AB-Solution - The Ad Blocking Solution

[XIII]

What is “admin.absolution” on 172.20.0.3?

Oh, I like the color scheme; looks like it’s more readable than all the ones in AB3

 

[thelonelycoder]

What is “admin.absolution” on 172.20.0.3?

That is the URL and IP for the WebUI. AB-Solution sets its own tld (.absolution) with the only domain admin in that range locally on the router.

Oh, I like the color scheme; looks like it’s more readable than all the ones in AB3

The theme colors have not changed significantly, only subtle adjustments which I still work on.
This is more or less the same theme as in AB3: blue_on_white
Expanded m option preview pic below.

Again: This is a preview of AB-Solution 4.0 and NOT available to users outside the four walls I live in.

 

[Jack Yaz]

What is “admin.absolution” on 172.20.0.3?

Oh, I like the color scheme; looks like it’s more readable than all the ones in AB3

Probably the webui!

 

[thelonelycoder]

I always chuckle when I scroll by this m option test in the menu options case statements:

[Mm]   )   # show options menu
           [ "$more" = "more" ] && more=less || more=more

It switches between less or more options in the SSH UI as seen in the two previews posted above.

 

[Jack Yaz]

This is how it will work if you put all the pieces together.
AB, or better: Dnsmasq will direct all non-local and not-blocked domain queries upstream. It sounds simple but a steep learning curve might hinder instant success.

I think I've got a working setup, though only in an Ubuntu VM.

Using a lightweight dnsmasq setup to replicate the router DNS server only, setting it to not forward local queries upstream.

If I'm understanding correctly (I will test shortly), adding hostings akin to AB-S will be resolved by dnsmasq and not forwarded to Unbound.

Unbound is set to resolve queries over TLS.

EDIT: In theory, to bypass AB-S DNS filter can be pointed for those devices to unbound. This will most likely prevent local DNS resolution from working since Unbound won't understand the LAN!

EDIT2: Need to have unbound listen on a new IP, rather than localhost, since I don't think DHCP can push DNS with a different port.

Dnsmasq.conf

port=53

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

no-resolv



# Add other name servers here, with domain specs if they are for
# non-public domains.
server=127.0.0.1#5353

Unbound.conf

# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
## DNS Over TLS, Simple ENCRYPTED recursive caching DNS, TCP port 853
## unbound.conf -- https://calomel.org
#
server:
#   access-control: 10.0.0.0/8 allow
#   access-control: 127.0.0.0/8 allow
#   access-control: 192.168.0.0/16 allow
   cache-max-ttl: 14400
   cache-min-ttl: 900
   do-tcp: yes
   hide-identity: yes
   hide-version: yes
   interface: 127.0.0.1
   port: 5353
   minimal-responses: yes
   prefetch: yes
   qname-minimisation: yes
   rrset-roundrobin: yes
   ssl-upstream: yes
   use-caps-for-id: yes
   verbosity: 1

forward-zone:
   name: "."
   forward-addr: 9.9.9.9@853         # quad9.net primary
   forward-addr: 149.112.112.112@853 # quad9.net secondary

#  forward-addr: 145.100.185.15@853  # dnsovertls.sinodun.com US
#  forward-addr: 145.100.185.16@853  # dnsovertls1.sinodun.com US
#  forward-addr: 184.105.193.78@853  # tls-dns-u.odvr.dns-oarc.net US
#  forward-addr: 185.49.141.37@853   # getdnsapi.net US
#  forward-addr: 199.58.81.218@853   # dns.cmrg.net US
#  forward-addr: 146.185.167.43@853  # securedns.eu Europe
#  forward-addr: 89.233.43.71@853    # unicast.censurfridns.dk Europe

 

[M@rco]

&& more=less

So much truth in a single piece of code. It's just... profound wisdom disclosed in shell scripting.


I do miss the menu option 'iwin' (I want it now) but that's most likely a matter of practicing patience.

Love the theme btw, makes me long for spring to come

 

[thelonelycoder]

Apologies to @thelonelycoder for a slight hijack of the thread...

We're here to help, your thoughtful responses are very welcome, everywhere.

 

[thelonelycoder]

EDIT: In theory, to bypass AB-S DNS filter can be pointed for those devices to unbound. This will most likely prevent local DNS resolution from working since Unbound won't understand the LAN!

EDIT2: Need to have unbound listen on a new IP, rather than localhost, since I don't think DHCP can push DNS with a different port.

Which would then seamlessly work with DNS based filtering from the WebUI. Just point the ones to the unbound IP.

 

[Jack Yaz]

Which would then seamlessly work with DNS based filtering from the WebUI. Just point the ones to the unbound IP.

Taking inspiration from AB-S and the PixelServ interface (i.e. ifconfig br0:unbound x.x.x.x up), I've now got unbound up on its own IP, and DNS resolution seems to work. Config file for unbound likely needs some optimising (uploaded here) https://pastebin.com/pA5qPQ6U

Oddly I had to create /opt/var/lib/unbound, it wasn't created as part of the install. But it survives a reboot and unbound is ticking along as an optional DNS resolver. Next up, installing AB-S and seeing how I get on.

 

[skeal]

Taking inspiration from AB-S and the PixelServ interface (i.e. ifconfig br0:unbound x.x.x.x up), I've now got unbound up on its own IP, and DNS resolution seems to work. Config file for unbound likely needs some optimising (uploaded here) https://pastebin.com/pA5qPQ6U

Oddly I had to create /opt/var/lib/unbound, it wasn't created as part of the install. But it survives a reboot and unbound is ticking along as an optional DNS resolver. Next up, installing AB-S and seeing how I get on.

I am following closely!

 

[Jack Yaz]

....and then the anvil dropped. I'm on dnscrypt-proxy v1. Assumed it had to run on 127.0.0.1#65053...not so.

ifconfig br0:dnscrypt 10.14.16.2 up

change /opt/etc/init.d/S09dnscrypt-proxy local-address and ensure port 53 (since directly connecting client to the IP need 53)

ARGS="--local-address=10.14.16.2:53 --daemonize -R cisco"

dnscrypt-proxy now sits on its own IP thus making DNSFilter compatible? Not sure how v2 works, since it's still in beta

 

[Jack Yaz]

I mount Entware in my post-mount script, is there a way I can safely disable this in services-start? I had more success when calling rc.unslung when the partition is being mounted, rather than waiting on a timer.

# DO NOT EDIT this part of the file #
# generated by AB-Solution 3.11
RC='/opt/etc/init.d/rc.unslung'

i=30
until [ -x "$RC" ];do
    i=$(($i-1))
    if [ "$i" -lt 1 ];then
        logger "Unable to start Entware"
        exit
    fi
    sleep 1
done
logger "AB-Solution started rc.unslung via $0"
$RC start $0
# end of DO NOT EDIT #

 

[thelonelycoder]

Taking inspiration from AB-S and the PixelServ interface (i.e. ifconfig br0:unbound x.x.x.x up), I've now got unbound up on its own IP, and DNS resolution seems to work.

Make sure the virtual interfaces are outside the DHCP range for both unbound and dnscrypt.

I mount Entware in my post-mount script, is there a way I can safely disable this in services-start? I had more success when calling rc.unslung when the partition is being mounted, rather than waiting on a timer.

AB3 is adamantly recreating that file, silently if you remove it or part of it.

This changes in AB4 as I no longer need services-start, I found a much better way to do it.
AB4 will only need a post-mount and dnsmasq.postconf with a single line source reference to the actual AB postconf and post-mount files.
I also bring up the virtual interfaces in the actual S80 binary start files, just before the binary gets called.
In AB4 the /opt/etc/init.d/S80pixelserv-tls looks thus:

if [ -f /opt/share/absolution/.conf/absolution.conf ]; then
    . /opt/share/absolution/.conf/absolution.conf

    if [ "$AB_STATUS" = "enabled" ] && [ "$psState" = "on" ]; then
        switchesFile=/opt/share/absolution/.conf/pixelserv.switches
        [ -f "$switchesFile" ] && switches=$(cat $switchesFile | tr '\n' ' ') || switches=
        
        ifconfig br0:pixelserv-tls $psIP up
        logger -t AB-Solution "created br0:pixelserv-tls $psIP from $0"

        export TZ=$(cat /etc/TZ)
        ENABLED=yes
        PROCS=pixelserv-tls
        ARGS="$psIP $switches"
        PREARGS=""
        PRECMD="ulimit -s 64"
        DESC="$PROCS (AB-Solution)"
        PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        . /opt/etc/init.d/rc.func.ab
    else
        logger -t AB-Solution "pixelserv-tls or AB-Solution disabled, not starting pixelserv-tls from $0"
    fi
else
    logger -t AB-Solution "absolution.conf file not found, not starting pixelserv-tls from $0"
fi

It brings up the needed virtual interface and pixelserv-tls but only if AB services ($AB_STATUS) or pixelserv-tls ($psState) is enabled in AB.

 

[thelonelycoder]

I mount Entware in my post-mount script, is there a way I can safely disable this in services-start? I had more success when calling rc.unslung when the partition is being mounted, rather than waiting on a timer.

# DO NOT EDIT this part of the file #
# generated by AB-Solution 3.11
RC='/opt/etc/init.d/rc.unslung'

i=30
until [ -x "$RC" ];do
    i=$(($i-1))
    if [ "$i" -lt 1 ];then
        logger "Unable to start Entware"
        exit
    fi
    sleep 1
done
logger "AB-Solution started rc.unslung via $0"
$RC start $0
# end of DO NOT EDIT #

The self-check in AB3 for services-start is for the #DO NOT EDIT line and:

if ! grep -q "RC='/opt/etc/init.d/rc.unslung'" $jScripts/$1;then

Meaning if you place a dummy services-start file in /jffs/scripts, no shebang at top so it won't run and place that into it:

# DO NOT EDIT this part of the file #
# generated by AB-Solution 3.9
RC='/opt/etc/init.d/rc.unslung'

It will pass the AB self-check and function 22 which is the verbose self-check.

 

[Jack Yaz]

Make sure the virtual interfaces are outside the DHCP range for both unbound and dnscrypt.

Indeed, DHCP pool doesn't start til 100 in my network.

AB3 is adamantly recreating that file, silently if you remove it or part of it.

This changes in AB4 as I no longer need services-start, I found a much better way to do it.
AB4 will only need a post-mount and dnsmasq.postconf with a single line source reference to the actual AB postconf and post-mount files.
I also bring up the virtual interfaces in the actual S80 binary start files, just before the binary gets called.
In AB4 the /opt/etc/init.d/S80pixelserv-tls looks thus:

It brings up the needed virtual interface and pixelserv-tls but only if AB services ($AB_STATUS) or pixelserv-tls ($psState) is enabled in AB.

Looks good! I'll leave it be, I rarely reboot the router anyway!

 

[wyldstallyn]

Hey guys,

I notice this in the System Log when the router boots, I have a 32GB USB stick split in half with two partitions, one for skynet and one for ABS. ABS is on the sda2 partition with a 2GB swap. I formatted the drive using Gparted on Linux Mint 18.3.

Jan 28 04:20:08 kernel: <6>usbcore: deregistering interface driver usblp
Jan 28 04:20:08 kernel: <6>ohci_hcd 0000:00:0b.0: remove, state 1
Jan 28 04:20:08 kernel: <6>usb usb2: USB disconnect, address 1
Jan 28 04:20:08 kernel: <6>ohci_hcd 0000:00:0b.0: USB bus 2 deregistered
Jan 28 04:20:08 kernel: <6>ehci_hcd 0000:00:0b.1: remove, state 1
Jan 28 04:20:08 kernel: <6>usb usb1: USB disconnect, address 1
Jan 28 04:20:08 kernel: <6>usb 1-2: USB disconnect, address 2
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <6>ehci_hcd 0000:00:0b.1: USB bus 1 deregistered
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 haveged: haveged starting up
Jan 28 04:20:08 kernel: <6>SysRq : Emergency Sync
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <4>Emergency Sync complete
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock detected
Jan 28 04:20:08 kernel: <4>
Jan 28 04:20:08 kernel: <3>EXT2-fs (sda2): previous I/O error to superblock deteccted
Jan 28 04:20:08 kernel: <4>

I also see the following (plus some other messages about usb, usbcore):

Jan 28 12:30:59 hotplug[846]: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/absolute
Jan 28 12:30:59 usb: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/absolute.
Jan 28 12:30:59 kernel: EXT2-fs (sda2): warning: mounting unchecked fs, running e2fsck is recommended

Skynet and ABS seem to be working fine, but is the USB possibly crapping out or in need of a reformat? I'm really a novice when it comes to linux, hence why I'm using Mint. I'm just able to decipher the obvious.

 

[M@rco]

Here's your answer:

running e2fsck is recommended

You can check the drive on a different system or use a script like this to do so on the router during boot. If there are many issues to resolve, it might take another reboot (which goes way quicker once your filesystems are marked clean) because it could be that not all of your services are started before e2fsck is done checking and, if necessairy, repairing your filesystems. There are probably many other ways, but I prefer the latter, using the check before mounting (hence the 'pre-mount' script)

Follow the instructions here (the top part with the script and making it executable is most relevant), by pasting the code in a (new) file called pre-mount in /jffs/scripts/. Use a text editor like Notepad++ and make sure it uses Unix encoding (LF), followed by making the script executable by entering:

chmod a+rx /jffs/scripts/pre-mount

and reboot. Make sure to check the contents of /var/fsck.log afterwards, before the next reboot, otherwise it will be gone.

If you regularly reboot and the delay caused by e2fsck bothers you, just make the script non-executable. You can always make it executable again when a new problem arises.

 

[Stardust]

I have problems to write updates notity. I have an gmail account, and the smtp.gmail.com with port 465 are not working. When I try to send a testmessage, it was not possible.

 

[Frejoh4666]

So I'm trying to setup email, but I keep getting errors.

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

From stackoverflow I believe it's because I need to enabled SSL on port 443, from what I have read it is because it can't connect to the server (or get a wrong answer), or there is an extra set of "<IfDefine NotDefined>" referenced in the secure virtual host configuration, tho I doubt a file I haven't touched would be wrong.

I'm using SMTP Server: smtp-mail.outlook.com, and Server port: 587. Confirmed that it is correct from support.office.com

Also, can't wait for AB4, was looking at PiHole and would love some graphs and easy way to see some stats. Just bad that the RPi dosn't support gigabit speed.

Edit:
Seems to only be outlook problem. I created a new gmail instead.

 

[thelonelycoder]

I have problems to write updates notity. I have an gmail account, and the smtp.gmail.com with port 465 are not working. When I try to send a testmessage, it was not possible.

Would you kindly post the error message that was displayed by curl?
The use of smtp.gmail.com and port 465 probably is set on 75% of the AB-Solution installations out there, including the four I have here.
Make sure you have set a application password and use that if you have two factor authentication enabled.