several trackers are already included. If you use something like Privacy Badger for instance, you'll still see hits, simply because they recognize the tracking url in the webpage. However, Diversion blocks them from actually contacting their HQ as the request is re-routed. If you do see trackers calling home, you can either blacklist them or search for a more extensive list which includes them.

Oh, great. I wasn't aware of this. Thanks for the information. Diversion really is a great tool.
 
RAM Gobbler??

I have installed and uninstalled Diversion "Standard" on my AC5300 three times now - on each occasion hoping that its steady and at times fairly robust consumption of RAM would disappear (as it did in AB-Solution). I appreciate that when running its blocking file updates it would chew processor power and consume RAM - but expected this to drop back to "normal" levels once done. Instead it seems to hold on to an ever-increasing amount of RAM, rising from mid 30% all the way up to 80% ... which only a reboot will set back to "normal" levels.

With Skynet alone installed - the problem does not arise. Just after install of Diversion, RAM consumption increases by about 10% [from 35% to 45%] and stays there until Diversion starts its blocking file updates when it rises again to above 70% without declining unless rebooted.

I do have a 512Mb swap file which Diversion reports is in use - /opt/swap

Anyone else noted this behaviour?
 

No, haven't seen it. Can you check top (or htop) to see what's consuming your memory? htop can be installed by executing

Code:
opkg install htop

htop, sorted by MEM%:

6912b99.png

(Diversion Custom+ blocking file, larger than Standard)

I do have a 512Kb swap file which Diversion reports is in use - /opt/swap

Do you mean a 512MB swap file?

Code:
# free
             total       used       free     shared    buffers     cached
Mem:        255700     111424     144276          0       1000      13640
-/+ buffers/cache:      96784     158916
Swap:       524284          0     524284
 
No issue whatsoever on my AC5300 with Diversion, entware, skynet, amtm etc plus other scripts installed. I have 176Mbyte free consistently.
 
What firmware is installed? 384.x has the tendency not to release used memory unless needed for another process. This is normal behaviour.
 
My OpenVPN profile using Merlin uses ExpressVPN and DNS Configuration is set to 'Exclusive'. This is interesting as ad blocking is working on both WAN routed and VPN routed clients. Even on my iMac which is routed to the WAN but I use the ProtonVPN App rather than the OpenVPN client in the router. And all the Ads are blocked as well. However, I have no idea if DNSmasq is working correctly.

Nevertheless, I'll follow the TorGuard instructions (I also have an account with them) and see how it goes.
After reading my explanation, I see the need to clarify it. The dnsmasq issue (Diversion does not block ads) occurs when using Accept DNS Configuration = Exclusive AND Redirect Internet Traffic = Policy Rules or Policy Rules (Strict). The issue does not occur when Redirect Internet Traffic = All. If your experience differs, let me know and I'll test again. Go to a DNS leak test site like ipleak.net or dnsleak.com. One time I got a false positive as I had a browser plug-in ad blocker active :oops:

Run the script in the next post to see if you have a conflict setting that will prevent Diversion from working.
 
Run this script to see if you have a conflict setting in the OpenVPN Client that will prevent Diversion from working over the OpenVPN tunnel.

#!/bin/sh
####################################################################################################
# Written By: Xentrk
# Name: x3mtek_Chk_ADNS.sh
# Version 1.2
#
# Description:
# Display WAN and OpenVPN Interfaces and their connectivity status
# Determine if the router uses Diversion. If so, examine OpenVPN client settings
# If Accept DNS Configuration is set to Exclusive and Redirect Internet Traffic is set to
# Policy Rules or Policy Rules (Strict), instruct user that Diversion will not work over the
# VPN tunnel and provide instructions for work-around solution.
#
####################################################################################################
# Uncomment the line below for debugging
#set -x

COLOR_RED='\033[0;31m'
COLOR_WHITE='\033[0m'
COLOR_GREEN='\033[0;32m'

listifaces () {
# Process OpenVPN Client 1 Information
OVPNC1_ADDR=$(nvram get vpn_client1_addr)
OVPNC1_DESC=$(nvram get vpn_client1_desc)
OVPNC1_STATE=$(nvram get vpn_client1_state)
case "$OVPNC1_STATE" in
0) OVPNC1_STATE_DESC="Stopped" ;;
1) OVPNC1_STATE_DESC="Connecting..." ;;
2) OVPNC1_STATE_DESC="Connected" ;;
*) OVPNC1_STATE_DESC="Unknown State" ;;
esac
OVPNNC1_DNS_CONFIG=$(nvram get vpn_client1_adns)
case "$OVPNNC1_DNS_CONFIG" in
0) OVPNC1_DNS_CONFIG_DESC="Disabled" ;;
1) OVPNC1_DNS_CONFIG_DESC="Relaxed" ;;
2) OVPNC1_DNS_CONFIG_DESC="Strict" ;;
3) OVPNC1_DNS_CONFIG_DESC="Exclusive" ;;
esac

# Process OpenVPN Client 2 Information
OVPNC2_ADDR=$(nvram get vpn_client2_addr)
OVPNC2_DESC=$(nvram get vpn_client2_desc)
OVPNC2_STATE=$(nvram get vpn_client2_state)

case "$OVPNC2_STATE" in
0) OVPNC2_STATE_DESC="Stopped" ;;
1) OVPNC2_STATE_DESC="Connecting..." ;;
2) OVPNC2_STATE_DESC="Connected" ;;
*) OVPNC2_STATE_DESC="Unknown State" ;;
esac
OVPNNC2_DNS_CONFIG=$(nvram get vpn_client2_adns)
case "$OVPNNC2_DNS_CONFIG" in
0) OVPNC2_DNS_CONFIG_DESC="Disabled" ;;
1) OVPNC2_DNS_CONFIG_DESC="Relaxed" ;;
2) OVPNC2_DNS_CONFIG_DESC="Strict" ;;
3) OVPNC2_DNS_CONFIG_DESC="Exclusive" ;;
esac

# Process OpenVPN Client 3 Information
OVPNC3_ADDR=$(nvram get vpn_client3_addr)
OVPNC3_DESC=$(nvram get vpn_client3_desc)
OVPNC3_STATE=$(nvram get vpn_client3_state)

case "$OVPNC3_STATE" in
0) OVPNC3_STATE_DESC="Stopped" ;;
1) OVPNC3_STATE_DESC="Connecting..." ;;
2) OVPNC3_STATE_DESC="Connected" ;;
*) OVPNC3_STATE_DESC="Unknown State" ;;
esac
OVPNNC3_DNS_CONFIG=$(nvram get vpn_client3_adns)
case "$OVPNNC3_DNS_CONFIG" in
0) OVPNC3_DNS_CONFIG_DESC="Disabled" ;;
1) OVPNC3_DNS_CONFIG_DESC="Relaxed" ;;
2) OVPNC3_DNS_CONFIG_DESC="Strict" ;;
3) OVPNC3_DNS_CONFIG_DESC="Exclusive" ;;
esac

# Process OpenVPN Client 4 Information
OVPNC4_ADDR=$(nvram get vpn_client4_addr)
OVPNC4_DESC=$(nvram get vpn_client4_desc)
OVPNC4_STATE=$(nvram get vpn_client4_state)
case "$(nvram get vpn_client4_state)" in
0) OVPNC4_STATE_DESC="Stopped" ;;
1) OVPNC4_STATE_DESC="Connecting..." ;;
2) OVPNC4_STATE_DESC="Connected" ;;
*) OVPNC4_STATE_DESC="Unknown State" ;;
esac
OVPNNC4_DNS_CONFIG=$(nvram get vpn_client4_adns)
case "$OVPNNC4_DNS_CONFIG" in
0) OVPNC4_DNS_CONFIG_DESC="Disabled" ;;
1) OVPNC4_DNS_CONFIG_DESC="Relaxed" ;;
2) OVPNC4_DNS_CONFIG_DESC="Strict" ;;
3) OVPNC4_DNS_CONFIG_DESC="Exclusive" ;;
esac

# Process OpenVPN Client 5 Information
OVPNC5_ADDR=$(nvram get vpn_client5_addr)
OVPNC5_DESC=$(nvram get vpn_client5_desc)
OVPNC5_STATE=$(nvram get vpn_client5_state)
case "$(nvram get vpn_client5_state)" in
0) OVPNC5_STATE_DESC="Stopped" ;;
1) OVPNC5_STATE_DESC="Connecting..." ;;
2) OVPNC5_STATE_DESC="Connected" ;;
*) OVPNC5_STATE_DESC="Unknown State" ;;
esac
OVPNNC5_DNS_CONFIG=$(nvram get vpn_client5_adns)
case "$OVPNNC5_DNS_CONFIG" in
0) OVPNC5_DNS_CONFIG_DESC="Disabled" ;;
1) OVPNC5_DNS_CONFIG_DESC="Relaxed" ;;
2) OVPNC5_DNS_CONFIG_DESC="Strict" ;;
3) OVPNC5_DNS_CONFIG_DESC="Exclusive" ;;
esac

# WAN Interface Information
WAN_IP=$(nvram get wan0_ipaddr)
WAN_GW_IFNAME=$(nvram get wan0_gw_ifname)
WAN_IFNAME=$(nvram get wan0_ifname)
case "$(nvram get wan0_state_t)" in
0) WAN0_STATE_DESC="Stopped" ;;
1) WAN0_STATE_DESC="Connecting..." ;;
2) WAN0_STATE_DESC="Connected" ;;
*) WAN0_STATE_DESC="Unknown State" ;;
esac
case "$(nvram get wan1_state_t)" in
0) WAN1_STATE_DESC="Stopped" ;;
1) WAN1_STATE_DESC="Connecting..." ;;
2) WAN1_STATE_DESC="Connected" ;;
*) WAN1_STATE_DESC="Unknown State" ;;
esac


printf '\n'
printf '********************************************************************************************\n'
printf '* WAN Interfaces *\n'
printf '********************************************************************************************\n'
printf '%-6s %-13s %-15s %-4s %-6s\n' "WAN IF " "Status" "Address" "GW" "IFNAME"
printf '%-6s %-13s %-15s %-4s %-6s\n' "------ " "-------------" "---------------" "----" "------"
printf '%-6s %-13s %-15s %-4s %-6s\n' "WAN0: " "$WAN0_STATE_DESC" "$(nvram get wan0_ipaddr)" "$(nvram get wan0_gw_ifname)" "$(nvram get wan0_ifname)"
printf '%-6s %-13s %-15s %-4s %-6s\n' "WAN1: " "$WAN1_STATE_DESC" "$(nvram get wan1_ipaddr)" "$(nvram get wan1_gw_ifname)" "$(nvram get wan1_ifname)"
printf '\n'
printf '********************************************************************************************\n'
printf '* VPN Interfaces *\n'
printf '********************************************************************************************\n'
printf '%+89s\n' "Accept"
printf '%+86s\n' "DNS"
printf '%-7s %-13s %-35s %-24s %-13s\n' "Client" "Status" "Address" "Description" "Configuration"
printf '%-7s %-13s %-35s %-24s %-13s\n' "-------" "-------------" "-----------------------------------" "------------------------" "-------------"
printf '%-7s %-13s %-35s %-24s %-13s\n' "OVPNC1:" "$OVPNC1_STATE_DESC" "$OVPNC1_ADDR" "$OVPNC1_DESC" "$OVPNC1_DNS_CONFIG_DESC"
printf '%-7s %-13s %-35s %-24s %-13s\n' "OVPNC2:" "$OVPNC2_STATE_DESC" "$OVPNC2_ADDR" "$OVPNC2_DESC" "$OVPNC2_DNS_CONFIG_DESC"
printf '%-7s %-13s %-35s %-24s %-13s\n' "OVPNC3:" "$OVPNC3_STATE_DESC" "$OVPNC3_ADDR" "$OVPNC3_DESC" "$OVPNC3_DNS_CONFIG_DESC"
printf '%-7s %-13s %-35s %-24s %-13s\n' "OVPNC4:" "$OVPNC4_STATE_DESC" "$OVPNC4_ADDR" "$OVPNC4_DESC" "$OVPNC4_DNS_CONFIG_DESC"
printf '%-7s %-13s %-35s %-24s %-13s\n' "OVPNC5:" "$OVPNC5_STATE_DESC" "$OVPNC5_ADDR" "$OVPNC5_DESC" "$OVPNC5_DNS_CONFIG_DESC"
printf '\n'
}
listifaces

if [ -d "/opt/share/diversion" ]; then
    printf 'Diversion installation detected\n'
    printf 'Checking for potential conflicts with active OpenVPN Clients\n'
    printf '\n'

    # For clients that are in a connected state, see if ADNS=3 (Exclusive)
    # If Accept DNS Configuration = "Exclusive", give warning message about DNSMASQ
    # being bypassed which prevents Diversion from working

    for OPENVPN_CLIENT in 1 2 3 4 5
    do
        # Read each value once; string comparisons avoid "bad number" errors on unset values
        CLIENT_STATE=$(nvram get "vpn_client${OPENVPN_CLIENT}_state")
        CLIENT_ADNS=$(nvram get "vpn_client${OPENVPN_CLIENT}_adns")
        CLIENT_RGW=$(nvram get "vpn_client${OPENVPN_CLIENT}_rgw")
        if [ "$CLIENT_STATE" != "2" ]; then
            printf 'OpenVPN Client %s is not in a connected state. Skipping check for OpenVPN Client %s\n\n' "$OPENVPN_CLIENT" "$OPENVPN_CLIENT"
        # Group the two rgw tests: && and || have equal precedence in sh, so without
        # the braces rgw=4 alone would trigger the warning regardless of adns
        elif [ "$CLIENT_ADNS" = "3" ] && { [ "$CLIENT_RGW" = "3" ] || [ "$CLIENT_RGW" = "4" ]; }; then
            printf 'Warning! Potential configuration conflict found with OpenVPN Client %s\n\n' "$OPENVPN_CLIENT"
            printf '%bAccept DNS Configuration%b setting is set to %bExclusive%b\n' "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE"
            printf 'When %bAccept DNS Configuration%b is set to %bExclusive%b and %bRedirect Internet Traffic%b is set to\n%bPolicy Rules%b or %bPolicy Rules (Strict)%b DNSMASQ is bypassed which will prevent Diversion from working\n' "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE"
            printf '\n'
            printf 'The work-around solution is to set %bAccept DNS Configuration%b to %bStrict%b AND\n' "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE"
            printf 'in the %bCustom Config Section%b add the entry: %bdhcp-option DNS dns.server.ip.address%b\n' "$COLOR_GREEN" "$COLOR_WHITE" "$COLOR_GREEN" "$COLOR_WHITE"
            printf 'where %bdns.server.ip.address%b is a DNS server of your choice\n' "$COLOR_GREEN" "$COLOR_WHITE"
            printf 'e.g. dhcp-option DNS 9.9.9.9\n'
            printf 'This will result in DNS leaking. But it will allow Diversion to work over the VPN tunnel\n'
            printf 'To learn more about the issue, see\n'
            printf '%bhttps://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
            printf 'and navigate to the section %bDNSmasq and OpenVPN DNS%b\n\n' "$COLOR_GREEN" "$COLOR_WHITE"
        else
            printf 'Good news! No configuration conflicts found with OpenVPN Client %s\n\n' "$OPENVPN_CLIENT"
        fi
    done
fi
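
The same conflict rule can be evaluated offline against saved key=value settings, which is useful when reviewing a router's configuration without shell access. This is an added example, not part of the script posted above: the function names `nv_get` and `check_client` are hypothetical, the sample dump is constructed, and the numeric values (state 2, adns 3, rgw 3 or 4) are the ones the posted script tests.

```shell
#!/bin/sh
# Added example: apply the Diversion/OpenVPN DNS conflict rule to a saved
# key=value settings dump instead of live nvram calls.

# Constructed sample dump (not taken from a real router).
SAMPLE_NVRAM='vpn_client1_state=2
vpn_client1_adns=3
vpn_client1_rgw=3
vpn_client2_state=2
vpn_client2_adns=2
vpn_client2_rgw=4
vpn_client3_state=0
vpn_client3_adns=3
vpn_client3_rgw=3
vpn_client4_state=2
vpn_client4_adns=3
vpn_client4_rgw=1'

# nv_get DUMP KEY: print the value stored for KEY, or nothing if KEY is absent.
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_client DUMP N: print one verdict word for OpenVPN client N.
#   skipped  - client is not in the connected state (state != 2)
#   conflict - Accept DNS = Exclusive (3) with Redirect Internet Traffic 3 or 4,
#              the combination the thread says bypasses dnsmasq
#   ok       - connected, no conflicting combination
check_client() {
    state=$(nv_get "$1" "vpn_client${2}_state")
    adns=$(nv_get "$1" "vpn_client${2}_adns")
    rgw=$(nv_get "$1" "vpn_client${2}_rgw")
    if [ "$state" != "2" ]; then
        echo skipped
    # Braces make "Exclusive AND (rgw 3 OR rgw 4)" explicit.
    elif [ "$adns" = "3" ] && { [ "$rgw" = "3" ] || [ "$rgw" = "4" ]; }; then
        echo conflict
    else
        echo ok
    fi
}

# report DUMP: one line per client, including clients with no keys at all.
report() {
    for n in 1 2 3 4 5; do
        printf 'OVPNC%s: %s\n' "$n" "$(check_client "$1" "$n")"
    done
}

report "$SAMPLE_NVRAM"
```

On the router itself, `report "$(nvram show 2>/dev/null)"` feeds the live settings through the same check.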
 
Just wondering, can a VPN client (for instance my iPhone) also benefit from Diversion's capabilities while connected to the VPN server running on my router? It would be great to have Diversion 'with me', even when not at home...
 
When I access my VPN it gives me no ads as I cruise the internet...:cool: Use "advertise dns to clients" setting on the server side.
 
Thanks, will give that a try too. I only used the VPN until now to connect to home, but speed is very much acceptable so I am considering staying connected to home. Yesterday a publication came out saying that very many people are unaware of being tracked, also specifically mentioning mobile phones, and I thought it would be great to have the same kind of protection I have at home while being on the move.
 
I don't want to hijack this thread but don't use compression as it has produced security issues.
 
If you have an iOS device, you can actually use the OpenVPN app to only connect to your "Home Server" when on a mobile connection. By doing this you get the benefit of Diversion / Skynet and any other third party script while on the move, with the added bonus of being able to access your Network shares too to download multimedia etc.

One of the first things I set up with my new shiny iPhone XS Max :p
 
What firmware is installed? 384.x has the tendency not to release used memory unless needed for another process. This is normal behaviour.

I'm running 384.6 ... same version as I was running AB-Solution on ... but with AB-S did not experience the same RAM consumption and failure to release after block file processing?
I understand your point about version 384.x because same problem of RAM consumption and retention instead of release happens when copying files over the local net to the USB3 flashdisk. Also have to reboot to reset RAM to "normal" levels.

In answer to M@rco - yes indeed 512Mbytes [sorry].
 

I haven't experienced it personally with 384.6 but could that be related to this setting, perhaps?

ET3f8i9.png
 
Mine is set as above - "Yes" to flush caches.
 
Ok, yeah, I'm seeing two DNS servers on WAN routed devices on ipleak.net, I should only be seeing one.

I have Accept DNS Configuration = Exclusive ... & ... Redirect Internet Traffic = Policy Rules (Strict)

I'm a bit of a noob, so, what part of that script you posted should I actually use. I only ask as it's a very long script and I've not run one that large before, just clarifying which part of it I ought to run. Thanks :)
 
I tested again and confirmed that Diversion will not work over the VPN tunnel when Accept DNS Configuration = Exclusive when using Policy Rules or Policy Rules (Strict).

Copy the entire contents to /jffs/scripts/Chk_ADNS.sh. Type chmod 755 Chk_ADNS.sh to make it executable. Run the script:

Code:
./Chk_ADNS.sh

or

sh  Chk_ADNS.sh

or

sh /jffs/scripts/Chk_ADNS.sh

Output below. I need to change the text to also include using Accept DNS Configuration = Disabled as an option.

upload_2018-9-27_7-10-45.png
 
Yes strict uses local dns/dnscrypt servers/w dnsmasq, whereas exclusive uses the openvpn assigned DNS only...
 
Ok interestingly I ran into a similar or the same issue today with Ab-solution as I had with Diversion. Dnsmasq restarting over and over... logs: https://pastebin.com/PRd7jJXj

This went on for hours. In troubleshooting I had initiated factory defaults, re-applied all settings manually; hit apply lan multiple times, rebooted over and over, messed around with every little setting to no avail. Started and stopped ab solution to no avail, turned on and off automatic dns... you name it. It seems the DNS was not working. I could access cached domains. I tried multiple DNS servers, including cloudflare as they typically work when others are down or possibly blocked. I managed to get one or two domains opened... but that was about it. I'm wondering if the ISP was blocking my DNScrypt servers, or this restarting didn't allow for a proper DNS connection. I started an openvpn client on the router, no changes. Finally, once I had assigned an IP to openvpn client and started browsing through the VPN, the error suddenly stopped.

Summing up watchdogrc was restarting dnsmasq over and over again, ab-solution was doing the same, loading in and out of the ram. I was also getting icmp black nurse attacks while this was happening before, and immediately after factory default & firmware re-update; I had hardened all potential router vulnerabilities prior to plugging in wan and updated sigs immediately upon defaulting. I suspect this was not an internal infection. Could this be a DNS ddos?
 
ahh ok, so, correct me if I'm wrong, doing as you suggest will cause a DNS leak when using the VPN. However, Diversion will work, correct? I actually need the VPN's DNS for the Apple TV 4K to Stream US content (I'm in Australia but have a shared DirecTV account and use all of the various Streaming Apps, plus Netflix, Hulu, and Prime Video). Is there a way to exclude one device so it is routed completely through the VPN?
 
