@thelonelycoder,
I have been trying to install Stubby on my AC86U. Do you know if this script will interfere with any of the Diversion’s functions? For example, there is VPN section on the Stubby’s installation home page on GitHub that recommends that Accept DNS configuration setting should be changed to Disabled. However, it is my understanding that for Diversion to work such setting should be left as “Strict”.
Any thought on this?
Thank you!
I can't say, as for some reason the Stubby installer did not work on my RT-AC86U when I last tested it. This (main) router is critical for me so I don't usually play around much on that one. But I trust @Xentrk to have done extensive testing as some of the routers under his care run Diversion and I would imagine that the setting be set to 'Disabled' to work.
While I prefer to stay anonymous under the @thelonelycoder handle, here's me, on a recent vacation to my favorite place in the US, Moab in Utah, from a work related trip to freezing Toronto, Canada.
The Colorado river winds its way around me, the colors at sunset are magical. This is bliss.
A good place to do some lonely coding!
I did indeed. Diversion 4.0.5 was finalized and released during my sparse free time in Toronto, some initial coding was done on the upcoming v4.0.6 in Moab and Las Vegas during the vacation. At night time only and the coding session in Vegas was very brief...
@all Diversion users:
A wild thought just crossed my mind. What if Diversion does NOT create a new set of ca certs during a fresh install but downloads already (self-) generated certs from the Diversion website. This way all Diversion installations would use the same pixelserv-tls certificate, making subsequent importing of the cert into devices a once-only affair and one does not have to worry about it for future re-installs.
The openssl certs auto-generated by Diversion during the install are good for 10 years, the code used is as follows:
Code:
openssl genrsa -out ca.key 1024
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
The same code would be used for the common Diversion certificates, with the CA being Pixelserv.
Of course this would mean Diversion users would have to trust me even more not doing anything sketchy on your routers and I would have to make sure the certs on my server are protected from being replaced by a third party.
But this could be a useful feature and end up being more user friendly with clear instructions on the Diversion website of how to import the certificate into browsers/devices. This step would be an opt-in during the installation with the selection in wording being similar to this:
1. Use common Diversion pixelserv-tls certificates
2. Generate new router specific pixelserv-tls certificates
Let me know what you all think about this random thought, maybe @kvic or anyone understanding more than I could add his thoughts on the implications of such a Diversion feature. I can't see any just now as generally, TLS/SSL certificates are issued by a certificate authority (https://en.wikipedia.org/wiki/Certificate_authority) and the same cert is used world wide by all devices/browsers.
Please do not do this. For this cert to be useful, people need to import it and trust it, and if it is widely distributed it will mean it is easy to create seemingly secure sites with a self-signed cert. Better that it is generated on the fly.
I'm not an expert on certificates, but I think the problem would be that you would be distributing the CA cert and its private key to thousands of routers world-wide, belonging to both trustworthy and untrustworthy people. They could sign a certificate for any site they choose (i.e. that's how Pixelserv works locally).
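Added example (not part of the thread and not Diversion's or pixelserv-tls's own code): a sketch of why per-router generation limits the damage, showing that a certificate signed by one router's CA is rejected by a device that imported a different router's CA, even though both CAs carry the same "Pixelserv CA" name. The directories routerA/routerB, the hostname blocked.example.test and the 2048-bit key size are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; directory names, hostname and 2048-bit keys are assumptions.

make_ca() {                       # $1 = directory standing in for one router
    mkdir -p "$1" && chmod 700 "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    chmod 600 "$1/ca.key"         # the CA private key stays on this router only
    openssl req -key "$1/ca.key" -new -x509 -days 3650 -sha256 \
        -extensions v3_ca -out "$1/ca.crt" -subj "/CN=Pixelserv CA" 2>/dev/null
}

sign_leaf() {                     # $1 = router dir, $2 = hostname (constructed)
    openssl genrsa -out "$1/leaf.key" 2048 2>/dev/null
    openssl req -key "$1/leaf.key" -new -subj "/CN=$2" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$1/leaf.crt" 2>/dev/null
}

trusted_by() {                    # $1 = CA cert a device imported, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

fingerprint() {                   # SHA-256 fingerprint, to tell same-named CAs apart
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/routerA" && make_ca "$d/routerB" || return 1
    sign_leaf "$d/routerA" "blocked.example.test" || return 1
    # A device that imported router A's CA accepts router A's leaf certificate.
    trusted_by "$d/routerA/ca.crt" "$d/routerA/leaf.crt" && echo "device on A: trusted"
    # A device that imported router B's CA rejects it: same CN, different key.
    trusted_by "$d/routerB/ca.crt" "$d/routerA/leaf.crt" || echo "device on B: rejected"
    rm -rf "$d"
}
demo
```

With one common CA, routerA and routerB would hold the same ca.key, and the second check would succeed on every device that imported the common certificate.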
THIS IS A HORRIBLE IDEA. PLEASE DO NOT DO THIS.
It was just a random thought, thanks for the input. Buried the idea.
Handsome bugger!
I think a useful enhancement to Diversion would be to incorporate kvic's reporting script which requires an email notification script (like you already provide) and ideally separate logging for the extra pixelserv logging level. Just an idea to consider.
This is already built in. Use f '4. Filtered by term' and enter the IP address of the device to filter by.
Got it, thank you!
Stubby will not interfere with Diversion.
However, if you use Diversion with VPN Policy Rules and set Accept DNS Configuration to Exclusive, dnsmasq is bypassed and Diversion will not work.
If you use a VPN with Policy Rules, you need to use the “Strict” setting or the “Disabled” setting for Accept DNS Configuration. The Strict setting requires the dhcp-option dns 1.1.1.1 setting in the Custom Config section whereas the Disabled setting does not. The downside is DNS will leak. But this never caused an issue for my use cases.
Do you also run DNSmasq? If so check what size the cache is set at.
Yes. I had it set to 3000, I dropped it down to 1500 as well as dropped my blocking file down to ~600k and still the issue returned.
There's been another report of problems when you exceed 1M domains. I'd try shrinking things a bit and see if the problems persist.
I dropped it down to ~600k and it still returned.
As @john9527 writes, use a smaller blocking file to start troubleshooting this issue.
I dropped my lists to around 600k domains and the issue still returned. I took out the duplicate lists you suggested and re-enabled another one I had so I'm still around 600k domains but don't have the duplicates. Any other suggestions? It's getting to the point where I'm either going to create a script that restarts Diversion every other day or uninstall. It's that frustrating.
Have you tried running this all without the "ds" settings enabled?