How a n00b installed Skynet, AB-Solution, pixelserv-tls, and DNSCrypt

JaimeZX

Senior Member
A caveat: I take zero credit for any of this and am documenting it as much for next time I need to set up a router as anything else... but if another n00b shows up trying to figure out exactly where to start, this may be of some help.
NOTE: Links included where relevant. If much time has passed, the links may be dead. If you are already a regular Linux user then I am certainly going into unnecessary detail. I assume my reader is a Windows user.
NOTE: In some cases I need to phonetically spell a command out because otherwise this forum will block it. So for example if the command were chk I would type CharlieHotelKilo.

I will assume that anyone already in here has installed the latest version of Merlin. If not, that would be...

STEP 1: Install the latest version of Asuswrt-Merlin and perform a full M&M Reset.

STEP 2: Lock that $--t down.

STEP 3: If you don't have one already, locate a suitable SSH terminal program. On the advice of someone here I selected Xshell 6 (free for home use.) Seems to be working okay, YMMV. You can also just use the command prompt in Windows. As in: c:\ssh user@192.168.1.1

STEP 4: Locate a thumbdrive of at least 4GB. Or, better yet, grab an SSD in a small USB enclosure; it should last much longer and give you fewer headaches. After two thumbdrives I now have a 120GB Kingston SSD. (As of this writing, $20 on Amazon. You will also need a USB enclosure for it, another $9.)

STEP 5: Format your drive in (Linux file system format) ext2 or ext4. Not ext3. The simplest way to do this is to use the unwieldy-titled-but-easy-to-use MiniTool Partition Wizard Free 10.2.3. Simply plug the thumbdrive into the computer, locate it in MTPWF10.2.3,
5A) Right-click > Delete (to kill the FAT32 partition)
5B) Right-click > (New? or Create?) to create a new primary partition. Type should be ext4 or ext2. Name not necessary yet.
5C) Right-click > Format. Again, choose ext4. Or ext2. Name it something memorable like USBStick or FirewallUSB or YourMom. Whatevs. I'll stick with YourMom from now on.
5D) In the top-left of MTPWF10.2.3, click the "Apply" button.

ALTERNATE TECHNIQUE if you're comfortable at a command prompt:
5i) SSH into the router. The drive needs to be plugged in but unmounted. In MerlinWRT, you can click the USB symbol at top right, then click "Eject." That'll unmount it, not make it fall out of the router. Haha.
5ii) Assuming it's the only USB device plugged in, it should be at /dev/sda1. You can type mkfs.ext2 /dev/sda1 -L YourMom. The router SHOULD do its business. But really, the MTPWF10.2.3 technique is much easier. Plus our routers don't seem to be capable of building an ext4 partition, only ext3.
NOTE: Do your own research on which file system you want to use. Read about journaling and flash media. ext2 is a non-journaling file system. OTOH ext4 is a more efficient file system and you may be able to disable journaling. If you have access to a linux liveCD or other bootable media, try formatting in ext4 using mkfs.ext4 -O ^has_journal /dev/sda1 -L YourMom
Alternatively, after formatting in ext4, you may be able to remove the journal at the SSH command line using tune2fs -O ^has_journal /dev/sda1
I have not tried this, however. YMMV.

You may also find this thread useful.

STEP 6: Leave YourMom plugged in and reboot the router. The router should then mount YourMom and there will only be one instance of it. [Too many times when I tried to manually mount YourMom I wound up with YourMom and YourMom(1)... which then confused follow-on steps.]

STEP 7: (EDIT: AB-Solution is now Diversion. I am not going to find-and-replace all instances, please do that in your head. I'll update this link though.) Install Diversion using the script at the top of its thread in this forum.
NOTE: If any of these installs fail, scroll up in your terminal program to see what the error(s) were. When they fail out they tend to blank the screen and return to the previous menu, but the "blank screen" is just a bunch of blank lines, so you can still scroll back to see what happened.

STEP 8: [Note: AMTM is now built into MerlinWRT. No need to install on your own!] At the SSH / command prompt, type amtm

STEP 9: From the AMTM, install Skynet. (Item 2) How big of a cache file you select will depend on how big YourMom is. Skynet now desires 2GB for the cache size, though I have one router that was working just fine with a 1GB cache. Whatever, you bought that 120GB drive right? Go for 2GB.
* NOTE: If you want to see what Skynet is actually doing you'll need to enable the Debugging Mode option during install. Otherwise you have no idea what's going on when you can't get to a particular website because you can't view the logs.
* NOTE: Once Skynet starts, if you're in the Merlin WebGUI you'll see the processor usage going bonkers. This may last for a few minutes. Don't worry about it.

STEP 10: From the AMTM menu, run [1] Diversion, and install it. This should be straightforward.
Follow any prompts for the creation of the Pixelserv-TLS certificate.
* NOTE: If this install fails it MAY be due to an issue with Entware. TheLonelyCoder has suggested going into the WebGUI and telling the router to wipe the JFFS partition on reboot, then rebooting, then trying the install again. I would try that first. If the problem persists, you can also (at the command prompt) type: entware-setup.sh which should reinstall it, then repeat step 10.
* NOTE: Reference the Pixelserv-TLS thread to best understand that software. I used 192.168.x.2 for my Pixelserv IP.

STEP 11: In your relevant browsers, access http://192.168.x.2/ca.crt and save the file somewhere.

STEP 12: Install the certificate into your browser(s) of choice. Firefox. Chrome. IE. Android. Safari.
(For Firefox, it's Settings > Preferences > Privacy and Security > Certificates > View Certificates > Import)

STEP 13: From AMTM, install DNSCrypt. This is pretty straightforward. The only possibly confusing question is "Fastest / b2 / bhalf / random." Next time I set it up I'll choose bhalf, but I think I picked "random" the other day. (It's a question about which DNS server to pick, based on tracking server speeds. Fastest on list / from the top 2 / top half of list / random from the whole list)

That's it for installation. Read the threads to understand expected behavior. Monitor for things that don't work correctly so you can see about whitelisting them in AB-Solution or Skynet.

NOTE: If you've tried this several times and are dying of frustration because it ain't working, try a different thumbdrive.

NOTE: A useful utility to use from the command line is "htop." Sort of like Task Manager in Windows. Installation is simple: when logged in via SSH, type: opkg install htop It should only take a moment to install, then you can just type htop to run it.

---------------------------
EDIT: I have now also installed the YazFi script because I not only wanted my guest networks to have different IP ranges but also give them access to the Pixelserv IP for Pixelserving purposes. The only downside of this is that clients on the guest network will no longer show up in "Network Map" because that only displays clients on the main subnet; Merlin can't change this because it's a closed-source part of the firmware.
 
If you don't have the certificate installed in your browsers, then Pixelserv-tls will not give a proper response to ads that send their request via HTTPS. Otherwise it's not a big deal.
Note: if you have computers on your "Guest" wifi, they will not benefit from the Pixelserv-tls script, so it's irrelevant there.
 
Post 1 edited to add YazFi.
 
I want to thank your mom for this write up. Do you know if the Samba Server or FTP will work with ext2 ?
 
Happy to help. :) I'm not sure I understand the question though. Are you also thinking of using the extra space on the thumbdrive as a Samba share? I don't see why this would be a problem; ext2 is just an older version of the Linux file system.
 
Great post...thanks really helped!!!
 
I'm stuck on 'Step 7'. What version of Diversion did you choose? What do I put for 'Enter pixelserv-tls IP Address:'?
Standard is preferred. The install should prompt you to update your LAN DHCP IP Pool Starting Address from 192.168.1.2 to 192.168.1.3 (do this in the router webgui). Then enter 192.168.1.2 as the Pixelserv IP.
 
About to start 'Step 10' now but it doesn't really make sense. It says I should install Pixelserv-TLS but that was already installed by Diversion. Also, why do I need the ca.crt and ca.key files?

Is RAM usage supposed to be this high?
 
The simplest way now to install the Pixelserv CA cert on your devices is to browse to http://192.168.1.2/ca.crt from each device on your LAN (where possible). Installing the CA cert allows your devices to more easily and quickly block https ad content. See https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices

If you see growing counters for the uca stat on the pixelserv stat page from earlier, installing the cert will avoid that. I installed on all the Windows, Macs and iOS devices in our family without issue.
 
Sorry, forgot to mention that you can ignore the Pixelserv installation step since Diversion now handles this. Maybe back in the day, AB-Solution didn’t handle pixelserv?

To feel better about your RAM, go to the Tools page in the router GUI and if you see high usage for Buffers or Cache in the Memory section, you can rest assured that the memory is not wasted. Some feel that unused memory is wasted memory. But buffers and cache will be surrendered if a process needs more memory.
 
Thanks but that just confuses me more.
No need to dive in before you understand what it’s doing. I don’t run Stubby or DNSCrypt either. For now, get used to troubleshooting any issues from your new ad-blocking and wait to see how encrypted DNS evolves.

It’s fun to add features to your router that enhance security, but only once you understand what they are doing. Your network security is your responsibility, so only do something you’re comfortable with. Similar to the saying “Don’t invest in something you don’t understand.”
 
I've rebooted the router but now Diversion/ Pixelserv-tls / Skynet is not working. :(
Is there a way to have the settings get saved to the USB stick and start everything back up at boot?
 
Please post the contents of the file /jffs/scripts/post-mount (run cat /jffs/scripts/post-mount).

Here’s mine:
Code:
#!/bin/sh
swapon /tmp/mnt/apps/myswap.swp # Skynet Firewall Addition

. /jffs/scripts/post-mount.div # Added by Diversion
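
A way to lint a post-mount file like the one posted above when the add-ons do not come back after a reboot, as an added example that is not part of the original posts or of Diversion/Skynet. The conditions it checks (executable bit, `#!/bin/sh` first line, no CRLF line endings, referenced files present) are this example's assumptions about common causes, and `check_post_mount` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): lint a post-mount script.
# check_post_mount FILE prints one line per problem; exit status = problem count.
check_post_mount() {
    f="$1"; problems=0
    report() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    if [ ! -f "$f" ]; then
        report "$f does not exist"
        return "$problems"
    fi
    [ -x "$f" ] || report "$f is not executable (fix: chmod a+rx $f)"
    # Assumption: the first line must be the interpreter line.
    [ "$(head -n 1 "$f" | tr -d '\r')" = "#!/bin/sh" ] || report "first line is not #!/bin/sh"
    # Files saved from a Windows editor may carry CRLF line endings.
    if grep -q "$(printf '\r')" "$f"; then report "CRLF line endings found"; fi
    # Every file sourced with ". /path" must exist (USB drive mounted, JFFS intact).
    for src in $(sed -n 's/^[[:space:]]*\.[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$f"); do
        [ -f "$src" ] || report "sourced file missing: $src"
    done
    # Every swap file named on a swapon line must exist.
    for swp in $(sed -n 's/^[[:space:]]*swapon[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$f"); do
        [ -f "$swp" ] || report "swap file missing: $swp"
    done
    return "$problems"
}

# Constructed sample: the post-mount posted above, with its two paths
# redirected into a temp directory where only the swap file exists.
demo() {
    d=$(mktemp -d)
    : > "$d/myswap.swp"
    printf '%s\n' '#!/bin/sh' \
        "swapon $d/myswap.swp # Skynet Firewall Addition" \
        "" \
        ". $d/post-mount.div # Added by Diversion" > "$d/post-mount"
    chmod a+rx "$d/post-mount"
    check_post_mount "$d/post-mount"; n=$?
    rm -rf "$d"
    return "$n"
}

# On the router: sh thisfile.sh /jffs/scripts/post-mount
[ $# -eq 0 ] || check_post_mount "$1"
```

Run with the path of the real file as its argument; no output and exit status 0 mean none of the checked conditions apply.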
 
