> I'll need to do further testing with 1024bit key but Apple's guidelines are pretty clear on this issue:
>
> "TLS server certificates and ISSUING CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS."
>
> https://support.apple.com/en-us/HT210176

I saw that as well, though I remember something being said about server vs client when jackyaz updated pixelserv. It was all too waaay over my head. :D
 
> I saw that as well, though I remember something being said about server vs client when jackyaz updated pixelserv. It was all too waaay over my head. :D

Both server (issuing CA) and client (generated certificates) have their own set of requirements and we need to fulfill both for a successful TLS authentication.
 
> Both server (issuing CA) and client (generated certificates) have their own set of requirements and we need to fulfill both for a successful TLS authentication.

I will watch this space to see what everyone decides. I have migrated to a 2048 bit CA, and it seems fine. It would be a prohibitively large nuisance to change it back and re import on all these various devices who have various owners for me to test, so I will leave that to you fine folks.

My question - one way or the other, does this not only come into play when the certificates are generated by pixelserv? Once they’re generated, that’s that, and they’re all 2048, yeah? Asking, don’t know.
 
Thanks for adding domain-only lists. Tried out a couple of malware pi-hole lists from the https://filterlists.com collection. It works like a charm.
 
> My question - one way or the other, does this not only come into play when the certificates are generated by pixelserv? Once they’re generated, that’s that, and they’re all 2048, yeah? Asking, don’t know.

Post 2.30 pixelserv-tls, all generated client certificates are 2048 bits with the ExtendedKeyUsage flag set. But as per Apple's guidelines, the issuing Certificate Authority also needs to be created with a minimum 2048-bit key pair.
 
> Thanks for adding domain-only lists. Tried out a couple of malware pi-hole lists from the https://filterlists.com collection. It works like a charm.

Appreciate the response. I built in some extra verification with the domain-only lists, which now also runs on the hosts-based lists. Just to be on the safe side if some rogue list wants to do malicious hijacking by inserting specific characters.
 
> I will watch this space to see what everyone decides. I have migrated to a 2048 bit CA, and it seems fine. It would be a prohibitively large nuisance to change it back and re import on all these various devices who have various owners for me to test, so I will leave that to you fine folks.
>
> My question - one way or the other, does this not only come into play when the certificates are generated by pixelserv? Once they’re generated, that’s that, and they’re all 2048, yeah? Asking, don’t know.

I regenerated my root CA to 1024 bit. All my Apple devices are still happy and ad free.
 
I hope someone can help out this noob,

I just installed the latest Diversion standard with the standard list, but I noticed that my internet speed slowed down with browsing and sometimes with videos as well.

Router: AC68U
Firmware: Latest Merlin (384.14)
Diversion: Latest (4.1.7)
With pixelserv-tls (although I don't know if pixelserv-tls is functioning; I don't know if I set up everything correctly in my router)
USB drive: formatted as EXT3 (I did not know which one to choose)

I have my internal network on 192.168.2.1 and I set the start of the IP pool from: 192.168.2.3 and gave 192.168.2.2 to Diversion pixelserv-tls IP.
I don't see it showing up in my DHCP or anything and I don't know what it actually has to do. My understanding was serving 1 pixel with ads, but I still see big portions of the screen unable to load.

Is there a way to see if pixelserv works and maybe some tips to speed up my speed?

I am using USB 3.0 in my router with a USB 3.0 drive that has 200~mb/s read and good writing speeds.
 
> I hope someone can help out this noob,
>
> I just installed the latest Diversion standard with the standard list, but I noticed that my internet speed slowed down with browsing and sometimes with videos as well.
>
> Router: AC68U
> Firmware: Latest Merlin (384.14)
> Diversion: Latest (4.1.7)
> With pixelserv-tls (although I don't know if pixelserv-tls is functioning; I don't know if I set up everything correctly in my router)
> USB drive: formatted as EXT3 (I did not know which one to choose)
>
> I have my internal network on 192.168.2.1 and I set the start of the IP pool from: 192.168.2.3 and gave 192.168.2.2 to Diversion pixelserv-tls IP.
> I don't see it showing up in my DHCP or anything and I don't know what it actually has to do. My understanding was serving 1 pixel with ads, but I still see big portions of the screen unable to load.
>
> Is there a way to see if pixelserv works and maybe some tips to speed up my speed?
>
> I am using USB 3.0 in my router with a USB 3.0 drive that has 200~mb/s read and good writing speeds.

Do you get any browser complaints if you browse to https://diversion-adblocking-ip.address/?
Otherwise, it will just be a blank page with the Pixelserv favicon in the tab Title. If errors, your Pixelserv CA cert probably isn't installed in the browsers/OS properly, and could delay https requests to blocked domains.

Also just try browsing http://192.168.2.2/servstats and see if your counters are increasing. If you don't see the page at all, Pixelserv probably isn't running.
 
> Do you get any browser complaints if you browse to https://diversion-adblocking-ip.address/?
> Otherwise, it will just be a blank page with the Pixelserv favicon in the tab Title. If errors, your Pixelserv CA cert probably isn't installed in the browsers/OS properly, and could delay https requests to blocked domains.
>
> Also just try browsing http://192.168.2.2/servstats and see if your counters are increasing. If you don't see the page at all, Pixelserv probably isn't running.

Thank you!

I did get the servstats page, and just to be sure, I imported http://pixelservip/ca.crt in Windows.
But it is still a bit slow. I have a wired connection and should have 250mb/s, but I tried several websites and even starting the video or clicking anywhere in the video is slower than usual.

Does pixelserv work in Chrome?
 
> I regenerated my root CA to 1024 bit. All my Apple devices are still happy and adfree.

You're sure TLS handshakes are also completing on iOS 13+? Ad-free is something else, but for pixelserv-tls to work as designed it needs to complete the TLS handshake. I've just tried with a 1024-bit certificate on iOS 13.3 and, as expected per Apple's guidelines, the handshake failed.
 
> Thank you!
>
> I did get the servstats page, and just to be sure, I imported http://pixelservip/ca.crt in Windows.
> But it is still a bit slow. I have a wired connection and should have 250mb/s, but I tried several websites and even starting the video or clicking anywhere in the video is slower than usual.
>
> Does pixelserv work in Chrome?

Yes, Chrome picks up the CA certificate from the OS certificate store (Firefox has its own separate certificate store).

Once you are connected to your websites, Pixelserv should not be causing any performance issues. Is it faster if you disable Pixelserv and/or Diversion?
 
> You're sure TLS handshakes are also completing on iOS 13+? Ad-free is something else, but for pixelserv-tls to work as designed it needs to complete the TLS handshake. I've just tried with a 1024-bit certificate on iOS 13.3 and, as expected per Apple's guidelines, the handshake failed.

My Pixelserv CA generated under Jack Yaz Pixelserv-tls 2.3.0 is a 2048-bit certificate. I have no issues on iOS 13.3 devices. Do your stats show high slu values or other anomalies?
 
> My Pixelserv CA generated under Jack Yaz Pixelserv-tls 2.3.0 is a 2048-bit certificate. I have no issues on iOS 13.3 devices. Do your stats show high slu values or other anomalies?

Pixelserv-tls doesn't even generate its own root CA, we have to do it ourselves.

@thelonelycoder changed the generation algorithm to create a 1024-bit root CA in the latest Diversion version and, as per my testing, it's not compatible with Apple's changes in iOS 13.
 
> Pixelserv-tls doesn't even generate its own root CA, we have to do it ourselves.
>
> @thelonelycoder changed the generation algorithm to create a 1024-bit root CA in the latest Diversion version and, as per my testing, it's not compatible with Apple's changes in iOS 13.

So mine wasn’t an isolated case then. Thanks for confirming.
 
> as per my testing

How did you test that? I've updated pixelserv-tls from 2.3.0 to 2.3.1, but haven't regenerated the root CA or purged the cert cache. Actually, how can you tell if your root CA is 1024 or 2048? I'm getting a lot of TLS handshake errors.

abbreviated pixelserv stats:
Code:
req    191    total # of requests (HTTP, HTTPS, success, failure etc)
avg    1122 bytes    average size of requests
rmx    1241 bytes    largest size of request(s)
tav    24 ms    average processing time (per request)
tmx    39 ms    longest processing time (per request)
slh    0    # of accepted HTTPS requests
slm    1    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but not usable)
slc    0    # of dropped HTTPS requests (client disconnect without sending any request)
slu    187    # of dropped HTTPS requests (other TLS handshake errors)
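
Added example (not part of the original thread, and not Diversion or pixelserv-tls code): one way to answer the question above about telling a 1024-bit root CA from a 2048-bit one is to read the key size out of the certificate with `openssl` and compare it with the 2048-bit RSA minimum quoted from Apple earlier in the thread. `check_cert` and `make_demo_ca` are hypothetical helper names, and the demo certificates are throwaways constructed by the script.

```shell
#!/bin/sh
# Added example: check a certificate's RSA key size against the 2048-bit
# minimum Apple states for TLS server certificates and issuing CAs.
MIN_RSA_BITS=2048

# Prints "ok <bits>", "weak <bits>", "not-rsa" or "unreadable" for PEM file $1.
# Returns 0 only when the key is RSA and at least MIN_RSA_BITS long.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable"; return 2; }
    # The quoted rule is about RSA keys; EC keys are sized differently.
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo "not-rsa"; return 3 ;;
    esac
    # Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || { echo "unreadable"; return 2; }
    if [ "$bits" -ge "$MIN_RSA_BITS" ]; then
        echo "ok $bits"
    else
        echo "weak $bits"; return 1
    fi
}

# Hypothetical helper: write a throwaway self-signed CA with a $1-bit RSA key
# to file $2 (the private key goes to $2.key).
make_demo_ca() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj "/CN=demo CA $1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed certificates (not the thread's real CA).
tmp=$(mktemp -d)
for size in 1024 2048; do
    make_demo_ca "$size" "$tmp/ca$size.crt" &&
        echo "$size-bit demo CA: $(check_cert "$tmp/ca$size.crt")"
done
rm -rf "$tmp"
```

Run `check_cert` on the CA file your devices actually imported (the thread mentions fetching it as `ca.crt` from the pixelserv IP); a `weak` result is the case the quoted Apple rule no longer trusts.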
 
I updated to Jack Yaz Pixelserv-tls 2.3.0 yesterday (Dec 23), purged all certs, regenerated and imported into browsers and devices as directed in instructions and per this forum. I have all Apple devices and use Safari on my desktop. See screenshot that shows pixelserv using a 2048 bit key. Everything seems to be working fine for me.

RT-AC86U - Main | AsusWRT-Merlin 384.14_0
Two RT-AC68U - Aimesh nodes w/ wired backhaul | Stock 3.0.0.4.385_10000
2GB swap on USB drive

amtm 3.0
Diversion 4.1.7
pixelserv-tls 2.3.0
Skynet 7.0.2
scMerlin 1.0.3
uiDivStats 1.2.3
 

Attachment: Screen Shot 2019-12-24 at 4.16.58 PM.png