Asuswrt-Merlin 380.65 is now available for all supported models.
This release introduces a number of important changes, which is why it went through a longer development cycle than usual (in addition to the issues involved with testing the GPL 4180 code, which had to be reverted).
Update - March 30th:
380.65_4 was uploaded, fixing two bugs.
Update - March 10th:
380.65_2 was uploaded, fixing two CVE security issues and two minor webui bugs.
More info on OpenVPN 2.4.0:
OpenVPN 2.4.0 is a major update over 2.3.x. The new GCM ciphers should in theory be a bit more efficient, by reducing the overhead of individual packets.
The new negotiation protocol (NCP) allow you to specify a list of supported ciphers, and both ends will communicate together to select the best matching cipher. If one of the two ends is still using an older version of OpenVPN, then the 2.4.0 end will fallback to using the former "cipher" parameter. This automatic fallback behaviour can be enabled/disabled through the webui.
Note that having a mixture of 2.3 and 2.4 endpoints, or using the legacy fallback might cause some warnings about inconsistent settings to show in your log, as your server will try to establish whether to use NCP or the old cipher operand. These warnings can safely be ignored.
2.4.0 also adds support for LZ4 compression, which should be more efficient than LZ0. This requires that both ends run 2.4.x.
tls-crypt is a new security layer that will allow OpenVPN to encrypt the content of the TLS control channel, helping in further obfuscating the protocol (potentially allowing it to go through firewalls blocking OpenVPN usage). The encryption is done using a static key, just like static authentication. Use the Static Key field to paste the key, which must be generated by OpenVPN itself (not by OpenSSL/easy-rsa.) Please consult the OpenVPN manual for more information on how to generate your own key.
If you enable server settings that are incompatible with a 2.4.0 client, you will be warned. In general you shouldn't need to re-export a new config file for your older clients provided you do not change your existing configuration.
A few parameters have been deprecated/removed in 2.4.0, so you might need to adjust any existing "custom" settings. Please refer to the OpenVPN manual.
One potential new issue seem to be specific to MIPS models (RT-N66U/RT-AC66U) and their older kernel. Starting with 2.4.0, OpenVPN expects the tun interface to support IPv6. That doesn't seem the case on this older kernel, so VPN servers that push back an ifconfig-ipv6 or route-ipv6 parameters might fail to connect. I haven't been able to test it myself (as I don't have a tunnel provider account), but I'd suggest trying to add these to your custom configuration if your client fail to connect with thhe system log reporting a failure on an "ip -6" command:
This is another sign that it might be time to retire these older models...
As usual, please try to keep posts in this thread specifically to this version. I strongly suggest starting a new thread if you have a configuration question.
Downloads are here.
Changelog is here.
This release introduces a number of important changes, which is why it went through a longer development cycle than usual (in addition to the issues involved with testing the GPL 4180 code, which had to be reverted).
- Upgraded to OpenVPN 2.4.0, and implemented support for various new features introduced with this major release. Asuswrt-Merlin fully supports the new GCM ciphers, negotiated ciphers, tls-crypt and more. This probably makes Asuswrt-Merlin one of the first to implement support for it
- Numerous issues related to OpenVPN were resolved.
- Updated Busybox to 1.25.1. This component provides a lot of the tools used by the router's shell environment.
- Other component updates include openssl, tor and nano which were updated to their latest versions.
- Some portions of Asus's 380_4180 GPL were merged. The rest wasn't, due to numerous issues introduced in this GPL release.
- Fix to IPv6 for newer router models, which were using an invalid MAC when requesting for a prefix.
- Various fixes to the Network Services Firewall
- Fixed rendering under Chrome 56
- Many other fixes and changes, please read the changelog for the complete list
Update - March 30th:
380.65_4 was uploaded, fixing two bugs.
Code:
- FIXED: Various LAN/WAN issues with the RT-AC3200 due to
incorrect GMAC state checks (Asus bug) (patch
by john9527)
- FIXED: Some models would sometime randomly fail to start one
of their wifi radio, possibly due to a hardware design
issue. Partly revert the 380.65 changes that removed
the automatic reboot if one radio was disabled at boot
time, but reduced the maximum number of reboots to 1.
Update - March 10th:
380.65_2 was uploaded, fixing two CVE security issues and two minor webui bugs.
Code:
- FIXED: CVE-2017-6549 (implemented temporary workaround,
until a proper fix from Asus)
- FIXED: CVE-2017-6548 (backport from GPL 7266)
- FIXED: WOL page fails to load if adding a client with a
quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name
contained a quote
More info on OpenVPN 2.4.0:
OpenVPN 2.4.0 is a major update over 2.3.x. The new GCM ciphers should in theory be a bit more efficient, by reducing the overhead of individual packets.
The new negotiation protocol (NCP) allow you to specify a list of supported ciphers, and both ends will communicate together to select the best matching cipher. If one of the two ends is still using an older version of OpenVPN, then the 2.4.0 end will fallback to using the former "cipher" parameter. This automatic fallback behaviour can be enabled/disabled through the webui.
Note that having a mixture of 2.3 and 2.4 endpoints, or using the legacy fallback might cause some warnings about inconsistent settings to show in your log, as your server will try to establish whether to use NCP or the old cipher operand. These warnings can safely be ignored.
2.4.0 also adds support for LZ4 compression, which should be more efficient than LZ0. This requires that both ends run 2.4.x.
tls-crypt is a new security layer that will allow OpenVPN to encrypt the content of the TLS control channel, helping in further obfuscating the protocol (potentially allowing it to go through firewalls blocking OpenVPN usage). The encryption is done using a static key, just like static authentication. Use the Static Key field to paste the key, which must be generated by OpenVPN itself (not by OpenSSL/easy-rsa.) Please consult the OpenVPN manual for more information on how to generate your own key.
If you enable server settings that are incompatible with a 2.4.0 client, you will be warned. In general you shouldn't need to re-export a new config file for your older clients provided you do not change your existing configuration.
A few parameters have been deprecated/removed in 2.4.0, so you might need to adjust any existing "custom" settings. Please refer to the OpenVPN manual.
One potential new issue seem to be specific to MIPS models (RT-N66U/RT-AC66U) and their older kernel. Starting with 2.4.0, OpenVPN expects the tun interface to support IPv6. That doesn't seem the case on this older kernel, so VPN servers that push back an ifconfig-ipv6 or route-ipv6 parameters might fail to connect. I haven't been able to test it myself (as I don't have a tunnel provider account), but I'd suggest trying to add these to your custom configuration if your client fail to connect with thhe system log reporting a failure on an "ip -6" command:
Code:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
This is another sign that it might be time to retire these older models...
As usual, please try to keep posts in this thread specifically to this version. I strongly suggest starting a new thread if you have a configuration question.
Downloads are here.
Changelog is here.
Last edited: