-
Notifications
You must be signed in to change notification settings - Fork 647
/
Changelog-NG.txt
2106 lines (1922 loc) · 99.6 KB
/
Changelog-NG.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Asuswrt-Merlin Changelog
========================
3004.388.7 (26-Apr-2024)
- NOTE: RT-AX56U is exceptionally included in this release.
- NEW: IGD2 support for UPNP/PCP. This will allow IPv6 pinhole
support for clients. It must be enabled on the WAN
page. Existing pinholes will be listed on the
System Log -> IPV6 page.
Note that IGDv2 has compatibility issues with various
clients that do not properly follow the standard.
- UPDATED: Openvpn to 2.6.10.
- UPDATED: TOR to 0.4.8.10.
- UPDATED: wsdd2 to 2023-12-21 snapshot.
- UPDATED: miniupnpd to 2.3.6.
- UPDATED: wireguard kernel to v1.0.20220627.
- UPDATED: wireguard tools to 2023-08-04 snapshot.
- UPDATED: dropbear to 2024.84.
- UPDATED: strongswan to 5.9.13 (fixes CVE-2023-41913)
- CHANGED: Hardcoded location of the CA bundle in inadyn, so it
no longer needs to be manually defined in custom
configurations.
- CHANGED: Re-designed Tools->Sysinfo page, adding graphs
and removing useless content.
- CHANGED: Updated free memory report on networkmap to also
consider reclaimable memory as being free (kjbracey)
- CHANGED: "Prevent client auto DoH" will also prevent the use of
Apple's iCloud Private Relay.
- CHANGED: NAT Passthrough page - removed the "Enabled + NAT
Helper" option as the firewall no longer blocks
traffic when set to disabled. This is back to the
former behaviour, where this setting only controls
whether or not to load the NAT helper. You might
need to readjust that setting if you had previously
changed it.
- CHANGED: SIP, RTSP and H323 ALG (NAT helpers) are now
disabled by default, as these legacy features tend
to create issues with modern VoIP setups.
This change will only apply to people doing a
factory default reset of their router.
- FIXED: Concurrent cronjob changes through cru could cause
collisions, leading to missing jobs (dave14305)
- FIXED: crond would not use the new timezone if it got changed.
- FIXED: MiniDLNA web interface could only be accessed through an
IP address (regression in 3004.388.6).
- FIXED: CVE-2023-5678 & CVE-2024-0727 in openssl (backport from
Ubuntu by RSDNTWK)
- FIXED: Long lists on System Log -> Connections tab could result
in a timeout (Sani Huttunen)
- REMOVED: Temperature page (charts are now part of the redesigned
Tools->Sysinfo page).
3004.388.6_2 (26-Feb-2024)
- UPDATED: dnsmasq to 2.90 (resolves CVE 2023-50868 and CVE 2023-50387).
- FIXED: LACP support was missing on the XT12.
3004.388.6 (20-Jan-2024)
- NOTE: Since Asus provided GPL code for the RT-AX56U, this model
will exceptionally be included with this release, despite
still being considered being end-of-life.
- NOTE: Asus reworked the way SSL certificates are handled in
24353. The automatic conversion code does not always
work properly, you might need to force your router
to re-generate its SSL certificates by toggling the
SSL mode on the DDNS page.
- NEW: Added ethtool to the firmware.
- UPDATED: Merged GPL 388_24353.
- UPDATED: nano to 7.2.
- UPDATED: ncurses to 6.3.
- UPDATED: OUI database used by networkmap and the webui.
- FIXED: CVE-2023-48795 in dropbear.
- FIXED: e-Learning category not always properly identified
on the Classification/Stats page.
- FIXED: Incorrectly report 2.4 GHz as being disabled when
disabling 6 GHz on the GT-AXE16000.
- FIXED: UPNP leases without a description would not appear
on the Forwarded Ports page.
3004.388.5 (2-Dec-2023)
- UPDATED: OpenSSL to 1.1.1w.
- UPDATED: Curl to 8.4.0.
- UPDATED: OpenVPN to 2.6.8.
- CHANGED: Enable fast-io for OpenVPN clients and servers that
use UDP, which will speed up performance on some models.
- CHANGED: You can now directly enter an IPv6 address on the
Network Tools page as a target.
- CHANGED: Display tracked connections on the QoS/Classification
page even if QoS isn't set to Adaptive QoS.
- CHANGED: QOS/Classification page can now resolve local IPv6
addresses.
- CHANGED: Allow custom MTU for Wireguard clients (patch from
Asus).
- FIXED: CIDR-formatted addresses were rejected on the Network
Filter page. Implemented temporary workaround.
- FIXED: Various issues with the QOS Classification page.
- FIXED: Netfilter TEE kernel module is missing.
- FIXED: OpenVPN client state getting cleared when Wireless
was being restarted.
- FIXED: Networkmap wasn't recognizing the GT-AX11000_PRO as
having USB 3.0 ports
3004.388.4 (21-Aug-2023)
- NOTE: In preparation for the new 3.0.0.6 codebase, the version
string will now start with 3004 or 3006 to match with
upstream.
- NOTE: The RT-AX56U is no longer supported, as Asus has put it
on End-of-Life status, and the previous Asuswrt-Merlin
388 releases for that model were all based on untested
code.
- NEW: Display channel utilisation for supported platforms on the
Wireless Log page.
- UPDATED: Merged GPL 388_23588.
- UPDATED: curl to 8.1.2.
- UPDATED: OpenVPN to 2.6.5.
- UPDATED: openssl to 1.1.1u.
- UPDATED: tor to 0.4.7.13.
- CHANGED: FTP server will now only support strong ciphers
in TLS mode.
- FIXED: QOS Classification showing no Upload data on some
WAN configurations.
- FIXED: Radio temperature graphs weren't updating
- FIXED: XT12 proximity pairing wasn't working (missing
bluetooth firmware)
- REMOVED: Ethernet port status from the Tools Sysinfo page
(as this is redundant with Asus' own display
now available on the networkmap page).
388.2_4 (17-Aug-2023)
- NOTE: This release is only for the GT-AXE11000.
- UPDATED: Critical Wireless driver update, Asus strongly
recommends updating.
388.3 (9-June-2023)
- NOTE: This release is only available for the RT-AX88U_Pro.
- NEW: Merged with GPL 388_23110, adding support for a new
RT-AX88U PRO hardware revision.
388.2_2 (7-May-2023)
- UPDATED: Merged GPL 388_22668 for the XT12 (only)
- UPDATED: OpenVPN to 2.6.3.
- FIXED: QoS Status page wouldn't display Upload stats
if the WAN interface was set to a secondary
2.5G/10G port instead of the default WAN port.
- FIXED: dnsmasq may crash if no DNS server is configured
(fix backported from dnsmasq upstream)
- FIXED: Missing GPY211 driver for the XT12 and for certain
hardware revisions of other HND 5.04 models.
388.2 (12-Apr-2023)
- NOTE: This release is currently not available
for the XT12 due to issues with that model's GPL.
- NEW: Added support for the RT-AX88U Pro.
- NEW: Merged with GPL 388_22525.
- NEW: Added Site Survey page under Network Tools tab. This is
the same network scan that is available for pre-HND
models, with Wifi 6E support added.
- UPDATED: dnsmasq to 2.89.
- UPDATED: openvpn to 2.6.2. If your client fails to connect
then your custom settings must contain settings no
longer supported by OpenVPN 2.6. Review the System
Log, then remove unsupported settings that are
reported in your log.
- UPDATED: nettle to 3.8.1.
- UPDATED: inadyn to 2.10.0.
- UPDATED: dropbear to 2022.83.
- UPDATED: miniupnpd to 2.3.3.
- UPDATED: openssl to 1.1.1t.
- UPDATED: curl to 8.0.1.
- CHANGED: moved WiFi Radar to the Network Tools tab.
- CHANGED: Disabled auto logout on System Log and Wireless Log
pages.
- CHANGED: Reduced EDNS packet size from 1280 to 1232 bytes in
dnsmasq, to better work with some upstream servers
not fully supporting EDNS0.
- CHANGED: Allow empty fields on WireGuard Client page if the
client is disabled. This allow users to manually
clear settings when they are no longer using a client.
- FIXED: NTP redirection wouldn't work properly with Guest
Network, removed redirection for these.
- FIXED: Added missing Tools icon on ROG UI (icon contributed
by Cody).
- FIXED: DDNS was being refreshed every time IPv6 bound6() event
occured even if IPv6 DDNS update was disabled.
- FIXED: Wireless Log wouldn't properly show IPv6 address
for clients with multiple addresses.
- FIXED: ICMPv6 pings would be dropped when DoS protection
was enabled (regression in 388.1).
388.1 (3-Dec-2022)
- NOTE: This release is only available for AX models.
AC models will remain on the 386_xx release branch.
- NEW: Add RT-AX86U_PRO support.
- NEW: Merged with GPL 388_20566 (RT-AX88U and GT-AX11000)
- NEW: Merged with GPL 388_21224 (all other AX models)
- NEW: Experimental ROG UI version for GT models, as a separate
firmware image within the distribution archive, with
"_rog" in the filename.
- NEW: (Asus 388) WireGuard client and server. The server uses
the new 388 VPN server webui. Implemented a webui for
clients, based on the early development UI from Asus.
WG client routing is handled by VPN Director - you must
configure redirection rules through it, same as on stock
firmware which requires configuring rules through
VPN Fusion.
DNS handling will be identical to OpenVPN's Exclusive DNS
mode, forcing clients to use the DNS provided by it
(if any is provided).
Note that enabling WireGuard will disable hardware
NAT acceleration due to compatibility reasons.
- NEW: httpd support for EC certificates (Ivan Kruglov)
- UPDATED: getdns/stubby to 1.7.2/0.4.2.
- UPDATED: zlib to 1.2.12 + backports.
- UPDATED: openssl to 1.1.1s.
- CHANGED: Rebranded DNSFilter as DNS Director. This will prevent
confusion with the company sharing the same name, and
also better describes what the feature does.
- CHANGED: Setting an OpenVPN client to redirect all traffic while
in "Exclusive" DNS mode will now force redirect ALL
DNS traffic just like in VPN Director mode.
While this will allow redirecting clients with
hardcoded DNS servers, it also means that your whole
LAN will lose the ability of doing local name
resolution. It might be best to use VPN Director
in that case to control which client should
be involved in the DNS redirection, or use
DNS Director instead of Exclusive DNS mode.
- CHANGED: (Asus 388) nvram storage increased to 192 KB on newer
HND 5.04 devices like the GT-AXE16000.
- CHANGED: Reworked VPN Status page to only show currently
active services.
- CHANGED: Reworked VPN Director page design, added buttons to
access a client's settings page, and allow leaving
both source and destination IPs empty (for "all").
- CHANGED: Optimized VPN Director WAN and DNS rule creation, so
they no longer get re-created multiple times when
editing VPNDirector rules.
- CHANGED: Switched generated self-signed certificate to an
EC certificate.
- CHANGED: Disabled DSS key support in Dropbear SSH.
- FIXED: Wrong temperatures used by the temperature graphs
(386.8 regression)
- FIXED: CVE-2022-37434 in zlib.
- FIXED: GT-AXE16000 random reboots when using an OpenVPN
client with VPN Director and Adaptive QoS.
- FIXED: Clients connected to Guest Network 1 aren't
redirected if NTP interception is enabled.
- FIXED: Name was truncated to 31 chars when enabling OpenVPN client's
Server Certificate Name Validation.
- REMOVED: Interface selector on Speedtest page (no longer
working, possibly due to an ookla client update)
- REMOVED: NAT Type setting on HND 5.04 devices (fullcone is
not supported by kernel 4.19, so it wasn't working)
386.8 (13-Aug-2022)
- NOTE: This release is only available for the RT-AX88U as
well as the two new models listed below.
- NEW: Added support for the GT-AXE16000.
- NEW: Added support for the GT-AX11000_Pro.
- NEW: Added support for new RT-AX88U hardware revision.
- UPDATED: Merged with GPL 386_49634.
- CHANGED: Re-enabled IPv6 DDNS support.
- CHANGED: Once again block router DNS access over IPv6 when
using DNSFilter on a pre-HND model (reverted back
to 386.7 behaviour for that scenario)
- FIXED: inaccurate nvram usage on Sysinfo page for some HND
models. Now accurately report kernel nvram usage.
- FIXED: WiFi Radar page alignment.
- FIXED: AiMesh node new firmware popup would use the device model
(like RT-AC66U_B1) rather than the product id (like
RT-AC68U) for the generated download URL.
- FIXED: OVPN client with DNS set to strict had lower priority
than DNSPrivacy servers.
- FIXED: IPv6 DNS may be missing if DNSPrivacy is enabled.
- FIXED: Wifi Radar pages missing on XT12.
- FIXED: QRcode failing to generate if the SSID contained unicode
characters (like emojis or other UTF8 entities)
386.7_2 (24-July-2022)
- UPDATED: openssl to 1.1.1q.
- UPDATED: RT-AX86U driver + SDK updated to latest upstream version
- UPDATED: RT-AX88U and GT-AX11000 radio firmware downgraded to the
previous version.
- FIXED: Some ISPs would fail to allocate a proper IPv6 prefix (tvlz)
- FIXED: Packet checksum errors logged when using DNSFilter in Router
mode. Router mode will no longer use DNAT, except for newer
HND 5.04 models like the GT-AX6000 or XT12, which work
properly. Non-Router mode on HND will still use
the new DNAT support added in 386.7.
- FIXED: Some SSH clients would end up with an incorrect PATH
value for the default search path.
- FIXED: OpenVPN clients wouldn't get updated routing tables
if an OpenVPN server was stopped/started while an
OpenVPN client was connected
386.7 (22-June-2022)
- NEW: IPV6 support for DNSFilter for HND router models.
Custom settings can also let you specify IPv6 servers.
These (as well as providers that support IPv6) will
now also get intercepted and redirected like the IPv4
DNS servers are.
- UPDATED: Merged with 386_49335 GPL for the RT-AC5300.
- UPDATED: Merged with 386_48966 GPL for all other models.
- UPDATED: openssl to 1.1.1o.
- UPDATED: haveged to 1.9.18.
- UPDATED: openvpn to 2.5.7.
- UPDATED: tor to 0.4.7.8.
- CHANGED: dhcpc-event now has a second parameter that will
contain "4" or "6" depending on the IP protocol of
the event (dave14305)
- FIXED: JFFS backup/restore functions not working on XT12
and GT-AX6000.
- FIXED: CVE-2022-0934 in dnsmasq (backport)
- FIXED: CVE-2022-26376 (reported by Cisco Talos, fixed by Asus)
- FIXED: DNSFilter client list was limited to around 10 clients
on some models.
- FIXED: AuraRGB could be re-enabled on reboot if it was
previously disabled.
- FIXED: Wifi LEDs wouldn't turn back on when re-enabling
LEDs on the RT-AX86S.
386.6 (20-Apr-2022)
- NOTE: This release is only available on the GT-AX6000
and XT12.
- NEW: Added support for the GT-AX6000.
- NEW: Added support for the ZenWifi Pro XT12.
- NEW: Added Cloudflare and AdGuard to DNSFilter services.
- NEW: Added option to enable/disable IPv6 support to OpenVPN
server. This is disabled by default.
- NEW: Added NAT support for OpenVPN server in IPv6 mode.
This allows to redirect IPv6 Internet traffic
through your OpenVPN server.
- UPDATED: Merged with GPL 386_47885.
- UPDATED: wget to 1.21.3.
- UPDATED: dropbear to 2022.82.
- CHANGED: Reworked DNSFilter page design.
- CHANGED: Allow requesting bigger IPv6 subnets from
your ISP (Tvlz)
- CHANGED: Allow hostuniq PPPoE value of up to 256
characters long.
- FIXED: Traditional QoS download traffic limited by
upstream bandwidth (dave14305)
386.5_2 (25-March-2022)
- UPDATED: openssl to 1.1.1n.
- UPDATED: openvpn to 2.5.6.
- CHANGED: Added Wireguard module + userspace tool to
GT-AXE11000.
- FIXED: Only a few DNSFilter clients are supported
on HND models (entries limited to 255 chars).
- FIXED: Security issue in AiCloud (backport from Asus)
- FIXED: Cannot enable Adaptive QoS under certain scenarios
on pre-HND router models.
386.5 (2-March-2022)
- NEW: Added support for the RT-AC68U V4. All
RT-AC68U models are using a combined
firmware file (like stock firmware),
with both firmwares within the same file.
- NEW: Added support for the GT-AXE11000.
- NEW: Added config option for the Boost key on
GT models. The option can be found on the
Administration -> System page.
- NEW: Basic IPv6 support for TQoS (Kevin Bracey)
- UPDATED: Merged with GPL 386_46065.
- UPDATED: Reverted dnsmasq from 2.86 to 2.85.
- UPDATED: miniupnpd to 2.3.0.
- UPDATED: avahi to 0.8 + a few backports.
- CHANGED: Improved accuracy of overhead parameters
in Traditional QoS (Kevin Bracey)
- CHANGED: Report download stats for TQoS (Kevin Bracey)
- CHANGED: Report DFS scanning state for both 5 GHz bands
if appropriate on tri-band models
- CHANGED: Enabled pass_persist support in net-snmp.
- FIXED: Various TQoS issues (Kevin Bracey)
- FIXED: enabling/disabling 802.11b rates wouldn't get saved
to nvram.
- FIXED: netatalk failing to load extensions.
- FIXED: Large swapfiles reported the incorrect size on
the Tools page (Kevin Bracey)
- FIXED: User accounts would not show as connected on
the OpenVPN server username list if a remote
client connected over IPv6.
- FIXED: Earlier syslog content was missing on RT-AX86U
and RT-AX68U after a reboot.
- FIXED: WAN monitoring could fail if using IPv6 and
DNS Rebind protection was enabled.
- FIXED: RT-AX86U syslog could be truncated after a reboot.
- FIXED: Toggling FTP WAN access without applying settings
wouldn't reconfigure the FTP server properly.
- FIXED: Non-functionning TrendMicro features on the
RT-AX68U and RT-AX86U (reverted kernel components
to the previous version).
386.4 (1-Jan-2022)
- NEW: Added support for the RT-AX86S (uses the same firmware
as the RT-AX86U).
- NEW: Added wireguard kernel module + userspace tool to
HND models firmware images.
- NEW: IPv6 support for OpenVPN server. Allows to remotely
connect to your router's OpenVPN server over IPv6, and
reach LAN clients over their IPv6 (redirecting IPv6
Internet traffic does not work).
- UPDATED: Merged with GPL 386_45958 + a few newer patches
from Asus.
- UPDATED: curl to 7.79.1.
- UPDATED: vsftpd to 3.0.5.
- UPDATED: openssl to 1.1.1m.
- UPDATED: wget to 1.21.1.
- UPDATED: nettle to 3.7.3.
- UPDATED: dnsmasq to 2.86.
- UPDATED: openvpn to 2.5.5.
- UPDATED: tor to 0.4.5.11.
- UPDATED: miniupnpd to 2.2.3-git 20211017.
- UPDATED: inadyn to 2.9.1.
- UPDATED: CA bundle to 2021-12-13.
- UPDATED: amtm to 3.2.2 (thelonelycoder)
- CHANGED: replaced jitterentropy-rngd with haveged.
It uses more resources, but it works
properly on older platforms, and is
generally less CPU intensive in regular
use. This is implemented for all router
models.
- CHANGED: Switched dnsmasq crypto backend to nettle.
- CHANGED: Switched to Asus's own dhcp hostname support.
Existing dhcp_hostnames entries will be
converted on first boot.
- CHANGED: miniupnpd will now be supplied the public WAN
IP to improve compatibility with dual NAT
setups.
- CHANGED: Disabling Auto DoH will now also disable
Windows' new Discovery of Designated
Resolvers (DDR) feature.
- FIXED: Wrong interface might be used for the default
gateway in an openvpn client routing table.
- FIXED: Generated OpenVPN certs used SHA1 signatures
instead of SHA256 (regression from 386.1)
- FIXED: Various issues with protocol handling when
importing an ovpn client file.
- FIXED: IPv6 not working while in Dual WAN mode.
- FIXED: Failed OpenVPN client connections might sometime
be stuck with a "Connecting" state.
- FIXED: NTP sometimes failing to update at boot time
when using IPv6.
- FIXED: Changes done by firewall-start may be lost after
ddns service gets stopped when using tunnelbroker
386.3_2 (6-Aug-2021)
- NOTE: closed down the Issue tracker on Github, as 90%
of it was people asking for technical support,
or failing to use the supplied submission form.
- CHANGED: Re-disabled jitterentropy-rngd on non-HND
models. It kept using CPU time every two
seconds and had a very marginal impact on
the entropy pool (which it never could push
above the target threshold of 1024).
- CHANGED: Moved the "Redirect Internet traffic" setting on
the OpenVPN Client page to the Network Settings
section to increase its visibility, as too many
users are forgetting to configure it.
- CHANGED: Display "Internet traffic not redirected" instead
of "Public IP Unknown" on the OpenVPN Client
status display when Redirect Internet traffic
is set to "No".
- FIXED: Only the first OpenVPN client would be used if
you had multiple clients connected and the first
one had a Redirect Internet set to "No". Now,
setting this to "No" means that client's routing
table will no longer get a default gateway
configured, allowing traffic to be processed
by other RPDB tables if there wasn't a matching
route within that client's table.
- FIXED: IPV6-compatible DNSFilter servers weren't
properly configured in dnsmasq.
- FIXED: DNSFilter client rules may get corrupted after a
reboot.
386.3 (23-July-2021)
- NOTE: First time you boot into this version, you need to
either shift-reload the main index page, or clear
your browser cache.
- NEW: Introducing VPN Director, which replaces the original
policy routing management interface for OpenVPN clients.
A bit similar to Asus's own VPN Fusion, OpenVPN routing
rules are now managed through a central web interface,
and they are stored in JFFS instead of nvram, to allow
creating more rules, and free up some nvram for
nvram-limited devices such as the RT-AC68U.
See the Wiki for more information.
- NEW: Added QR codes to the networkmap as well as the Guest
Network page, to allow easily connecting a mobile
device just by scanning the QR code.
The generated QR code can also be saved as a file
if you'd like to print it.
- CHANGED: Rewrote OpenVPN routing handling. The firmware will
now handle route creation itself rather than letting
the openvpn client create/remove routes.
The new implementation brings a few changes:
- "Force Internet traffic through tunnel" can now
be set to "No", "Yes (All)" or "VPN Director".
- This setting will now override whatever setting
pushed by the server regarding gateway redirection.
- The kill switch can now be used in both "Yes" and
"VPN Director" routing modes
- Manually stopping a client will remove the kill
switch. It will now only be applied at boot time
(if client was set to start at boot), or if the
tunnel is disconnected through a non-user event
- CHANGED: Reworked OpenVPN's DNS Exclusive mode implementation
and interaction with dnsmasq.
- CHANGED: Moved OpenVPN Custom settings content to JFFS, and
increased max storage length from around 350 chars
to 4095 chars.
- CHANGED: Added support for BCM50991 used for the 2.5G
interface in newer RT-AX86U revisions.
- UPDATED: nano to 5.7.
- UPDATED: curl to 7.76.1.
- UPDATED: dnsmasq to 2.85-openssl.
- UPDATED: openvpn to 2.5.3.
- UPDATED: getdns to 1.7.0.
- UPDATED: stubby to 0.4.0.
- FIXED: Setting an OpenVPN client's DNS mode to Exclusive
could fail to work for certain configurations
- FIXED: DNS Exclusive redirections applied in Policy mode
could be executed in the wrong order if you had
overlapping policy rules in two separate clients.
- FIXED: Clients connected to Guest Network 1 couldn't be
routed through an OpenVPN tunnel.
- FIXED: Clients connected to Guest Network 1 would bypass
DNSFilter rules.
- FIXED: USB disks not properly unmounted on reboot
on some router models.
- FIXED: Missing error report on OpenVPN client connection
failure
- FIXED: profile.add getting used even if JFFS scripting
was disabled (dave14305)
- FIXED: Freedns authentication errors would not
properly be reported as errors.
386.2_6 (6-June-2021)
- NOTE: The IRC channel, #asuswrt, has moved to the
Libera IRC network (https://libera.chat/).
- UPDATED: chart.js to 2.9.4.
- UPDATED: tor to 0.4.5.8.
- UPDATED: root certificate bundle to June 5th 2021.
- FIXED: Fragattack security issues
386.2_4 (30-Apr-2021)
- NEW: Added jitterentropy-rngd to non-HND models, in addition
to HND models.
- UPDATED: OpenVPN to 2.5.2.
- UPDATED: jitterentropy-rngd to 1.2.2 (library 3.0.3)
- FIXED: Scheduled new FW checks wouldn't display the webui
notification icon when the local router had a
new release available.
- FIXED: OpenVPN server would flip into an error state (being
shown as "initializing" on the webui) whenever an
inbound client failed to connect to it.
386.2_2 (13-Apr-2021)
- FIXED: IPv6 pings were blocked if sent below the rate limit
instead of above (issue introduced in 42095)
- FIXED: kernel debuging log entry (was removed) (RT-AC86U)
- FIXED: Field that accepted a float value would reject
values equal to the allowed minimum (for example
the QoS bandwidth limits)
- FIXED: QoS Bandwidth settings were hidden on
non-HND models when accessing the QoS page.
- CHANGED: Tweaks to the Firmware Upgrade page display.
- CHANGED: Enabling DOS protection will now also rate limit
ICMPV6 echo (type 128) packets, like with IPv4.
386.2 (2-Apr-2021)
- NOTE: due to changes in how custom device icons are handled,
first time you boot with 386.2 you need to either
shift-reload the main index page, or clear your
browser cache.
- NEW: Added support for the GT-AX11000. Note that VPN Fusion,
as well as the ROG-specific features such as the custom
UI are not supported.
- NEW: Added support for the RT-AX68U.
- NEW: Added jitterentropy-rngd daemon to HND routers. This will
ensure sufficient entropy is generated early on at
boot time, reducing boot stalls caused by insufficient
entropy for the kernel's random number generator,
and also generally improves security related to
crypto operations by the router.
- NEW: Added Cake QoS for HND routers. Note that just like
Traditional QoS, this is not compatible with hardware
acceleration, and therefore might not be usable on
connections faster than around 350 Mbps (may vary based
on router models).
- UPDATED: Merged GPL 386_42095.
- UPDATED: Openssl to 1.1.1k.
- UPDATED: OpenVPN to 2.5.1.
- UPDATED: iproute2 to 5.11.0 (HND models).
- UPDATED: root certificate bundle to March 9th 2021.
- CHANGED: qos-start "init" user script now runs in blocking
mode to ensure it's able to complete any changes
it may apply to qos configs before these
configs get applied.
- FIXED: Router could get stuck at boot time after the user
migrated from stock firmware, or just erased his
JFFS partition, requiring a factory default reset.
- FIXED: ATM checkbox could not be enabled on QOS page.
- FIXED: DST not getting applied to some timezones (snauton)
- FIXED: Traditional QoS was broken in 386.1 (dave14305)
- FIXED: Connected IPSEC clients weren't shown on the VPN Status
page.
- FIXED: Userspace conntrack tool was no longer working
- FIXED: Traffic Monitor spikes for HND models. (Asus backport)
- FIXED: webui incorrectly complaining about mismatched timezone
between browser and webui for some timezones (dave14305)
- REMOVED: SSH Brute Force Protection option (already handled
by Asuswrt's protect service daemon)
386.1_2 (12-Feb-2021)
- NEW: Added snmp support to the RT-AX86U.
- UPDATED: inadyn to 2.8.1.
- UPDATED: nano to 5.5.
- CHANGED: Use local OUI database instead of remote one hosted
on Asus's server (allows queries to work even when
accessing webui over https)
- CHANGED: If dropbear cannot create keys in /jffs then
create temporary ones in /etc so SSH can work even
without a working JFFS partition.
- FIXED: Missing Game Mode on RT-AC88U
- FIXED: Non-working 160 MHz settings for RT-AC88U region/versions
that should support it
- FIXED: Missing Instant Guard to RT-AX56U and RT-AC88U.
- FIXED: IPv6 ending with "::" were considered invalid on the
webui (was breaking the Prefix field on the 6in4 tunnel
page for instance).
- FIXED: OUI lookups on site survey page not working
(for non-HND models)
- FIXED: Wifi Radar missing on GT-AC2900
- FIXED: Netools-enabled pages not used by GT-AC2900 and
RT-AX86U
- FIXED: GeForce NOW UPNP not working
- FIXED: Erasing the JFFS partition would often require a second
reboot since the operation failed when encountering
a bad block. These are now properly skipped.
- FIXED: Parental Control's time scheduler not working properly.
386.1 (30-Jan-2021)
Switched to the new 386 codebase. 386 introduces
AiMesh 2.0, finalizes the move to OpenSSL 1.1.1
firmware-wide, adds a new speedtest (powered
by Ookla). For more details, please refer
to Asus's own release notes.
- NOTE: For developers, note that firmware code is
once again back on the master branch, with
both mainline and ax being reunified again.
- NOTE: Some users upgrading might have to go through some
database maintenance on first boot, which means the
router might be slower or have a non-responsive webui
for a while.
This can take anywhere from 5 minutes up to an hour,
depending on your model, just give it time to complete
the process.
- NEW: Added support for the RT-AX86U.
- NEW: Added support for the GT-AC2900, with a few restrictions:
- Non-ROG UI is used
- VPN Fusion is not supported
- A few other ROG-specific features are not supported
This is an experiment done in collaboration with Asus.
- NEW: Added support for the RT-AC68U V3.
- NEW: Added stub and stub-v2 compression options to OpenVPN
clients. Not added to server, since compression is
considered deprecated, and will be removed most likely
in OpenVPN 2.6, for security reasons.
- NEW: Added tls-crypt-v2 support to OpenVPN clients.
- NEW: Added option to select an OpenVPN client when
running Oookla Speedtest.
- UPDATED: Merged GPL 386_41700
- UPDATED: Openssl to 1.1.1i.
- UPDATED: Updated to OpenVPN 2.5.0. Note that OpenVPN
2.4.0 or newer is now required by the exported
client config file. You can still manually
configure an older client to connect with your
router.
- UPDATED: dnsmasq to 2.84, resolving CVE-2020-25681,
CVE-2020-25682, CVE-2020-25683, CVE-2020-25687,
CVE-2020-25684, CVE-2020-25685 and
CVE-2020-25686 aka DNSpooq (themiron)
- UPDATED: nano to 5.2.
- UPDATED: curl to 7.72.0.
- UPDATED: zlib to 1.2.11.
- UPDATED: lz4 to 1.9.2.
- UPDATED: e2fsprogs to 1.45.6.
- UPDATED: dropbear to 2020.81.
- UPDATED: miniupnpd to 2.2 (git snapshot from 20201129)
- UPDATED: Switched userspace ipset from 6.32 to 7.6 (to match
with upstream)
- CHANGED: firmware update checks are no longer using the
server address stored in nvram, for security
reasons. Devs who were using that nvram
should instead edit the webs_scripts/* to
use their own URL.
- CHANGED: The old legacy cipher setting in OpenVPN is now only
available when running with static key authentication.
- CHANGED: Tweaks to the OpenVPN webui layout
- CHANGED: OpenVPN clients will now NAT all outbound traffic,
regardless of the source subnet.
- CHANGED: Reworked the display of DNSPrivacy presets
- CHANGED: Added AdGuard (ad blocking) and CIRA Canadian Shield
(non US-based service) to the DNSPrivacy presets.
- CHANGED: At boot time, OpenVPN killswitch will only be
applied for clients set to auto-start with WAN.
- CHANGED: Increased number of available mount points for addon
webpages to 20.
- CHANGED: Multiple routes can now be defined per client on the
OpenVPN client-specific configuration.
- CHANGED: Improved NAT acceleration report for newer models on
the sysinfo page. Now query the hardware for the
current state instead of reporting the nvram values.
- CHANGED: When logging allowed connections is enabled, also log
outbound LAN connections (reverts to the behaviour from
a few years ago)
- FIXED: DHCP could fail to renew its lease with some ISPs when
Trend Micro engine was enabled (workaround provided
by Asus)
- FIXED: OpenVPN client remote IP wasn't updated on client
stop/restart.
- FIXED: Couldn't force generating a new SSL certificate for the
webui.
- REMOVED: Option to disable NCP. The NCP cipher list is
now used both for NCP and non-NCP endpoints.
- REMOVED: fq_codel support for Adaptive QoS. Due to a change
in how Trend Micro configures QoS, it is no longer
possible to intercept these to inject fq_codel.
- REMOVED: Option to select sfq as a queue scheduler for t.QoS
or Bandwidth Limiter, and always use fq_codel.
- REMOVED: Support for the Cloudcheck mobile app.
384.19 (14-Aug-2020)
- NOTE: Due to flash partitioning changes done by Asus, it is
strongly recommended to make a backup of your JFFS
partition before upgrading the RT-AC86U, and restoring
that backup afterward. If you run into issues,
reformat your JFFS partition and reboot.
- NOTE: The RT-AX56U build is not available for this release.
- NEW: Added support for static routes for PPTP/L2TP VPN
clients, on the Static Route page (themiron)
- NEW: Added notification when JFFS free space drops
below 3 MB.
- UPDATED: Merged GPL 384_9354 for AX models.
- UPDATED: Merged GPL 384_81992 for mainline models.
- UPDATED: Merged SDK + binary blobs 384_9354 for RT-AX58U.
- UPDATED: Merged SDK + binary blobs 384_9107 for RT_AX88U.
- UPDATED: Merged binary blobs + SDK 384_81981 for RT_AC5300.
- UPDATED: Merged binary blobs + SDK 384_81992 for RT-AC86U.
- UPDATED: Merged bwdpi components from 385_20630 firmware
image for RT-AC68U.
- UPDATED: dnsmasq to 2.82-openssl (themiron)
- CHANGED: Rewrote a large portion of the OpenVPN implementation,
to make the code easier to maintain. The new libovpn
code is released under a GPL licence. Functionality
should largely remain the same.
- CHANGED: Replaced updown-*.sh OpenVPN event handler scripts
with binary libovpn functions. The new code does
stricter validation of the configuration.
- CHANGED: Enabling Client Config Dir (ccd) for an OpenVPN
server in non-exclusive mode will no longer accept
duplicate common names (to prevent issues with
two clients trying to share the same settings).
If you need such an unusual setup, you should
enable "Username/Password auth only", which will
make the common name become the username. Or
better, ensure that you have unique certificates
for all of your users.
- CHANGED: Removed the (undocumented) vpn_debug setting. Debug
logging will now only come from OpenVPN itself
(configurable through the log verbosity setting).
- CHANGED: Improved mechanism for providing an available
mount point for addon API scripters (dave14305)
- CHANGED: Harmonized the various SSL certificate modes with
upstream.
0-None - will be self-generated
1-Imported - lets you upload your own (no longer
self generated unless you don't
upload one)
2-Let's Encrypt (unchanged)
Self-generated cert will be stored to /jffs/cert.tgz,
just like upstream.
- FIXED: Broken French webui on AX models (fixed with
Asus's GPL update)
- FIXED: Chacha20 wasn't prioritized for bcm675x models which
lacked AES acceleration (RT-AX56U and RT-AX58U)
- FIXED: ddns updates and OpenVPN instances might be launched
twice at boot time if the initial ntp clock sync
happened too fast.
- FIXED: Enforced DNS and tQoS fix would be lost when the
firewall gets restarted while an OpenVPN client
is running.
- FIXED: Various issues surrounding error state report
when an OpenVPN client failed to start properly.
- FIXED: WINS provided by an OpenVPN server weren't properly
used.
- FIXED: Some large DNS queries could fail when using DoT
(patch backported from upstream)
384.18 (28-June-2020)
- NOTE: A number of changes for some models are not backward
compatible with previous versions. Downgrading to
a previous release will require a factory default reset
afterward in many cases.
- UPDATED: Merged GPL 384_8563 for AX models.
- UPDATED: Merged GPL 384_81918 for mainline models.
- UPDATED: Merged SDK + binary blobs 384_81918 for RT-AC86U.
- UPDATED: Merged SDK + binary blobs 384_81902 for RT-AC5300.
- UPDATED: Merged SDK + binary blobs 385_20490 for RT-AC68U.
- UPDATED: Merged binary blobs 385_20490 for RT-AC3100.
- UPDATED: Merged binary blobs 384_81918 for RT-AC88U.
- UPDATED: Merged SDK + binary blobs 384_8563 for RT-AX58U.
- UPDATED: amtm to 3.1.7.
- UPDATED: Root certificate bundle to June 3rd 2020.
- UPDATED: OUI database used by the webui.
- UPDATED: Dropbear 2020.80 (themiron)
- UPDATED: nano to 4.9.3.
- CHANGED: Optimized OpenVPN routing policy storage (this change
is NOT backward compatible with previous firmwares)
- FIXED: ssh/scp client would fail to connect while negotiating
a chacha20 connection (themiron)
384.13_10 (28-June-2020)
This release will most likely be the last release for the
RT-AC87U and RT-AC3200, due to limited upstream support.
- UPDATED: amtm to 3.1.7.
- UPDATED: Root certificate bundle to June 3rd 2020.
- UPDATED: OUI database used by the webui.
- UPDATED: Dropbear 2020.80 (themiron)
- UPDATED: Wireless driver from 382_52230 for RT-AC87U and
RT-AC3200 (should in theory address Kr00k)
- FIXED: ssh/scp client would fail to connect while negotiating
a chacha20 connection (themiron)
384.17 (26-Apr-2020)
Updating some models (like the RT-AC88U) from stock firmware
3.0.0.4.384_81790 and newer will require a factory default reset
after flashing Asuswrt-Merlin, due to a change in how Asus
stores the admin password starting with 384_81790.
- NEW: Add Chacha20-poly1305 support to dropbear (themiron)
- UPDATED: dnsmasq to 2.81-openssl (themiron)
- UPDATED: openvpn to 2.4.9.
- UPDATED: curl to 7.69.1.
- UPDATED: openssl-1.1 to 1.1.1g (themiron)
- UPDATED: nano to 4.9.2.
- FIXED: RT-AC88U/RT-AC3100/RT-AC5300 could fail to upgrade
from newer stock versions to Asuswrt-Merlin.
- FIXED: Various webui issues with sorting DHCP reservations.
384.13_8 (26-Apr-2020)
This release is only available for the RT-AC87U and RT-AC3200.
- UPDATED: dnsmasq to 2.81-openssl (themiron)
- UPDATED: openvpn to 2.4.9.
- UPDATED: openssl-1.1 to 1.1.1g (themiron)
384.16 (5-Apr-2020)
- NEW: Added support for the RT-AX58U and RT-AX3000 (same
firmware), based on GPL 384_8253 + binary blobs 384_8137.
- NEW: Added support for the RT-AX56U, based on GPL + binary
blobs from 384_8253.
- NOTE: The RT-AC87U and RT-AC3200 are now officially considered
to be on limited support. The future for these two
models will depend on Asus's own support in the
coming months.
- NEW: Added ed25519 support in Dropbear (themiron)
- UPDATED: Merged GPL 384_8253 for AX models.
- UPDATED: Merged SDK + binary blobs 384_7977 for RT-AX88U.
- UPDATED: Merged SDK + binary blobs 384_81352 for RT-AC86U.
- UPDATED: Tor to 0.4.2.6.
- UPDATED: curl to 7.68.0.
- UPDATED: nano to 4.8.
- UPDATED: dnsmasq to 2.81rc4-33-g7558f2b-openssl (themiron)
- UPDATED: inadyn to 2.7 (themiron, merlin)
- UPDATED: getdns to 1.6.0 (themiron)
- UPDATED: stubby to 0.3.0 (themiron)
- UPDATED: amtm to 3.1.6 (thelonelycoder)
- UPDATED: openssl-1.1 to 1.1.1f (themiron, merlin)
- UPDATED: Chart.js to 2.9.3
- CHANGED: Wireless Log page will now regroup Guest Network
clients together and identify which guest instance
they are connected to.
- CHANGED: Report temperature of second 5 GHz radio on Sysinfo page
for tri-band models.
- CHANGED: Added down/upload monitor to network status page, and
removed useless RAM chart to free some space.
- CHANGED: Security hardening in dropbear dropped CBC and 3DES
ciphers, removed version disclosure from ident
string (themiron)
- FIXED: DNS server was unreachable when connecting to an OpenVPN
server with Advertise DNS enabled, due to firewall rules.
- FIXED: Router Security Assessment would fail to recognize WPA3
as being secure.
- FIXED: miniupnpd would reject private WAN IPs - changed that
upstream behaviour to allow these.
- FIXED: Would require you to reset the DHCP scope if you
changed the LAN hostname.
- FIXED: Couldn't set http mode to http-only if you previously
had WAN access enabled but have since switched to
non-router mode.
- FIXED: Disks with a single quote in their name would fail to
properly list on various USB service pages.
- FIXED: CVE-2020-8597 security issue.
384.13_6 (5-Apr-2020)
This release is only available for the RT-AC87U and RT-AC3200.
These two models are now considered to be on limited support, and
their future will depend on Asus's future support for these two.
- UPDATED: openssl-1.1 to 1.1.1f (themiron, merlin)
- UPDATED: amtm to 3.1.6 (thelonelycoder)
- CHANGED: Security hardening in dropbear: dropped CBC and 3DES
ciphers, removed version disclosure from ident
string (themiron)
- FIXED: DNS server was unreachable when connecting to an OpenVPN
server with Advertise DNS enabled, due to firewall rules.
- FIXED: miniupnpd would reject private WAN IPs - changed that
upstream behaviour to allow these.
- FIXED: Would require you to reset the DHCP scope if you
changed the LAN hostname.
- FIXED: Couldn't set http mode to http-only if you previously
had WAN access enabled but have since switched to
non-router mode.
- FIXED: Disks with a single quote in their name would fail to
properly list on various USB service pages.
- FIXED: CVE-2020-8597.
384.15 (8-Feb-2020)
The RT-AC87U and RT-AC3200 are not supported by this release, see
the 384.13_4 release released separately for these two models.
- NEW: wan-event script. The first parameter will be the WAN unit
(0 for first WAN, 1 for secondary). The second parameter
will be a string describing the type of event (init,
connected, etc...). A wan-event of type "connected" will
be identical to when the original wan-start script was
being run (wan-start should be considered deprecated