[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[john9527]

I could not find any names that did not look normal, I even used your utility to pull data out and look at it. I decided to reboot the router one more time and the list populated after a while. Thanks for your help.

Ahhh....the ever popular 'reboot' fix Glad it worked itself out.

 

[john9527]

Last Beta release before the final, as there are a couple of things I can't fully test and need some feedback on. Content is pretty much fixed at this point.

BETA RELEASE: Update-16BG
07-January-2015
Merlin fork 374.43_2-16BGj9527
Download http://1drv.ms/1sDtB1V
============================

Changelog 16BG (new fixes over 16B5)

• Updated OpenVPN to 2.3.10
• Updated LZO to 2.09
• NEW: Support OpenVPN custom setup for Private Internet Access (PIA) users
  For PIA users, you can now set cipher, authentication and encryption options via the router as you would using the PIA app. There is a separate zip file (pia_openvpn_options.zip) in the download directory with short directions on how to use/set the options. You need to add a line to the custom config section and replace the ca with a new cert (included in the zip)
• FIX: Fixed numerous issues during boot when QoS is active with native IPv6
  At at minimum this could cause an IPv6 performance degredation...at worst case a boot failure. Appreciate feedback from QoS users with native IPv6
• FIX: IPv6 performance degredation when using QoS rules that specified an IP address
• FIX: Prevent portmap errors when booting with NFS active (enhancement to fix in 16B5)
• FIX: Option to advertise router as IPv6 DNS server for native IPv6
  Note: This option is set by default to prevent DNS leaks with OpenVPN
• NEW: User QoS rules can now specify an address range (ex: 192.168.1.200-192.168.1.202) - @Nazgulled
• NEW: User QoS rules can now specify addresses in CIDR format (ex: 192.168.1.200/30 for range 192.168.1.200 thru 192.168.1.203)
  Just for reference, one site to help with CIDR calculations is http://www.ipaddressguide.com/cidr
• Updated kernel Ethernet driver for ARM routers
• Updated packet matching netfilter for ARM routers with improved IPv6 support
  Looking for feedback on these last two ARM updates....seems to be working well for me but would like some more checks
• Updated usbmodeswitch to 2.2.3
  Another one where I need some help, as I can't test USB Modems. This may improve stability/function or completely break it. Would appreciate it if someone could help out and test (Note this DOES NOT add support for addition modems)

 

[pdxigor]

I flashed 16BG on top of 16B5 and so far so good (N66U).
Nice work

 

[camilaacolide]

Flashed it here too and everything is smooth!
Quick question: Before flashing this version I was using 378.56_2. Both versions are working very well for me.
Is there any advantage of using this version besides controlling the wireless power?
I have an AC68U. Thanks!

 

[Lotta Cox]

I can't get PIA working with this new beta on AC68 . I'm doing something wrong.

Do I paste the copy and paste the contents of ca_rsa2048.crt into Certificate Authority?

I don't understand what to put in Custom Configuration. Readme says
- add the configuration option pia-signal-settings
(Router: add in router "Custom Configuration")
What exactly do I put in that box? Is it:
option pia-signal-settings

The PIA site says to put:
persist-key
persist-tun
tls-client
verb 1

Totally confused.
I see this in the log:
Jan 8 08:38:05 openvpn[1132]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 8 08:38:05 openvpn[1132]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 8 08:38:05 openvpn[1132]: UDPv4 link local: [undef]
Jan 8 08:38:05 openvpn[1132]: UDPv4 link remote: [AF_INET]209.222.5.234:1194
Jan 8 08:38:06 openvpn[1132]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Jan 8 08:38:06 openvpn[1132]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jan 8 08:38:06 openvpn[1132]: TLS Error: TLS object -> incoming plaintext read error
Jan 8 08:38:06 openvpn[1132]: TLS Error: TLS handshake failed
Jan 8 08:38:06 openvpn[1132]: SIGUSR1[soft,tls-error] received, process restarting

 

[Nullity]

Flashed it here too and everything is smooth!
Quick question: Before flashing this version I was using 378.56_2. Both versions are working very well for me.
Is there any advantage of using this version besides controlling the wireless power?
I have an AC68U. Thanks!

Hopefully you read the first post in this thread...

Beyond that, there is not too much that the standard user should play with. With my RT-N66U, there is a marked increase in WiFi throughput without breaking the law (US). I dunno about the ac68.

 

[camilaacolide]

Hopefully you read the first post in this thread...

Beyond that, there is not too much that the standard user should play with. With my RT-N66U, there is a marked increase in WiFi throughput without breaking the law (US). I dunno about the ac68.

Yes, I've read!

It's exactly the phrase "This older code base has a history of being very stable" that made me flash it!
I started having some instability problems with 378.56_2, so I flashed the latest 374.43 beta.
But later I traced the problems to my ISP's ADSL router, and now they're fixed.

I was asking that exactly to help me decide if I should stay in 374, or flash 378 back!

 

[john9527]

I don't understand what to put in Custom Configuration. Readme says
- add the configuration option pia-signal-settings
(Router: add in router "Custom Configuration")
What exactly do I put in that box? Is it:
option pia-signal-settings

The PIA site says to put:
persist-key
persist-tun
tls-client
verb 1

Totally confused.

Think simple

In the gui....
- protocol UDP
- port 1194
- Click on content modification of keys and certificates and paste in the contents of one of the ca's included in the zip in the Certificate Authority field....I'm using the contents of the recommended ca_rsa2048.crt certificate
- Select the encryption cipher you want, choices are BF-CBC (the default for PIA), AES-128-CBC or AES-256-CBC

In the Custom Configuration box, add the single line
pia-signal-settings

BTW....the PIA instructions duplicate a lot of what is automatically configured. Here is my custom config section

pia-signal-settings
mute-replay-warnings
inactive 0
keepalive 5 60
sndbuf 0
rcvbuf 0

 

[john9527]

Flashed it here too and everything is smooth!
Quick question: Before flashing this version I was using 378.56_2. Both versions are working very well for me.
Is there any advantage of using this version besides controlling the wireless power?
I have an AC68U. Thanks!

It really depends how you use the router....quite frankly the TrendMicro options in the later levels really don't interest me, and add what is to me unnecessary overhead. I don't regularly check my client lists, care about custom client icons or need to do an apps analysis on my traffic. I prefer simple, others may have different requirements.

Also, there are some things I've added that are unique to my fork. I'll add making a list of what those are to my 'todo' list

 

[TeTo]

I use purevpn on ac66u. With v15E5 i can't use option redirect traffic in openvpn, but with V16BG works fine.
Great work John, thanks!


Enviado desde mi iPhone utilizando Tapatalk

 

[Lotta Cox]

Still can't get it to work. Does this look right? Really not much to mess up. Getting name not resolved when I load a page.
Is my "Accept DNS Configuration"configured correctly?
I have the ca_rsa2048.crt pasted in Certificate Authority.
Log:
Jan 8 11:27:39 dnsmasq-dhcp[2053]: DHCP, IP range 192.168.1.2 -- 192.168.1.77, lease time 1d
Jan 8 11:27:39 dnsmasq-dhcp[2053]: DHCP, sockets bound exclusively to interface br0
Jan 8 11:27:39 dnsmasq[2053]: read /etc/hosts - 6 addresses
Jan 8 11:27:39 dnsmasq[2053]: read /etc/hosts.dnsmasq - 7 addresses
Jan 8 11:27:39 dnsmasq-dhcp[2053]: read /etc/ethers - 7 addresses
Jan 8 11:27:39 dnsmasq[2053]: using nameserver 209.222.18.222#53
Jan 8 11:27:39 dnsmasq[2053]: using nameserver 209.222.18.218#53
Jan 8 11:27:39 dnsmasq[2053]: using nameserver 75.75.75.75#53
Jan 8 11:27:39 dnsmasq[2053]: using nameserver 75.75.76.76#53
Jan 8 11:27:41 openvpn[2001]: /usr/sbin/ip route add 209.222.18.83/32 via 73.213.156.1
Jan 8 11:27:41 openvpn[2001]: /usr/sbin/ip route add 0.0.0.0/1 via 10.180.1.5
Jan 8 11:27:41 openvpn[2001]: /usr/sbin/ip route add 128.0.0.0/1 via 10.180.1.5
Jan 8 11:27:41 openvpn[2001]: /usr/sbin/ip route add 10.180.1.1/32 via 10.180.1.5
Jan 8 11:27:41 openvpn-routing: Skipping, client 1 not in routing policy mode
Jan 8 11:27:41 openvpn[2001]: Initialization Sequence Completed
Jan 8 11:27:49 openvpn[2001]: write to TUN/TAP : Invalid argument (code=22)
Jan 8 11:27:59 openvpn[2001]: write to TUN/TAP : Invalid argument (code=22)

 

[john9527]

Still can't get it to work. Does this look right?

Try Redirect internet traffic All
(if you don't want to use policy based routing for specific clients)

 

[Lotta Cox]

Try Redirect internet traffic All
(if you don't want to use policy based routing for specific clients)

Same, not working. Like DNS not working.
A cached? DNS for slickdeals seem to work. Nothing else works.
Same entries in log. I tried relaxed DNS too. NG

 

[john9527]

@Lotta Cox Everything looks fine up to the TUN/TAP error (209.222.18.222 and 218 are PIA DNS servers, and they're being inserted correctly into the DNS resolve). Route adds also look good. Can you append the syslog from a bit further back where the initial connection to PIA is set up?

 

[Lotta Cox]

Spoiler: log

Jan 8 12:24:59 rc_service: httpd 643:notify_rc start_vpnclient1
Jan 8 12:24:59 kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 8 12:24:59 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jan 8 12:24:59 openvpn[1179]: OpenVPN 2.3.10 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 7 2016
Jan 8 12:24:59 openvpn[1179]: library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Jan 8 12:24:59 openvpn[1183]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 8 12:24:59 openvpn[1183]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 8 12:24:59 openvpn[1183]: Socket Buffers: R=[120832->120832] S=[120832->120832]
Jan 8 12:24:59 openvpn[1183]: UDPv4 link local: [undef]
Jan 8 12:24:59 openvpn[1183]: UDPv4 link remote: [AF_INET]108.61.68.157:1194
Jan 8 12:24:59 openvpn[1183]: TLS: Initial packet from [AF_INET]108.61.68.157:1194, sid=1732441d 28e26c5d
Jan 8 12:24:59 openvpn[1183]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 8 12:24:59 openvpn[1183]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jan 8 12:24:59 openvpn[1183]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jan 8 12:25:00 openvpn[1183]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Jan 8 12:25:00 openvpn[1183]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 8 12:25:00 openvpn[1183]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 8 12:25:00 openvpn[1183]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 8 12:25:00 openvpn[1183]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 8 12:25:00 openvpn[1183]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 8 12:25:00 openvpn[1183]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 8 12:25:00 openvpn[1183]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.68.157:1194
Jan 8 12:25:02 openvpn[1183]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
Jan 8 12:25:02 openvpn[1183]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.103.1.1,topology net30,ifconfig 10.103.1.6 10.103.1.5'
Jan 8 12:25:02 openvpn[1183]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 8 12:25:02 openvpn[1183]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 8 12:25:02 openvpn[1183]: OPTIONS IMPORT: route options modified
Jan 8 12:25:02 openvpn[1183]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 8 12:25:02 openvpn[1183]: TUN/TAP device tun11 opened
Jan 8 12:25:02 openvpn[1183]: TUN/TAP TX queue length set to 100
Jan 8 12:25:02 openvpn[1183]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 8 12:25:02 openvpn[1183]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan 8 12:25:02 openvpn[1183]: /usr/sbin/ip addr add dev tun11 local 10.103.1.6 peer 10.103.1.5
Jan 8 12:25:02 openvpn[1183]: updown.sh tun11 1500 1541 10.103.1.6 10.103.1.5 init
Jan 8 12:25:02 rc_service: service 1222:notify_rc updateresolv
Jan 8 12:25:02 dnsmasq[1163]: exiting on receipt of SIGTERM
Jan 8 12:25:02 dnsmasq[1228]: started, version 2.75 cachesize 1500
Jan 8 12:25:02 dnsmasq[1228]: asynchronous logging enabled, queue limit is 5 messages
Jan 8 12:25:02 dnsmasq-dhcp[1228]: DHCP, IP range 192.168.1.2 -- 192.168.1.77, lease time 1d
Jan 8 12:25:02 dnsmasq-dhcp[1228]: DHCP, sockets bound exclusively to interface br0
Jan 8 12:25:02 dnsmasq[1228]: read /etc/hosts - 6 addresses
Jan 8 12:25:02 dnsmasq[1228]: read /etc/hosts.dnsmasq - 7 addresses
Jan 8 12:25:02 dnsmasq-dhcp[1228]: read /etc/ethers - 7 addresses
Jan 8 12:25:02 dnsmasq[1228]: using nameserver 209.222.18.222#53
Jan 8 12:25:02 dnsmasq[1228]: using nameserver 209.222.18.218#53
Jan 8 12:25:02 dnsmasq[1228]: using nameserver 75.75.75.75#53
Jan 8 12:25:02 dnsmasq[1228]: using nameserver 75.75.76.76#53
Jan 8 12:25:04 openvpn[1183]: /usr/sbin/ip route add 108.61.68.157/32 via 73.213.156.1
Jan 8 12:25:04 openvpn[1183]: /usr/sbin/ip route add 0.0.0.0/1 via 10.103.1.5
Jan 8 12:25:04 openvpn[1183]: /usr/sbin/ip route add 128.0.0.0/1 via 10.103.1.5
Jan 8 12:25:04 openvpn[1183]: /usr/sbin/ip route add 10.103.1.1/32 via 10.103.1.5
Jan 8 12:25:04 openvpn-routing: Skipping, client 1 not in routing policy mode
Jan 8 12:25:04 openvpn[1183]: Initialization Sequence Completed
Jan 8 12:25:11 openvpn[1183]: write to TUN/TAP : Invalid argument (code=22)

 

[john9527]

@Lotta Cox - OK, recreated it. Change Compression from Disabled to any of the other options. The PIA server pushes a compression setting (actually disables it), and it looks like it doesn't like it if there is no client setting to modify.

EDIT - Also, for best performance you should use AES-128-CBC cipher (OpenSSL actually has assembler code optimized for AES support on ARM).

 

[Lotta Cox]

Ok, used AES 128 CBC and changed compression.
Internet works, but it see my Comcast IP.
EDIT: Service state went to off after I turn it on.
I see this in the log now.

an 8 12:57:02 openvpn[1495]: Options error: You must define CA file (--ca) or CA path (--capath)
Jan 8 12:57:02 openvpn[1495]: Use --help for more information.

I think I uploaded a ca.crt from that openvpn.zip from PIA site.
https://www.privateinternetaccess.com/openvpn/openvpn.zip

 

[john9527]

I see this in the log now.

Your update to the new ca didn't take.....after you paste it in and hit Save, you also have to hit Apply on the main OpenVPN page. You have to use one of the new ca's from the options zip I uploaded.

 

[Lotta Cox]

Your update to the new ca didn't take.....after you paste it in and hit Save, you also have to hit Apply on the main OpenVPN page. You have to use one of the new ca's from the options zip I uploaded.

You are right. Working now! TYSOM! TY for all the help!
Sorry to be such a nOOb

 

[Lotta Cox]

One last question. My Obi VIOP still works when connected to PIA now.
It didn't used to work with the old PIA setup last year.
Something they changed or something? Just glad it still works.
Can I still use a standard speed test? Or is there a special test?

EDIT: Speed test on Comcast and PIA were the same 27Mbps