- FIXED: CVE-2017-6549 (implemented temporary workaround,
until a proper fix from Asus)
- FIXED: CVE-2017-6548 (backport from GPL 7266)
- FIXED: WOL page fails to load if adding a client with a
quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name
contained a quote.
- NEW: Merged with parts of Asus GPL 380_4180, left out
most of it because of too many bugs in it.
- NEW: Upgraded to OpenVPN 2.4.0, and implemented support
for many of its new features:
* GCM ciphers
* LZ4 compression
* tls-crypt (uses the Static Key field)
* Cipher negotiation (NCP), with (optional)
fallback to legacy "cipher" parameter when
an OpenVPN 2.3 client connects to the
router's 2.4 server.
Please refer to the OpenVPN 2.4 documentation for
more info on these new features.
You will be warned if any server setting would
generate an exportable ovpn file that would be
incompatible with older clients.
Existing client config shouldn't need to be changed,
unless you modify the router's server configuration.
- NEW: Upgraded Busybox to 1.25.1 (patch by theMIROn)
- NEW: Added the following Busybox applets: ntpd, time, uniq,
xargs and getopt, for feature parity with John's fork.
- NEW: Option on Media Server page to enable minidlna's
built-in status web page. Default URL is
- NEW: Support for Vodafone R226 USB LTE (patch by
- NEW: New "update-notification" user script, that gets run
when a scheduled firmware check detects a new version
- CHANGED: Removed support for all RC ciphers on OpenVPN.
DES is staying for now, but should still be avoided
- CHANGED: Updated openssl to 1.0.2k
- CHANGED: Updated tor to 0.2.9.9 (0.2.9.x patch by blackfuel)
- CHANGED: Updated nano to 2.7.4.
- CHANGED: hosts file will now give a higher priority to the
user-configured hostname for the router ahead of
hardcoded ones (like router.asus.com).
- CHANGED: Create a system log entry if a new firmware
version is available.
- CHANGED: Display name and icon for clients configured on the
- CHANGED: Streamlined miniupnpd stop/start events during boot,
so there are fewer of them now.
- FIXED: Invalid DUID used when requesting an IPv6 prefix
for some of the newer router models, which would
prevent them from getting working IPv6 (Asus bug)
- FIXED: Network Service Firewall rules not applied
under certain configurations
- FIXED: Port triggering wasn't working if traffic had
been whitelisted by Network Service Firewall
- FIXED: Avahi wasn't rejecting connections from
secondary WAN interface
- FIXED: Sorting clients by connection time would incorrectly
treat 10 hours as shorter than 9 hours, as it was
handling it as a string (Asus bug)
- FIXED: Exported ovpn client file wouldn't use the
user-configured hostname when using DDNS custom mode.
- FIXED: Exported OpenVPN client config didn't work when
using static key authentication.
- FIXED: Exported OpenVPN client config wasn't editable with
Notepad, the default editor used by Windows's
- FIXED: OpenVPN was killed too quickly on disconnection,
causing issues when using explicit-exit-notify
(patch by john9527)
- FIXED: OpenVPN client/server instances weren't properly
restarted on a WAN restart (patch by john9527)
- FIXED: Some models (N66/AC66/AC5300) would reboot 3 times
if one of the radios was found disabled by the user
while booting (Asus bug).
- FIXED: Webui layout was broken under Chrome 56.
- FIXED: IPv6 client list failing to properly show hostnames
(regression in 64_1)
- FIXED: A few potential buffer overruns in httpd
- FIXED: Security issues in httpd (backport from GPL 4180 +
additional fixes of my own)
- NEW: New firmware availability notification. The router will
notify you if a new firmware is available, and will also
let you view the changelog before sending you to the
download page (the update process remains manual).
Note that the automated check will only report new
final releases. The Check button on the Firmware Upgrade
will immediately check for final releases or beta (if you
select that option), but not both at the same time.
- NEW: Added iptables MASK support on MIPS kernel (patch
- NEW: Webui warning shown in the notification area if running
low on free nvram.
- CHANGED: Updated nano to 2.7.1.
- CHANGED: Updated OpenVPN to 2.3.14.
- CHANGED: Updated curl to 7.51.0, resolving numerous security
and stability issues.
- CHANGED: Tor clients will now route other TCP ports than just
80/443, and drop UDP and ICMP traffic (patch by
- CHANGED: QoS Stats info will automatically refresh every
3 seconds (user-configurable)
- CHANGED: IPTraffic charts now show sorted slices, so the
clients with the least traffic will get grouped
under "Others" if truncating the list of shown
- CHANGED: Enabled IPv6 support in curl.
- CHANGED: Improved webui performance, by caching large static
life from 5 mins to 1 hour.
- CHANGED: No longer include Download Master packages in the
firmware for those models that still included them,
reducing firmware size by a few megabytes.
Those were always outdated, the router will download
the latest versions from Asus's servers at install
- CHANGED: Improved webui protection against CSS/XSS attacks
(backport from GPL 4164)
- FIXED: Web server crash if importing an ovpn file with an
invalid key or certificate (Asus bug)
- FIXED: App icon at the top wouldn't work on Firefox,
- FIXED: Firefox would sometime fail to display the client
list, reporting a JSON parsing error in the console.
- FIXED: HMAC setting not properly set when importing an ovpn
file for a config based on TLS authentication mode.
(backport from GPL 4164)
- CHANGED: Added detection for iPhone 7 models in networkmap
(patch by Andrei Coman).
- CHANGED: Enabled --dns-loop-detect support in dnsmasq
- CHANGED: Move Dual WAN static routes to a lower priority, so VPN
policy rules will have priority over them
- FIXED: Traditional QoS labels were off by one on the Stats page.
- FIXED: Adaptive QoS upload stats couldn't be retrieved because
qosd seems to be hardcoded to always set up classes on eth0
rather than on the real WAN interface.
- FIXED: USB driver was removed too early at shutdown time on the
RT-AC56U and RT-AC87U (fix by john9527)
- NEW: QoS Statistics page, showing the amount of traffic assigned to
each available classes, as well as the current throughput.
- NEW: Charts added to various Traffic Monitor pages.
Note that you can click on legend items to reveal/hide the
DL/UL data. Hovering over a bar or a pie slice will
display the exact value for that item.
- NEW: Added pc_delete() to the helper script (patch by john95287)
- NEW: IPv6 firewall now supports fixed interface ID (EUI64) ipv6
destination addresses (Patch by john9527)
- CHANGED: Updated Tor to 0.2.8.9
- CHANGED: Updated OUI database.
- CHANGED: ipset was updated to version 6.29 on ARM models.
IMPORTANT: this means you will probably need to
update your script to the new syntax. You need to
load the xt_set.ko module at the start of your script.
There has been no change to MIPS models, due to their
older kernel. (original code by Shibby and Victek,
Asuswrt port by john9527) (ARM only)
- CHANGED: OpenVPN policy rules now start at prio 10000 instead of 1000
- CHANGED: Added help popups to various settings that are unique to
- FIXED: Custom group/shadow/passwd weren't applied at boot time.
- FIXED: CVE-2016-5195 (Dirty COW) vulnerability in kernel
(patches by blackfuel and Joseph A. Yasi)
- FIXED: Network Service Filter rules would only apply to clients
under Parental Control if that was enabled (original
debugging by john9527) (Asus bug)
- FIXED: A few memory leaks in httpd and rc services.
- CHANGED: Updated OpenSSL to 1.0.2j
- NEW: Added nano 2.7.0 (user-friendly text editor)
Note that for space reasons, some of its features are disabled
for the RT-N66U and RT-AC66U. Entware users might want to
uninstall the Entware version if they had it installed and want
to use the built-in version instead.
- NEW: Option to toggle the display of passwords on the PPTPD and
OpenVPN server pages.
- NEW: Allow providing a vendor class on the WAN page (DHCP option 60)
- NEW: Add option to disable sending a RELEASE request when odhcp6c
exits, allowing you to retain your received prefix with some
- CHANGED: Updated nettle to 3.2 (used for dnssec) and increased
- CHANGED: Updated minidlna to 1.1.6
- CHANGED: Updated OpenVPN to 2.3.12
- CHANGED: Updated OpenSSL to 1.0.2i
- CHANGED: Revamped the Wireless Log page:
- Merged some columns to gain more horizontal space
- Longer hostname shown (truncated names are now
shown in a tooltip)
- Display clients' IPv6 if they have one
- CHANGED: Accept up to 250 characters for OpenVPN client's
username and password (one provider needs 64).
- CHANGED: Hide the WPA key on the Wireless config page, and only
reveal it when you click on the field to edit it.
- FIXED: OpenVPN client shouldn't display policy routing settings
when using a TAP interface.
- FIXED: DSL/ATM overhead setting was visible on MIPS models, which
don't support it.
- FIXED: Editing OpenVPN or PPTP users with any value longer than
32 chars could lead to corruption of the user list.
- FIXED: Custom config file for igmpproxy wasn't working.
- FIXED: After turning off a Guest network, the next visit to the
Wireless Settings page would show that guest network's settings
instead of the parent band settings (Asus bug)
- FIXED: Smart Connect rules didn't apply on the RT-AC88U (backported
fix from 380_3941).
- FIXED: Numerous memory leaks in the networkmap service. (Asus bug)
- FIXED: Potential buffer overrun in the networkmap service. (Asus bug)
- FIXED: Broken IPv6 connectivity if enabling SSH brute force
protection (only MIPS models were affected)
- FIXED: 5G LED would fail to turn back on when exiting stealth mode.
- FIXED: Only hostname was used as remote server in an exported
OpenVPN client config when using Namecheap DDNS.
- FIXED: Security vulnerability (XSS/CSR) in httpd (backported
fix from 380_4005).
- FIXED: Chrome would try to autofill some fields (such as on the
DDNS configuration page), which could be problematic.
- FIXED: IPTraffic database was no longer properly named after
the router's MAC address on the AC88/AC3100/AC5300.
If you recently enabled it, you will need to either
re-create a new database, or rename the existing
database from tomato_cstats_000000000000.gz to
tomato_cstats_XXXXXXXXXXXX.gz, where "XXXXXXXXXXXX" is
your MAC as found with "nvram get et2macaddr", in
lowercase (AC88/AC3100/AC5300 only).
Regular traffic monitoring (stored in
tomato_rstats_XXXXXXXXXXXX.gz) is fine.
- FIXED: Connected OpenVPN clients reporting as disconnected
on the status page following any wireless config change
- FIXED: OpenVPN server would report being "Initializing"
while it already was ready, following any
wireless config change (Asus bug)
- FIXED: Various stability issues with minidlna (reverted some
of Asus's customizations)
380.61 Beta 1 (31-July-2016)
- NEW: Merged with GPL 3831.
- CHANGED: updated dropbear to 2016.74.
- FIXED: Do not enforce b/g mode as "auto" if wireless mode
is also set to Auto.
[older history can be found within the distribution archive]