Does anyone know if Google Analytics and other analytics/crashlytics services are blocked in Diversion Standard?
That depends on what hosts files are in use in your blocking list.
To find what domains contain the words analytics or crashlytics use grep:
Code:
grep "crashlytics\|analytics" /opt/share/diversion/list/blockinglist*
This searches in both blockinglist and blockinglist_fs if found.

This would count how many matches were found in the respective blockinglist*
Code:
grep -c "crashlytics\|analytics" /opt/share/diversion/list/blockinglist*
To limit to one file, remove the * at the end, alter accordingly for blockinglist_fs
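The grep commands above print whole lines, so a line that carries several hostnames is shown in full and counted once. The following sketch is an added example, not code from the thread or from Diversion; it lists each matching hostname once per file. It assumes the blocking lists use hosts-file layout (`<ip> <host> [<host> ...]`, `#` starts a comment); the sample files and the helper names `list_blocked_hosts` and `write_sample_lists` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the individual blocked hostnames matching a keyword regex.
# Assumption: hosts-file layout "<ip> <host> [<host> ...]", "#" starts a comment.

# list_blocked_hosts REGEX FILE...
# REGEX is a lower-case extended regex, e.g. 'crashlytics|analytics'.
# Hostnames are lower-cased before matching, so the match is case-insensitive.
list_blocked_hosts() {
    pattern=$1; shift
    awk -v pat="$pattern" '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and lines with no host
        {
            for (i = 2; i <= NF; i++) {        # field 1 is the sinkhole IP
                if ($i ~ /^#/) break           # trailing comment: stop scanning
                host = tolower($i)
                if (host ~ pat && !seen[FILENAME SUBSEP host]++)
                    print FILENAME ": " host   # report each host once per file
            }
        }' "$@"
}

# Constructed sample data standing in for blockinglist and blockinglist_fs.
write_sample_lists() {
    dir=$1
    cat > "$dir/blockinglist" <<'EOF'
# constructed sample, not real Diversion data
192.168.1.2 ads.example.com analytics.example.com
192.168.1.2 Crashlytics.example.net tracker.example.org
192.168.1.2 analytics.example.com   # duplicate entry
EOF
    cat > "$dir/blockinglist_fs" <<'EOF'
192.168.1.2 cdn.example.com
192.168.1.2 web-analytics.example.io
EOF
}

# Demo on the constructed files; on the router, pass
# /opt/share/diversion/list/blockinglist* instead.
demo_dir=$(mktemp -d)
write_sample_lists "$demo_dir"
list_blocked_hosts 'crashlytics|analytics' "$demo_dir"/blockinglist*
rm -rf "$demo_dir"
```

Piping the output through `wc -l` gives the number of distinct matching hostnames rather than the number of matching lines.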
 

Excellent, thank you very much for the detailed reply. I have saved the reply in my Standard Notes [How To] notes. Thanks again :)

 
Is there a way I can add multiple domains in one go whether it be for white/black list?
 
I tar'd & cleaned my USB partition up, re-copied the files and Diversion would not load from amtm; I reinstalled Diversion from terminal and it did not detect the previous installation, wiping a year's worth of settings (blocklists, whitelists, wildcard lists, counter stats, literally everything). I found a backup I had made 5 months ago; thankfully I got most of it back. Would be nice if there was a warning that it will overwrite old settings, or an option to recover the previous settings, or if it would do this automatically to save people the headache. Make sure you back up your data, people.

Does Diversion make a backup hiding anywhere?

My problem was tar failed, would not extract files, so I had to do it through Windows; permissions were messed up after copying everything back, so I had to reinstall Entware. amtm symlinks seemed to be broken, had to run it manually & Diversion would not load from amtm. Command line may have been a workaround, but in cutting corners I installed & Diversion overwrote everything.
 
There is a backup-to-email feature, but you need to configure it under c menu. There are some backups under /opt/share/diversion/backup. But that’s not as complete as the email archives.
 
Hey guys,

First off - amazing forum - really love the advice and solutions that I find here :)

Just bought an Asus RT-AC86U and set it up using OpenVPN Client (ExpressVPN), which works great.

However I am having some issues setting up Diversion AND ExpressVPN at the same time.

So far I followed exactly the guide that was recommended here (Configurations required for Policy Rules using AB-Solution): https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

However, I am somehow not able to get it to work. Diversion works, but when I check my IP address it says my IP address is being exposed: https://www.expressvpn.com/what-is-my-ip

Next to installing diversion and setting up OpenVPN (ExpressVPN), I adjusted the following:

• Set up IP Pool Starting Address from standard xxx.xxx.xxx.2 to xxx.xxx.xxx.3 (as requested by Diversion Installer)
• Used xxx.xxx.xxx.2 then for the Diversion pixelserv-tls

In the router I changed:

• JFFS Custom Scripts is enabled
• OpenVPN Client / Accept DNS Configuration: Strict
• OpenVPN Client / Redirect Internet Traffic: Policy Rules (Strict)
• OpenVPN Client / Added a custom config to the OpenVPN Client:
remote-cert-tls server
dhcp-option dns 9.9.9.9
• OpenVPN Client / added the IP of my router to policy rules xxx.xxx.xxx.1 (WAN)
• Added my laptop (with static IP) to the policy rules too xxx.xxx.xxx.136 (VPN)

However what happens is that Diversion (Adblocker) works but ExpressVPN does not and my IP address is being exposed.

I know that the DNS address leaks, which is fine, but it seems ExpressVPN is not working with the above settings.

Did I miss anything? Would appreciate any help on how to set up above scenario, as I did not find any description for it.
 
I have no control over third party scripts. If you reinstalled Entware by using some other script than Diversion's built in installer then it wiped all content that Diversion has written into it.
 
Thank you @thelonelycoder, I used the standard script offered in Merlin's wiki; does that also wipe the opt folder or just entware? In such a case, it would be nice if diversion also checked the opt folder for previous installations. I will back that up next time if need be.
 
/opt/ IS Entware when installed. Diversion files are at /opt/share/diversion.
The Merlin-built in Entware installer by default removes any existing /opt/ partition and replaces it.
 
Please run a test to see what happens when you change from Policy Rules to All Traffic. Check whatismyip.com or similar site to see if your laptop is traversing the WAN or VPN interface.

Also, verify your static IP assignment for your laptop. You can run the command ipconfig in a dos command prompt to display the assignment or validate on the router Network home page.

Another test is to enter the command ip rule in an SSH session to see the assignment of the client device to the OpenVPN1 client. It also shows the priority of the rules.
 
"dos prompt"? You're showing your age. :p I bet half the kids that work for me don't even know what dos was.
 
Can somebody point me to what exactly I should see after installation? I have successfully installed Diversion and it counts ads, but a suspiciously low number of them, only 300 per day; or does that indicate good browsing, etc.? I have a wired PC connection, and ads are still blocked by the adblocker in Mozilla.
Do I need any additional settings in the Diversion SSH interface/router after installation? Thanks
 
Please refer to 1st post.;):)
 
If your browser ad-blocker is preventing the known ad domains from being requested, Diversion will appear to not do much work. But it will work nicely for devices without ad-blocking capabilities (e.g. phone apps). If you want to test Diversion, disable your browser extension and any tracking protection (e.g. in Firefox). It’s a jungle out there!
 
Thanks for the quick reply Xentrk!

I double checked the static IP addresses and they are all correct. My laptop (OS X) has the same IP address under network settings that I gave it on the router. The static IP address is also outside the IP Pool Start/Ending Address.

Whatsmyip.com says that my ISP IP address shows up and not an ExpressVPN IP address. So it somehow does not go through the VPN tunnel. Plus, it also does not block ads with Diversion.

When I change to “All” instead of “Policy Rules (Strict)” in the VPN Client Settings I cannot connect to the internet anymore for some reason.

Also, ExpressVPN had quite some text in the VPN Client Custom Configuration:

fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288



Do I simply replace the entire text with the one from the example link, or do I keep the settings from ExpressVPN and just add the adjustment on top:

remote-cert-tls server
dhcp-option dns 46.182.19.48



Do I also need to change the WAN/WAN DNS Settings? (Right now “Connect to DNS Server automatically” is set to NO)

I am a bit lost here - can I find somewhere a clear step-by-step guide on how to set up Diversion with OpenVPN? I assume I am not the only one who is looking for that solution, but besides the above link I did not find a clear guide.
 
I suggest you download and import the *.ovpn configuration file from Express VPN into the OpenVPN client. Yes, use the custom config text as listed in their instructions https://www.expressvpn.com/support/vpn-setup/manual-config-for-asus-router-with-openvpn/.

First test is to just get the tunnel showing as running and have traffic routed to it. After following the install instructions above, configure the OpenVPN Client to route "All Traffic" and set Accept DNS Configuration to Exclusive. If that works, then we have proven that all traffic can now traverse the tunnel.

The next step is to test policy rules. Enable Policy Rules (Strict). Then, enter the router IP address and assign it to the WAN iface. Then, enter your laptop IP and assign it to the VPN. Save the config. Then, test again that your laptop is going thru the VPN tunnel.

If that passes, my recommendation is now to set Accept DNS Configuration to "Disable". Then, the VPN tunnel will use the DNS specified for the WAN iface. Now, test that Diversion is working over the VPN tunnel.

As a last step, secure your DNS entries by installing Stubby DNS-over-TLS to Cloudflare 1.1.1.1.
 
Can you invert option "4. filter by term" in the follow dnsmasq.log?

I have LastPass sending 10000 requests a day that flood the log.
 
Thanks a lot for your help Xentrk!

I tried all the versions - here is what I discovered:

I suggest you download and import the *.ovpn configuration file from Express VPN into the OpenVPN client. Yes, use the custom config text as listed in their instructions https://www.expressvpn.com/support/vpn-setup/manual-config-for-asus-router-with-openvpn/.

> Works w/o any problems and following the guide from ExpressVPN I can set up OpenVPN using ExpressVPN (IP address and DNS is hidden and both are from ExpressVPN)

First test is to just get the tunnel showing as running and have traffic routed to it. After following the install instructions above, configure the OpenVPN Client to route "All Traffic" and set Accept DNS Configuration to Exclusive. If that works, then we have proven that all traffic can now traverse the tunnel.

> VPN works here (DNS and IP are from ExpressVPN and not exposed), however it does not block ads and diversion is not working.

The next step is to test policy rules. Enable Policy Rules (Strict). Then, enter the router IP address and assign it to the WAN iface. Then, enter your laptop IP and assign it to the VPN. Save the config. Then, test again that your laptop is going thru the VPN tunnel.

> Using Exclusive here for Accept DNS Config does not block ads (Diversion not working) but hides DNS and IP (DNS and IP are ExpressVPN)
> Using Strict here for Accept DNS Config does not block ads (Diversion not working) but hides the IP address (ExpressVPN) but leaks the DNS (ISP)

If that passes, my recommendation is now to set Accept DNS Configuration to "Disable". Then, the VPN tunnel will use the DNS specified for the WAN iface. Now, test that Diversion is working over the VPN tunnel.

> This seems to be the only version that works. Ads are being blocked and the IP is hidden (ExpressVPN), however it leaks the specific DNS, which would be ok as the DNS Server that I use does not log anyways

Just wondering why only the last version works but none of the others.

In an ideal world I would love to not have the DNS leaked or just use ExpressVPN's dynamic DNS server instead of using another one. The problem is that their DNS servers are dynamic as they told me on the phone and do not have one specific IP.

Also, do you think instead of using a static IP for each device would it be possible to use this for Policy Rules strict:

Router - xxx.xxx.xxx.1 - 0.0.0.0 - WAN
All devices - xxx.xxx.xxx.0/24 - 0.0.0.0 - VPN (Subnet would of course be 255.255.255.0)

Or would I run into any issues using that configuration vs. having static IPs?
 
On the Strict setting, you also have to add the entry "dhcp-option DNS 1.1.1.1" in the Custom Config section.

If Accept DNS Configuration is set to Disabled, then the VPN will use the DNS specified on the WAN iface.

There is no fix for the DNS leak when setting Accept DNS Configuration to Disabled or Strict when using Policy Rules. My understanding of DNS leak is having your ISP intercept your DNS queries so they know what sites you are visiting. That is where Stubby comes in. With Stubby DNS over TLS, the DNS queries are encrypted to Cloudflare. So there has to be a trust with Cloudflare. I have not found situations where sites are using DNS to detect geo location. Yes, an ipleak.net test will show your DNS is leaking, but the ISP can't read the requests.

Yes, you can enter the CIDR for the router. Yorgi's guide https://www.snbforums.com/threads/h...and-other-vpn-providers-384-5-07-10-18.30851/ has some examples.

E: All traffic goes to VPN, this is a great alternative from the "redirecting all traffic" because you have the option to "Block routed clients if tunnel goes down"
The example below says that all traffic goes to VPN

Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN
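The `ip rule` check suggested earlier in the thread, and the router-to-WAN plus /24-to-VPN layout discussed above, can be verified with a small script that reports which routing table a given client lands in. This is an added example, not code from any poster or from the firmware; the `ip rule` listing is constructed, and the table name `ovpnc1`, the priorities and the helper names are assumptions. It also assumes every table other than `local` holds a default route.

```shell
#!/bin/sh
# Added example. Reads `ip rule` output on stdin and prints the routing table
# that traffic from CLIENT_IP will use (lowest-priority-number match wins).
# Rules with extra selectors (to, fwmark, iif) and the "local" table are
# skipped; only source-based rules are evaluated.
route_table_for() {
    awk -v client="$1" '
        function ip2n(ip,   o) {               # dotted quad -> number
            if (split(ip, o, ".") != 4) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function src_matches(src, n,   p, len, net, size) {
            if (src == "all") return 1
            len = (split(src, p, "/") == 2) ? p[2] : 32   # bare IP means /32
            net = ip2n(p[1])
            if (net < 0) return 0
            size = 2 ^ (32 - len)              # addresses covered by the prefix
            return int(n / size) == int(net / size)
        }
        BEGIN { want = ip2n(client) }
        {
            prio = $1; sub(/:$/, "", prio)
            src = ""; table = ""; extra = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "from")   src = $(i + 1)
                if ($i == "lookup") table = $(i + 1)
                if ($i == "to" || $i == "fwmark" || $i == "iif") extra = 1
            }
            if (extra || src == "" || table == "" || table == "local") next
            if (src_matches(src, want) && (!found || prio + 0 < best)) {
                found = 1; best = prio + 0; hit = table
            }
        }
        END { if (!found) exit 1; print hit }
    '
}

# Constructed listing: router pinned to WAN, whole LAN sent to the VPN table.
sample_ip_rule() {
    cat <<'EOF'
0:      from all lookup local
10001:  from 192.168.1.1 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
EOF
}

# Demo on the constructed listing; on the router use:
#   ip rule | route_table_for 192.168.1.136
for ip in 192.168.1.1 192.168.1.136 192.168.2.5; do
    printf '%s -> %s\n' "$ip" "$(sample_ip_rule | route_table_for "$ip")"
done
```

A client that resolves to `main` while it is meant to be tunnelled is leaving through the WAN interface, which is the condition the what-is-my-IP checks in the thread were detecting.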
 
Hi everyone - first time post so apologies if I'm violating etiquette here.

I'm having a problem getting PayPal pages, either direct or via payment pages, to load correctly with Diversion on. The config is:

Merlin 384.7__2
Diversion 4.0.6
SkyNet/PixelServ-tls as installed via amtm 1.5

When I have Diversion enabled, PayPal gets blocked and it looks like a DNS issue rather than a blocking issue; I don't see PayPal show up in red in the dnsmasq log while I follow it and I didn't put in any specific rules.

Diversion/Skynet otherwise works just fine (well, I have issues with forecast.nws.gov sometimes takes multiple reloads with a similar problem).

I know that Paypal's various dependent domains are managed via Akamai, so there's a DNS lookup that goes to a CNAME mapping in the background that needs to be resolved and is probably having trouble crossing the proxy on 192.168.1.2.

Thanks for the help.
 
