[Test build] Asuswrt-Merlin 380.65 alpha 2 - with OpenVPN 2.4.0

[RMerlin]

As Busybox 1.25.1 looks to be working fine, the next stage in the 380.65 development has been completed. A new early test build has been uploaded to Mediafire, this time with OpenVPN 2.4 RC2. Support for the main new features (NCP cipher negotiation, LZ4, GCM ciphers) has been integrated into the webui. For best results, make sure both ends of the tunnel run OpenVPN 2.4. 2.3 is backward compatible, so you will still be able to connect a 2.3 endpoint with a 2.4 endpoint. Note that if you are exporting a client config .ovpn file, you must ensure that either the client is running 2.4, or that you disable any new features before exporting the ovpn file (that means disabling NCP, and using Adaptive, Disabled or None as the compression mode).

For more information on OpenVPN 2.4, consult the release notes:

https://github.com/OpenVPN/openvpn/blob/master/Changes.rst

The manual also contains more information:

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Please limit any feedback in this thread to OpenVPN.

For those wondering about the performance of AES-128-GCM versus AES-128-CBC + SHA1: in scenarios where performance is limited by the router's CPU, I couldn't find any improvement. However, I suspect that in scenarios where the Internet connection is the bottleneck (a scenario I haven't tested), GCM might provide better performance, as it has lower overhead per packet than CBC + HMAC. If you guys can test this scenario, please post your results.

 

[RMerlin]

This build also includes various OpenVPN fixes developed by @john9527 . The complete list of changes since alpha 1:

b94acd8 openvpn: re-add local definitions of TUN ioctl values that were only added in kernel 2.6.23 headers, but used to be defined here in OpenVPN 2.3
5f1958d build: OpenVPN fails to build on MIPS because of strict ANSI (disabling the __u64 def), switch from c99 to gnu99
86d718d Updated documentation
32e0b6d openvpn: set up firewall before starting openvpn server
e920e9e updown: remove unnecessary restart of dnsmasq
1ffc4b2 openvpn: remove unnecessary restart of dnsmasq when starting clients
45b6448 openvpn: shutdown all running servers/clients on wan stop and remove tunnel modules
73c9b47 openvpn: fix multiple issues in stopping vpn services
dcd506c Updated documentation
2e150ce openvpn: Use sha256 for key/certs generated by Easy-RSA (used by key/certs auto-generated by the firmware)
6cb9c00 openvpn: Format client.ovpn file for DOS, so Windows's notepad (the default OpenVPN GUI editor) can edit it.
5efb1d9 openvpn: client config must not contain the client option when using pre-shared key auth
9c32ab1 openvpn: Added LZ4 and NCP support to the webui and the ovpn import function.  Replace tls-remote option that was removed in 2.4.
9491635 openvpn: merge with OpenVPN 2.4.0 RC2, to begin testing and integration ahead of the final release
50e2359 build: give .sha256 file extension to the checksum file included in the distribution
0ca3fd4 rc: give priority to user-configured hostname rather than the hardcoded Asus ones when generating the hosts file (closes #1147).

 

[stambeccuccio]

I'm testing these two options in in my two servers:

Server1
dev tun
proto udp
remote xx.xxx.xxx.xxx 1194
float
ncp-ciphers AES-128-GCM
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
Cosoq3Fti+ZbZCGirmNCGDcmUzHPdIRtRRsCNq ....

Server2
dev tun
proto udp
remote xx.xxx.xxx.xxx 1195
float
ncp-ciphers AES-256-GCM
compress lz4
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
Cosoq3Fti+ZbZCGirmNCGDcmUzHPdIRtRRsCNq ....

All seems ok, all is faster and rock solid. Very, very good!




PS: Now we only wait the merged with 380_4180 GPL

 

[stambeccuccio]

the only thing I do not understand is this message in syslog:

Dec 25 21:36:07 openvpn[920]: Could not determine IPv4/IPv6 protocol. Using AF_INET6

 

[LouisvilleUK]

For those wondering about the performance of AES-128-GCM versus AES-128-CBC + SHA1: in scenarios where performance is limited by the router's CPU, I couldn't find any improvement.

I'm not seeing any performance improvement either. Tested as a client, still in the 25-30 download range with AES-128-GCM unfortunately. On the positive side, I'm not seeing any errors in logs. Nice work and very much appreciated!

EDIT: Tested on RT-AC68U with factory default restore after flash and manual reconfig

 

[XIII]

What version of OpenVPN does their iOS App in the App Store offer?

 

[stambeccuccio]

I do not know if this is the best configuration for speed and security, but after various tests everything rows away smoothly and faster. These are my settings on Server1:

server1
dev tun
proto udp
remote xx.xxx.xxx.xxx 1194
float
ncp-ciphers AES-256-GCM
auth SHA1
compress lz4
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
...
fX8aufA8ftZpcVTeYO1lKUPTuT9pa65VOdghqigjrRQYf/KOqAChmLD7+VTm7IQE
...frQkuwLwkYA=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
F40E5J/M9f2DCTfcKMQDK7eGgTSZtpgeZCNAhtDkZsJ0OAi/TK3kJDO02Fsl1B2i
...FYma3/rMB/
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
BFambLppxl9MnneL3ALM2s9+Zwq5RDo76VkJcZL115u49+cppVwegu38C5V6c2Dx
...su0=
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
e2adf19c3d81872e77700a472a479bd4
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind

What do You think about?

 

[LouisvilleUK]

For iOS OpenVPN app: settings > OpenVPN > under "Advanced Settings" DISABLE "Force AES-CBC ciphersuites" this will allow cipher negotiation with server @AES-128-GCM (assuming it's an option on server). At least that's how it worked with my VPN provider. Here is FAQ link from OpenVPN explaining options within settings. It's toward the bottom of the page, 5th question from the bottom.

https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html

 

[LouisvilleUK]

I've noticed a couple of things this morning and they may be related (?) which I haven't experienced before.

OpenVPN Client Settings Tab:
1. With Service state set to "OFF", when I update rules for routing client traffic with Policy Rules then Apply to save, the client is immediately rerouted to VPN DNS, even when VPN tunnel is not connected causing no internet since I have it set to block traffic is tunnel is down.

2. I must click Service state twice (2) before it turns on. I click once, applying settings page appears then page is reloaded with service state "OFF". I click again, applying settings page appears then page is refreshed with Service state "ON".

Happy to provide more information if needed.

 

[sfx2000]

Just as an FYI - with this release, double check your client if using OpenVPN as a server (e.g. connecting in to one's LAN from remote)... I was still running Tunnelblick 3.6.3 (which is quite old and has some OpenSSL security bugs) - so this was a good nudge to check and update the client software...

For Tunnelblick... if one wants to test Remote Access with rMerlin's 2.4 integration, one will need to update the client SW...

3.6.9 is latest stable build
3.6.10 is still in Beta, but does include OpenVPN 2.4_rc2 support (along with OpenVPN 2.3.14)

 

[WBV]

Updated to Alpha-2 on my RT-AC3200. It immediately started complaining about low NVRAM (62551/65536). I had to go back to factory defaults and re-input all settings. Not fun. Took me all morning. NVRAM now shows 58816/65536.

 

[Xentrk]

I do not know if this is the best configuration for speed and security, but after various tests everything rows away smoothly and faster. These are my settings on Server1:

server1
dev tun
proto udp
remote xx.xxx.xxx.xxx 1194
float
ncp-ciphers AES-256-GCM
auth SHA1
compress lz4
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
...
fX8aufA8ftZpcVTeYO1lKUPTuT9pa65VOdghqigjrRQYf/KOqAChmLD7+VTm7IQE
...frQkuwLwkYA=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
F40E5J/M9f2DCTfcKMQDK7eGgTSZtpgeZCNAhtDkZsJ0OAi/TK3kJDO02Fsl1B2i
...FYma3/rMB/
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
BFambLppxl9MnneL3ALM2s9+Zwq5RDo76VkJcZL115u49+cppVwegu38C5V6c2Dx
...su0=
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
e2adf19c3d81872e77700a472a479bd4
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind

View attachment 8075

What do You think about?

With the exception of one new setting and the Manage Client Specific Setting option, configs are very similar to yorgi's vpn server setup guide over in the VPN forum:

http://www.snbforums.com/threads/how-to-setup-a-vpn-server-with-asus-routers.33638/

As you stated, you tried different settings and this one works best for you. This will also help others. Thanks for sharing!

 

[swetoast]

been running now for a couple of days and no issues with the vpn client running smooth.

 

[RacerRon]

On my Ac88u, my android devices can connect to the VPN server but I can not access anything including internet. I went back to the beta 1 and all is well again.

Sent from my Nexus 5X using Tapatalk

 

[visortgw]

On my Ac88u, my android devices can connect to the VPN server but I can not access anything including internet. I went back to the beta 1 and all is well again.

Sent from my Nexus 5X using Tapatalk

What are you using for the client on your Android devices? I am successfully using OpenVPN Client v2.15.10 (colucci-web.it) without issue. It appears to work in backward compatibility mode (OpenVPN v2.3.13).

 

[RacerRon]

What are you using for the client on your Android devices? I am successfully using OpenVPN Client v2.15.10 (colucci-web.it) without issue. It appears to work in backward compatibility mode (OpenVPN v2.3.13).

I have been using OpenVPN connect from app store although I believe my android version natively supports VPN on its own. Android 7.1.1 on this phone. The app just gives a convenient front end.

Sent from my Nexus 5X using Tapatalk

 

[RacerRon]

I have been using OpenVPN connect from app store although I believe my android version natively supports VPN on its own. Android 7.1.1 on this phone. The app just gives a convenient front end.

Sent from my Nexus 5X using Tapatalk

My bad....OpenVPNconnect is actually built by OpenVPN. It is their official Android build. I am good on older version for now.

Sent from my Nexus 5X using Tapatalk

 

[sfx2000]

What version of OpenVPN does their iOS App in the App Store offer?

OpenVPN on the Apple app store for iPhone/iPad has always been a bit sketchy here... so one has to be a bit careful...

I can't even vouch for this one...

 

[Xentrk]

OpenVPN on the Apple app store for iPhone/iPad has always been a bit sketchy here... so one has to be a bit careful...

I can't even vouch for this one...

View attachment 8082

That looks like right to me. I use the OpenVPN app on my iPad to connect to Torguard servers when I am away from home.

 

[Naftali Oziel]

flashing with this release, do you need to perform factory reset? I heard it has some low level changes? Currently on the latest version