This is probably not related to the ciphersuites in TLS. ustream-ssl uses chacha20-poly1305 as the first choice, then AES-GCM, and neither is supported by the devcrypto engine (or the cesa). Most of the browsers support AES-GCM, so unless something else is changing the ciphersuite order, AES-CBC is not being used, and I'm guessing this is either related to ECB or SHA256. At least Chrome & Firefox support chacha20-poly1305, and SHA256 is not used for them, so that leaves ECB as the first suspect. The weird part of this is IE not triggering the error. Can you build openssl with the patch I mentioned earlier and disable ECB ciphers to see if the message goes away? I can supply the library binaries if not. I also have a binary (edit: or a patch for the source, of course) with debugging messages to syslog that can hopefully point to the function that may be causing the error, if anyone is willing to test it. As a bonus, it will log the cipher/mac of every session, and show you the length of each update call, which coupled with openssl speed output, will give you an idea if hw-crypto is speeding you up (inl > 1000 for aes-cbc; len > 10k for sha256) or slowing you down.
This is the library with debugging output to syslog: libopenssl_1.1.1b-1_arm_cortex-a9_vfpv3.ipk
This is the source patch (apply to openwrt source): openssl-debug.patch
Please note that this has not been tidied up.
This patch applies on top of patchwork#1049156
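To make the "speeding you up or slowing you down" judgement above concrete, here is an added helper (not from the thread or from cotequeiroz) that compares two `openssl speed -evp aes-256-cbc` result lines, one run without `-engine devcrypto` and one with it, and reports the smallest block size at which the engine wins. The two result lines below are constructed sample data, not measurements.

```shell
#!/bin/sh
# Added example (not from the thread). `openssl speed -evp <cipher>` prints one
# line per algorithm with throughput in kB/s for block sizes 16, 64, 256, 1024,
# 8192 and 16384 bytes. Paste the aes-256-cbc line from a software run into
# SW_LINE and the line from a `-engine devcrypto` run into HW_LINE.
# These two lines are CONSTRUCTED sample data for illustration only.
SW_LINE='aes-256-cbc     31234.11k    35012.45k    36100.20k    36320.77k    36400.12k    36410.55k'
HW_LINE='aes-256-cbc      2201.02k     8410.33k    29980.15k    58120.90k   118400.41k   131022.70k'

# _speed_awk MODE: reads the two lines on stdin; MODE is "report" or "crossover".
_speed_awk() {
  awk -v mode="$1" '
    BEGIN { n = split("16 64 256 1024 8192 16384", sz, " ") }
    # awk converts "31234.11k" to 31234.11 (leading numeric prefix), so the
    # trailing k needs no stripping.
    NR == 1 { for (i = 1; i <= n; i++) sw[i] = $(i + 1) + 0 }
    NR == 2 { for (i = 1; i <= n; i++) hw[i] = $(i + 1) + 0 }
    END {
      first = 0
      for (i = 1; i <= n; i++) {
        wins = (hw[i] > sw[i])
        if (wins && !first) first = sz[i]
        if (mode == "report")
          printf "%6d bytes: software %10.2f kB/s  devcrypto %10.2f kB/s%s\n",
                 sz[i], sw[i], hw[i], (wins ? "  <- engine wins" : "")
      }
      # 0 means the engine never beat the software implementation
      if (mode == "crossover") print first
    }'
}

# speed_report SW HW -> one line per block size, marking where the engine wins
speed_report()   { printf '%s\n%s\n' "$1" "$2" | _speed_awk report; }
# crossover_size SW HW -> smallest block size (bytes) where the engine is faster, or 0
crossover_size() { printf '%s\n%s\n' "$1" "$2" | _speed_awk crossover; }
```

With the sample data the engine only pulls ahead from 1024-byte blocks, which matches the inl > 1000 rule of thumb given in the post; anything the TLS stack hands to the engine in smaller pieces will be slower than plain software AES.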
For the next build, all of the compiled image names will start with OpenWrt. I'm thinking over 12 months ago, I switched the name from OpenWrt to LEDE. Well, it is probably time to switch it back to start with OpenWrt, so that's what I have done.
The crypto dma pool kernel errors should be fixed in the next build. I've just finished a test build from trunk sources, and I'm not seeing the error anymore.
Thanks for your help @cotequeiroz
Long user of open source firmwares but first message on the forum.
First of all thanks David and everyone involved. Works very well for me.
One question for the sysupgrade please. Apparently it upgrades the "other" partition. When I select keep settings, does it use the settings of the current partition or does it use the other one's as well?
Is anyone here running Wireguard on their router?
Any idea when this build be up in snapshots? No rush though, going back two builds as I might have an issue myself with SQM.
Probably this coming Saturday or Sunday -- 16th-17th.
Thanks for the reply can't wait to test.
Yes, I run Wireguard with the davidc502 build. I've done so both as a client, where I use a service such as Mullvad, IVPN, or a server I created on DigitalOcean; and as a server, where when I'm on travel I use a travel router to create a Wireguard connection to my home network.
I more-or-less follow the guide published by Mullvad:
I have a couple of minor changes. First, I install both luci-app-wireguard, whereas the guide only has the proto package called out. Second, I don't change the LAN interface, which is the last step they recommend in the guide.
I've found that it all works well. I also run vpn-policy-routing so I can route some things, like Roku streaming boxes, around to the WAN because Amazon, Netflix, and the like complain about proxy servers.
Hope that helps.
There's a simpler and faster way already available: an SSH tunnel. Minimal performance decrease, 3 minutes to configure, free.
Hello and I hope that you are well; as always, I want to thank you for all your hard work and dedication in keeping us all able to utilize your excellent OpenWrt builds. That being said, I felt it incumbent upon me to report my findings concerning OPENVPN and OpenSSL 1.1, along with the difficulty encountered in creating the OPENVPN Client interface on Build = r9506 Release Date 2019-03-02.
First, see here : https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
Go to the section "Checking openssl support" and underneath the box containing the available encryption algorithms you will see the following entry:
For openssl-1.0.2 and earlier, the engine was called cryptodev. It was renamed to devcrypto in openssl 1.1.0. In this example, engine 'devcrypto' is available, showing the list of algorithms available.
For any and all who may have any difficulties getting OPENVPN Client to start when using the following entry in their config file:
option engine 'cryptodev' - it is obsolete with the introduction of OpenSSL 1.1. At least on my 3200ACM and 1900ACS, the hardware cryptographic acceleration entry has been changed, which means use this instead: option engine 'devcrypto'
In order to run speed tests - run these commands after installing cryptsetup :
openssl speed -evp aes-256-cbc -engine devcrypto
openssl speed -evp aes-256-gcm -engine devcrypto
Now for the other issue of not being able to create the OPENVPN Client interface ( tun0 ).
See this reference: SOLVED: [18.06.1] No tun0 device after upgrading netifd to netifd_2018-11-19-4b83102d-2_arm_cortex-a9_vfpv3.ipk
I really do not know why this issue surfaced during my setup of NORDVPN OPENVPN Client, especially when others did not seem to have had this issue.
This fix is located at the bottom of the page and I can report that it worked for me;
Solved with this workaround:
root@wrt1900acs:~# cat /etc/rc.local ( enter in /etc/rc.local the entry below ) :
/usr/sbin/openvpn --mktun --dev tun0
The interface was created, survives reboots and works great, as it should. So, those are my findings. I hope that helps in the event anyone runs across these issues while attempting to connect their VPN Client to their VPN Provider.
May God Bless You and Yours -
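The two fixes in the post above (renaming the engine option for OpenSSL 1.1 and pre-creating tun0) lend themselves to a small script. This is an added example with hypothetical helper names, not code from the thread; it assumes an OpenWrt UCI file such as /etc/config/openvpn, an OpenSSL 1.1 `openssl` binary and `/usr/sbin/openvpn`, and the config written by the test is constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helpers that (1) verify the
# OpenSSL 1.1 engine is really present before relying on it, (2) rewrite the
# obsolete option engine 'cryptodev' line in an OpenWrt UCI file to
# 'devcrypto', and (3) apply the persistent-tun workaround from the post only
# when the device is missing.

# engine_available NAME -> exit 0 if `openssl engine` lists NAME (e.g. devcrypto);
# the listing prints one "(id) description" line per engine.
engine_available() {
  command -v openssl >/dev/null 2>&1 || return 1
  openssl engine 2>/dev/null | grep -q "^($1)"
}

# migrate_engine FILE -> replaces option engine 'cryptodev' with 'devcrypto'
# in FILE (normally /etc/config/openvpn); prints the number of lines changed.
migrate_engine() {
  f=$1
  # grep -c prints 0 and exits 1 when nothing matches, so keep set -e quiet
  n=$(grep -c "option engine 'cryptodev'" "$f" || true)
  if [ "$n" -gt 0 ]; then
    sed "s/option engine 'cryptodev'/option engine 'devcrypto'/" "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f"
  fi
  echo "$n"
}

# ensure_tun DEV -> creates a persistent tun device if it does not exist yet
# (the /etc/rc.local line from the post); exit 0 if DEV exists afterwards.
ensure_tun() {
  [ -d "/sys/class/net/$1" ] && return 0
  /usr/sbin/openvpn --mktun --dev "$1" >/dev/null 2>&1
  [ -d "/sys/class/net/$1" ]
}

# Typical use on the router (not executed here):
#   engine_available devcrypto && migrate_engine /etc/config/openvpn
#   ensure_tun tun0
```

Only rename the engine after `engine_available devcrypto` succeeds; if the engine is absent, OpenVPN will refuse to start with either name and the speed-test commands from the post will show the same failure.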
From my experience @kar200 it will try and copy the settings from the current partition to the alternate one which the sysupgrade will be applied to. The alternate partition settings will be overwritten/erased. Carrying across settings I find needs to be done with caution however as if you have installed additional packages that modify some of the settings then you may find some things won't work until you have reinstalled them.
Is the new https://dc502wrt.org/ site / repository down?
I can't connect or download packages.
Correct.. It is down right now.
It should be back up shortly. This was my fault for not verifying my email address with the registrar for the new domain... sigh. It has been verified, and they have confirmed it should be back on-line shortly. They didn't give me an exact time.
Thanks for letting me know by the way.
The site should be back up for everyone now.
The site is back up now !
Thanks. I use VPN.ac for a vpn.
Thanks to you for all your work.
I just installed python on my wrt3200 and it literally drained all my available space.
Pretty sure there's a tutorial somewhere to install on external storage (didn't think I could ever need it with 512MB but apparently I do, also because 256 mb for tmpfs are maybe a bit much?).
Hello - and I hope that you are well. If you want more space for your router (I also have a wrt3200 acm), see here:
If you need more storage and swap memory for your router, see here: http://ediy.com.my/index.php/blog/item/118-how-to-increase-storage-on-tp-link-tl-mr3020-with-extroot and here: https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router
For partitioning USB external flash drives I personally prefer GParted Live and / or MiniTool Partition Wizard 9.1 Boot Iso and both work great - found here: https://gparted.org/download.php and here respectively: https://www.chip.de/downloads/Partition-Wizard-Bootable-CD_38297298.html
If you would like a nifty little free portable format tool - then look no further - try out MiniTool Portable Partition Magic found here: https://www.partitionwizard.com/partitionmagic/portable-partition-magic.html
from my tutorial DNS-OVER-TLS on OpenWrt/LEDE found here:
and also here for those who desire implementation using DNSMASQ
I hope that this helps you.
Peace and I am out