[Release] Asuswrt-Merlin 384.6 is now available

[Zastoff]

EDIT : Just happened again today
VPN has stopped but i still have internet access on my PC showing my ISP address details on IPleak.net

ive attached a small relevant section of syslog.txt when it happens (Aug 3rd)...well I would have done but the forum wouldn't allow me to upload a txt file of 17kb !

Maybe worth a try..
I had a simular problem some time ago, lost vpn ip adress and somehow tunnel was still up so killswitch did not go in..
I contacted my vpn provider and they told me it could be a routing issue and asked me to change vpn server(different city) and port to 1194 (1195 before)
And set TLS Renegotiation Time to 0
Changed back to old server some days after
Killswitch and vpn works fine now

 

[dabears]

Unfortunately, my original, detailed reply to you was deleted by the mods---c'est la vie. You can Google the instructions for the needed steps to manually upgrade to 384.5 using Putty and WinSCP, which, as mentioned, allowed me this go-round to upgrade to 384.6 without issue.

Try" recue mode" it works for me.

 

[pusb87]

Maybe worth a try..
I had a simular problem some time ago, lost vpn ip adress and somehow tunnel was still up so killswitch did not go in..
I contacted my vpn provider and they told me it could be a routing issue and asked me to change vpn server(different city) and port to 1194 (1195 before)
And set TLS Renegotiation Time to 0
Changed back to old server some days after
Killswitch and vpn works fine now

Thanks for your suggestion
However my understanding is that port 1194 only uses Blowfish-CBC encryption and is no longer supported by PIA
Also TLS Renegotiation Time of 0 is my current setting

another observation is that if i stop the VPN client manualy via the merlin GUI then i cannot establish an internet connection until i reboot the router, although i belive this is the default position.

 

[Zastoff]

Thanks for your suggestion
However my understanding is that port 1194 only uses Blowfish-CBC encryption and is no longer supported by PIA
Also TLS Renegotiation Time of 0 is my current setting

another observation is that if i stop the VPN client manualy via the merlin GUI then i cannot establish an internet connection until i reboot the router, although i belive this is the default position.

Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 5 10:43:14 ovpn-client1[15901]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 5 10:43:14 ovpn-client1[15901]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
on port 1194
But maybe just try one between 1194-1197 see what happens and a server change.
Or try TCP port 443 if they have that option can work better sometimes.
It seems really weird that you need to reboot the router if you turn vpn off in GUI to get internet back. Maybe a full reset and config from scratch

 

[D_Day]

Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 5 10:43:14 ovpn-client1[15901]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 5 10:43:14 ovpn-client1[15901]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
on port 1194
But maybe just try one between 1194-1197 see what happens and a server change.
It seems really weird that you need to reboot the router if you turn vpn off in GUI to get internet back maybe a full reset and config from scratch

I have the same issue when the VPN client is switched off, no internet and it will only come back up with a reboot.
It was fine in 384.4 but it changed in 384.5 final and has been the same ever since.
I’m currently on 384.7 alpha1 and I have reset every update. Something must have changed.

 

[Zastoff]

I am on 384.6_alpha1-gc644a0c
I dont have that problem

 

[D_Day]

I am on 384.6_alpha1-gc644a0c
I dont have that problem

Maybe it’s model specific, I have the AC68U.
I have tried everything I can think of to get to the bottom of it, it’s so frustrating.

 

[Zastoff]

Rules for routing client traffic through the tunnel
If you use the All clients (192.168.1.0/24 VPN) make sure you put Router 192.168.1.1 on WAN
@D_Day @pusb87

 

[D_Day]

Rules for routing client traffic through the tunnel
If you use the All clients (192.168.1.0/24 VPN) make sure you put Router 192.168.1.1 on WAN
@D_Day @pusb87

I’m running 1 device through strict policy rules with exclusive DNS, however I do get dns leaks with exclusive and have to use dns filter rules to.

 

[Zastoff]

I’m running 1 device through strict policy rules with exclusive DNS, however I do get dns leaks with exclusive and have to use dns filter rules to.

If you only want 1 device on vpn:
All 192.168.1.0/24 0.0.0.0 WAN
Your 1 Device 192.168.1.50 (if thats your ip for that device) 0.0.0.0 VPN
Dont know why you get DNS leaks.. i have Policy rules(strict) and Accept DNS Configuration Strict and get no dns leaks
what site do you use to check your DNS leak? and you do the DNS leak test from that device?

 

[Marin]

If you only want 1 device on vpn:
All 192.168.1.0/24 0.0.0.0 WAN
Your 1 Device 192.168.1.50 (if thats your ip for that device) 0.0.0.0 VPN
Dont know why you get DNS leaks.. i have Policy rules(strict) and Accept DNS Configuration Strict and get no dns leaks
what site do you use to check your DNS leak? and you do the DNS leak test from that device?

What if you want ALL but 1 device to go through VPN? Would setup look like this?

All devices——192.168.1.0/24—-0.0.0.0—-VPN
Device X ——192.168.1.XX ——0.0.0.0—-WAN

Or does the top rule override the bottom one?

You could check your DNS leaks at:

dnsleaktest.com




Sent from my iPhone using Tapatalk

 

[D_Day]

If you only want 1 device on vpn:
All 192.168.1.0/24 0.0.0.0 WAN
Your 1 Device 192.168.1.50 (if thats your ip for that device) 0.0.0.0 VPN
Dont know why you get DNS leaks.. i have Policy rules(strict) and Accept DNS Configuration Strict and get no dns leaks
what site do you use to check your DNS leak? and you do the DNS leak test from that device?

I use ExpressVPN and they have a link on their homepage to check for dns leaks and yes I do it through the device.
Is there a better dns leaks check tool available?

 

[wallyg8r]

I use ExpressVPN and they have a link on their homepage to check for dns leaks and yes I do it through the device.
Is there a better dns leaks check tool available?

you can try using https://ipleak.net/

 

[XIII]

When doing an experiment for @kvic I noticed that the USB 3.0 port of a RT-AC68U was set to 2.0 mode. After changing it to 3.0 mode the (SanDisk UltraFit USB 3.0) stick is no longer detected in the 3.0 port no matter what I do, while it is still detected in the 2.0 port.

EDIT: It's detected again after a lot of reboots. No clue why...

 

[HowIFix]

I use ExpressVPN and they have a link on their homepage to check for dns leaks and yes I do it through the device.
Is there a better dns leaks check tool available?

• Test: DNS server, DNSSEC and WebRTC

 

[john9527]

Would setup look like this?

Some general VPN Policy routing guidelines on Merlin...

• By default, everything is routed through the WAN
  • if you want everything routed through the VPN you need to add a rule for 192.168.1.0/24 through the VPN (adjust for your configured subnet)
• WAN rules always take precedence over VPN rules
• The rules defined for WAN are processed in the order they are entered, top to bottom
• The rules defined for VPN are processed in the order they are entered, top to bottom
• With DNS Exclusive mode
  • DNS for VPN clients are sent directly to the first DNS server pushed by the VPN provider.
  • In addition, any hardcoded DNS lookups in apps running on the VPN clients are forced through the VPN DNS server
  • VPN Client DNS lookups bypass dnsmasq on the router, so things like ABSolution will not work on VPN Clients, but will work on WAN clients.
• With DNS Strict mode
  • The DNS servers pushed by the VPN provider are added to your current DNS servers in dnsmasq at the top of the list of DNS servers
  • This means the VPN provider DNS servers will be tried first, but if they are slow or have errors, DNS leaks to your WAN DNS servers can occur.
  • Hardcoded DNS lookups will go to the hardcoded location.
  • ABSolution will work on both VPN and WAN clients
• If you are testing for DNS leaks, make sure you have cleared all the levels of DNS caching which can occur. After any DNS configuration changes:
  • Completely close any browsers
  • Disconnect/reconnect any clients
  • Flush the system level DNS cache (under windows, ipconfig /flushdns)
  • or reboot your VPN client

 

[eastavin]

So I installed 384.6 an hour ago. Then I thought I would check the traffic analyzer statistic. Not sure if this is to be expected but I found 6 days of data.. starting July 30. Today is Aug 5. Would updating the firmware cause it to loose the history going back to the first day 384.5 was installed which also happens to be the first day it was posted for download? I did not do any resets of any kind.

 

[Zastoff]

What if you want ALL but 1 device to go through VPN? Would setup look like this?

All devices——192.168.1.0/24—-0.0.0.0—-VPN
Device X ——192.168.1.XX ——0.0.0.0—-WAN

Or does the top rule override the bottom one?

You could check your DNS leaks at:

dnsleaktest.com




Sent from my iPhone using Tapatalk

Yes and I recommend putting the Router-192.168.1.1-0.0.0.0-WAN there also or you can get problems.
Like @D_Day and @pusb87 are experiencing when they turn off vpn and lose all Internet and only rebooting works to restore Internet access until it happens again.
That's what i think

 

[HowIFix]

• With DNS Exclusive mode
  • DNS for VPN clients are sent directly to the first DNS server pushed by the VPN provider.
  • In addition, any hardcoded DNS lookups in apps running on the VPN clients are forced through the VPN DNS server
  • VPN Client DNS lookups bypass dnsmasq on the router, so things like ABSolution will not work on VPN Clients, but will work on WAN clients.
• With DNS Strict mode
  • The DNS servers pushed by the VPN provider are added to your current DNS servers in dnsmasq at the top of the list of DNS servers
  • This means the VPN provider DNS servers will be tried first, but if they are slow or have errors, DNS leaks to your WAN DNS servers can occur.
  • Hardcoded DNS lookups will go to the hardcoded location.
  • ABSolution will work on both VPN and WAN clients

I always had these questions and I do not know if you or someone can help me.

1. If I am using DNSCrypt, which is more secure the DNS servers of DNSCrypt or the DNS servers of my VPN Client?
2. If I am using DNSCrypt, is it better to disable the DNS servers of my VPN Client and only use the DNS servers of DNSCrypt?

• VPN -> VPN Client -> Accept DNS Configuration: Disabled

3. Or What do you recommend?

 

[Marin]

Some general VPN Policy routing guidelines on Merlin...

• By default, everything is routed through the WAN
  • if you want everything routed through the VPN you need to add a rule for 192.168.1.0/24 through the VPN (adjust for your configured subnet)
• WAN rules always take precedence over VPN rules
• The rules defined for WAN are processed in the order they are entered, top to bottom
• The rules defined for VPN are processed in the order they are entered, top to bottom
• With DNS Exclusive mode
  • DNS for VPN clients are sent directly to the first DNS server pushed by the VPN provider.
  • In addition, any hardcoded DNS lookups in apps running on the VPN clients are forced through the VPN DNS server
  • VPN Client DNS lookups bypass dnsmasq on the router, so things like ABSolution will not work on VPN Clients, but will work on WAN clients.
• With DNS Strict mode
  • The DNS servers pushed by the VPN provider are added to your current DNS servers in dnsmasq at the top of the list of DNS servers
  • This means the VPN provider DNS servers will be tried first, but if they are slow or have errors, DNS leaks to your WAN DNS servers can occur.
  • Hardcoded DNS lookups will go to the hardcoded location.
  • ABSolution will work on both VPN and WAN clients
• If you are testing for DNS leaks, make sure you have cleared all the levels of DNS caching which can occur. After any DNS configuration changes:
  • Completely close any browsers
  • Disconnect/reconnect any clients
  • Flush the system level DNS cache (under windows, ipconfig /flushdns)
  • or reboot your VPN client

Thank you @john9527!

Couple more questions on the “Strict” vs “Exclusive” DNS choices. How do these two options work with WAN DNS settings (Connect automatically or not)? I was always taught that when you select Exclusive as an option you should leave the WAN DNS option as Yes. However, others have stated that this doesn’t make any difference. However I have noticed that this does make any difference in VPN speeds.

Also, some VPN’s state in their setup tutorials that you must select No in the WAN DNS settings and enter their server IP addresses there. According to them (NordVPN, for example) you should then proceed to choose “Strict” in the VPN client settings. However, this option again doesn’t always give the best speeds.

Some users have stated in other threads that another option would be to select “No” under the WAN DNS settings but leave the IP spaces blank. If you do this, what do you pick for configuration on the VPN client side? Exclusive or strict?


Again, what is the best combination of these options to ensure optimal performance?

Thanks so much!


Sent from my iPhone using Tapatalk