VPN Custom Configuration space limited after upgrade :(


Viktor Jaep

Regular Contributor
I recently upgraded from an RT-AC3100 to the RT-AC86U, and wow... made a WORLD of difference from the VPN side of the house. My speeds have been 5x-6x better than what the 3100 was giving me on ExpressVPN. Only one main drawback that I have not been able to resolve -- ie. for some reason, the "Custom Configuration" window under the VPN client seems to have a size limitation on the 86U... yet, there didn't seem to be a similar size limitation on the inferior 3100, since it never gave me issues with the size of my script. Weird!

I've been able to chop down my custom config a bit to keep things working on the 86U, but I'd like to get back to my old config. I was reading up that you could make use of the openvpnclientX.postconf script as a remedy to this? So I had some questions... not being a major scripting guru:

1.) Can I just pop my original config into this file, and save it under /jffs/scripts?
2.) Do I have to abide by any scripting language/lingo in this file, or just dump it in and save?
3.) Once this file is placed out under /jffs/scripts, I assume I can just blank out the contents of my current "Custom Configuration" window and save?
4.) Anything else I need to worry about?

Thanks in advance for your help & advice!

Note: Stuff like this (below) kinda scares me... from the readme (https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files)

" Note that postconf scripts are blocking the firmware while they run, to ensure the service only gets started once the script is done. Make sure those scripts do exit properly, or the router will be stuck during boot, requiring a factory default reset to recover it. "
 

CaptainSTX

Part of the Furniture
Just curious if any of the additions you add in custom configurations actually make any difference? If they do for you, what settings are you adding that actually change anything?

I have tried various suggested changes on Astrill, PIA and Strong and I could never measure any speed differences and in fact their servers tended to ignore most custom settings.
 

Maverickcdn

Senior Member
It does appear there is a line limit in the GUI and looks to be about 50 lines.

Not sure what you're adding to the custom config box. Without knowing what you have for custom entries, a postconf might be your only route.

We'd need to know what exactly it is you're trying to add there though.
 

Viktor Jaep

Regular Contributor
It does appear there is a line limit in the GUI and looks to be about 50 lines.

Not sure what you're adding to the custom config box. Without knowing what you have for custom entries, a postconf might be your only route.

We'd need to know what exactly it is you're trying to add there though.
Absolutely... I tend to have a lot of hosts in there to perform a remote random when I force a reset on my VPN... my original config looked like this:

Code:
fast-io
server-poll-timeout 10
remote usa-newyork-ca-version-2.expressnetw.com 1195
remote usa-sanfrancisco-ca-version-2.expressnetw.com 1195
remote usa-chicago-ca-version-2.expressnetw.com 1195
remote usa-washingtondc-ca-version-2.expressnetw.com 1195
remote usa-dallas-ca-version-2.expressnetw.com 1195
remote usa-miami-ca-version-2.expressnetw.com 1195
remote usa-losangeles-2-ca-version-2.expressnetw.com 1195
remote usa-losangeles-3-ca-version-2.expressnetw.com 1195
remote usa-newjersey-1-ca-version-2.expressnetw.com 1195
remote usa-newjersey-3-ca-version-2.expressnetw.com 1195
remote usa-seattle-ca-version-2.expressnetw.com 1195
remote usa-miami-2-ca-version-2.expressnetw.com 1195
remote usa-denver-ca-version-2.expressnetw.com 1195
remote usa-saltlakecity-ca-version-2.expressnetw.com 1195
remote usa-tampa-1-ca-version-2.expressnetw.com 1195
remote usa-losangeles-1-ca-version-2.expressnetw.com 1195
remote us-new-york-2-ca-version-2.expressnetw.com 1195
remote usa-dallas-2-ca-version-2.expressnetw.com 1195
remote usa-losangeles-ca-version-2.expressnetw.com 1195
remote usa-atlanta-ca-version-2.expressnetw.com 1195
remote usa-losangeles5-ca-version-2.expressnetw.com 1195
remote-random
pull
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
#keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lzo no"
auth-nocache
But after all was said and done, I had to pull most of the hosts out in order to fit within the bounds of the configuration box, and ended up with this:

Code:
fast-io
server-poll-timeout 10
remote usa-newyork-ca-version-2.expressnetw.com 1195
remote usa-dallas-ca-version-2.expressnetw.com 1195
remote usa-miami-ca-version-2.expressnetw.com 1195
remote usa-denver-ca-version-2.expressnetw.com 1195
remote-random
pull
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
#keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lzo no"
auth-nocache
Your input on how this openvpnclientX.postconf script needs to be formatted is much appreciated! :)
 

Viktor Jaep

Regular Contributor
Just curious if any of the additions you add in custom configurations actually make any difference? If they do for you, what settings are you adding that actually change anything?

I have tried various suggested changes on Astrill, PIA and Strong and I could never measure any speed differences and in fact their servers tended to ignore most custom settings.
I actually took a lot of notes from this thread: https://www.snbforums.com/threads/expressvpn-merlin-384-15.61656/#post-548393 -- because I was experiencing many of the same issues mentioned here with ExpressVPN... many of these settings in the config along with some of the GUI configuration options helped resolve my issues, and it has been rock solid ever since.
 

Maverickcdn

Senior Member
Hmm interesting. I know @john9527 mentioned it was limited to 4096, but I can't fit more than 510 and your revised list is 482. 4096 bits maybe??

Someone with more knowledge than I can confirm (noob taking my best self-educated guess) but I think you can create openvpnclient1.postconf in /jffs/scripts and dump all your custom stuff in this format, then restart your openvpn instance. Anything in the postconf file should not be in the GUI custom box. Read about the basics of user scripts, ie. formatted for linux (dos2unix) and ownership (chmod a+rx)...

Code:
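#!/bin/sh
# $1 is the path of the generated OpenVPN config, passed in by the firmware
CONFIG=$1
# helper.sh provides pc_append
source /usr/sbin/helper.sh

pc_append "remote usa-newyork-ca-version-2.expressnetw.com 1195" "$CONFIG"
pc_append "remote... and so on" "$CONFIG"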
or I could be totally wrong and your router melts down ;)

Just an overview, '#!/bin/sh' is always required, 'pc_append' is a function command from /usr/sbin/helper.sh which uses more complicated commands to insert your text to the file. The CONFIG=$1 tells it which file to edit.


If anything I will say I learn something everyday on this site
 

CaptainSTX

Part of the Furniture
I actually took a lot of notes from this thread: https://www.snbforums.com/threads/expressvpn-merlin-384-15.61656/#post-548393 -- because I was experiencing many of the same issues mentioned here with ExpressVPN... many of these settings in the config along with some of the GUI configuration options helped resolve my issues, and it has been rock solid ever since.
Glad they are beneficial for your setup. I started off using additional settings but seeing no benefits just use the default OVPN files provided and have no issues with stability and my speeds are nearly line speeds.
 

john9527

Part of the Furniture
Hmm interesting. I know @john9527 mentioned it was limited to 4096, but I can't fit more than 510 and your revised list is 482. 4096 bits maybe??
Hmmm....based on your observation I went in and took another look.....and got a headache :)
It's declared as 4096 chars in defaults....then in the gui it allows 2047 for the input field.....then it looks like it's base64 encoded and broken into 3 x 255 byte chunks.....then the 255 byte chunks are put back together, and base64 decoded with a limit of 510 chars.....why, I have no idea.....maybe I'll learn something
 

RMerlin

Asuswrt-Merlin dev
.why, I have no idea.....maybe I'll learn something
- Asus's nvram backup/restore uses a salt value that can be between 0 and 31 (or 0 and 16, I forgot). The thing is, CR and LF chars are within that salt value, meaning if you backup then restore your settings, there is a high risk that custom settings will be truncated after the first line. Same reason why I had to replace CRLN with > in the SSH key value. Base64 encoding allows me to resolve that issue.

- On HND, any new variable will be limited to a maximum of 255 chars, because that is the value BCM/Asus chose as default. So if you create a new nvram and try to store 512 bytes, nvram_set() and httpd's nvram validation will reject it as part of their buffer overrun protection. So to work around that, I had to chop it into separate nvram settings, that I concatenate (and base64decode) when accessing it.

The validation code is closed source, meaning any change to shared/defaults.c will be ignored, only the variables defined (and their length) present when Asus compiled that code will be used.
 

Viktor Jaep

Regular Contributor
So due to the lack of documentation or good examples out there, I was wondering if someone could please tell me if this would work? Or should I be doing something else? Looking for your advice! ;)

Code:
#!/bin/sh
#Location: /jffs/scripts/openvpnclient1.postconf
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "fast-io" $CONFIG
pc_append "server-poll-timeout 10" $CONFIG
pc_append "remote usa-newyork-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-sanfrancisco-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-chicago-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-washingtondc-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-dallas-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-miami-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-3-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-newjersey-1-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-newjersey-3-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-seattle-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-miami-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-denver-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-saltlakecity-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-tampa-1-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-1-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote us-new-york-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-dallas-2-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-atlanta-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote usa-losangeles5-ca-version-2.expressnetw.com 1195" $CONFIG
pc_append "remote-random" $CONFIG
pc_append "pull" $CONFIG
pc_append "tls-client" $CONFIG
pc_append "verify-x509-name Server name-prefix" $CONFIG
pc_append "remote-cert-tls server" $CONFIG
pc_append "route-method exe" $CONFIG
pc_append "route-delay 2" $CONFIG
pc_append "tun-mtu 1500" $CONFIG
pc_append "fragment 1300" $CONFIG
pc_append "mssfix 1450" $CONFIG
pc_append "sndbuf 524288" $CONFIG
pc_append "rcvbuf 524288" $CONFIG
pc_append "comp-lzo no" $CONFIG
pc_append "push "comp-lzo no"" $CONFIG
pc_append "auth-nocache" $CONFIG
Couple of items that I need some help/clarification with:

1.) How do you handle quotes within quotes? For instance, the item: push "comp-lzo no" -- already is in quotes. Would you do: pc_append "push 'comp-lzo no'"?

2.) Is there an exit statement? I noticed some people put "exit" at the end... others did "EOF"... others have nothing. What's the proper way to close this?

3.) Is there any code you can put in here that says "on error, exit gracefully?", or does that not exist? In some VBA code I used to write, you would start out the routine with calling an exit routine upon error... but I'm not sure how it compares.

Thanks in advance for your advice!
 

Maverickcdn

Senior Member
So due to the lack of documentation or good examples out there
There's stuff out there but when you dive this deep it really boils down to reading all you can and experimenting to learn as you go as it were. 8/10 times you can web search your issue with the words linux or snb merlin and get a top page result that either is the answer or will help guide you to the correct one.

1.) How do you handle quotes within quotes? For instance, the item: push "comp-lzo no" -- already is in quotes. Would you do: pc_append "push 'comp-lzo no'"?
Trial and error... ha no seriously, in this case you need to escape them with \ so that they appear as " in the config, so....
Code:
pc_append "push \"comp-lzo no\"" $CONFIG
Is this not for OpenVPN clients running on Windows... not a router ??
Code:
pc_append "route-method exe" $CONFIG
2.) What's the proper way to close this?
Personally I leave mine with nothing

3.) Is there any code you can put in here that says "on error, exit gracefully?", or does that not exist? In some VBA code I used to write, you would start out the routine with calling an exit routine upon error... but I'm not sure how it compares.
Sure, lots, lol

But any fail to start will be listed in the router log, and if the client starts successfully you can use...
Code:
cat /tmp/etc/openvpn/client1/config.ovpn
(I think that'll work at least) to read the config file and confirm everything you added is there

Good luck my friend
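
A postconf script along the lines discussed above, as an added example that is not from the firmware or from any poster: the directives sit in a quoted here-document, so inner double quotes need no escaping, and the script has no waits or loops that could leave the firmware blocked. The fallback `pc_append`, the names `append_directives` and `run_postconf`, and the `/tmp` default path are assumptions so it can be tried off-router.

```shell
#!/bin/sh
# Added illustration of /jffs/scripts/openvpnclient1.postconf; not project code.
# The firmware passes the path of the generated config as $1.
CONFIG="${1:-/tmp/example-client1.ovpn}"   # fallback path: assumption for off-router runs

if [ -r /usr/sbin/helper.sh ]; then
    . /usr/sbin/helper.sh                  # provides pc_append on the router
else
    # Stand-in with the same calling convention (text, file); assumption.
    pc_append() { printf '%s\n' "$1" >> "$2"; }
fi

# Append every directive read from stdin to the file in $1.
# Prints the number of lines appended; returns 1 on the first failed write.
append_directives() {
    count=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;           # skip blank lines and comments
        esac
        pc_append "$line" "$1" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Quoted delimiter ('EOF'): the shell expands nothing inside, so
# push "comp-lzo no" reaches the config with its quotes intact.
run_postconf() {
    append_directives "$1" <<'EOF'
remote usa-newyork-ca-version-2.expressnetw.com 1195
remote usa-dallas-ca-version-2.expressnetw.com 1195
remote-random
remote-cert-tls server
#keysize 256
push "comp-lzo no"
auth-nocache
EOF
}

# A failed write is reported and the script still ends right after this line.
run_postconf "$CONFIG" >/dev/null || echo "postconf: could not append to $CONFIG" >&2
```
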
 

rumanzo

Occasional Visitor
I wanted to create a topic with a similar title and description, but found this topic. I changed routers from the RT AC-56U (with firmware from RT AC-68U) to the RT AX-88U. On the AC-56U I could write the full custom configuration; on the AX-88U I cannot. It is curious that this is the same firmware version 384.19. I see the code (and maxlength is true). Why so small?

HTML:
<textarea rows="8" class="textarea_ssh_table" spellcheck="false" style="width:99%;" id="vpn_client_custom_x" cols="55" maxlength="510"></textarea>
Also I read @RMerlin message, but I did not understand why there are differences on the same firmware version.
And it is unclear whether it is possible to get around all this without custom scripts.
 

Viktor Jaep

Regular Contributor
And it is unclear whether it is possible to get around all this without custom scripts.
I'm definitely no expert, and didn't quite understand what @RMerlin clarified, but I believe it's more of a physical NVRAM limitation that is present on the AC86U, but not, on let's say my older AC3100... because I was running the same firmware on both hardware platforms. But huge thanks to @Maverickcdn for helping me out, I was able to get around this limitation using the config file. So right now, my VPN custom configuration window is completely blank, and basically just dumped its contents (with a few small edits) into the openvpnclient1.postconf to get it working. Well, it works perfectly. (Thanks again @Maverickcdn ) :)
 

Maverickcdn

Senior Member
Also I read @RMerlin message, but I did not understand why there are differences on the same firmware version.
And it is unclear whether it is possible to get around all this without custom scripts.

.
- On HND, any new variable will be limited to a maximum of 255 chars, because that is the value BCM/Asus chose as default. So if you create a new nvram and try to store 512 bytes, nvram_set() and httpd's nvram validation will reject it as part of their buffer overrun protection. So to work around that, I had to chop it into separate nvram settings, that I concatenate (and base64decode) when accessing it.
AC-56U non-hnd platform.... AX88U hnd platform. It's model specific, not FW ver.

It's a Broadcom/Asus limitation, nothing RMerlin can do, but he's already given us the ability to add custom scripts to get around this like @Viktor Jaep used, which is what you will have to use if you need to input more than 510 characters in the custom config box in the GUI. Otherwise reduce the number of custom options to less than 510 characters and keep using the GUI custom entry field.
 

rumanzo

Occasional Visitor
AC-56U non-hnd platform.... AX88U hnd platform. It's model specific, not FW ver.

It's a Broadcom/Asus limitation, nothing RMerlin can do, but he's already given us the ability to add custom scripts to get around this like @Viktor Jaep used, which is what you will have to use if you need to input more than 510 characters in the custom config box in the GUI. Otherwise reduce the number of custom options to less than 510 characters and keep using the GUI custom entry field.
Thank you! All clear
 

rumanzo

Occasional Visitor
- On HND, any new variable will be limited to a maximum of 255 chars, because that is the value BCM/Asus chose as default. So if you create a new nvram and try to store 512 bytes, nvram_set() and httpd's nvram validation will reject it as part of their buffer overrun protection. So to work around that, I had to chop it into separate nvram settings, that I concatenate (and base64decode) when accessing it.
It is possible to do several parts for custom access, and concatenate after (custom_field1, custom_field2, custom_fieldN, may be +- buttons)? And if the max length of a variable (as far as I understand, the content of the field with custom configuration goes to a specific variable in nvram) is 255 chars, why is the length limit of the custom configuration field 510, it must be rejected? If you work around it by chopping it into separate nvram settings, why so small?
And what magic actually works when we use the custom field, message encodes to base64 => split to 255 chars => written in 3 nvram variables?

What part of the code is responsible for this, where to look (in the project's git repository)?
 

RMerlin

Asuswrt-Merlin dev
It is possible to do several parts for custom access, and concatenate after (custom_field1, custom_field2, custom_fieldN, may be +- buttons)?
I already am doing this, since each nvram setting is limited to 255 bytes, and there is a 30%-ish overhead required for the base64 encoding. Since nvram is a limited resource (even undefined nvram values take up space), I settled on a reasonable number of them. Only very unusual cases would require more than that, in which cases an openvpn postconf script is the way to go to add more content.
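
The storage scheme described in this thread, as an added example that is not firmware code or any poster's code: it base64-encodes a custom config, cuts it into 255-character pieces, and checks the result against the three pieces and the 510-character GUI limit mentioned above. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not Asuswrt-Merlin code. Numbers are the ones quoted
# in the thread: 255 chars per nvram variable, 3 variables, maxlength 510.
CHUNK_LEN=255
CHUNK_COUNT=3
GUI_LIMIT=510

# Base64-encode stdin as a single line, so no CR/LF remains in the stored value.
b64_encode() { base64 | tr -d '\n'; }

# Print how many 255-char chunks the encoded form of $1 occupies.
# Base64 turns every 3 bytes into 4 characters, hence the overhead.
chunks_needed() {
    enc_len=$(printf '%s' "$1" | b64_encode | wc -c | tr -d ' ')
    echo $(( (enc_len + CHUNK_LEN - 1) / CHUNK_LEN ))
}

# Return 0 if $1 fits both the GUI field and the chunked storage.
fits_gui_box() {
    [ "${#1}" -le "$GUI_LIMIT" ] && [ "$(chunks_needed "$1")" -le "$CHUNK_COUNT" ]
}

# Encode, split into chunks, concatenate, decode: the round trip described above.
roundtrip() {
    enc=$(printf '%s' "$1" | b64_encode)
    joined=""
    while [ -n "$enc" ]; do
        chunk=$(printf '%s' "$enc" | cut -c1-"$CHUNK_LEN")
        joined="$joined$chunk"
        enc=$(printf '%s' "$enc" | cut -c$((CHUNK_LEN + 1))-)
    done
    printf '%s' "$joined" | base64 -d
}

# Constructed sample: multi-line, with embedded double quotes.
SAMPLE='remote-random
push "comp-lzo no"
auth-nocache'

echo "sample: ${#SAMPLE} chars, $(chunks_needed "$SAMPLE") chunk(s)"
```

Three 255-character chunks hold 764 usable base64 characters, which is 573 bytes of plain text, so the 510-character GUI limit sits inside what the storage can carry.
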
 

rumanzo

Occasional Visitor
I already am doing this, since each nvram setting is limited to 255 bytes, and there is a 30%-ish overhead required for the base64 encoding. Since nvram is a limited resource (even undefined nvram values take up space), I settled on a reasonable number of them. Only very unusual cases would require more than that, in which cases an openvpn postconf script is the way to go to add more content.
Thank you for answer
 
