device can establish the connection no problem. What I notice is there is unauthorized attempt everyday from different source IP address. All these unauthorized attempt ends with TLS handshake failed. I guess this is ok. Is there anything I should be concern of?

Just the nasty folks on the internet trying to break in.....
To be safe, I'd do as @L&LD suggested and change your username/password. In addition, use a non-standard port (make yourself hidden a bit better )

 

[chongnt]

Just the nasty folks on the internet trying to break in.....
To be safe, I'd do as @L&LD suggested and change your username/password. In addition, use a non-standard port (make yourself hidden a bit better )

Thanks john and L&LD.
I did a 1194 port scan from internet and it appears closed. There is no log seen. I suppose when I see TLS handshake error is a security concern. I have change username/password and port as suggested. I have also try to change the cipher key from aes-128-cbc to aes-256-gcm.

What I noticed is with aes-256-cbc, sha is used.
Dec 6 13:04:33 openvpn[21189]: xx:27955 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1602'
Dec 6 13:04:33 openvpn[21189]: xx:27955 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Dec 6 13:04:33 openvpn[21189]: xx:27955 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 6 13:04:33 openvpn[21189]: xx:27955 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Dec 6 13:04:33 openvpn[21189]: xx:27955 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key

However, with aes-256-gcm, sha key is not used by the router even it is configured.
Dec 6 13:24:27 openvpn[25156]: xx:49561 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1550'
Dec 6 13:24:27 openvpn[25156]: xx:49561 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Dec 6 13:24:27 openvpn[25156]: xx:49561 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Dec 6 13:24:27 openvpn[25156]: xx:49561 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 6 13:24:27 openvpn[25156]: xx:49561 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 6 13:24:27 openvpn[25156]: xx:49561 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA

Is this normal? Which one do you recommend to use? My device can connect with both configuration. Also, is there any text I can manually add in the client file regarding link and tun mtu size?

 

[ColinTaylor]

I did a 1194 port scan from internet and it appears closed.

That's because your port scan was using TCP but your OpenVPN server was listening on UDP. As @john9527 said, those messages are just normal scanning/hacking attempts that you see when using the default port/protocol. Change to a non-standard port and they will disappear.

 

[Martineau]

This is not a question on this particular release but a question on openvpn usage in this release.
I have been using openvpn for me to dial back to my home network. My setting is pretty much default. I created user account, generate openvpn file and import in my phone and laptop. So far they are working fine.

Just noticed few unusual attempt to establish openvpn connection to my RT-N66U. Attached screen capture of my openvpn configuration page. Is my configuration ok or any changes that I can make it more robust?

Dec 6 05:45:21 openvpn[2588]: 185.200.118.83:38289 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 05:45:21 openvpn[2588]: 185.200.118.83:38289 TLS Error: TLS handshake failed
Dec 6 07:28:48 openvpn[2588]: 167.248.133.22:53448 TLS: Initial packet from [AF_INET]167.248.133.22:53448, sid=4d658221 07fcfd52
Dec 6 07:29:04 openvpn[2588]: 167.248.133.39:50915 TLS: Initial packet from [AF_INET]167.248.133.39:50915, sid=00136074 dae9ce00
Dec 6 07:29:48 openvpn[2588]: 167.248.133.22:53448 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 07:29:48 openvpn[2588]: 167.248.133.22:53448 TLS Error: TLS handshake failed
Dec 6 07:30:04 openvpn[2588]: 167.248.133.39:50915 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 07:30:04 openvpn[2588]: 167.248.133.39:50915 TLS Error: TLS handshake failed
Dec 6 11:17:37 openvpn[2588]: 146.88.240.4:53722 TLS: Initial packet from [AF_INET]146.88.240.4:53722, sid=12121212 12121212
Dec 6 11:18:37 openvpn[2588]: 146.88.240.4:53722 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 11:18:37 openvpn[2588]: 146.88.240.4:53722 TLS Error: TLS handshake failed

Your screenshot shows 'Username/Password Auth ONLY=Yes' - this is not recommended and is highly insecure.

 

[ColinTaylor]

Your screenshot shows 'Username/Password Auth ONLY=Yes' - this is not recommended and is highly insecure.

It is not "highly insecure", it is "less secure". But yes, using certificates is much better.

 

[chongnt]

thanks @ColinTaylor and @Martineau. I have change to non-standard port and also change the setting of Username/Password Auth ONLY to no. So far those TLS handshake messages has gone.

 

[gmoller]

I had never heard of this 'upgrade' before.

I did a quick look through the code (both my fork and the last Merlin that supported the N16) and don't see how those nvram settings would be enough to enable 5G on the router. The first one (Ate_dev_status) is valid but is only a small part of what would need to be enabled. The second one (dual_band) doesn't even exist.

I can only guess that whatever code you were previously running was a 3rd party 'custom' build that someone put together.

You are right, the customized firmware is with 64K nvram, I assume this customized version was built with additional 5G codes

 

[john9527]

You are right, the customized firmware is with 64K nvram, I assume this customized version was built with additional 5G codes

I did a bit of searching and found a reference to the the code and a link to the source code on a Chinese site....unfortunately it's a dead link. Nothing I could even try.

 

[MON@H Rasta]

I have MicroSD card installed and several sh scripts running after router restart. My main concern is creating a /jffs/scripts/post-mount file like this:

#!/bin/sh

logger "post-mount: start"

. /jffs/addons/diversion/mount-entware.div # Added by amtm

# Run script now
sleep 5; /jffs/scripts/hosts-update-script.sh; sleep 5; /jffs/scripts/init_ipset.sh; sleep 5; /jffs/scripts/unblock_ipset.sh; sleep 5; /jffs/scripts/nat-start;

logger "post-mount: finish"

First script (hosts-update-script.sh) running quite long, like several minutes and second script is never started. My question is - have you changed timeouts in some way in latest releases? I had 0 issues running scripts on older releases. How can I prevent this problem?

The purpose of those scripts is to update hosts to block ads and to enable TOR to unlock sites blocked by ISP.

 

[john9527]

My question is - have you changed timeouts in some way in latest releases?

Last change was back in Jan with release 41. A 2 min timeout was added for blocking scripts (post-mount is a blocking script) so that you couldn't hang at boot with a bad/unresponsive script. This backported a change from Merlin's code.