Skip to main content
Asuswrt-Merlin Changelog

3004.388.8 (xx-xxx-2024)
  - NEW: Rewrote VPN killswitch implementation.  The new method
         uses an always present routing rule to prohibit access to
         the main routing table, so it will be active even if the
         user manually stops a client.  Removing the prohibit rule
         requires disabling the killswitch on the webui.
         The rules are also created before WAN goes up, to reduce
         the risks of leaks between WAN going up and VPN connecting.
  - NEW: Added killswitch support for WireGuard clients.
  - UPDATED: Chart.js was upgraded from 2.x to 3.9, to share the
             same version used by Asus.  Any third party addon
             that used it will need to upgrade their charts to
             the new version.
  - UPDATED: wget to 1.24.5.
  - CHANGED: Removed stop/start and "Start with WAN" buttons from
             OpenVPN clients.  There is now just a single
             "Enable" option, which will immediately start the
             client when applying changes, and will also start it
             automatically when WAN comes up.  This is to reduce
             confusion, better integrate into SDN, and match how
             WireGuard clients already worked.
  - FIXED: JS error on Wifi 6e/7 models when toggling DDNS.
  - FIXED: Couldn't mount CIFS shares on the router for BCM4912 devices
  - REMOVED: Wifi Radar was removed (unsupported by Wifi 7 devices,
             and security issues cited by Asus in their own recent

3004.388.7 (26-Apr-2024)
  - NOTE: RT-AX56U is exceptionally included in this release.

  - NEW: IGD2 support for UPNP/PCP.  This will allow IPv6 pinhole
         support for clients.  It must be enabled on the WAN
         page.  Existing pinholes will be listed on the
         System Log -> IPV6 page.

         Note that IGDv2 has compatibility issues with various
         clients that do not properly follow the standard.
  - UPDATED: Openvpn to 2.6.10.
  - UPDATED: wsdd2 to 2023-12-21 snapshot.
  - UPDATED: miniupnpd to 2.3.6.
  - UPDATED: wireguard kernel to v1.0.20220627.
  - UPDATED: wireguard tools to 2023-08-04 snapshot.
  - UPDATED: dropbear to 2024.84.
  - UPDATED: strongswan to 5.9.13 (fixes CVE-2023-41913)
  - CHANGED: Hardcoded location of the CA bundle in inadyn, so it
             no longer needs to be manually defined in custom
  - CHANGED: Re-designed Tools->Sysinfo page, adding graphs
             and removing useless content.
  - CHANGED: Updated free memory report on networkmap to also
             consider reclaimable memory as being free (kjbracey)
  - CHANGED: "Prevent client auto DoH" will also prevent the use of
             Apple's iCloud Private Relay.
  - CHANGED: NAT Passthrough page - removed the "Enabled + NAT
             Helper" option as the firewall no longer blocks
             traffic when set to disabled.  This is back to the
             former behaviour, where this setting only controls
             whether or not to load the NAT helper.  You might
             need to readjust that setting if you had previously
             changed it.
  - CHANGED: SIP, RTSP and H323 ALG (NAT helpers) are now
             disabled by default, as these legacy features tend
             to create issues with modern VoIP setups.
             This change will only apply to people doing a
             factory default reset of their router.
  - FIXED: Concurrent cronjob changes through cru could cause
           collisions, leading to missing jobs (dave14305)
  - FIXED: crond would not use the new timezone if it got changed.
  - FIXED: MiniDLNA web interface could only be accessed through an
           IP address (regression in 3004.388.6).
  - FIXED: CVE-2023-5678 & CVE-2024-0727 in openssl (backport from
           Ubuntu by RSDNTWK)
  - FIXED: Long lists on System Log -> Connections tab could result
           in a timeout (Sani Huttunen)
  - REMOVED: Temperature page (charts are now part of the redesigned
             Tools->Sysinfo page).

3004.388.6_2 (26-Feb-2024)
  - UPDATED: dnsmasq to 2.90 (resolves CVE 2023-50868 and CVE 2023-50387).
  - FIXED: LACP support was missing on the XT12.

3004.388.6 (20-Jan-2024)
  - NOTE: Since Asus provided GPL code for the RT-AX56U, this model
          will exceptionally be included with this release, despite
          still being considered being end-of-life.

  - NOTE: Asus reworked the way SSL certificates are handled in
          24353.  The automatic conversion code does not always
          work properly, you might need to force your router
          to re-generate its SSL certificates by toggling the
          SSL mode on the DDNS page.

  - NEW: Added ethtool to the firmware.
  - UPDATED: Merged GPL 388_24353.
  - UPDATED: nano to 7.2.
  - UPDATED: ncurses to 6.3.
  - UPDATED: OUI database used by networkmap and the webui.
  - FIXED: CVE-2023-48795 in dropbear.
  - FIXED: e-Learning category not always properly identified
           on the Classification/Stats page.
  - FIXED: Incorrectly report 2.4 GHz as being disabled when
           disabling 6 GHz on the GT-AXE16000.
  - FIXED: UPNP leases without a description would not appear
           on the Forwarded Ports page.

3004.388.5 (2-Dec-2023)
  - UPDATED: OpenSSL to 1.1.1w.
  - UPDATED: Curl to 8.4.0.
  - UPDATED: OpenVPN to 2.6.8.
  - CHANGED: Enable fast-io for OpenVPN clients and servers that
             use UDP, which will speed up performance on some models.
  - CHANGED: You can now directly enter an IPv6 address on the
             Network Tools page as a target.
  - CHANGED: Display tracked connections on the QoS/Classification
             page even if QoS isn't set to Adaptive QoS.
  - CHANGED: QOS/Classification page can now resolve local IPv6
  - CHANGED: Allow custom MTU for Wireguard clients (patch from
  - FIXED: CIDR-formatted addresses were rejected on the Network
           Filter page.  Implemented temporary workaround.
  - FIXED: Various issues with the QOS Classification page.
  - FIXED: Netfilter TEE kernel module is missing.
  - FIXED: OpenVPN client state getting cleared when Wireless
           was being restarted.
  - FIXED: Networkmap wasn't recognizing the GT-AX11000_PRO as
           having USB 3.0 ports

3004.388.4 (21-Aug-2023)
  - NOTE: In preparation for the new codebase, the version
          string will now start with 3004 or 3006 to match with

  - NOTE: The RT-AX56U is no longer supported, as Asus has put it
          on End-of-Life status, and the previous Asuswrt-Merlin
          388 releases for that model were all based on untested

  - NEW: Display channel utilisation for supported platforms on the
         Wireless Log page.
  - UPDATED: Merged GPL 388_23588.
  - UPDATED: curl to 8.1.2.
  - UPDATED: OpenVPN to 2.6.5.
  - UPDATED: openssl to 1.1.1u.
  - UPDATED: tor to
  - CHANGED: FTP server will now only support strong ciphers
             in TLS mode.
  - FIXED: QOS Classification showing no Upload data on some
           WAN configurations.
  - FIXED: Radio temperature graphs weren't updating
  - FIXED: XT12 proximity pairing wasn't working (missing
           bluetooth firmware)
  - REMOVED: Ethernet port status from the Tools Sysinfo page
             (as this is redundant with Asus' own display
             now available on the networkmap page).

388.2_4 (17-Aug-2023)
  - NOTE: This release is only for the GT-AXE11000.

  - UPDATED: Critical Wireless driver update, Asus strongly
             recommends updating.

388.3 (9-June-2023)
  - NOTE: This release is only available for the RT-AX88U_Pro.

  - NEW: Merged with GPL 388_23110, adding support for a new
         RT-AX88U PRO hardware revision.

388.2_2 (7-May-2023)
  - UPDATED: Merged GPL 388_22668 for the XT12 (only)
  - UPDATED: OpenVPN to 2.6.3.
  - FIXED: QoS Status page wouldn't display Upload stats
           if the WAN interface was set to a secondary
           2.5G/10G port instead of the default WAN port.
  - FIXED: dnsmasq may crash if no DNS server is configured
           (fix backported from dnsmasq upstream)
  - FIXED: Missing GPY211 driver for the XT12 and for certain
           hardware revisions of other HND 5.04 models.

388.2 (12-Apr-2023)
  - NOTE: This release is currently not available
          for the XT12 due to issues with that model's GPL.

  - NEW: Added support for the RT-AX88U Pro.
  - NEW: Merged with GPL 388_22525.
  - NEW: Added Site Survey page under Network Tools tab.  This is
         the same network scan that is available for pre-HND
         models, with Wifi 6E support added.
  - UPDATED: dnsmasq to 2.89.
  - UPDATED: openvpn to 2.6.2.  If your client fails to connect
             then your custom settings must contain settings no
             longer supported by OpenVPN 2.6.  Review the System
             Log, then remove unsupported settings that are
             reported in your log.
  - UPDATED: nettle to 3.8.1.
  - UPDATED: inadyn to 2.10.0.
  - UPDATED: dropbear to 2022.83.
  - UPDATED: miniupnpd to 2.3.3.
  - UPDATED: openssl to 1.1.1t.
  - UPDATED: curl to 8.0.1.
  - CHANGED: moved WiFi Radar to the Network Tools tab.
  - CHANGED: Disabled auto logout on System Log and Wireless Log
  - CHANGED: Reduced EDNS packet size from 1280 to 1232 bytes in
             dnsmasq, to better work with some upstream servers
             not fully supporting EDNS0.
  - CHANGED: Allow empty fields on WireGuard Client page if the
             client is disabled.  This allow users to manually
             clear settings when they are no longer using a client.
  - FIXED: NTP redirection wouldn't work properly with Guest
           Network, removed redirection for these.
  - FIXED: Added missing Tools icon on ROG UI (icon contributed
           by Cody).
  - FIXED: DDNS was being refreshed every time IPv6 bound6() event
           occured even if IPv6 DDNS update was disabled.
  - FIXED: Wireless Log wouldn't properly show IPv6 address
           for clients with multiple addresses.
  - FIXED: ICMPv6 pings would be dropped when DoS protection
           was enabled (regression in 388.1).

388.1 (3-Dec-2022)
  - NOTE: This release is only available for AX models.
          AC models will remain on the 386_xx release branch.

  - NEW: Add RT-AX86U_PRO support.
  - NEW: Merged with GPL 388_20566 (RT-AX88U and GT-AX11000)
  - NEW: Merged with GPL 388_21224 (all other AX models)
  - NEW: Experimental ROG UI version for GT models, as a separate
         firmware image within the distribution archive, with
         "_rog" in the filename.
  - NEW: (Asus 388) WireGuard client and server.  The server uses
         the new 388 VPN server webui.  Implemented a webui for
         clients, based on the early development UI from Asus.

         WG client routing is handled by VPN Director - you must
         configure redirection rules through it, same as on stock
         firmware which requires configuring rules through
         VPN Fusion.

         DNS handling will be identical to OpenVPN's Exclusive DNS
         mode, forcing clients to use the DNS provided by it
         (if any is provided).

         Note that enabling WireGuard will disable hardware
         NAT acceleration due to compatibility reasons.

  - NEW: httpd support for EC certificates (Ivan Kruglov)
  - UPDATED: getdns/stubby to 1.7.2/0.4.2.
  - UPDATED: zlib to 1.2.12 + backports.
  - UPDATED: openssl to 1.1.1s.
  - CHANGED: Rebranded DNSFilter as DNS Director.  This will prevent
             confusion with the company sharing the same name, and
             also better describes what the feature does.
  - CHANGED: Setting an OpenVPN client to redirect all traffic while
             in "Exclusive" DNS mode will now force redirect ALL
             DNS traffic just like in VPN Director mode.
             While this will allow redirecting clients with
             hardcoded DNS servers, it also means that your whole
             LAN will lose the ability of doing local name
             resolution.  It might be best to use VPN Director
             in that case to control which client should
             be involved in the DNS redirection, or use
             DNS Director instead of Exclusive DNS mode.
  - CHANGED: (Asus 388) nvram storage increased to 192 KB on newer
             HND 5.04 devices like the GT-AXE16000.
  - CHANGED: Reworked VPN Status page to only show currently
             active services.
  - CHANGED: Reworked VPN Director page design, added buttons to
             access a client's settings page, and allow leaving
             both source and destination IPs empty (for "all").
  - CHANGED: Optimized VPN Director WAN and DNS rule creation, so
             they no longer get re-created multiple times when
             editing VPNDirector rules.
  - CHANGED: Switched generated self-signed certificate to an
             EC certificate.
  - CHANGED: Disabled DSS key support in Dropbear SSH.
  - FIXED: Wrong temperatures used by the temperature graphs
           (386.8 regression)
  - FIXED: CVE-2022-37434 in zlib.
  - FIXED: GT-AXE16000 random reboots when using an OpenVPN
           client with VPN Director and Adaptive QoS.
  - FIXED: Clients connected to Guest Network 1 aren't
           redirected if NTP interception is enabled.
  - FIXED: Name was truncated to 31 chars when enabling OpenVPN client's
           Server Certificate Name Validation.
  - REMOVED: Interface selector on Speedtest page (no longer
             working, possibly due to an ookla client update)
  - REMOVED: NAT Type setting on HND 5.04 devices (fullcone is
             not supported by kernel 4.19, so it wasn't working)

386.8 (13-Aug-2022)
  - NOTE: This release is only available for the RT-AX88U as
          well as the two new models listed below.
  - NEW: Added support for the GT-AXE16000.
  - NEW: Added support for the GT-AX11000_Pro.
  - NEW: Added support for new RT-AX88U hardware revision.
  - UPDATED: Merged with GPL 386_49634.
  - CHANGED: Re-enabled IPv6 DDNS support.
  - CHANGED: Once again block router DNS access over IPv6 when
             using DNSFilter on a pre-HND model (reverted back
             to 386.7 behaviour for that scenario)
  - FIXED: inaccurate nvram usage on Sysinfo page for some HND
           models.  Now accurately report kernel nvram usage.
  - FIXED: WiFi Radar page alignment.
  - FIXED: AiMesh node new firmware popup would use the device model
           (like RT-AC66U_B1) rather than the product id (like
           RT-AC68U) for the generated download URL.
  - FIXED: OVPN client with DNS set to strict had lower priority
           than DNSPrivacy servers.
  - FIXED: IPv6 DNS may be missing if DNSPrivacy is enabled.
  - FIXED: Wifi Radar pages missing on XT12.
  - FIXED: QRcode failing to generate if the SSID contained unicode
           characters (like emojis or other UTF8 entities)

386.7_2 (24-July-2022)
  - UPDATED: openssl to 1.1.1q.
  - UPDATED: RT-AX86U driver + SDK updated to latest upstream version
  - UPDATED: RT-AX88U and GT-AX11000 radio firmware downgraded to the
             previous version.
  - FIXED: Some ISPs would fail to allocate a proper IPv6 prefix (tvlz)
  - FIXED: Packet checksum errors logged when using DNSFilter in Router
           mode.  Router mode will no longer use DNAT, except for newer
           HND 5.04 models like the GT-AX6000 or XT12, which work
           properly.  Non-Router mode on HND will still use
           the new DNAT support added in 386.7.
  - FIXED: Some SSH clients would end up with an incorrect PATH
           value for the default search path.
  - FIXED: OpenVPN clients wouldn't get updated routing tables
           if an OpenVPN server was stopped/started while an
           OpenVPN client was connected

386.7 (22-June-2022)
  - NEW: IPV6 support for DNSFilter for HND router models.
         Custom settings can also let you specify IPv6 servers.
         These (as well as providers that support IPv6) will
         now also get intercepted and redirected like the IPv4
         DNS servers are.
  - UPDATED: Merged with 386_49335 GPL for the RT-AC5300.
  - UPDATED: Merged with 386_48966 GPL for all other models.
  - UPDATED: openssl to 1.1.1o.
  - UPDATED: haveged to 1.9.18.
  - UPDATED: openvpn to 2.5.7.
  - UPDATED: tor to
  - CHANGED: dhcpc-event now has a second parameter that will
             contain "4" or "6" depending on the IP protocol of
             the event (dave14305)
  - FIXED: JFFS backup/restore functions not working on XT12
           and GT-AX6000.
  - FIXED: CVE-2022-0934 in dnsmasq (backport)
  - FIXED: CVE-2022-26376 (reported by Cisco Talos, fixed by Asus)
  - FIXED: DNSFilter client list was limited to around 10 clients
           on some models.
  - FIXED: AuraRGB could be re-enabled on reboot if it was
           previously disabled.
  - FIXED: Wifi LEDs wouldn't turn back on when re-enabling
           LEDs on the RT-AX86S.

386.6 (20-Apr-2022)
  - NOTE: This release is only available on the GT-AX6000
          and XT12.
  - NEW: Added support for the GT-AX6000.
  - NEW: Added support for the ZenWifi Pro XT12.
  - NEW: Added Cloudflare and AdGuard to DNSFilter services.
  - NEW: Added option to enable/disable IPv6 support to OpenVPN
         server.  This is disabled by default.
  - NEW: Added NAT support for OpenVPN server in IPv6 mode.
         This allows to redirect IPv6 Internet traffic
         through your OpenVPN server.
  - UPDATED: Merged with GPL 386_47885.
  - UPDATED: wget to 1.21.3.
  - UPDATED: dropbear to 2022.82.
  - CHANGED: Reworked DNSFilter page design.
  - CHANGED: Allow requesting bigger IPv6 subnets from
             your ISP (Tvlz)
  - CHANGED: Allow hostuniq PPPoE value of up to 256
             characters long.
  - FIXED: Traditional QoS download traffic limited by
           upstream bandwidth (dave14305)

386.5_2 (25-March-2022)
  - UPDATED: openssl to 1.1.1n.
  - UPDATED: openvpn to 2.5.6.
  - CHANGED: Added Wireguard module + userspace tool to
  - FIXED: Only a few DNSFilter clients are supported
           on HND models (entries limited to 255 chars).
  - FIXED: Security issue in AiCloud (backport from Asus)
  - FIXED: Cannot enable Adaptive QoS under certain scenarios
           on pre-HND router models.

386.5 (2-March-2022)
  - NEW: Added support for the RT-AC68U V4.  All
         RT-AC68U models are using a combined
         firmware file (like stock firmware),
         with both firmwares within the same file.
  - NEW: Added support for the GT-AXE11000.
  - NEW: Added config option for the Boost key on
         GT models.  The option can be found on the
         Administration -> System page.
  - NEW: Basic IPv6 support for TQoS (Kevin Bracey)
  - UPDATED: Merged with GPL 386_46065.
  - UPDATED: Reverted dnsmasq from 2.86 to 2.85.
  - UPDATED: miniupnpd to 2.3.0.
  - UPDATED: avahi to 0.8 + a few backports.
  - CHANGED: Improved accuracy of overhead parameters
             in Traditional QoS (Kevin Bracey)
  - CHANGED: Report download stats for TQoS (Kevin Bracey)
  - CHANGED: Report DFS scanning state for both 5 GHz bands
             if appropriate on tri-band models
  - CHANGED: Enabled pass_persist support in net-snmp.
  - FIXED: Various TQoS issues (Kevin Bracey)
  - FIXED: enabling/disabling 802.11b rates wouldn't get saved
           to nvram.
  - FIXED: netatalk failing to load extensions.
  - FIXED: Large swapfiles reported the incorrect size on
           the Tools page (Kevin Bracey)
  - FIXED: User accounts would not show as connected on
           the OpenVPN server username list if a remote
           client connected over IPv6.
  - FIXED: Earlier syslog content was missing on RT-AX86U
           and RT-AX68U after a reboot.
  - FIXED: WAN monitoring could fail if using IPv6 and
           DNS Rebind protection was enabled.
  - FIXED: RT-AX86U syslog could be truncated after a reboot.
  - FIXED: Toggling FTP WAN access without applying settings
           wouldn't reconfigure the FTP server properly.
  - FIXED: Non-functionning TrendMicro features on the
           RT-AX68U and RT-AX86U (reverted kernel components
           to the previous version).

386.4 (1-Jan-2022)
  - NEW: Added support for the RT-AX86S (uses the same firmware
         as the RT-AX86U).
  - NEW: Added wireguard kernel module + userspace tool to
         HND models firmware images.
  - NEW: IPv6 support for OpenVPN server.  Allows to remotely
         connect to your router's OpenVPN server over IPv6, and
         reach LAN clients over their IPv6 (redirecting IPv6
         Internet traffic does not work).
  - UPDATED: Merged with GPL 386_45958 + a few newer patches
             from Asus.
  - UPDATED: curl to 7.79.1.
  - UPDATED: vsftpd to 3.0.5.
  - UPDATED: openssl to 1.1.1m.
  - UPDATED: wget to 1.21.1.
  - UPDATED: nettle to 3.7.3.
  - UPDATED: dnsmasq to 2.86.
  - UPDATED: openvpn to 2.5.5.
  - UPDATED: tor to
  - UPDATED: miniupnpd to 2.2.3-git 20211017.
  - UPDATED: inadyn to 2.9.1.
  - UPDATED: CA bundle to 2021-12-13.
  - UPDATED: amtm to 3.2.2 (thelonelycoder)
  - CHANGED: replaced jitterentropy-rngd with haveged.
             It uses more resources, but it works
             properly on older platforms, and is
             generally less CPU intensive in regular
             use.  This is implemented for all router
  - CHANGED: Switched dnsmasq crypto backend to nettle.
  - CHANGED: Switched to Asus's own dhcp hostname support.
             Existing dhcp_hostnames entries will be
             converted on first boot.
  - CHANGED: miniupnpd will now be supplied the public WAN
             IP to improve compatibility with dual NAT
  - CHANGED: Disabling Auto DoH will now also disable
             Windows' new Discovery of Designated
             Resolvers (DDR) feature.
  - FIXED: Wrong interface might be used for the default
           gateway in an openvpn client routing table.
  - FIXED: Generated OpenVPN certs used SHA1 signatures
           instead of SHA256 (regression from 386.1)
  - FIXED: Various issues with protocol handling when
           importing an ovpn client file.
  - FIXED: IPv6 not working while in Dual WAN mode.
  - FIXED: Failed OpenVPN client connections might sometime
           be stuck with a "Connecting" state.
  - FIXED: NTP sometimes failing to update at boot time
           when using IPv6.
  - FIXED: Changes done by firewall-start may be lost after
           ddns service gets stopped when using tunnelbroker

386.3_2 (6-Aug-2021)
  - NOTE: closed down the Issue tracker on Github, as 90%
          of it was people asking for technical support,
          or failing to use the supplied submission form.
  - CHANGED: Re-disabled jitterentropy-rngd on non-HND
             models.  It kept using CPU time every two
             seconds and had a very marginal impact on
             the entropy pool (which it never could push
             above the target threshold of 1024).
  - CHANGED: Moved the "Redirect Internet traffic" setting on
             the OpenVPN Client page to the Network Settings
             section to increase its visibility, as too many
             users are forgetting to configure it.
  - CHANGED: Display "Internet traffic not redirected" instead
             of "Public IP Unknown" on the OpenVPN Client
             status display when Redirect Internet traffic
             is set to "No".
  - FIXED: Only the first OpenVPN client would be used if
           you had multiple clients connected and the first
           one had a Redirect Internet set to "No".  Now,
           setting this to "No" means that client's routing
           table will no longer get a default gateway
           configured, allowing traffic to be processed
           by other RPDB tables if there wasn't a matching
           route within that client's table.
  - FIXED: IPV6-compatible DNSFilter servers weren't
           properly configured in dnsmasq.
  - FIXED: DNSFilter client rules may get corrupted after a

386.3 (23-July-2021)
  - NOTE: First time you boot into this version, you need to
          either shift-reload the main index page, or clear
          your browser cache.

  - NEW: Introducing VPN Director, which replaces the original
         policy routing management interface for OpenVPN clients.
         A bit similar to Asus's own VPN Fusion, OpenVPN routing
         rules are now managed through a central web interface,
         and they are stored in JFFS instead of nvram, to allow
         creating more rules, and free up some nvram for
         nvram-limited devices such as the RT-AC68U.
         See the Wiki for more information.

  - NEW: Added QR codes to the networkmap as well as the Guest
         Network page, to allow easily connecting a mobile
         device just by scanning the QR code.
         The generated QR code can also be saved as a file
         if you'd like to print it.

  - CHANGED: Rewrote OpenVPN routing handling.  The firmware will
             now handle route creation itself rather than letting
             the openvpn client create/remove routes.
             The new implementation brings a few changes:

             - "Force Internet traffic through tunnel" can now
               be set to "No", "Yes (All)" or "VPN Director".
             - This setting will now override whatever setting
               pushed by the server regarding gateway redirection.
             - The kill switch can now be used in both "Yes" and
               "VPN Director" routing modes
             - Manually stopping a client will remove the kill
               switch.  It will now only be applied at boot time
               (if client was set to start at boot), or if the
               tunnel is disconnected through a non-user event

  - CHANGED: Reworked OpenVPN's DNS Exclusive mode implementation
             and interaction with dnsmasq.
  - CHANGED: Moved OpenVPN Custom settings content to JFFS, and
             increased max storage length from around 350 chars
             to 4095 chars.
  - CHANGED: Added support for BCM50991 used for the 2.5G
             interface in newer RT-AX86U revisions.
  - UPDATED: nano to 5.7.
  - UPDATED: curl to 7.76.1.
  - UPDATED: dnsmasq to 2.85-openssl.
  - UPDATED: openvpn to 2.5.3.
  - UPDATED: getdns to 1.7.0.
  - UPDATED: stubby to 0.4.0.
  - FIXED: Setting an OpenVPN client's DNS mode to Exclusive
           could fail to work for certain configurations
  - FIXED: DNS Exclusive redirections applied in Policy mode
           could be executed in the wrong order if you had
           overlapping policy rules in two separate clients.
  - FIXED: Clients connected to Guest Network 1 couldn't be
           routed through an OpenVPN tunnel.
  - FIXED: Clients connected to Guest Network 1 would bypass
           DNSFilter rules.
  - FIXED: USB disks not properly unmounted on reboot
           on some router models.
  - FIXED: Missing error report on OpenVPN client connection
  - FIXED: profile.add getting used even if JFFS scripting
           was disabled (dave14305)
  - FIXED: Freedns authentication errors would not
           properly be reported as errors.

386.2_6 (6-June-2021)
  - NOTE: The IRC channel, #asuswrt, has moved to the
          Libera IRC network (

  - UPDATED: chart.js to 2.9.4.
  - UPDATED: tor to
  - UPDATED: root certificate bundle to June 5th 2021.
  - FIXED: Fragattack security issues

386.2_4 (30-Apr-2021)
  - NEW: Added jitterentropy-rngd to non-HND models, in addition
         to HND models.
  - UPDATED: OpenVPN to 2.5.2.
  - UPDATED: jitterentropy-rngd to 1.2.2 (library 3.0.3)
  - FIXED: Scheduled new FW checks wouldn't display the webui
           notification icon when the local router had a
           new release available.
  - FIXED: OpenVPN server would flip into an error state (being
           shown as "initializing" on the webui) whenever an
           inbound client failed to connect to it.

386.2_2 (13-Apr-2021)
  - FIXED: IPv6 pings were blocked if sent below the rate limit
           instead of above (issue introduced in 42095)
  - FIXED: kernel debuging log entry (was removed) (RT-AC86U)
  - FIXED: Field that accepted a float value would reject
           values equal to the allowed minimum (for example
           the QoS bandwidth limits)
  - FIXED: QoS Bandwidth settings were hidden on
           non-HND models when accessing the QoS page.
  - CHANGED: Tweaks to the Firmware Upgrade page display.
  - CHANGED: Enabling DOS protection will now also rate limit
             ICMPV6 echo (type 128) packets, like with IPv4.

386.2 (2-Apr-2021)
  - NOTE: due to changes in how custom device icons are handled,
          first time you boot with 386.2 you need to either
          shift-reload the main index page, or clear your
          browser cache.

  - NEW: Added support for the GT-AX11000.  Note that VPN Fusion,
         as well as the ROG-specific features such as the custom
         UI are not supported.
  - NEW: Added support for the RT-AX68U.
  - NEW: Added jitterentropy-rngd daemon to HND routers.  This will
         ensure sufficient entropy is generated early on at
         boot time, reducing boot stalls caused by insufficient
         entropy for the kernel's random number generator,
         and also generally improves security related to
         crypto operations by the router.
  - NEW: Added Cake QoS for HND routers.  Note that just like
         Traditional QoS, this is not compatible with hardware
         acceleration, and therefore might not be usable on
         connections faster than around 350 Mbps (may vary based
         on router models).
  - UPDATED: Merged GPL 386_42095.
  - UPDATED: Openssl to 1.1.1k.
  - UPDATED: OpenVPN to 2.5.1.
  - UPDATED: iproute2 to 5.11.0 (HND models).
  - UPDATED: root certificate bundle to March 9th 2021.
  - CHANGED: qos-start "init" user script now runs in blocking
             mode to ensure it's able to complete any changes
             it may apply to qos configs before these
             configs get applied.
  - FIXED: Router could get stuck at boot time after the user
           migrated from stock firmware, or just erased his
           JFFS partition, requiring a factory default reset.
  - FIXED: ATM checkbox could not be enabled on QOS page.
  - FIXED: DST not getting applied to some timezones (snauton)
  - FIXED: Traditional QoS was broken in 386.1 (dave14305)
  - FIXED: Connected IPSEC clients weren't shown on the VPN Status
  - FIXED: Userspace conntrack tool was no longer working
  - FIXED: Traffic Monitor spikes for HND models.  (Asus backport)
  - FIXED: webui incorrectly complaining about mismatched timezone
           between browser and webui for some timezones (dave14305)
  - REMOVED: SSH Brute Force Protection option (already handled
             by Asuswrt's protect service daemon)

386.1_2 (12-Feb-2021)
  - NEW: Added snmp support to the RT-AX86U.
  - UPDATED: inadyn to 2.8.1.
  - UPDATED: nano to 5.5.
  - CHANGED: Use local OUI database instead of remote one hosted
             on Asus's server (allows queries to work even when
             accessing webui over https)
  - CHANGED: If dropbear cannot create keys in /jffs then
             create temporary ones in /etc so SSH can work even
             without a working JFFS partition.
  - FIXED: Missing Game Mode on RT-AC88U
  - FIXED: Non-working 160 MHz settings for RT-AC88U region/versions
           that should support it
  - FIXED: Missing Instant Guard to RT-AX56U and RT-AC88U.
  - FIXED: IPv6 ending with "::" were considered invalid on the
           webui (was breaking the Prefix field on the 6in4 tunnel
           page for instance).
  - FIXED: OUI lookups on site survey page not working
           (for non-HND models)
  - FIXED: Wifi Radar missing on GT-AC2900
  - FIXED: Netools-enabled pages not used by GT-AC2900 and
  - FIXED: GeForce NOW UPNP not working
  - FIXED: Erasing the JFFS partition would often require a second
           reboot since the operation failed when encountering
           a bad block.  These are now properly skipped.
  - FIXED: Parental Control's time scheduler not working properly.

386.1 (30-Jan-2021)
  Switched to the new 386 codebase.  386 introduces
  AiMesh 2.0, finalizes the move to OpenSSL 1.1.1
  firmware-wide, adds a new speedtest (powered
  by Ookla).  For more details, please refer
  to Asus's own release notes.

  - NOTE: For developers, note that firmware code is
          once again back on the master branch, with
          both mainline and ax being reunified again.

  - NOTE: Some users upgrading might have to go through some
          database maintenance on first boot, which means the
          router might be slower or have a non-responsive webui
          for a while.
          This can take anywhere from 5 minutes up to an hour,
          depending on your model, just give it time to complete
          the process.

  - NEW: Added support for the RT-AX86U.
  - NEW: Added support for the GT-AC2900, with a few restrictions:
           - Non-ROG UI is used
           - VPN Fusion is not supported
           - A few other ROG-specific features are not supported
         This is an experiment done in collaboration with Asus.
  - NEW: Added support for the RT-AC68U V3.
  - NEW: Added stub and stub-v2 compression options to OpenVPN
         clients.  Not added to server, since compression is
         considered deprecated, and will be removed most likely
         in OpenVPN 2.6, for security reasons.
  - NEW: Added tls-crypt-v2 support to OpenVPN clients.
  - NEW: Added option to select an OpenVPN client when
         running Oookla Speedtest.
  - UPDATED: Merged GPL 386_41700
  - UPDATED: Openssl to 1.1.1i.
  - UPDATED: Updated to OpenVPN 2.5.0.  Note that OpenVPN
             2.4.0 or newer is now required by the exported
             client config file.  You can still manually
             configure an older client to connect with your
  - UPDATED: dnsmasq to 2.84, resolving CVE-2020-25681,
             CVE-2020-25682, CVE-2020-25683, CVE-2020-25687,
             CVE-2020-25684, CVE-2020-25685 and
             CVE-2020-25686 aka DNSpooq  (themiron)
  - UPDATED: nano to 5.2.
  - UPDATED: curl to 7.72.0.
  - UPDATED: zlib to 1.2.11.
  - UPDATED: lz4 to 1.9.2.
  - UPDATED: e2fsprogs to 1.45.6.
  - UPDATED: dropbear to 2020.81.
  - UPDATED: miniupnpd to 2.2 (git snapshot from 20201129)
  - UPDATED: Switched userspace ipset from 6.32 to 7.6 (to match
             with upstream)
  - CHANGED: firmware update checks are no longer using the
             server address stored in nvram, for security
             reasons.  Devs who were using that nvram
             should instead edit the webs_scripts/* to
             use their own URL.
  - CHANGED: The old legacy cipher setting in OpenVPN is now only
             available when running with static key authentication.
  - CHANGED: Tweaks to the OpenVPN webui layout
  - CHANGED: OpenVPN clients will now NAT all outbound traffic,
             regardless of the source subnet.
  - CHANGED: Reworked the display of DNSPrivacy presets
  - CHANGED: Added AdGuard (ad blocking) and CIRA Canadian Shield
             (non US-based service) to the DNSPrivacy presets.
  - CHANGED: At boot time, OpenVPN killswitch will only be
             applied for clients set to auto-start with WAN.
  - CHANGED: Increased number of available mount points for addon
             webpages to 20.
  - CHANGED: Multiple routes can now be defined per client on the
             OpenVPN client-specific configuration.
  - CHANGED: Improved NAT acceleration report for newer models on
             the sysinfo page.  Now query the hardware for the
             current state instead of reporting the nvram values.
  - CHANGED: When logging allowed connections is enabled, also log
             outbound LAN connections (reverts to the behaviour from
             a few years ago)
  - FIXED: DHCP could fail to renew its lease with some ISPs when
           Trend Micro engine was enabled (workaround provided
           by Asus)
  - FIXED: OpenVPN client remote IP wasn't updated on client
  - FIXED: Couldn't force generating a new SSL certificate for the
  - REMOVED: Option to disable NCP.  The NCP cipher list is
             now used both for NCP and non-NCP endpoints.
  - REMOVED: fq_codel support for Adaptive QoS.  Due to a change
             in how Trend Micro configures QoS, it is no longer
             possible to intercept these to inject fq_codel.
  - REMOVED: Option to select sfq as a queue scheduler for t.QoS
             or Bandwidth Limiter, and always use fq_codel.
  - REMOVED: Support for the Cloudcheck mobile app.

384.19 (14-Aug-2020)
  - NOTE: Due to flash partitioning changes done by Asus, it is
          strongly recommended to make a backup of your JFFS
          partition before upgrading the RT-AC86U, and restoring
          that backup afterward.  If you run into issues,
          reformat your JFFS partition and reboot.
  - NOTE: The RT-AX56U build is not available for this release.

  - NEW: Added support for static routes for PPTP/L2TP VPN
         clients, on the Static Route page (themiron)
  - NEW: Added notification when JFFS free space drops
         below 3 MB.
  - UPDATED: Merged GPL 384_9354 for AX models.
  - UPDATED: Merged GPL 384_81992 for mainline models.
  - UPDATED: Merged SDK + binary blobs 384_9354 for RT-AX58U.
  - UPDATED: Merged SDK + binary blobs 384_9107 for RT_AX88U.
  - UPDATED: Merged binary blobs + SDK 384_81981 for RT_AC5300.
  - UPDATED: Merged binary blobs + SDK 384_81992 for RT-AC86U.
  - UPDATED: Merged bwdpi components from 385_20630 firmware
             image for RT-AC68U.
  - UPDATED: dnsmasq to 2.82-openssl (themiron)
  - CHANGED: Rewrote a large portion of the OpenVPN implementation,
             to make the code easier to maintain.  The new libovpn
             code is released under a GPL licence.  Functionality
             should largely remain the same.
  - CHANGED: Replaced updown-*.sh OpenVPN event handler scripts
             with binary libovpn functions. The new code does
             stricter validation of the configuration.
  - CHANGED: Enabling Client Config Dir (ccd) for an OpenVPN
             server in non-exclusive mode will no longer accept
             duplicate common names (to prevent issues with
             two clients trying to share the same settings).
             If you need such an unusual setup, you should
             enable "Username/Password auth only", which will
             make the common name become the username.  Or
             better, ensure that you have unique certificates
             for all of your users.
  - CHANGED: Removed the (undocumented) vpn_debug setting.  Debug
             logging will now only come from OpenVPN itself
             (configurable through the log verbosity setting).
  - CHANGED: Improved mechanism for providing an available
             mount point for addon API scripters (dave14305)
  - CHANGED: Harmonized the various SSL certificate modes with
             0-None - will be self-generated
             1-Imported - lets you upload your own (no longer
                           self generated unless you don't
                           upload one)
            2-Let's Encrypt (unchanged)
            Self-generated cert will be stored to /jffs/cert.tgz,
            just like upstream.
  - FIXED: Broken French webui on AX models (fixed with
           Asus's GPL update)
  - FIXED: Chacha20 wasn't prioritized for bcm675x models which
           lacked AES acceleration (RT-AX56U and RT-AX58U)
  - FIXED: ddns updates and OpenVPN instances might be launched
           twice at boot time if the initial ntp clock sync
           happened too fast.
  - FIXED: Enforced DNS and tQoS fix would be lost when the
           firewall gets restarted while an OpenVPN client
           is running.
  - FIXED: Various issues surrounding error state report
           when an OpenVPN client failed to start properly.
  - FIXED: WINS provided by an OpenVPN server weren't properly
  - FIXED: Some large DNS queries could fail when using DoT
           (patch backported from upstream)

384.18 (28-June-2020)
  - NOTE: A number of changes for some models are not backward
          compatible with previous versions.  Downgrading to
          a previous release will require a factory default reset
          afterward in many cases.
  - UPDATED: Merged GPL 384_8563 for AX models.
  - UPDATED: Merged GPL 384_81918 for mainline models.
  - UPDATED: Merged SDK + binary blobs 384_81918 for RT-AC86U.
  - UPDATED: Merged SDK + binary blobs 384_81902 for RT-AC5300.
  - UPDATED: Merged SDK + binary blobs 385_20490 for RT-AC68U.
  - UPDATED: Merged binary blobs 385_20490 for RT-AC3100.
  - UPDATED: Merged binary blobs 384_81918 for RT-AC88U.
  - UPDATED: Merged SDK + binary blobs 384_8563 for RT-AX58U.
  - UPDATED: amtm to 3.1.7.
  - UPDATED: Root certificate bundle to June 3rd 2020.
  - UPDATED: OUI database used by the webui.
  - UPDATED: Dropbear 2020.80 (themiron)
  - UPDATED: nano to 4.9.3.
  - CHANGED: Optimized OpenVPN routing policy storage (this change
             is NOT backward compatible with previous firmwares)
  - FIXED: ssh/scp client would fail to connect while negotiating
           a chacha20 connection (themiron)

384.13_10 (28-June-2020)
  This release will most likely be the last release for the
  RT-AC87U and RT-AC3200, due to limited upstream support.

  - UPDATED: amtm to 3.1.7.
  - UPDATED: Root certificate bundle to June 3rd 2020.
  - UPDATED: OUI database used by the webui.
  - UPDATED: Dropbear 2020.80 (themiron)
  - UPDATED: Wireless driver from 382_52230 for RT-AC87U and
             RT-AC3200 (should in theory address Kr00k)
  - FIXED: ssh/scp client would fail to connect while negotiating
           a chacha20 connection (themiron)

384.17 (26-Apr-2020)
  Updating some models (like the RT-AC88U) from stock firmware and newer will require a factory default reset
  after flashing Asuswrt-Merlin, due to a change in how Asus
  stores the admin password starting with 384_81790.

  - NEW: Add Chacha20-poly1305 support to dropbear (themiron)
  - UPDATED: dnsmasq to 2.81-openssl (themiron)
  - UPDATED: openvpn to 2.4.9.
  - UPDATED: curl to 7.69.1.
  - UPDATED: openssl-1.1 to 1.1.1g (themiron)
  - UPDATED: nano to 4.9.2.
  - FIXED: RT-AC88U/RT-AC3100/RT-AC5300 could fail to upgrade
           from newer stock versions to Asuswrt-Merlin.
  - FIXED: Various webui issues with sorting DHCP reservations.

384.13_8 (26-Apr-2020)
  This release is only available for the RT-AC87U and RT-AC3200.

  - UPDATED: dnsmasq to 2.81-openssl (themiron)
  - UPDATED: openvpn to 2.4.9.
  - UPDATED: openssl-1.1 to 1.1.1g (themiron)

384.16 (5-Apr-2020)
  - NEW: Added support for the RT-AX58U and RT-AX3000 (same
         firmware), based on GPL 384_8253 + binary blobs 384_8137.
  - NEW: Added support for the RT-AX56U, based on GPL + binary
         blobs from 384_8253.
  - NOTE: The RT-AC87U and RT-AC3200 are now officially considered
          to be on limited support.  The future for these two
          models will depend on Asus's own support in the
          coming months.

  - NEW: Added ed25519 support in Dropbear (themiron)
  - UPDATED: Merged GPL 384_8253 for AX models.
  - UPDATED: Merged SDK + binary blobs 384_7977 for RT-AX88U.
  - UPDATED: Merged SDK + binary blobs 384_81352 for RT-AC86U.
  - UPDATED: Tor to
  - UPDATED: curl to 7.68.0.
  - UPDATED: nano to 4.8.
  - UPDATED: dnsmasq to 2.81rc4-33-g7558f2b-openssl (themiron)
  - UPDATED: inadyn to 2.7 (themiron, merlin)
  - UPDATED: getdns to 1.6.0 (themiron)
  - UPDATED: stubby to 0.3.0 (themiron)
  - UPDATED: amtm to 3.1.6 (thelonelycoder)
  - UPDATED: openssl-1.1 to 1.1.1f (themiron, merlin)
  - UPDATED: Chart.js to 2.9.3
  - CHANGED: Wireless Log page will now regroup Guest Network
             clients together and identify which guest instance
             they are connected to.
  - CHANGED: Report temperature of second 5 GHz radio on Sysinfo page
             for tri-band models.
  - CHANGED: Added down/upload monitor to network status page, and
             removed useless RAM chart to free some space.
  - CHANGED: Security hardening in dropbear dropped CBC and 3DES
             ciphers, removed version disclosure from ident
             string (themiron)
  - FIXED: DNS server was unreachable when connecting to an OpenVPN
           server with Advertise DNS enabled, due to firewall rules.
  - FIXED: Router Security Assessment would fail to recognize WPA3
           as being secure.
  - FIXED: miniupnpd would reject private WAN IPs - changed that
           upstream behaviour to allow these.
  - FIXED: Would require you to reset the DHCP scope if you
           changed the LAN hostname.
  - FIXED: Couldn't set http mode to http-only if you previously
           had WAN access enabled but have since switched to
           non-router mode.
  - FIXED: Disks with a single quote in their name would fail to
           properly list on various USB service pages.
  - FIXED: CVE-2020-8597 security issue.

384.13_6 (5-Apr-2020)
  This release is only available for the RT-AC87U and RT-AC3200.
  These two models are now considered to be on limited support, and
  their future will depend on Asus's future support for these two.

  - UPDATED: openssl-1.1 to 1.1.1f (themiron, merlin)
  - UPDATED: amtm to 3.1.6 (thelonelycoder)
  - CHANGED: Security hardening in dropbear: dropped CBC and 3DES
             ciphers, removed version disclosure from ident
             string (themiron)
  - FIXED: DNS server was unreachable when connecting to an OpenVPN
           server with Advertise DNS enabled, due to firewall rules.
  - FIXED: miniupnpd would reject private WAN IPs - changed that
           upstream behaviour to allow these.
  - FIXED: Would require you to reset the DHCP scope if you
           changed the LAN hostname.
  - FIXED: Couldn't set http mode to http-only if you previously
           had WAN access enabled but have since switched to
           non-router mode.
  - FIXED: Disks with a single quote in their name would fail to
           properly list on various USB service pages.
  - FIXED: CVE-2020-8597.

384.15 (8-Feb-2020)
  The RT-AC87U and RT-AC3200 are not supported by this release, see
  the 384.13_4 release released separately for these two models.

  - NEW: wan-event script.  The first parameter will be the WAN unit
         (0 for first WAN, 1 for secondary).  The second parameter
         will be a string describing the type of event (init,
         connected, etc...).  A wan-event of type "connected" will
         be identical to when the original wan-start script was
         being run (wan-start should be considered deprecated
         and will be removed in a future release)
  - NEW: Implemented an official API for addon developers to
         better integrate with the router.  This includes up
         to ten different pages that can be added anywhere within
         the webui, and a dedicated storage repository for your
         settings, which can be interacted with through your
         custom web page or through a shell script.
         See the Wiki for more information:

  - NEW: amtm (Asuswrt-Merlin Terminal Menu) by thelonelycoder has
         been added to the firmware.  Running "amtm" over SSH will
         give you a menu allowing you to select and install various
         addons, such as Diversion (ad blocker) or SKynet (an
         advanced firewall extension).  The plugins for amtm are
         still maintained by its original author (thelonelycoder).

  - UPDATED: Backported some fixes from 384_81981, mostly related
             to WAN, port bonding and mdns.
  - UPDATED: Merged GPL 384_7756 for RT-AX88U, which adds OFDMA and
             WPA3 support to that model.
  - UPDATED: Merged with GPL 385_10002 for other models (from
  - UPDATED: odhcp6c to 1.1-97-ge199804 (themiron)
  - UPDATED: curl to 7.67.0.
  - UPDATED: openssl-1.0 to 1.0.2u
  - UPDATED: dnsmasq to 2.80-114-ge40d8be (themiron)
  - CHANGED: Replaced script with link to amtm, as
             using the amtm Entware installer is now the supported
  - CHANGED: Improved connection handling in httpd (themiron)
  - FIXED: Some of the newest DNSFilter servers weren't properly set
           up with IPv6 (dave14305)

384.13_4 (8-Feb-2020)
  This release is only available for the RT-AC87U and RT-AC3200.

  - NEW: wan-event script.  The first parameter will be the WAN unit
         (0 for first WAN, 1 for secondary).  The second parameter
         will be a string describing the type of event (init,
         connected, etc...).  A wan-event of type "connected" will
         be identical to when the original wan-start script was
         being run (wan-start should be considered deprecated
         and will be removed in a future release)
  - NEW: Implemented an official API for addon developers to
         better integrate with the router.  This includes up
         to ten different pages that can be added anywhere within
         the webui, and a dedicated storage repository for your
         settings, which can be interacted with through your
         custom web page or through a shell script.
         See the Wiki for more information:

  - NEW: amtm (Asuswrt-Merlin Terminal Menu) by thelonelycoder has
         been added to the firmware.  Running "amtm" over SSH will
         give you a menu allowing you to select and install various
         addons, such as Diversion (ad blocker) or SKynet (an
         advanced firewall extension).  The plugins for amtm are
         still maintained by its original author (thelonelycoder).

  - UPDATED: odhcp6c to 1.1-97-ge199804 (themiron)
  - UPDATED: openssl-1.0 to 1.0.2u
  - UPDATED: curl to 7.67.0.
  - UPDATED: OpenVPN to 2.4.8.
  - UPDATED: dnsmasq to 2.80-114-ge40d8be (themiron)
  - CHANGED: Replaced script with link to amtm, as
             using the amtm Entware installer is now the supported
  - CHANGED: Improved connection handling in httpd (themiron)
  - FIXED: Some of the newest DNSFilter servers weren't properly set
           up with IPv6 (dave14305)

384.14_2 (1-1-2020)
  - FIXED: Missing cifs kernel module
  - FIXED: stubby was linked with OpenSSL 1.0 instead of 1.1
  - FIXED: some routers were reporting the Internet connection being
           disconnected.  If you were affected and you had flashed
           a customized bootloader, then please reflash your original
           bootloader, as your modded bootloader is invalid, and other
           potential issues may appear over time.
  - FIXED: Random traffic spikes logged in Traffic Monitor (regression
           from 384_81351)

384.14 (14-Dec-2019)
  - NEW: Implement option to prevent Firefox's automatic usage of DoH.
         By default, this will only apply if you have DNSPrivacy
         enabled, or if you have DNSFilter enabled with a global
         filter, to ensure that Firefox will not bypass either of
         these.  You can also have this override applied all the
         time, or completely disable it.
  - NEW: Added "split" busybox applet.
  - NEW: Added IPv6 support to Network Analysis webui
  - NOTE: You might need to reconfigure your device hostname on the
          LAN -> LAN IP page due to a GPL-level change (exclusing
          the RT-AX88U)
  - UPDATED: RT-AX88U to GPL 384_6436 (with Let's Encrypt fixes
             backported from 384_81351)
  - UPDATED: RT-AC68U, RT-AC86U to GPL 384_81351
  - UPDATED: RT-AC88U, RT-AC3100 to GPL 384_81351 and binary
             blobs from 384_81116
  - UPDATED: RT-AC5300 to GPL 384_81351 and binary blobs from

  - UPDATED: miniupnpd 20190824
  - UPDATED: dnsmasq 2.80-95-g1aef66b (themiron)
  - UPDATED: OpenSSL 1.0.2 to 1.0.2t (themiron)
  - UPDATED: OpenSSL 1.1.1 to 1.1.1d (themiron)
  - UPDATED: Curl 7.66.0
  - UPDATED: nano 4.4
  - UPDATED: OpenVPN 2.4.8
  - UPDATED: OUI database to 2018-08-17 version
  - UPDATED: CA root certificates to October 9th 2019
  - CHANGED: Made webui SSL certificate generation compliant with
             IOS 13 and MacOS 10.15 new requirements.
  - CHANGED: Rewrote the faketc script used to inject Codel into
             Adaptive QoS as a C program for improved performance.
  - CHANGED: Moved /usr/bin/ip to /usr/sbin/ip on the RT-AC86U and
             RT-AX88U to match other models.
  - CHANGED: IPv6 firewall now accepts empty values for local IP
             (which means any local IP).
  - FIXED: Webui wouldn't notify when running dangerously low on
           free nvram (feature was lost at some point in the past)
  - FIXED: Non-working link to YandexDNS on the webui for
           Russian models.
  - FIXED: Backported various httpd fixes to RT-AX88 from other
  - FIXED: Custom clientlist would be wiped if stopping an
           OpenVPN server instance.
  - FIXED: Incorrect detection of EUI64 addresses on the IPv6
           firewall (would prevent using ::/0 for instance).
  - FIXED: EUI64 support missing while in Load Balancing or
           using Multicast IPTV.
  - FIXED: Asus DDNS failing to update due to an invalid
           certificate on Asus's server.
  - FIXED: Let's Encrypt support would sometime fail when using
           Asus DDNS (fixed DNS publishing of validation record)
           (in addition to general failure fixed by GPL 81351)
  - FIXED: IPv6 neighbour solicitation drop toggle not working
           for some models
  - FIXED: openvpn-event scripts would be executed even if custom
           scripts were globally disabled

384.13_2 (14-Dec-2019)
  This release is only available for the RT-AC87U and RT-AC3200.

  - NEW: Added "split" busybox applet.
  - UPDATED: OpenSSL 1.0.2 to 1.0.2t (themiron)
  - UPDATED: OpenSSL 1.1.1 to 1.1.1d (themiron)
  - UPDATED: CA root certificates to October 9th 2019
  - CHANGED: Rewrote the faketc script used to inject Codel into
             Adaptive QoS as a C program for improved performance.
  - CHANGED: Made webui SSL certificate generation compliant with
             IOS 13 and MacOS 10.15 new requirements.
  - CHANGED: IPv6 firewall now accepts empty values for local IP
             (which means any local IP).
  - FIXED: Non-working link to YandexDNS on the webui for
           Russian models.
  - FIXED: Webui wouldn't notify when running dangerously low on
           free nvram (feature was lost at some point in the past)
  - FIXED: Custom clientlist would be wiped if stopping an
           OpenVPN server instance.
  - FIXED: Incorrect detection of EUI64 addresses on the IPv6
           firewall (would prevent using ::/0 for instance).
  - FIXED: EUI64 support missing while in Load Balancing or
           using Multicast IPTV.
  - FIXED: Asus DDNS failing to update due to an invalid
           certificate on Asus's server.
  - FIXED: Let's Encrypt no longer working due to deprecated ACMEv1
           protocol usage (backport from GPL 81351)
  - FIXED: Let's Encrypt support would sometime fail when using
           Asus DDNS (fixed DNS publishing of validation record)
  - FIXED: IPv6 neighbour solicitation drop toggle not working
           for some models

384.13_1 (12-Aug-2019)
  - FIXED: RT-AC87U failing to boot when configuring in AP mode.

384.13 (31-July-2019)
  - NEW: AiMesh Router and node support.  Note that automatic live
         update of Merlin-based nodes is not supported, you will have
         to manually update any Merlin-based nodes when a new firmware
         is available.  Asus-based nodes (which is recommended) will be
         able to make use of the automatic live update.
  - NEW: ChaCha20-Poly1305 support in Strongswan (themiron)
  - UPDATED: RT-AX88U to GPL 384_6210.
  - UPDATED: Curl 7.65.3.
  - CHANGED: dhcp_staticlist no longer contains hostnames, these
             have been moved to dhcp_hostnames for better
             compatibility with upstream and closed source
             components, also allows more static leases to be
             defined before reaching the size limit.
  - CHANGED: Replace Nettle with OpenSSL for dnsmasq's DNSSEC
             validation, which opens the door to supporting
             more ciphers.  (themiron)
  - FIXED: Firmware Update check button would redirect to Asus
           support site if scheduled checks are disabled.
  - FIXED: Firefox was showing a no-op Uninstall button on the
           AiCloud page
  - FIXED: 5 GHz radio showing as disabled on the Sysinfo page for
           the RT-AC87U
  - FIXED: FTP would be accessible from the WAN even while disabled
           if you had DualWAN load balancing enabled, or IPTV
  - FIXED: IGMP Snooper daemon crashing when more than 32 hosts
           are present (themiron)
  - FIXED: External DDNS IP checker would fail for Chinese users,
           as is blocked - switched to .com TLD.
  - FIXED: Devices without a networkmap-defined alias wouldn't fallback
           to their hostname on some webui pages like the IPTraffic
           and QoS Classification pages.
  - FIXED: Remote IP field filtering on Classification page wasn't
  - FIXED: Incorrect user permissions displayed on the FTP page.
  - FIXED: Performance issues for some users, following the kernel
           security fixes in 384.12. (gzenux)

384.12 (22-June-2019)
  - NOTE: The project now has its own domain name.  Official website
          is now and my email address
          for anything related to the project is now
          [email protected].

  - NEW: Added WS-Discovery support.  This allows Windows clients
         to detect the router's shared USB drives even if SMBv1
         support is disabled.
  - NEW: Re-added option to extend the WAN's TTL (from stock
         firmware, was previously disabled as it used to
         be broken)
  - UPDATED: RT-AC3200 and RT-AC87U to 382_51640/51634 binary blobs
             (with a few exceptions for 384_xxxx compatibility)
  - UPDATED: Merged GPL 384_45717 (except for RT-AX88U)
  - UPDATED: Nano 4.2.
  - UPDATED: OpenSSL-11 to 1.1.1c.
  - UPDATED: OpenSSL-10 to 1.0.2s.
  - UPDATED: curl 7.65.1.
  - UPDATED: miniupnpd 20190604.
  - CHANGED: Local clients will be shown by their hostname
             on the Classification page.
  - CHANGED: Reworked handling of up/down events in OpenVPN.
             Server instance will now also use its own
             updown script, which will handle firing up
             openvpn-event (if present).
  - CHANGED: Inbound traffic sent to you through an OpenVPN client
             will now be dropped by default.  This can be changed
             through the new "Inbound Firewall" parameter found
             on the OpenVPN client page.  You should only change
             this to "Allow" if running a site2site tunnel with
             a trusted remote server, or if you do expect
             traffic to be forwarded to you through the tunnel.
  - CHANGED: The router will now use ISP-provided resolvers
             instead of local dnsmasq when attempting to
             resolve addresses, for improved reliability.
             This reproduces how stock firmware behaves.
             This only affects name resolution done
             by the router itself, not by the LAN clients.
             The behaviour can still be changed on the
             Tools -> Other Settings page.
  - CHANGED: Randomize the serial number of certificates
             generated by the router for its httpd.  If
             using a router-generated certificate, then
             it's recommended to generate a new one.
  - CHANGED: Allow USB idle values up to 9999.
  - CHANGED: Replaced Network Analysis and Netstat pages (under
             Network Tools) with new versions based on Asus's
             Netool daemon for non-HND models, but based
             around the more limited traceroute busybox applet.
             RT-AC86U and RT-AX88U still use the newer
             traceroute executable.
  - CHANGED: Reworked how some services are started when the WAN
             interface comes up to prevent deadlocks between
             the WAN completing its initialisation, and the
             clock getting set.  These could result is fairly
             long boot time for some ISPs.
  - FIXED: openvpn-event script not launching if the
           client was configured in Secret Key auth
  - FIXED: IPv6 issues on RT-AX88U - backported accept_ra fix
           from 45717 (themiron)
  - FIXED: Memory leak in erp_monitor process.
  - FIXED: Page redirection failing to apply at boot
           time if WAN was down.
  - FIXED: CVE-2019-11477, CVE-2019-11478 and
           CVE-2019-11479 (themiron)

384.11_2 (18-May-2019)
  - NEW: Implemented source/destination IP filtering
         for the Netool version of Netstat web page.
  - CHANGED: Backported multiple fixes and improvements
             for ntpd from upstream, improving handling
             of failed server hostname resolution, and better
             clock sync discipline.
  - FIXED: RT-AC88U/3100/5300 were accidentally compiled
           with Netool enabled, which isn't compatible with
           these model's kernel.
  - FIXED: Movistar stopped working for some users.  Re-disabled
           udpxy on Movistar profile for now.  A more complete
           fix will have to come from Asus.
  - FIXED: Re-disabled memaccess debugging tool, as it creates
           a symlink called "sh" which is a pretty bad
          idea from Broadcom. (RT-AC86U, RT-AX88U)

384.11 (8-May-2019)
  - NEW: Added DNS Privacy feature, with support for
         DNS-over-TLS (also known as DoT).
         You can configure it on the WAN -> Internet Connection
         page.  You can manually add your own servers, or chose
         one (or a few) from the preset list.  (themiron)
  - NEW: NTP daemon on the router, to allow your LAN clients to
         synchronize their clocks with it.
  - NEW: Option to intercept NTP requests from clients, and
         redirect them to the router's own NTP daemon.
  - NEW: Added service-event-end custom script, executed at the
         end of an rc service call.  Receives the same arguments
         as service-event, but is a non-blocking script.
  - NEW: Added sqlite3 CLI command, to allow script authors to
         create/manage their own sqlite3 database
  - UPDATED: RT-AX88U to 384_5951 GPL.
  - UPDATED: Other models to 384_45713 GPL (RT-AC87U, RT-AC3200
             and RT-AC5300 still using 384_45149 binary blobs)
  - UPDATED: Nano 4.0.
  - UPDATED: Curl 7.64.1.
  - UPDATED: Dropbear 2019.78.
  - CHANGED: Replaced the custom ntpclient with a proper ntpd
             implementation, for reduced memory usage and
             increased accuracy.
  - CHANGED: Made the secondary NTP server configurable through the
             webui.  Note that ntpd will use both servers, so clear
             the second server if there is one and you don't want
             to use it.
  - CHANGED: Re-designed firmware upgrade page, moving the schedule
             option to that page, and removed support for the Beta
  - CHANGED: Removed popup messages showing on the DDNS page when
             a service state change was detected.  Report it within
             the page instead.
  - CHANGED: Report firmware version within the new firmware
             notification popup that appears at the top of the webui.
  - CHANGED: Moved LED control (formerly known as Stealth Mode) to
             the System page.
  - CHANGED: Do not restart whole network whenever changing an IP
             reservation on the Networkmap card.
  - CHANGED: Allow URLs up to 64 chars long on the URL filter.
  - CHANGED: pre-mount user script now receives the filesystem
             as second argument.
  - CHANGED: Moved various DNS-related settings from the DHCP page
             to a more appropriate location on the WAN page.
  - CHANGED: OpenSSL default dir moved to /etc/ssl/.  Allows
             programs to automatically locate the CA bundle
             without requiring explicit configuration.
  - CHANGED: Optimized service restarts generated by the
             System page.
  - CHANGED: Replaced Network Analysis and Netstat pages (under
             Network Tools) with new versions based on Asus's
             Netool daemon (RT-AC86U, RT-AX88U)
  - FIXED: Reboot scheduler would sometime get stuck, or corrupt
           plugged USB drives.  Now doing a more thorough
           shutdown of services, should hopefully make it
           more reliable.
  - FIXED: CVE-2019-1543 issue with Chacha20-poly1305 in
           OpenSSL 1.1 (themiron)
  - FIXED: Client count on the Sysinfo page was missing
           Guest clients
  - FIXED: Miniupnpd sometimes sending ssdp notifies to
           the wrong interface (themiron)
  - FIXED: udpxy not working when using the Movistar
           IPTV profile on RT-AC86U and RT-AX88U.

384.10_2 (3-Apr-2019)
  - CHANGED: Increased OpenVPN interface queue length from 100
             to 1000 bytes, to reduce the amount of dropped
             packets if router can't keep up.
  - CHANGED: Updated CA bundle to January 23rd version
  - FIXED: Moviestar VLAN routes weren't properly configured
           (broken quagga configuration)
  - FIXED: Layout issues on the Wireless Log page for some
  - FIXED: Missing tooltip content for the new local DNS
           resolution setting on the Tweak page
  - FIXED: FAQ URL on Bandwidth Monitor points to a non-existing
           page on Asus's servers (point to old page for now)
  - FIXED: OpenVPN CA would be overwritten if there was no
           server key or cert present - only generate them
           if all three are missing.
  - FIXED: Bandwidth Limiter not working properly in some
           cases, as it failed to disable hardware acceleration

384.10 (24-March-2019)
  - NEW: Added OpenSSL 1.1.1b in parallel to 1.0.2.  Some services
         like AiCloud are still linked against 1.0.2 because they
         would require Asus to recompile them against 1.1.1.

         Main services that currently use OpenSSL 1.1.1:
         httpd (webui), OpenVPN, wget, net-snmp, Tor,
         Strongswan (IPSEC server), inadyn, vsftpd, avahi.

         Models that lack AES acceleration will prioritize the use
         of CHACHA20 over AES-256-GCM, for a small performance
         improvement (for instance with the webui).

         Note that OpenVPN 2.4.7's support is still limited.
         TLS 1.3 is supported, but CHACHA20 support is
         only expected with OpenVPN 2.5.0.

         The 1.0.2 userspace tool is still named "openssl", while
         the 1.1.x version is named "openssl11".

  - NEW: Updated RT-AX88U to GPL 384_5640.
  - NEW: Implemented lcp-ident option in PPP (required by some ISPs)
  - NEW: Added NFSv2 support to HND models.
  - NEW: You can now choose between having your router do internal
         DNS queries locally (through dnsmasq) or with your WAN
         configured DNS (like stock firmware).  This does not
         affect DNS lookups from your clients, only those made
         by the router itself.  The option is under Tools ->
         Other Settings.  (Themiron)
  - CHANGED: Some firmware cleanups to regain flash space (for
             use with the parallel OpenSSL 1.1.x install)
             (RMerlin, Themiron)
  - CHANGED: Updated curl to 7.64.0.
  - CHANGED: Updated OpenVPN to 2.4.7.
  - CHANGED: Updated Tor to
  - CHANGED: Updated strongswan to 5.7.2.
  - CHANGED: Updated OpenSSL 1.0.x to 1.0.2r.
  - CHANGED: Updated dnsmasq to 2.80-44-g608aa9f (Themiron)
  - CHANGED: Re-worked the Classification page.  New design
             is much faster, allows filtering, and shows
             additional info when hovering on a field.  Thanks
             to FreshJr for giving me the motivation to
             spend more time on it.
  - CHANGED: Strongswan is no longer compiled 64-bit
             on HND, allowing it to use a shared openssl library
             instead of a static one.  This should significantly
             reduce the memory and flash usage of Strongswan.
  - CHANGED: Reworked DNS WAN probe implementation (Themiron)
  - FIXED: IPSEC log display wasn't properly formatted (showed
                 entirely on a single line)
  - FIXED: Compatibility issues between recent Tuxera NTFS driver
           and Samba
  - FIXED: NFSv2 support
  - FIXED: PPP host-uniq support (Themiron)
  - FIXED: AiCloud not working on the RT-AX88U
  - FIXED: OpenVPN key/certs would sometime end up in nvram in
           addition to in /jffs
  - FIXED: Couldn't remove an existing OpenVPN key/cert by
           clearing the field on the webui
  - FIXED: Resetting OpenVPN client to Default values wasn't
           removing any existing Extra CA certificate
  - REMOVED: Beceem Wimax driver.  This is deprecated, and was
             already removed from the HND models.  This allows
             to reclaim close to 2 MB of flash space.
  - REMOVED: CFB and OFB ciphers from OpenVPN client

384.9 (2-Feb-2019)
  - NEW: Temporarily reorganized code in separate branches, to handle
         Asus's currently scattered firmware source code releases.
         The GPL situation for this release is as follow:
     o RT-AX88U: Merged GPL 384_5329
     o Other models: Merged GPL 384_45149.
     o Special binary blobs provided by Asus for the RT-AC87U
       and RT-AC3200 (compatible with 384_45149).

  - NEW: Added NFS client support (V2 and V3) to the
         RT-AC86U and RT-AX88U (already present in older models)
  - NEW: Report the number of spatial streams and the PHY type
         used by wireless clients for models supporting it
  - NEW: Display tracked connections on the QoS Stats page (now
         relabeled "Classification").
         Fields can be sorted by clicking on the column headers.
         Thanks to FreshJr for his help in deciphering the packet
         mark values.

  - NEW: Implemented ipsec.postconf and strongswan.postconf scripts.
  - KNOWN ISSUE: dcd process crashing on RT-AC86U (bug in Trend
                 Micro's code, outside of my control).
  - KNOWN ISSUE: IPv6s on Tracked Connections have their last
                 two bytes set to 00 (bug in Trend Micro's
                 code truncating the last two bytes).
  - KNOWN ISSUE: No IPS events logged (bug in Asus's code,
                 IPS should work, just fails to log hits)
  - KNOWN ISSUE: Networkmap listing may be unreliable.
                 (Bug in Asus's code)
  - KNOWN ISSUE: Users failing to read changelogs will
                 probably complain about the above issues.
                 (Outside of my control).
  - CHANGED: Updated wget to 1.20.
  - CHANGED: Updated nano to 3.2.
  - CHANGED: Updated curl to 7.62.0.
  - CHANGED: Updated Chart.js to 2.7.3.
  - CHANGED: Updated dnsmasq to 2.80-32-g28cfe36 (themiron)
  - CHANGED: Optimized some JS files to reduce their size
  - CHANGED: OpenVPN clients can now accept CNs up to 255 chars
             when using it to validate the certificate.
  - CHANGED: No longer reset the OpenVPN client's description,
             policy mode and existing rules when uploading an
             .ovpn config file.
  - CHANGED: No longer accept any server-provided route
             when OpenVPN client set to Policy (Strict).
  - CHANGED: Clients bound to DNSFilter rules will no longer
             bypass it by using DoT.  DNSFilter servers that
             support DoT (like Quad9) will only allow filtered
             clients to use that server
  - FIXED: Firmware update checks would not run at boot time
           on the RT-AX88U.
  - FIXED: Name resolution issues for /etc/hosts entries on
           HND models (themiron)
  - FIXED: Syslog not properly copied to JFFS on reboot
           (John Bacho)
  - FIXED: Volumes not properly unmounted on HND platform
           (John Bacho)
  - FIXED: Added missing TEE Netfilter target on the RT-AC86U
  - FIXED: SSH brute force protection didn't work in Dual WAN
           load balancing mode.
  - FIXED: httpd crashes on RT-AC86U (themiron)
  - FIXED: DNSFilter clients could use a different nameserver
           when using an IPv6 connection
  - FIXED: USB disk idle config changes not applying without a
  - FIXED: "Strict" DNS mode wasn't working properly with OpenVPN
  - FIXED: Cannot upload JFFS backup on HND models

384.8_2 (8-Dec-2018)
  - CHANGED: Updated miniupnpd to 20181205.
  - CHANGED: Push LAN domain to OpenVPN clients as DNS suffix
             for the connection.
  - FIXED: Cannot save custom settings on OpenVPN server page
           on non-HND models.
  - FIXED: Some webui pages fail to load properly in French
  - FIXED: dnsmasq fails to start when certain options are
           configured (themiron)
  - FIXED: Non-functionnal Show Password option on OpenVPN/PPTP
           server page for RT-AX88U (removed)
  - FIXED: Persistent SSL cert was wiped at boot time in
           some specific scenarios.

384.8 (2-Dec-2018)
  - NOTE: Asus has put the RT-AC56U on their End of Life
          list, meaning no further firmware releases from
          them.  Since it's impossible for me to support
          models without matching GPL releases from Asus,
          I also have to retire the RT-AC56U.  384.6 is
          the final release for that model.

  - NOTE: The RT-AC3200 and RT-AC87U are not supported by this
          release, Asus hasn't released any updated code yet for
          these models.

  - NEW: Added RT-AX88U support (based on GPL 384_4736).
  - NEW: Merged with GPL + binary blobs from 384_32799 (all
         supported models except RT-AX88U)
  - NEW: Add LZ4 V2 option to OpenVPN compression
         (more effective at handling already compressed
  - NEW: Added "extend" support to SNMP.
 - NEW: Added CleanBrowsing to DNSFilter supported services.
  - NEW: Webui HTTP LAN port can now be changed from the default 80.
  - NEW: Added support for the Netfilter TEE target.
  - CHANGED: Removed watchdog from OpenVPN clients, to avoid
             conflicting with more advanced configurations.
  - CHANGED: Vsftpd TLS mode will now reuse the web server
             certificate (including any Let's Encrypt generated
  - CHANGED: SSL crypto/cipher hardening for httpd (themiron)
  - CHANGED: Syslog will now ignore bwdpi debug output (themiron)
  - CHANGED: Reworked Wireless Log page, adding a new button to
             view low-level details (what stock firmware shows
             on its Wireless Log page), and removed redundant
             option to display DFS channel details.
  - CHANGED: Update dnsmasq to 2.80-11-g59e4703 (themiron)
  - CHANGED: Updated nettle to 3.4
  - CHANGED: Updated net-snmp to 5.8
  - CHANGED: Updated openssl to 1.0.2q
  - CHANGED: Migrated /jffs/ssl/* content to /jffs/.cert (to
             share the same folder used by Asus stock)
  - CHANGED: Re-enabled WTFast on non-HND models (curl-related
             crash has been fixed).  This is still untested.
  - CHANGED: Updated CA bundle to October 17th 2018 version.
  - CHANGED: Support search domains pushed by a remote OpenVPN
  - FIXED: UOPNP port forwarding not working in CGNAT/double NAT
           scenario even if proper ports were forwarded upstream.
  - FIXED: Pages based on table.js (like the port trigger one)
           would fail to work properly under Firefox
           (Michael Ziminsky)
  - FIXED: Dnsmasq issues when running in non-router mode
           (John Bacho)
  - FIXED: Routing issues when in non-router mode (John Bacho)
  - FIXED: Bug in curl that could cause some applications to
           crash on non-HND models
  - FIXED: IFTTT failing to start on non-HND models (caused by
           curl issue).
  - FIXED: Webui could complain about port 8080 being reserved for
           http WAN port (which is no longer supported)
  - FIXED: Cannot change image for device with a vendor name
           containing an apostrophe (like Micro-Star int'l)
           (Asus bug)
  - FIXED: OpenVPN client download was capped by Adaptive QOS
           upload limit (fix devised by FreshJR)
  - FIXED: OpenVPN custom config might be lost after a reboot
           on the RT-AC86U.

384.7_2 (21-Oct-2018)
  - FIXED: Namecheap DDNS service not working
  - FIXED: CVE-2018-15599 security issue in Dropbear
  - FIXED: Potential buffer overrun in httpd

384.7 (7-Oct-2018)
  - NOTE: The RT-AC3200 and RT-AC56U are not supported by this
          release, Asus hasn't released any updated code yet for
          these models.

  - NOTE: Important changes to DDNS, please read below.

  - NOTE: Important changes to DNSFilter, please read below.

  - NEW: Merged with GPL 384_21152.
  - NEW: Merged RT-AC87U binary blobs + SDK from 382_50702.
  - NEW: Replaced old ez-ipupdate DDNS client with In-a-Dyn.
         A plugin was developed to fully support Asus's DDNS
         Custom services can now be configured through ddns-start,
         inadyn.conf, inadyn.conf.add or inadyn.postconf.  See the
         In-a-Dyn documentation as many custom services can be
         defined for it.
  - NEW: Added support for DDNS service to webui.
  - NEW: Added option to retrieve WAN IP from either the local
         interface (like before) or through a remote server
         (which works through double NAT) for DDNS.
  - NEW: Display DFS channel info on Wireless Log page.
  - NEW: Added option to disable checks on unsigned DNSSEC replies.
         Disabling these will speed up lookups, but it will also
         remove part of the security benefits of DNSSEC, so it
         should not be used unless you have a very specific reason
         to do so.
  - NEW: Added Quad9 to DNSFilter supported services.
  - CHANGED: Updated curl to 7.61.1.
  - CHANGED: Updated wget to 1.19.5.
  - CHANGED: Updated openssl to 1.0.2p.
  - CHANGED: Updated dnsmasq to v2.80test8 (themiron).
  - CHANGED: Updated nano to 3.1.
  - CHANGED: All DDNS services now use HTTPS.
  - CHANGED: Replaced Google Domains DDNS script with In-a-Dyn's own
  - CHANGED: Moved DNSFilter to the LAN section, to make it clear
             that it's unrelated to Trend Micro's engine.
  - CHANGED: Report hostname and IP on Wireless Log page if the
             info is missing from dnsmasq but available from
  - FIXED: Invalid dnsmasq config when setting DNSFilter to Router
           mode and having IPv6 enabled (themiron).
  - FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode
  - FIXED: client table would be shown twice on the VPN Status
           page if the only connections to an OVPN server
           were invalid clients (like a port scanner)
  - FIXED: DDNS forced updates after "x" days wouldn't be
  - FIXED: CERT VU#598349 vulnerability (DHCP client could
           claim the special "wpad" hostname)
  - REMOVED: Ez-ipupdate DDNS client (replaced with In-a-Dyn).
             Update your scripts if you were relying on it.
  - REMOVED: Norton Safe DNSFilter services (being discontinued
             by Symantec in November).  Configured clients will
             be automatically migrated to OpenDNS Family - make
             sure to edit your DNSFIlter settings if you desire
             to use a different service.

384.6 (25-July-2018)
   - NOTE: The RT-AC87U is not supported in this release, as
           Asus hasn't released any updated code for that model.
   - NEW: Merged with GPL 384_21045/382_50624.
   - NEW: Added support for the "-p" option to netstat.
   - NEW: Added setting to enable DNS rebind protection, on the
          DHCP page.  This works by rejecting upstream server
          responses that would point at a private IP.
   - CHANGED: Updated nano to 2.9.8
   - CHANGED: Updated curl to 7.60.0 (contains security fixes)
   - CHANGED: Allow selecting text (for copy/paste operations)
              on AiProtection pages.
   - CHANGED: Added AES-*-GCM ciphers to the OpenVPN legacy
              ciphers (so they can be explicitely used without
              using NCP).
   - CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron)
   - CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
              DNS replies received with DNSSEC enabled are legitimate.
              If your upstream DNS doesn't support DNSSEC, this means
              all replies from signed zones will be considered
              invalid.  Make sure you only enable DNSSEC if your
              upstream DNS servers do support it.  This behaviour is
              a bit slower, but far more secure than the old default.
   - CHANGED: Network Tools -> Netstat output also report program/PID
   - CHANGED: Updated CA bundle to June 20th version.
   - FIXED: IPv6-related issues on non-HND platform (themiron)
   - FIXED: Couldn't log on WTFast if accessing the router
            webui over https.
   - FIXED: USB modem support code failing to properly pass
            parameters to the kernel module (themiron)
   - REMOVED: WTFast support for RT-AC88U/RT-AC3100/RT-AC5300,
              as it's incompatible with recent versions of
              curl (and has been broken for quite some time).
              Not gonna revert back to a 7 years old curl
              version just for wtfast.

384.5 (13-May-2018)
   - NEW: Merged withh GPL 384_20648
   - NEW: Merged RT-AC68U, RT-AC5300 binary blobs from 384_20648
   - NEW: Merged RT-AC86U SDK and binary blobs from 384_20648
   - NEW: service-event script, executed before any service
           call is made.  First argument is the event (typically
           stop, start or restart), second argument is the target
           (wireless, httpd, etc...).
           Note that this script will block the execution of
           the event until it returns.
   - NEW: Added USB HID modules (for use with devices such
          as UPS)
   - NEW: Added ip6tables-save command.
   - CHANGED: Updated OpenVPN to 2.4.6.
   - CHANGED: Updated Dropbear to 2018.76.
   - CHANGED: Updated Openssl to 1.0.2o.
   - CHANGED: Updated miniupnpd to version 2.1 (20180508).
   - CHANGED: Updated nano to 2.9.5.
   - CHANGED: Moved RT-AC86U to the same Busybox version (1.25.1)
              as other models.
   - CHANGED: Revised OpenVPN server options:
              o Removed "TLS Reneg time" (rarely used, can manually
                be set as a custom option)
              o Removed "Server Poll" (which didn't work
                properly), and reimplemented watchdog service,
                hardcoded to 2 mins frequency.
              o Removed "Push LAN" and "Redirect Gateway",
                replaced with new Client Access setting
              o Removed Firewall setting (firewall rules are now
                always created, and the broken External mode
                was fixed and integrated into the new Client
                Access setting).  You can now use the postconf
                script to override it.
              o Removed option to respond to DNS queries - enabling
                the option to Push DNS will also handle it
              o Added new Client Access setting to select between
                three types of access: LAN only, WAN only (will
                block access to the LAN, including the router
                itself) and LAN + WAN.
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Revised OpenVPN client options:
              o Reorganized settings into groups
              o Removed "Poll Interval" (which didn't work
                properly), and reimplemented watchdog service,
                with a hardcoded frequency of 2 mins.
              o Removed Firewall setting (firewall rules are now
                always created).  You can now use the postconf
                script to override it.
              o Modified behaviour of Connection Retry.  Instead
                of taking a value in seconds that only affected
                resolution failure, it now takes a number of
                attempts, and affects connection failures.
                Resolution failures will now retry for an infinite
                period of time (the default OpenVPN value).
              o Added "refresh" link which can be clicked to
                re-query the public IP endpoint of the tunnel
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Removed option to resolve names on the
              Log -> Connections page.
              That functionality was added to the
              Network Tools -> Netstat page instead.
   - CHANGED: Re-designed Log -> Connections page into a table
              with sortable fields - click on a column header to
              sort on that field.
   - CHANGED: From now on, setting the router to act as a master
              browser or a WINS server will also require you to
              enable sharing.  This will ensure that users understand
              that enabling either of these settings requires disk
              sharing to also be enabled (which it was already
              silently doing before).
   - CHANGED: Moved "Beta firmware" option to the Tools -> Other
              Settings page
   - CHANGED: Improved layout of the Firmware Update page
   - CHANGED: WPAD behaviour (sending a carriage return on
              DHCP option 252) can now be controlled in the
              Tweaks section.
   - CHANGED: Blocking custom scripts such as service-event
              and pre-mount will now wait a maximum of 120
              seconds before resuming normal operations, to
              prevent accidental lockouts.
   - CHANGED: Autofill start/end time for DST when selecting
              a timezone (LostFreq)
   - FIXED: Some dnsmasq issues related to DNSSEC were fixed,
            including CVE-2017-15107. (backported from
            dnsmasq 2.79 by John Bacho)
   - FIXED: Restoring an OpenVPN instance to default values
            would fail to disable its Start with WAN setting.
   - FIXED: Hardware authentication failure for the RT-AC3100
            and RT-AC5300.
   - FIXED: Minidlna web status page could no longer be enabled.
   - FIXED: CVE-2017-9022, CVE-2017-9023 and CVE-2017-11185 in
            Strongswan (odkrys)
   - FIXED: Various issues with download traffic in Traditional
            QoS (Cédric Dufour)
   - FIXED: TCP timeout values couldn't be changed on the
            Tools -> Other Settings page.
   - FIXED: Security issue related to webui logging in (Asus bug)

384.4_2 (24-Mar-2018)
   - CHANGED: Added visual warning when manually enabling webui
              access on WAN.  Doing so carries serious potential
              security risks, as Asuswrt's web server code should
              not be considered hardened enough for this.
   - FIXED: Security issue in httpd (CVE-2018-8879).
   - FIXED: Potential security issue in httpd related to QiS.
   - FIXED: Minor webui issue in the QoS overhead menu.

384.4 (16-Mar-2018)
   - NEW: Merged with GPL 384_20379 (with some binary components
          from 382_50010 and 384_20308 depending on models)
   - NEW: Added support for the RT-AC5300.
   - NEW: Added support for the RT-AC87U.
   - NEW: Added IPSEC support to the RT-AC86U.
   - NEW: Support the new Entware 64-bit repo on the RT-AC86U.
          To switch to the new repository, re-run the
 script.  You will need to reinstall
          your apps (your old config files are backed up on
          your USB disk).
   - CHANGED: Tightened security around some config files.
   - CHANGED: Allow guest networks settings for AP isolation
              and SSID broadcast to be set separately from
              their parent interface (John Bacho)
   - CHANGED: Samba protocol support can now be set to
              SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
              This will result in a performance drop on all
              models but the RT-AC86U, but will be more secure.
              Ideally, people should change it to SMBv2 only,
              and then reboot all their client devices to start
              using only the new protocol.
   - CHANGED: Re-added some of the logging sd-idle used to do
              in 380.xx.
   - CHANGED: Switched to the new Entware repo for armv7 models.
              To upgrade, run the following commands TWICE:

              opkg update; opkg upgrade

   - FIXED: Resetting an OpenVPN client to default settings
            might revert back after a reboot.
   - FIXED: log flood from lldpd about "unable to send packet
            on real device" (moved to debug level)
   - FIXED: Potential racing condition that could lead to two
            instances of miniupnpd running at boot time.
   - FIXED: Single-char hostnames were rejected by DHCP static
            leasees page. (theMIROn)
   - FIXED: AiCloud could sometime generate a new SSL certificate
            that would overwrite the one stored in jffs.  Now,
            AiCloud can also use the same one uploaded by the
            user for the main webui, or the Let's Encrypt one.
   - REMOVED: Telnet server.  Please use SSH for console-based
   - REMOVED: SNMP support on the RT-AC86U (incompatible)
   - REMOVED: Merlin NAT loopback mode (was increasingly
              problematic as the firmware firewall handling became
              more complex)

384.3 (14-Feb-2018)
   - NOTE: To reduce confusion following the version
           bump to 384, the current Github repository
           was renamed from asuswrt-merlin.382 to
  (for New Generation).
           It's recommended that you update your
           local repository if you're a developer,
           for example by running:

              git remote set-url origin \
                 [email protected]:RMerl/

   - NOTE: AiMesh is currently not supported.  Feasability of
           supporting it is still under evaluation.
   - NEW: Merged with GPL 384_10007
   - NEW: Added support for RT-AC3200 (merged
          SDK 7.x-main + binary blobs from 382_19466).
   - NEW: nano can now be configured through /jffs/configs/nanorc
   - CHANGED: Allow up to 5 OpenVPN clients on RT-AC3200.
   - CHANGED: Updated nano to 2.9.3.
   - FIXED: Some routers coming from 380.xx would incorrectly
            report a new firmware available at boot time.
   - FIXED: Some broken clients (like Samsung TVs) try to use
            reserved hostnames - ignore these.  (theMIRon)
   - FIXED: Added missing IPv6 local hostnames (theMIRon)
   - FIXED: Issues withh DNS & broadcast relay for pptp
            clients (theMIRon)
   - FIXED: Fixed CVE-2018-5721 in httpd (Merlin & theMIROn)
   - FIXED: helper.js wasn't properly handling parentheses
   - FIXED: NAT acceleration of PPPoE for some models (fix
            backported from 382_50010)
   - FIXED: Networkmap-related issues on some models (missing
            tx/rx rate and such).
   - FIXED: ipset could cause the router to crash on the HND
            platform (john9527)
   - FIXED: Network Service Filter wasn't working when in
            Blacklist mode.
   - FIXED: Repeater mode (backport from 384_20287)

382.2 Beta (17-Jan-2018)
   - NOTE: Due to various issues with GPL 382_18991, the 382.2
           release is being dropped, and work is moving on to the
           next version.  382.2 beta releases remain available
           for those who still wish to use it (especially RT-AC56U
           users for whom there is no ETA as to when Asus will
           release the next GPL for that particular model.)
           Known issues include lack of PPPoE HW acceleration and
           Adaptive QoS sometimes failing to start at boot among

   - NOTE: The official IRC channel has moved to
           Freenode (#asuswrt).

   - NEW: Merged with GPL 382_18991.
          Most notable changes (will vary between models):
            - Added IPSec VPN server
            - Added IFTTT and Alexa support
            - Let's Encrypt support (DDNS page)
            - Better support for some longer settings (RT-AC86U)
   - NEW: Merged HND SDK + binary components from 382_18848
   - NEW: Added IPSec VPN status on the VPNStatus page.
   - NEW: Added support for RT-AC56U and RT-AC68U
          (and all of its variants)
   - NEW: Enabled support for Let's Encrypt on RT-AC56U and
          RT-AC68U (in addition to RT-AC88U/3100)
   - CHANGED: Moved HTTPS cert management to the DDNS page (where
              Asus has put theirs, as Let's Encrypt is tied to
              the DDNS configuration)
   - CHANGED: Updated openssl to 1.0.2n.
   - CHANGED: Updated tor to
   - CHANGED: Updated nano to 2.9.1.
   - CHANGED: Updated curl to 7.57.0.
   - CHANGED: Increased max length for OpenVPN custom settings from
              170 to 510 characters on RT-AC86U.
   - CHANGED: Updated miniupnod to Github snapshot 20171212.
   - CHANGED: OpenVPN firewall rules are now processed after the
              various security chains (access restriction, network
              service firewall, etc...), ensuring OVPN traffic no
              longer bypasses them.
   - FIXED: httpd crash on certain web pages if there are no Ethernet
            clients connected
   - FIXED: DNSFILTER rules would have priority over OPENVPN Client
            rules (when client has DNS set to Exclusive mode).
   - FIXED: traffic routing from the router itself would fail when
            restarting the firewall while using an ovpn client with
            policy rules in effect.
   - FIXED: Dashes were rejected when used in an OpenVPN policy
            client description.
   - REMOVED: Removed option to select between active and passive
              scan mode for a site survey (that code is now closed
              source and therefore that option can no longer be

382.1_2 (2-Dec-2017)
   - NEW: Added custom/add/postconf support for mcpd.conf (RT-AC86U)
   - CHANGED: Updated odhcp6c to latest upstream version
              (patch by theMIRon)
   - CHANGED: cifs and xt_set kernel modules will get automatically
              loaded as needed.
   - CHANGED: Updated openssl to 1.0.2m.
   - CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
   - CHANGED: Merged wireless components from GPL 382_18991 for
              RT-AC88U and RT-AC3100 (should in theory fix KRACK
              issue on these two models)
   - FIXED: allow IA_NA mode downgrade with forced IA_PD
            (for ISPs with broken IPv6 support)
            (patch by theMIRon)
   - FIXED: SSH brute force protection would break WAN
            connectivity (RT-AC86U)
   - FIXED: Wrong Trend Micro signature updater was used when
            compiling with FW update checker enabled.
   - FIXED: QoS Upload chart missing on PPPoE connections with
            Adaptive QoS enabled.
   - FIXED: client and vendor id fields on WAN page would fail
            to accept new values longer than 32 characters.
   - FIXED: The Desc field in the OpenVPN policy section would
            reject ":" if field contained a MAC address.
   - FIXED: Security issues CVE-2017-15275, CVE-2017-12163 and
            CVE-2017-12150 (backported to Samba 3.6 and 3.5)
   - FIXED: DHCP static lease list would refuse any change if
            the list of leases+hostnames was longer than 1000
            chars due to an HND platform limitation (RT-AC86U)

382.1 (12-Nov-2017)
   Asuswrt-Merlin 382 was rebuilt from a clean GPL codebase, as
   merging the new 382 GPL on top of the existing code proved too

   For simplicity, the following abbreviations are used below:
      AM380 = Asuswrt-Merlin
      AM382 = Asuswrt-Merlin
      Asus380 = Asus's
      Asus382 = Asus's

   AM382.1 is based on AM380.68_4 merged on top of a clean GPL.

   At this time, only the RT-AC86U, RT-AC88U and RT-AC3100
   are supported by AM382.  Other models will gradually be
   moved to AM382 as Asus upgrade them to the new 382 code
   base (and GPL code becomes available for them).

   This changelog will focus on changes that happened between
   AM380.68 and AM382.1, or between Asus382_16466 and AM382.

   Also note that the primary download site was changed to
   Sourceforge, due to numerous issues with Mediafire.  Onedrive
   will be the official mirror to the download site.

   - NEW: Moved to Asus382 codebase.  Some of the most important
          changes between Asus380 and Asus382:
            - New Trend Micro DPI engine, with two-way IPS
            - New networkmap service (now closed source)
            - New OpenVPN implementation (now closed source,
              not used by AM382)
            - Numerous security enhancements throughout the code

   - NEW: Merged with GPL 382_16466 (RT-AC86U).
   - NEW: Added support for the RT-AC86U and its Broadcom HND
          platform (HND SDK from GPL 382_18219).
          Note that IPTraffic is not supported by this model due to
          its newer Linux kernel.
   - NEW: Rewrote part of the OpenVPN implementation, as Asus's own
          is now closed source.  Asuswrt-Merlin's OpenVPN code will
          now be independent of Asus's.
   - NEW: Added support for inline CRLs when importing an ovpn file
   - NEW: Added support for fullcone NAT (RT-AC86U)
   - NEW: Added WiFi Radar (Broadcom's Visualization app) in the
          Wireless section.  You must enable data collection on
          its Configuration page for all charts to work properly.
   - NEW: Added option to disable the Asus NAT tunnel service under
          Other Settings -> Tweak.  Not quite sure what this
          partly closed source service is for, but it eats a
          fair amount of CPU and RAM.
   - NEW: Option on OpenVPN Server page to quickly choose
          between pushing LAN or LAN + Internet access (ported
          from Asus382)
   - NEW: Option to select the bitsize to use (1024 or 2048) when
          automatically generating the OpenVPN server key/certs
          (ported from Asus382)
   - CHANGED: Updated wget to 1.19.2 (fixing connectivity to some
              TLS 1.2 servers)
   - CHANGED: SSH host keys are now stored in /jffs/ssl/ rather
              than nvram.
   - CHANGED: SMB2 is enabled by default on RT-AC86U (no performance
              penalty on that platform)
   - CHANGED: Moved UPnP Secure Mode setting from the Tweaks section
              to the WAN page, next to other UPnP settings.
   - CHANGED: Moved "Modify key and certs" link to its own dedicated
              row and made it a button for improved visibility
              (OpenVPN client & server pages)
   - CHANGED: Updated OpenVPN to 2.4.4.
   - CHANGED: The firmware version check behaviour was slightly
              changed.  The "Get Beta" checkbox will now check
              both the Beta and the Release channels for new
              version availability.  Automatic scheduled checks
              will still only check the Release channel.
   - CHANGED: Layout improvements to the SNMP, Login, and
              Operation Mode pages (patches by Alin Trăistaru)
   - CHANGED: Report both the local client IP as well as the
              public/visible IP on the OpenVPN client page once
              a client is connected (same info that was already
              available on the VPN Status page).
   - CHANGED: Moved Disk spindown settings to the System page,
              to match with Asus382 which now offers this feature.
   - REMOVED: Obsolete/exotic HMAC digests for OpenVPN servers (to
              match with Asus' own supported list)
   - REMOVED: "Custom" OpenVPN authentication mode (which probably
              nobody used or even understood).