Yes, the Accept DNS Configuration setting can be confusing as it acts differently depending on if you route All Traffic vs Policy Rules.

If you use Policy Rules with the OpenVPN client and have Accept DNS Configuration set to Exclusive, dnsmasq is bypassed and Diversion will not block ads since it requires dnsmasq to work. This is not an issue if you route All Traffic thru the OpenVPN Client. If you use Policy Rules, my go-to recommendation before Stubby was available was to set Accept DNS Configuration to Strict and use the dhcp-option DNS x.x.x.x in the Custom Config section, where the x.x.x.x is a DNS server of your choosing. Recently, Stubby became available, which has created another alternative which I prefer. Install Stubby and set Accept DNS Configuration to Disabled. The OpenVPN client will then use Stubby DNS, which is encrypted. I need to update the blog post with the Stubby alternative. I'll try to get to it in the next day or two.
 
During clean installs on my AX88U I seem to always run into the same issue where Diversion gets stuck on "Waiting for Dnsmasq to restart..", times out, then gets stuck in a loop continuously spawning processes.

https://pastebin.com/raw/vb0xeMpe

https://pastebin.com/raw/hyifsavm
What addons are installed prior to installing Diversion?
Any other features enabled in the WebUI that are non bare bones?
Something else I should consider to replicate?
 
Diversion was the first thing to be installed after amtm. The install (recovering from a previous Diversion installation on the USB) gets stuck processing the blacklist, which starts to grow exponentially. Deleting the blacklist fixed the issue, but this has happened on more than one occasion in similar circumstances.
 
I noticed that as well. I changed to full install instead of recovery and it worked fine. Mine stalled at starting dnsmasq.
 
It happened to me as well on the last few “from scratch” installations. The last time it happened it went on for a long time and I simply lost my patience, unplugged the USB, rebooted router and started over again.


 
Seems that happened with the 86U for you, right?
 
Yes, the Accept DNS Configuration setting can be confusing as it acts differently depending on if you route All Traffic vs Policy Rules.

If you use Policy Rules with the OpenVPN client and have Accept DNS Configuration set to Exclusive, dnsmasq is bypassed and Diversion will not block ads since it requires dnsmasq to work. This is not an issue if you route All Traffic thru the OpenVPN Client. If you use Policy Rules, my go-to recommendation before Stubby was available was to set Accept DNS Configuration to Strict and use the dhcp-option DNS x.x.x.x in the Custom Config section, where the x.x.x.x is a DNS server of your choosing. Recently, Stubby became available, which has created another alternative which I prefer. Install Stubby and set Accept DNS Configuration to Disabled. The OpenVPN client will then use Stubby DNS, which is encrypted. I need to update the blog post with the Stubby alternative. I'll try to get to it in the next day or two.

First of all, this is an AMAZING resource thread. It will take me days to digest all of the info here.

I am interested in whether I can use my new NordVPN on the router (I configured it a few weeks ago - still in my 30 day trial period), and still get the benefit of using the Diversion ad-block. From the sounds of the above quoted post, I think the answer is yes with a bit of configuration. I think my end goal is to have the VPN active, but with a few added tweaks for my setup:

- I currently use diversion + pxl-serv on my router without issue.
- I use the built-in DNS filter function of the Merlin firmware so I can assign different DNS servers to different computers on my network (for my kids' computer/tablet/etc)
- I would like to add the VPN functionality and STILL be able to use the DNS filter method (assigned by MAC addresses) intact (in some way)
- I would like for the DNS not to "leak", as this appears to be a common issue if you don't use the VPN's DNS servers.

If there is a writeup somewhere describing a situation like this I would love to see that! If this means I need to add Stubby I am willing to go down that path.

It would also be really slick if there was a way to set up a dedicated device (RasPi) with a screen that could act as a monitor for stats/logs/etc from Diversion. This would just be a nerd-toy I think would be interesting (for a while at least).

Thanks!
 
There are different definitions of what a DNS leak is. If you go to some DNS leak test sites and the DNS you have specified appears, it may give you a warning that you may be leaking DNS requests. Some VPN providers use this to scare you into purchasing their service. I think the purist definition of a DNS leak is when your DNS queries are routed outside of your VPN tunnel and to your ISP. But if I specify that my VPN tunnel use Cloudflare, is it really leaking? Not really. Yes, the DNS will appear on the DNS leak test site, but DNS queries are going where I told them to! If you set Accept DNS Configuration to Exclusive and route all traffic to the tunnel, then the DNS leak test site will show the DNS IP to be the same as the VPN Server. How kewl is that?

Be careful with DNS filter, you can exclude a client from using Diversion adblocker when configured a certain way. See https://diversion.ch/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

Similarly, there is another DNSFilter setting so you can use one set of blocking files for the kids and another for the grown ups. https://diversion.ch/diversion/manual/alternate-blocking-file.html

I have not experimented with these features though.

I finally got around to updating the OpenVPN setup guide with the two DNS alternatives you can use if you use Policy Rules and also want to use Diversion ad blocker (which you quoted in your post). See https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/. Most of it should be applicable to other VPN providers but there will be some differences in the OpenVPN client settings depending on the provider.

There is a stat feature in Diversion. The information is ascii text though. I have it emailed to me once per week in a text file as an email attachment.
 
Thanks for the reply - I will dig into these links and suggestions later this week when I have some free time!
 
@thelonelycoder diversion log tells me reply error is SERVFAIL is happening again for all queries. Internet stopped working completely including ping. Network monitoring is not enabled. Router uptime is 2 days.

Rebooting router would fix this but I want to hunt down the cause of this persistent intermittent bug first. Anybody know what commands I should run?
 
Be careful with DNS filter, you can exclude a client from using Diversion adblocker when configured a certain way. See https://diversion.ch/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

Similarly, there is another DNSFilter setting so you can use one set of blocking files for the kids and another for the grown ups. https://diversion.ch/diversion/manual/alternate-blocking-file.html

I have not experimented with these features though.

I just wanted to say thank you for pointing this out today. I just checked this again and realized that the adblocking function was indeed being bypassed by using the DNSFilter function of the router for the kids' computers. I will have to look into how I can use the alternate blocking file for the family/adult blocking functions I was using with cleanbrowsing (i.e. what should the content of that alternate blocking file be?). I want to enforce safe search for Google and YouTube too (which is taken care of by cleanbrowsing as well).

For the time being, I would rather have the family filter in place as opposed to ad blocking for their computers (until I can figure out the list).
 
If you can bear to live with the same restrictions as the kids, you can set the WAN DNS servers to cleanbrowsing and set the DNSFilter global mode to Router to ensure no one can bypass the Router for DNS. Then everyone will get the benefits of Diversion and the smut-free internet from cleanbrowsing.
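
One way to check for the DNSFilter bypass discussed in the posts above, as an added example that is not from the thread or from Diversion: it counts queries per client in a dnsmasq query log and lists the LAN clients that never appear. It assumes a bypassed client's queries never reach dnsmasq and so are absent from its log; the log lines, IP addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find LAN clients whose DNS never reaches dnsmasq.
# Relies on dnsmasq's log-queries line format:
#   <date> dnsmasq[pid]: query[TYPE] <name> from <client-ip>

# Constructed sample log (not real traffic).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 dnsmasq[812]: query[A] ads.example.com from 192.168.1.20
Mar  3 10:15:01 dnsmasq[812]: forwarded ads.example.com to 127.0.0.1
Mar  3 10:15:02 dnsmasq[812]: reply ads.example.com is 203.0.113.7
Mar  3 10:15:09 dnsmasq[812]: query[AAAA] www.example.org from 192.168.1.10
Mar  3 10:15:09 dnsmasq[812]: cached www.example.org is 2001:db8::1
Mar  3 10:16:40 dnsmasq[812]: query[A] www.example.org from 192.168.1.10
EOF
}

# query_counts LOGFILE
# Prints "client-ip count" for every client that sent at least one query,
# busiest first. Only "query[...] name from ip" lines are counted.
query_counts() {
    awk 'NF >= 4 && $(NF-1) == "from" && $(NF-3) ~ /^query\[/ { n[$NF]++ }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr -k1,1
}

# clients_without_queries LOGFILE IP...
# Prints each listed client IP that never appears as a query source,
# i.e. a client whose lookups are not passing through dnsmasq.
clients_without_queries() {
    log=$1; shift
    seen=$(query_counts "$log" | cut -d' ' -f1)
    for ip in "$@"; do
        printf '%s\n' "$seen" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Demo on the constructed log; replace the temp file with your own
# dnsmasq log path and the IPs with your own clients.
tmp=$(mktemp)
sample_log > "$tmp"
echo "Queries per client:"
query_counts "$tmp"
echo "Clients with no queries in dnsmasq:"
clients_without_queries "$tmp" 192.168.1.10 192.168.1.20 192.168.1.30
rm -f "$tmp"
```

A client that was simply idle during the logged period is also listed, so run the check after the device has been browsing for a while.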
 
Not in my experience here. I have an AC86U with full time OpenVPN client using Strict Policy rules, all devices use VPN except smart TV because Netflix, Amazon Prime and YouTube TV hate proxies. :)

Also a full time IPSec VPN server, amtm, Diversion, Skynet, Stubby DNS over TLS, Entware, ChkWAN and VPN_Failover scripts.

It all works and runs well and communicates with each other. One note is that I have the OpenVPN client "Accept DNS Configuration" set to Disabled so that Stubby works even for all the VPN tunneled clients.

I am interested in VPN_Failover scripts. Can you point me where I can find it or read about it? Would love to have that working with VPN client on my Asus
 
Yes, I can understand your confusion. I used the recommendation on the wiki to use Accept DNS Configuration set to Strict before I ran Stubby, and that worked as the wiki states. When Stubby was introduced here that changed the way DNS resolution works. As stated in this message from @Xentrk, Accept DNS Configuration for VPN clients then needs to be set to Disabled or it will not work correctly. Xentrk is one of the Stubby script contributors and is very knowledgeable in networking and especially VPN use. Since the Stubby script and use is much newer than that wiki information about using DNS with a VPN, one has to learn the new methods.

@skeal and I run Stubby DNS over TLS with a VPN and our experience shows that setting Accept DNS Configuration in the VPN client needs to be set to Disabled. At least try it and see if your ip leaks are solved.

I understand your point, but for the most secure connection I prefer setting DNS to Strict. This way all traffic, including DNS queries, goes through the VPN channel. In your config, DNS is outside of the VPN channel.
 
I am interested in VPN_Failover scripts. Can you point me where I can find it or read about it? Would love to have that working with VPN client on my Asus
Here on SNB in this same forum:
https://www.snbforums.com/threads/vpn-failover-script.55635/#post-473636

I understand your point, but for the most secure connection I prefer setting DNS to Strict. This way all traffic, including DNS queries, goes through the VPN channel. In your config, DNS is outside of the VPN channel.
But with Stubby DNS over TLS it is still encrypted. My VPN provider does not have their own DNS, and I am in the process of setting up my own VPN host with Algo and Wireguard, and will still use the Cloudflare DNS over TLS using Stubby.
 
Hallo everyone

What is the correct way of starting / reinstalling Diversion after a router firmware upgrade? The files are there but Diversion is not running?
 
Hi Thomas

Welcome to the forum

Installation instructions are here:

https://diversion.ch/diversion/installation.html

But if you have AMTM installed, go to Option 1. And if you don’t have AMTM, you really should install it as a priority.

https://www.snbforums.com/threads/amtm-the-snbforum-asuswrt-merlin-terminal-menu.42415/
 
Hello all,

First of all thanks Decoderman for creating Diversion, it is working great on my AC86U running Firmware Version:384.10.

If someone could give me his/her insights/recommendation regarding my setup, I would greatly appreciate it:

I'm new to this so sorry if this has been answered before (couldn't find a similar question), I currently have a 1TB HDD connected to my router's USB 3.0 port and a multifunction printer connected to the other 2.0 USB port.

The 1TB HDD is working as a file history disk for the files on my laptop. It is formatted as EXT4 because I also have Diversion and pixelserv-tls installed on it.
I have noticed that the HDD is not hibernating after not using it for 300 seconds. I suppose that Diversion and pixelserv-tls are frequently using the HDD because there is always a client connected to the router (I have a PS4 and a Nintendo Switch that are in sleep mode and have seen some activity when using "follow dnsmasq.log" on Diversion coming from their static local IP addresses).

I don't know if there will be more wear to the 1TB HDD for being used 24/7 (it is the HDD from the PS4 Pro since I upgraded it to a 2TB Hybrid drive).

I was thinking of plugging a 4GB USB flash drive (formatted as EXT4) into the USB 2.0 port with Diversion and pixelserv-tls installed on it, but I have some doubts. According to the iozone benchmark (attached pictures), my HDD has random read/write IOPS (4kB) of 154/447 and the 4GB USB flash drive has random read/write IOPS (4kB) of 796/5.

What is more important for my online experience, read or write speed?

I don't use the printer very often, so in case you would recommend connecting the 1TB HDD to the 3.0 USB port and the 4GB USB flash drive to the 2.0 USB port, I could just unmount and unplug the HDD and connect the printer just to print/scan and then reconnect the HDD.

Sorry for the long post and excuse my English as it's not my native language.
Thanks
Roberto
 
