1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[Fork] Tomato by Shibby, compiled by @kille72

Discussion in 'Tomato Firmware' started by kille72, Mar 24, 2017.

  1. ghoffman

    ghoffman LI Guru Member

    thnak you. working on R6300v2.
    i had 138.13 AIO, and upgraded to 138.14 VPN with reset.
    funcions as main router for household without problem.

    however, some cosmetic issues:
    Captive Portal and Web Server appear in main menu, but are not implemented in VPN build; clicking on them goes to blank pages.
    this is fine, and may be a cleaner way to maintain than old implementation, which removed unavailable features from menues.
    i did not know if this is desired behavior or not.
    thnaks again.
    kille72 likes this.
  2. kille72

    kille72 Networkin' Nut Member

    Last edited: Apr 16, 2017
  3. ghoffman

    ghoffman LI Guru Member

    @kille72: that did it. doh. thnak you.
    kille72 likes this.
  4. H48W30c0HK

    H48W30c0HK Network Newbie Member

    For what it's worth, my strange DHCP issue persists with 138.14 on a Asus RT-AC68U

    - single device (Vonage VDV23-VD ATA) seems to be stuck in DHCPDISCOVER/DHCPOFFER loop
    - tried a "hard" factory reset of the Vonage ATA as well as doing a full clear of NVRAM of router
    - problem goes away when I reinstall Shibby v138 AIO
  5. AndreDVJ

    AndreDVJ Addicted to LI Member

    There was changes on dnsmasq that I ported to Tomato-ARM recently. You may try 138.12 and see if the issue goes away.

    Maybe that DHCP client doesn't like the DHCPOFFER coming from dnsmasq, and broadcast another DHCPDISCOVER on the LAN. Please post logs coming from dnsmasq in either syslog or file specified as log-facility.

    The related change that comes into mind is: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=88a77a78ad27adc3ed87b7ee603643d26cb896ee

    Maybe reverting the relevant code to the previous version can solve the culprit, but now we are in danger of being stuck in version 2.76, and forced to backport any future changes.
    H48W30c0HK and kille72 like this.
  6. kille72

    kille72 Networkin' Nut Member

    I got reports that Asus RT-AC68U had a tendency to freeze up from time to time with previous MultiWAN versions. After update of dnsmasq it has not happened so far. One thing is better and another worse, unfortunately...

    @H48W30c0HK: Have you cleared NVRAM and configured from scratch?
    Last edited: Apr 17, 2017
  7. kw_broadens

    kw_broadens Network Newbie Member

    Thanks @kille72! Upgraded my R8000 with nvram erase. Only problem I see is that Status Overview now tells me I can upgrade to Tomato by Shibby. I hoped for the briefest moment that he had released v139 :)

    !! Attention !!
    Tomato by Shibby undefined is now available.​

    I can get rid of it by unticking Tomato Update Notification System: Enable on the TomatoAnon page.

  8. edusodanos

    edusodanos Connected Client Member

    Kille72, thanks for your efforts ahead of the tomato, if you have time could compile the v132vpn with all the updates? Because there are many who do not need the multiwan function.
  9. AndreDVJ

    AndreDVJ Addicted to LI Member

    Update system matches string coming from nvram value os_version. @kille72 you should try and see if removing anon_update() function from status-overview.asp would work. Auto-update at this point is pretty pointless.
    kille72 likes this.
  10. GhaladReam

    GhaladReam Network Guru Member

    A while back, there was a bug in dropbear that broke Socks5 proxy.. The bug in question is referenced in this thread:



    Can you tell me if this bug is in your builds? Last I checked, Shibby's 138 release still had the bug (because of the broken version of dropbear)

    A better question is, what exact version of Dropbear is in 138.14? Looks like the problem was fixed in dropbear during June 2016.
  11. kille72

    kille72 Networkin' Nut Member

    Yes, I will do that!
  12. kille72

    kille72 Networkin' Nut Member

    Latest version of Dropbear:
    # dropbear -V
    Dropbear v2016.74
  13. AndreDVJ

    AndreDVJ Addicted to LI Member

  14. H48W30c0HK

    H48W30c0HK Network Newbie Member

    @AndreDVJ @kille72

    Okay, I tried 138.12 and DHCP provisioning worked fine with the Vonage ATA. (And yes, to answer @kille72 , I did completely clear NVRAM when testing the 138.14 build).

    I'm going to reflash the 138.14 build now and will post logs for you.

    EDIT: I've attached the syslog (dnsmasq messages only). The problematic ATA device is MAC 60:6d:c7:yy:yy:yy (I've obscured unnecessary identifiers).

    Attached Files:

    Last edited: Apr 18, 2017
  15. AndreDVJ

    AndreDVJ Addicted to LI Member

    Are there any logs on your Vonage device that may tell us if it's discarding the DHCPOFFER packet or something?

    Anyway, I'd ask kille72 to revert file release/src-rt-6.x.4708/router/dnsmasq/src/rfc2131.c to the previous state and compile again.
  16. kille72

    kille72 Networkin' Nut Member

    I can try to revert release/src-rt-6.x.4708/router/dnsmasq/src/rfc2131.c as @AndreDVJ propose and compile a test version. @H48W30c0HK What is your router? (AIO or VPN?)
  17. H48W30c0HK

    H48W30c0HK Network Newbie Member

    Thanks for the help, you guys are awesome.

    @kille72 : The build I'm using is RT-AC68U AIO.

    @AndreDVJ : I'll play around with the ATA today and see if I can pull any logs.
    kille72 likes this.
  18. kille72

    kille72 Networkin' Nut Member

    @H48W30c0HK: I have sent download link to you as a private message.
  19. kille72

    kille72 Networkin' Nut Member

    @H48W30c0HK: Glad to hear that the test version works fine. Test a few weeks and return with a report :) Thx @AndreDVJ!
  20. Elfew

    Elfew LI Guru Member

    So we have an issue with the new version of dnsmasq?
  21. AndreDVJ

    AndreDVJ Addicted to LI Member

    The issue isn't really with dnsmasq. It looks like that device doesn't like having RFC-6842 (Client-ids in DHCP replies.) being implemented in the DHCP server. We follow RFC's for the sake of compliance, and break compatibility with something else.

    Since Tomato is already hacked up to death, one more hack to make things work won't hurt anybody, once source code becomes a binary :p
    kille72 likes this.
  22. PetervdM

    PetervdM Network Guru Member

  23. AndreDVJ

    AndreDVJ Addicted to LI Member

  24. lubmar

    lubmar Network Newbie Member

    yep it would be nice to have a "simple" and newest (up to date) version ...
  25. feedzapper

    feedzapper Network Newbie Member

    works also fine for me on Netgear R7000 -> 138.14 AIO-64k build
    nice to see OPENVPN 2.4.1 on arm :)
    I run all 2 openvpn clients at same time + 1 openvpn server with LZ4 compression
    meanwile for 4 days - STABLE
    Also tested AndreDVJ builds before , there are not compatible with my configuration from
    shibbys orginal V138 build AIO-64k. (got no WebGUI frontend after update)
    I need to reset to factory default before !
    No time to set all my router configs again :-(
    Last edited: Apr 20, 2017 at 9:14 PM
  26. M_ars

    M_ars Network Guru Member

    You can use toastman versions, its based on v132 with a lot of updates and no multiwan
    kille72 likes this.
  27. edusodanos

    edusodanos Connected Client Member

    Toastman stopped upgrading and fixing bugs in January ...:(and @kille72 became a specialist in Shibby compilations ... if @kille72 have time, you can do a compilation on top of the 132vpn only for testing ...:)
  28. M_ars

    M_ars Network Guru Member

    The latest toastman builds are very stable. What bugs do you mean? I have not read about any problems :)
    Just because it does not include the latest updates of openvpn and so on its not old or does have bugs

    Maybe kille72 will do a special build v132 but i think that is a lot of work... why dont you use the latest multiwan build from kille72? Have not tested the latest build but the source code @ bitbucket looks very good. What is not working for you?
    edusodanos and kille72 like this.
  29. Elfew

    Elfew LI Guru Member

    I think that there wont be any updated build based on v132 from kille. Use Toastman if you dont need multi wan, or use latest kille build
    kille72 likes this.
  30. kille72

    kille72 Networkin' Nut Member

    Toastman compiles versions without MultiWan that are stable and appreciated. My versions containing MultiWan, the goal is to get it better and better. I collaborate with Shibby, AndreDVJ and many others, picking up the best goodies. I don't have time and effort to start a new project and spend hundreds of hours with it, rather I put energy on existing MultiWAN.

    Shibby: multiWAN versions
    Kille72: multiWAN versions with tight updates
    Jacky: AdvancedTomato multiWAN
    Andre: AdvancedTomato multiWAN with tight updates
    Toastman: singleWAN versions
    Last edited: Apr 21, 2017 at 9:49 PM
    M_ars, Elfew and edusodanos like this.
  31. edusodanos

    edusodanos Connected Client Member

    Forgive my ignorance, I figured it was only "swapping" packages to upgrade, not a lot of work and dedications, more thanks to everyone who keeps the tomato very much alive.;)

    I currently use the v138.14vpn (7000)
    M_ars and kille72 like this.
  32. AndreDVJ

    AndreDVJ Addicted to LI Member

    It's not that straight-forward to backport everything that was done on Multi-WAN to 132. Just looking at the commits page of my repo is enough to make me give up of retrofitting code and hacks back to what 132 was.

    I would need to see where AdvancedTomato GUI breaks. All I can do is to compare the GUI's and see if there's something that I would need to change. As far as I know, updating OpenVPN is just a "drag'n drop". If there are Tomato-specific stuff in the source code, I would need to hack them back to the source tree. Also I have been cherry-picking whatever killer72 pushes, just because often I'm lazy to update stuff myself, and git cherry-pick does all the job.
    kille72 likes this.
  33. RMerlin

    RMerlin Network Guru Member

    As a heads-up, you and the other Tomato maintainers might want to take a look at my recent changes to the gencert.sh script used to generate the httpd SSL certificate. A number of changes were recently made to it to better handle newer versions of Chrome and Firefox, which are deprecating the use of the CN field in favor of the SANs:


    There's a few pieces in it that are specific to Asuswrt which will need to be adjusted/removed (like the DDNS part or the hardcoded router.asus.com), but otherwise it would be a fairly simple adaptation for Tomato.

    The discussion that sparked these changes:

  34. feedzapper

    feedzapper Network Newbie Member

    Sorry AndreDVJ,
    maybe i miss understood.
    There is not a only problem for the AdvancedTomatoGUI.
    If i logged in to my normal WebGUI config , i got no regular WEB frontend in HTML.
    Only some points - i don`t no what exatly (i got it not in my brain) were accessible.
    I think there was only "Firmware Update" accessible and some other ones
    without TREE access.
    "ALL" without graphical Interface :-(
    Seems to that all services ran correctly with settings from nvram (also openvpn)
    only WebGUI fails.
    maybe different configs with Administration-> Web Admin settings. ?
    e.g. TTB Themes settings or /+ GUI Files ?
    Ok ok my favorite theme shows ASUS, but the router is always an NETGEAR R7000
    Last edited: Apr 23, 2017 at 9:04 AM
  35. alf5683

    alf5683 Connected Client Member

    Hey :d

    So after 1 week of test I can say it's perfect !!
    I hav tested Multiwan, MultiVlan, virtual wirless, tor, OpenVpn, brandwitch limiter, AdBlock ! And of course Tinc !! the only thing is for tinc, I had to test with raspbian client beacause my RTN16 tinc client's is not update so tinc doesn't work. I think it's normal !

    If we exept the tinc compatibility issue's , it's perfect for me !

    I hope the problem with Radius/WPA2 Enterprise will be fix soon ^^
    William Clark and kille72 like this.
  36. kille72

    kille72 Networkin' Nut Member

    @alf5683: I'm glad that you like it.
    @lancethepants: How is compatibility of 1.1pre14 with earlier versions?
    William Clark likes this.
  37. alf5683

    alf5683 Connected Client Member

    I saw lot of posts, and the problem is very regular... So pre14 run with pre14 and can't run correctly with pre11.
    For my exemple, I havhe this error :
    "Handshake phase not finished yet from client1"

    But some people have a compression issue... (not my case, compressoin "on" or "off" change nothing) So I think the best thing is run pre11 with pre11 ! and wait tinc's team resolve the compatibility issue ! Maybe one day ^^

    For now I reinstalled 138.13-Kille72 for tinc compatibility.
  38. kille72

    kille72 Networkin' Nut Member

    Shibby's v140 for MIPS will contain Tinc 1.1pre14 for your RT-N16 :)
    Last edited: Apr 23, 2017 at 11:07 AM
  39. edusodanos

    edusodanos Connected Client Member

    Will it be released version 139? He is already testing the 140 ...
  40. kille72

    kille72 Networkin' Nut Member

    No official version 139, it was just a test-version. The official version will be 140.
  41. alf5683

    alf5683 Connected Client Member

    And we have to waiting patiently :d !!
  42. Elfew

    Elfew LI Guru Member

    1. Problem with Radius/WPA2 Enterprise (since MultiWAN)
    2. "Tweak" Switch3/4g/Watchdog
    3. Slow 2.4GHz WiFi Netgear R6400
    4. Problem with Wireless Client Mode (since MultiWAN)
    5. Modeminfo in GUI
    6. UPS ON/OFF in GUI
    Will be #2 and #5 available in v140? Dont you know?
  43. kille72

    kille72 Networkin' Nut Member

    #1: Shibby would look at this problem, I don't know if he's done with any fix in version 140.
    #2: It's my and Pedros project, we're testing it now. I come later with test versions 140.x that contain news for testing.
    #3: According to Shibby, it's hard to fix it without new drivers.
    #4: Has it ever worked?
    #5: NeoX is working on this project, now he paused so I do not know when it's ready.
    #6: Available in version 140.
    #7: Pedro and I also work with, Clean/Modify Tomato UI according to the Web Consortium W3C standard.
    #8: Tomato Autoupdate system will inform about new versions by Kille72 (in my builds).

    There will be some more news in version 140 by Shibby, you'll see soon :)
    Last edited: Apr 23, 2017 at 8:55 PM
    William Clark and M_ars like this.
  44. lancethepants

    lancethepants Network Guru Member

    In my tinc thread I have this.

    I was hoping 1.1 final was coming soon, but it has been years with only a few more pre-releases since. There are ways around tinc versioning if you can't upgrade all your routers at once. Pretty much mount binding static binaries stored in jffs over top the ones built in tomato. It's what I've done in the past.
    kille72 likes this.
  45. AndreDVJ

    AndreDVJ Addicted to LI Member

    Chrome 58 indeed complains about SAN missing, but still renders stuff correctly (I use AT GUI, no idea about the default GUI, neither I care).

    I tried to update this using several approaches, but ended up ripping off your code for the most part.


    Regarding this:
    Obsolete Connection Settings
    The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).

    I have no idea how to generate a key with a different algorithm.

    I wanted somehow to keep the epoch stuff when we generate certificates, but I had compilation issues that drove me so mad that I got rid of all hacks in the source. Binary size got up by 100KB but I don't care anymore. At least I don't have to worry anymore about getting back all hacks in place when updating OpenSSL.


    I am known of breaking stuff, so I initially didn't want to push my changes to my repo but did anyway. If anyone knows anything else that requires OpenSSL, let me know.

    If anyone has anything to suggest as an improvement, feel free to do so, otherwise I'm done with that script. It doesn't look good, but it works at my end.
    William Clark and kille72 like this.
  46. AndreDVJ

    AndreDVJ Addicted to LI Member

    I am also pushing R7000 build (what's running on my router) and an AC68U build in my repo. Well since these two devices are the most popular ARM ones, will be easier to hear out if I broke something else.
    kille72 likes this.
  47. RMerlin

    RMerlin Network Guru Member

    Make sure you implemented ECDHE support in mssl. My commits are here:


    Also note that some versions of Safari have broken ECDHE support. I'm not sure if disabling it for Safari is still relevant today, I haven't revisited that code since I initially implemented it.
  48. AndreDVJ

    AndreDVJ Addicted to LI Member

    Shibby implemented: https://bitbucket.org/pl_shibby/tomato-arm/commits/d5514b3cc69da85c17380920f978788e1be14aae

    And yes I found by myself what broke. Rebooting the router, web interface starts before WAN, so router is still back at the start of UNIX's epoch time. Certificate gets created and is valid from that time until January 1st 1980.

    I'm no good with OpenSSL, but I will try something to set these dates. Hacking back setstartsecs can be an option.
  49. RMerlin

    RMerlin Network Guru Member

    I believe that's why Asus uses the SECS global var, tho I never really investigated that specific bit.

    I remember openssl also used to have a patch related to certificates, but I can't remember what it was for - been years since I've upgraded from the heavily patched openssl to a more vanilla-one. There was one specific patch which I've kept at the time.

Share This Page