What's new

[Release] Asuswrt-Merlin 384.10 is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Where do you find this setting?
Bottom area of VPN client page.
When everything went down, my OpenVPN status still said it was connected.
Ok then its likely not related to your VPN. What settings do you have for DNS?
 
Bottom area of VPN client page.
Oh, Im not using Policy rules. Its set to All.

Ok then its likely not related to your VPN. What settings do you have for DNS?
On the OpenVPN Client settings, Accept DNS Configuration is set to disabled.

In the WAN settings, its set to my router (I have Stubby installed).
 

Attachments

  • Screen Shot 2019-03-30 at 8.54.13 PM.png
    Screen Shot 2019-03-30 at 8.54.13 PM.png
    16.3 KB · Views: 296
Oh, Im not using Policy rules. Its set to All.


On the OpenVPN Client settings, Accept DNS Configuration is set to disabled.

In the WAN settings, its set to my router (I have Stubby installed).
Next time it goes down SSH into the router and check stubby:
Code:
/opt/etc/init.d/S61stubby check
and if it is down run this:
Code:
stubby -C /opt/etc/stubby/stubby.yml -i
And then run this to restart:
Code:
/opt/etc/init.d/S61stubby restart
Let us know how things work out.
 
stubby -C /opt/etc/stubby/stubby.yml -i
On this command you want to look at the bottom most line of it's output.
 
  • Like
Reactions: #TY
IKEv2 issue in RT-AC5300

VPN Server IPSec IKEv2 does not work for my since I upgraded to 384.10. My clients are iOS devices (iPhones and iPads). With prior version 384.9 all work perfectly. My custom scripts are same from here: https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-473984

Downgrading to 384.9 makes IKEv2 works again.

384.10 upgraded to a much newer Strongswan version. You might need to update your configuration to match with the new version.
 
384.10 upgraded to a much newer Strongswan version. You might need to update your configuration to match with the new version.
Stooopid question time: Would I know I was using strongswan if I was? I have no clue what this is, but I know lots of stuff runs on the router that I have no clue what it is. :)
 
384.10 upgraded to a much newer Strongswan version. You might need to update your configuration to match with the new version.

Problem is with cyphersuite and OpenSSL version used. When an iOS device connects to VPN using IKEv2, Strongswan crashes and restart after negotiation.
 
384.10 stable for 3 days 19 hours 4 minute(s) 16 seconds.
Just as stable (for me/RT-AC86U) as 384.9 before.

:D
 
No biggie, but "Manually Assigned IP around the DHCP list FAQ" URL on LAN/DHCP Server page is now a dead one.
 
Last edited:
"Channel 0" usually indicates that the wifi radio is down/crashed/dead. Try power cycling your router.

The RT-AC86U driver is unchanged in 384.10.


I encountered that two days ago. The second 5 GHz radio of my development RT-AC5300 died :(
Thanks for the reply! The router went into a reboot loop. I was not able to get out of the loop so I had to do a RMA. Hopefully they can fix it. I ended up buying another AC86U.
 
Bottom area of VPN client page.

Ok then its likely not related to your VPN. What settings do you have for DNS?

I upgraded when beta2 came out. In last 2 weeks my VPN client connection stopped twice. At first I thought that VPN server could have been an issue. After restarting VPN client it started to work. Then 1 day ago it happened again. No Messages in syslog and just like you VPN client status said connected. I think we stumbled on the problem with VPN client.
 
I am looking to upgrade but want to do a clean install from scratch. All previous upgrades have been dirty.
Will the router loose the DDNS setting when I reset back to factory settings?
 
I am looking to upgrade but want to do a clean install from scratch. All previous upgrades have been dirty.
Will the router loose the DDNS setting when I reset back to factory settings?

Yes, but you can setup it again.
 
My primary connection is over VPN and with DNS strict all traffic goes through VPN. If for whatever reason VPN disconnects, Stubby takes over. This is how it works. Just because you have Stubby you dont need to set DNS too disabled.
This topic has come up a lot this past week. There are two settings that affect how DNS is handled by the OpenVPN Client - Accept DNS Configuration and Redirect Internet Traffic.

In the OpenVPN Client, if you set Accept DNS Configuration = Exclusive and use Policy Rules or Policy Rules (Strict), dnsmasq will be bypassed and the OPenVPN Client will "exclusively" use the DNS of the VPN Provider. The Diversion ad blocker written by @thelonelycoder will not work with this configuration as Diversion requires dnsmasq to work. Diversion will work if you set Redirect Internet Traffic to All.

If you want the OpenVPN client to use dnsmasq + Diversion, there are two options available to resolve the DNS and routing issues when using Policy Rules with Asuswrt-Merlin:
  1. Set Accept DNS Configuration to “Strict” and specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section. Without the dhcp-option command, Diversion updates will fail, the Diversion email function will no longer work and the wget command will not able to resolve the domain name.
  2. My preferred recommendation is to install Stubby DNS over TLS. Stubby will encrypt DNS queries. To enable the OpenVPN Client to use Stubby, set Accept DNS Configuration to “Disabled”.
The definition of the Accept DNS Configuration field values are as follows:
  • Disabled: DNS servers pushed by VPN provided DNS server are ignored.
  • Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
  • Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don’t respond).
  • Exclusive: Only the pushed VPN provided DNS servers are used.
 
Last edited:
Yes, but you can setup it again.
ThanX

Hope to have some time alone at home to upgrade. something on my router is choking my internet.
I'll have to install each component and test as I move along.
 
ThanX

Hope to have some time alone at home to upgrade. something on my router is choking my internet.
I'll have to install each component and test as I move along.

You may want to follow the links in my signature to fully reset the router, network and client devices so that your debugging is as smooth and any possible fixes are as straightforward as possible. :)
 
This topic has come up a lot this past week. There are two settings that affect how DNS is handled by the OpenVPN Client - Accept DNS Configuration and Redirect Internet Traffic.

In the OpenVPN Client, if you set Accept DNS Configuration = Exclusive and use Policy Rules or Policy Rules (Strict), dnsmasq will be bypassed and the OPenVPN Client will "exclusively" use the DNS of the VPN Provider. The Diversion ad blocker written by @thelonelycoder will not work with this configuration as Diversion requires dnsmasq to work. Diversion will work if you set Redirect Internet Traffic to All.

If you want the OpenVPN client to use dnsmasq + Diversion, there are two options available to resolve the DNS and routing issues when using Policy Rules with Asuswrt-Merlin:
  1. Set Accept DNS Configuration to “Strict” and specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section. Without the dhcp-option command, Diversion updates will fail, the Diversion email function will no longer work and the wget command will not able to resolve the domain name.
  2. My preferred recommendation is to install Stubby DNS over TLS. Stubby will encrypt DNS queries. To enable the OpenVPN Client to use Stubby, set Accept DNS Configuration to “Disabled”.
The definition of the Accept DNS Configuration field values are as follows:
  • Disabled: DNS servers pushed by VPN provided DNS server are ignored.
  • Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
  • Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don’t respond).
  • Exclusive: Only the pushed VPN provided DNS servers are used.

OpenVPN client confit DNS to strict. Policy is to route all traffic. Diversion works. Skynet works. I did not have to do anything else.
 
Stooopid question time: Would I know I was using strongswan if I was? I have no clue what this is, but I know lots of stuff runs on the router that I have no clue what it is. :)

Strongswan is the IPSEC server used by Asuswrt.

Problem is with cyphersuite and OpenSSL version used. When an iOS device connects to VPN using IKEv2, Strongswan crashes and restart after negotiation.

Which cipher is that?
 
Ok Guys , Here is a weird one...
I have had the RT-AC86U running current merlin firmware with amtm, diversion,skynet, 2 vpn servers , 1 vpn client etc, plus some custom scripts.
The router up time was 5 days last night without issues.
This morning i Woke up to a router powered up but totally wiped, "like factory reset wipe" even jffs was wiped!!!
according to logs the router first boot was a 5am.
As far as i know the only change overnite was the clocks change here in the uk.
In all my years of using asus routers i never came across such thing.
 
Last edited:

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top