Beta [Fork] Asuswrt-Merlin 374 LTS development 46D7 - OpenVPN 2.5.0 / IPSET 7 - CLOSED


john9527

Part of the Furniture
The public release 46E8 is now available


Development release for OpenVPN 2.5.0 and IPSET 7 - 46D7
============================================
Updates IPSET to release 7.6 (ARM AC68/AC56 only)
Adds fixes from latest stable 45EC release

Development release for OpenVPN 2.5.0 - 46D3
============================================
For those that would like to try the latest OpenVPN release
Changelog
fa2c8b4bc5 (HEAD -> dev46) Version and Documentation to 46D3j9527
535b0db889 e2fsprogs: revert mke2fs.conf.in due to unsupported 64bit and metadata_csum options for ext4
3114ac76f8 webui: suppress ntp server sync reminder when ntp_update disabled - @octopus
51bbd677ff Version and Documentation to 46D2j9527
e570fb1e11 openvpn: httpd: webui: (backport) implement stub/stub-v2 support
cfee6cf8fe openvpn: httpd: webui: (backport) implement tls-crypt-v2 support
35e3e7a2a9 make: update for lz4 support
2241d2daae lz4: add 1.9.2
d87743be93 Version and Documentation to 46D1j9527
ec590e5fd3 openvpn: new cipher option naming
bba4224690 webui: openvpn: (backport) limit max data-ciphers length to 127 chars per OpenVPN doc
6056bc5309 openvpn: (backport) try to use CHACHA20-POLY1305 if supported by the remote end
9d44011f7c openvpn: asus-merlin customizations 2.5.x
d2cad7a51c openvpn: update to 2.5.0


NOTES:
  • From the OpenVPN 2.5.0 release notes

    CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK
    Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
    implemented their own cipher negotiation method that always reports back that it is
    using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers.
    We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix.
    If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.

    This affects at least Private Internet Access (PIA), therefore the deprecated 'Cipher Negotiation Disable' (ncp-disable) option has NOT been removed
    from the gui. A syslog warning msg will be generated, but at present it still can be used to force a specific cipher with the Legacy/Fallback Cipher setting.
  • The CHACHA20-POLY1305 cipher will be added to the default cipher negotiation following a factory default reset. You may also manually add it to the cipher negotiation list.

Download: https://1drv.ms/f/s!Ainhp1nBLzMJiF2l3WjM46lSmxrH

SHA256
5507304db0097a15b3cfcfc11c5c0d7f83734f95e41399d23e4c4c1f51178124 RT-N16_374.43_46D7j9527.trx
424cb8067f7069fb00c2fa5ee60d9b7c17bc7d6f13a8b303637c05dd7d70c612 RT-AC66U_374.43_46D7j9527.trx
6477fdee31412f884cc4194340c80778e0b3f98f5df742f2709a7e4fe9e807ac RT-N66U_374.43_46D7j9527.trx
be405bb058581c2dc3fa5722aca92bb4f4e4acb365ec15e5446f9406d2b75da9 RT-AC68U_374.43_46D7j9527.trx
f1b78bdf3596e2e509c2db60184ed4af603e4cd84df9f7f3a586dbe621450dc8 RT-AC56U_374.43_46D7j9527.trx
 

L&LD

Part of the Furniture
Great work @john9527 and very prolific too! I will be testing this in the next few days for a client running an RT-AC66U.
 

octopus

Very Senior Member
I have used this FW since release and CHACHA20-POLY1305 is working fine on my nodes.
Code:
Nov  9 16:59:24 openvpn[2598]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Nov  9 16:59:24 openvpn[2598]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Nov  9 16:59:24 openvpn[2598]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA

Thank you
@john9527
 

john9527

Part of the Furniture
Just a quick note...it looks like Private Internet Access (PIA) fixed cipher negotiation on their next gen servers....
Code:
Dec  2 22:58:45 openvpn[7423]: OPTIONS IMPORT: data channel crypto options modified
Dec  2 22:58:45 openvpn[7423]: Data Channel: using negotiated cipher 'AES-128-GCM'
Dec  2 22:58:45 openvpn[7423]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec  2 22:58:45 openvpn[7423]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
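
An added example, not part of the original posts: a shell function that reads syslog lines like those quoted in this thread and reports which data-channel cipher each OpenVPN process initialised, flagging anything that is not AEAD (for instance BF-CBC forced through the Legacy/Fallback Cipher setting). The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenVPN data-channel ciphers seen in syslog.
# Reads syslog lines on stdin and prints "<pid> <direction> <cipher> <verdict>".
# Returns 1 if any non-AEAD (legacy) cipher was initialised, else 0.
audit_ovpn_ciphers() {
    awk -v q="'" '
    / Data Channel: Cipher / {
        # Process id from the "openvpn[NNNN]" tag, "?" if the tag is missing.
        pid = "?"
        if (match($0, /openvpn\[[0-9]+\]/))
            pid = substr($0, RSTART + 8, RLENGTH - 9)
        dir = ($0 ~ /Outgoing Data Channel/) ? "out" : "in"
        split($0, part, q)   # cipher name sits between the single quotes
        cipher = part[2]
        # GCM modes and CHACHA20-POLY1305 are the AEAD data ciphers.
        aead = (cipher ~ /-GCM$/ || cipher == "CHACHA20-POLY1305")
        if (!aead) bad = 1
        print pid, dir, cipher, (aead ? "AEAD" : "LEGACY")
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input in the format of the log excerpts in this thread.
# The last session is a hypothetical client with a forced legacy cipher.
sample_log() {
    cat <<'EOF'
Nov  9 16:59:24 openvpn[2598]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Nov  9 16:59:24 openvpn[2598]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Nov  9 16:59:24 openvpn[2598]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA
Dec  2 22:58:45 openvpn[7423]: Data Channel: using negotiated cipher 'AES-128-GCM'
Dec  2 22:58:45 openvpn[7423]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec  2 22:58:45 openvpn[7423]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec  3 08:10:02 openvpn[3001]: Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Dec  3 08:10:02 openvpn[3001]: Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
EOF
}

# Stand-alone run over the sample; on a router, feed the syslog file instead.
sample_log | audit_ovpn_ciphers || echo "non-AEAD data-channel cipher in use"
```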
 

Gar

Very Senior Member
Installed and working great. Thanks for updates!
 

Gar

Very Senior Member
Is skynet doing OK? I thought I saw some discussion about ipset 7 requiring some updates in the Merlin alpha thread.
I checked the log after update and didn't see any errors, will check again later when home.
 

Gar

Very Senior Member
Update: I'm not seeing any error messages, anything in particular I should be looking for? Skynet is blocking as usual.

Edit: I see the post from @dave14305 fixing an error msg.
 
