Asuswrt-Merlin 3.0.0.4.372.31 is out

[RMerlin]

I found a CR and space after -----END CERTIFICATE-----. I removed the CR and space and hit Apply the router responded with and infinite loop of processing, the router still worked by the routers web server did not. I had to shut it down and start it up again.

I then tried to delete all the keys and the same thing happened.
I had also changed the port to 80.

BTW I could not load .28beta or .26. I had to use the rescue utility to make the downgrade
Merlin any suggestions?

Port 80 is used by the internal web server - you cannot use it for OpenVPN.

Please, make sure you use a port that does not conflict with any internal service. You CANNOT have two services listening on the same port. Most of the time you should stick with the default 1194 port. The more variables you introduce, the harder this will be to troubleshoot.

 

[VinceV]

This should do the trick:

nvram set "dhcp_staticlist=<00:11:32:16:XX:XX>192.168.1.140>Synology NAS<1C:6F:65:36:YY:YY>192.168.1.141>Samsung TV<74:A0:2B:3C:ZZ:ZZ>192.168.1.142>Canon Printer"
nvram set "dhcp_static_x=1"

Forgot to mention, you need:

nvram commit

to actually write the changes to NVRAM. Then reboot.

 

[RMerlin]

I found a way to make the httpd server crash when saving OpenVPN keys. This happens if you use keys that are too big - there is a limit of 3000 characters for each key. If you are using overly complex keys (i.e. 4096 bits), please reduce them to more reasonable values. 1024 bits should be more than enough for a secure connection, and it won't be as taxing on the router's CPU either, improving your VPN performance.

The webui was supposed to enforce the size limitation to avoid overflows - I will have to recheck that code. Could be that some parts of the firmware have a 3000 bytes limit that must include both the data AND the name of the variable, which could explain why it will even overflow at 3000 characters.

 

[Funroc]

Came back to 29 version

And it works fine
I will just wait for a new release, let me know if i can help

 

[RMerlin]

Came back to 29 version

And it works fine
I will just wait for a new release, let me know if i can help

A new release won't resolve your issue. If you are pasting anything beside the key/cert itself, you are overflowing the character limit. The only difference in future versions is that it will no longer crash, however your keys will be truncated. You will have to fix your keys.

 

[Funroc]

A new release won't resolve your issue. If you are pasting anything beside the key/cert itself, you are overflowing the character limit. The only difference in future versions is that it will no longer crash, however your keys will be truncated. You will have to fix your keys.

Understood.
Key is provided by HMA, i don't know how to reduce the size.
I tried to cancel all the text before the key but it crashed.

 

[RMerlin]

Understood.
Key is provided by HMA, i don't know how to reduce the size.
I tried to cancel all the text before the key but it crashed.

Make sure you only paste whatever is in the BEGIN/END block, including those two lines.

I tested with a 2048 bit key and the resulting file was still small enough to fit, so I'm not sure what they are doing if the required key is even larger.

 

[cubano_14]

Hello. So i had the 370 firmware and went to this. I didn't need to do any nvram did i? I read that all i had to do was just install the firmware then reboot and the router since it was 370 which was the lastest asus firmware. please let me know if i need to do another step since i jumped to merlin.

 

[RMerlin]

Hello. So i had the 370 firmware and went to this. I didn't need to do any nvram did i? I read that all i had to do was just install the firmware then reboot and the router since it was 370 which was the lastest asus firmware. please let me know if i need to do another step since i jumped to merlin.

You didn't specify which router you have, so I can't answer for certain. If you are using an RT-N66U, you might need to reset due to the wireless driver downgrade specific to that model - you'll see if you have wireless issues or not.

 

[cubano_14]

sorry about that. i do have the n66u. but i read that going from the latest asus firmware to this one just needed a firmware updated and then a router reboot and that was it? Is a reboot fine or did i need to do the nvram step? Hopefully this didn't mess anything up. Everything does seem to be running fine but i want to make sure i did it right. I appreciate the firmwares you release.

thanks,
gabe

 

[cmoskowitz]

I think the issue people are running into is when the key is created, it has a bunch of cert stuff above the beginning and end statements, you don't need that...removing this fixed my http hang and openvpn works 100% fine Tap & Tun on an nt66u using Merlin's latest.

 

[netware5]

Port 80 is used by the internal web server - you cannot use it for OpenVPN.

Please, make sure you use a port that does not conflict with any internal service. You CANNOT have two services listening on the same port. Most of the time you should stick with the default 1194 port. The more variables you introduce, the harder this will be to troubleshoot.

RMerlin, my OpenVPN TAP server is listening on TCP port 80 without any problems. Of course, the internal web server is disabled on WAN port. But for security reasons it should be disabled anyway except in some very special cases. It listens on 443 on LAN side.

I've been forced to use this configuration due to the very restrictive rules of some networks which are used by myself and my daughter during our travel. I am using this configuration since January 2013 and NEVER experienced any problems.

 

[WaVeR]

RMerlin,

Do you have time to check if the last firmware is vulnerable to:

http://forums.smallnetbuilder.com/showthread.php?p=76262


Regards,

 

[RMerlin]

RMerlin, my OpenVPN TAP server is listening on TCP port 80 without any problems. Of course, the internal web server is disabled on WAN port. But for security reasons it should be disabled anyway except in some very special cases. It listens on 443 on LAN side.

I've been forced to use this configuration due to the very restrictive rules of some networks which are used by myself and my daughter during our travel. I am using this configuration since January 2013 and NEVER experienced any problems.

You are freeing up port 80 by setting your server to https-only, that's why it's working for you. The httpd daemon doesn't specify on which interface it listens, so it will bind to all interfaces by default. If you don't set it to https-only, then it will prevent you from running any other daemon on port 80.

 

[RMerlin]

RMerlin,

Do you have time to check if the last firmware is vulnerable to:

http://forums.smallnetbuilder.com/showthread.php?p=76262

All it does here is crash acsd - it fails to start telnetd. Tested on both the RT-AC56U and RT-AC66U.

Why do "security experts" feel the need to test against old, obsolete versions rather than the latest version? The latter would be far more relevant, and more useful to know. Sensationalism, once again...

One thing to note: this wouldn't work remotely, since the firewall blocks connections to port 5916 from the WAN side. So in any case, it would NOT be remotely exploitable.

EDIT: According to the second CVE, one of the issues existed in versions BEFORE 372:

http://cxsecurity.com/cveshow/CVE-2013-4937/

EDIT2: That proof of concept would only work on 266 and only on the RT-AC66U, so it cannot be used to test on any other firmware version, where the library offset might be different. So all I can go by is the CVE information - and one of the two CVEs is still private. So I don't know. acsd is closed-source (so this should actually be brought to Broadcom, not Asus BTW). All I can say is it is NOT exploitable in any way over WAN.

 

[netware5]

You are freeing up port 80 by setting your server to https-only, that's why it's working for you. The httpd daemon doesn't specify on which interface it listens, so it will bind to all interfaces by default. If you don't set it to https-only, then it will prevent you from running any other daemon on port 80.

Does it mean that, for example, I can not use the TCP port 443 for OpenVPN server now? In GUI I've marked that web access is not permitted from WAN side and nobody listens on TCP 443 from WAN side -I've checked it!

 

[though]

i just moved to this from toastman's tomatousb build to try out and was wondering if you can see what version wireless driver is loaded like you can in toastman usb somewhere. at the top it says 3.0.0.4.372.31 (merlin build) but i don't know which wireless driver is on here. just want to confirm in case it didn't take for some reason...

 

[mikeg]

Here is what I get on my AC66U :


Tools - System Information
Router
Model RT-AC66U
Firmware Build Wed Jul 24 06:22:57 UTC 2013 root@929bcaa
Bootloader (CFE) 1.0.0.7
Driver version wl0: Jul 4 2013 20:58:53 version 6.30.102.9 (r366174)

i just moved to this from toastman's tomatousb build to try out and was wondering if you can see what version wireless driver is loaded like you can in toastman usb somewhere. at the top it says 3.0.0.4.372.31 (merlin build) but i don't know which wireless driver is on here. just want to confirm in case it didn't take for some reason...

 

[though]

found it thanks. i thought i saw it in there somewhere...

for you RT-N66U users, is this the correct wireless driver:

Driver version wl0: Jan 23 2013 15:25:28 version 5.100.138.20

Here is what I get on my AC66U :


Tools - System Information
Router
Model RT-AC66U
Firmware Build Wed Jul 24 06:22:57 UTC 2013 root@929bcaa
Bootloader (CFE) 1.0.0.7
Driver version wl0: Jul 4 2013 20:58:53 version 6.30.102.9 (r366174)

 

[Dusan]

Does it mean that, for example, I can not use the TCP port 443 for OpenVPN server now? In GUI I've marked that web access is not permitted from WAN side and nobody listens on TCP 443 from WAN side -I've checked it!

No, you can use 443 for OpenVPN. The HTTPS admin interface is by default on port 8443 (but you can change that). 443 is used by AiCloud, but that can be disabled too. I actually connect (due to corporate firewall) to both SSH *and* OpenVPN on port 443 (http://www.rutschle.net/tech/sslh.shtml, ryzhov_al was kind enough to add sslh to entware ).