OpenVPN version in Merlin compared to stock?


RFT354

Occasional Visitor
Do both firmwares have the same OpenVPN version? Where can I see which version they have?

Thanks.
 

cooloutac

Very Senior Member
Merlin has policy routing among other features. The merlin firmware is way better for openvpn as well as having the latest version.
 

RMerlin

Asuswrt-Merlin dev
Do both firmwares have the same OpenVPN version? Where can I see which version they have?

Thanks.
The version is in the system log when you start a server or client.
 

RFT354

Occasional Visitor
The version is in the system log when you start a server or client.

Thanks.


What will happen with Merlin for RT-AC86U when Asus stops issuing new firmware for that router (it's already 4 years old)? Will Merlin stop supporting it? If so, does any other opensource firmware support this model?

I'm about to unbox Asus RT-AC86U and need to decide which firmware to use. I have never installed custom firmware on any device before. The only reason I replaced my wired-only router with a wireless router, and this expensive, is because I want to have OpenVPN in the router instead of Windows. I've read this router has some kind of AES accelerator.
 

Martineau

Part of the Furniture
Do both firmwares have the same OpenVPN version?

Where can I see which version they have?
For a detailed response use the openvpn --version command

e.g. RT-AC68U v384.19
Code:
openvpn --version

OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 14 2020
library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

RT-AC86U v386.1 Alpha4
Code:
openvpn --version

OpenVPN 2.5.0 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 29 2020
library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
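
The replies above point at the same banner: `openvpn --version` prints it, and it is written to the system log when a server or client starts. The script below is an added example, not code from any poster or from Asuswrt-Merlin; it extracts the OpenVPN and OpenSSL versions from either source and compares them with a minimum. The syslog prefix in the sample and the 2.5.0 threshold are assumptions.

```sh
#!/bin/sh
# Added example: read the OpenVPN banner from `openvpn --version` output or
# from system-log lines and compare it with a minimum version you choose.

# Sample input: the two banners quoted in this thread. The syslog prefix
# ("Dec  1 ... ovpn-client1[2345]:") is constructed for illustration.
SAMPLE_249='OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 14 2020
library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08'
SAMPLE_250_SYSLOG='Dec  1 10:00:00 ovpn-client1[2345]: OpenVPN 2.5.0 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 29 2020
Dec  1 10:00:00 ovpn-client1[2345]: library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.08'

# Print the OpenVPN version (e.g. 2.5.0) from banner text on stdin.
ovpn_version() {
    sed -n 's/^.*OpenVPN \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\) .*built on.*$/\1/p' | head -n 1
}

# Print the linked OpenSSL version (e.g. 1.1.1h) from banner text on stdin.
ovpn_openssl() {
    sed -n 's/^.*library versions: OpenSSL \([^ ,]*\).*$/\1/p' | head -n 1
}

# Succeed when the build-feature flag $1 (e.g. AEAD) is in the banner on stdin.
ovpn_has_flag() {
    grep 'OpenVPN [0-9].*built on' | grep -q -F "[$1]"
}

# Succeed when dotted version $1 >= $2, comparing each field as a number
# (so 2.4.10 is newer than 2.4.9, which a plain string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "<openvpn> <openssl> ok|old" for the banner on stdin, or "unknown"
# when no banner is found. Returns 0 only when the version is >= $1.
check_banner() {
    min=$1
    banner=$(cat)
    v=$(printf '%s\n' "$banner" | ovpn_version)
    s=$(printf '%s\n' "$banner" | ovpn_openssl)
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$min"; then verdict=ok; else verdict=old; fi
    echo "$v ${s:-unknown} $verdict"
    [ "$verdict" = ok ]
}

# Demo on the samples; 2.5.0 as the minimum is an arbitrary choice.
printf '%s\n' "$SAMPLE_249" | check_banner 2.5.0 || true
printf '%s\n' "$SAMPLE_250_SYSLOG" | check_banner 2.5.0 || true
# On a router shell: openvpn --version | check_banner 2.5.0
```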
 

RFT354

Occasional Visitor
Is the RT-AC86U log for Merlin or stock?
 

RFT354

Occasional Visitor

Do you know if in the past Merlin updates stopped after Asus stopped updating the firmware of older models?

It seems my model is not supported by OpenWRT, DD-WRT or any Tomato.
 

Mr Tvardovsky

Occasional Visitor
Do you know if in the past Merlin updates stopped after Asus stopped updating the firmware of older models?
Maybe this reference will help you - in summer RMerlin announced he’ll most probably stop supporting ac87u and ac3200 (version 384.13_10):
The reason is limited support from Asus.

At the same time, Merlin still fully supports ac66u_b1 that was launched, I believe, in 2016. And which remains fully supported by Asus.

All in all, I don’t think you have to worry about support for your ac86u for the next couple of years.
 

RFT354

Occasional Visitor
Asus released stock firmware for the AC87U on 2020/07/09, but Merlin didn’t follow up in his latest release. I didn’t know Asus helps him. I emailed Asus a while ago and they could not provide a support end date for my AC86U model.

I wish there was some law that required the manufacturers to provide security updates for 10 years after they stopped selling a model. If Microsoft can do it with Windows, why not everybody else? It seems router security will remain in a state of anarchy for the foreseeable future.

The wire-only Asus router I’m using now had its last firmware update released in 2012, a year after I bought it, but it’s primitive compared to the one I bought now and therefore probably is less prone to security holes – and as I’m writing this my computer’s remote owner doesn’t seem to disagree with me (yes, very good security and no holes whatsoever…)
 

Smokey613

Senior Member
Thanks.


What will happen with Merlin for RT-AC86U when Asus stops issuing new firmware for that router (it's already 4 years old)? Will Merlin stop supporting it? If so, does any other opensource firmware support this model?

I'm about to unbox Asus RT-AC86U and need to decide which firmware to use. I have never installed custom firmware on any device before. The only reason I replaced my wired-only router with a wireless router, and this expensive, is because I want to have OpenVPN in the router instead of Windows. I've read this router has some kind of AES accelerator.

 

RMerlin

Asuswrt-Merlin dev
What will happen with Merlin for RT-AC86U when Asus stops issuing new firmware for that router (it's already 4 years old)? Will Merlin stop supporting it?

Asuswrt-Merlin is essentially a fork of the original firmware. Once Asus stops supporting a model, it becomes impossible for me to continue supporting it due to the large amount of closed source portions of code in a firmware, which is model-specific. Once Asus's code and my code start drifting apart too much, then those closed source components become incompatible. This is what happened with the RT-AC87U, where Asus was still using 382 code for that model, and my firmware was using 384 code. Those closed source 382 components can no longer be used with 384 code.

True open source firmwares for commercial routers are all dying. Broadcom and Qualcomm are both increasingly closed in regards to driver code, and they both increasingly rely on more proprietary/closed source components to enhance features. In a few years, the only way to have an open sourced firmware on a modern router will be to build your own router based on an X86 or generic ARM platform. DD-WRT and Tomato are going nowhere in terms of new model support, and OpenWRT is increasingly getting cornered in terms of model support as well. I don't think there is any open source firmware that supports a Wifi 6 router right now.
 

RFT354

Occasional Visitor
I can already see how things will repeat themselves for me, with years of no firmware updates. Politicians are constantly preaching how important the environment is and why they must tax everything and everyone so as to limit our carbon footprint, but at the same time they force us to choose between throwing away our smartphones and routers every few years or using them without security updates.

I’m mostly concerned with having old OpenVPN on my router once Asus stops releasing new firmware. Is there a way for me to copy and paste new OpenVPN code into the firmware of my router when that happens? It has to be really simple, because I don’t know anything about coding.

If not, I’ll probably buy cheap routers that still receive new firmware and put this one, the one which is running the OpenVPN, behind the new one’s firewall. What I’m not going to do is buy a high-end router every few years. I don’t game, so this router is really an overkill for me.


Here’s an x86 router, but too expensive for me. They seem to preconfigure them for different VPN providers, so you just hook them up and go.


I don’t know if this is possible, but perhaps a better business idea would be to sell software people can use in their old PCs and turn them into routers. Good for the environment, too.
 

L&LD

Part of the Furniture
pfSense. :)
 

RMerlin

Asuswrt-Merlin dev
I’m mostly concerned with having old OpenVPN on my router once Asus stops releasing new firmware. Is there a way for me to copy and paste new OpenVPN code into the firmware of my router when that happens? It has to be really simple, because I don’t know anything about coding.

It's not as simple as just copying newer files on top of the old one unfortunately. You need to do an actual code merge using tools such as "patch" and "diff", and you also have to adjust other areas of the code when there are changes done at the settings level (for instance, you can't just replace 2.4.x code with 2.5.x and expect it to work properly).

To be honest, OpenVPN is pretty solid security-wise. The code received two independent audits a few years ago, and I've seen very few (if any) security fixes in OpenVPN since then. OpenSSL has also gained a lot in terms of security, with the last few security issues being rather esoteric to exploit (i.e. most can't be exploited through an application such as OpenVPN).

If the VPN service is your main worry, then I can suggest running it on another system behind your router. Can be a virtual machine running on an existing PC, for example. Something like CentOS or Ubuntu LTS should at least give you a few years of security updates, and after that you can upgrade the whole distro.

I don’t know if this is possible, but perhaps a better business idea would be to sell software people can use in their old PCs and turn them into routers.

That already exists, and many are actually free. OPNsense, pfSense, Sophos XG (their home edition is free), Gargoyle, etc...
 

RFT354

Occasional Visitor
I’m probably going to keep the still unboxed AC86U I bought, but I am curious about alternative solutions so I don’t have to look for new hardware every few years when the manufacturer stops updating the firmware.

You mentioned running OpenVPN on a separate machine behind my router. I want the OpenVPN machine to remain on 24/7, so it can’t be a VM on a machine I turn off every day. This is the main reason I’m not keeping the Windows VPN app I’m using now, since it’s leaking every time the computer reboots. I assume I should then connect other machines to that OpenVPN machine, but how do I make that connection so all data goes through the OpenVPN machine? I tried to share adapter a while back, but couldn’t make it work.



Does Sophos XG also function as a router?

Also, which is easiest to understand for somebody like me, who thinks the ac86u UI is very complicated: Sophos XG, OPNsense or pfSense? I’ve watched Youtube videos of all three, and my impression is that Sophos XG is ever so slightly more intuitive, followed by OPNsense and lastly pfSense, which is least intuitive. Should I even attempt, because I risk leaving big security holes in the firewall?

I realized my old machines only have 100Mb LAN, so it would have to be something like this:

https://www.amazon.com/dp/B074XP8XRG/?tag=snbforums-20
 

RMerlin

Asuswrt-Merlin dev
I assume I should then connect other machines to that OpenVPN machine, but how do I make that connection so all data goes through the OpenVPN machine? I tried to share adapter a while back, but couldn’t make it work.

You didn't specify the goal was to route your outbound traffic through a VPN provider rather than getting remote access to your LAN. That's a completely different scenario. You would need your client to use that VPN router as your default gateway.

Does Sophos XG also function as a router?

Yes, it's a complete router/gateway/security solution.

Also, which is easiest to understand for somebody like me, who thinks the ac86u UI is very complicated: Sophos XG, OPNsense or pfSense?

Sophos XG is probably the simplest of the three, with pfSense being the most complicated one. But none of these are designed for network novices, unlike home routers like the Asus routers, so they all carry a certain learning curve.
 

RFT354

Occasional Visitor
You didn't specify the goal was to route your outbound traffic through a VPN provider rather than getting remote access to your LAN. That's a completely different scenario. You would need your client to use that VPN router as your default gateway.

You mean the OpenVPN must be in my AC86U, or Sophos XG if I go that way?

Edit:

If inbound VPN was my primary interest, I would probably look into WireGuard.

 