Reducing NVRAM usage

Discussion in 'Tomato Firmware' started by Robby, May 30, 2017.

  1. Robby

    Robby Reformed Router Member

    So, we all know about the issue of going over 32KB NVRAM usage and the problems it can cause. Or whatever the exact tipping point is, because it's not exactly 32KB for me, it's a little bit more. If I remember correctly, the highest I could go was about 35KB and not have issues.

    I have a Linksys E3200 running AdvancedTomato 3.4-140 and in an effort of freeing up some NVRAM space (documented below) I also found the sshd_dsskey setting. If this setting was left empty (or removed altogether) it would free up some more space. Starting from OpenSSH version 7.0 the ssh-dss (DSA) public key algorithm was deprecated anyway and should no longer be used because of it being weak. So this would be a win-win.

    Freeing up some space: If you know what you're doing and you do not use any of this functionality, you can free up around 3KB of NVRAM space by going through the settings and steps specified below:
    Advanced Settings - Access Restriction
    Access Restriction Overview
     Click the example, scroll down, click Delete.
    Advanced Settings - Adblock
     Delete all the URLs, then click Save.
    Port Forwarding - Basic
    Basic Port-forwarding
     Delete all the forwards, then click Save.
    Port Forwarding - Triggered
    Triggered Port-Forwarding
     Delete all the forwards, then click Save.
    Quality of Service - Classification
    QOS Classification Rules
     Delete all the rules, then click Save.
    USB & NAS - File Sharing
    Additional Shares List
     Delete all the shares, then click Save.
    USB & NAS - Media Server
    Media Directories
     Delete all the directories, then click Save.
    This is about as good as it gets when freeing up some space through the WebGUI.

    I know there are shell commands going around the Internet to free up space, such as:
    nvram show | grep "=$" | awk -F= '{print "nvram unset " $1}' | sh
    for line in `nvram show | grep =$ `; do var=${line%=}; nvram unset $var; done
    but I don't really like to do this as it can potentially break components inside the firmware that expect the setting to be there, even if it contains an empty value.

    @shibby20: Would it be possible to disable DSS/DSA in dropbear and remove sshd_dsskey from NVRAM? It would free up about 624 bytes of extra space.
    PS: dropbear 2017.75 was released 11 days ago, if only it was released a bit sooner, so that it was in time for firmware v140. ;)
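    As an added example (not the poster's code), this script parses the text `nvram show` prints and reports what each variable costs, which empty variables the circulating one-liners would remove, and the total, so the gain from clearing a setting can be measured before touching it. The sample input is constructed; on the router the same functions would be fed `nvram show 2>/dev/null`.

```sh
#!/bin/sh
# Added example, not from the thread: size up what each NVRAM variable costs
# from the text "nvram show" prints. Each entry is stored as "name=value"
# followed by a NUL terminator, so it costs length(name)+1+length(value)+1 bytes.
# Caveat: values containing newlines (scripts, key blobs) span several lines of
# "nvram show" output and are not reassembled by this line-based parser.

# Constructed sample in "nvram show" format (on the router: nvram show 2>/dev/null).
SAMPLE='sshd_dsskey=AAAAB3NzaC1kc3MAAACBAP
sshd_enable=1
adblock_blacklist=
rrule1=
wan_hostname=router'

# nvram_total_bytes TEXT -> total bytes consumed by all entries in TEXT
nvram_total_bytes() {
    printf '%s\n' "$1" | awk 'NF { n += length($0) + 1 } END { print n + 0 }'
}

# nvram_sizes TEXT -> "bytes name" per entry, largest first
nvram_sizes() {
    printf '%s\n' "$1" | awk -F= 'NF >= 2 { print length($0) + 1, $1 }' | sort -rn
}

# nvram_empty_vars TEXT -> names whose value is empty (what the unset one-liners
# would remove); each of these costs only length(name) + 2 bytes
nvram_empty_vars() {
    printf '%s\n' "$1" | awk -F= 'NF >= 2 && $2 == "" { print $1 }'
}

# nvram_entry_bytes TEXT NAME -> bytes consumed by one named entry (0 if absent)
nvram_entry_bytes() {
    printf '%s\n' "$1" | awk -F= -v name="$2" \
        '$1 == name { print length($0) + 1; found = 1 } END { if (!found) print 0 }'
}

printf 'total: %s bytes\n' "$(nvram_total_bytes "$SAMPLE")"
nvram_sizes "$SAMPLE"
printf 'empty: %s\n' "$(nvram_empty_vars "$SAMPLE" | tr '\n' ' ')"
```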
  2. alpovs

    alpovs Networkin' Nut Member

    Can you enlighten me why it is bad to go over 32kB of NVRAM usage and what problems it can cause? I am using 38.1kB at the moment and it has been like this for years without any problems. Currently it's an Asus RT-AC68P router, before it was Asus RT-N66U with 64kB NVRAM. Never noticed any issue. And I write bandwidth monitoring data to NVRAM every 3 days. Shibby Tomato.
  3. dc361

    dc361 Network Guru Member

    Many of the older generation routers only had 32kB of NVRAM. Most today have 60, 64kB or more.
  4. Elfew

    Elfew Network Guru Member

    @kille72 - what do you think, is it needed?
  5. kille72

    kille72 LI Guru Member

    For MIPS, yes, and 32kB ARM.
  6. alpovs

    alpovs Networkin' Nut Member

    That's understood. But the OP wrote:
    implying OP's router has more than 32kB of NVRAM...
  7. dc361

    dc361 Network Guru Member

    Ahh.. missed that .. thanks for pointing that out. I guess I was just replying to alpovs' comment.
  8. Robby

    Robby Reformed Router Member

    Yes, my device has 60KB NVRAM.
  9. alpovs

    alpovs Networkin' Nut Member

    So, what is the issue that "we all know about the issue of going over 32KB NVRAM usage and the problems it can cause", as you write?
  10. Robby

    Robby Reformed Router Member

    Well, the most notable issues are that wifi stops working and that settings are lost upon reboot.
  11. AndreDVJ

    AndreDVJ LI Guru Member

    My main concern with unsetting these NVRAM variables is impacting users who authenticate to their routers using a private key. We never know which algorithm they used, whether DSS/DSA, RSA or ECDSA.
  12. Robby

    Robby Reformed Router Member

    I understand, but I believe it's safe to say that most, if not all, are using RSA or ECDSA nowadays, and if not, they should. A note can be added to the changelog indicating that DSS/DSA has been removed and that users should upgrade their private keys prior to flashing a new firmware version. If they can flash custom firmware and set up ssh with authentication through a private key, they surely are able to accomplish this too. I don't think we should keep supporting weak algorithms forever, I think the time has come to say goodbye to it, just like OpenSSH has been doing since August of 2015.
  13. Joseph Deck

    Joseph Deck Network Newbie Member

    I know this is a somewhat old topic....

    I want to use an Asus RT-N16 for a VPN server. Unfortunately, on this old device with only 32K NVRAM, with recent versions of Fresh Tomato and recent versions of OpenVPN using 4096 key size, there is not enough NVRAM space to hold the necessary keys.

    I have found the following works in this situation.

    1) mount some external storage (I am using a network-attached file server mounted at /cifs1, but a locally-attached USB flash drive would also work.)

    2) copy the ca and server .crt files, the server .key file, and the Diffie-Hellman .pem file to suitably-named files on the storage

    3) point the server to these files by entering lines like these in the Custom Configuration of the VPN Server Advanced setup page:
    ca /cifs1/ca.crt
    dh /cifs1/dh.pem
    cert /cifs1/serv.crt
    key /cifs1/serv.key
    (the first argument on each line should be copied verbatim; the second argument would be modified as required depending on where you have mounted your storage and the file names you have chosen.)

    4) make sure the edit boxes on the VPN server - Keys page are empty

    To avoid the problem that the external storage might not be mounted yet when the startup script tries to start the vpn, you can un-check the "Start with WAN" box and instead start the VPN by putting the following script into a scheduler task and executing it periodically. (I execute this every 15 minutes.) This method has the added advantage that if the VPN server crashes, the script will attempt to restart it. However, the VPN server will not be available for a few minutes after the device is booted.

    # Test whether the openvpn server is running, and restart it if needed
    # Tomato runs OpenVPN server 1 as the service "vpnserver1" (assumed name; adjust for your setup)
    serverName=vpnserver1
    # test - PID or empty.
    runTest=`pidof ${serverName}`
    # restart if no PID was found
    if [ "${runTest}" = "" ]; then
        service ${serverName} start
        logger "Started VPN, pid: " `pidof ${serverName}`
    fi
    If using a flash drive, you can skip this step and just check the "Start with WAN" box.
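    As an added example (not the poster's script), this watchdog handles the failure mode described above directly: it only issues the start when the files the custom configuration points at are readable on the external storage, and otherwise logs that the mount is not there yet. It assumes the key files live under /cifs1 with the names used in the post and that Tomato runs server 1 as the service "vpnserver1".

```sh
#!/bin/sh
# Added example, not the poster's script: scheduler-task watchdog that starts
# the OpenVPN server only once its keys are readable on the external storage,
# and restarts it if it has died. Assumed: keys under /cifs1 as in the post,
# and the Tomato service name "vpnserver1" (adjust serverName if yours differs).
serverName=vpnserver1
keyDir=/cifs1

# vpn_keys_present DIR -> 0 when every file the custom config references is readable
vpn_keys_present() {
    for f in ca.crt dh.pem serv.crt serv.key; do
        [ -r "$1/$f" ] || return 1
    done
    return 0
}

# vpn_decide PIDLIST DIR -> prints the action: running (already up),
# start (down and keys available) or skip (down but storage not mounted yet).
# Free of side effects so the decision can be tested on its own.
vpn_decide() {
    if [ -n "$1" ]; then
        echo running
    elif vpn_keys_present "$2"; then
        echo start
    else
        echo skip
    fi
}

# vpn_watchdog -> apply the decision to the live system and log what happened
vpn_watchdog() {
    case "$(vpn_decide "$(pidof "$serverName")" "$keyDir")" in
        start)
            service "$serverName" start
            logger "Started VPN, pid: $(pidof "$serverName")" ;;
        skip)
            logger "VPN keys not readable under $keyDir, storage not mounted yet?" ;;
    esac
}

# Only act where Tomato's service command exists, i.e. on the router itself.
command -v service >/dev/null 2>&1 && vpn_watchdog
```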