Asus Merlin Firmware: Supported Feature Set.

  • ATTENTION! As of November 1, 2020, you will not be able to reply to threads 6 months after the thread is opened. Threads will not be locked, so posts may still be edited by their authors.

SirLoinOfSteak

Occasional Visitor
I’m new to the latest Asus Merlin firmware and trying to understand what it can and can't do.

Does Asus Merlin firmware support the following functionality or feature set?

UI Interface
Quagga ( OSPF )
StrongSwan / IPSECv2/1
OpenVPN
Firewalld / Iptables
SSH
DDNS
DNSMasquerade

Is this something the product can currently do?

As an aside, is it possible to deploy this product on Raspberry PI 4 if not on standard wireless routers?

Thinking not but going to throw that out there.

Thx,
 

ColinTaylor

Part of the Furniture
I’m new to the latest Asus Merlin firmware and trying to understand what it can and can't do.
Have you installed it on your router yet? Some features vary depending on which model of router your have. The answer to most of your questions should become apparent when you install it. Otherwise there's more information in the main post.

As an aside, is it possible to deploy this product on Raspberry PI 4 if not on standard wireless routers?
No, it's only compatible with specific Asus routers.
 

SirLoinOfSteak

Occasional Visitor
I was searching for the features but couldn't find some so I asked instead.

Asus RT-AC68U

IPSECv2/1 is particularly handy with today's cloud providers. Need XFRM, IPSEC, OpenVPN and OSPF.

( I've stopped using the router in Gateway mode while using another WRT software years ago. Using OSPF instead which works much better. But that WRT doesn't support IPSEC hence why I'm visiting and asking here. )
 
Last edited:

ColinTaylor

Part of the Furniture
The RT-AC68U doesn't support IPSEC, which seems to be your main focus. It does support OpenVPN though.
 

Jeffrey Young

Regular Contributor
The RT-AC68U doesn't support IPSEC, which seems to be your main focus. It does support OpenVPN though.
The 68U does not support IPSec natively, but you could install entware, followed by SoftEtherVPN. That package supports IPSec, as well as OpenVPN, L2TP, MS-SSTP.

I use this software as my VPN as I can punch through my double NAT situation via SoftEtherVPN's Azure relay service.

Been using it now for the last couple of weeks (have used it in both IPSec and MS-SSTP). I have it running on a 86U, but I just loaded it on my 68U and ran the system test - which all passed, so should work.

I am sure there are other packages out there as well.

Just a thought....
 

SirLoinOfSteak

Occasional Visitor
So using the Asus Merlin firmware I could enable Entware via SSH, load the modules and I'm good then? That sounds like it can support IPSECv2/1 . Have same Azure, AWS, GCP needs.

This would indicate that the Asus Merlin FW has kernel hooks for the following modules otherwise none of the other needed XFRM modules will load for Strongswan to make outbound connections to VLAN's on the Azure end:

./net/ipv4/xfrm4_policy.c
./net/ipv4/xfrm4_state.c

I've managed to load all of Kong's old modules on DD-WRT for Strongswan however xfrm xfrm_user.ko fails to load due to the above missing kernel hooks. Command I used to load are as follows:

for mods in $(echo tunnel4.ko ip_tunnel.ko xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko xfrm4_mode_beet.ko xfrm4_mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko xfrm_user.ko); do insmod $mods; done

If these are compiled right into Asus Merlin, I won't have any issues running Strongswan w/ Azure VPN GW's.

https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

I've Strongswan installed via Entware on DD-WRT right now. VLAN access works from Azure down but not from DD-WRT w/ Strongswan up due to the missing kernel hooks above.

---------------------------------

On a separate topic, OSPF is really the main component I need. I've switched to using this instead of Gateway mode. Works great with the other switches and I no longer have to add in any static routes. All automatic via OSPF. Is vtysh (quagga) working on your routers or OSPF option available when selecting operational mode on Asus Merlin routers?

upload_2020-7-16_17-31-29.png


[email protected]:~# vtysh
Hello, this is Quagga (version 1.2.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
ASUS# sh running-config
Building configuration...
Current configuration:
!
hostname ASUS
log file /var/log/zebra.log
log file /jffs/ospf/ospf.log
!
interface br0
!
interface eth0
!
interface eth1
!
interface eth2
!
interface ipsec0
!
interface lo
!
interface teql0
!
interface tun2
!
interface vlan1
!
interface vlan2
!
interface wl0.1
!
interface wl1.1
!
router ospf
ospf router-id 192.168.0.6
log-adjacency-changes
redistribute kernel
redistribute connected
redistribute static
network 192.168.0.0/24 area 0.0.0.0
default-information originate
!
ip forwarding
ipv6 forwarding
!
line vty
!
end
ASUS#
ASUS#
ASUS# sh ip ospf route
============ OSPF network routing table ============
N 10.0.0.0/24 [11] area: 0.0.0.0
via 192.168.0.1, br0
N 192.168.0.0/24 [10] area: 0.0.0.0
directly attached to br0
============ OSPF router routing table =============
============ OSPF external routing table ===========
ASUS#




Thx,
 

Jeffrey Young

Regular Contributor
Entware via SSH, load the modules and I'm good then?
In theory. I've loaded kernel modules before to get projects working. With SoftEtherVPN, the 86U does not load the tun.ko module unless the firmware VPN is turned on, so I have to load it via a service-start script. Have also loaded the cifs.ko module (one FW version had it left out, fixed since). The only caveat being the kernel would have to support it. The 68U at the moment is Kernel Version 2.6.36.4 (uname -r).

I noticed in the Entware package list that there is a "strongswan" package. I also saw another package that supports OSPF V2 and V3 (Don't remember what it was called, but just do a google search on Entware Packages, and search the list).

Cheers
 

newnews

Occasional Visitor
In theory. I've loaded kernel modules before to get projects working. With SoftEtherVPN, the 86U does not load the tun.ko module unless the firmware VPN is turned on, so I have to load it via a service-start script. Have also loaded the cifs.ko module (one FW version had it left out, fixed since). The only caveat being the kernel would have to support it. The 68U at the moment is Kernel Version 2.6.36.4 (uname -r).

I noticed in the Entware package list that there is a "strongswan" package. I also saw another package that supports OSPF V2 and V3 (Don't remember what it was called, but just do a google search on Entware Packages, and search the list).

Cheers
Hi Jeffrey:

Could you please give some procedure how to setup SoftEtherVPN server in RT-AC68U? I have entware installed already in the router. Thank you!
 

Jeffrey Young

Regular Contributor
Hi Jeffrey:

Could you please give some procedure how to setup SoftEtherVPN server in RT-AC68U? I have entware installed already in the router. Thank you!
I'll try to write up what I did to get everything working this weekend.

Is your WAN IP a public address or are you behind a NAT? I ended up using SoftEtherVPN because I am behind a NAT and it can do NAT punching as well as SoftEtherVPN has a free Azure relay server if NAT punching does not work.
 

newnews

Occasional Visitor
I'll try to write up what I did to get everything working this weekend.

Is your WAN IP a public address or are you behind a NAT? I ended up using SoftEtherVPN because I am behind a NAT and it can do NAT punching as well as SoftEtherVPN has a free Azure relay server if NAT punching does not work.
Hi Jeffery:

My WAN IP is public IP and has not been changed for many years, so I do not need DDNS/NAT. I managed to make L2TP work using SoftEtherVPN yesterday. Only issue is the OpenVPN included in SoftEtherVPN (even it is not enabled) conflicts with the openvpn in Merlin because they all use port 1194, so openvpn in Merlin stopped working for a while until I change the port no. to 1190.
 

Jeffrey Young

Regular Contributor
Cool, I have a write up of my experience almost finished. Since I have got most of it written, I think I post when finished anyway :)
 

Jeffrey Young

Regular Contributor
Here are some notes that I put together for the way I set up SoftEtherVPN (SE) on my RT-AC86U.

First, some background that is worth mentioning in case you need to modify the following information to match your own needs.

I started using SE as my ISP hands out a private IP in the 10.10.0.0/24 range via DHCP. Therefore I needed a way to either use NAT Traversal or make use of a VPN Relay Server, both of which SE supports. If you get a static public IP or dynamic public IP as your WAN address, you are ahead of the game.
Some things of note:

  1. You can setup SE Server by using the SE Server CLI on the router, but requires knowing possibly a hundred or more command line commands. I use the optional Windows 10 SE Server Manger GUI. The GUI is also available for you apple folks as well. Life is a lot easier with the GUI.
  2. SE has its own NAT and DHCP (called Secure NAT). I don’t use either. My aim was to sign into my network and have complete access to all my network resources. I did not see any point in adding another layer of NAT and have to set up additional layer 3 routing.
  3. In order to use SE without using Secure NAT, you need to set up a TAP adaptor in SE (more on this later). To do so, you need the tun.ko kernel module. That module is not loaded by the router when its internal OpenVPN is turned off, therefore, the scripts below loads the module as required. In the scripts below, the directory where tun.ko is stored is for the 86U router. For your router, you will need to adjust the directory path as required.
  4. When installing SE, the installer installs a startup script in /opt/etc/init.d. You will need to move or delete that file as we will be creating our own script.
  5. By default, SE listens for traffic on 0.0.0.0. This works fine when using the Azure Relay Server, but NAT Traversal will not work as SE is listening to your internal router IP address instead of the WAN address. If your WAN address is static, then you can modify the SE Config file and change the ListenIP directive to your WAN’s static public IP. If you are like me and the WAN address changes when my router is off longer than the WAN DHCP lease time (which is 10 minutes), my script checks the current SE ListenIP directive against the WAN address and, if different, stops SE, modifies the config file, and restarts SE. This is why I call my startup script from the WAN-EVENT (connected) script – so that I can alter the SE config when my WAN address changes.
  6. Since I use NAT Transversal, I use port 443 for communications as most firewalls allow this port through. However, if you are using Diversion with PixelServe, this creates a problem and SE will not start as it can’t open port 443. If you don’t need port 443, you can use the SE Server GUI to tell SE to stop listening to port 443.
Installation of SoftEther VPN and configure it to work if you are behind a NAT.

  1. SSH into router and install SE
Code:
Opkg install softethervpn5-server
Opkg install softethervpn5-libs
SE gets started right away. No need to reboot.

2. Move or delete the file /opt/etc/init.d/S05vpnserver.​

Note that if entware updates SE at any time, this file is recreated. You will need to remove it again.​

3. On your computer (Windows or MAC), download the SE Server Manager and install​



Initial setup

Before you can sign into SE from the SE Server Manager GUI, you need to set the SE Server admin password to something other than an empty password (default). We can also have SE run a simple test to ensure you can use SE on your router;

1. SSH into your router and issue the following commands;

Code:
cd /opt/libexec/softethervpn
./vpncmd
Once vpncmd opens, select 3 from the menu and then type “check”. If everything passes, great, moving on; type exit to exit vpncmd, then restart vpncmd again​

This time select 1 and hit enter. When asked for an IP address and port, simply hit enter.​
When asked for VPN Virtual hub name, press <Enter>​
When asked for a password, press <Enter> (default password is empty)​

Once you are in the server admin CLI, type “serverpasswordset” <Enter> and give your SE server a password.​

Now SE has an admin password and you can use the GUI to manage your server.​

By default, SE listens on IP 0.0.0.0, so in SE Manger, select the router IP address as your server and select connect. Once connected, you can set up your default VPN Hub and select the “Layer2 Bridge” menu and create a tap adaptor called “tap0”. Note that the adaptor status may say “error”. This is normal if the tun.ko kernel module has not been installed.​

If you need NAT Traversal or Azure relay, now is a good time to setup the DDNS and/or Azure setting with in SE Manager.​

I will leave it up to folk to read the SE documentation on their website on how to setup your virtual server. The SE Manager has all the tool required to create a CA, Server, and Client certificates. I like a little more control, so I use XCA as my certificate manager for all my needs.​


2. Create a Server Startup script. I called my script “vpn_server_start”. My scripts are in the next post.​
3. I call the “vpn_server_start” script from the WAN-EVENT script when a “Connected” event happens. I do this because for NAT traversal to work, SE must be listening to the WAN IP and not the Router IP. SE Azure relay worked fine with SE listening on the Router IP. I don’t know if you need to set the SE ListenIP to the WAN IP for any public IP at the WAN port. If your WAN IP never changes, then you could call the script from the post-mount script.​

The script does the following functions;​

a) checks to ensure the USB drive is reachable (mounted);​
b) checks the SE config file’s ListenIP directive against the WAN’s IP address. If the WAN IP address has changed, SE Server is shut down, then the ListenIP address is changed in the SE’s config file;​
c) Start the SE Server, if it is not already running . If the SE Server needs starting, the script will fist load the tun.ko kernel module, if not already loaded​
d) Add the Tap0 interface (created in the SE Server Manager) to the router’s br0 bridge and set the appropriate NVRAM is set.​

4. Lastly, you will need to add the appropriate iptables commands in firewall-start script depending on how you want to use SE.​

And that is it.

Once you set the ListenIP directive to an address other that 0.0.0.0, you will need to use the WAN IP address in SE Manager to connect to the SE Admin GUI.

You can shut down SE by issuing the following command

/opt/libexec/softethervpn/vpnserver stop

Note that doing so will also shutdown the tap0 interface and remove it from the br0 bridge, so to restart SE, use our custom “vpn_server_start” script to ensure the tap0 interface is added back to the br0 bridge.

For speed testing, I have tried Windows build in IPSec, p2p, and SSTP VPN client, however, the transfer speeds were awful (used ipferf3 between client and server). Using SoftEtherVPN’s client, I get transfer speeds very close to my ISP rated speeds (50 mbits/s) with both NAT Traversal and Azure Relay Server (which says a lot for the bandwidth going to/from Japan).
 

Jeffrey Young

Regular Contributor
Reserved
 

Jeffrey Young

Regular Contributor
Here is my VPN_SERVER_START script

Code:
#!/bin/sh

# Location of SoftEtherVPN Config File
CONFIG="/opt/libexec/softethervpn/vpn_server.config"

# Set to see if config file is available (USB Drive has been mounted).
# Exit script after waiting for 30 seconds
C1=1
logger "SoftEtherVPN: Script Start_vpn_server (SoftEtherVPN) running......"

while ! [ -f "$CONFIG" ]
do
    logger "SoftEtherVPN: VPN Config file is not available yet .... sleeping for 3 seconds. Loop # ${C1}"
    sleep 3
    let "C1=C1+1"
    if [ "$C1" -gt 10 ]; then
        logger "SoftEtherVPN: Waited for 30 seconds for config file to become available - Exiting without starting VPN"
        exit
    fi
done

# Get IP Address currently in the VPN Config File
SOFTIP=$(grep -Eo "string ListenIP (([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])" $CONFIG)

# Get the WAN IP Address
IP="string ListenIP "$(nvram get wan${1}_ipaddr)

logger "SoftEtherVPN: VPN Config file available ..... processing"

# If the two IP addresses are different, then replace the IP address in the config file with the WAN IP.
if ! [ "$SOFTIP" = "$IP" ]; then
    logger "SoftEtherVPN: Change of IP Detected, setting new WAN IP in Config file"
    logger "SoftEtherVPN: Current ListenIP Statement in vpn_server.config is "$SOFTIP
    logger "SoftEtherVPN: ListenIP Statement needs to be changed to " $IP
    logger "SoftEtherVPN: Stopping current SoftEtherVPN Server ......"
    /opt/libexec/softethervpn/vpnserver stop > /dev/null
    sleep 2
    logger "SoftEtherVPN: Changing ListenIP Statement"
    sed -i "s/$SOFTIP/$IP/g" "$CONFIG"
else
    logger "SoftEtherVPN: IP Address in vpn_server config file is the same as WAN address. No change required"
fi

# Check to see if VPN Server is already running
# Needed should WAN-EVENT gets called on a disconect and the WAN IP address has not changed.
if ! pidof vpnserver > /dev/null
then
    logger "SoftEtherVPN: VPN Server is not running - starting SoftEtherVPN"
    sleep 5

    # Load the tun kernal module, if required.
    if ! lsmod | grep tun > /dev/null; then
        insmod /lib/modules/4.1.27/kernel/drivers/net/tun.ko
        logger "SoftEtherVPN: tun kernal module loaded"
    fi   

    sleep 2
    /opt/libexec/softethervpn/vpnserver start > /dev/null
    sleep 10

    brctl addif br0 tap_tap0
    nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 tap_tap0"
    logger "SoftEtherVPN: VPN Server started and Tap0 added to br0 bridge"
else
    logger "SoftEtherVPN: SoftEtherVPN is already running, not restarting"
fi
My firewall-start script entry

Code:
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 

Attachments

newnews

Occasional Visitor
Here is my VPN_SERVER_START script
Great!. Based on your post I made some changes on my configuration to make the system better:

1. It is great that I can use Windows GUI to configure the server, I did not know I can use it to configure the server in other system. Now I disabled SecureNAT and added tap0 to the server so the vpn client is in the same subnet with LAN devices.
2. I added " brctl addif br0 tap_tap0 " in the S05vpnserver script. I still use the default script because my WAN IP has never been changed for several years.
For the command nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 tap_tap0", I did not use this command because I don't have eth3/4/5/6 in my router. I don't understand this command much so I hesitate to run it. Could you please explain? Without nvram set, I am still able to connect to the server from SoftEtherVPN client.
3. However I received the following information upon connection:

** Connected with NAT traversal - might be unstable **

This VPN Client is connected to the VPN Server 'RT-AC68U-24F0' by using the NAT Traversal (UDP Hole Punching) technology.

NAT Traversal allows the VPN Server behind the NAT-box to accept VPN connections from VPN Client without any port-forwarding setting on the NAT-box.

However, NAT Traversal-based VPN sessions sometimes become unstable, because NAT Traversal uses UDP-based protocol. For example, the VPN tunnel disconnects every 5 minutes if there is a poor NAT-box between the VPN Server and the VPN Client. Some large-scale NAT gateways in cheap ISPs sometimes cause the same problem on NAT Traversal. This is a problem of routers or ISPs. This is not a problem of SoftEther VPN software.

To solve the unstable tunnel problem, you should connect to the VPN Server's TCP listener port directly, instead of using NAT Traversal. To connect to the VPN Server directly by using TCP, a listener port of the VPN Server must be exposed to the Internet by a port-forward setting on the NAT-box. Ask the administrator of the NAT-box, or refer to the manual of the NAT-box to add a port-forwarding setting on the NAT-box.

If this message still remains despite the VPN Server is exposing a TCP port to the Internet, check the "Disable NAT-T" checkbox on the VPN Client connection setting screen.


I want to use direct connection. In the server configuration I have listening port 992/1194/5555, does that mean port 992/1194/555 are already open to the internet or I still need to open it in the firewall? I am not able to connect to the server if "Disable NAT-T" is checked.

4. It seems I cannot remove 1194 from listening port even the openVPN is disabled (I have Merlin OpenVPN server enabled using port 1190). I removed port 1194 but it re-added automatically.

Any advices?
 

Jeffrey Young

Regular Contributor
You are using the AC68U right?

For the NVRAM variable, it makes no difference to SE if you adjust it. The NVRAM variable is used by other ASUS applications and router level stuff. ASUS's stuff may be OK with not adjusting the NVRAM as well, but other applications could get tripped up if you don't. For consistency and to avoid possible issues, I elected to modify the NVRAM.

I am pretty sure the 68U has the same interfacing naming scheme as the 86U. I would have to break mine out of storage to check. You can check to see what the nvram variable is now by SSH into your router and enter;

Code:
nvram show | grep br0_ifnames
Likewise, if you want to see a full list of interfaces being used on your router, and their states, enter;

Code:
ifconfig
and lastly, if you want to see the current bridges setup on your router;

Code:
brctl show
I am pretty sure you will find that eth0 is your WAN, eth4 to 1 is your LAN ports 1 to 4, and eth5 and 6 are your wifi channels.

As for your NAT Traversal, if your WAN IP is a public IP address, then you should not be using NAT Traversal. In fact, you would not even need to set up SE DDNS or Azure.

Have you edited the SE Config File and changed the ListenIP directive to your WAN IP?

If not, and you are not using my script, then SE will use the Router's LAN IP address, which is behind a NAT (that is what a router does). You will need to edit the config file, find the line "string ListenIP 0.0.0.0" and change it to your WAN IP. You will also need to change the address in SE Server Manger as well. The code in my script would do this for you as well. Once SE starts listening on your WAN IP, it will not use NAT Traversal. A well built and functioning NAT won't have issues with NAT Traversal, when used.

If you have changed the ListenIP directive and you SE is still using NAT-T, then maybe you have a GCNAT address instead of a true public address?? I could not tell you until I saw your IP address. Google search it.

The NAT-T warning is just there in case a provider does things to purposely mess up NAT traversal or is doing things non standard which makes SE NAT-T nonfunctional or unstable so you don't blame SE.

The firewall start script example I gave was for port 443, but if you want to use other ports (992, 4500, etc), then you will need to add the appropriate fire wall rules so that your Router would allow that traffic.

For your point 4, I don't use OpenVPN in SE, so I have never played with it. I've never tried disabling the port in SE as my firewall blocks those ports anyway. Something to play with tonight.

Hope this helps.
 

SirLoinOfSteak

Occasional Visitor
Thanks for all the replies guy's!

Looks like the Asus Merlin F/W might be best since it's the only one to support IPSEC. However has anyone configured OSPF / Quagga / FRRouting and how was your experience with it on the Asus Merling FW?

The only hint that I can see is off the github sources:


No other mention I can find.
 
Last edited:

newnews

Occasional Visitor
Yes I have AC-RT68U.
The command nvram show | grep br0_ifnames gives the following result:

br0_ifnames=vlan1 eth1 eth2 wl0.1

so I should use nvram set br0_ifnames="vlan1 eth1 eth2 wl0.1 tap_tap0", right?

My external IP is 73.xxx.xxx.xxx, it is public IP address. in SE config file, the listener IP is set to this public IP. I have L2TP working fine using built-in Windows L2TP, but when I try to connect to my router using SE client software on my Windows PC, I cannot connect(with port 992 or 5555, they are open). I also cannot connect using SE server manager GUI.

Once I enabled SecureNAT on my router, both SE client software and Server GUI can connect to the server, but I want SecureNAT to be disabled.

After rebooting my router, now I have another issue, I could not run S05vpnserver script, see below:
1602655327166.png

How to fix this one also?

EDIT:
After I use the command nvram set br0_ifnames="vlan1 eth1 eth2 wl0.1 tap_tap0", I am able to connect SE client now although I still get the NAT-T warning message. So now the real issue is why I could not run S05vpnserver?
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top