[alpha] Asuswrt-Merlin 380.67 pre-beta test builds

[RMerlin]

Just updated to beta1 on my AC66U. Looks like it doesn't broadcast my 5Ghz network? All other networks are there.

I noticed that you pulled beta1. That should be the reason. Just flashed back to .67 alpha2

I pulled the early beta1 builds immediately after uploading it this morning because Asus just released new GPL tarballs, so I want to merge them first.

Turns out one of them is good, the other is missing every single closed source component...

 

[enserer]

i have no 5ghz with alpha1 and 2 on rt-ac66, EU-region.
same issue after resetting, no 5ghz-broadcast.

 

[Skywalker]

i have no 5ghz with alpha1 and 2 on rt-ac66, EU-region.
same issue after resetting, no 5ghz-broadcast.

I did have 5Ghz on alpha 1 and 2. After trying beta 1 it was gone. reverting to alpha 2 did not help and alpha 1 was no solution either.
Eventually I run on .66_4 now and all is fine.

 

[eak]

Thank you for your continued work on this firmware. A question: Will 380.67 include OpenVPN 2.4.3? They just released multiple security fixes in that version:

OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. We recommend you to
upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible.

 

[RMerlin]

Thank you for your continued work on this firmware. A question: Will 380.67 include OpenVPN 2.4.3? They just released multiple security fixes in that version:

There will probably be a 380.66_6 security update for it, provided nothing major is broken with it.

Note that most of these security issues don't really apply to Asuswrt, as some of these vulnerable features aren't used.

 

[john9527]

There will probably be a 380.66_6 security update for it, provided nothing major is broken with it.

Let me know when you try it....it's causing some problems on my fork.

 

[RMerlin]

Let me know when you try it....it's causing some problems on my fork.

I got it to compile without any problem, however since I'm still at the office I don't want to chance flashing and testing it remotely. I should be able to do so tonight.

A few fixes in it related to auth-token, hopefully it will truly resolve the PIA issues (for the mean time, the workaround suggested by their tech support is to use auth-nocache).

 

[john9527]

I got it to compile without any problem, however since I'm still at the office I don't want to chance flashing and testing it remotely. I should be able to do so tonight.

A few fixes in it related to auth-token, hopefully it will truly resolve the PIA issues (for the mean time, the workaround suggested by their tech support is to use auth-nocache).

Compiled OK for me as well....it's an operational problem (if you want details, let me know....thought I wouldn't influence you for a first pass).

If they said to 'use' auth-nocache....it makes me doubt their support. I found it was don't use it and verified that by looking at the code.. See the first entry in the openvpn Changelog to see why...it's supposedly fixed in 2.4.3

 

[RMerlin]

Compiled OK for me as well....it's an operational problem (if you want details, let me know....thought I wouldn't influence you for a first pass).

I went ahead and remotely flashed it (since I won't be at the office much longer). I was able to reconnect to the OpenVPN server afterward without any problem, also reconnected my SSH session to my development VM through the tunnel.

Test tunnel to PIA is also connecting fine.

If they said to 'use' auth-nocache....it makes me doubt their support. I found it was don't use it and verified that by looking at the code.. See the first entry in the openvpn Changelog to see why...it's supposedly fixed in 2.4.3

It was a theory which they wanted me to test. They weren't sure of the root cause, but the log seemed to imply that an auth token was getting used when it shouldn't have (odd considering that their PUSH option does seem to enable auth-token use). Their suggestion actually works, tunnel no longer randomly fails re-authenticating when the 1 hour TLS renegotiation occurs (used to occur every 5-6 hours, with that change the tunnel held up for a whole 24 hours). I suspect that the actual bug was that the auth-token wasn't working properly, and auth-nocache might cause the token to not be reused.

Will be interesting re-testing with 2.4.3 without that setting (tho if they also run 2.4.x, they might need to update on their end as well).

 

[JohnNerd]

i have no 5ghz with alpha1 and 2 on rt-ac66, EU-region.
same issue after resetting, no 5ghz-broadcast.

Same here.

 

[RMerlin]

Same here.

A number of models are known to have issues due to Asus not releasing the necessary binary blobs for all models (as indicated in the original post).

 

[john9527]

It was a theory which they wanted me to test. They weren't sure of the root cause, but the log seemed to imply that an auth token was getting used when it shouldn't have (odd considering that their PUSH option does seem to enable auth-token use).

Actually, for me, auth-nocache caused the renegotiation to fail every time. Looking at the openvpn code, they are storing the auth-token in the memory location for the user password after the initial authentication. Then the auth-nocache would come along and flush the token......

 

[RMerlin]

Actually, for me, auth-nocache caused the renegotiation to fail every time. Looking at the openvpn code, they are storing the auth-token in the memory location for the user password after the initial authentication. Then the auth-nocache would come along and flush the token......

Odd. Maybe it depends on which server you connect to (tho in my tests I've used two or three different servers).


Which issue did you encounter with the 2.4.3 upgrade?

 

[JohnNerd]

A number of models are known to have issues due to Asus not releasing the necessary binary blobs for all models (as indicated in the original post).

Thank you so much for putting a new AC66U version out. Merlin you rock!!!

 

[RMerlin]

Thank you so much for putting a new AC66U version out. Merlin you rock!!!

Except I haven't yet... Development is currently being sidetracked by the OpenVPN security update.

 

[john9527]

Which issue did you encounter with the 2.4.3 upgrade?

I was seeing a hang in OpenVPN during boot....but of course, when I went to debug it, it went away and I haven't been able to recreate it again. Going to chalk it up to the 'gremlins' for now.

On the upside, the problem I described with auth-nocache has indeed been fixed in this release.

 

[JohnNerd]

Except I haven't yet... Development is currently being sidetracked by the OpenVPN security update.

I was thinking of the 380.66_6 you put in the test folder. Works great. Thanks again man.

 

[RMerlin]

I was seeing a hang in OpenVPN during boot....but of course, when I went to debug it, it went away and I haven't been able to recreate it again. Going to chalk it up to the 'gremlins' for now.

On the upside, the problem I described with auth-nocache has indeed been fixed in this release.

And on the PIA front, the TLS renegotation once again failed after a few hours when I remove auth-nocache :/

 

[john9527]

And on the PIA front, the TLS renegotation once again failed after a few hours when I remove auth-nocache :/

I'm running PIA too...and ran overnight (about 7 hours continuous) with auth-nocache without problems

Off topic....I've been having problems with PIA and their ip address shell game (one time it tried to reconnect to the 'last' address which had a weird name of some server in the UK). My subscription is up in Aug and I'm looking for another provider now.

 

[RMerlin]

I'm running PIA too...and ran overnight (about 7 hours continuous) with auth-nocache without problems

Yeah, auth-nocache is what's been fixing it so far (tho it causes the connection to be completely re-established from what I saw, rather than just renegotiating it. Not ideal. Maybe they also need to update OpenVPN at their end.)

Off topic....I've been having problems with PIA and their ip address shell game (one time it tried to reconnect to the 'last' address which had a weird name of some server in the UK). My subscription is up in Aug and I'm looking for another provider now.

Can't really comment there, the PIA account was provided for free for development purposes, I don't actively use it. Astrill would be one I might suggest, mostly because I've actually spoken with them a few times relative to their Asuswrt-Merlin plugin. I can't really comment on performance/stability/cost however, I've never used them.