Custom firmware build for R7800 v. 1.0.2.66.1SF/1.0.2.66.2SF (for testing)

Discussion in 'NETGEAR AC Wireless' started by Voxel, May 21, 2019.

  1. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,315
    Release for testing.

    WHY:

    My current firmware is using OpenSSL v. 1.0.2. This version is still supported by the OpenSSL team, but currently only security updates are included in this version. Moreover, version 1.0.2 is supported until the end of this year (2019). After that date: EOL for 1.0.2:

    https://www.openssl.org/news/secadv/20190306.txt

    Note
    ====
    OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.


    So there are obvious plans to upgrade OpenSSL v. 1.0.2 to OpenSSL v. 1.1.1 in my build. The headline new feature of OpenSSL v. 1.1.1 is TLSv1.3 (not available in 1.0.2 and 1.1.0). You may google re: TLSv1.3. E.g.

    https://kinsta.com/blog/tls-1-3/

    Unfortunately I should keep (at least for a while) OpenSSL v. 1.0.2 (used e.g. by NG in ReadyCLOUD, net-cgi and some other NG applications; there is no source code for them and I cannot change them) and even 0.9.8 (NG bug, v. 0.9.8 is still used in one prebuilt binary). So step-by-step migration to OpenSSL 1.1.1.

    WHAT:

    Test version of my custom firmware build: 1.0.2.66.2SF.

    Changes (vs 1.0.2.66.1SF):

    1. OpenSSL v. 1.1.1 config: WITH_CHACHA_POLY1305 option is added.
    2. OpenSSL v. 1.1.1 config: PREFER_CHACHA_OVER_GCM option is added.
    3. Issue with stubby (OpenSSL v. 1.1.1) is fixed (reported by Gar).
    4. curl package is upgraded 7.64.1->7.65.0.
    5. uci package is upgraded 2018-08-11->2019-05-17.

    Test version of my custom firmware build: 1.0.2.66.1SF.

    Changes (vs 1.0.2.66SF):

    1. OpenSSL v. 1.1.1b package is added.
    2. OpenVPN is changed to use OpenSSL v. 1.1.1.
    3. unbound package (used in stubby) is changed to use OpenSSL v. 1.1.1.
    4. getdns package (used in stubby) is changed to use OpenSSL v. 1.1.1.
    5. Because of “3.” and “4.” stubby should now support TLSv1.3.
    6. wget package is changed to use OpenSSL v. 1.1.1.
    7. transmission package is changed to use OpenSSL v. 1.1.1.
    8. openssh-client add-on is changed to use OpenSSL v. 1.1.1.

    What is expected when using OpenSSL 1.1.1:

    Benchmarks:

    OpenSSL 1.0.2
    openssl speed aes-256-cbc
    Code:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256 cbc      57258.96k    60606.29k    63883.73k    63200.32k    63851.02k
    
    OpenSSL 1.1.1
    openssl speed aes-256-cbc
    Code:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-256 cbc      55545.83k    62713.88k    65533.09k    65390.25k    65483.94k    65349.69k
    
    OpenSSL 1.0.2
    openssl speed -evp aes-256-cbc
    Code:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc      46885.64k    54187.49k    57094.83k    57057.01k    57880.05k
    
    OpenSSL 1.1.1
    openssl speed -evp aes-256-cbc
    Code:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-256-cbc      47949.05k    60248.70k    65065.92k    65464.08k    65243.63k    65335.38k
    
    So there is an improvement in encryption speed, especially when the “-evp” option is used (OpenVPN).

    DOT (DNS over TLS) i.e. stubby. It now has to support TLSv1.3, so it should work faster. See the /etc/stubby/stubby.yml.default example config re: how to set up TLSv1.3.

    Transmission. Maybe too for encrypted connections.

    OpenSSH client add-on. Theoretically should be faster too (e.g. for Reverse SSH Tunneling).

    Well, I am an ordinary consumer of NG products and I do not have the possibility to test everything. There should be various OpenVPN providers, different ISPs with different speed plans, connections etc. under my hand... So I’d expect feedback from guys who are interested. Mainly interested are OpenVPN/DOT/Transmission users. But everyone is welcome too. Let us improve firmware together ;-)

    The link is:

    https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).

    Folder OpenSSL 1.1.1

    Voxel.
     
    Last edited: May 27, 2019
    pege63, rk8531, maddoc and 9 others like this.
  2. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,315
    Done.

    Voxel.
     
    Gar, rk8531, Kal-EL and 3 others like this.
  3. ajp2k14

    ajp2k14 Regular Contributor

    Joined:
    Sep 1, 2014
    Messages:
    73
    Impressive, thanks! :)
     
    Voxel likes this.
  4. eevanskiteboards

    eevanskiteboards Occasional Visitor

    Joined:
    Nov 17, 2018
    Messages:
    43
    I just updated to this FW. I can verify Dnscrypt2 and vpn are working. Thank you
     
    Voxel likes this.
  5. pege63

    pege63 Very Senior Member

    Joined:
    Jan 17, 2015
    Messages:
    985
    Location:
    Sweden, AngelIsland
    You are the man Voxel who makes changes possible, thank you m8.
     
    Voxel likes this.
  6. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,315
    I know that they are working. I do use this version (including OpenVPN client and Dnscrypt2) and have no doubt that the changed packages are workable. What is interesting: speed. I hope it should be faster. My internal tests confirm the increase in speed, but what is interesting is practical usage.
    Thank you.

    Voxel.
     
    Last edited: May 23, 2019
    eevanskiteboards likes this.
  7. Gar

    Gar Senior Member

    Joined:
    Aug 26, 2018
    Messages:
    425
    Location:
    US
    This update is working well for me. Thanks!
     
  8. Gar

    Gar Senior Member

    Joined:
    Aug 26, 2018
    Messages:
    425
    Location:
    US
    I spoke too soon, can't get DoT to work and haven't changed a thing since update. No Telnet changes, just the update and reboot.

    This is based on CF (1.1.1.1/help). I see yes, no, no instead of yes, no, yes. Does the test build affect these results?

    Thanks.


    Edit: haven't tried a reset, that's next I guess, but did reconfigure stubby via telnet but it didn't help.
     
    Last edited: May 24, 2019
    Voxel likes this.
  9. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,315
    Thank you for your report. Should be fixed in 1.0.2.66.2SF.

    https://www.voxel-firmware.com/Down...irmware/OpenSSL 1.1.1/R7800-V1.0.2.66.2SF.zip

    Voxel.
     
    GaselK, Bendon and Gar like this.
  10. Gar

    Gar Senior Member

    Joined:
    Aug 26, 2018
    Messages:
    425
    Location:
    US
    Thanks, will try today

    Edit: still haven't tried yet....working on it!
     
    Last edited: May 30, 2019
  11. GaselK

    GaselK Occasional Visitor

    Joined:
    Jul 8, 2018
    Messages:
    13
    Stubby up and running !
    "Stubby DNS Servers OK: v0.2.6. Servers ip4:1 (cloudflare-dns.com), ip6:1 (cloudflare-dns.com)"
     
    Bendon and Voxel like this.
  12. Tom Brough

    Tom Brough Regular Contributor

    Joined:
    Dec 21, 2018
    Messages:
    53
    Which is the best these days?? Stubby or dnscrypt??
     
  13. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,315
    Rather: what is better for you. Depends on your location, ISP and distance to DNS servers used by stubby/dnscrypt. Just check what is better/faster for you. Stubby in this version is set to use Cloudflare servers. Usually they are available in close distance to everybody.

    https://www.snbforums.com/threads/r7800-stubby-vs-dnscrypt-proxy-performance.54987/


    P.S.
    For info: Default config of stubby in this version is set to use exclusively TLSv1.3 (OpenSSL 1.1.1).

    Voxel.
     
    kamoj and GaselK like this.
  14. Sizzlechest

    Sizzlechest Regular Contributor

    Joined:
    Nov 30, 2017
    Messages:
    102
    I use OpenDNS to block scam sites and blacklist other sites I enter manually. Since OpenDNS only uses DNSCrypt, then that's what I use.
     
    kamoj likes this.
  15. Gar

    Gar Senior Member

    Joined:
    Aug 26, 2018
    Messages:
    425
    Location:
    US
    Finally tried .66.2SF but no luck. I'm beginning to think the 1.1.1.1/help link is useless as it never indicates DoT is working even when I use .66SF. My computer is set to look at 1.1.1.1. I see "yes, no, no" with any firmware version. Not sure I'm configured correctly.

    Could someone link another test site for DoT plz? I have tried the other links I can find in the Netgear threads but none tells me whether DoT works. As you can tell, I'm not very experienced.

    Have never used DNSCrypt but would try it if I knew how to test it.

    All add-ons are off, cache cleared and tried different browsers.

    Thanks all!


    Edit: DNSsec test is good. Does that mean DoT works?
     
    Last edited: Jun 2, 2019