JFFS Format

[jjulez]

Asus Merlin and Mullvad VPN

How to setup your Asus router running Merlin to connect to the Mullvad VPN servers.

mullvad.net

You put the script in the wrong place.

Yes,thanks i do recall using putty for something few years ago, must have been this. I totally forgot

 

[GoldWing]

Formatting the JFFS partition will wipe out many of your router's settings and all of the "custom scripts and configs" stored there.

So any add-on scripts will either not exist anymore, or just fail to start until they are reinstalled.

Router settings like custom Client Names, icons, manual DHCP assignments, VPN settings, etc. will also be lost.

You will also lose things like Traffic Analyzer stats and web history.

Colin what do you mean by "many of your router's settings" and "custom scripts and configs" and "VPN settings"?

I'm no network guru! I apologize if answer is simple! The reason I'm asking the above question is fairly straight forward. As a user of Technology for a LONG time I wanted to minimize my network security risk, and maximize my backup capability of my RT-AX86U Pro router configuration and settings without compromising my security.

What I've done is disconnected the RT-AX86U from the internet by removing the coax cable to the modem. Afterward I've done a hard factory reset, and afterward installed the latest Asus firmware which was followed by the Asuswrt-Merlin version 388.1 update. With Asuswrt-Merlin uploaded I set all my settings in the router including setting up VPN client using NordVPN's OpenVPN file uploaded into the RT-86U Pro. I've backed up the router's settings, and JFFS partition. Afterward re-connecting the coax to the modem, and going online. I've installed AMTM, and Entware by SSH'ing into the router using Putty and RSA key.

I've installed "tcpdump" and verified DoT (i.e. port 853 being used)by SSH'into the router per the instructions at https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Privacy. IIRC Entware is installed on the USB attached to the RT-AX86U Pro. I'm not sure where the "tcpdump" is installed.

On the RT-86U Pro I've "Format JFFS partition at next boot" twice. Once with selecting the "Yes" radio button, and afterward hitting the "Apply" button. The "Yes" radio button did NOT persist after hitting the "Apply" button, then re-booting the router. The 2nd time I selected the "Yes" radio button and immediately rebooted the router. In both instances Skynet's "Inbound Blocks" were apparently reset to 0. Afterward I was also able to continue to verified DoT using "tcpdump". In both tests the "VPN Client" settings continued to work which I verified at https://nordvpn.com/ip-lookup/.

Since my results of my tests using the seem to be inconsistent with your statements above, I thought that I'd ask the question.

I'm kind of wonder whether the "Format JFFS partition at next boot" is only partially working on the RT-AX86U Pro, or what?

Possibly if I messed something up along the way. Is the best way then to make sure the firmware is sound that I have on the RT-AX86U Pro is to simply upload the saved Router Settings and the saved JFFS partition that I created before ever connecting to the internet, or simply do a hard factory reset and start all over again?

Thank You!

Goldwing

 

[ColinTaylor]

@GoldWing It does sound like the format option didn't do anything. If it had then you wouldn't have a working VPN client as the certificates and keys would have been deleted. You could check the VPN Director page, if it's still configured for your NordVPN client then the format didn't work.

TBH I'm rather surprised that you have the Format JFFS option available at all. RMerlin said recently that he removed that option for the newer router models, like you have. As the RT-AX86U Pro is rather new I suspect that option being visible in the GUI is a bug.

 

[Tech9]

I'm no network guru!

Keep it simple then. Everything you describe in your post is available in stock Asuswrt. What do you need Entware for?

 

[GoldWing]

You could check the VPN Director page, if it's still configured for your NordVPN client then the format didn't work.

I did check the VPN Director page, and the NordVPNs' are still configured. See the "VPNDirector_20230221_624PM.jpg" attached.

TBH I'm rather surprised that you have the Format JFFS option available at all. RMerlin said recently that he removed that option for the newer router models, like you have. As the RT-AX86U Pro is rather new I suspect that option being visible in the GUI is a bug.

Ok, your comments above makes sense now, and more consistent with the results that I've seen. The only thing is the JFFS format option DID DO something because Skynet's blocks count were reset.

Is the best way then to make sure the firmware is sound that I have on the RT-AX86U Pro is to simply upload the saved Router Settings and the saved JFFS partition that I created before ever connecting to the internet, or simply do a hard factory reset and start all over again?

I kind of misstated my objectives above. My first objective is to maximize my LAN's security. My 2nd objective is to restore in theory to a clean install of Asuswrt-Merlin's latest firmware by saving the router's settings and router's JFFS partition, and latter when something goes wrong to use both restore router settings and restore router JFFS partition funtionality without a hard factory reset. The question that I do not know the answer too is whether starting from a hard factory reset with all the setup is the same as using both the restore settings and restore JFFS partition? IOW will the router be in the same state as long as my settings are the same?

Thank You!

GoldWing

 

[Tech9]

This router doesn't have JFFS partition. Format, save/restore may not work.

 

[GoldWing]

Keep it simple then.

Yes the old KISS principle. Unfortunately I have objectives which may conflict with the principle. First I want to learn. Second I want to maximizing my router's security/privacy in which options maybe only available in Asuswrt-Merlin firmware.

Everything you describe in your post is available in stock Asuswrt. What do you need Entware for?

I wanted to install "tcpdump" which requires Entware to be installed. Why? I wanted to check if DoT is working with my WAN > DNS-over-TLS Server List setup.

See https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Privacy which requires to SSH into the router and use the "tcpdump -i eth0 -p port 853 or 53 -n" command to check which port is being used.

Thank You!

GoldWing

 

[Tech9]

Just block temporary port 853 and you'll know without amtm, ssh, Entware and tcpdump.

 

[ColinTaylor]

The question that I do not know the answer too is whether starting from a hard factory reset with all the setup is the same as using both the restore settings and restore JFFS partition? IOW will the router be in the same state as long as my settings are the same?

Sorry, my brain is having a hard time parsing those sentences. Let's try this:

If you want to create backup of your router's config once you've done your initial setup, so that you can restore back to that point, I would:

1) First install the Merlin firmware version that you intend to use.
2) After installation when it's booted up for the first time don't bother configuring it. Instead do a hard factory reset using the WPS method. This will reset everything to the new default values and erase the contents of JFFS partition.
3) Now when the router boots up go through the normal setup process to configure it how you want.
4) Once you've got to the point where you want to create your "baseline" backup go to Administration - Restore/Save/Upload Setting. Backup the "Router settings" and "JFFS partition".

If you need to return to this point in time perform a hard (WPS) reset. Do the bear minimum setup that allows you to log in to the router. Go to Administration - Restore/Save/Upload Setting and restore your settings file. The router will reboot. Log in again and now restore the JFFS partition. Reboot immediately. That's it.

 

[GoldWing]

Everything you describe in your post is available in stock Asuswrt.

Unless I missed it in the stock Asuswrt firmware I wanted to utilize the VPN Client settings in the Asuswrt-Merlin firmware per the "VPNClientSettings_20230221_710PM.jpg" attached image which aligns with my objective of maximizing my LAN's security/privacy.

Thank You!

GoldWing

 

[GoldWing]

Sorry, my brain is having a hard time parsing those sentences. Let's try this:

.... That's it.

When I'm learning I try to capture all the details. Sorry for all the verbiage!

Thank You!

GoldWing

 

[Tech9]

my objective of maximizing my LAN's security/privacy

I don't see much privacy and security in DoT and commercial VPN, but I hope you know what are you doing.

 

[GoldWing]

This router doesn't have JFFS partition.

In Colin's reference to RMerlin's post the model numbers are NOT mentioned.

Is there any way within the WUI to determine if UBIFS is being used?

Format, save/restore may not work.

If you are correct, then Colin's backup restore process that Colin posted earlier maybe incorrect unless the "Backup the JFFS partition" is really a backup and restore function pertaining to UBIFS per RMerlin's comments.

I don't know. Just thinking out loud.

Thank You!

GoldWing

 

[Tech9]

In Colin's reference to RMerlin's post the model numbers are NOT mentioned.

RT-AX86U Pro is very similar to GT-AX6000 hardware. I also believe "Format JFFS partition" option in firmware is a bug. The firmware you are running is the first Asuswrt-Merlin on 388 base and the first with your router support. Some things may not work as expected.

 

[ColinTaylor]

If you are correct, then Colin's backup restore process that Colin posted earlier maybe incorrect unless the "Backup the JFFS partition" is really a backup and restore function pertaining to UBIFS per RMerlin's comments.

All Asus_Merlin routers have a "JFFS partition". To be precise, there is a partition that is mounted at /jffs. This is what I am referring to.

Historically /jffs was formatted as a JFFS2 type filesystem (hence the name). In the more recent routers the format of this partition was changed to UBIFS, but the name of the mount point (/jffs) was left the same for compatibility reasons. This is what RMerlin was talking about.

 

[GoldWing]

I don't see much privacy and security in DoT and commercial VPN,

Why do you say this?

If I have all my Internet traffic is through my router's VPN client with the "Accept DNS Configuration" set to "Disabled" where the router ignores the DNS servers pushed by the remote VPN server and all the devices using the router have their setting to use the DNS servers provided by the router which are DoT enabled, I would think at a minimum the result would be pretty secure / private for the retail home market model.

I do recall reading a pretty eye opening thread in SnBForums which IIRC was dated a while back that I found searching for info which questioned the hardware and software used by the OEM's selling routers into the retail / home user market in regard to the product's security which also included some input by RMerlin and a spreadsheet that tracked the components of the different OEM's.

Or maybe you are referring to "commercial VPN" market not really being secure for whatever reason. I've read a number of articles in regard to this issue such as consolidation in the commercial VPN market questioning whether your data is really secure.

These days it is all about the data.

but I hope you know what are you doing.

I'm learning. For me learning is fun. If I crash and burn the router, I'll just start over. In the rebuild process I'll learn some more.

Thank You!

GoldWing

 

[Tech9]

Why do you say this?

Because you have read some things here and there and ended up paying for transferring your browsing history from one company to another. Using one of most popular commercial VPN services you'll see services refused, you'll be blocked, you'll have to authenticate yourself often, your Internet speed is limited by router hardware and your latency is increased. You perhaps understand commercial VPN exit points are well known, your ISP knows where you connect to and whoever you connect to knows it's a VPN server address. When your data is not going through the tunnel using DoT or not doesn't matter much - your ISP knows the IP addresses you connect to. They don't need to know the domain name and can recreate your browsing history quite accurate. Your chasing for privacy and security is actually hurting yourself and paying for it on top. You'll come to this conclusion sooner or later like many others.

These days it is all about the data.

What data? Google, Apple and Microsoft know more about you than your own wife including your location at any given moment. If you want privacy and security you have to cancel all services and move somewhere in the woods. Do you have IoT devices? Cameras and microphones you have voluntarily installed in your home? Doorbells with servers in China? Asus router with TrendMicro services? You already agreed to share your data in multiple places.

 

[GoldWing]

... Using one of most popular commercial VPN services you'll see services refused, you'll be blocked, you'll have to authenticate yourself often, your Internet speed is limited by router hardware and your latency is increased.

Service refused, or blocked. Sure. Has happened with some of the streaming service that I use such as PeacockTV. I have to turn the VPN off in those instances. Authentication not only accepted by me, but also use 2 factor authentication for banking/finances logins, insurances logins, health care network provider logins, etc. I WANT that. With my current router configuration using a VPN client on the router and ISP I just clocked a download speed of 220.91 Mbps per Speedtest.net which is faster than any purpose that I presently need.

You perhaps understand commercial VPN exit points are well known, your ISP knows where you connect to and whoever you connect to knows it's a VPN server address.

Sure we live in a time where you leave a digital trail pretty much ALL the time if you have a Smartphone on your person which is GPS capable.

When your data is not going through the tunnel using DoT or not doesn't matter much - your ISP knows the IP addresses you connect to. They don't need to know the domain name and can recreate your browsing history quite accurate. Your chasing for privacy and security is actually hurting yourself and paying for it on top. You'll come to this conclusion sooner or later like many others.

I don't care about my ISP. Yes I'm paying for the VPN, but I WANT that encrypted tunnel when logged into my banking/finance accounts, insurances accounts, health care network provider accounts, etc.

What data? Google, Apple and Microsoft know more about you than your own wife including your location at any given moment.

See my comment above.

If you want privacy and security you have to cancel all services and move somewhere in the woods.

Agree using a compass, and no digital devices! Nope not in the woods that I've been in because they are way to BIG. Like National Forest big. Years ago I used only a compass. After that I graduated to Garmin hand held devices loaded with Maps which worked great! After my Garmin handheld died in really bad rain storm, I moved on to GAIA GPS on my Smartphone which works great! Now the problem is battery life. So I bring a brick battery or a solar battery charger. Tradeoffs in every nook and cranny of our life. Does the benefits exceed the costs. Yes almost always.

Do you have IoT devices? Cameras and microphones you have voluntarily installed in your home? Doorbells with servers in China? Asus router with TrendMicro services? You already agreed to share your data in multiple places.

Agree!

However in those instances where I want privacy for such digital uses as my banking/finance accounts, insurances accounts, health care network provider accounts I'll pay for the VPN client service, and try to maximize my LAN's security/privacy to protect myself.

Thank You!

GoldWing

 

[Tech9]

banking/finance accounts, insurances accounts, health care network provider accounts, etc.

You don't need VPN for this. The traffic is encrypted already.

However in those instances where I want privacy

You only change your IP and they ask more questions to verify it's you.

 

[GoldWing]

You only change your IP and they ask more questions to verify it's you.

Never been asked any more questions when changing the remote VPN server for any of these accounts. The only thing that has occurred is in one instance I was not able to login with the 2nd authentication factor. When I documented the issue through the companies channels the company mentioned that they had implemented security which they felt caused the problem. In a phone call from their representative she inferred it was AI implemented to prevent fraud. If that was the case my thoughts who ever thought of the algorithm for the security should go back and think of their use case scenarios to insure the maximum potential of their customer base. Without that they are more likely to frustrate other customers. Computers are incredibly fast, and only as good as their programmers and IT project teams that implement newer systems thinking through all the scenarios in which the use case may apply.

Thank You!

GoldWing