
Release Asuswrt-Merlin 3006.102.4 is now available

Anybody else witnessing that issue?
LAN isolation from VPN clients is no longer working.

Any idea, how I can enforce that manually in the meantime until it gets fixed?
Tried to mess around with iptables already but without luck...
It may help if you post some specifics of your OpenVPN server settings on the router, redacting sensitive information. Provide any additional information like addon scripts or changes made that affect VPN like your VPN Director settings. Screen captures typically help others in trying to diagnose your possible issue.
 
Yeah, sure... my bad...
in clientconnect.sh I push static client IPs depending on who is actually connecting.

That's basically it.
When I connect e.g. via mobile to my OpenVPN, I can e.g. ping local LAN clients (192.168.1.x) and vice versa, even though the server is configured as "Internet only".
This was not the case with prior firmware versions.

Does this help?
 
Try removing the -- in the custom configuration.
 
You mean regarding client-connect?
Can try, but the script is executed correctly.

--> tried it... same result...
When you connect, what does your log say?
 
You mean on client or on server side?
Client side shouldn't be important because I don't want to allow the client to decide.

Server logs

Rich (BB code):
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U_PRO, emailAddress=me@asusrouter.lan
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_VER=3.11.1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_PLAT=ios
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_NCP=2
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_TCPNL=1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_PROTO=8094
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_MTU=1600
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_SSO=webauth,crtext
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_BS64DL=1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 TLS: Username/Password authentication succeeded for username 'loginname' [CN SET]
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bits RSA, signature: RSA-SHA256, peer temporary key: XXX bits X25519
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 [loginname] Peer Connection Initiated with [AF_INET]XX.XXX.XX.XX:25947 (via [AF_INET]192.168.0.5%eth0)
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 OPTIONS IMPORT: reading client specific options from: /tmp/XXXX.tmp
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 MULTI: Learn: 10.8.0.18 -> loginname/XX.XXX.XX.XX:25947
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 MULTI: primary virtual IP for loginname/XX.XXX.XX.XX:25947: 10.8.0.18
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 SENT CONTROL [loginname]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.18 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 15:14:25 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Jun 13 15:14:25 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 Timers: ping 15, ping-restart 120
Jun 13 15:14:25 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
 
I can't see anything strange there.
 
Quick question: is this build of Merlin based on ASUS RT-BE96U firmware version 3.0.0.6.102_37839 released May 5th, or is this custom image one build behind official releases? Thanks for your time and work on Merlin; it's very useful to individuals such as myself.
 
Yeah, sure... my bad...
in clientconnect.sh I push static client IPs depending on who is actually connecting.

That's basically it.
When I connect e.g. via mobile to my OpenVPN, I can e.g. ping local LAN clients (192.168.1.x) and vice versa, even though the server is configured as "Internet only".
This was not the case with prior firmware versions.

Does this help?
You have "Advertise DNS to clients" enabled + dhcp option DNS in the custom config. This means that whatever DNS is configured in your LAN settings is also pushed to the clients on top of your custom configuration. Also in my situation pushing DNS settings doesn't seem to work with DNS director enabled. Then everything is redirected to the global settings of the DNS director.
 
Quick question: is this build of Merlin based on ASUS RT-BE96U firmware version 3.0.0.6.102_37839 released May 5th, or is this custom image one build behind official releases? Thanks for your time and work on Merlin; it's very useful to individuals such as myself.
From the changelog:

Code:
  - NEW: Added RT-BE92U support, based on GPL 102_37526.

  - UPDATED: Merged GPL 3006.102_36521 for Wifi 6 models (Wifi 7 devices other than the RT-BE92U are still on 102_37346).
 
