AB-Solution - The Ad Blocking Solution

[thelonelycoder]

Tried many times, but still could not get pixelserv-tls working on my RT-AC66U (Firmware:380.69). Anyone has the same problems?


Checking pixelserv-tls (AB-Solution)... dead.
removing pixelserv-tls virtual IP 192.168.1.2
starting pixelserv-tls virtual IP 192.168.1.2
starting pixelserv-tls
writing the pixelserv-tls startup script
restarting pixelserv-tls to apply changes
Starting pixelserv-tls (AB-Solution)... failed.
checking pixelserv-tls status again:
---------------------------------------------------
pixelserv-tls appears not to be running
You now have three options:
1. Abort installation, to continue again from here
2. Abort installation and reset pixelserv-tls settings
3. Continue anyway, forcing the install


admin@RT-AC66U-2C68:/tmp/home/root# netstat -tuln | grep :80
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8082 0.0.0.0:* LISTEN

The Syslog will have some more info, post that too.

 

[seattle]

Here is the log. It looks fine now when I change my ssh port to 333. Is it the problem?

Jan 31 14:06:56 admin: Started pixelserv-tls (AB-Solution) from /tmp/mnt/sda1/adblocking/addon/pixelserv-tls.add.
Jan 31 14:06:57 pixelserv-tls[18119]: pixelserv-tls: v2.0.1-rc4 compiled: Dec 12 2017 23:05:05 options: 192.168.1.2
Jan 31 14:06:57 pixelserv-tls[18119]: Listening on :192.168.1.2:80
Jan 31 14:06:57 pixelserv-tls[18119]: Abort: Address already in use - :192.168.1.2:443
Jan 31 14:07:02 admin: AB-Solution created 192.168.1.2 for pixelserv during install.
Jan 31 14:07:10 pixelserv-tls[18215]: pixelserv-tls: v2.0.1-rc4 compiled: Dec 12 2017 23:05:05 options: 192.168.1.2
Jan 31 14:07:10 pixelserv-tls[18215]: Listening on :192.168.1.2:80
Jan 31 14:07:10 pixelserv-tls[18215]: Abort: Address already in use - :192.168.1.2:443
Jan 31 14:07:10 admin: Failed to start pixelserv-tls (AB-Solution) from /tmp/mnt/sda1/adblocking/addon/pixelserv-tls.add.
Jan 31 14:10:17 pixelserv-tls[18937]: pixelserv-tls: v2.0.1-rc4 compiled: Dec 12 2017 23:05:05 options: 192.168.1.2
Jan 31 14:10:17 pixelserv-tls[18937]: Listening on :192.168.1.2:80
Jan 31 14:10:17 pixelserv-tls[18937]: Abort: Address already in use - :192.168.1.2:443
Jan 31 14:10:17 admin: Failed to start pixelserv-tls (AB-Solution) from /tmp/mnt/sda1/adblocking/addon/pixelserv-tls.add.
Jan 31 14:10:48 admin: Started pixelserv-tls (AB-Solution) from /tmp/mnt/sda1/adblocking/addon/pixelserv-tls.add.
Jan 31 14:10:48 pixelserv-tls[19446]: pixelserv-tls: v2.0.1-rc4 compiled: Dec 12 2017 23:05:05 options: 192.168.1.2
Jan 31 14:10:48 pixelserv-tls[19446]: Listening on :192.168.1.2:80
Jan 31 14:10:48 pixelserv-tls[19446]: Abort: Address already in use - :192.168.1.2:443
Jan 31 14:11:42 pixelserv-tls[20062]: pixelserv-tls: v2.0.1-rc4 compiled: Dec 12 2017 23:05:05 options: 192.168.1.2
Jan 31 14:11:42 pixelserv-tls[20062]: Listening on :192.168.1.2:80
Jan 31 14:11:42 pixelserv-tls[20062]: Abort: Address already in use - :192.168.1.2:443
Jan 31 14:11:42 admin: Failed to start pixelserv-tls (AB-Solution) from /tmp/mnt/sda1/adblocking/addon/pixelserv-tls.add.
Jan 31 14:12:14 pixelserv-tls[20667]: pixelserv-tls: v2.0.1-rc4 compiled: Dec 12 2017 23:05:05 options: 192.168.1.2
Jan 31 14:12:14 pixelserv-tls[20667]: Listening on :192.168.1.2:80
Jan 31 14:12:14 pixelserv-tls[20667]: Abort: Address already in use - :192.168.1.2:443
Jan 31 14:12:14 admin: Failed to start pixelserv-tls (AB-Solution) from /tmp/mnt/sda1/adblocking/addon/pixelserv-tls.add.

 

[Jack Yaz]

Here is the log

Abort: Address already in use - :192.168.1.2:443

Is something already on 192.168.1.2?

 

[seattle]

Abort: Address already in use - :192.168.1.2:443

Is something already on 192.168.1.2?

my SSH port is 443. Now it's fine when I change my ssh to 333. Looks like it's the problem.

 

[thelonelycoder]

Is something already on 192.168.1.2?

my SSH port is 443. Now it's fine when I change my ssh to 333. Looks like it's the problem.

I have to check how I test for port 443 usage but it should have warned you that port 443 is in use by an unknown process or something similar.

 

[elorimer]

@elorimer: I just read some more and, if I understand correctly, it appears that sending mail using curl through smtp.gmail.com:465 actually requires the setting "Allow less secure apps" to be enabled, as Google requires Oauth. See my post above:

I have two factor set, and I've been using an app-specific password for, gosh, a year now. But just in the last two or three weeks, the regular weekly backup has stopped coming through.

 

[thelonelycoder]

I have two factor set, and I've been using an app-specific password for, gosh, a year now. But just in the last two or three weeks, the regular weekly backup has stopped coming through.

Is it only the backup or the stats as well?
Send a manual backup or test mail, if you still get curl: (67) Login denied then I assume that gmail has a reason to deny login.

 

[elorimer]

Odd. I generated a new app-specific password and added it to the ab-s config, and then it went through. When I checked, it was the only remaining app-specific password on my account.

The last successful email was 1/13/18, so I wonder what happened.

 

[thelonelycoder]

When I checked, it was the only remaining app-specific password on my account.

The last successful email was 1/13/18, so I wonder what happened.

Hmm. Sounds suspicious, have you had a look at the access list? You would have received an email if an unseen or unknown device logged into your account.

 

[M@rco]

Hmm. Sounds suspicious, have you had a look at the access list?

That sounds like a safe idea. If you don't know how to do so, details can be found here.

 

[elorimer]

I think I have an inkling.

Application Specific Passwords don't generally expire.  As the documentation
 suggests, they are a one-off creation.

However, all programmatic access to your Gmail account - i.e. automated access made by an
 email program - can need re-verifying in the event of changes in the Gmail account or changes to
 the client. Some clients can recognise this and issue the correct error message - most will just
issue their generic "Wrong password" error.  Re-verification usually involves a web login, before
 returning to the client, and a re-entry of the password may be required. Where an ASP is
 involved, that may mean you need to generate a fresh ASP.

I recall now that I deleted from my Gmail account an old ISP email account that my Gmail account was POPing from. So, there was a change in my Gmail account.

So, for @thelonelycoder, I'm afraid I can't think how to recover what the error message might have been that curl might have interpreted differently than the 67 message.

 

[thelonelycoder]

I recall now that I deleted from my Gmail account an old ISP email account that my Gmail account was POPing from. So, there was a change in my Gmail account.

So, for @thelonelycoder, I'm afraid I can't think how to recover what the error message might have been that curl might have interpreted differently than the 67 message.

I believe the error would have been the same, password or username incorrect in either case. I doubt that curl can differentiate the error returned by gmail for a wrong password or if the user needs to re-verify the password.
But good to know and a good find.

 

[thelonelycoder]

@ all that have 382.x, 384.x or 384/NG Asuswrt-Merlin Firmware versions installed:
If you have firmware update notifications enabled, the new version reported will be truncated due to a change in the naming convention in NVRAM.
I don't plan to change that part of the code in AB3.x as you still get the email with the relevant wording present, just not the complete new version number.
It served it's purpose and that is good enough for me

Routers running on 380.xx firmware are not affected by this.

AB...

 

[SMS786]

For those who have a schedule set for weekly router restarts..is there a way to automate the loading of ABS after the reboot? I ask because the pixelserv stats page is down after every reboot and I have to manually open ABS through SSH to access the stats page after the weekly restart..

 

[thelonelycoder]

For those who have a schedule set for weekly router restarts..is there a way to automate the loading of ABS after the reboot? I ask because the pixelserv stats page is down after every reboot and I have to manually open ABS through SSH to access the stats page after the weekly restart..

The Syslog will have some entries relevant to the reason it won't start after the reboot.
Likely your attached device was delayed in mounting successfully.

 

[SMS786]

The Syslog will have some entries relevant to the reason it won't start after the reboot.
Likely your attached device was delayed in mounting successfully.

I'll check out the log after the next reboot..thanks!

 

[Xentrk]

I'll see if I can get my head round Unbound, lots of configuration options. In my head it should work, allowing dnsmasq to resolve in the first instance (therefore allowing AB-S to block with the relevant files?), and set upstream to unbound, which resolves using DNS over TLS.

@Jack Yaz ,
I am following your progress with unbound on asuswrt. I use unbound on pfSense. I can configure everything using the web gui. I can choose what interfaces to use. I select my three vpn clients and the WAN. The ad blocking package, pfBlockerNG, uses Unbound. When I go to a dns leak site, the ip address of the DNS server is the same as my VPN tunnel. However, in Asus Merlin, I have to set Accept DNS Configuration = Strict for ABS to work over the vpn tunnel when using Selective Routing. But when I go to a dns leak site, the ip address of the DNS is the one I entered in the WAN gui. Have you come across a configuration to route VPN DNS traffic to Unbound?

Did you see the links @tomsk posted in this thread?
Unbound Links
https://calomel.org/unbound_dns.html

 

[Jack Yaz]

@Jack Yaz ,
I am following your progress with unbound on asuswrt. I use unbound on pfSense. I can configure everything using the web gui. I can choose what interfaces to use. I select my three vpn clients and the WAN. The ad blocking package, pfBlockerNG, uses Unbound. When I go to a dns leak site, the ip address of the DNS server is the same as my VPN tunnel. However, in Asus Merlin, I have to set Accept DNS Configuration = Strict for ABS to work over the vpn tunnel when using Selective Routing. But when I go to a dns leak site, the ip address of the DNS is the one I entered in the WAN gui. Have you come across a configuration to route VPN DNS traffic to Unbound?

Did you see the links @tomsk posted in this thread?
Unbound Links
https://calomel.org/unbound_dns.html

There's almost certainly a way to force it to Unbound, using iptables to redirect dns to unbound's IP. I'm fairly certain this will "leak" the DNS from the VPN tunnel however.

 

[JJQuin]

So about a week and 1/2 ago I posted about trying to use a script to forward specific clients using iptables to fix the DNS leak or ABS issue with dnsmasq.

https://www.snbforums.com/threads/a...ing-solution-v3-11.37511/page-120#post-376165

I've been working with @Xentrk to try this solution. The truth is Xentrk wrote all the code I just spent hours and HOURS testing it . Unfortunately, all we were able to do was to duplicate what RMerlin has already setup using the web interface.

But another possible solution came up. As I understand it @john9527 's fork takes the opposite approach to RMerlins. Here is a quote from john9527 describing it.

Unfortunately, it's a byproduct of having only one instance of dnsmasq. So....you get a choice and Merlin and I have different implementations here.

- Choice 1: VPN with exclusive mode doesn't use dnsmasq, WAN clients do. VPN clients with exclusive mode can't use AB-Solution (Merlin)
- Choice 2: VPN with exclusive mode uses dnsmasq. WAN clients bypass dnsmasq. WAN clients with VPN exclusive mode set can't use AB-Solution, but VPN clients can (my fork). If you let the WAN clients also use the VPN DNS servers, then everyone can use AB-Solution.

Sorry, but that's about it. No other workaround.

I'm thinking a lot of people would be willing to have their WAN clients use the VPN DNS servers so all their clients can use AB-Solution. I have all my clients both VPN and WAN using a pi-hole right now which only uses the VPN tunnel. The pi-hole is a decent solution but I would prefer to use AB-Solution with pixelserv.

I'm not asking RMerlin to change his software, but I was hoping john9527 would be willing to post the specific scripts in his fork that use his implementation. Then myself or someone with more scripting experience may be able to write a script that runs from nat-start or openvpn-event that forces all the clients to use the VPN DNS Servers through the tunnel.

It should be possible to watch if the VPN tunnel goes down and switch over the WAN clients. I don't think this will be necessary for VPN services like PIA and NordVPN that assign their public DNS servers to be used through their VPN tunnels, but services like TorGuard who use private "10." addresses for their DNS servers INSIDE the tunnel may have an issue.

I'm disabled and have a LOT of time on my hands. It's been about 15 years since I worked with iptables and shell scripting but it's coming back to me . I'm pretty sure I will be able to at least come up with a script to test if this is possible, but I would welcome help from anyone with more recent experience. Even if it's just to look over what I come up with and make suggestions.

Thanks

 

[thelonelycoder]

The pi-hole is a decent solution but I would prefer to use AB-Solution with pixelserv.

I did some tests a while back with a second dnsmasq instance, to use it to direct clients to a separate ad-blocking list.
I have given up on it, but more for the reason that it is a tad too complicated to use in a script that is so widely used as AB-Solution.
The support questions would be endless if something goes haywire.