Release Asuswrt-Merlin 3006.102.4 is now available

Anybody else witnessing that issue?
LAN isolation from VPN clients is no longer working.

Any idea, how I can enforce that manually in the meantime until it gets fixed?
Tried to mess around with iptables already but without luck...
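For anyone wanting to enforce the "Internet only" behaviour by hand while waiting for a firmware fix, here is an added example script (it is not from this thread or from Asuswrt-Merlin itself). It assumes the OpenVPN server's interface is tun21 (Asuswrt-Merlin's name for OpenVPN server 1) and that the LAN to isolate is 192.168.1.0/24, as the poster describes; both are overridable through VPN_IF and LAN_NET. It drops forwarded packets between the tun interface and the LAN in both directions, so the "vice versa" case is covered too, and it is idempotent, so it can be run from /jffs/scripts/firewall-start after every firewall rebuild.

```shell
#!/bin/sh
# Added example, not from the thread: enforce "Internet only" behaviour for
# the OpenVPN server by refusing to forward packets between the server's tun
# interface and the LAN, in both directions.
#
# Assumptions (not stated in the thread, adjust to your setup):
#   VPN_IF  - Asuswrt-Merlin names OpenVPN server 1's interface tun21
#   LAN_NET - the LAN subnet the poster wants isolated (192.168.1.0/24)
VPN_IF="${VPN_IF:-tun21}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Rule specifications for the FORWARD chain, one per line, without the
# chain name so the same text can be used with -C (check) and -I (insert).
vpn_lan_rule_specs() {
    printf '%s\n' \
        "-i $VPN_IF -d $LAN_NET -j DROP" \
        "-o $VPN_IF -s $LAN_NET -j DROP"
}

# Full commands for review (exactly what apply would execute).
vpn_lan_isolation_rules() {
    vpn_lan_rule_specs | while read -r spec; do
        printf 'iptables -I FORWARD %s\n' "$spec"
    done
}

# Install the rules idempotently: -C returns non-zero when the rule is
# absent, and only then is it inserted at the top of FORWARD so it wins over
# the firmware's ACCEPT rules for the VPN interface. Needs root.
apply_vpn_lan_isolation() {
    vpn_lan_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086  # word splitting of $spec is intended
        iptables -C FORWARD $spec 2>/dev/null || iptables -I FORWARD $spec
    done
}

# "sh vpn-lan-isolation.sh apply" installs the rules; with no argument the
# script only prints them for review.
case "${1:-print}" in
    apply) apply_vpn_lan_isolation ;;
    *)     vpn_lan_isolation_rules ;;
esac
```

Only the FORWARD chain is touched, so VPN clients can still reach the router itself (10.8.0.1, e.g. for DNS) through INPUT; that is the same split the firmware's "Internet only" mode relies on. After applying, `iptables -S FORWARD | grep tun21` should show the two DROP rules at the top of the chain, and a ping from a VPN client to a 192.168.1.x host should time out.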
It may help if you post some specifics of your OpenVPN server settings on the router, redacting sensitive information. Provide any additional information like addon scripts or changes made that affect VPN like your VPN Director settings. Screen captures typically help others in trying to diagnose your possible issue.
 
Yeah, sure... my bad...
1749814578867.png
1749814588767.png
in clientconnect.sh I push static client IPs depending on who is actually connecting.

That's basically it.
When I connect (e.g. via mobile) to my OpenVPN, I can e.g. ping local LAN clients (192.168.1.x) and vice versa, even though the server is configured as "Internet only".
This was not the case with prior firmware versions.

Does this help?
 
Try to remove -- in custom configuration.
 
You mean regarding client-connect?
Can try, but the script is executed correctly.

--> tried it... same result...
When you connect, what does your log say?
 
You mean on client or on server side?
Client side shouldn't be important because I don't want to allow the client to decide.

Server logs

Code:
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U_PRO, emailAddress=me@asusrouter.lan
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_VER=3.11.1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_PLAT=ios
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_NCP=2
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_TCPNL=1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_PROTO=8094
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_MTU=1600
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_SSO=webauth,crtext
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 peer info: IV_BS64DL=1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 TLS: Username/Password authentication succeeded for username 'loginname' [CN SET]
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bits RSA, signature: RSA-SHA256, peer temporary key: XXX bits X25519
Jun 13 15:14:24 ovpn-server1[4218]: XX.XXX.XX.XX:25947 [loginname] Peer Connection Initiated with [AF_INET]XX.XXX.XX.XX:25947 (via [AF_INET]192.168.0.5%eth0)
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 OPTIONS IMPORT: reading client specific options from: /tmp/XXXX.tmp
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 MULTI: Learn: 10.8.0.18 -> loginname/XX.XXX.XX.XX:25947
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 MULTI: primary virtual IP for loginname/XX.XXX.XX.XX:25947: 10.8.0.18
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 SENT CONTROL [loginname]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.18 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
Jun 13 15:14:24 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 15:14:25 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Jun 13 15:14:25 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 Timers: ping 15, ping-restart 120
Jun 13 15:14:25 ovpn-server1[4218]: loginname/XX.XXX.XX.XX:25947 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
 
I can't see anything strange there.
 
Quick question: is this build of Merlin based on ASUS RT-BE96U firmware version 3.0.0.6.102_37839 released May 5th, or is this custom image one build behind official releases? Thanks for your time and work on Merlin, it's very useful to individuals such as myself.
 
Yeah, sure... my bad...
in clientconnect.sh I push static client IPs depending on who is actually connecting.

That's basically it.
When I connect (e.g. via mobile) to my OpenVPN, I can e.g. ping local LAN clients (192.168.1.x) and vice versa, even though the server is configured as "Internet only".
This was not the case with prior firmware versions.

Does this help?
You have "Advertise DNS to clients" enabled + dhcp option DNS in the custom config. This means that whatever DNS is configured in your LAN settings is also pushed to the clients on top of your custom configuration. Also in my situation pushing DNS settings doesn't seem to work with DNS director enabled. Then everything is redirected to the global settings of the DNS director.
 
Quick question: is this build of Merlin based on ASUS RT-BE96U firmware version 3.0.0.6.102_37839 released May 5th, or is this custom image one build behind official releases? Thanks for your time and work on Merlin, it's very useful to individuals such as myself.
From the changelog:

Code:
  - NEW: Added RT-BE92U support, based on GPL 102_37526.

  - UPDATED: Merged GPL 3006.102_36521 for Wifi 6 models (Wifi 7 devices other than the RT-BE92U are still on 102_37346).
 
It’s a shot in the dark but if you’re using a USB thumb drive and it’s going bad, that might explain the lockups. There’s quite a few forum posts on that. If you’re using an SSD then it’s unlikely to be that.
Quick question related to this, I am thinking I might want to order a more stable USB drive. The one I am using is a brand new USB but it was just some random PNY 32G flash drive so I am open to testing out another brand which might be more stable.

Recently I uninstalled Adguard and Skynet as someone mentioned the dnsmasq errors could have been related to Skynet restarting during an update, or due to the blocklists in adguard.

I still have the PNY flash drive running AMTM with Tailmon and BKMon (and I think that is it), but I haven't had a reboot or issue since I uninstalled both AGH and Skynet. I am wondering if this would be an indicator that this could be an issue with memory-full issues, as the USB drive is still present.
 
Recommend using an SSD-NVMe for much improved reliability rather than a USB drive.
 
I am wondering if this would be an indicator that this could be an issue with memory-full issues, as the USB drive is still present.
Possibly … you could leave it and just see how you get on, if having the router reboot occasionally does not bother you or the family.
Recommend using an SSD-NVMe for much improved reliability rather than a USB drive.
Having said that, I am 100% on this one. Some folks have been lucky; even RMerlin IIRC noted he used a very old USB on one of his (probably a thousand :-)) routers, but as I noted initially there are sufficient cases where replacing it fixed issues folks were having that putting one in just takes away the "I am wondering" factor.
 
Well, the issue is that the rebooting is a serious issue. Wife has a ton of video calls, and when the internet drops out she has to scramble to reconnect through her hotspot or wait for the router to reboot. This was my reasoning behind rolling back Skynet and AGH. Now that both of those are gone, the router has been fairly solid and we haven't had a reboot since, even with the crappy PNY USB flash drive.... That is why I am wondering how I can test to see if it is more related to the swap issue mentioned or indeed the USB drive.

Recommend using an SSD-NVMe for much improved reliability rather than a USB drive.
How large of an NVMe drive are most running? Are some running other applications than just the swap file/amtm? Are people using the drives for file sharing as well? Just curious.
 
Some folks have been lucky, even RMerlin IIRC noted he used a very old USB on one
I just found the receipt in my emails. On my primary router I currently have a Kingston DataTraveler 410, which I purchased from FutureShop on Boxing Day 2010.

Sure, how much writing you do will have an impact on longevity, but it's still a 14-year-old USB drive that's been powered on 24/7 for all these years. If you expect to do a lot of writing, then an entry-level SSD is probably the best idea. I doubt any modern USB thumb drive would last that long...
 
Probably cost quite a bit more than a modern USB thumb drive...
 