Asuswrt-Merlin 384.5 is now available for all supported models. In addition to new GPL merges, this release focuses on various things that had been waiting on the Todo list for a while. With this release, a lot of work has been done around the OpenVPN implementation in an attempt to simplify it a bit, removing rarely used or flat out broken settings.
The highlights of this release:
- Merged with GPL 384_20648.
- Merged binary blobs from 384_20648 for RT-AC86U, RT-AC68U and RT-AC5300.
- Updated components: OpenVPN (2.4.6), Dropbear (2018.76), OpenSSL (1.0.2o), miniupnpd (20180503), nano (2.9.5).
- Upgraded the RT-AC86U to the same Busybox release (1.25.1) as used by all other models.
- Revised Traditional QoS implementation. Downstream traffic for instance should no longer be incorrectly throttled.
- Added a new service-event script, executed before any service call (for example, restart_wireless). Note that this script will block the execution of the event until it returns, so be careful with it.
- Revised OpenVPN server and client options. Please see below for more details on these changes.
- Revised the System Log -> Connections page due to changes made by Asus to httpd. The new implementation removes the ability to resolve hostnames, and info is shown in a sortable table (click on a header to sort by that field).
- Added ability to resolve hostnames to the Network Tools -> Netstat page.
- Changed Samba behaviour. From now on, enabling master browser and WINS support requires explicitly enabling SMB sharing.
- Changes to the Firmware Upgrade page layout. Beta Firmware channel selector moved to Tools -> Other Settings, where it will now behave more predictably like a standard setting that can be saved to nvram.
- Sending an empty DHCP option 252 (for WPAD) can now be disabled on the Tools -> Other Settings page.
- Blocking custom scripts (like pre-mount) will now wait a maximum of 120 seconds before returning control, to prevent permanent lockouts.
- Security fixes for dnsmasq (like CVE-2017-15107) were backported from upstream.
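
The blocking caveat for the service-event script, as an added example that is not part of the release or the firmware: a handler that logs the event and hands any slow work to a time-limited background job, so the service call proceeds immediately. It assumes only that the event arrives as positional arguments; `LOG_FILE`, `SLOW_HOOK` and `HOOK_TIMEOUT` are hypothetical names.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin code. The page does not say how the event
# is passed to the script, so the arguments are treated as opaque text.
# LOG_FILE, SLOW_HOOK and HOOK_TIMEOUT are hypothetical names.
LOG_FILE="${LOG_FILE:-/tmp/service-event.log}"
SLOW_HOOK="${SLOW_HOOK:-}"            # optional shell command run per event
HOOK_TIMEOUT="${HOOK_TIMEOUT:-30}"    # seconds before a stuck hook is killed

# Start "$@" detached from the caller and kill it after HOOK_TIMEOUT seconds.
run_bounded() {
    (
        "$@" &
        hook_pid=$!
        ( sleep "$HOOK_TIMEOUT"; kill "$hook_pid" 2>/dev/null ) &
        timer_pid=$!
        wait "$hook_pid"
        kill "$timer_pid" 2>/dev/null
    ) >/dev/null 2>&1 &
}

# Log the event and return at once so the service call is never held up.
handle_event() {
    # Keep a conservative character set: no newlines or control characters
    # reach the log, so a crafted event name cannot forge extra log lines.
    event=$(printf '%s' "$*" | tr -cd 'A-Za-z0-9_ .-')
    printf '%s service-event: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$event" >>"$LOG_FILE"
    if [ -n "$SLOW_HOOK" ]; then
        run_bounded sh -c "$SLOW_HOOK" hook "$event"   # event becomes $1 in the hook
    fi
    return 0
}

# Act only when called with an event (restart_wireless is the page's example).
if [ "$#" -gt 0 ]; then
    handle_event "$@"
fi
```
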
This is a summary of the changes made to OpenVPN:
Server changes:
- Removed "TLS Reneg time" (rarely used, can manually be set as a custom option)
- Removed "Server Poll" (which didn't work properly), and reimplemented watchdog service as a cron job, hardcoded to 2 mins frequency.
- Removed "Push LAN" and "Redirect Gateway", replaced with new Client Access setting
- Removed Firewall setting (firewall rules are now always created, and the broken External mode was fixed and integrated into the new Client Access setting). You can now use the postconf script to override it.
- Removed option to respond to DNS queries - enabling the option to Push DNS will also handle it
- Added new Client Access setting to select between three types of access: LAN only, WAN only (will block access to the LAN, including the router itself) and LAN + WAN.
- Keys and certificates can now be up to 7999 characters long.
Client changes:
- Reorganized settings into groups
- Removed "Poll Interval" (which didn't work properly), and reimplemented watchdog service as a cron job, with a hardcoded frequency of 2 mins.
- Removed Firewall setting (firewall rules are now always created). You can now use the postconf script to override it.
- Modified behaviour of Connection Retry. Instead of taking a value in seconds that only affected resolution failure, it now takes a number of attempts, and affects connection failures. Resolution failures will now retry for an infinite period of time (the default OpenVPN value).
- Added "refresh" link which can be clicked to re-query the public IP endpoint of the tunnel
- Keys and certificates can now be up to 7999 characters long.
Downloads are here.
Changelog is here.