Firmware update: Asuswrt-Merlin 388.1

Asus uses a Tomato-derived firmware called Asuswrt for its routers, such as the RT-AC68 and RT-AX88. This firmware is, except for a few drivers, open source, with closed binaries included. Asuswrt-Merlin is in turn a modified version of the original Asus firmware. It includes bug fixes and minor improvements, but still tries to stay close to the original, so that it remains possible to add new features that Asus introduces to the code. Version 388.1 has been released, a version that is only suitable for the AX models, and the following changes and improvements have been made:

Note:

• This release is only available for AX models. AC models will remain on the 386_xx release branch.

New:

• Add RT-AX86U_PRO support.
• Merged with GPL 388_20566 (RT-AX88U and GT-AX11000)
• Merged with GPL 388_21224 (all other AX models)
• Experimental ROG UI version for GT models, as a separate firmware image within the distribution archive, with “_rog” in the filename.
• (Asus 388) WireGuard client and server. The server uses the new 388 VPN server webui. Implemented a webui for clients, based on the early development UI from Asus.
  WG client routing is handled by VPN Director – you must configure redirection rules through it, same as on stock firmware which requires configuring rules through VPN Fusion.
  DNS handling will be identical to OpenVPN’s Exclusive DNS mode, forcing clients to use the DNS provided by it (if any is provided).
  Note that enabling WireGuard will disable hardware NAT acceleration due to compatibility reasons.
• httpd support for EC certificates (Ivan Kruglov)

Updated:

• getdns/stubby to 1.7.2/0.4.2.
• zlib to 1.2.12 + backports.
• openssl to 1.1.1s.

Changed:

• Rebranded DNSFilter as DNS Director. This will prevent confusion with the company sharing the same name, and also better describes what the feature does.
• Setting an OpenVPN client to redirect all traffic while in “Exclusive” DNS mode will now force redirect ALL DNS traffic just like in VPN Director mode. While this will allow redirecting clients with hardcoded DNS servers, it also means that your whole LAN will lose the ability of doing local name resolution. It might be best to use VPN Director in that case to control which client should be involved in the DNS redirection, or use DNS Director instead of Exclusive DNS mode.
• (Asus 388) nvram storage increased to 192 KB on newer HND 5.04 devices like the GT-AXE16000.
• Reworked VPN Status page to only show currently active services.
• Reworked VPN Director page design, added buttons to access a client’s settings page, and allow leaving both source and destination IPs empty (for “all”).
• Optimized VPN Director WAN and DNS rule creation, so they no longer get re-created multiple times when editing VPNDirector rules.
• Switched generated self-signed certificate to an EC certificate.
• Disabled DSS key support in Dropbear SSH.

Fixed:

• Wrong temperatures used by the temperature graphs (386.8 regression)
• CVE-2022-37434 in zlib.
• GT-AXE16000 random reboots when using an OpenVPN client with VPN Director and Adaptive QoS.
• Clients connected to Guest Network 1 aren’t redirected if NTP interception is enabled.
• Name was truncated to 31 chars when enabling OpenVPN client’s Server Certificate Name Validation.

Removed:

• Interface selector on Speedtest page (no longer working, possibly due to an ookla client update)
• NAT Type setting on HND 5.04 devices (fullcone is not supported by kernel 4.19, so it wasn’t working)