Baraka

Big problem solved with Asus RT-N66U on Tomato


After writing the config guide for Tomato way back, I didn't have any problems afterwards. And judging from the comments here, I think most people using Tomato were able to get up and running in no time.

 

Fast forward to a couple of months ago. I upgraded my Asus RT-N16 router to its more powerful cousin, the RT-N66U. Right away I began to have problems. This was due to the tiny amount of NVRAM (32 KB) that holds the router's config. Including 64 KB would ensure that no one ever had any problems. Too bad Asus skimped.

 

No matter what I tried, I kept on running out of NVRAM. My free space was always running at or near 0.

 

Fast forward a little bit more to last month until Heartbleed and Air's response. The new RSA key was bigger and TLS auth was implemented, which makes use of a static key. This config change basically killed my router. The NVRAM was overflowing and wreaking havoc on my connectivity. I must've tried 50 different configs, but they all failed.

 

Today, I finally solved this problem with the NVRAM running out. It's this simple:

 

First, buy the smallest USB flash memory key you can find and copy your ca.crt, user.crt, user.key and ta.key to a directory of your choice (I created "tomato" on mine). Then remove the key and plug it into your RT-N66U. Make sure you enable USB support and refresh that section to make sure it's detected and mounted. Make note of the directory path that's shown and copy/paste it so you have it ready.

 

Second, in your OpenVPN Client/Keys section DON'T COPY ANYTHING IN. LEAVE THE 4 FIELDS BLANK.

 

[see next post-->]

Share this post


Link to post

Third, under OpenVPN Client/Advanced paste the following (after resolv-retry infinite, remote-cert-tls server, and verb 3):

 

ca "/path_to_your_usb_key/tomato/ca.crt"
cert "/path_to_your_usb_key/tomato/user.crt"
key "/path_to_your_usb_key/tomato/user.key"
tls-auth "/path_to_your_usb_key/tomato/ta.key" 1

 

The "tomato" in the path is the directory I created on my USB key, but you can sub in whatever you want. Just make sure whatever you put in there is exactly what you have on your USB key.

 

Once you're done that you'll be able to connect immediately without any problems. You'll always have plenty of NVRAM left over and you can even fill out another config in your second VPN client section, using the same method.

 

What I had to go through to come up with this updated guide was pure misery. Hopefully I've saved people a lot of time and frustration by posting this.

 

Air Admins: please update the Tomato config guide to reflect this. Otherwise, anyone you have coming to the service with an RT-N66U is going to be screwed.

 

*I'm using the latest version of Toastman's Tomato, Tomato Firmware v1.28.0505 MIPSR2Toastman-RT-N K26 USB VLAN-VPN

Share this post


Link to post
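
A pre-flight check for the file-based setup in the guide above, added here as an example and not part of the original posts: it reads the lines pasted into the custom configuration box, confirms that each ca, cert, key and tls-auth path exists and is non-empty, and flags a private key or static key that group or others can access. The function name check_ovpn_files and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the key and
# certificate files named in an OpenVPN client custom configuration.
# Assumes one directive per line and no spaces inside the quoted paths.

# check_ovpn_files CONFIG   (hypothetical helper name)
# Prints one finding per line and returns the number of findings (0 = clean).
check_ovpn_files() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 1; }
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r directive path _rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|tls-auth) ;;   # the four file directives in the guide
            *) continue ;;             # resolv-retry, verb, comments, blanks
        esac
        path=${path#\"}; path=${path%\"}   # drop the surrounding double quotes
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "MISSING $directive $path"
            problems=$((problems + 1)); continue
        fi
        if [ ! -s "$path" ]; then
            echo "EMPTY $directive $path"
            problems=$((problems + 1)); continue
        fi
        # user.key and ta.key are secrets: flag any group/other permission bit.
        case $directive in
            key|tls-auth)
                mode=$(ls -ld "$path" | cut -c1-10)
                case $mode in
                    ????------) ;;
                    *) echo "LOOSE $directive $path $mode"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    return "$problems"
}

# Stand-alone use: sh check.sh /path/to/pasted-config.txt
if [ "$#" -gt 0 ]; then check_ovpn_files "$1"; fi
```

On a FAT-formatted stick a LOOSE finding cannot be cleared with chmod, because the mode shown comes from the mount options rather than from the files themselves.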

Thanks for this. Did you know that if the CFE of your RT-N66U is v1.0.1.3, you can flash a 64k nvram build on it? To check your CFE version, enter the following command in the shell:

 

cat /dev/mtd0ro | grep bl_version

 

If the result is 1.0.1.3 then your router is compatible with 64k nvram builds.

Share this post


Link to post

Correct me if I'm wrong please.

 

Capture.png

 

So, if that is the path I just should type under OpenVPN Client/Advanced this:

 

resolv-retry infinite
ns-cert-type server
comp-lzo
verb 3
ca "/tmp/mnt/sda/tomato/ca.crt"
cert "/tmp/mnt/sda/tomato/user.crt"
key "/tmp/mnt/sda/tomato/user.key"
tls-auth "/tmp/mnt/sda/tomato/ta.key" 1 (What is that 1 there? just curiosity)

 

It is not working for me... So, I'm really trying to figure out why.

 

Thanks in advance.

 

Edit:

 

I'm so sorry, but it is working just fine... I made a tiny mistake when I gave a name to the folder holding the keys and certs: I called it tomoto instead of tomato.

 

A million thanks Baraka!

Edited ... by Xiocus

Share this post


Link to post

How do you know this for sure? And how is it possible to flash your NVRAM with a build that's far larger than the allotted memory?

 

I researched this quite a bit and Toastman himself warned very strongly against using any of the large builds of his firmware on the N66U.

 


Share this post


Link to post

See for yourself here:

 

http://www.linksysinfo.org/index.php?threads/toastman-rt-n-tomato-firmware-on-asus-rt-n66u-dark-knight-dual-band-wireless-n900-gigabit-router.36959/

 

Please use only the version that is designed for your router, whatever the model. You can't use the 60K version on routers that do not have 60K of NVRAM. That should be rather obvious.

Now, please don't try to be smart and keep asking whether this only applies to model XXX router.

If your router - ANY MAKE, ANY MODEL - does not have 60K of NVRAM then you can't use the 60K version of the software, OK? It's not negotiable.

You can't stick the wheel of a huge truck on your toyota either, can you? What's the problem here?

 

But then there's this- http://linksysinfo.org/index.php?threads/asus-rt-n66u-low-nvram.37500/

 

 

RT-N66U 64K Update

Asus recently published code which has the mod in it, although they have not yet released firmware with this feature enabled. JYAvenard has just been experimenting with this and has just added the code to Tomato - it appears to work fine. So shortly Shibby and my builds will have it also. I did post a build (1.28.0500.3) which I have since withdrawn, as the update has broken some other features.

Please note that it isn't a cfe update, and it will only work while firmware using this code is being run. It will revert to only using 32K if any other firmware is used. If you want to experiment, please back up all your settings first using the nvram export --set method here:

http://www.linksysinfo.org/index.ph...orial-and-discussion.28349/page-9#post-138676

There is a possibility that this method could also be used for other routers, but it would require some additional changes. At the moment only the RT-N66U has it.

 

Really confused now. Anyone want to be a guinea pig and test this out?

Share this post


Link to post

Actually RT-N66U does have 64kb of NVRAM however only 32kb is usable due to the boot loader. With a later version of the bootloader (v1.0.1.3) it is possible to utilize all 64kb of NVRAM.

 

http://www.linksysinfo.org/index.php?threads/determining-nvram-size-on-rt-n66u.69966/

 

 

 

 


Share this post


Link to post

So have you gotten one of the 64KB builds to work on your router with no additional mods? I don't have the balls to try it after the hell I went through over the past couple of months.

 


Share this post


Link to post

No, I don't have this router; however, I am planning to get one soon and I was researching this nvram issue for quite a while before buying it.

 

 


Share this post


Link to post

How soon? Update this thread when you have the router and have flashed it with the 64KB NVRAM version of Toastman's Tomato. If it works then I'll do the same.

Share this post


Link to post

Thanks, I had the same problem with my Asus RT-N16.

 

Since I didn't have a USB stick, I just enabled JFFS (Administration-->JFFS).

Now I have about 20MB available at /jffs on my router for adding two folders with my certs (one folder for each client).

 

My custom config looks like this:

 

CLIENT 1:

resolv-retry infinite
remote-cert-tls server
comp-lzo
verb 3
ca "/jffs/c1-zaurak/ca.crt"
cert "/jffs/c1-zaurak/user.crt"
key "/jffs/c1-zaurak/user.key"
tls-auth "/jffs/c1-zaurak/ta.key" 1

CLIENT 2:

resolv-retry infinite
remote-cert-tls server
comp-lzo
verb 3
ca "/jffs/c2-phoenicis/ca.crt"
cert "/jffs/c2-phoenicis/user.crt"
key "/jffs/c2-phoenicis/user.key"
tls-auth "/jffs/c2-phoenicis/ta.key" 1

Thanks again, I don't have any problems with my NVRAM anymore!

 

Best wishes,

agunymous

Share this post


Link to post

By the way, if anyone is wondering how to copy a folder from your local computer to the folder /jffs on your router:

 

First enable SSH on your router (with Shibby, it's already enabled by default).

 

Then just use the Terminal:

 

scp -r c1-zaurak root@192.168.1.1:/jffs

"c1-zaurak" --> replace with name of your folder containing the certificates

"192.168.1.1" --> replace with IP of your router

 

When asked for a password, just enter your router password.

 

On Windows, you could also use WinSCP if you want a GUI.

SFTP clients won't work though.

Share this post


Link to post

tls-auth "/tmp/mnt/sda/tomato/ta.key" 1 (What is that 1 there? just curiosity)

 

I just checked... you use a "0" on the server and "1" on the client. So "1" is just fine. :-)

Share this post


Link to post

Baraka,

 

I just bought this router the N66u. I used to run toastman on my rt-n16. I also upgraded.

 

I flashed toastman tomato-K26-NVRAM64K-1.28.0506.3MIPSR2Toastman-RT-N-VPN and it works perfect. So 64k nvram no problem. I don't use USB but I assume the usb version of 64k works just the same.

Share this post


Link to post
