best build for none WiFi wrt3200acm w OpenVPN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Author Message
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 321

PostPosted: Thu Aug 08, 2019 6:10    Post subject: best build for none WiFi wrt3200acm w OpenVPN Reply with quote
Am looking at updating my wrt3200's and wrt1200v2. Am currently running builds r-36995 and r-35531.
Having the latest or near latest versions of OpenVPN & OpenSSL are very important.

WiFi is NOT used with my wrt routers at all. Basically they are there for their clock speed, thru put, and security.

I am guessing that most of the newer builds focus on features and things that I don't need.
I spent a lot of time in the forum a few years ago when I was putting this router stack version together.
But haven't been here much since then. So am kind of out of touch.

Suggestions will be appreciated.

I will likely be posting some additional questions later.
Am also looking to be able to either bypass or turn off the RTR VPN or selectively go thru the WAN
instead of thru rtr based VPN; setting up a heavy duty firewall,
(my PC firewall handles a block list of ~250k IP addresses.
But can't expect the router to be able to do that.)

Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
Sponsor
illuminati_tri
DD-WRT Novice


Joined: 15 Jul 2019
Posts: 41
Location: Texas

PostPosted: Thu Aug 08, 2019 13:39    Post subject: Reply with quote
I can't really answer specifically for what you're wanting since I don't have personal experience with it, but this is what I've gathered/experienced from the builds recently. Maybe someone else will have some more insight, though.

r40527 (08/04/2019) is the first recent build for me where SFE will work with PBR enabled (PBR enables you to let certain IPs bypass the VPN, for example, which sounds like what you might want). For me, it has been completely stable using SFE, PBR, QoS, VAPs, and a USB NAS via Samba.

r40134 (06/27/2019) I would say is the most recent build that is considered almost completely stable. Note that SFE will not work if you use PBR on this build.

r40009 (06/11/2019) is the fallback for people who have an issue with r40134; slightly older, but not hugely. I had no problems using r40134 except SFE with PBR, but that's also an issue in r40009 as far as I'm aware.

Using the newest releases should give you the most up-to-date versions of everything. If you want to dig into the changes for each, you can check the "changelog" here:
https://svn.dd-wrt.com/timeline

Edit: You can also check the new build threads for each build to see if people had issues with it.
Edit2: Also for the 1200 router, note that you'll have to flash newer firmware to partition 1 due to size, there's a few threads on the forum about it already. 3200 doesn't have the issue because it has more storage.

_________________
Linksys WRT3200ACM r41586
- ExpressVPN | VAP & PBR | Synology NAS
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 321

PostPosted: Thu Aug 08, 2019 23:56    Post subject: Reply with quote
illuminati_tri,

Thanks for your reply. Do you just have r40527 currently installed? Or do you have another build in the 2nd partition?

Would you be willing to check for me what versions your builds have?

The only way I know of to check for the actual openVPN & openSSL is using the Command line in an installed build.

The CLI command to find the VPN & SSL versions is
openvpn --version

The first 2-3 lines in the result give the versions for both. But apply only to the active partition.

verify the active partition # with
ubootenv get boot_part

Then change partition to get the VPN & SSL version for that build.

ubootenv set boot_part # (1 or 2)

return to the partition that you want to be using. And reboot before doing anything.

thanks,
Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
illuminati_tri
DD-WRT Novice


Joined: 15 Jul 2019
Posts: 41
Location: Texas

PostPosted: Fri Aug 09, 2019 2:37    Post subject: Reply with quote
Sam1789 wrote:
illuminati_tri,
Thanks for your reply. Do you just have r40527 currently installed? Or do you have another build in the 2nd partition?

Would you be willing to check for me what versions your builds have?
Sam


Sure, no problem. I only have 40527 installed right now, I've kept partition 1 with stock firmware.

OpenVPN: 2.4.7
OpenSSL: 1.1.1c 28 May 2019

Here's the exact output:
OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 4 2019 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.09

_________________
Linksys WRT3200ACM r41586
- ExpressVPN | VAP & PBR | Synology NAS
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 321

PostPosted: Fri Aug 09, 2019 5:42    Post subject: Reply with quote
illuminati_tri,

Thank you for getting that. It's exactly the info I was looking for. And that would seem to point me
to that latest build r40527. Both the vpn & SSL look significantly newer.

Should I expect any issues with other features or build size. I'll be using router based OpenVPN client,
PBR, a modest firewall, and maybe a wan-vpn bypass for selected IP's and selected programs.
Not too heavy, but speed and security are paramount.

And I can put it in the 1st partition on the 1200v2. Is this build's size likely to be a problem for the 1200v2?

Thanks again.
Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
illuminati_tri
DD-WRT Novice


Joined: 15 Jul 2019
Posts: 41
Location: Texas

PostPosted: Fri Aug 09, 2019 13:11    Post subject: Reply with quote
Sam1789 wrote:
illuminati_tri,
Should I expect any issues with other features or build size. I'll be using router based OpenVPN client,
PBR, a modest firewall, and maybe a wan-vpn bypass for selected IP's and selected programs.
Not too heavy, but speed and security are paramount.

And I can put it in the 1st partition on the 1200v2. Is this build's size likely to be a problem for the 1200v2?
Sam


No problem, glad I could help!

This is the new build thread for it: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320734

One bug is you have to press Apply Settings twice to get OpenVPN client to start. Otherwise, I've experienced no issues, but I don't use a firewall on my router, so I'm not sure how that'll work firsthand. A nice thing with 40527 is that SFE will work if you're using PBR, so you should get better throughput. 1200v2 will need it to be flashed into partition 1, as long as you do that the build size should be fine. However, if for some reason 40527 isn't working how you need, I'd try 40134 or 40009. They are slightly older, but only a month or so, so I doubt their versions are very different. I also don't think those two have the issue with build size, but check the build threads.

Edit: Sorry I can't be of more help, if anyone with more knowledge wants to share input, please do! I'm just getting started digging into networking.

_________________
Linksys WRT3200ACM r41586
- ExpressVPN | VAP & PBR | Synology NAS
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 743
Location: Appalachian mountains, USA

PostPosted: Fri Aug 09, 2019 15:17    Post subject: Reply with quote
Just to confirm (on a WRT1900ACSv2) that I have 40009 in partition 2, so no build-size issue. New-build threads assert that 40134 is the last (solid) build that fits in either partition on the older WRTs.
_________________
Six Linksys WRT1900ACSv2 (40009/41954/42926):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 321

PostPosted: Fri Aug 09, 2019 17:02    Post subject: Reply with quote
SurprisedItWorks,

Thanks for your reply. Curious that BrainSlayer is letting this happen?

For me at least, all I want is security, reliability and thru put speed. Except for an easy way to occasionally
bypass the VPN on the fly, I can't think of any "new features" I'd care about.

But we definitely do need to be able to update both old and new routers. And it "helps" if they fit into the router.

Grumble.

Also would you be willing to check the versions of the OpenVPN and Open SSL in the r40009 version that your running?

Just enter "openvpn -- version" and hit "run" on the Command Line Interface under "Administration tab"

Thanks,
Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 743
Location: Appalachian mountains, USA

PostPosted: Fri Aug 09, 2019 19:26    Post subject: Reply with quote
Sam1789 wrote:
SurprisedItWorks,

Thanks for your reply. Curious that BrainSlayer is letting this happen?

For me at least, all I want is security, reliability and thru put speed. Except for an easy way to occasionally
bypass the VPN on the fly, I can't think of any "new features" I'd care about.

But we definitely do need to be able to update both old and new routers. And it "helps" if they fit into the router.

Grumble.

I felt the same way until someone pointed out that the size problem is largely due to a kernel upgrade rather than to new features. I gather that BS has been working to squeeze the code downward in size where feasible.
Quote:
Also would you be willing to check the versions of the OpenVPN and Open SSL in the r40009 version that your running?

Just enter "openvpn -- version"

# openvpn --version
OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 11 2019
library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.09

_________________
Six Linksys WRT1900ACSv2 (40009/41954/42926):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 5705
Location: Texas, USA

PostPosted: Fri Aug 09, 2019 19:52    Post subject: Reply with quote
Not surprised in regards to the kernels. Android --current is developing the 4.10, but most devices on the market are still running patched 3.18 kernels, last I knew. There is probably kernel functionality being added that is not a necessity, perhaps, but I digress.
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 321

PostPosted: Fri Aug 09, 2019 20:55    Post subject: Reply with quote
SurprisedItWorks,

Thanks for getting that. So r40009 is oVPN 2.4.7 & oSSL 1.1.1b
It shows that the r40009 build is 2 fixes back from the most current OpenSSL. Sad
Being 1 level back from the latest today would be understandable given its build date.
But not being 2 levels back.
The most current OpenSSL fix is 2019-07-20 and is in versions 1.1.1d, 1.1.0.L, & 1.0.2t.

While the site says the July 20th fix was not a major vulnerability, none-the-less seems
most definitely better to have the latest available when the build was created.
Which for r40009 would have been from 2019-05-20 1.1.1c; 1.1.0k; 1.0.2s

I've seen these included versions lag behind before.
But BS would sometimes catch up after people complained.

Wouldn't it be easier if the versions were was announced when the build is released.
Or if BS made the "as downloaded" builds so we could probe them and find out
these included versions before we wasted the installation time?

Grumble
Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 743
Location: Appalachian mountains, USA

PostPosted: Fri Aug 09, 2019 22:18    Post subject: Reply with quote
Sam1789 wrote:
...shows that the r40009 build is 2 fixes back from the most current OpenSSL.

Enlightening. Thanks, Sam.

I know you are asking around re other releases. Could you perhaps post here whether 40134 is any more recent SSLwise? I'd like to know whether it's worth moving on to that one. (Going beyond 40134 means facing the build-size issue.)

_________________
Six Linksys WRT1900ACSv2 (40009/41954/42926):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 321

PostPosted: Sat Aug 10, 2019 2:13    Post subject: Reply with quote
SurprisedItWorks,

Strangely, I have not gotten anything on the actual versions in build 40134 ... Wish I had.

But since 40527 does not even have the latest at the time of it's build,
the odds are against 40134 having oSSL different from 40009.
The newest oSSL available at its build date would been 1.1.1c; 1.1.0k; 1.0.2s = release date 2019-05-20.

hth. This seems to be a real mess. And doesn't speak all that well for our dd-wrt developer's focus.
Like others are also saying BS needs to focus on the really important things and not on fancying things up.
Shocked

If anyone has an installation of 40134, please run the CLI command on it & post your results.

Took a bit to reply because my ISP connection went bonkers.
It's called Comcast "ripples" which interrupt the signal to the modem.
It's been happening a lot this summer.
They know about it. But have not been able to fix it, apparently.
Maybe time to drop CC & go over to FIOS? Evil or Very Mad

Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum