
[Discussion] Remove several OpenVPN clients from RT-AC68U to reduce high nvram usage


Yota

Very Senior Member
Background:

Many members using RT-AC68U/RT-AC1900P/RT-AC66U_B1 may have noticed high nvram usage since 386.9 firmware.

For example, on 386.7_2, my nvram usage was around 55,000 bytes, but upgrading to 386.9 hit 60,000 bytes, and 386.10 remained around 60,000 bytes.

And some members with multiple OpenVPN clients and long static DHCP lists may see more nvram usage.

RT-AC68U only has a total of 65,536 bytes nvram space (can be seen in the Tools - System info page of the Merlin firmware), which is half less than other routers.

nvram is used to store system settings. When the space is filled, new settings cannot be written, causing system exceptions and crashes, and those truncated settings may also cause the router to fail to start.

Third-party developers cannot resize the nvram space because it is closed source, only Asus or Broadcom can resize it.

So in order to avoid possible problems with the system as nvram continues to grow, there is now a mitigation:

According to @RMerlin, moving from the original 5 OpenVPN clients to 2 would leave around 2,700 bytes of free nvram:

Removing OpenVPN clients 3, 4 and 5 would recover 2700 bytes of nvram,

Since other nvram settings are not controlled by RMerlin, it looks like we can currently only reduce nvram usage by removing redundant OpenVPN.



Background on this thread:

This thread is a topic forked from the 386.10 firmware release thread to avoid further off-topic discussions under that firmware release thread.

At present, members led by @Yota advocate to think more before removing OpenVPN to take care of those who may use 5 clients.

Members led by @Tech9 and @RMerlin advocate removing 3 OpenVPNs in future releases as a mitigation measure.

Read the previous discussion here:



Some advice:

Those who want to reduce nvram usage with some cleanup commands can see here.

After updating the router, a factory reset and reconfiguring everything (don't import the backup config) is recommended to remove those invalid nvram settings.


Some useful links provided by member @bennor:
Related Discussion:


Any discussion on this please do so below:
 

Yota

Very Senior Member
Latest Asuswrt runs just fine with the feature set offered. Irresponsible behavior to provide support for 10 years?

You could argue that Apple even offers updates for phones that are 11 years old (the iPhone 5s released in 2012 was last updated in January 2023). Compared to Google and Samsung, this is praised by many people.

But we all miss the point that providing long-term security updates and simultaneously introducing new features are two different things.

For example, enterprise-class routers, they will provide long-term updates, but hardly any new features are added, and the equipment maintains the performance when it is purchased even ten years later.

But with the addition of new features, if you get an iPhone 5s running iOS 7 versus an iPhone 5s running iOS 12.5.7 today, you can clearly see the performance gap.

These performance gaps are even introduced deliberately, which is a strategy.

Consumers don't have a choice there, they can't choose to only get security updates. (but member @john9527 does provide long-term support and backports security updates for some routers. Although I have never personally used his firmware, I really appreciate it).

So I mean, when we talk about long-term updates, we have to distinguish whether the update is aimed at fixing bugs or fixing bugs + adding features?

If RT-AC68U has not added new features for so many years, its nvram may only be used to 35,000.
 

KrypteX

New Around Here
So, before arguing whether 2 or 5 OpenVPN clients is the ideal for AC68U (I mean, why not reduce it to 3 if 5 is too large and 2 is too small?), it would be nice to know why we need multiple OpenVPN clients at all and what are some real-life use case situations for 2 or 5 or whatever the number.
Asking this because not everybody is a VPN genius and would like to see a down to earth explanation for multiple OpenVPN client usage.

BTW, I would prefer to increase the NVRAM from 64 to 128 KB, but if that's not achievable by Merlin (still haven't heard his version of the "closed source" story), then I guess we should all buy a better router with more NVRAM and call it a day.
 

Tech9

Part of the Furniture
At present, members led by @Yota

[image]
 

Yota

Very Senior Member
still haven't heard his version of the "closed source" story
RMerlin has been mentioning Broadcom's stupid limitations on this forum over the years, but for some reason I can't find you a direct quote. You may need to ask him to explain again. Here's an indirect quote:

 

bennor

Very Senior Member
From another thread on NVRAM issues, RMerlin offers the following:
https://snbforums.com/threads/asus-rt-ac68u-386-2_6-low-on-free-nvram.73158/post-695283
If you ever used OpenVPN servers or clients, go through each of them, and click on "Default" to erase old settings.

Also if you have been running your router for many years without a factory default reset, you might have some very old certificate leftovers in memory. Create the following script then run it on your router:

Code:
#!/bin/sh

echo "Removing unused cert/key from nvram..."

for i in 1 2 3 4 5
do
    nvram unset vpn_crt_client$i\_ca
    nvram unset vpn_crt_client$i\_extra
    nvram unset vpn_crt_client$i\_crt
    nvram unset vpn_crt_client$i\_key
    nvram unset vpn_crt_client$i\_crl
    nvram unset vpn_crt_client$i\_static
done

for i in 1 2
do
    nvram unset vpn_crt_server$i\_ca
    nvram unset vpn_crt_server$i\_dh
    nvram unset vpn_crt_server$i\_ca_key
    nvram unset vpn_crt_server$i\_extra
    nvram unset vpn_crt_server$i\_client_crt
    nvram unset vpn_crt_server$i\_crl
    nvram unset vpn_crt_server$i\_crt
    nvram unset vpn_crt_server$i\_key
    nvram unset vpn_crt_server$i\_static
    nvram unset vpn_crt_server$i\_client_key
done

# SSH also migrated host keys to jffs a while back
nvram unset sshd_dsskey
nvram unset sshd_ecdsakey
nvram unset sshd_hostkey

nvram commit

echo "done."
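
As an added example (not part of the original post or of RMerlin's script): a read-only dry run that totals how many bytes the variables named in the script above currently occupy, so the gain can be checked before anything is unset. The function names, the per-entry byte cost and the sample dump are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run report for the cleanup script.
# Reads "name=value" lines on stdin and totals the bytes held by the variables
# that script would unset. It only reads; nothing in nvram is changed.
# Assumption: one entry per line, costing len("name=value") + 1 (NUL) bytes.
stale_nvram_report() {
    awk '
    BEGIN {
        # Same names as the cleanup script: clients 1-5, servers 1-2, SSH keys.
        n = split("ca extra crt key crl static", c, " ")
        for (i = 1; i <= 5; i++)
            for (j = 1; j <= n; j++) want["vpn_crt_client" i "_" c[j]] = 1
        m = split("ca dh ca_key extra client_crt crl crt key static client_key", s, " ")
        for (i = 1; i <= 2; i++)
            for (j = 1; j <= m; j++) want["vpn_crt_server" i "_" s[j]] = 1
        want["sshd_dsskey"] = want["sshd_ecdsakey"] = want["sshd_hostkey"] = 1
    }
    {
        eq = index($0, "=")
        if (eq < 2) next                       # not a name=value line
        name = substr($0, 1, eq - 1)
        if (!(name in want)) next              # not one the script unsets
        bytes = length($0) + 1
        total += bytes
        printf "%-26s %6d\n", name, bytes
    }
    END { printf "TOTAL %d\n", total + 0 }'
}

# Constructed sample dump (values are placeholders, not real key material).
sample_nvram_dump() {
    cat <<'EOF'
wl0_ssid=home
vpn_crt_client3_ca=CONSTRUCTED-PEM-PLACEHOLDER
vpn_crt_client6_ca=not-a-slot-the-script-touches
vpn_crt_server1_dh=CONSTRUCTED-DH
vpn_client1_addr=vpn.example.net
sshd_hostkey=CONSTRUCTED-KEY
size: 60000 bytes (5536 left)
EOF
}

sample_nvram_dump | stale_nvram_report
# On the router: nvram show 2>/dev/null | stale_nvram_report
```

Any name listed in the report is key or certificate material still held in nvram, so it is worth confirming the corresponding VPN instance still works from its current settings before running the cleanup.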
 

Yota

Very Senior Member
Hahaha, that's funny.

First of all, I think we all know this, I chose the other side not even for myself (my RT-AC68U is in AP mode, not running OpenVPN at all, as the previous thread said), I just wish there was more consideration of potential users when doing the subtraction.

This is not a troll topic, sincere and rational discussion, my arguments have been made before:

But I'm trying to convey a point here, that is, I don't agree that cutting existing functionality is a good idea for potential users.

Some people don't even have an account in this forum, so they can't come here to express their views, I hope their concerns can be taken into account.

Maybe I'm just thinking too much, I don't know.
 

Tech9

Part of the Furniture
Hahaha, that's funny.

Not funny at all. One single person liked so far your opinion on the subject in the release thread.

At the end of the day whatever @RMerlin decides is what it is going to be. He knows better than anyone what fits in this old hardware and what will eventually allow him to release few more updates. The easiest action is to drop the support and move on. This is the only model causing issues.
 

Yota

Very Senior Member
Not funny at all. One single person liked so far your opinion on the subject in the release thread.

At the end of the day whatever @RMerlin decides is what it is going to be. He knows better than anyone what fits in this old hardware and what will eventually allow him to release few more updates. The easiest action is to drop the support and move on. This is the only model causing issues.
I've stated my point of view, as to whether someone actually uses it like this, I can only leave it to them to reply to this thread, I can't speak for them, because I don't use it that way.

It's worth pointing out that no matter what RMerlin chooses, it doesn't matter to you or me, since we don't use routers that way.

But maybe this thread can be seen by Asus to increase the nvram size? I don't know.
 

Yota

Very Senior Member
Basically, no one really needs 5x VPN clients so far and you are using the option to store your different VPN client settings. Is that it?
There is no OpenVPN page on AP mode. I do, but not on the RT-AC68U.

I do have a couple of AC68U's, in fact I'm collecting old classic routers, AC68U's, R7000's, I have them all.

But there is only one RT-AC68U that I am actually running, it is only used as an AP, WiFi settings + SSH + some static client names are imported via SSH to show the same client information as the main router, other than that no other settings were changed.
 

bennor

Very Senior Member

Tech9

Part of the Furniture
There is no OpenVPN page on AP mode. I do, but not on the RT-AC68U.

So if no one needs 5x VPN clients so far including you - what's the discussion about? Who runs 5x VPN clients on AC68U anyway?
 

Yota

Very Senior Member
So if no one needs 5x VPN clients so far including you - what's the discussion about? Who runs 5x VPN clients on AC68U anyway?
I'm building on the assumption that removing a feature might have an impact on some people who depend on it. I don't rely on it, but I'm looking to validate my assumptions with this thread, and wait for those who use it to elaborate on their thoughts, rather than complaining after a change.

As I said, I use 5 OpenVPN clients on other routers, but they are not limited by nvram, is that because I have other routers, and suppose someone only has RT-AC68U?

For me, that would mean buying a new router, or continuing to use old firmware that is a security risk.

But if a family still uses the RT-AC68U as their main router in 2023, they may be grandma, or they may not have enough budget to replace the existing router.

So, when this change happens, they will be affected, and there's nothing they can do.
 

bennor

Very Senior Member
But that script author @Xentrk hasn't been on the forums for a long time, and it needs active maintenance to match the variables added and removed in the current firmware.
It may be out of date maintenance wise but it is on the Asus-Merlin Wiki page. RMerlin has not removed it from his Wiki page despite that script being roughly three years since it was last maintained. Like indicated may or may not be relevant to the discussion on NVRAM.
 

Tech9

Part of the Furniture
But if a family still uses the RT-AC68U as their main router in 2023, they may be grandma, or they may not have enough budget to replace the existing router.

Right... May I ask what scripts is your grandma using on her running 3rd party firmware router? On USB stick or SSD?

If you check Asuswrt-Merlin release notes over last 2 years you'll find other features altered or even removed from firmware due to various limitations. Not only for oldest supported AC68U, but for the entire series firmware or router model. AdaptiveQoS with fq_codel as an example - technical limitation. Memory graph was removed from the GUI as another example - space limitation. I'm pretty sure there were people who liked the old way better.

For me, that would mean buying a new router, or continuing to use old firmware that is a security risk.

Your choice. Or use stock Asuswrt on it - it runs fine with no issues. Your router is miraculously still supported by the manufacturer. When @RMerlin dropped support for the original MIPS N(AC)66U - Asus released firmware after. It was newer and an option for whoever still uses MIPS models.
 
