Release [Fork] Asuswrt-Merlin 374.43 LTS releases (V44EA)

ColinTaylor

Part of the Furniture
Not necessarily.
Yes it does contradict what he had said. I explicitly asked him twice if his router's WAN IP address matched his publicly seen IP address and twice he said it did. Now he's saying they're different.
 

smyr

New Around Here
Hello fellow Merliners!

Been thinking about posting this for some time so here goes....

Question 1:
I am currently running the latest developer firmware on my RT-AC66U router - 374.43_45D5j9527 (13-August-2020) and working fine... never any issues really. Well, I did install and test Entware and all sort of tools. I want to undo what I did so only option is to do a factory reset thats the fastes way to get back clean it out... but then I have to go through all the "welcome to asus setup...." and that takes time. Is there another way to undo all the tools I installed via SSH.... ?! If I for example disable jffs and scripting will that work?

Qustion 2:
Latest official firmware is 374.43_44EAj9527 (12-July-2020) and I don't know if I should change back to the official firmware or stay with the one I got now. I am not a developer and just want the best most stable firmware... are you going to make the latest developer version official?! Or still work in progress... ?

Question 3:
I want to switch firmware , or at least give it a test, to Freshtomato. Latest build is from 2020-09-30.
But I can not install it. Does not work using the webinterface and when the firmware restoration util I seem to work fine.... but I can not login to the router interface, keeps asking for a password....... !? I have not tried the latest Freshtomato however... need to know before I try that again.... I know that this question is probably the wrong forum to ask but hey why not... ;) I keep thinking its the merlin firmware that is the cause. Should I get an older asus official firmware and then flash?! Any help or links whould be great. I plan to use the AIO version RT-AC66U_RT-AC6x-2020.7-AIO-64K btw...

Freshtomato:

Thanks.
:)
 

dave14305

Part of the Furniture
Is there another way to undo all the tools I installed via SSH.... ?! If I for example disable jffs and scripting will that work?
Disabling JFFS scripts in the GUI is certainly an option, but it’s overkill. Entware can be removed by:
  • Eject the USB from the GUI to stop any installed services that may be running from Entware.
  • Delete the Entware line from /jffs/scripts/post-mount or just delete the /jffs/scripts/post-mount script if nothing else is using it. Same for unmount and services-stop scripts.
  • rm /tmp/opt
  • Plug the USB back in and remove the /tmp/mnt/<usbname>/entware directory.
There may be better prescribed ways to get rid of Entware, but this is what I’d do.

EDIT: added 3rd bullet to remove link
 
Last edited:

guss

New Around Here
Hello everybody

I have an Asus RT-N66U with Firmware:374.43_44EAj9527.

On it I use two OpenVPN servers for many years without a problem. One does direct clients to redirect Internet traffic and one does not.

Since the latest update I have the problem that the option "Push LAN to clients" seems not longer to work. I can connect to the RT-N66U without any problem but I can't connect or ping any devices in my LAN. Normally I only connect to my Ubuntu desktop where a vnc server runs. But I can't connect to my Raspberry Pi either. Only the LAN ip of the RT-N66U itself does respond.

There is no firewall running on the Raspberry Pi and I didn't change the ufw settings on the Ubuntu client:
Anywhere ALLOW IN 192.168.1.0/24
Anywhere ALLOW IN 10.8.0.0/24
Anywhere ALLOW IN 10.8.1.0/24

Does anyone have the same problem?

Can I add something via the custom configuration to fix my problem or has anyone another suggestion for me?

Many thanks in advance
Guss
 

dave14305

Part of the Furniture
Since the latest update I have the problem that the option "Push LAN to clients" seems not longer to work. I can connect to the RT-N66U without any problem but I can't connect or ping any devices in my LAN.
Is there an IP subnet conflict between the network you are connecting FROM and your LAN subnet? Are they both 192.168.1.0/24?

DISCLAIMER: I'm not a VPN user, but I've seen Colin answer enough questions that I remember some of his answers. ;)
 

guss

New Around Here
Thanks for your comments.

@dave14305
Good idea, but the subnets are different. There is no conflict there.

@ColinTaylor
Here is the syslog from starting the openvpn server to connecting with the client.

Code:
Oct  9 23:46:14 rc_service: httpd 1042:notify_rc start_vpnserver2
Oct  9 23:46:14 kernel: device tun22 entered promiscuous mode
Oct  9 23:46:17 openvpn[2207]: OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 12 2020
Oct  9 23:46:17 openvpn[2207]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.09
Oct  9 23:46:17 openvpn[2209]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Oct  9 23:46:17 openvpn[2209]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct  9 23:46:17 openvpn[2209]: Diffie-Hellman initialized with 2048 bit key
Oct  9 23:46:17 openvpn[2209]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct  9 23:46:17 openvpn[2209]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct  9 23:46:17 openvpn[2209]: TUN/TAP device tun22 opened
Oct  9 23:46:17 openvpn[2209]: TUN/TAP TX queue length set to 1000
Oct  9 23:46:17 openvpn[2209]: /usr/sbin/ip link set dev tun22 up mtu 1500
Oct  9 23:46:17 openvpn[2209]: /usr/sbin/ip addr add dev tun22 10.8.1.1/24 broadcast 10.8.1.255
Oct  9 23:46:17 openvpn[2209]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Oct  9 23:46:17 openvpn[2209]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Oct  9 23:46:17 openvpn[2209]: UDPv4 link local (bound): [AF_INET]xx.xx.xx.xx:1194
Oct  9 23:46:17 openvpn[2209]: UDPv4 link remote: [AF_UNSPEC]
Oct  9 23:46:17 openvpn[2209]: MULTI: multi_init called, r=256 v=256
Oct  9 23:46:17 openvpn[2209]: IFCONFIG POOL: base=10.8.1.2 size=252, ipv6=0
Oct  9 23:46:17 openvpn[2209]: Initialization Sequence Completed
Oct  9 23:46:52 openvpn[2209]: yy.yy.yy.yy:58127 TLS: Initial packet from [AF_INET]yy.yy.yy.yy:58127, sid=83341d68 35fbcaec
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, [email protected]
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, [email protected]
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_VER=2.4.6
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_PLAT=win
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_PROTO=2
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_NCP=2
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_LZ4=1
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_LZ4v2=1
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_LZO=1
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_COMP_STUB=1
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_COMP_STUBv2=1
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 peer info: IV_TCPNL=1
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 TLS: Username/Password authentication succeeded for username 'mustermann'
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Oct  9 23:46:53 openvpn[2209]: yy.yy.yy.yy:58127 [client] Peer Connection Initiated with [AF_INET]yy.yy.yy.yy:58127
Oct  9 23:46:53 openvpn[2209]: client/yy.yy.yy.yy:58127 MULTI_sva: pool returned IPv4=10.8.1.2, IPv6=(Not enabled)
Oct  9 23:46:53 openvpn[2209]: client/yy.yy.yy.yy:58127 MULTI: Learn: 10.8.1.2 -> client/yy.yy.yy.yy:58127
Oct  9 23:46:53 openvpn[2209]: client/yy.yy.yy.yy:58127 MULTI: primary virtual IP for client/yy.yy.yy.yy:58127: 10.8.1.2
Oct  9 23:46:54 openvpn[2209]: client/yy.yy.yy.yy:58127 PUSH: Received control message: 'PUSH_REQUEST'
Oct  9 23:46:54 openvpn[2209]: client/yy.yy.yy.yy:58127 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route-gateway 10.8.1.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.1.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Oct  9 23:46:54 openvpn[2209]: client/yy.yy.yy.yy:58127 Data Channel: using negotiated cipher 'AES-128-GCM'
Oct  9 23:46:54 openvpn[2209]: client/yy.yy.yy.yy:58127 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Oct  9 23:46:54 openvpn[2209]: client/yy.yy.yy.yy:58127 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Edit: I'm wondering about the "dhcp-option DNS 192.168.1.1". Maybe that could be the problem, because my DNS Server runs at 192.168.1.2 (unbound on a raspberry pi)? But as I said, it worked before with 374.43_44E5j9527.
 
Last edited:

ColinTaylor

Part of the Furniture
@guss That looks essentially the same as mine so I can't see why it would have stopped working in the way you describe.

Can you remember the version number that worked before you updated?

EDIT: Just seen you updated post. So you were on 374.43_44E5j9527. I'd assumed you were trying to access devices on your LAN by IP address not name therefore whether the DNS server address is valid shouldn't matter.

Could you post the output of iptables-save please?
 
Last edited:

guss

New Around Here
You are right. The DNS shouldn't matter.

Here is the output from iptables-save:

Code:
ASUSWRT-Merlin RT-N66U_3.0.0.4 Mon Jul 13 01:59:47 UTC 2020
[email protected]:/tmp/home/root# iptables-save
# Generated by iptables-save v1.3.8 on Sat Oct 10 08:27:25 2020
*nat
:PREROUTING ACCEPT [277:27597]
:POSTROUTING ACCEPT [45:2771]
:OUTPUT ACCEPT [24:2519]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -d xx.xx.xx.xx -j VSERVER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s ! xx.xx.xx.xx -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.51:22
-A VSERVER -p tcp -m tcp --dport 8920 -j DNAT --to-destination 192.168.1.51:8920
-A VSERVER -p udp -m udp --dport 9987 -j DNAT --to-destination 192.168.1.51:9987
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.51:443
-A VSERVER -j VUPNP
COMMIT
# Completed on Sat Oct 10 08:27:25 2020
# Generated by iptables-save v1.3.8 on Sat Oct 10 08:27:25 2020
*mangle
:PREROUTING ACCEPT [171803:21072551]
:INPUT ACCEPT [94177:8999853]
:FORWARD ACCEPT [62308:8055822]
:OUTPUT ACCEPT [92948:55579671]
:POSTROUTING ACCEPT [155280:63645397]
-A PREROUTING -i tun21 -j MARK --set-mark 0x1/0xf
-A PREROUTING -i tun22 -j MARK --set-mark 0x1/0xf
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MARK --set-mark 0x1/0x1ff
COMMIT
# Completed on Sat Oct 10 08:27:25 2020
# Generated by iptables-save v1.3.8 on Sat Oct 10 08:27:25 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5129:1371501]
:FUPNP - [0:0]
:PControls - [0:0]
:PTCSRV - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j PTCSRV
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o eth0 -p ipv6-auth -j DROP
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -i tun22 -j ACCEPT
-A FORWARD -i br0 -o eth0 -p ipv6-crypt -j DROP
-A FORWARD -i br0 -o eth0 -p gre -j DROP
-A FORWARD -i br0 -o eth0 -p udp -m udp --dport 4500 -j DROP
-A FORWARD -i br0 -o eth0 -p udp -m udp --dport 500 -j DROP
-A FORWARD -i br0 -o eth0 -p udp -m udp --dport 1701 -j DROP
-A FORWARD -i br0 -o eth0 -p tcp -m tcp --dport 1723 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -p icmp -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -m limit --limit 4/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sat Oct 10 08:27:25 2020
 

smyr

New Around Here
Disabling JFFS scripts in the GUI is certainly an option, but it’s overkill. Entware can be removed by:
  • Eject the USB from the GUI to stop any installed services that may be running from Entware.
  • Delete the Entware line from /jffs/scripts/post-mount or just delete the /jffs/scripts/post-mount script if nothing else is using it. Same for unmount and services-stop scripts.
  • rm /tmp/opt
  • Plug the USB back in and remove the /tmp/mnt/<usbname>/entware directory.
There may be better prescribed ways to get rid of Entware, but this is what I’d do.

EDIT: added 3rd bullet to remove link
Ok, thanks. Will try that.

You know the answer to my question regarding flashing from Merlin to Freshtomato?!
Anyone else try Freshtomato!?

Thanks
 

guss

New Around Here
I tested some more and still can't find the problem. If I disable "Push LAN to clients" I can't even ping the router itself via 192.168.1.1. If it's enabled this does work, so "Push LAN to clients" does something.

I had a look at the server config and it looks well for me:

Code:
# Automatically generated configuration
daemon
topology subnet
server 10.8.1.0 255.255.255.0
local xx.xx.xx.xx        
proto udp    
port 1194    
dev tun22    
txqueuelen 1000
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC          
comp-lzo adaptive          
keepalive 15 60
verb 3        
push "route 192.168.1.0 255.255.255.0"                    
client-config-dir ccd      
client-to-client            
duplicate-cn  
push "dhcp-option DOMAIN orion"                          
push "dhcp-option DNS 192.168.1.1"                        
tls-auth static.key        
auth-user-pass-verify /usr/sbin/ovpnauth.sh via-file      
script-security 2          
ca ca.crt    
dh dh.pem    
cert server.crt
key server.key
status-version 2            
status status 10            
             
# Custom Configuration
I guess my next step is setting up a OpenVPN server on my raspberry pi and check if this works.

Edit: I installed PiVPN on my raspberry and it works fine. So my guess is now, that the OpenVPN is broken in the last firmware for the Asus RT-N66U. Now I use the Pi for redirect traffic with the benefit of a Pi-hole.
Only for work I need a connection without redirection. The Asus works with a TAP interface. With it I can connect to my LAN. But with my preferred way TUN it's not possible. I have now limited the TAP OpenVPN on my Asus for my work ip only and deactivated the second OpenVPN on the Asus. So I'm fine for now.
 
Last edited:

ColinTaylor

Part of the Furniture
Edit: I installed PiVPN on my raspberry and it works fine. So my guess is now, that the OpenVPN is broken in the last firmware for the Asus RT-N66U. Now I use the Pi for redirect traffic with the benefit of a Pi-hole.
Only for work I need a connection without redirection. The Asus works with a TAP interface. With it I can connect to my LAN. But with my preferred way TUN it's not possible. I have now limited the TAP OpenVPN on my Asus for my work ip only and deactivated the second OpenVPN on the Asus. So I'm fine for now.
Thanks for the update. Your iptables output looks fine so I don't know what the problem is. Maybe some sort of bug in the routing table on the router. Anyway, unless you want to debug this any further it looks like you have a workaround.
 

guss

New Around Here
Thanks ColinTaylor and yes, for me the matter is settled for the time being. But if the problem occurs with other people and I can somehow help to fix it, I'm happy to help.
 

ngc5195

New Around Here
Hello everybody

I have an Asus RT-N66U with Firmware:374.43_44EAj9527.

On it I use two OpenVPN servers for many years without a problem. One does direct clients to redirect Internet traffic and one does not.

Since the latest update I have the problem that the option "Push LAN to clients" seems not longer to work. I can connect to the RT-N66U without any problem but I can't connect or ping any devices in my LAN. Normally I only connect to my Ubuntu desktop where a vnc server runs. But I can't connect to my Raspberry Pi either. Only the LAN ip of the RT-N66U itself does respond.

There is no firewall running on the Raspberry Pi and I didn't change the ufw settings on the Ubuntu client:
Anywhere ALLOW IN 192.168.1.0/24
Anywhere ALLOW IN 10.8.0.0/24
Anywhere ALLOW IN 10.8.1.0/24

Does anyone have the same problem?

Can I add something via the custom configuration to fix my problem or has anyone another suggestion for me?

Many thanks in advance
Guss
I've been having the same issue on recent versions. I can't ping any devices on my LAN either; this used to work fine...
I think it may have something to do with changes on the OpenVPN side, because using the latest OpenVPN Connect iOS client (official) I cannot get it to work at all. However, I was able to get it to work using Passepartout.
Additionally, I disabled the Direct clients to redirect Internet traffic and Push LAN to clients options and instead am manually pushing the following:
Code:
push 'redirect-gateway def1'
push 'route 192.168.2.0 255.255.255.0'
 
Last edited:

guss

New Around Here
Thanks ngc5195. For me that doesn't work either. I experimented with custom code and manually push my LAN before and just tested your suggestion again. But I can't connect to my LAN.
 

ColinTaylor

Part of the Furniture
Thanks ngc5195. For me that doesn't work either. I experimented with custom code and manually push my LAN before and just tested your suggestion again. But I can't connect to my LAN.
The most noticeable change between the firmware you previously had and the current one is the change to OpenVPN 2.4.9. In light of @ngc5195's post I'm wondering whether there's a compatibility issue on the client side rather than the router. Can you have a look in the client's log and see if there are any clues there?
 

guss

New Around Here
I started testing with Windows 10 64bit OpenVPN client in version 2.4.x. I don't remember the exact version and at some point installed the newest available client (OpenVPN-2.5-rc2-I601-2-amd64.msi). The same problem occurred on my Android (v8.1) phone running LineageOS 15.1 with OpenVPN for Android 0.7.21. Both clients worked perfectly before. So to be honest, I don't think this is a client issue.

But nevertheless I post you the logs.

Windows:
Code:
2020-10-12 19:27:55 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2020-10-12 19:27:55 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2020-10-12 19:27:55 OpenVPN 2.5_rc2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
2020-10-12 19:27:55 Windows version 10.0 (Windows 10 or greater) 64bit
2020-10-12 19:27:55 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2020-10-12 19:28:12 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:28:12 UDP link local: (not bound)
2020-10-12 19:28:12 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:29:13 [UNDEF] Inactivity timeout (--ping-restart), restarting
2020-10-12 19:29:13 SIGUSR1[soft,ping-restart] received, process restarting
2020-10-12 19:29:18 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:29:18 UDP link local: (not bound)
2020-10-12 19:29:18 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:29:18 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-10-12 19:29:18 [RT-N66U] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:29:19 open_tun
2020-10-12 19:29:19 tap-windows6 device [OpenVPN TAP-Windows6] opened
2020-10-12 19:29:19 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
2020-10-12 19:29:19 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {8B1EBAC6-1D99-49CD-8AE0-C595B27095B6} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
2020-10-12 19:29:19 Successful ARP Flush on interface [18] {8B1EBAC6-1D99-49CD-8AE0-C595B27095B6}
2020-10-12 19:29:19 IPv4 MTU set to 1500 on interface 18 using service
2020-10-12 19:29:24 Initialization Sequence Completed
Android:
Code:
2020-10-12 19:46:15 F-Droid built and signed version 0.7.21 running on ZTE ZTE A2017G (ailsa_ii), Android 8.1.0 (OPM7.181205.001) API 27, ABI arm64-v8a, (ZTE/P996A01_O/ailsa_ii:8.0.0/OPR1.170623.032/20180718.100630:user/release-keys)

[...] (edited because post exceeds 10000 character)

2020-10-12 19:46:52 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-10-12 19:46:52 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-10-12 19:46:52 LZO compression initializing
2020-10-12 19:46:52 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2020-10-12 19:46:52 MANAGEMENT: >STATE:1602524812,RESOLVE,,,,,,
2020-10-12 19:46:53 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2020-10-12 19:46:53 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2020-10-12 19:46:53 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2020-10-12 19:46:53 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:46:53 Socket Buffers: R=[212992->212992] S=[212992->212992]
2020-10-12 19:46:53 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2020-10-12 19:46:53 UDP link local: (not bound)
2020-10-12 19:46:53 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:46:53 MANAGEMENT: >STATE:1602524813,WAIT,,,,,,
2020-10-12 19:46:53 MANAGEMENT: >STATE:1602524813,AUTH,,,,,,
2020-10-12 19:46:53 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=e5ffad75 20efc2e9
2020-10-12 19:46:53 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-10-12 19:46:53 VERIFY KU OK
2020-10-12 19:46:53 Validating certificate extended key usage
2020-10-12 19:46:53 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-10-12 19:46:53 VERIFY EKU OK
2020-10-12 19:46:53 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, [email protected]
2020-10-12 19:46:53 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
2020-10-12 19:46:53 [RT-N66U] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
2020-10-12 19:46:54 MANAGEMENT: >STATE:1602524814,GET_CONFIG,,,,,,
2020-10-12 19:46:54 SENT CONTROL [RT-N66U]: 'PUSH_REQUEST' (status=1)
2020-10-12 19:46:54 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN orion,dhcp-option DNS 192.168.1.1,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.3 255.255.255.0,peer-id 1,cipher AES-128-GCM'
2020-10-12 19:46:54 OPTIONS IMPORT: timers and/or timeouts modified
2020-10-12 19:46:54 OPTIONS IMPORT: --ifconfig/up options modified
2020-10-12 19:46:54 OPTIONS IMPORT: route options modified
2020-10-12 19:46:54 OPTIONS IMPORT: route-related options modified
2020-10-12 19:46:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-10-12 19:46:54 OPTIONS IMPORT: peer-id set
2020-10-12 19:46:54 OPTIONS IMPORT: adjusting link_mtu to 1625
2020-10-12 19:46:54 OPTIONS IMPORT: data channel crypto options modified
2020-10-12 19:46:54 Data Channel: using negotiated cipher 'AES-128-GCM'
2020-10-12 19:46:54 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
2020-10-12 19:46:54 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2020-10-12 19:46:54 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2020-10-12 19:46:54 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2020-10-12 19:46:54 do_ifconfig, ipv4=1, ipv6=0
2020-10-12 19:46:54 MANAGEMENT: >STATE:1602524814,ASSIGN_IP,,10.8.0.3,,,,
2020-10-12 19:46:54 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2020-10-12 19:46:54 MANAGEMENT: >STATE:1602524814,ADD_ROUTES,,,,,,
2020-10-12 19:46:54 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2020-10-12 19:46:54 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2020-10-12 19:46:54 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2020-10-12 19:46:54 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2020-10-12 19:46:54 Opening tun interface:
2020-10-12 19:46:54 Local IPv4: 10.8.0.3/24 IPv6: (not set) MTU: 1500
2020-10-12 19:46:54 DNS Server: 192.168.1.1, Domain: orion
2020-10-12 19:46:54 Routes: 10.8.0.0/24, 192.168.1.0/24
2020-10-12 19:46:54 Routes excluded: 
2020-10-12 19:46:54 VpnService routes installed: 10.8.0.0/24, 192.168.1.0/24
2020-10-12 19:46:54 Disallowed VPN apps:
2020-10-12 19:46:54 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2020-10-12 19:46:54 Initialization Sequence Completed
2020-10-12 19:46:54 MANAGEMENT: >STATE:1602524814,CONNECTED,SUCCESS,10.8.0.3,xx.xx.xx.xx,1194,,
2020-10-12 19:46:55 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
I can't see anything wrong there but perhaps somebody else can.
 

ColinTaylor

Part of the Furniture
UPDATE:

@guss @ngc5195 I've just dug out my old RT-N66U and installed V44EA on it. I've configured it as identical as I can determine to guss' setup based on the information posted (although some of the port numbers appear to have been changed in the later posts). I had no problem at all pinging a Windows PC connected to it once I had disabled the Windows Firewall. I'm using the latest version of standard free Android client.

So at the moment I'm at a loss as to why you're having this problem. All I can suggest is that you a) backup your current router settings, b) do a factory reset, and c) do a minimal setup just enough to test the VPN configuration. If it still doesn't work then you can always restore your settings from the backup file.

---------------------------------------------------------------------------
I can't see anything wrong there but perhaps somebody else can.
Thanks for that. Alas I can't see anything wrong with that either. If you have the time could you post the output of the following (obviously when it's in the "non-working" configuration). But I'm clutching at straws here.
Code:
route -n
cat /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/conf/*/forwarding
cat /proc/sys/net/ipv4/conf/*/rp_filter
ip rule show
 
Last edited:

guss

New Around Here
I did it twice, once with "Push LAN to clients Yes" and once with "No" and this custom configuration:
Code:
route 192.168.1.0 255.255.255.0
push 'route 192.168.1.0 255.255.255.0'
Direct clients to redirect Internet traffic in both cases "No"

The output is identical:

route -n
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xx.xx.xx.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun22
xx.xx.xx.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0

cat /proc/sys/net/ipv4/ip_forward
Code:
1
cat /proc/sys/net/ipv4/conf/*/forwarding
Code:
1
1
1
1
1
1
1
1
1

cat /proc/sys/net/ipv4/conf/*/rp_filter
Code:
-1
1
1
1
1
1
1
1
1

ip rule show
Code:
0:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default
Edit: Oh, I see just now you edited your post. Thank you very much for your time ColinTaylor. It's good to know it's working for you with the same router model. So the problem has to be something else in my case. If I find the solution I will post it.

Edit2: I did a factory reset and somehow bricked my router. It doesn't boot anymore, I can't connect in any way. The poor thing is dead. I have no idea what happened.
 
Last edited:

nekkihs

New Around Here
Just register to say thank you to John
My router had been running laggy and buggy ever since they stop updating asuswrt-merlin for ac66u
After a firmware restoration and clean install of your latest release, it's running buttery smooth now
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top