Diversion Diversion - the Router Ad-Blocker

[L&LD]

Compare it to the gold standard for Diversion use:

https://diversion.ch/diversion/use/blocking-file-hosts-files.html

 

[Asad Ali]

Open your browser and write:

"https://facebook.com/servstats"

Did you see Pixelserv-tls stats page?

You still haven't answered my query lol.

 

[Skeptical.me]

You still haven't answered my query lol.

Sorry, I tried that URL but it went to a 404 on a facebook page

 

[Skeptical.me]

This is why the wildcard blacklist is useful. One facebook.com entry can block all those *.facebook.com domain names. You can add another for fbcdn.net if you really need to. Same for others that occur multiple times in your list.

But the original names may be cached on the client or in the browser after blocking them, based on their original DNS TTL (Time to Live). If you put your phone in Airplane Mode and take it out, I believe it will flush any DNS cache. Then try again.

That did the trick. I completely flushed everything again and it appears that facebook.com is being blocked. I'll still look at using the wildcard blacklist though.

 

[Asad Ali]

Sorry, I tried that URL but it went to a 404

That means your Phone/Devices are not going through Diversion for requesting Facebook.com or it's not properly blocked in Diversion.

I've just added "Facebook.com" in my block list and I see this with the above mentioned URL:

 

[Skeptical.me]

That means your Phone/Devices are not going through Diversion for requesting Facebook.com or it's not properly blocked in Diversion.

I've just added "Facebook.com" in my block list and I see this with the above mentioned URL: (this is the result on my iMac as well)

Ahh, okay. Something is wrong then. Here's what I'm seeing now for https://facebook.com/servstats

 

[Asad Ali]

Ahh, okay. Something is wrong then. Here's what I'm seeing now for https://facebook.com/servstats

Refresh the page again and you should see the stats now, Pixelserv-tls needs to generate the certificate on the first visit.

Also you'll only see that page IF you have the Pixelserv-tls Root CA imported and enabled in your mobile device.

 

[Skeptical.me]

Refresh the page again and you should see the stats now, Pixelserv-tls needs to generate the certificate on the first visit.

Also you'll only see that page IF you have the Pixelserv-tls Root CA imported and enabled in your mobile device.

Thanks, these are the correct instructions, yeah ... https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

 

[Asad Ali]

Thanks, these are the correct instructions, yeah ... https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

Yes, you'll just have to follow the instructions from the "Import Pixelserv CA on client devices" part, no need to generate the Root CA since Diversion already took care of that part.

 

[Skeptical.me]

Yes, you'll just have to follow the instructions from the "Import Pixelserv CA on client devices" part, no need to generate the Root CA since Diversion already took care of that part.

So, thanks for the help. And sorry to everyone if this is frustrating. I'm a bit frustrated.

Here is what I did, I added the ca cert

The I went to https://facebook.com/servstats
and I just got a black screen again.

Then I tried to check picelserv on http://192.168.50.3 and this is what I see:

 

[HairyA00]

So, thanks for the help. And sorry to everyone if this is frustrating. I'm a bit frustrated.

Here is what I did, I added the ca cert

The I went to https://facebook.com/servstats
and I just got a black screen again.

Then I tried to check picelserv on http://192.168.50.3 and this is what I see:

Did you also enable full trust for Pixelserv?

Settings app > General > About > Certificate Trust Settings > Enable Pixelserv CA

 

[Asad Ali]

So, thanks for the help. And sorry to everyone if this is frustrating. I'm a bit frustrated.

Here is what I did, I added the ca cert

The I went to https://facebook.com/servstats
and I just got a black screen again.

Then I tried to check picelserv on http://192.168.50.3 and this is what I see:

Alright I've just noticed you're using Pixelserv-tls v2.2.1 and that's not compatible with Apple's latest operating system for its devices. Now you have three options:

-Wait for Entware to push the Pixelserv-tls v2.3.1 update.
-Manually update your Pixelserv-tls to v2.3.1 as per kvic's instructions.
-Or use the unofficially official JackYaz Pixelserv-tls v2.3.0 for now. You can update to it by opening Diversion and pressing ep>6>3.

 

[Skeptical.me]

Did you also enable full trust for Pixelserv?

Settings app > General > About > Certificate Trust Settings > Enable Pixelserv CA

Yeah, I've done that. I get the same result. Thanks for the reply though.

Pixelserv is running on 192.168.50.3 ... the ip range starts on 192.168.50.4 and all settings are correct in the router and pixeserv

 

[HairyA00]

Installation is a breeze.

1. Download the binary from Github: https://github.com/kvic-z/pixelserv-tls/releases/tag/v2.3.1
a. aarch64 for 64-bit ARM routers/servers.
b. armv7 for 32-bit ARM routers/servers.
2. Unzip the archive, locate & rename 'pixelserv-tls.<your architecture>.performance.dynamic' to 'pixelserv-tls'.
3. Upload the file to your router/server and replace the one of the same name in '/opt/bin'.

 

[Skeptical.me]

Alright I've just noticed you're using Pixelserv-tls v2.2.1 and that's not compatible with Apple's latest operating system for its devices. Now you have three options:

-Wait for Entware to push the Pixelserv-tls v2.3.1 update.
-Manually update your Pixelserv-tls to v2.3.1 as per kvic's instructions.
-Or use the unofficially official JackYaz Pixelserv-tls v2.3.0 for now. You can update to it by opening Diversion and pressing ep>6>3.

Okay, I've updated for now to JackYaz (I'll do the other way later) but unfortunately after deleting the first cert, then installing the JackYaz ca cert on my iPhone, and then enabling full trust for the certificate I'm getting exactly the same result on https://facebook.com/servstats and https://192.168.50.3

Do you think it would be better to just reformat and reinstall?

 

[Asad Ali]

Okay, I've updated for now to JackYaz (I'll do the other way later) but unfortunately after deleting the first cert, then installing the JackYaz ca cert on my iPhone, and then enabling full trust for the certificate I'm getting exactly the same result on https://facebook.com/servstats and https://192.168.50.3

Do you think it would be better to just reformat and reinstall?

Open Diversion
Press ep
Press 3
Press 1
Press 1

After the certificates have been purged, toggle Airplane mode of your iPhone again to clear any cache and then try again.

This time try with this URL as well:

https://192.168.50.3/servstats

 

[HairyA00]

I don't think it's recommended to use the 2.3.0 version for memory leak issues if I remember correctly. If you're going to purge the certs and do this all anyway, might as well just grab 2.3.1...

1. Update Diversion to this latest version.
2. Install Pixelserv-tls v2.3.1: https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-246#post-543550
3. Re-generate the pixelserv-tls CA certificate in ep, 3, 2 (all domain certificates will be purged during that step).
4. Import the new pixelserv-tls CA certificate (ca.crt) into browsers and devices, replacing the previous certificate. Open the certificate link in a browser with your pixelserv-tls IP address, typically this is 192.168.1.2/ca.crt and import it.

 

[Skeptical.me]

Open Diversion
Press ep
Press 3
Press 1
Press 1

After the certificates have been purged, toggle Airplane mode of your iPhone again to clear any cache and then try again.

This time try with this URL as well:

https://192.168.50.3/servstats

Awesome, that did the trick. All working now.

 

[Skeptical.me]

I don't think it's recommended to use the 2.3.0 version for memory leak issues if I remember correctly. If you're going to purge the certs and do this all anyway, might as well just grab 2.3.1...

1. Update Diversion to this latest version.
2. Install Pixelserv-tls v2.3.1: https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-246#post-543550
3. Re-generate the pixelserv-tls CA certificate in ep, 3, 2 (all domain certificates will be purged during that step).
4. Import the new pixelserv-tls CA certificate (ca.crt) into browsers and devices, replacing the previous certificate. Open the certificate link in a browser with your pixelserv-tls IP address, typically this is 192.168.1.2/ca.crt and import it.

Awesome, thanks I'll get this done asap. Thanks for the help much appreciated

 

[HairyA00]

Awesome, thanks I'll get this done asap. Thanks for the help much appreciated

Full release notes of 2.3.1 if interested: https://kazoo.ga/pixelserv-tls/

* NEW check and purge expired certs on-the-fly. Generate new ones to replace the expired automatically.
* NEW support the new TLS requirements on key size, cert valid period & etc from Debian 10 and Apple Inc.
Included findings & code contributed by emeidi and jackyaz.
* CHANGED fix compilation warnings with gcc-9/clang-9 (issue #33) contributed by KiloFoxtrotPapa.