Release [Test] Asuswrt-Merlin 384.19 - OpenVPN test builds

[FTC]

OK. Thanks for the info. It was pegging for approx. 1 hour.. I will reflash the code now and let it run overnight...
Regarding my ovpn slowlyness, I'll be able to confirm tomorrow and in that case will post my settings..

Well, happy to comment that the 'CPU pegging' caused by nt_center database maintenance finally stopped during the night and the CPU activity is back to normal. Also checked the OpenVPN access again and it seems more responsive today.. maybe yesterday the 4G network around here was a bit crowded and any access to my router from my phone / ipad (which is what I use to test external access) was impacted and caused the slowlyness feeling.

So, all in all I am keeping the alpha code ... I will post back if anything else strange is detected (specially OpenVPN related)

 

[SheikhSheikha]

Zero change to the OpenVPN code itself - only the code that creates the config files was changed.

Thank you for your response. Will check further with other OVPN nodes of my vpn provider (ExpressVPN) to see if other speed results can be noticed.

 

[octopus]

Post your list of policy rules, I suspect you have a rule that basically tells all clients (or 0.0.0.0 in the past) to be excluded from DNS routing.

octopus@RT-AC68U-F2D8:/tmp/home/root# ip rule
0:    from all lookup local
10001:    from all to 213.136.xx.xx lookup main
10101:    from 192.168.12.120 lookup ovpnc1
10102:    from 192.168.12.144 lookup ovpnc1
10103:    from 192.168.12.142 lookup ovpnc1
10401:    from all to 213.136.xx.xx lookup main
10501:    from 192.168.12.146 lookup ovpnc3
32766:    from all lookup main
32767:    from all lookup default

octopus@RT-AC68U-F2D8:/tmp/home/root# routes
Table 254
default via 158.174.xxx.x dev eth0
Table 111
0.0.0.0/1 via 10.128.0.1 dev tun11
128.0.0.0/1 via 10.128.0.1 dev tun11
default via 10.128.0.1 dev tun11
Table 112
Table 113
0.0.0.0/1 via 10.129.0.1 dev tun13
128.0.0.0/1 via 10.129.0.1 dev tun13
default via 10.129.0.1 dev tun13
Table 114
Table 115

 

[brummygit]

Performed a dirty update from Alpha 1 on my RT-AX88U which had previously been reset to defaults on Alpha 1.

I didn't have OpenVPN configured and hadn't saved any config from my previous build. I'm using DDNS and Let's Encrypt in basic form.

I enabled OpenVPN server and exported the client configuration. When I import into both my iPhone and Windows 10 clients I get the following error when I try to connect:

Wed Jul 22 16:17:53 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Wed Jul 22 16:17:53 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jul 22 16:17:53 2020 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Management Password:
Wed Jul 22 16:17:56 2020 OpenSSL: error:0909006C:PEM routines:get_name:no start line
Wed Jul 22 16:17:56 2020 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Wed Jul 22 16:17:56 2020 Cannot load inline certificate file
Wed Jul 22 16:17:56 2020 Exiting due to fatal error

A quick google implies that the certificate is malformed, but it might be because I am not familiar with configuring OpenVPN.

 

[RMerlin]

octopus@RT-AC68U-F2D8:/tmp/home/root# ip rule
0:    from all lookup local
10001:    from all to 213.136.xx.xx lookup main
10101:    from 192.168.12.120 lookup ovpnc1
10102:    from 192.168.12.144 lookup ovpnc1
10103:    from 192.168.12.142 lookup ovpnc1
10401:    from all to 213.136.xx.xx lookup main
10501:    from 192.168.12.146 lookup ovpnc3
32766:    from all lookup main
32767:    from all lookup default

I need a screenshot of what you entered on the webui.

 

[RMerlin]

A quick google implies that the certificate is malformed, but it might be because I am not familiar with configuring OpenVPN.

Post the content of your config file.

 

[brummygit]

Post the content of your config file.

This is what I exported from the router. Do I now need to replace my certificate having posted it?

client
dev tun
proto udp
remote [REMOVED].asuscomm.com 1194
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIEkzCCA3ugAwIBAgIUeYjJxQbBXPXF9spE72410vaqGscwDQYJKoZIhvcNAQEF
BQAwgYUxCzAJBgNVBAYTAlRXMQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVp
MQ0wCwYDVQQKEwRBU1VTMRQwEgYDVQQLEwtIb21lL09mZmljZTERMA8GA1UEAxMI
UlQtQVg4OFUxIDAeBgkqhkiG9w0BCQEWEW1lQGFzdXNyb3V0ZXIubGFuMB4XDTIw
MDcyMjEyMTc0OFoXDTMwMDcyMDEyMTc0OFowgYUxCzAJBgNVBAYTAlRXMQswCQYD
VQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMQ0wCwYDVQQKEwRBU1VTMRQwEgYDVQQL
EwtIb21lL09mZmljZTERMA8GA1UEAxMIUlQtQVg4OFUxIDAeBgkqhkiG9w0BCQEW
EW1lQGFzdXNyb3V0ZXIubGFuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA3Hw/LAdm9xjw3MF4aGdqXoekpHmsucbULLqwUbglO/ALSm7426t9HI84IBvC
W8+bjH3HHxDCXiWAYI79TOSMmWpl/RBbMI6B3loIJ57SyPpLOmv4wQYnLV4MW4TZ
JLWWDE9yWiCbYpbh9i8YeL3f998C5hjD1v6ZwvP7KEvL8IwpkJ6Q29NRb+WePYav
MDJy7i/HZuZHsWdVcNnQTRvhcoKvxibofOGSJ0hY7QaR9CBX+vq3gbbnubTrbogT
nxijw/Jb7FNuPpoMFYkws1dRNMzXezxzbO1oKKxnJ8CdUpzgK6u5RRKU3WkcBt8/
XfK3cxBVjlmVbTvNZLip8g7VEwIDAQABo4H4MIH1MB0GA1UdDgQWBBRQA7w9o3Uz
tLerktRAHeRkcA5rsTCBxQYDVR0jBIG9MIG6gBRQA7w9o3UztLerktRAHeRkcA5r
saGBi6SBiDCBhTELMAkGA1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZU
YWlwZWkxDTALBgNVBAoTBEFTVVMxFDASBgNVBAsTC0hvbWUvT2ZmaWNlMREwDwYD
VQQDEwhSVC1BWDg4VTEgMB4GCSqGSIb3DQEJARYRbWVAYXN1c3JvdXRlci5sYW6C
FHmIycUGwVz1xfbKRO9uNdL2qhrHMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADggEBANibtxtyAuUw/5JZ9W4AFEwsfbUPtxadmOw6Px6wnY+B0dOmoN7ydzS2
6xHpEtzYl3+y7J/axxdSTci7nSOOI44nzXBt7yyEZ9DCfEnjHBG90nj+23cj6ev+
L2busCTK22WW6AGvNTjpp8ZCQtJhddiCXG9mxKp9jgFcEGxZqbZ0N4ubF+nlpL/e
/NU/CZur4ioFcjlae12ar0NqL8xW9B8WMK8A5GxsgXztQQz3LuWgyb93Vq3O/0dU
lk6OysFifCfyB01COtniRs39n6tSiyNkn6eDu/D7YKMD6pbuBMxGQQfzC3m6RySn
VAFKmWPsYdMOWmdBwND0vzsaSubHdxo=
-----END CERTIFICATE-----

</ca>
<cert>
    paste client certificate data here
</cert>
<key>
    paste client key data here
</key>

 

[octopus]

I need a screenshot of what you entered on the webui.

Sorry for the hassle.........here is the pic

 

[RMerlin]

This is what I exported from the router. Do I now need to replace my certificate having posted it?

This would indicate you enabled cert-based authentication, but you didn't provide it. If you generate your own client key and certs, you have to paste them in the two labeled sections before importing the ovpn file in your client device.

Posting the CA cert is fine, it's posting any key, or a client cert that might require you to replace it.

 

[RMerlin]

Sorry for the hassle.........here is the pic

View attachment 24818

The log message is probably just a visual glitch. The empty parameter used to contain 0.0.0.0 before 384.18 - that was actually changed last release.

EDIT: The issue was indeed introduced in 384.18 with the rules storage change. updown-client.sh was still expecting 0.0.0.0 to represent "any" rather than an empty string.

 

[SheikhSheikha]

OVPN client with ExpressVPN running stable on RT-AC5300

 

[brummygit]

This would indicate you enabled cert-based authentication, but you didn't provide it. If you generate your own client key and certs, you have to paste them in the two labeled sections before importing the ovpn file in your client device.

Posting the CA cert is fine, it's posting any key, or a client cert that might require you to replace it.

Thanks, I didn't deliberately enable client certs - I believe I followed the same process as I did on 384.18 - enable the VPN server on the router without changing any Advanced Settings, then export / import the config file into my client. Should I have turned off client certs somewhere?

EDIT: I've done a reset to defaults on the OpenVPN server and started again. I get the same results.

 

[Intrepid2007]

I am not sure if this issue I have, is particular to this version.. I started noticing it with this version though. I have an AX88U router.

I am using the LAN DNS filter feature and whenever I disable and then enable this feature, it appears to override the DNS behavior in my vpn client (DNS mode set to exclusive). It won't use the VPN DNS servers, it will use the DNS servers set in WAN.

My settings:

In WAN:
DNS Servers set to 1.0.0.1 and 1.1.1.1

In LAN:
No DNS servers configured

In LAN DNS FILTER:
Using custom dns (EXPRESSVPN)
(my TV has WAN access to Internet via Asus router, it uses the dns server from expressvpn, TV is listed below)
Global mode: router

In VPN client:
DNS set to 'exclusive'

So whenever I do 'something' in the dns filter setting section and apply the changes, my devices using the VPN start using the dns servers specified in WAN.

To correct this, I set the dns mode in vpn to 'strict', apply the setting, and then I set it to 'exclusive' again and apply... This corrects the issue and devices using the VPN will use the VPN DNS server again.

It's a long story, I hope I made it clear..

 

[Xentrk]

I am not sure if this issue I have, is particular to this version.. I started noticing it with this version though. I have a AX88U router.

I am using the LAN DNS filter feature and whenever I disable and then enable this feature, it appears to override the DNS behavior in my vpn client (DNS mode set to exclusive). It won't use the VPN DNS servers, it will use the DNS servers set in WAN.

My settings:

In WAN:
DNS Servers set to 1.0.0.1 and 1.1.1.1

In LAN:
No DNS servers configured

In LAN DNS FILTER:
Using custom dns (EXPRESSVPN)
(my TV has direct access to Internet, it uses the dns server from expressvpn, TV is listed below)
Global mode: router

In VPN client:
DNS set to 'exclusive'

So whenever I do 'something' in the dns filter setting section and apply the changes, my devices using the VPN start using the dns servers specified in WAN.

To correct this, I set the dns mode in vpn to 'strict', apply the setting, and then I set it to 'exclusive' again and apply... This corrects the issue and devices using the VPN will use the VPN DNS server again.

It's a long story, I hope I made it clear..

I am able to duplicate. Applying the DNS Filter bounces the firewall which is probably responsible for wiping out the Accept DNS Configuration = Exclusive DNS iptables rules. Just bouncing the VPN Client using the apply button reinstates them. Or, from command line: service restart_vpnclient1

Will show the DNSFilter Rules

iptables --line -t nat -nvL PREROUTING

DNS Exclusive Rules for VPN Client 1 (can be 1-5)

iptables --line -t nat -nvL DNSVPN1

For your use case, I recommend setting DNS Filter to Router. LAN clients routed to the VPN will use the DNS of the Express since you have the Accept DNS Configuration = Exclusive. WAN clients will use the DNS specified on the WAN page.

 

[Intrepid2007]

I am able to duplicate. Applying the DNS Filter bounces the firewall which is probably responsible for wiping out the Accept DNS Configuration = Exclusive DNS iptables rules. Just bouncing the VPN Client using the apply button reinstates them. Or, from command line: service restart_vpnclient1

Will show the DNSFilter Rules

iptables --line -t nat -nvL PREROUTING

DNS Exclusive Rules for VPN Client 1 (can be 1-5)

iptables --line -t nat -nvL DNSVPN1

For your use case, I recommend setting DNS Filter to Router. LAN clients routed to the VPN will use the DNS of the Express since you have the Accept DNS Configuration = Exclusive. WAN clients will use the DNS specified on the WAN page.

Happy to read that you can reproduce it!

In my environment, the DNS filter mode is already set to 'router', forcing all DNS requests from WAN clients to be redirected to the dns servers set in the WAN section.

 

[tuntun]

Howdy folks,

In the Test Builds folder on Onedrive I created a new folder named OpenVPN-test. This folder contains test builds that uses largely rewritten OpenVPN code, which will need to be tested in depth.

OpenVPN's implementation in Asuswrt-Merlin is a long story, but to make it short, the code I'm currently using was originally ported from Tomato with its original author's permission. That author retains licensing rights to that code (reusing that code is forbidden unless you obtain the author's permission, which I did obtain at the time).

Quite a few portions of the code are redundant, and almost everything is implemented in a fairly monolithic way, making it hard to maintain. I first started out by refactoring some of the code to make it more manageable, by moving portions into separate functions. One thing led to another, and I ended up rewriting a large portion of the OpenVPN implementation. There were a few goals behind this project:

• Continue the code cleanup I had been working on from time to time in the past
• Make the code more modular, moving redundant portions into separate functions
• Rewriting as much as possible so it could be placed under a GPL licence (or for portions I had already written, move them under a GPL licence)

Feature-wise, the implementation still has all the same features. The webui wasn't changed, only the backend code was reorganized. A few minor issues were tracked down along the way, some were fixed (like the reneg time that could be set to a larger vaue than supported by nvram storage). Others were added to my todo list.

One of the related enhancements I've made while working on this was to change the way OpenVPN instances are launched at boot time, which should help make it more reliable on certain scenarios (such as when you have a very fast NTP server, which could lead to OpenVPN instances starting twice at boot time).

With such a large code change, pretty much everything tied to OpenVPN will need to be retested, hence this test project. Please, try out these test builds. Try out various OpenVPN setups, both client and server. Report any issue encountered (particularly new ones). Please stick to only OpenVPN-related issues. This isn't about the 384.19 dev cycle as a whole, this is currently only focused on OpenVPN. The full beta cycle will happen later.

Test builds: https://www.asuswrt-merlin.net/test-builds

Thank you for your cooperation.

will you do this similar feature build for RT-AC87U? looking forward....Thanks

 

[jsbeddow]

will you do this similar feature build for RT-AC87U? looking forward....Thanks

It seems highly unlikely, as RMerlin has made clear on more than one occasion. Here is his last direct quote on this 87U subject, from the release notes of 384.18 final (and the corresponding build for the 87U):

"384.13_10 will probably be the final release for the RT-AC87U and RT-AC3200, due to the GPL code of these two models being currently completely out of sync with the code used by the other models."

 

[RMerlin]

Thanks, I didn't deliberately enable client certs - I believe I followed the same process as I did on 384.18 - enable the VPN server on the router without changing any Advanced Settings, then export / import the config file into my client. Should I have turned off client certs somewhere?

EDIT: I've done a reset to defaults on the OpenVPN server and started again. I get the same results.

I see - the issue only happens if you leave the bit strength to 1024 bit, it doesn't occur with 2048 bit.

 

[brummygit]

I see - the issue only happens if you leave the bit strength to 1024 bit, it doesn't occur with 2048 bit.

Apologies for appearing stupid, but where do I change this?

 

[RMerlin]

Apologies for appearing stupid, but where do I change this?

It's on the settings page the first time you enable a new server instance.

Anyway, this issue seems to be more complex than that, there's some code missing to ensure it gets stored to jffs as well.